XIII
Very Senior Member
Any pointers?
I’m afraid I don’t understand what you wrote. Until recently unbound seemed to work fine, but maybe that was just my impression, so I would like to learn!
I’m afraid I don’t understand what you wrote. Until recently unbound seemed to work fine, but maybe that was just my impression, so I would like to learn!
sfx2000
Part of the Furniture
With dnsmasq - you can disable its resolver by setting the port to "0" (zero) in the dnsmasq.conf
port=0
XIII
Very Senior Member
ColinTaylor
Part of the Furniture
sfx2000
Part of the Furniture
You might want unbound on UDP/53 (and UDP/853 perhaps for DNSSEC), and dnsmasq on port 0 (which disables dnsmasq from acting as a resolver, period)
I think you're doing okay. If it's not broken, no need to fix unless you want to try something new.
The discussion implies you have to use Unbound for adblock. That I don't think you (or any existing common script users) are ready..
XIII
Very Senior Member
I'm trying to build a version of unbound with libopenssl 1.1.1 statically included, using the instructions from @Odkrys, as given here: https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/page-22#post-457050 (but I don't want to pollute the stubby topic, so I'm following up here).
Building Entware and unbound with libopenssl 1.0.2 statically (by modifying the unbound Makefile as suggested) seemed to work find (unbound got build without errors; I did not try to run it on my AC86U).
Now I want to try libopenssl 1.1.1 instead of 1.0.2, so I copied the stuff in the suggested repo (after selecting the 1.1.1 develop branch) and tried to build again. Unfortunately I get multiple warnings now:
How should I handle this?
Building Entware and unbound with libopenssl 1.0.2 statically (by modifying the unbound Makefile as suggested) seemed to work find (unbound got build without errors; I did not try to run it on my AC86U).
Now I want to try libopenssl 1.1.1 instead of 1.0.2, so I copied the stuff in the suggested repo (after selecting the 1.1.1 develop branch) and tried to build again. Unfortunately I get multiple warnings now:
Code:
$ make ./package/feeds/packages/unbound/compile
WARNING: Makefile 'package/system/fstools/Makefile' has a dependency on 'kmod-fs-autofs4', which does not exist
WARNING: Makefile 'package/libs/openssl/Makefile' has a dependency on 'kmod-crypto-user', which does not exist
WARNING: Makefile 'package/libs/openssl/Makefile' has a dependency on 'kmod-crypto-hw-padlock', which does not exist
WARNING: Makefile 'package/libs/openssl/Makefile' has a build dependency on 'cryptodev-linux', which does not existXIII
Very Senior Member
Hope there’s an easy solution because this seems way over my head:
https://github.com/openwrt/openwrt/pull/965
https://github.com/openwrt/openwrt/pull/965
Code:
make package/unbound/compile V=sXIII
Very Senior Member
Actually already did that, but it only seems to say that openssl does not build correctly?
Code:
checking for SSL... configure: error: Cannot find the SSL libraries in ~/Entware/staging_dir/target-aarch64_cortex-a53_glibc-2.27/optDid you adjust Makefile of openssl to entware style?
Code:
OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt
STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5)
define Build/Configure
[ -f $(STAMP_CONFIGURED) ] || { \
rm -f $(PKG_BUILD_DIR)/*.so.* $(PKG_BUILD_DIR)/*.a; \
find $(PKG_BUILD_DIR) -name \*.o | xargs rm -f; \
}
(cd $(PKG_BUILD_DIR); \
./Configure $(OPENSSL_TARGET) \
--prefix=/opt \
--libdir=lib \
--openssldir=/opt/etc/ssl \
$(TARGET_CPPFLAGS) \
$(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) \
)
$(if $(CONFIG_OPENSSL_USE_VERSION_1_0_2),
$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
MAKEDEPPROG="$(TARGET_CROSS)gcc" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
depend,)
endef
TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
TARGET_LDFLAGS += -Wl,--gc-sections
define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
AR="$(TARGET_CROSS)$(if $(CONFIG_OPENSSL_USE_VERSION_1_1_1),ar,ar r)" \
RANLIB="$(TARGET_CROSS)ranlib" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
all
$(if $(CONFIG_OPENSSL_USE_VERSION_1_0_2),$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
AR="$(TARGET_CROSS)ar r" \
RANLIB="$(TARGET_CROSS)ranlib" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
