How to "make modules_install" from cross-build environment to target? (ipset source package)
 

Hello,
I'm trying to install the "ipset" command to a target device from a cross-build environment on my PC (Ubuntu 18.0.4 on VirtualBox hosted by Windows 11).

According to the README file included in the extracted ipset-7.17.tar.bz2 package, I need to run

% ./autogen.sh
% ./configure
% make
% make modules
% make install
% make modules_install

Under my cross-build environment (after executing "source /opt/pxc/sdk/EPC1502/2022.0/environment-setup-corei7-64-pxc-linux", it was the toolchain directory provided by the target device vendor),

* "./autogen.sh" was completed,
* "./configure --host x86_64-pxc-linux" was completed (x86_64-pxc-linux was my target prefix),
* "make" was completed,
* "make modules" was completed,
* "sudo make install DESTDIR=/tmp/mydest/" was completed, I compressed /tmp/mydest/ into mydest.tgz, put mydest.tgz into the target device by sfpt, and extracted mydest.tgz over the root directory of the target machine.

I added options "--host ~~~" of "configure" and "DESTDIR=~~~" of "make install," as it was cross-build.

Finally, I wanted to "sudo make modules_install DESTDIR=/tmp/mydest", like "make install", but it didn't work well. "INSTALL_MOD_PATH=/tmp make modules_install" failed too.

The error messages are as follows, ( "x)" is the line number of the message)

1) make -C /lib/modules/`uname -r`/build M=$PWD/kernel/net \
2) KDIR=$PWD/kernel modules_install
3) make[1]: Entering directory '/usr/src/linux-headers-5.4.0-137-generic'
4) INSTALL /home/yumoto/ipset_exp/ipset-7.17/kernel/net/netfilter/ipset/ip_set.ko
5) At main.c:160:
6) - SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
7) - SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
8) sign-file: certs/signing_key.pem: No such file or directory
(and similar messages repeated.)

Then, I have these questions,

Q1. As a result of `uname -r`, kernel version 5.4.0-137-generic was used in 3), but the target kernel was 5.4.47-rt28-pxc. Is it OK, or do I need to add something option to "make modules_install"?

Q2. From 6), 7), and 8), it seemed that I should have prepared additional files. Searching for these error messages on the Internet, I found articles about something called "sign make," but I have not understood yet.
Do I need to "apt install" additional something into my cross-build environment?

*Cross build environment is on Ubuntu 18.0.4 on VirtualBox hosted by Windows 11,
*Target device is EPC 1502 of Phoenix Contact, YOCTO Linux based system with customized and patched kernel "5.4.47-rt28-pxc",
*Toolchain is PLCnext_Toolchain_Linux_2022.0.sh provided by the vendor (Phoenix Contact),
*SDK is pxc-glibc-x86_64-epc1502-image-sdk-corei7-64-epc1500-64-toolchain-2022.0.sh provided by the vendor (Phoenix Contact).

Any advice would be greatly appreciated.
Thanks.

Unless you add signing and verifications to the modules, they are just static files built into the default location directory. You can take those files(compress that folder) and use them.

Not sure how you build modules to another location though, but I'm fairly sure it is an option in the Kernel config itself. I vaguely remember having seen such a thing in there.

Thanks for your advice. > zeebra

When I checked /proc/config.gz on the target device, I could not find any ipset-related items as follows,

root@epc1502:/proc# zcat /proc/config.gz | grep IPTABLE
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES=m
root@epc1502:/proc# zcat /proc/config.gz | grep -i IPSET
root@epc1502:/proc#

I guessed it meant the kernel did not support ipset; was it correct?

I wouldn't bet on it. The names for all the tables section are a bit weird, and things might not be named what you think they are/should be named. There is actually a database online where you can search "common names" or assumed names of Kernel modules and get the actual module names. Too bad I can't remember the name of that page, it's quite good.

I would check it manually if I was you, or find that website to verify the names of the modules.

I found this site, a kind of Linux Kernel Driver Database,

https://cateee.net/lkddb/format.html

According to the site, the items related to ipset are

CONFIG_NET_EMATCH_IPSET
CONFIG_IP_SET
CONFIG_IP_SET_BITMAP_IP
CONFIG_IP_SET_BITMAP_IPMAC
CONFIG_IP_SET_BITMAP_PORT
CONFIG_IP_SET_HASH_IP
CONFIG_IP_SET_HASH_IPMAC
CONFIG_IP_SET_HASH_IPMARK
CONFIG_IP_SET_HASH_IPPORT
CONFIG_IP_SET_HASH_IPPORTIP
CONFIG_IP_SET_HASH_IPPORTNET
CONFIG_IP_SET_HASH_MAC
CONFIG_IP_SET_HASH_NET
CONFIG_IP_SET_HASH_NETIFACE
CONFIG_IP_SET_HASH_NETNET
CONFIG_IP_SET_HASH_NETPORT
CONFIG_IP_SET_HASH_NETPORTNET
CONFIG_IP_SET_LIST_SET

So I should search for "IPSET" and "IP_SET" from /proc/config.gz.
Then, I found only a comment, "# CONFIG_IP_SET is not set" as below,

root@epc1502:~# zcat /proc/config.gz | grep -i IPSET
root@epc1502:~# zcat /proc/config.gz | grep -i IP_SET
# CONFIG_IP_SET is not set
root@epc1502:~#

It seems that I can't use ipset unless the kernel is rebuilt with any option to enable ipset.
But the vendor doesn't provide any kernel rebuilding way.
I believe this is because they tuned the product strictly for real-time factory automation control.
So, in this case, I should give up using ipset with this device.

That's the one :)

Yup. IP_SET, not IPSET. Always a surprise in store. You have to rebuild it with IP_SET to use it yes, but if the situation doesn't allow that, then, well..
But never say never, but I don't know another way, but perhaps there is one.