From Segfault
Jump to: navigation, search


This is basically covered in the installation guide, we'll focus on post-install tasks here.



$ grep ^hostname /etc/rc.conf

For a static IP address configuration:

$ cat /etc/ifconfig.wm0 
inet netmask
!/sbin/route add default

For dynamic IP address configuration, configure:

$ grep ^dhcp /etc/rc.conf


Enable sshd, and disable password authentication once public key authentication has been set up:

$ grep ssh /etc/rc.conf
$ cat /etc/ssh/sshd_config
PermitRootLogin prohibit-password
PasswordAuthentication no
UsePam no


NetBSD ships with pdksh, which is already pretty neat (tab completion, history, incremental search-history), let's use all that:

$ grep ENV .profile                                                                                                                                                       
export ENV=$HOME/.kshrc

$ grep -v ^\# .kshrc
export PS1="$USER@$(hostname -s)# "
export HISTFILE=$HOME/.history
export HISTSIZE=10000
export PAGER=less
export LESS="--ignore-case --squeeze-blank-lines --no-init --RAW-CONTROL-CHARS"

set -o braceexpand on


$ cat /etc/fstab
/dev/sd0a       /               ffs     rw,log,noatime     1 1
/dev/sd0b       none            swap    sw                 0 0
tmpfs           /tmp            tmpfs   rw,nosuid,nodev,-m1777,-sram%25
tmpfs           /var/shm        tmpfs   rw,nosuid,nodev,-m1777,-sram%25
ptyfs           /dev/pts        ptyfs   rw,noexec,nosuid
kernfs          /kern           kernfs  rw,noexec,nosuid,nodev
procfs          /proc           procfs  rw,noexec,nosuid,nodev

/dev/cd0a       /mnt/cdrom      cd9660  ro,noauto
nfs0:/home      /home           nfs     rw,nodev,nosuid    0 0

Note: as soft updates have been removed from NetBSD[1], we're now using WAPBL instead.


On a minimal installation[2] only the most basic install sets were installed. To install e.g. man pages and text utilities:

for s in {man,text}.tgz SHA512; do 
  ftp$(uname -r)/$(uname -m)/binary/sets/${s}
cksum -a SHA512 -C SHA512

sudo tar -C / --unlink -xzvpf man.tgz
sudo tar -C / --unlink -xzvpf text.tgz

Create the index for apropos and whatis:

/etc/rc.d/makemandb start                                                         # Will continue in background

→ See #pkgsrc for more information on softwre installation.

Encrypted swap

Encrypted swap can be accomplished via cgd(4):

Generate a paramsfile for the cgd device:

$ cgdconfig -g -k urandomkey -o /etc/cgd/swap aes-xts                             # Be sure to choose a fast cipher.[3][4]

$ cat /etc/cgd/swap 
algorithm aes-xts;
iv-method encblkno1;
keylength 256;
verify_method none;
keygen urandomkey;

Initialize a cgd device with these parameters. Make sure, sd0b is currently not in use:

$ cgdconfig cgd0 /dev/sd0b /etc/cgd/swap 

Edit the disklabel for cgd0 to create a valid swap slice:

$ disklabel -e -I cgd0
# /dev/rcgd0d:
type: cgd
disk: cgd
label: swap
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 128
total sectors: 264129
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

5 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
a:    264129         0     swap                     # (Cyl.      0 -    128*)
d:    264129         0     unused      0     0      # (Cyl.      0 -    128*)

Save the disklabel to a file:

$ disklabel cgd0 > /etc/cgd/swap.disklabel

Set up the cgd to be configured automatically at boot:

$ cat /etc/cgd/cgd.conf
cgd0 /dev/sd0b /etc/cgd/swap

We need to restore our disklabel to the newly created cgd device at boot time. For this we'll create /etc/rc.conf.d/cgd with the following content:

$ cat /etc/rc.conf.d/cgd

cgd_swap() {
if [ -f $swap_disklabel ]; then
       disklabel -R -r $swap_device $swap_disklabel

We also have to add cgd device into /etc/fstab as a swap device:

$ grep swap /etc/fstab 
/dev/cgd0a      none            swap sw               0 0

Make sure that the Crypto file system driver is loaded:

$ grep -i cgd /etc/defaults/rc.conf 

After a reboot, our swap device should reside on cgd0a. Or we can activate it right now:

$ swapctl -a /dev/cgd0a
$ swapctl -l
Device      512-blocks     Used    Avail Capacity  Priority
/dev/cgd0a      264129        0   264129     0%    0


This is explained in Updating a stable NetBSD release. The steps in short:


Before updating, we'll need the source sets from a nearby mirror:

