NetBSD

From Segfault

Installation

Installation itself is covered in the installation guide; here we focus on post-install tasks.

Postinstall

Network

$ grep ^hostname /etc/rc.conf
hostname=alice

For a static IP address configuration:

$ cat /etc/rc.conf
[...]
auto_ifconfig=YES
ifconfig_re0="inet 10.0.0.123 netmask 255.255.255.0"
defaultroute="10.0.0.1"

For dynamic IP address configuration, configure:

$ grep ^dhcp /etc/rc.conf
dhcpcd=YES
dhcpcd_flags="-qM re0"

Only loosely related to networking: set ntpd's -g (--panicgate) flag so it accepts large initial clock adjustments:

$ grep ntpd /etc/rc.conf
ntpd=YES
ntpd_flags="-g"
ntpdate=YES

mozilla-rootcerts

Many applications need the root certificate authorities to validate TLS connections, so we need to prepare for this:

pkg_add mozilla-rootcerts
touch /etc/openssl/openssl.cnf
mozilla-rootcerts install

fstab

$ cat /etc/fstab
/dev/sd0a       /               ffs     rw,log,noatime     1 1
/dev/sd0b       none            swap    sw                 0 0
tmpfs           /tmp            tmpfs   rw,nosuid,nodev,-m1777,-sram%25
tmpfs           /var/shm        tmpfs   rw,nosuid,nodev,-m1777,-sram%25
ptyfs           /dev/pts        ptyfs   rw,noexec,nosuid
kernfs          /kern           kernfs  rw,noexec,nosuid,nodev
procfs          /proc           procfs  rw,noexec,nosuid,nodev

/dev/cd0a       /mnt/cdrom      cd9660  ro,noauto
nfs0:/home      /home           nfs     rw,nodev,nosuid    0 0

Note: as soft updates have been removed from NetBSD[1], we're now using WAPBL instead.
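An added check, not part of the original page: it audits an fstab for the mount-hardening options used in the sample above (nosuid and nodev on every non-root, non-swap mount, plus noexec on the ptyfs/kernfs/procfs pseudo filesystems; ptyfs is exempt from nodev because it provides device nodes). The sample fstab is constructed from the one above with two entries deliberately weakened.

```shell
# Report mounts in an fstab-style file that lack the expected hardening options.
# Usage: audit_fstab /path/to/fstab   (prints one line per finding)
audit_fstab() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }          # skip comments and short lines
        $2 == "/" || $3 == "swap" { next }    # root and swap are not expected to carry these
        {
            n = split($4, opts, ",")
            has_nosuid = has_nodev = has_noexec = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "nosuid") has_nosuid = 1
                if (opts[i] == "nodev")  has_nodev = 1
                if (opts[i] == "noexec") has_noexec = 1
            }
            if (!has_nosuid) printf "%s: missing nosuid\n", $2
            if (!has_nodev && $3 != "ptyfs") printf "%s: missing nodev\n", $2
            if (($3 == "ptyfs" || $3 == "kernfs" || $3 == "procfs") && !has_noexec)
                printf "%s: missing noexec\n", $2
        }' "$1"
}

# Constructed sample: the fstab from above, with /tmp and /dev/pts weakened.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
/dev/sd0a       /               ffs     rw,log,noatime     1 1
/dev/sd0b       none            swap    sw                 0 0
tmpfs           /tmp            tmpfs   rw,-m1777,-sram%25
tmpfs           /var/shm        tmpfs   rw,nosuid,nodev,-m1777,-sram%25
ptyfs           /dev/pts        ptyfs   rw,nosuid
procfs          /proc           procfs  rw,noexec,nosuid,nodev
nfs0:/home      /home           nfs     rw,nodev,nosuid    0 0
EOF

audit_fstab "$SAMPLE_FSTAB"
```

Run it against the real /etc/fstab to confirm the options survive later edits; an empty report means every entry matches the policy encoded in the function.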

Packages

Install some basic (binary) packages to start with:

PKG_PATH=http://cdn.netbsd.org/pub/pkgsrc/packages/$(uname -s)/$(uname -m)/$(uname -r)/All/ \
  pkg_add doas git htop iftop pkgin pv screen zsh

Configure doas:

$ cat /usr/pkg/etc/doas.conf
permit keepenv persist dummy as root
permit keepenv persist :wheel                                                          # Alternatively, use nopass instead of persist

On a minimal installation[2] only the most basic install sets were installed. To install e.g. man pages and text utilities:

set -o braceexpand
ftp https://cdn.netbsd.org/pub/NetBSD/NetBSD-$(uname -r)/$(uname -m)/binary/sets/{SHA512,{comp,man,text}.tgz}
cksum -a SHA512 -c SHA512

for s in {comp,man,text}; do ls -lh ${s}.tgz && doas tar -C / --unlink -xzpf ${s}.tgz; done

Create the index for apropos and whatis:

doas /etc/rc.d/makemandb start                                                         # Will continue in background

→ See #pkgsrc for more information on software installation.

Encrypted swap

Encrypted swap can be accomplished via cgd(4):

Generate a paramsfile for the cgd device:

$ cgdconfig -g -k urandomkey -o /etc/cgd/swap aes-xts                             # Be sure to choose a fast cipher.[3][4]

$ cat /etc/cgd/swap 
algorithm aes-xts;
iv-method encblkno1;
keylength 256;
verify_method none;
keygen urandomkey;

Initialize a cgd device with these parameters. Make sure sd0b is not currently in use:

$ cgdconfig cgd0 /dev/sd0b /etc/cgd/swap 

Edit the disklabel for cgd0 to create a valid swap slice:

$ disklabel -e -I cgd0
# /dev/rcgd0d:
type: cgd
disk: cgd
label: swap
flags:
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 128
total sectors: 264129
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

5 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
a:    264129         0     swap                     # (Cyl.      0 -    128*)
d:    264129         0     unused      0     0      # (Cyl.      0 -    128*)

Save the disklabel to a file:

$ disklabel cgd0 > /etc/cgd/swap.disklabel

Set up the cgd to be configured automatically at boot:

$ cat /etc/cgd/cgd.conf
cgd0 /dev/sd0b /etc/cgd/swap

We need to restore our disklabel to the newly created cgd device at boot time. For this we'll create /etc/rc.conf.d/cgd with the following content:

$ cat /etc/rc.conf.d/cgd
swap_device="cgd0"
swap_disklabel="/etc/cgd/swap.disklabel"
start_postcmd="cgd_swap"

cgd_swap() {
    # Restore the saved disklabel onto the freshly configured cgd device.
    if [ -f "$swap_disklabel" ]; then
        disklabel -R -r "$swap_device" "$swap_disklabel"
    fi
}

We also have to add cgd device into /etc/fstab as a swap device:

$ grep swap /etc/fstab 
/dev/cgd0a      none            swap sw               0 0

Make sure cgd is enabled in rc.conf, so the devices listed in cgd.conf are configured at boot (it is enabled in the defaults):

$ grep -i cgd /etc/defaults/rc.conf 
cgd=YES

After a reboot, our swap device should reside on cgd0a. Or we can activate it right now:

$ swapctl -a /dev/cgd0a
$ swapctl -l
Device      512-blocks     Used    Avail Capacity  Priority
/dev/cgd0a      264129        0   264129     0%    0

Firewall

NetBSD uses NPF as its firewall; example configurations can be found in the /usr/share/examples/npf/ directory. A very basic configuration for a non-routing host with only one interface would be:

$ cat /etc/npf.conf
$vif = "vioif0"
$vif_addrs = ifaddrs(vioif0)

alg "icmp"
procedure "log" {
    log: npflog0
}

group "wired" on $vif {
    ruleset "blacklistd"
    pass stateful in on $vif proto tcp to $vif_addrs port ssh apply "log"
}

group default {
    block all apply "log"
    pass on lo0 all
    pass in family inet4 proto udp from any port bootps to any port bootpc
    pass in family inet6 proto udp from any to any port "dhcpv6-client"
    pass family inet6 proto ipv6-icmp all
    pass in family inet4 proto icmp icmp-type echo all
#   pass in proto udp to any port 33434-33600
#   pass in proto udp to any port mdns
    pass stateful out all
}

Add npf=YES to /etc/rc.conf to start NPF automatically on boot, or call npfctl start to apply the rules immediately.

Update

This is explained in Updating a stable NetBSD release. The steps in short:

Prerequisites

Tarballs

Before updating, we'll need the source sets from a nearby mirror:

set -o braceexpand
ftp https://cdn.netbsd.org/pub/NetBSD/NetBSD-$(uname -r)/source/sets/{SHA512,{sys,x,}src.tgz}
cksum -a sha512 -c SHA512

Extract via doas:

for s in src syssrc xsrc; do ls -lh ${s}.tgz && doas tar -C / -xzpf ${s}.tgz; done

After unpacking, these directories will have grown in size, so we need to make sure we have enough disk space:

$ du -sh /usr/src{,/sys} /usr/xsrc/ 
1.3G    /usr/src
332M    /usr/src/sys
675M    /usr/xsrc/

If we're building on a read-only /usr/pkgsrc (say, an NFS mount), we have to make a few preparations first:

doas mkdir -p -m0770 /var/pkgtmp/{distfiles,obj,packages,tools,work}
doas chgrp -R wsrc   /var/pkgtmp/*                                                                # We have to be a member of wsrc to build here.

CVS

We can also update (or check out) the sources at a RELEASE tag from CVS:

cd /usr/src
doas cvs -q update -dP -r netbsd-9-0-RELEASE

Git

We can also use Git[5][6] instead:

cd /usr
git clone https://github.com/NetBSD/src.git
cd src
git checkout netbsd-9

Building

Build the toolchain:

export JOBS=$(/sbin/sysctl -n hw.ncpu)
cd /usr/src/
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools tools

If necessary, create and edit a custom kernel configuration:[7]

doas cp -iv /usr/src/sys/arch/$(uname -m)/conf/{GENERIC,FOOBAR}
doas vi /usr/src/sys/arch/$(uname -m)/conf/FOOBAR

Build the kernel:

./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools kernel=GENERIC

Build the userland:

rm -rf /var/pkgtmp/obj/destdir.$(uname -m)                                                    # May be needed for upgrades[8]
doas chmod g+w external/gpl3/gdb/dist/gdb/rust-exp.c                                          # May be needed for netbsd-8[9]
 
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools distribution                  # Add -o to NOT rebuild "objdirs"; add -u to NOT run "make cleandir" first.

With everything in place, we can now install the new kernel and reboot before installing the new userland:

doas mv -iv /netbsd /netbsd.old
doas mv -iv /var/pkgtmp/obj/sys/arch/$(uname -m)/compile/GENERIC/netbsd /
doas /sbin/chown root:wheel /netbsd*

When doing an upgrade, we also have to install the newly built kernel modules:[10]

MDIR=/var/tmp/modules
mkdir -p ${MDIR}/usr/libdata/ldscripts                                                        # See PR#55081[11]
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools installmodules=${MDIR}
doas cp -vR ${MDIR}/{stand,usr} /

rm -rf ${MDIR}

After kernel (and modules) have been installed, we can reboot with:

doas /sbin/shutdown -r now

Now that the new kernel has booted, we can install the new userland:

cd /usr/src
doas ./build.sh -U -O /var/pkgtmp/obj -T /var/pkgtmp/tools install=/ 
doas /sbin/shutdown -r now

Be sure to run etcupdate to adjust the system's configuration files to its updated environment.

Sometimes it's recommended (or necessary)[12] to empty out the build directories:

rm -r /var/pkgtmp/{obj,tools,work}/*

Upgrade

Upgrading NetBSD appears to be only supported with boot media[13], and maybe sysupgrade[14], or weird sysinst tricks[15], but in my experience setting the correct RELEASE tag and then rebuilding the system does work in most cases too.

pkgsrc

Source Packages

Download a current pkgsrc archive from a nearby mirror:

set -o braceexpand
ftp https://cdn.netbsd.org/pub/pkgsrc/stable/pkgsrc.tar.xz{,.SHA1}
cksum -a sha1 -c pkgsrc.tar.xz.SHA1

xz -dc pkgsrc.tar.xz | doas tar -C /usr/ -xpf -

Or, via git:

cd /usr
doas git clone https://github.com/NetBSD/pkgsrc.git
cd pkgsrc                                                                                     # The checkout has to happen inside the clone
doas git checkout pkgsrc-2021Q1

We can configure the build process via /etc/mk.conf

MAKE_JOBS       = 4

WRKOBJDIR       = /var/pkgtmp/work
DISTDIR         = /var/pkgtmp/distfiles
PACKAGES        = /var/pkgtmp/packages

# When building as an unprivileged user[16][17]
SU_CMD          = ${LOCALBASE}/bin/doas /bin/sh -c

Add some hardening options:

PKGSRC_USE_FORTIFY      = 2
PKGSRC_USE_SSP          = strong
PKGSRC_MKPIE            = yes
PKGSRC_MKREPRO          = yes
PKGSRC_USE_RELRO        = full
PKGSRC_USE_STACK_CHECK  = yes

Install missing packages:

for p in doas git iftop pkgin pv rsync screen sysupgrade vnstat; do cd /usr/pkgsrc/*/${p} && make install || break; done

Binary packages

We have to set PKG_PATH to be able to install from network resources:

PKG_PATH=https://cdn.netbsd.org/pub/pkgsrc/packages/$(uname -s)/$(uname -m)/$(uname -r)/All/ \
  pkg_add -v netcat

We can also use pkgin to install binary packages:

$ pkg_add -v pkgin

$ grep ^http /usr/pkg/etc/pkgin/repositories.conf
https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/$arch/$osrelease/All

Update package database, and install something:

pkgin update
pkgin -V install cowsay

Note: pkgin (and pkg_add) is rather strict about the system's running architecture, so if we have any leftover packages installed from another architecture we may have to remove those:[18]

$ uname -p
x86_64

$ for p in $(pkg_info | awk '{print $1}'); do printf "$p "; pkg_info -B $p | grep MACHINE_ARCH; done
bash-4.4.019 MACHINE_ARCH=x86_64
pkg_install-20180425 MACHINE_ARCH=i386
pkgin-0.11.6nb1 MACHINE_ARCH=x86_64
lz4-1.8.3 MACHINE_ARCH=x86_64
zstd-1.3.7 MACHINE_ARCH=x86_64
pv-1.6.0 MACHINE_ARCH=i386

After uninstalling those i386 packages, pkgin would run just fine.

Remove leftover packages:

for p in $(pkg_info | egrep -v 'doas|htop|git|iftop|pkg_install|pkgin|pv|screen|sysupgrade|zsh' | awk '{print $1}' | sed 's/-[0-9].*//' | sort); do echo ${p} && pkg_delete ${p}; done
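An added helper, not from the original page: it consumes the "name-version MACHINE_ARCH=arch" lines that the loop above prints and selects packages built for a different architecture than the host, so the removal list is derived from the actual mismatch rather than a hand-written exclusion list. pkg_install is always kept, as in the loop above, since deleting it would remove the package tools themselves. The sample listing is constructed to mirror the output shown above.

```shell
# List packages whose MACHINE_ARCH differs from the host architecture.
# Usage: <listing> | foreign_pkgs "$(uname -p)"   -> lines of "name arch"
foreign_pkgs() {
    awk -v host="$1" '
        NF == 2 && sub(/^MACHINE_ARCH=/, "", $2) {
            name = $1
            sub(/-[0-9][^-]*$/, "", name)          # strip the trailing version, e.g. pv-1.6.0 -> pv
            if ($2 != host && name != "pkg_install")
                printf "%s %s\n", name, $2
        }' | sort
}

# Constructed sample listing, mirroring the output of the loop above.
SAMPLE_PKGS='bash-4.4.019 MACHINE_ARCH=x86_64
pkg_install-20180425 MACHINE_ARCH=i386
pkgin-0.11.6nb1 MACHINE_ARCH=x86_64
lz4-1.8.3 MACHINE_ARCH=x86_64
zstd-1.3.7 MACHINE_ARCH=x86_64
pv-1.6.0 MACHINE_ARCH=i386'

# Print the removal commands instead of running them, so they can be reviewed first.
printf '%s\n' "$SAMPLE_PKGS" | foreign_pkgs x86_64 | while read -r name arch; do
    echo "pkg_delete ${name}   # built for ${arch}"
done
```

On a real system, feed it `for p in $(pkg_info | awk '{print $1}'); do printf "$p "; pkg_info -B $p | grep MACHINE_ARCH; done` and `$(uname -p)`; a leftover foreign pkg_install has to be replaced by hand with a native build.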

Updating

The audit-packages and download-vulnerability-list commands have been deprecated; pkg_admin should be used instead to track and update packages:[19]

$ pkg_admin -v fetch-pkg-vulnerabilities
$ pkg_admin -v audit
No vulnerabilities found

Then there's pkglint to check on pkgsrc packages:

$ pkglint /usr/pkgsrc/misc/cowsay
ERROR: /usr/pkgsrc/misc/cowsay/patches/patch-aa:3: Each patch must be documented.
1 error and 0 warnings found.
(Run "pkglint -e" to show explanations.)
