NetBSD
Installation
The installation itself is covered in the installation guide; this page focuses on post-install tasks.
Postinstall
Network
$ grep ^hostname /etc/rc.conf
hostname=alice
For a static IP address configuration:
$ cat /etc/rc.conf
[...]
auto_ifconfig=YES
ifconfig_re0="inet 10.0.0.123 netmask 255.255.255.0"
defaultroute="10.0.0.1"
For dynamic IP address configuration, configure:
$ grep ^dhcp /etc/rc.conf
dhcpcd=YES
dhcpcd_flags="-qM re0"
Only slightly related to the network: set --panicgate (-g) for ntpd so that it accepts a large initial clock adjustment instead of exiting:
$ grep ntpd /etc/rc.conf
ntpd=YES
ntpd_flags="-g"
ntpdate=YES
mozilla-rootcerts-openssl
Many applications (TLS clients in particular) need a set of trusted root CA certificates. NetBSD 10 ships one in base, managed by certctl(8); on older releases install a bundle from pkgsrc:
pkg_add ca-certificates
Or, for the Mozilla variant:[1]
pkg_add mozilla-rootcerts-openssl
fstab
$ cat /etc/fstab
/dev/sd0a / ffs rw,log,noatime 1 1
/dev/cgd0a none swap sw,dp 0 0
# Plain swap on sd0b only if sd0b is not the backing store of cgd0 (see "Encrypted swap"):
# /dev/sd0b none swap sw 0 0
/dev/cd0a /mnt/cdrom cd9660 ro,noauto
tmpfs /tmp tmpfs rw,nosuid,nodev,-m1777,-sram%25
tmpfs /var/shm tmpfs rw,nosuid,nodev,-m1777,-sram%25
ptyfs /dev/pts ptyfs rw,noexec,nosuid
kernfs /kern kernfs ro,noexec,nosuid,nodev
procfs /proc procfs ro,noexec,nosuid,nodev
none /sys/mfs mfs rw,noauto,-s=128m
none /sys/sysctl sysctlfs rw,noauto
nfs0:/home /home nfs rw,nodev,nosuid
/dev/sd1a /mnt/sd1 ffs rw,log,noatime
/mnt/sd1/src /usr/src null rw
Note: soft updates have been removed from NetBSD[2], so the "log" mount option (WAPBL, the journaling layer for FFS) is used instead.
Packages
Install some basic (binary) packages to start with:
PKG_PATH=https://cdn.netbsd.org/pub/pkgsrc/packages/$(uname -s)/$(uname -m)/$(uname -r | cut -d_ -f1)/All/ \
pkg_add doas git iftop mercurial pkgin pv screen zsh
Configure doas:
$ cat /usr/pkg/etc/doas.conf
permit keepenv persist dummy as root
permit keepenv persist :wheel
# Alternatively, use nopass instead of persist
Note that keepenv hands the caller's complete environment to the root process; leave it out where it is not needed, or pass only specific variables with setenv { ... } instead.
On a minimal installation[3] only the most basic install sets were installed. To install e.g. man pages and text utilities:
set -o braceexpand
ftp https://cdn.netbsd.org/pub/NetBSD/NetBSD-$(uname -r)/$(uname -m)/binary/sets/{SHA512,{comp,man,text}.tgz}
cksum -a SHA512 -c SHA512
for s in {comp,man,text}; do ls -lh ${s}.tgz && doas tar -C / --unlink -xzpf ${s}.tgz; done
Create the index for apropos and whatis:
doas /etc/rc.d/makemandb start # Will continue in background
→ See #pkgsrc for more information on software installation.
Encrypted swap
Encrypted swap can be accomplished via cgd(4):
Generate a parameters file for the cgd device. keygen urandomkey draws a fresh key from the kernel's random pool every time cgd0 is configured, so whatever was swapped out becomes unreadable at the next reboot; that is also why verify_method is none, as there is no persistent key to verify against:
$ cgdconfig -g -k urandomkey -o /etc/cgd/swap aes-xts   # Be sure to choose a fast cipher.[4][5]
$ cat /etc/cgd/swap
algorithm aes-xts;
iv-method encblkno1;
keylength 256;
verify_method none;
keygen urandomkey;
Initialize a cgd device with these parameters. Make sure sd0b is currently not in use (it must not show up in swapctl -l):
$ cgdconfig cgd0 /dev/sd0b /etc/cgd/swap
Edit the disklabel for cgd0 to create a valid swap slice:
$ disklabel -e -I cgd0
# /dev/rcgd0d:
type: cgd
disk: cgd
label: swap
flags:
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 128
total sectors: 264129
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

5 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 a:    264129         0       swap                     # (Cyl.      0 -    128*)
 d:    264129         0     unused      0     0        # (Cyl.      0 -    128*)
Save the disklabel to a file:
$ disklabel cgd0 > /etc/cgd/swap.disklabel
Set up the cgd to be configured automatically at boot:
$ cat /etc/cgd/cgd.conf
cgd0 /dev/sd0b /etc/cgd/swap
Because the key is new at every boot, the disklabel written to cgd0 does not survive a reboot and has to be restored to the newly created cgd device each time. For this we create /etc/rc.conf.d/cgd with the following content:
$ cat /etc/rc.conf.d/cgd
swap_device="cgd0"
swap_disklabel="/etc/cgd/swap.disklabel"
start_postcmd="cgd_swap"

cgd_swap() {
	if [ -f $swap_disklabel ]; then
		disklabel -R -r $swap_device $swap_disklabel
	fi
}
We also have to add the cgd device to /etc/fstab as a swap device:
$ grep swap /etc/fstab
/dev/cgd0a none swap sw 0 0
Make sure the cgd rc.d script is enabled, so that /etc/cgd/cgd.conf is processed at boot (it is on by default):
$ grep -i cgd /etc/defaults/rc.conf
cgd=YES
After a reboot, our swap device should reside on cgd0a. Or we can activate it right now:
$ swapctl -a /dev/cgd0a
$ swapctl -l
Device      512-blocks     Used    Avail Capacity  Priority
/dev/cgd0a      264129        0   264129     0%    0
Firewall
NetBSD uses NPF as its packet filter; example configurations can be found in the /usr/share/examples/npf/ directory. A very basic configuration for a non-routing host with only one interface:
$ cat /etc/npf.conf
$vif = "vioif0"
$vif_addrs = ifaddrs(vioif0)

alg "icmp"

procedure "log" {
	log: npflog0
}

group "wired" on $vif {
	ruleset "blacklistd"
	pass stateful in on $vif proto tcp to $vif_addrs port ssh apply "log"
}

group default {
	block all apply "log"
	pass on lo0 all
	pass in family inet4 proto udp from any port bootps to any port bootpc
	pass in family inet6 proto udp from any to any port "dhcpv6-client"
	pass family inet6 proto ipv6-icmp all
	pass in family inet4 proto icmp icmp-type echo all
	# pass in proto udp to any port 33434-33600
	# pass in proto udp to any port mdns
	pass stateful out all
}
Add npf=YES to /etc/rc.conf to start NPF automatically on boot. To apply the rules right away, validate the file, load it, then enable filtering: npfctl validate /etc/npf.conf && npfctl reload && npfctl start (or simply /etc/rc.d/npf start). Note that npfctl start alone only enables packet handling; it does not load /etc/npf.conf. Two things this configuration depends on: the "log" procedure writes to npflog0, which must exist (ifconfig npflog0 create, e.g. from /etc/ifconfig.npflog0; watch it with tcpdump -i npflog0), and the ruleset "blacklistd" slot only gets rules when blacklistd(8) is running (blacklistd=YES in /etc/rc.conf).
Update
This is explained in Updating a stable NetBSD release. The steps in short:
Source
Mercurial
While NetBSD is primarily still being developed via CVS, there are somewhat official Mercurial repositories[6] now in place. Check out the sources via:
cd /usr
hg clone https://anonhg.NetBSD.org/src
hg clone https://anonhg.NetBSD.org/xsrc
Update via:
hg pull
hg update
Git
There are official and regularly updated Git[7][8] mirror repositories in place:
cd /usr
git clone https://github.com/NetBSD/src.git
cd src
git checkout netbsd-9
Or, for an already existing checkout:
cd /usr/src
git pull
git checkout netbsd-9
git clean -dfx   # Removes all untracked files, including ignored ones.
It might make sense to check out the release branch afresh:[9]
git checkout trunk
git branch -D netbsd-9
git checkout netbsd-9
CVS
We can also update (or check out) the sources to a RELEASE tag from CVS:
cd /usr/src
doas cvs -q update -dP -r netbsd-9-0-RELEASE
Tarballs
Before updating, we'll need the source sets from a nearby mirror:
set -o braceexpand
ftp https://cdn.netbsd.org/pub/NetBSD/NetBSD-$(uname -r)/source/sets/{SHA512,{sys,x,}src.tgz}
cksum -a sha512 -c SHA512
Extract via doas:
for s in src syssrc xsrc; do ls -lh ${s}.tgz && doas tar -C / -xzpf ${s}.tgz; done
Preparation
After unpacking, these directories will have grown in size, so we need to make sure we have enough disk space:
$ du -sh /usr/src{,/sys} /usr/xsrc/
2.0G    /usr/src
500M    /usr/src/sys
800M    /usr/xsrc/
If we're building from a read-only source tree (say, an NFS mount), we have to make a few preparations first so that object files, tools and packages land somewhere writable:
doas mkdir -p -m0770 /var/pkgtmp/{distfiles,obj,packages,tools,work}
doas chgrp -R wsrc /var/pkgtmp/*   # We have to be a member of wsrc to build here.
Building
Build the toolchain:
export JOBS=$(/sbin/sysctl -n hw.ncpu)
cd /usr/src/
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools tools
If necessary, configure the kernel configuration:[10]
doas cp -iv /usr/src/sys/arch/$(uname -m)/conf/{GENERIC,FOOBAR}
doas vi /usr/src/sys/arch/$(uname -m)/conf/FOOBAR
Build the kernel:
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools kernel=GENERIC   # Use FOOBAR to build the new configuration instead
Build the userland:
rm -rf /var/pkgtmp/obj/destdir.$(uname -m)                    # May be needed for upgrades[11]
doas chmod g+w external/gpl3/gdb/dist/gdb/rust-exp.c          # May be needed for netbsd-8[12]
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools distribution   # Add -o to NOT rebuild "objdirs"; add -u to NOT run "make cleandir" first.
With everything in place, we can now install the new kernel and reboot before installing the new userland:
doas mv -iv /netbsd /netbsd.old
doas mv -iv /var/pkgtmp/obj/sys/arch/$(uname -m)/compile/GENERIC/netbsd /
doas /sbin/chown root:wheel /netbsd*
When doing an upgrade, we also have to install the newly built kernel modules:[13]
MDIR=/var/tmp/modules
mkdir -p ${MDIR}/usr/libdata/ldscripts   # See PR#55081[14]
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools installmodules=${MDIR}
doas cp -vR ${MDIR}/{stand,usr} /
rm -rf ${MDIR}
After kernel (and modules) have been installed, we can reboot with:
doas /sbin/shutdown -r now
Now that the new kernel has booted, we can install the new userland:
cd /usr/src doas ./build.sh -U -O /var/pkgtmp/obj -T /var/pkgtmp/tools install=/
Update the system configuration files as well:
doas /usr/sbin/postinstall -s /usr/src check
doas /usr/sbin/postinstall -s /usr/src fix
doas /usr/sbin/etcupdate -s /usr/src
Reboot:
doas /sbin/shutdown -r now
Sometimes it's recommended (or necessary)[15] to empty out the build directories:
doas rm -r /var/pkgtmp/{obj,tools,work}/*
Upgrade
Upgrading NetBSD appears to be only supported with boot media[16], and maybe sysupgrade[17], or weird sysinst tricks[18], but in my experience setting the correct RELEASE tag and then rebuilding the system does work in most cases too.
sysupgrade
sysupgrade auto
This will do the following:
- Fetch distribution sets
- Upgrade the kernel & modules
- Upgrade the system
- Run etcupdate to merge configuration file changes
- Run postinstall to help with upgrade tasks
- Run cleaning jobs
After that (and a reboot) we should have an upgraded system.
pkgsrc
Source Packages
Download a current pkgsrc
archive from a nearby mirror:
set -o braceexpand
ftp https://cdn.netbsd.org/pub/pkgsrc/stable/pkgsrc.tar.xz{,.SHA1}
cksum -a sha1 -c pkgsrc.tar.xz.SHA1
xz -dc pkgsrc.tar.xz | doas tar -C /usr/ -xpf -
Or, via Mercurial:
cd /usr
doas hg clone https://anonhg.NetBSD.org/pkgsrc
cd pkgsrc
doas hg update -C pkgsrc-2023Q2   # Use "hg branches" to list available branches.
We can configure the build process via /etc/mk.conf:
MAKE_JOBS = 4
WRKOBJDIR = /var/pkgtmp/work
DISTDIR = /var/pkgtmp/distfiles
PACKAGES = /var/pkgtmp/packages
# When building as an unprivileged user[19][20]
SU_CMD = ${LOCALBASE}/bin/doas /bin/sh -c
Add some hardening options (the accepted values for each are documented in /usr/pkgsrc/mk/defaults/mk.conf):[21][22]
PKGSRC_USE_FORTIFY = 2
PKGSRC_USE_SSP = strong
PKGSRC_MKPIE = yes
PKGSRC_MKREPRO = yes
PKGSRC_USE_RELRO = full
PKGSRC_USE_STACK_CHECK = yes
Install a single package:
$ cd /usr/pkgsrc/*/cowsay
$ make install
[...]
=> Checking file-check results for cowsay-3.04nb3
=> Creating binary package /var/pkgtmp/work/misc/cowsay/work/.packages/cowsay-3.04nb3.tgz
===> Building binary package for cowsay-3.04nb3
=> Creating binary package /var/pkgtmp/packages/All/cowsay-3.04nb3.tgz
=> Becoming ``root'' to make su-real-package-install (/usr/pkg/bin/doas)
===> Installing binary package of cowsay-3.04nb3
=> Dropping ``root'' privileges.
$ type cowsay
cowsay is /usr/pkg/bin/cowsay
$ ls -l /usr/pkg/bin/cowsay
-rwxr-xr-x  1 root  wheel  4498 Mar  5 03:41 /usr/pkg/bin/cowsay
Install missing packages:
for p in doas git iftop pkgin pv rsync screen sysupgrade vnstat; do cd /usr/pkgsrc/*/${p} && make install || break; done
Binary packages
We have to set PKG_PATH to be able to install from network resources:
PKG_PATH=https://cdn.netbsd.org/pub/pkgsrc/packages/$(uname -s)/$(uname -m)/$(uname -r | cut -d_ -f1)/All/ \
pkg_add -v bash curl doas git htop iftop mercurial mozilla-rootcerts-openssl netcat pv rsync screen sysupgrade zsh zstd
We can also use pkgin to install binary packages:
$ pkg_add -v pkgin
$ grep ^http /usr/pkg/etc/pkgin/repositories.conf
https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/$arch/$osrelease/All
Update package database, and install something:
pkgin update
pkgin -V install cowsay
Note: pkgin (and pkg_install in general) is strict about the system's running architecture, so any leftover packages installed for another architecture have to be removed first:[23]
$ uname -p
x86_64
$ for p in $(pkg_info | awk '{print $1}'); do printf '%s ' "$p"; pkg_info -B $p | grep MACHINE_ARCH; done
bash-4.4.019 MACHINE_ARCH=x86_64
pkg_install-20180425 MACHINE_ARCH=i386
pkgin-0.11.6nb1 MACHINE_ARCH=x86_64
lz4-1.8.3 MACHINE_ARCH=x86_64
zstd-1.3.7 MACHINE_ARCH=x86_64
pv-1.6.0 MACHINE_ARCH=i386
After uninstalling those i386 packages, pkgin would run just fine.
Remove leftover packages:
for p in $(pkg_info | grep -vE 'doas|htop|git|iftop|pkg_install|pkgin|pv|screen|sysupgrade|zsh' | awk '{print $1}' | sed 's/-[0-9].*//' | sort); do echo ${p} && pkg_delete ${p}; done
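Added example (not from this page): the architecture check above as a function that can be piped into pkg_delete. It takes the "name-version MACHINE_ARCH=arch" lines the loop above prints, drops every package built for the running architecture and prints the remaining package names with their version stripped, returning 1 when any were found. The listing below is a constructed copy of the page's own output.

```shell
#!/bin/sh
# Added example, not part of the original page. Sample input is constructed.
SAMPLE_PKGS='bash-4.4.019 MACHINE_ARCH=x86_64
pkg_install-20180425 MACHINE_ARCH=i386
pkgin-0.11.6nb1 MACHINE_ARCH=x86_64
lz4-1.8.3 MACHINE_ARCH=x86_64
zstd-1.3.7 MACHINE_ARCH=x86_64
pv-1.6.0 MACHINE_ARCH=i386'

# foreign_arch_pkgs ARCH: reads "pkg-version MACHINE_ARCH=arch" lines on stdin,
# prints the names (without version) of packages not built for ARCH,
# returns 1 if there were any, 0 otherwise.
foreign_arch_pkgs() {
    awk -v want="$1" '
        NF >= 2 {
            split($2, kv, "=")                    # kv[2] is the recorded MACHINE_ARCH
            if (kv[2] != want) {
                sub(/-[0-9][^-]*$/, "", $1)       # strip the trailing -version
                print $1
                n++
            }
        }
        END { exit n ? 1 : 0 }'
}

# Usage on a real system (the loop from the page feeds this):
#   for p in $(pkg_info | awk '{print $1}'); do printf '%s ' "$p"; pkg_info -B "$p" | grep MACHINE_ARCH; done \
#       | foreign_arch_pkgs "$(uname -p)" | xargs -n1 pkg_delete
if out=$(printf '%s\n' "$SAMPLE_PKGS" | foreign_arch_pkgs x86_64); then
    echo "no foreign-architecture packages"
else
    printf 'foreign-architecture packages:\n%s\n' "$out"
fi
```

On the sample this lists pkg_install and pv. Deleting the pkgsrc pkg_install package is safe here because the base system keeps its own /usr/sbin/pkg_add and friends; after that, reinstall it via PKG_PATH for the right architecture.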
Updating
The audit-packages and download-vulnerability-list commands have been deprecated; pkg_admin should be used instead to fetch the vulnerability list and check the installed packages against it:[24]
$ pkg_admin -v fetch-pkg-vulnerabilities
$ pkg_admin -v audit
No vulnerabilities found
Then there's pkglint to check on pkgsrc packages:
$ pkglint /usr/pkgsrc/misc/cowsay
ERROR: /usr/pkgsrc/misc/cowsay/patches/patch-aa:3: Each patch must be documented.
1 error and 0 warnings found. (Run "pkglint -e" to show explanations.)
Cleanup
Run make distclean (or make clean, if the distfiles should be kept), but only in the directories we actually built in:
for d in /var/pkgtmp/work/*/*; do pdir=$(echo ${d} | sed 's|/var/pkgtmp/work/|/usr/pkgsrc/|'); cd ${pdir} && pwd && make distclean; done
Links
References
- ↑ security/nss/lib/ckfw/builtins/certdata.txt
- ↑ Announcing NetBSD 6.0
- ↑ The NetBSD Guide: Chapter 3. Example installation
- ↑ cgd-on-vnd results on Xen
- ↑ benchmarks/cgd_benchmark.sh
- ↑ Mercurial documentation
- ↑ Fossil and Git mirrors of pkgsrc and src (August 03, 2011)
- ↑ New home for the repository conversion (June 10, 2017)
- ↑ XKCD: Git
- ↑ How to build a kernel
- ↑ Re: Build fails on extra files in DESTDIR, what does that mean?
- ↑ Re: gdb build failure in current with readonly source directory
- ↑ When updating your kernel, remember: to also install new kernel modules if you run NetBSD-current, else your system will not boot any more
- ↑ build.sh installmodules doesn't create all required directories
- ↑ Re: toolchain/53544: trouble building lex in tools using build.sh -u
- ↑ Chapter 4. Upgrading NetBSD
- ↑ Introducing sysbuild and sysupgrade (August 07, 2012)
- ↑ Re: Upgrading NetBSD in-place in a clean way
- ↑ 9.12. Using 'sudo' with pkgsrc
- ↑ Perplexed about LOCALBASE vs. SU_CMD
- ↑ Appendix B. Security hardening
- ↑ Check /usr/pkgsrc/mk/defaults/mk.conf for defaults!
- ↑ Problems with pkgin after upgrading from 6.1.5
- ↑ 4.1.5. Checking for security vulnerabilities in installed packages