$ ftp$(uname -r)/source/sets/{SHA512,{sys,x,}src.tgz}
$ cksum -a sha512 -c SHA512
src.tgz: OK
syssrc.tgz: OK
xsrc.tgz: OK

Extract via sudo:

for s in src syssrc xsrc; do gzip -vdc ${s}.tgz | sudo tar -C / -xf -; done

After unpacking/building, these directories will have grown in size, so we need to make sure we have enough disk space:

2.1G    /usr/src/
331M    /usr/src/sys/
877M    /usr/xsrc/
3.6G    /var/pkgtmp/
3.4G    /var/pkgtmp/obj
124M    /var/pkgtmp/tools
2.0K    /var/pkgtmp/distfiles
2.0K    /var/pkgtmp/packages
2.0K    /var/pkgtmp/work

If we're building on a readonly /usr/pkgsrc (say, an NFS mount), we have to make a few preparations first:

sudo mkdir -p -m0750 /var/pkgtmp/{distfiles,obj,packages,tools,work}
sudo /sbin/chown $(whoami):$(groups | awk '{print $1}') /var/pkgtmp/*


The build is basically 4 steps:

# Updating the sources to a RELEASE tag from CVS[5][6]
cd /usr/src
sudo cvs -q update -dP -r netbsd-8-0-RELEASE
# Building the toolchain
export JOBS=$(/sbin/sysctl -n hw.ncpu)
./ -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools tools
# Building the kernel
./ -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools kernel=GENERIC
# Building the userland
./ -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools distribution

With everything in place, we can now install the new kernel and reboot before installing the new userland:

sudo mv -iv /netbsd /netbsd.old
sudo mv -iv /var/pkgtmp/obj/sys/arch/$(uname -m)/compile/GENERIC/netbsd /
sudo /sbin/shutdown -r now

Now that the new kernel has booted, we can install the new userland:

cd /usr/src
sudo ./ -U -j4 -O /var/pkgtmp/obj -T /var/pkgtmp/tools install=/ 
sudo /sbin/shutdown -r now

Be sure to run etcupdate to adjust the system's configuration files to its updated environment.


Upgrading NetBSD appears to be only supported with boot mediums[7], and maybe sysupgrade[8], or weird sysinst tricks[9], but in my experience setting the correct RELEASE tag and then rebuilding the system does work in most cases too.


Source Packages

Download a current pkgsrc archive from a nearby mirror:

cksum -a sha1 -c pkgsrc.tar.xz.SHA1

xz -dc pkgsrc.tar.xz | sudo tar -C /usr/ -xf -

We can configure the build process via /etc/mk.conf:

# Adjust as needed
MAKE_JOBS       = 4

# read-only /usr/pkgsrc
WRKOBJDIR       = /var/pkgtmp/work
DISTDIR         = /var/pkgtmp/distfiles
PACKAGES        = /var/pkgtmp/packages

# When building as an unprivileged user[10]
.if exists(${LOCALBASE}/bin/sudo)
  SU_CMD=        ${LOCALBASE}/bin/sudo /bin/sh -c


Binary packages

We have to set PKG_PATH to be able to install from network resources:

export PKG_PATH=$(uname -s)/$(uname -m)/$(uname -r)/All/          # Try http if needed
pkg_add -v netcat

We can also use pkgin to install binary packages:

pkg_add -v pkgin

pkgin update
pkgin -V install cowsay

Note: pkgin resp. pkg is kinda strict on the system's running architecture, so if we have any leftover packages installed from another architecture we may have to remove those:[11]

$ uname -p

$ for p in `pkg_info | awk '{print $1}'`; do printf "$p "; pkg_info -B $p | grep MACHINE_ARCH; done
bash-4.4.019 MACHINE_ARCH=x86_64
pkg_install-20180425 MACHINE_ARCH=i386
pkgin-0.11.6nb1 MACHINE_ARCH=x86_64
lz4-1.8.3 MACHINE_ARCH=x86_64
zstd-1.3.7 MACHINE_ARCH=x86_64
pv-1.6.0 MACHINE_ARCH=i386

After uninstalling those i386 packages, pkgin would run just fine.


The audit-packages and download-vulnerability-list commands have been deprecated and the pkg_admin should be used instead to track and update packages:[12]

$ pkg_admin -v fetch-pkg-vulnerabilities
$ pkg_admin -v audit
No vulnerabilities found

Then there's pkglint to check on pkgsrc packages:

$ pkglint /usr/pkgsrc/misc/cowsay
ERROR: /usr/pkgsrc/misc/cowsay/patches/patch-aa:3: Each patch must be documented.
1 error and 0 warnings found.
(Run "pkglint -e" to show explanations.)