From Segfault


This is basically covered in the installation guide, so we'll focus on post-install tasks here.



$ grep ^hostname /etc/rc.conf

For a static IP address configuration:

$ cat /etc/rc.conf
ifconfig_re0="inet netmask"

For dynamic IP address configuration, configure:

$ grep ^dhcp /etc/rc.conf
dhcpcd_flags="-qM re0"


Many applications rely on root certificate authorities, so we need to install the root certificates first:

pkg_add mozilla-rootcerts
touch /etc/openssl/openssl.cnf
mozilla-rootcerts install


$ cat /etc/fstab
/dev/sd0a       /               ffs     rw,log,noatime     1 1
/dev/sd0b       none            swap    sw                 0 0
tmpfs           /tmp            tmpfs   rw,nosuid,nodev,-m1777,-sram%25
tmpfs           /var/shm        tmpfs   rw,nosuid,nodev,-m1777,-sram%25
ptyfs           /dev/pts        ptyfs   rw,noexec,nosuid
kernfs          /kern           kernfs  rw,noexec,nosuid,nodev
procfs          /proc           procfs  rw,noexec,nosuid,nodev

/dev/cd0a       /mnt/cdrom      cd9660  ro,noauto
nfs0:/home      /home           nfs     rw,nodev,nosuid    0 0

Note: as soft updates have been removed from NetBSD[1], we're now using WAPBL instead.


Install some basic (binary) packages to start with:

PKG_PATH=$(uname -s)/$(uname -m)/$(uname -r)/All/ \
  pkg_add doas git htop iftop pkgin pv screen zsh

Configure doas:

$ cat /usr/pkg/etc/doas.conf
permit keepenv persist dummy as root
permit keepenv persist :wheel    # Alternatively, use nopass instead of persist

On a minimal installation[2] only the most basic install sets were installed. To install e.g. man pages and text utilities:

set -o braceexpand
ftp$(uname -r)/$(uname -m)/binary/sets/{SHA512,{comp,man,text}.tgz}
cksum -a SHA512 -c SHA512

for s in {comp,man,text}; do ls -lh ${s}.tgz && doas tar -C / --unlink -xzpf ${s}.tgz; done

Create the index for apropos and whatis:

doas /etc/rc.d/makemandb start    # Will continue in background

→ See #pkgsrc for more information on software installation.

Encrypted swap

Encrypted swap can be accomplished via cgd(4):

Generate a paramsfile for the cgd device:

$ cgdconfig -g -k urandomkey -o /etc/cgd/swap aes-xts    # Be sure to choose a fast cipher.[3][4]

$ cat /etc/cgd/swap 
algorithm aes-xts;
iv-method encblkno1;
keylength 256;
verify_method none;
keygen urandomkey;

Initialize a cgd device with these parameters. Make sure sd0b is not currently in use:

$ cgdconfig cgd0 /dev/sd0b /etc/cgd/swap 

Edit the disklabel for cgd0 to create a valid swap slice:

$ disklabel -e -I cgd0
# /dev/rcgd0d:
type: cgd
disk: cgd
label: swap
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 128
total sectors: 264129
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

5 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
a:    264129         0     swap                     # (Cyl.      0 -    128*)
d:    264129         0     unused      0     0      # (Cyl.      0 -    128*)

Save the disklabel to a file:

$ disklabel cgd0 > /etc/cgd/swap.disklabel

Set up the cgd to be configured automatically at boot:

$ cat /etc/cgd/cgd.conf
cgd0 /dev/sd0b /etc/cgd/swap

We need to restore our disklabel to the newly created cgd device at boot time. For this we'll create /etc/rc.conf.d/cgd with the following content:

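$ cat /etc/rc.conf.d/cgd
swap_device="cgd0"
swap_disklabel="/etc/cgd/swap.disklabel"
start_postcmd="cgd_swap"
# Restore the saved disklabel once the cgd device has been configured
cgd_swap() {
        if [ -f "$swap_disklabel" ]; then
                disklabel -R -r "$swap_device" "$swap_disklabel"
        fi
}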

We also have to add the cgd device to /etc/fstab as a swap device:

$ grep swap /etc/fstab 
/dev/cgd0a      none            swap sw               0 0

Make sure that the Crypto file system driver is loaded:

$ grep -i cgd /etc/defaults/rc.conf 

After a reboot, our swap device should reside on cgd0a. Or we can activate it right now:

$ swapctl -a /dev/cgd0a
$ swapctl -l
Device      512-blocks     Used    Avail Capacity  Priority
/dev/cgd0a      264129        0   264129     0%    0
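
The following script is an added example, not part of the original page: it cross-checks the files touched above, flagging swap entries in fstab that still point at an unencrypted partition, cgd swap devices that have no entry in cgd.conf, and a params file that does not use a random key. The function names and the `live` argument are made up for this example.

```shell
#!/bin/sh
# Added example: consistency checks for the cgd swap setup described above.
# File paths are arguments, so the checks can also run against copies.

# Print active fstab swap entries that are NOT on a cgd device.
plaintext_swap() {        # $1 = fstab
    awk '$1 !~ /^#/ && $3 == "swap" &&
         $1 !~ /^\/dev\/cgd[0-9]+[a-p]$/ { print $1 }' "$1"
}

# Print the cgd units (cgd0, ...) that fstab uses for swap.
cgd_swap_units() {        # $1 = fstab
    awk '$1 !~ /^#/ && $3 == "swap" && $1 ~ /^\/dev\/cgd[0-9]+[a-p]$/ {
             sub(/^\/dev\//, "", $1); sub(/[a-p]$/, "", $1); print $1 }' "$1"
}

# Succeed if the params file draws a fresh random key on every configure.
ephemeral_key() {         # $1 = cgd params file
    grep -Eq '^[[:space:]]*keygen[[:space:]]+u?randomkey[[:space:]]*;' "$1"
}

# Run all checks, print findings, return non-zero if there are any.
audit_swap() {            # $1 = fstab, $2 = cgd.conf, $3 = params file
    rc=0
    for dev in $(plaintext_swap "$1"); do
        echo "FAIL: unencrypted swap entry $dev"; rc=1
    done
    for unit in $(cgd_swap_units "$1"); do
        awk -v u="$unit" '$1 == u { found = 1 } END { exit !found }' "$2" ||
            { echo "FAIL: $unit is missing from cgd.conf"; rc=1; }
    done
    ephemeral_key "$3" ||
        { echo "FAIL: params file does not use a random key"; rc=1; }
    return "$rc"
}

# Audit the live files only when called with the argument "live".
if [ "${1:-}" = "live" ]; then
    audit_swap /etc/fstab /etc/cgd/cgd.conf /etc/cgd/swap
fi
```

With the fstab shown at the top of this page, the original `/dev/sd0b` swap line is reported until it is removed or commented out.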


This is explained in Updating a stable NetBSD release. The steps in short:


Before updating, we'll need the source sets from a nearby mirror:

set -o braceexpand
ftp$(uname -r)/source/sets/{SHA512,{sys,x,}src.tgz}
cksum -a sha512 -c SHA512

Extract via doas:

for s in src syssrc xsrc; do ls -lh ${s}.tgz && doas tar -C / -xzpf ${s}.tgz; done
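
Both set installations on this page (the binary sets earlier and the source sets here) run the extraction loop regardless of what `cksum -c` reported. As an added example that is not part of the original page, the functions below verify every set against the SHA512 list first and refuse to unpack anything on a mismatch. The function names are made up for this example, and it uses plain `tar -xzpf` with the target root passed as an argument.

```shell
#!/bin/sh
# Added example: extract release sets only after every digest matches.

# Print the SHA-512 hex digest of a file.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{ print $1 }'
    else
        # NetBSD cksum prints "SHA512 (file) = <hex>"
        cksum -a SHA512 "$1" | awk '{ print $NF }'
    fi
}

# Look up the expected digest for a file name in a BSD-style list.
expected_sha512() {       # $1 = digest list, $2 = file name
    awk -v f="($2)" '$1 == "SHA512" && $2 == f && $3 == "=" { print $4 }' "$1"
}

# Succeed only if the file is listed and its digest matches.
verified() {              # $1 = digest list, $2 = file
    want=$(expected_sha512 "$1" "$(basename "$2")")
    [ -n "$want" ] && [ "$want" = "$(sha512_of "$2")" ]
}

# Verify all sets first, then extract; nothing is unpacked on a mismatch.
extract_sets() {          # $1 = digest list, $2 = target root, rest = sets
    list=$1; dest=$2; shift 2
    for s in "$@"; do
        verified "$list" "$s" ||
            { echo "refusing to extract, digest mismatch: $s" >&2; return 1; }
    done
    for s in "$@"; do
        tar -C "$dest" -xzpf "$s" || return 1
    done
}
```

Because the SHA512 list comes from the same mirror as the sets, this catches corrupted or truncated downloads rather than a compromised mirror.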

After unpacking, these directories will have grown in size, so we need to make sure we have enough disk space:

$ du -sh /usr/src{,/sys} /usr/xsrc/ 
1.3G    /usr/src
332M    /usr/src/sys
675M    /usr/xsrc/

If we're building on a read-only /usr/pkgsrc (say, an NFS mount), we have to make a few preparations first:

doas mkdir -p -m0750 /var/pkgtmp/{distfiles,obj,packages,tools,work}
doas /sbin/chown -R $(whoami):$(groups | awk '{print $1}') /var/pkgtmp/*


The build is basically 4 steps:

# Updating the sources to a RELEASE tag from CVS
cd /usr/src
doas cvs -q update -dP -r netbsd-8-0-RELEASE    # 10 Minutes...?

We can also use Git[5][6] instead:

cd /usr
git clone
cd src
git checkout netbsd-8

# Building the toolchain
export JOBS=$(/sbin/sysctl -n hw.ncpu)
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools tools
# Building the kernel
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools kernel=GENERIC
# Building the userland
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools distribution

Space requirements:

$ du -csh /usr/*src
5.0G    /usr/src                                                                              #    2 GB for the CVS checkout
2.0G    /usr/pkgsrc                                                                           #  1.5 GB for the CVS checkout
1.0G    /usr/xsrc                                                                             # ~700 MB for the CVS checkout
8.0GB   total

And for the build directories:

$ du -csh /var/pkgtmp/*         
14M     /var/pkgtmp/distfiles
2.9G    /var/pkgtmp/obj
2.7M    /var/pkgtmp/packages
142M    /var/pkgtmp/tools
97M     /var/pkgtmp/work
3.2G    total

With everything in place, we can now install the new kernel and reboot before installing the new userland:

doas mv -iv /netbsd /netbsd.old
doas mv -iv /var/pkgtmp/obj/sys/arch/$(uname -m)/compile/GENERIC/netbsd /
doas /sbin/chown root:wheel /netbsd
doas /sbin/shutdown -r now

Now that the new kernel has booted, we can install the new userland:

cd /usr/src
doas ./build.sh -U -O /var/pkgtmp/obj -T /var/pkgtmp/tools install=/
doas /sbin/shutdown -r now

Be sure to run etcupdate to adjust the system's configuration files to its updated environment.

Sometimes it's recommended (or necessary)[7] to empty out the build directories:

/bin/rm -r /var/pkgtmp/{obj,tools,work}/*


Upgrading NetBSD appears to be only supported with boot mediums[8], and maybe sysupgrade[9], or weird sysinst tricks[10], but in my experience setting the correct RELEASE tag and then rebuilding the system does work in most cases too.


Source Packages

Download a current pkgsrc archive from a nearby mirror:

set -o braceexpand
cksum -a sha1 -c pkgsrc.tar.xz.SHA1

xz -dc pkgsrc.tar.xz | doas tar -C /usr/ -xpf -

Or, via git:

cd /usr
doas git clone
doas git checkout pkgsrc-2020Q1

We can configure the build process via /etc/mk.conf:

MAKE_JOBS       = 4

WRKOBJDIR       = /var/pkgtmp/work
DISTDIR         = /var/pkgtmp/distfiles
PACKAGES        = /var/pkgtmp/packages

# When building as an unprivileged user[11][12]
SU_CMD          = ${LOCALBASE}/bin/doas /bin/sh -c

Install missing packages:

for p in doas git iftop pkgin pv rsync screen sysupgrade vnstat; do cd /usr/pkgsrc/*/${p} && make install || break; done

Binary packages

We have to set PKG_PATH to be able to install from network resources:

PKG_PATH=$(uname -s)/$(uname -m)/$(uname -r)/All/ \
  pkg_add -v netcat

We can also use pkgin to install binary packages:

pkg_add -v pkgin

pkgin update
pkgin -V install cowsay

Note: pkgin (and pkg, respectively) is rather strict about the system's running architecture, so if we have any leftover packages installed from another architecture, we may have to remove them:[13]

$ uname -p

$ for p in $(pkg_info | awk '{print $1}'); do printf '%s ' "$p"; pkg_info -B "$p" | grep MACHINE_ARCH; done
bash-4.4.019 MACHINE_ARCH=x86_64
pkg_install-20180425 MACHINE_ARCH=i386
pkgin-0.11.6nb1 MACHINE_ARCH=x86_64
lz4-1.8.3 MACHINE_ARCH=x86_64
zstd-1.3.7 MACHINE_ARCH=x86_64
pv-1.6.0 MACHINE_ARCH=i386

After uninstalling those i386 packages, pkgin would run just fine.

Remove leftover packages:

for p in $(pkg_info | egrep -v 'doas|htop|git|iftop|pkg_install|pkgin|pv|screen|sysupgrade|zsh' | awk '{print $1}' | sed 's/-[0-9].*//' | sort); do echo ${p} && pkg_delete ${p}; done


The audit-packages and download-vulnerability-list commands have been deprecated; pkg_admin should be used instead to track and update packages:[14]

$ pkg_admin -v fetch-pkg-vulnerabilities
$ pkg_admin -v audit
No vulnerabilities found

Then there's pkglint to check on pkgsrc packages:

$ pkglint /usr/pkgsrc/misc/cowsay
ERROR: /usr/pkgsrc/misc/cowsay/patches/patch-aa:3: Each patch must be documented.
1 error and 0 warnings found.
(Run "pkglint -e" to show explanations.)