NetBSD

From Segfault

Installation

This is basically covered in the installation guide, we'll focus on post-install tasks here.

Postinstall

Network

$ grep ^hostname /etc/rc.conf
hostname=alice

For a static IP address configuration: 

$ cat /etc/rc.conf
[...]
auto_ifconfig=YES
ifconfig_re0="inet 10.0.0.123 netmask 255.255.255.0"
defaultroute="10.0.0.1"

For dynamic IP address configuration, configure: 

$ grep ^dhcp /etc/rc.conf
dhcpcd=YES
dhcpcd_flags="-qM re0"

Only slightly related to network, set --panicgate for ntpd to allow for larger adjustments: 

$ grep ntpd /etc/rc.conf
ntpd=YES             ntpd_flags="-g"
ntpdate=YES

mozilla-rootcerts-openssl

Many applications make use of Root certificate authorities so we need to prepare for this: 

pkg_add ca-certificates

Or, for the Mozilla variant:[1] 

pkg_add mozilla-rootcerts-openssl

fstab

$ cat /etc/fstab
/dev/sd0a       /               ffs      rw,log,noatime     1 1
/dev/cgd0a      none            swap     sw,dp              0 0
/dev/sd0b       none            swap     sw                 0 0
/dev/cd0a       /mnt/cdrom      cd9660   ro,noauto
tmpfs           /tmp            tmpfs    rw,nosuid,nodev,-m1777,-sram%25
tmpfs           /var/shm        tmpfs    rw,nosuid,nodev,-m1777,-sram%25
ptyfs           /dev/pts        ptyfs    rw,noexec,nosuid
kernfs          /kern           kernfs   ro,noexec,nosuid,nodev
procfs          /proc           procfs   ro,noexec,nosuid,nodev
none            /sys/mfs        mfs      rw,noauto,-s=128m
none            /sys/sysctl     sysctlfs rw,noauto
nfs0:/home      /home           nfs      rw,nodev,nosuid
/dev/sd1a       /mnt/sd1        ffs      rw,log,noatime
/mnt/sd1/src    /usr/src        null     rw

Note: as soft updates have been removed from NetBSD[2], we're now using WAPBL instead.

Packages

Install some basic (binary) packages to start with: 

PKG_PATH=https://cdn.netbsd.org/pub/pkgsrc/packages/$(uname -s)/$(uname -m)/$(uname -r | cut -d_ -f1)/All/ \
  pkg_add doas git iftop mercurial pkgin pv screen zsh

Configure doas: 

$ cat /usr/pkg/etc/doas.conf                                                                                                                                                                      
permit keepenv persist dummy as root
permit keepenv persist :wheel                                                          # Alternatively, use nopass instead of persist

On a minimal installation[3] only the most basic install sets were installed. To install e.g. man pages and text utilities: 

set -o braceexpand
ftp https://cdn.netbsd.org/pub/NetBSD/NetBSD-$(uname -r)/$(uname -m)/binary/sets/{SHA512,{comp,man,text}.tgz}
cksum -a SHA512 -c SHA512

for s in {comp,man,text}; do ls -lh ${s}.tgz && doas tar -C / --unlink -xzpf ${s}.tgz; done

Create the index for apropos and whatis: 

doas /etc/rc.d/makemandb start                                                         # Will continue in background

→ See #pkgsrc for more information on software installation.

Encrypted swap

Encrypted swap can be accomplished via cgd(4):

Generate a paramsfile for the cgd device: 

$ cgdconfig -g -k urandomkey -o /etc/cgd/swap aes-xts                             # Be sure to choose a fast cipher.[4][5]

$ cat /etc/cgd/swap 
algorithm aes-xts;
iv-method encblkno1;
keylength 256;
verify_method none;
keygen urandomkey;

Initialize a cgd device with these parameters. Make sure, sd0b is currently not in use: 

$ cgdconfig cgd0 /dev/sd0b /etc/cgd/swap

Edit the disklabel for cgd0 to create a valid swap slice: 

$ disklabel -e -I cgd0
# /dev/rcgd0d:
type: cgd
disk: cgd
label: swap
flags:
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 128
total sectors: 264129
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

5 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
a:    264129         0     swap                     # (Cyl.      0 -    128*)
d:    264129         0     unused      0     0      # (Cyl.      0 -    128*)

Save the disklabel to a file: 

$ disklabel cgd0 > /etc/cgd/swap.disklabel

Set up the cgd to be configured automatically at boot: 

