NetBSD

From Segfault

Installation

This is covered in the installation guide; we'll focus on post-install tasks here.

Postinstall

Network

$ grep ^hostname /etc/rc.conf
hostname=alice

For a static IP address configuration:

$ cat /etc/rc.conf
[...]
auto_ifconfig=YES
ifconfig_re0="inet 10.0.0.123 netmask 255.255.255.0"
defaultroute="10.0.0.1"

For a dynamic (DHCP) configuration instead:

$ grep ^dhcp /etc/rc.conf
dhcpcd=YES
dhcpcd_flags="-qM re0"

Only slightly related to network: set -g (--panicgate) for ntpd so it may step the clock past the 1000 s panic threshold once at startup, which a freshly installed machine with a drifted clock usually needs:

$ grep ntpd /etc/rc.conf
ntpd=YES
ntpd_flags="-g"
ntpdate=YES

CA certificates

Many applications rely on the root certificate authorities, so we need to prepare for this. NetBSD's pkgsrc offers three packages here, each with a slightly different description. Usually it's good to install at least:

pkg_add ca-certificates mozilla-rootcerts-openssl

fstab

$ cat /etc/fstab
/dev/sd0a       /               ffs      rw,log,noatime     1 1
/dev/cgd0a      none            swap     sw,dp
# Not together with cgd0a: sd0b is the partition cgd0 sits on (see Encrypted swap)
#/dev/sd0b      none            swap     sw
/dev/cd0a       /mnt/cdrom      cd9660   ro,noauto
tmpfs           /tmp            tmpfs    rw,nosuid,nodev,-m1777,-sram%25
tmpfs           /var/shm        tmpfs    rw,nosuid,nodev,-m1777,-sram%25
ptyfs           /dev/pts        ptyfs    rw,noexec,nosuid
kernfs          /kern           kernfs   ro,noexec,nosuid,nodev
procfs          /proc           procfs   ro,noexec,nosuid,nodev
none            /sys/mfs        mfs      rw,noauto,-s=128m
none            /sys/sysctl     sysctlfs rw,noauto
nfs0:/home      /home           nfs      rw,nodev,nosuid
/dev/sd1a       /mnt/sd1        ffs      rw,log,noatime
/mnt/sd1/src    /usr/src        null     rw

Note: as soft updates have been removed from NetBSD[1], we're now using WAPBL (the log mount option above) instead.

We could also use a null mount to move our source directories to a second, bigger disk:

$ grep xbd2 /etc/fstab 
/dev/xbd2a           /mnt/xbd2a ffs  rw,log,noatime  1 1
/mnt/xbd2a/src-hg    /usr/src        null    rw
/mnt/xbd2a/pkgsrc-hg /usr/pkgsrc     null    rw
/mnt/xbd2a/pkgtmp    /var/pkgtmp     null    rw

$ mkdir -m0755 /usr/{src,pkgsrc} /var/pkgtmp
$ mount -a

Packages

Install some basic (binary) packages to start with:

PKG_PATH=https://cdn.netbsd.org/pub/pkgsrc/packages/$(uname -s)/$(uname -m)/$(uname -r | cut -d_ -f1)/All/ \
  pkg_add doas git iftop mercurial pkgin pv screen zsh

Configure doas. Note that keepenv hands the caller's whole environment to the root process; check the file with doas -C /usr/pkg/etc/doas.conf before leaving the root shell, since a syntax error locks everybody out:

$ cat /usr/pkg/etc/doas.conf
permit keepenv persist dummy as root
permit keepenv persist :wheel                                                          # Alternatively, use nopass instead of persist

On a minimal installation[2] only the most basic install sets were installed. Install some more:

set -o braceexpand
ftp https://cdn.netbsd.org/pub/NetBSD/NetBSD-$(uname -r)/$(uname -m)/binary/sets/{SHA512,{comp,man,text}.tgz}
cksum -a SHA512 -c SHA512

for s in {comp,man,text}; do ls -lh ${s}.tgz && doas tar -C / --unlink -xzpf ${s}.tgz; done

Create the index for apropos and whatis:

doas /etc/rc.d/makemandb start                                                         # Will continue in background

→ See #pkgsrc for more information on software installation.

Encrypted swap

Encrypted swap can be accomplished via cgd(4):

Generate a paramsfile for the cgd device:

$ cgdconfig -g -k urandomkey -o /etc/cgd/swap aes-xts                             # Be sure to choose a fast cipher.[3][4]

$ cat /etc/cgd/swap 
algorithm aes-xts;
iv-method encblkno1;
keylength 256;
verify_method none;
keygen urandomkey;

Initialize a cgd device with these parameters. Make sure sd0b is not in use at this point (swapctl -l lists active swap devices, swapctl -d /dev/sd0b removes one):

$ cgdconfig cgd0 /dev/sd0b /etc/cgd/swap 

Edit the disklabel for cgd0 to create a valid swap slice:

$ disklabel -e -I cgd0
# /dev/rcgd0d:
type: cgd
disk: cgd
label: swap
flags:
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 128
total sectors: 264129
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

5 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
a:    264129         0     swap                     # (Cyl.      0 -    128*)
d:    264129         0     unused      0     0      # (Cyl.      0 -    128*)

Save the disklabel to a file:

$ disklabel cgd0 > /etc/cgd/swap.disklabel

Set up the cgd to be configured automatically at boot:

$ cat /etc/cgd/cgd.conf
cgd0 /dev/sd0b /etc/cgd/swap

We need to restore our disklabel to the newly created cgd device at boot time. For this we'll create /etc/rc.conf.d/cgd with the following content:

$ cat /etc/rc.conf.d/cgd
swap_device="cgd0"
swap_disklabel="/etc/cgd/swap.disklabel"
start_postcmd="cgd_swap"

cgd_swap() {
    if [ -f "$swap_disklabel" ]; then
        disklabel -R -r "$swap_device" "$swap_disklabel"
    fi
}

We also have to add cgd device into /etc/fstab as a swap device:

$ grep swap /etc/fstab 
/dev/cgd0a      none            swap sw               0 0

Make sure the cgd rc.d script is enabled (it is in /etc/defaults/rc.conf, so nothing needs to be added to /etc/rc.conf unless it was disabled there):

$ grep -i cgd /etc/defaults/rc.conf 
cgd=YES

After a reboot, swap should be on cgd0a. Alternatively, activate it right now:

$ swapctl -a /dev/cgd0a
$ swapctl -l
Device      512-blocks     Used    Avail Capacity  Priority
/dev/cgd0a      264129        0   264129     0%    0
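Before trusting the result, two checks are worth automating: that the paramsfile really describes a throwaway key (keygen urandomkey together with verify_method none; a stored or passphrase-derived key would leave old swap contents recoverable), and that after boot nothing but the cgd device is active as swap, which catches an /etc/fstab that still lists the raw partition. The following is an added example, not code from the original page or from NetBSD; the function names cgd_params_ok and swap_only_on are mine, and the swapctl -l output in the usage comment is the one shown above.

```sh
#!/bin/sh
# Added example: sanity checks for an encrypted-swap setup.
# Not part of the original page or of NetBSD; the function names are mine.

# cgd_params_ok PARAMSFILE -> 0 if the cgd paramsfile uses a throwaway key
# (keygen urandomkey, verify_method none), which is what swap needs: the key
# is regenerated on every boot, so old swap contents can never be recovered.
cgd_params_ok() {
    f=$1
    rc=0
    grep -Eq '^[[:space:]]*keygen[[:space:]]+urandomkey;' "$f" ||
        { echo "$f: keygen is not urandomkey; a stored key keeps old swap readable" >&2; rc=1; }
    grep -Eq '^[[:space:]]*verify_method[[:space:]]+none;' "$f" ||
        { echo "$f: verify_method must be none with a random per-boot key" >&2; rc=1; }
    return $rc
}

# swap_only_on DEV... -> reads "swapctl -l" output on stdin and returns 0 iff
# every active swap device is one of DEV...
# Usage:  swapctl -l | swap_only_on /dev/cgd0a
swap_only_on() {
    allowed=" $* "
    rc=0
    while read -r dev rest; do
        case $dev in
            ''|Device|Total) continue ;;      # header and summary lines
        esac
        case $allowed in
            *" $dev "*) ;;
            *) echo "unencrypted or unexpected swap device active: $dev" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Both checks together, as a post-boot assertion:
#   cgd_params_ok /etc/cgd/swap && swapctl -l | swap_only_on /dev/cgd0a
```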

Firewall

NetBSD uses NPF as its packet filter; example configurations can be found in /usr/share/examples/npf/. A very basic configuration for a non-routing host with a single interface would be:

$ cat /etc/npf.conf
$vif = "vioif0"
$vif_addrs = ifaddrs(vioif0)

alg "icmp"
procedure "log" {
    log: npflog0
}

group "wired" on $vif {
    ruleset "blacklistd"
    pass stateful in on $vif proto tcp to $vif_addrs port ssh apply "log"
}

group default {
    block all apply "log"
    pass on lo0 all
    pass in family inet4 proto udp from any port bootps to any port bootpc
    pass in family inet6 proto udp from any to any port "dhcpv6-client"
    pass family inet6 proto ipv6-icmp all
    pass in family inet4 proto icmp icmp-type echo all
#   pass in proto udp to any port 33434-33600
#   pass in proto udp to any port mdns
    pass stateful out all
}

Add npf=YES to /etc/rc.conf to start NPF automatically on boot. To apply an edited npf.conf right away, check it with npfctl validate /etc/npf.conf, then npfctl reload loads it into the kernel and npfctl start enables filtering if it is not running yet. Note that the default group's block all catches everything the interface group does not pass, so keep the ssh rule intact when editing over the network.
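Editing npf.conf over SSH is the usual way to lock yourself out, because anything the new rules forget to pass ends up in block all. The following added example (mine, not from the original page or from NetBSD) applies a new configuration with a timed rollback: it validates the file, saves the rules currently loaded, loads the new ones, and restores the saved rules after a grace period unless the change is confirmed. It assumes NPF is already running and uses only the validate, save, reload and load subcommands of npfctl(8); NPFCTL is a variable I introduce so the sequence can be exercised with a stub, and npf_apply and npf_confirm are names I chose.

```sh
#!/bin/sh
# Added example: load a new npf.conf with a rollback timer, so a mistake in the
# rule set cannot lock a remote admin out. Not part of the original page or of
# NetBSD. Uses npfctl validate/save/reload/load as documented in npfctl(8).

NPFCTL=${NPFCTL:-/sbin/npfctl}     # overridable, e.g. with a stub for testing
NPF_ROLLBACK_PID=

# npf_apply CONF [SECONDS] -> validates CONF, snapshots the active rules with
# "npfctl save", loads CONF, and arms a timer that restores the snapshot with
# "npfctl load" after SECONDS (default 90) unless npf_confirm is called first.
# Returns non-zero, without touching the running rules, if CONF does not validate.
npf_apply() {
    conf=$1; secs=${2:-90}
    "$NPFCTL" validate "$conf" ||
        { echo "npf_apply: $conf rejected, running rules left unchanged" >&2; return 1; }
    "$NPFCTL" save || return 1            # active configuration -> /var/db/npf.db
    "$NPFCTL" reload "$conf" || return 1
    (
        trap 'kill "$sp" 2>/dev/null; exit 1' TERM   # npf_confirm cancels the timer here
        sleep "$secs" & sp=$!
        wait "$sp"
        echo "npf_apply: no confirmation within ${secs}s, restoring previous rules" >&2
        "$NPFCTL" load
    ) &
    NPF_ROLLBACK_PID=$!
    echo "loaded $conf; run npf_confirm within ${secs}s to keep it"
}

# npf_confirm -> cancels the pending rollback; the newly loaded rules stay.
npf_confirm() {
    [ -n "$NPF_ROLLBACK_PID" ] || { echo "npf_confirm: nothing pending" >&2; return 1; }
    kill "$NPF_ROLLBACK_PID" 2>/dev/null
    NPF_ROLLBACK_PID=
    echo "new rules confirmed"
}

# Typical session:  npf_apply /etc/npf.conf.new 60   (test ssh from elsewhere)   npf_confirm
```

The rollback restores whatever npfctl save snapshotted, which is the configuration that was active, not necessarily the contents of /etc/npf.conf on disk; once the change is confirmed, copy the new file into place so the next boot loads the same rules.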

Update

This is explained in Updating a stable NetBSD release. The steps in short:

Source

Mercurial

While NetBSD is still primarily developed in CVS, there are semi-official Mercurial repositories[5] in place. Check out the sources via:

cd /usr
hg clone https://anonhg.NetBSD.org/src
hg clone https://anonhg.NetBSD.org/xsrc

Update via:

hg pull
hg update

Git

There are official and regularly updated Git[6][7] mirror repositories in place:

cd /usr
git clone https://github.com/NetBSD/src.git
cd src
git checkout netbsd-9

Or, for an already existing checkout:

cd /usr/src
git pull
git checkout netbsd-9
git clean -dfx                                                 # Deletes all untracked files, build leftovers included

It might make sense to check out the release branch afresh:[8]

git checkout trunk
git branch -D netbsd-9
git checkout netbsd-9

CVS

We can also update an existing checkout to a RELEASE tag via CVS:

cd /usr/src
doas cvs -q update -dP -r netbsd-9-0-RELEASE

Tarballs

Before updating, we'll need the source sets from a nearby mirror:

set -o braceexpand
ftp https://cdn.netbsd.org/pub/NetBSD/NetBSD-$(uname -r)/source/sets/{SHA512,{sys,x,}src.tgz}
cksum -a sha512 -c SHA512

Extract via doas:

for s in src syssrc xsrc; do ls -lh ${s}.tgz && doas tar -C / -xzpf ${s}.tgz; done
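The same check applies to the install sets fetched under Packages above, to the source sets here, and to pkgsrc.tar.xz with its .SHA1 file: cksum -c walks every entry of the digest file, so a run over a partial download is mostly "No such file" noise in which a single MISMATCH is easy to miss, and nothing stops the next command from extracting into / anyway. Here is an added helper, not from the original page or from NetBSD, that checks only the files named, treats a missing entry or a missing file as an error, and returns non-zero so it can gate the extraction. It assumes GNU coreutils' sha512sum/sha1sum or NetBSD's cksum(1) is available; digest_of and verify_digests are names I chose. Keep in mind what this proves: the digest file travels over the same HTTPS connection as the sets, so a match confirms an intact transfer from cdn.netbsd.org, nothing more.

```sh
#!/bin/sh
# Added example: verify downloaded sets against the mirror's digest file
# before anything is extracted with "doas tar -C /". Not from the original
# page or NetBSD.
#
# Digest lines are the BSD "tagged" form used on the NetBSD mirrors:
#   SHA512 (comp.tgz) = <hex digest>
#   SHA1 (pkgsrc.tar.xz) = <hex digest>
#
# Assumption: GNU coreutils' sha512sum/sha1sum or NetBSD's cksum(1) is present.

# digest_of ALGO FILE -> prints the lowercase hex digest of FILE
digest_of() {
    algo=$1; file=$2
    case $algo in
        SHA512) tool=sha512sum ;;
        SHA1)   tool=sha1sum ;;
        *) echo "digest_of: unsupported algorithm '$algo'" >&2; return 2 ;;
    esac
    {
        if command -v "$tool" >/dev/null 2>&1; then
            "$tool" "$file" | awk '{print $1}'         # GNU coreutils: "<hex>  file"
        else
            cksum -a "$algo" "$file" | sed 's/.*= //'  # NetBSD: "ALGO (file) = <hex>"
        fi
    } | tr 'A-F' 'a-f'
}

# verify_digests ALGO DIGESTFILE FILE... -> 0 iff every FILE matches its entry;
# a FILE without an entry, an absent FILE or a mismatch all make it return 1.
verify_digests() {
    algo=$1; sums=$2; shift 2
    rc=0
    for f in "$@"; do
        want=$(awk -v a="$algo" -v f="$f" \
            '$1 == a && $2 == ("(" f ")") { print tolower($4); exit }' "$sums")
        if [ -z "$want" ]; then
            echo "MISSING  $f: no $algo entry in $sums" >&2; rc=1; continue
        fi
        if [ ! -f "$f" ]; then
            echo "ABSENT   $f: listed in $sums but not downloaded" >&2; rc=1; continue
        fi
        have=$(digest_of "$algo" "$f") || { rc=1; continue; }
        if [ "$have" = "$want" ]; then
            echo "OK       $f"
        else
            echo "MISMATCH $f: expected $want, got $have" >&2; rc=1
        fi
    done
    return $rc
}

# Typical use, gating the extraction loop from the page:
#   verify_digests SHA512 SHA512 comp.tgz man.tgz text.tgz &&
#       for s in comp man text; do doas tar -C / --unlink -xzpf "$s.tgz"; done
#   verify_digests SHA1 pkgsrc.tar.xz.SHA1 pkgsrc.tar.xz
```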

Preparation

After unpacking, these directories take a fair amount of space, so make sure there is enough room:

$ du -sh /usr/src{,/sys} /usr/xsrc/
2.0G    /usr/src
500M    /usr/src/sys
800M    /usr/xsrc/

If we're building on a read-only /usr/pkgsrc (say, an NFS mount), we have to make a few preparations first:

doas mkdir -p -m0770 /var/pkgtmp/{distfiles,obj,packages,tools,work}
doas chgrp -R wsrc   /var/pkgtmp/*                                                                # We have to be a member of wsrc to build here.

Building

Build the toolchain:

export JOBS=$(/sbin/sysctl -n hw.ncpu)
cd /usr/src/
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools tools

If necessary, create a custom kernel configuration:[9]

doas cp -iv /usr/src/sys/arch/$(uname -m)/conf/{GENERIC,FOOBAR}
doas vi /usr/src/sys/arch/$(uname -m)/conf/FOOBAR

Build the kernel:

./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools kernel=GENERIC               # Use FOOBAR to build the new configuration instead

Build the userland:

rm -rf /var/pkgtmp/obj/destdir.$(uname -m)                                                    # May be needed for upgrades[10]
doas chmod g+w external/gpl3/gdb/dist/gdb/rust-exp.c                                          # May be needed for netbsd-8[11]
 
./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools distribution                  # Add -o to NOT rebuild "objdirs"; add -u to NOT run "make cleandir" first.

With everything in place, we can now install the new kernel and reboot before installing the new userland:

doas mv -iv /netbsd /netbsd.old
doas mv -iv /var/pkgtmp/obj/sys/arch/$(uname -m)/compile/GENERIC/netbsd /
doas /sbin/chown root:wheel /netbsd*

When doing an upgrade, we also have to install the newly built kernel modules:[12]

MDIR=/var/tmp/modules
mkdir -p ${MDIR}/usr/libdata/ldscripts                                                        # See PR#55081[13]

./build.sh -U -j${JOBS} -O /var/pkgtmp/obj -T /var/pkgtmp/tools installmodules=${MDIR}
doas cp -vR ${MDIR}/{stand,usr} /
rm -rf ${MDIR}

After kernel (and modules) have been installed, we can reboot with:

doas /sbin/shutdown -r now

Now that the new kernel has booted, we can install the new userland:

cd /usr/src
doas ./build.sh -U -O /var/pkgtmp/obj -T /var/pkgtmp/tools install=/

Update the system configuration files as well:

doas /usr/sbin/postinstall -s /usr/src check
doas /usr/sbin/postinstall -s /usr/src fix
doas /usr/sbin/etcupdate -s /usr/src

Reboot:

doas /sbin/shutdown -r now

Sometimes it's recommended (or necessary)[14] to empty out the build directories:

doas rm -r /var/pkgtmp/{obj,tools,work}/*

Upgrade

Upgrading NetBSD appears to be only supported with boot media[15], and maybe sysupgrade[16], or weird sysinst tricks[17], but in my experience setting the correct RELEASE tag and then rebuilding the system does work in most cases too.

sysupgrade

sysupgrade auto

This will do the following:

  1. Fetch distribution sets
  2. Upgrade the kernel & modules
  3. Upgrade the system
  4. Run etcupdate to merge configuration file changes
  5. Run postinstall to help upgrade tasks
  6. Run cleaning jobs

After that (and a reboot) we should have an upgraded system.

pkgsrc

Source Packages

Download a current pkgsrc archive from a nearby mirror:

set -o braceexpand
ftp https://cdn.netbsd.org/pub/pkgsrc/stable/pkgsrc.tar.xz{,.SHA1}
cksum -a sha1 -c pkgsrc.tar.xz.SHA1

xz -dc pkgsrc.tar.xz | doas tar -C /usr/ -xpf -

Or, via Mercurial:

cd /usr
doas hg clone https://anonhg.NetBSD.org/pkgsrc

cd pkgsrc
doas hg update -C pkgsrc-2024Q2                                # Use hg branches to list available branches.

We can configure the build process via /etc/mk.conf:

MAKE_JOBS       = 4

WRKOBJDIR       = /var/pkgtmp/work
DISTDIR         = /var/pkgtmp/distfiles
PACKAGES        = /var/pkgtmp/packages

# When building as an unprivileged user[18][19]
SU_CMD          = ${LOCALBASE}/bin/doas /bin/sh -c

Add some hardening options[20][21]. They only affect packages built after the setting is in place, so rebuild what is already installed; a result can be checked with readelf -h (Type: DYN for a PIE) and readelf -l (a GNU_RELRO segment is listed):

PKGSRC_USE_FORTIFY      = 2
PKGSRC_USE_SSP          = strong
PKGSRC_MKPIE            = yes
PKGSRC_MKREPRO          = yes
PKGSRC_USE_RELRO        = full
PKGSRC_USE_STACK_CHECK  = yes

Install a single package:

$ cd /usr/pkgsrc/*/cowsay
$ make install
[...]
=> Checking file-check results for cowsay-3.04nb3
=> Creating binary package /var/pkgtmp/work/misc/cowsay/work/.packages/cowsay-3.04nb3.tgz
===> Building binary package for cowsay-3.04nb3
=> Creating binary package /var/pkgtmp/packages/All/cowsay-3.04nb3.tgz
=> Becoming ``root'' to make su-real-package-install (/usr/pkg/bin/doas)
===> Installing binary package of cowsay-3.04nb3
=> Dropping ``root'' privileges.

$ type cowsay
cowsay is /usr/pkg/bin/cowsay

$ ls -l /usr/pkg/bin/cowsay
-rwxr-xr-x  1 root  wheel  4498 Mar  5 03:41 /usr/pkg/bin/cowsay

Install missing packages:

for p in doas git iftop pkgin pv rsync screen sysupgrade vnstat; do cd /usr/pkgsrc/*/${p} && make install || break; done

Binary packages

We have to set PKG_PATH to be able to install from network resources. pkg_add fetches over HTTPS; whether it also checks package signatures is controlled by VERIFIED_INSTALLATION in pkg_install.conf(5):

PKG_PATH=https://cdn.netbsd.org/pub/pkgsrc/packages/$(uname -s)/$(uname -m)/$(uname -r | cut -d_ -f1)/All/ \
  pkg_add -v bash curl doas git htop iftop mercurial mozilla-rootcerts-openssl netcat pv rsync screen sysupgrade zsh zstd

We can also use pkgin to install binary packages:

$ pkg_add -v pkgin

$ grep ^http /usr/pkg/etc/pkgin/repositories.conf
https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/$arch/$osrelease/All

Update package database, and install something:

pkgin update
pkgin -V install cowsay

Note: pkgin (and pkg_add) is strict about the running architecture, so if any leftover packages from another architecture are installed we may have to remove those first:[22]

$ uname -p
x86_64

$ for p in $(pkg_info | awk '{print $1}'); do printf '%s ' "$p"; pkg_info -B "$p" | grep MACHINE_ARCH; done
bash-4.4.019 MACHINE_ARCH=x86_64
pkg_install-20180425 MACHINE_ARCH=i386
pkgin-0.11.6nb1 MACHINE_ARCH=x86_64
lz4-1.8.3 MACHINE_ARCH=x86_64
zstd-1.3.7 MACHINE_ARCH=x86_64
pv-1.6.0 MACHINE_ARCH=i386

After uninstalling those i386 packages, pkgin would run just fine.

Remove leftover packages:

for p in $(pkg_info | grep -vE 'doas|htop|git|iftop|pkg_install|pkgin|pv|screen|sysupgrade|zsh' | awk '{print $1}' | sed 's/-[0-9].*//' | sort); do echo ${p} && pkg_delete ${p}; done

Updating

The audit-packages and download-vulnerability-list commands have been deprecated; pkg_admin is used instead to fetch the vulnerability list and audit the installed packages against it.[23] The same two steps can run from the nightly cron job by setting fetch_pkg_vulnerabilities and audit_packages in daily.conf(5):

$ pkg_admin -v fetch-pkg-vulnerabilities
$ pkg_admin -v audit
No vulnerabilities found

Then there's pkglint to check on pkgsrc packages:

$ pkglint /usr/pkgsrc/misc/cowsay
ERROR: /usr/pkgsrc/misc/cowsay/patches/patch-aa:3: Each patch must be documented.
1 error and 0 warnings found.
(Run "pkglint -e" to show explanations.)

Cleanup

Run make clean, but only in directories we built in:

for d in /var/pkgtmp/work/*/*; do pdir=/usr/pkgsrc/${d#/var/pkgtmp/work/}; (cd "$pdir" && pwd && make distclean); done