build-shared
# Work around openssl build bug to link libssl.so with libcrypto.so.
-rm $(PKG_BUILD_DIR)/libssl.so.*.*.*
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
do_linux-shared,)
$(MAKE) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
$(if $(CONFIG_OPENSSL_USE_VERSION_1_0_2),INSTALL_PREFIX,DESTDIR)="$(PKG_INSTALL_DIR)" \
$(OPENSSL_MAKEFLAGS) \
$(if $(CONFIG_OPENSSL_USE_VERSION_1_0_2),install,install_sw install_ssldirs)
endef
define Build/InstallDev
$(INSTALL_DIR) $(1)/opt/include
$(CP) $(PKG_INSTALL_DIR)/opt/include/openssl $(1)/opt/include/
$(INSTALL_DIR) $(1)/opt/lib/
$(CP) $(PKG_INSTALL_DIR)/opt/lib/lib{crypto,ssl}.{a,so*} $(1)/opt/lib/
$(INSTALL_DIR) $(1)/opt/lib/pkgconfig
$(CP) $(PKG_INSTALL_DIR)/opt/lib/pkgconfig/{openssl,libcrypto,libssl}.pc $(1)/opt/lib/pkgconfig/
[ -n "$(TARGET_LDFLAGS)" ] && $(SED) 's#$(TARGET_LDFLAGS)##g' $(1)/opt/lib/pkgconfig/{openssl,libcrypto,libssl}.pc || true
endef
define Package/libopenssl/install
$(INSTALL_DIR) $(1)/opt/etc/ssl
$(CP) $(PKG_INSTALL_DIR)/opt/etc/ssl/openssl.cnf $(1)/opt/etc/ssl/
$(INSTALL_DIR) $(1)/opt/etc/ssl/certs
$(INSTALL_DIR) $(1)/opt/etc/ssl/private
chmod 0700 $(1/opt)/etc/ssl/private
$(INSTALL_DIR) $(1)/opt/lib
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/opt/lib/libcrypto.so.* $(1)/opt/lib/
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/opt/lib/libssl.so.* $(1)/opt/lib/
$(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/opt/lib/$(ENGINES_DIR))
endef
define Package/openssl-util/install
$(INSTALL_DIR) $(1)/opt/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/opt/bin/openssl $(1)/opt/bin/
endef
$(eval $(call BuildPackage,libopenssl))
$(eval $(call BuildPackage,openssl-util))XIII
Very Senior Member
XIII
Very Senior Member
Somehow during the compilation it wants to change one folder (either /opt or /etc, can't remember) on the build system itself... If I build via sudo (I'm trying in a virtual machine, so no real harm done) the build does complete.
However, I expected to end up with one or more large binaries with the libraries statically included. Instead I apparently have created a static libunbound.a (that is considerably larger than the dynamic .so version), but I have no idea how to use it (just putting that in /opt/lib, removing the .so versions, and replacing the unbound binaries in /opt/sbin is not working).
Any more tips? (Or am I too clueless?)
However, I expected to end up with one or more large binaries with the libraries statically included. Instead I apparently have created a static libunbound.a (that is considerably larger than the dynamic .so version), but I have no idea how to use it (just putting that in /opt/lib, removing the .so versions, and replacing the unbound binaries in /opt/sbin is not working).
Any more tips? (Or am I too clueless?)
RMerlin
Asuswrt-Merlin dev
After building a binary, check with ldd to confirm that a library is no longer being dynamically linked. For OpenVPN, for example.