$ cat /etc/cgd/cgd.conf
cgd0 /dev/sd0b /etc/cgd/swap

We need to restore our disklabel to the newly created cgd device at boot time. For this we'll create /etc/rc.conf.d/cgd with the following content: 

$ cat /etc/rc.conf.d/cgd
swap_device="cgd0"
swap_disklabel="/etc/cgd/swap.disklabel"
start_postcmd="cgd_swap"

cgd_swap() {
if [ -f $swap_disklabel ]; then
       disklabel -R -r $swap_device $swap_disklabel
fi
}

We also have to add cgd device into /etc/fstab as a swap device: 

$ grep swap /etc/fstab 
/dev/cgd0a      none            swap sw               0 0

Make sure that the Crypto file system driver is loaded: 

$ grep -i cgd /etc/defaults/rc.conf 
cgd=YES

After a reboot, our swap device should reside on cgd0a. Or we can activate it right now: 

$ swapctl -a /dev/cgd0a
$ swapctl -l
Device      512-blocks     Used    Avail Capacity  Priority
/dev/cgd0a      264129        0   264129     0%    0

Firewall

NetBSD is using npf now and example configurations can be found in the /usr/share/examples/npf/ directory. A very basic configuration for a non-routing host, with only one interface would be: 

$ cat /etc/npf.conf
$vif = "vioif0"
$vif_addrs = ifaddrs(vioif0)

alg "icmp"
procedure "log" {
    log: npflog0
}

group "wired" on $vif {
    ruleset "blacklistd"
    pass stateful in on $vif proto tcp to $vif_addrs port ssh apply "log"
}

group default {
    block all apply "log"
    pass on lo0 all
    pass in family inet4 proto udp from any port bootps to any port bootpc
    pass in family inet6 proto udp from any to any port "dhcpv6-client"
    pass family inet6 proto ipv6-icmp all
    pass in family inet4 proto icmp icmp-type echo all
#   pass in proto udp to any port 33434-33600
#   pass in proto udp to any port mdns
    pass stateful out all
}

Add npf=YES to /etc/rc.conf to start NPF automtically on boot or call npfctl start to apply the rules immediately.

Update

This is explained in Updating a stable NetBSD release. The steps in short:

Source

Mercurial

While NetBSD is primarily still being developed via CVS, there are somewhat official Mercurial repositories[6] now in place. Check out the sources via: 

cd /usr
hg clone https://anonhg.NetBSD.org/src
hg clone https://anonhg.NetBSD.org/xsrc

Update via: 

hg pull
hg update

Git

There are offical and regularly updated Git[7][8] mirror repositories in place: 

cd /usr
git clone https://github.com/NetBSD/src.git
cd src
git checkout netbsd-9

Or, for an already existing checkout: 

cd /usr/src
git pull
git checkout netbsd-9
git clean -dfx

It might make sense to checkout the release branch again:[9] 

git checkout trunk
git branch -D netbsd-9
git checkout netbsd-9

CVS

We can also update (checkout?) the sources to a RELEASE tag from CVS 

cd /usr/src
doas cvs -q update -dP -r netbsd-9-0-RELEASE

Tarballs

Before updating, we'll need the source sets from a nearby mirror: 

set -o braceexpand
ftp https://cdn.netbsd.org/pub/NetBSD/NetBSD-$(uname -r)/source/sets/{SHA512,{sys,x,}src.tgz}
cksum -a sha512 -c SHA512

Extract via doas: 

for s in src syssrc xsrc; do ls -lh ${s}.tgz && doas tar -C / -xzpf ${s}.tgz; done

Preparation

After unpacking, these directories will have grown in size, so we need to make sure we have enough disk space: 

$ du -sh /usr/src{,/sys} /usr/xsrc/ 
2.0    /usr/src
500M    /usr/src/sys
800M    /usr/xsrc/

If we're building on a readonly /usr/pkgsrc (say, an NFS mount), we have to make a few preparations first: 

doas mkdir -p -m0770 /var/pkgtmp/{distfiles,obj,packages,tools,work}
doas chgrp -R wsrc   /var/pkgtmp/*                                                                # We have to be a member of wsrc to build here.

