From Segfault
Jump to: navigation, search





$ cat /etc/myname
$ cat /etc/ifconfig.wm0 
inet netmask
!/sbin/route add default


Usually sshd is not enabled after a fresh installation:

$ grep ^sshd /etc/defaults/rc.conf | sed 's/NO/YES/' >> /etc/rc.conf
$ grep Root /etc/ssh/sshd_config
PermitRootLogin yes

$ /etc/rc.d/sshd start


NetBSD ships with pdksh, which is already pretty neat (tab completion, history, incremental search-history), let's use all that:

$ grep ENV .profile                                                                                                                                                       
export ENV=$HOME/.kshrc

$ grep -v ^\# .kshrc
export PS1="$USER@$(hostname -s)# "
export HISTFILE=$HOME/.history
export HISTSIZE=10000
export PAGER=less
export LESS="-isXR"

set -o braceexpand on


$ cat /etc/fstab
/dev/sd0a       /               ffs     rw,log,noatime     1 1
/dev/sd0b       none            swap    sw                 0 0
tmpfs           /tmp            tmpfs   rw,nosuid,nodev,-m1777,-s128M
kernfs          /kern           kernfs  rw,noexec,nosuid,nodev
ptyfs           /dev/pts        ptyfs   rw,noexec,nosuid
procfs          /proc           procfs  rw,noexec,nosuid,nodev
/dev/cd0a       /mnt/cdrom      cd9660  ro,noauto
nfs0:/home      /home           nfs     rw,nodev,nosuid    0 0

Note: as soft updates have been removed from NetBSD[1], we're now using journaling (wapbl[2] instead.

# file -Ls /dev/rwd0a | cut -c-80
/dev/rwd0a: Unix Fast File system [v2] (little-endian) last mounted on /, last w
# dumpfs -s /dev/rwd0a | head -2  
file system: /dev/rwd0a
format  FFSv2


On a minimal installation[3], only the most basic install sets were installed. To install man pages:

for s in comp man text; do tar -C / -xvzf /mnt/cdrom/amd64/binary/sets/"$s".tgz; done

Create index for apropos and whatis:

/etc/rc.d/makemandb                                      # Will continue in background

→ See pkgsrc for more information on softwre installation.

Encrypted swap

Encrypted swap can be accomplished via cgd(4):

Generate a paramsfile for the cgd device:

$ cgdconfig -g -k urandomkey -o /etc/cgd/swap aes-xts

$ cat /etc/cgd/swap 
algorithm aes-xts;
iv-method encblkno1;
keylength 256;
verify_method none;
keygen urandomkey;

Initialize a cgd device with these parameters. Make sure, sd0b is currently not in use:

$ cgdconfig cgd0 /dev/sd0b /etc/cgd/swap 

Edit the disklabel for cgd0 to create a valid swap slice:

$ disklabel -e -I cgd0
# /dev/rcgd0d:
type: cgd
disk: cgd
label: swap
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 128
total sectors: 264129
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

5 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
a:    264129         0     swap                     # (Cyl.      0 -    128*)
d:    264129         0     unused      0     0      # (Cyl.      0 -    128*)

Save the disklabel to a file:

$ disklabel cgd0 > /etc/cgd/swap.disklabel

Set up the cgd to be configured automatically at boot:

$ cat /etc/cgd/cgd.conf
cgd0 /dev/sd0b /etc/cgd/swap

We need to restore our disklabel to the newly created cgd device at boot time. For this we'll create /etc/rc.conf.d/cgd with the following content:

$ cat /etc/rc.conf.d/cgd

cgd_swap() {
if [ -f $swap_disklabel ]; then
       disklabel -R -r $swap_device $swap_disklabel

We also have to add cgd device into /etc/fstab as a swap device:

$ grep swap /etc/fstab 
/dev/cgd0a      none            swap sw               0 0

Make sure that the Crypto file system driver is loaded:

$ grep -i cgd /etc/defaults/rc.conf 

After a reboot, our swap device should reside on cgd0a. Or we can activate it right now:

$ swapctl -a /dev/cgd0a
$ swapctl -l
Device      512-blocks     Used    Avail Capacity  Priority
/dev/cgd0a      264129        0   264129     0%    0



Before updating, we'll need the source sets:

  • src.tgz - userland source
  • syssrc.tgz - kernel source
  $ ftp`uname -r`/source/sets/
  > mget src.tgz syssrc.tgz xsrc.tgz SHA512
  $ su -
  # cd /
  # for s in src syssrc xsrc; do
     gzip -dc /download/"$s".tgz | tar -xf -

After unpacking/building, these directories will have grown in size:

 1.0G    /usr/src
 195M    /usr/src/sys
 41M     ../tools
 1.1G    ../obj

We can set a few variables in /etc/mk.conf:

 # /etc/mk.conf
 # Based on /usr/pkgsrc/mk/defaults/mk.conf
 # good if we're building on an SMP machine
 MAKE_JOBS       = 3
 # read-only /usr/pkgsrc
 WRKOBJDIR       = /var/pkgtmp/work
 DISTDIR         = /var/pkgtmp/distfiles
 PACKAGES        = /var/pkgtmp/packages
 .if exists(${LOCALBASE}/bin/sudo)
 SU_CMD          = ${LOCALBASE}/bin/sudo /bin/sh -c

Note: if we're on a readonly /usr/pkgsrc (say, an NFS mount), we have to make a few preparations first:

 # mkdir -p /var/pkgtmp/{distfiles,obj,packages,tools,work}
 # chown dummy:dummy /var/pkgtmp/*


The build is basically 4 steps:

# Updating the sources (as root)
cd /usr/src
sudo cvs -q update -dP -r netbsd-5-1-2-RELEASE
# Building the toolchain
./ -O /var/pkgtmp/obj -T /var/pkgtmp/tools tools
# Building the kernel
./ -O /var/pkgtmp/obj -T /var/pkgtmp/tools kernel=GENERIC
# Building the userland
./ -O /var/pkgtmp/obj -T /var/pkgtmp/tools -U distribution

With everything in place, we can now install the new kernel and reboot before installing the new userland (as root):

 sudo mv /netbsd /netbsd.old
 sudo mv /var/pkgtmp/obj/sys/arch/`uname -p`/compile/GENERIC/netbsd /
 sudo shutdown -r now

Now that the new kernel has booted, we can install the new userland (as root):

 cd /usr/src
 sudo ./ -O /var/pkgtmp/obj -T /var/pkgtmp/tools -U install=/ 
 sudo shutdown -r now







ftp$(date +%Y)Q2.tar.xz
ftp$(date +%Y)Q2.tar.xz.SHA1
sha1 -c pkgsrc*.tar.xz.SHA1

xz -dc ~/pkgsrc*.tar.xz | tar -C /usr/ -xf -




mkdir -p /var/db/pkg
pkg_admin fetch-pkg-vulnerabilities

for p in net/wget security/sudo pkgtools/pkgin pkgtools/pkglint; do
   cd /usr/pkgsrc/${p}
   make install

Installation sets

Maybe we chose a minimal installation and some sets were not installed. Let's install them now:

for s in {man,text}.tgz SHA512; do 
  ftp$(uname -r)/$(uname -m)/binary/sets/${s}
cksum -a SHA512 -C SHA512

tar -C / --unlink -xzvpf man.tgz
tar -C / --unlink -xzvpf text.tgz

Binary packages

We have to set PKG_PATH to be able to install from network resources:

export PKG_PATH=$(uname -m)/$(uname -r)/All/
pkg_add -v netcat

Install a few other missing packages, e.g. the new pkgin:

pkg_add pkgin

Now pkgin can be used to install packages:

pkgin update
pkgin install binutils zsh


I find it a bit of a hassle to find the right category for each package (is firefox in www/ or in net/ ?) that's why 2 more helper scripts have been attached:

 for p in /usr/local/bin/; do
    cd "$p"
    sudo make update
 for p in /usr/local/bin/;  do
    cd "$p"
    sudo make update