Static:
Dynamic:
Static:
Code:
merlin@ubuntu-dev:~/amng-ovpn/release/src/router/openvpn/src/openvpn/.libs$ arm-brcm-linux-uclibcgnueabi-ldd openvpn
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
libgcc_s.so.1 => not found (0x00000000)
libnvram.so => not found (0x00000000)
libwlcsm.so => not found (0x00000000)
libshared.so => not found (0x00000000)
libz.so.1 => not found (0x00000000)
libnsl.so.1 => not found (0x00000000)
liblzo2.so.2 => not found (0x00000000)
libpthread.so.0 => not found (0x00000000)
libdl.so.2 => not found (0x00000000)
libc.so.6 => not found (0x00000000)
/lib/ld-linux.so.3 => /lib/ld-linux.so.3 (0x00000000)Dynamic:
Code:
merlin@ubuntu-dev:~/amng.ac86/release/src/router/openvpn/src/openvpn/.libs$ arm-brcm-linux-uclibcgnueabi-ldd openvpn
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
libgcc_s.so.1 => not found (0x00000000)
libnvram.so => not found (0x00000000)
libwlcsm.so => not found (0x00000000)
libshared.so => not found (0x00000000)
libz.so.1 => not found (0x00000000)
libpthread.so.0 => not found (0x00000000)
libnsl.so.1 => not found (0x00000000)
liblzo2.so.2 => not found (0x00000000)
libcrypto.so.1.0.0 => not found (0x00000000)
libssl.so.1.0.0 => not found (0x00000000)
libdl.so.2 => not found (0x00000000)
libc.so.6 => not found (0x00000000)
/lib/ld-linux.so.3 => /lib/ld-linux.so.3 (0x00000000)You need to remove ~/Entware/staging_dir/target-aarch64_cortex-a53_glibc-2.27/opt/lib/libcrypto.so.1.1 and libssl.so.1.1.
Compiler search shared library first.
But You will fail anyway. It is not easy than my thought.
Current entware compiler makes error when link unbound to openssl statically.
crosstools-aarch64-gcc-5.3-linux-4.1-glibc-2.22-binutils-2.25 RT-AC86U compiler also failed.
crosstools-aarch64-gcc-5.5-linux-4.1-glibc-2.26-binutils-2.28.1 RT-AX88U compiler succeeded.
But binary failed to execute because of other shared libraries which compiled from different compiler.
I suspect the problem comes from binutils version.
For those interested in knowing EDNS Client-Subnet, I've done a write up recently, mainly notes for myself but general purpose enough to read (click the previous link).
Briefly touched upon why you want your own DNS resolvers too. And in case, you want to enable EDNS Client-Subnet in Unbound though not needed as explained in the article.
In other news, Unbound 1.9.0 has superior support for DNS over TLS, incorporated some nice TLS features (that have been in place e.g. in pixelserv-tls for a little while).
Briefly touched upon why you want your own DNS resolvers too. And in case, you want to enable EDNS Client-Subnet in Unbound though not needed as explained in the article.
In other news, Unbound 1.9.0 has superior support for DNS over TLS, incorporated some nice TLS features (that have been in place e.g. in pixelserv-tls for a little while).
XIII
Very Senior Member
Similar threads
Similar threads
Similar threads
-
-
-
-
-
Setting up 2 mac addresses to same IP in dnsmasq.conf.add
- Started by lokester
- Replies: 6
-
-
Beta Asuswrt-Merlin 3004.388.6_x test builds (dnsmasq 2.90)- Started by RMerlin
- Replies: 102
-
CVE 2023-50868 and CVE 2023-50387 in dnsmasq when DNSSEC is enabled
- Started by RMerlin
- Replies: 30
-
Latest threads
-
-
-
LAN > DHCP List - Manually Assigned Name + Icon DONT SAVE
- Started by copperhead
- Replies: 3
-
-
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!