Building

Build the toolchain: 

export JOBS=$(/sbin/sysctl -n hw.ncpu)
cd /usr/src/
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools tools

If necessary, configure the kernel configuration:[10] 

doas cp -iv /usr/src/sys/arch/$(uname -m)/conf/{GENERIC,FOOBAR}
doas vi /usr/src/sys/arch/$(uname -m)/conf/FOOBAR

Build the kernel: 

./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools kernel=GENERIC               # Use FOOBAR to build the new configuration instead

Build the userland: 

rm -rf /var/pkgtmp/obj/destdir.$(uname -m)                                                    # May be needed for upgrades[11]
doas chmod g+w external/gpl3/gdb/dist/gdb/rust-exp.c                                          # May be needed for netbsd-8[12]
 
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools distribution                  # Add -o to NOT rebuild "objdirs"; add -u to NOT run "make cleandir" first.

With everything in place, we can now install the new kernel and reboot before installing the new userland: 

doas mv -iv /netbsd /netbsd.old
doas mv -iv /var/pkgtmp/obj/sys/arch/$(uname -m)/compile/GENERIC/netbsd /
doas /sbin/chown root:wheel /netbsd*

When doing an upgrade, we also have to install the newly built kernel modules:[13] 

MDIR=/var/tmp/modules
mkdir -p ${MDIR}/usr/libdata/ldscripts                                                        # See PR#55081[14]

./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools installmodules=${MDIR}
doas cp -vR ${MDIR}/{stand,usr} /
rm -rf ${MDIR}

After kernel (and modules) have been installed, we can reboot with: 

doas /sbin/shutdown -r now

Now that the new kernel has booted, we can install the new userland: 

cd /usr/src
doas ./build.sh -U -O /var/pkgtmp/obj -T /var/pkgtmp/tools install=/

Update the system configuration files as well: 

doas /usr/sbin/postinstall -s /usr/src check
doas /usr/sbin/postinstall -s /usr/src fix
doas /usr/sbin/etcupdate -s /usr/src

Reboot: 

doas /sbin/shutdown -r now

Sometimes it's recommended (or necessary)[15] to empty out the build directories: 

doas rm -r /var/pkgtmp/{obj,tools,work}/*

Upgrade

Upgrading NetBSD appears to be only supported with boot mediums[16], and maybe sysupgrade[17], or weird sysinst tricks[18], but in my experience setting the correct RELEASE tag and then rebuilding the system does work in most cases too.

sysupgrade

sysupgrade auto

This will do the following:

  1. Fetch distribution sets
  2. Upgrade the kernel & modules
  3. Upgrade the system
  4. Run etcupdate to merge configuration file changes
  5. Run postinstall to help upgrade tasks
  6. Run cleaning jobs

After that (and a reboot) we should have an upgraded system.

pkgsrc

Source Packages

Download a current pkgsrc archive from a nearby mirror: 

set -o braceexpand
ftp https://cdn.netbsd.org/pub/pkgsrc/stable/pkgsrc.tar.xz{,.SHA1}
cksum -a sha1 -c pkgsrc.tar.xz.SHA1

xz -dc pkgsrc.tar.xz | doas tar -C /usr/ -xpf -

Or, via Mercurial: 

cd /usr
doas hg clone https://anonhg.NetBSD.org/pkgsrc

cd pkgsrc
doas hg update -C pkgsrc-2023Q2                                # Use hg branches to list available branches.

We can configure the build process via /etc/mk.conf 

MAKE_JOBS       = 4

WRKOBJDIR       = /var/pkgtmp/work
DISTDIR         = /var/pkgtmp/distfiles
PACKAGES        = /var/pkgtmp/packages

# When building as an unprivileged user[19][20]
SU_CMD          = ${LOCALBASE}/bin/doas /bin/sh -c

Add some hardening options[21][22] 

PKGSRC_USE_FORTIFY      = 2
PKGSRC_USE_SSP          = strong
PKGSRC_MKPIE            = yes
PKGSRC_MKREPRO          = yes
PKGSRC_USE_RELRO        = full
PKGSRC_USE_STACK_CHECK  = yes

Install a single package: 

$ cd /usr/pkgsrc/*/cowsay
$ make install
[...]
=> Checking file-check results for cowsay-3.04nb3
=> Creating binary package /var/pkgtmp/work/misc/cowsay/work/.packages/cowsay-3.04nb3.tgz
===> Building binary package for cowsay-3.04nb3
=> Creating binary package /var/pkgtmp/packages/All/cowsay-3.04nb3.tgz
=> Becoming ``root to make su-real-package-install (/usr/pkg/bin/doas)
===> Installing binary package of cowsay-3.04nb3
=> Dropping ``root privileges.

$ type cowsay                                                                                                                                                                              
cowsay is /usr/pkg/bin/cowsay

$ ls -l /usr/pkg/bin/cowsay
-rwxr-xr-x  1 root  wheel  4498 Mar  5 03:41 /usr/pkg/bin/cowsay

Install missing packages: 

for p in doas git iftop pkgin pv rsync screen sysupgrade vnstat; do cd /usr/pkgsrc/*/${p} && make install || break; done

Binary packages

We have to set PKG_PATH to be able to install from network resources: 

PKG_PATH=https://cdn.netbsd.org/pub/pkgsrc/packages/$(uname -s)/$(uname -m)/$(uname -r | cut -d_ -f1)/All/ \
  pkg_add -v bash curl doas git htop iftop mercurial mozilla-rootcerts-openssl netcat pv rsync screen sysupgrade zsh zstd

We can also use pkgin to install binary packages: 

$ pkg_add -v pkgin

$ grep ^http /usr/pkg/etc/pkgin/repositories.conf
https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/$arch/$osrelease/All

Update package database, and install something: 

pkgin update
pkgin -V install cowsay

Note: pkgin resp. pkg is kinda strict on the system's running architecture, so if we have any leftover packages installed from another architecture we may have to remove those:[23] 

$ uname -p
x86_64

$ for p in $(pkg_info | awk '{print $1}'); do printf "$p "; pkg_info -B $p | grep MACHINE_ARCH; done
bash-4.4.019 MACHINE_ARCH=x86_64
pkg_install-20180425 MACHINE_ARCH=i386
pkgin-0.11.6nb1 MACHINE_ARCH=x86_64
lz4-1.8.3 MACHINE_ARCH=x86_64
zstd-1.3.7 MACHINE_ARCH=x86_64
pv-1.6.0 MACHINE_ARCH=i386

After uninstalling those i386 packages, pkgin would run just fine.

Remove leftover packages: 

for p in $(pkg_info | grep -vE 'doas|htop|git|iftop|pkg_install|pkgin|pv|screen|sysupgrade|zsh' | awk '{print $1}' | sed 's/-[0-9].*//' | sort); do echo ${p} && pkg_delete ${p}; done

Updating

The audit-packages and download-vulnerability-list commands have been deprecated and the pkg_admin should be used instead to track and update packages:[24] 

$ pkg_admin -v fetch-pkg-vulnerabilities
$ pkg_admin -v audit
No vulnerabilities found

Then there's pkglint to check on pkgsrc packages: 

$ pkglint /usr/pkgsrc/misc/cowsay
ERROR: /usr/pkgsrc/misc/cowsay/patches/patch-aa:3: Each patch must be documented.
1 error and 0 warnings found.
(Run "pkglint -e" to show explanations.)

Cleanup

Run make clean, but only in directories we built in: 

for d in /var/pkgtmp/work/*/*; do pdir=$(echo ${d} | sed 's|/var/pkgtmp/work/|/usr/pkgsrc/|'); cd ${pdir} && pwd && make distclean; done

Links

References

  1. security/nss/lib/ckfw/builtins/certdata.txt
  2. Announcing NetBSD 6.0
  3. The NetBSD Guide: Chapter 3. Example installation
  4. cgd-on-vnd results on Xen
  5. benchmarks/cgd_benchmark.sh
  6. Mercurial documentation
  7. Fossil and Git mirrors of pkgsrc and src (August 03, 2011)
  8. New home for the repository conversion (June 10, 2017)
  9. XKCD: Git
  10. How to build a kernel
  11. Re: Build fails on extra files in DESTDIR, what does that mean?
  12. Re: gdb build failure in current with readonly source directory
  13. When updating your kernel, remember: to also install new kernel modules if you run NetBSD-current, else your system will not boot any more
  14. build.sh installmodules doesn't create all required directories
  15. Re: toolchain/53544: trouble building lex in tools using build.sh -u
  16. Chapter 4. Upgrading NetBSD
  17. Introducing sysbuild and sysupgrade (August 07, 2012)
  18. Re: Upgrading NetBSD in-place in a clean way
  19. 9.12. Using 'sudo' with pkgsrc
  20. Perplexed about LOCALBASE vs. SU_CMD
  21. Appendix B. Security hardening
  22. Check /usr/pkgsrc/mk/defaults/mk.conf for defaults!
  23. Problems with pkgin after upgrading from 6.1.5
  24. 4.1.5. Checking for security vulnerabilities in installed packages
Retrieved from "https://trent.utfs.org/mediawiki/index.php?title=NetBSD&oldid=14290"