#1
How to update your FreeBSD 4.x or 5.x server.

You will first need the cvsup application and src code if you do not have them already. First 'su' to root like I explained above. Then do the following.

    [root@foobar]/root% pkg_add -r cvsup-without-gui

You will then see the server download and install a precompiled version of the cvsup application from the ftp.freebsd.org site or mirror. Once cvsup has been installed you now need to create a cvsup file.

    % cd /usr/local/etc
    % ee cvsupfile

Copy and paste the following into the server. This is the config to track the 5.2_RELEASE tree so it will only download security patches and fixes and not new features.

    *default host=cvsup.layeredtech.com
    *default base=/usr
    *default prefix=/usr
    *default release=cvs
    *default tag=RELENG_5_2
    *default delete use-rel-suffix
    src-all
    ports-all tag=.
    # End

Then type.

    % cvsup -L 2 /usr/local/etc/cvsupfile

You will then see your server connect to the FreeBSD cvs servers and start downloading the most recent ports tree and the FreeBSD system source code. This could take a while depending on your connection speed. Once the source and ports trees have been synced you can now update your system userland and kernel by doing the following. First you should read the UPDATING file that is located in the /usr/src directory.

    % ee /usr/src/UPDATING

Look for special instructions to follow to upgrade from your existing server version. To find out what version of FreeBSD you are running you can type.

    % uname -a

You will see something like:

    FreeBSD yourhost.domain.com 4.8-RELEASE-p13 FreeBSD 4.8-RELEASE-p13 #6: Tue Oct 7 01:01:40 CDT 2003 root@yourhost.domain.com:/usr/obj/usr/src/sys/KERNFILENAME i386

Once you have read the UPDATING document and noted any special changes you may have to do, you can start with the 'buildworld'. First cd to the system sources directory.

    % cd /usr/src

Now start the build with a -j4 flag. This will start 4 of the build processes and will speed up the build. If you are having problems with the build completing, remove the flag. You can raise the -j* flag more on faster systems, up to -j12; after that you see no real gains in speed. -j4 is a good flag that will see build speed gains on most any platform.

    % make -j4 build

Get a drink and wait for a bit. You will see the system sources now getting rebuilt.

    %...

About 20mins - 2hrs later, depending on your system speed, you will see the build has completed. You now need to create a custom kernel file and save it to use for the next step.

    % cd /usr/src/sys/i386/conf/
    % cp GENERIC FOOBAR
    % ee GENERIC

This is an example 4.x kernel config I use on an Apache web server with 300+ vhosts. The system has a Pentium 4 1.8 GHz CPU, an Adaptec SCSI controller and a 3com network card.

    ### $Layeredtech.com FreeBSD 4.x Kernel Config
    machine         i386
    cpu             I686_CPU
    ident           FOOBAR
    maxusers        256

    options         NMBCLUSTERS=32768

    # Drop malicious packets and randomize the TCP stack to help hide the OS type and version also
    # adds an extra layer of security to your TCP traffic.
    options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
    options         RANDOM_IP_ID

    # Add IPFW firewall Support. Make sure you have support for this in your /etc/rc.conf file
    # example rc.conf file lines
    #--firewall lines--#
    # firewall_enable="YES"
    # firewall_script="/etc/rc.firewall"
    # firewall_type="simple" # there is also none, open and some others read the /etc/rc.firewall
    # file more information
    # firewall_quiet="NO" This will enable more verbose logging
    ##
    options         IPDIVERT                # This diverts the packets
    options         IPFIREWALL              # Added for natd support
    options         IPFIREWALL_VERBOSE      # Added for logging
    options         IPFIREWALL_VERBOSE_LIMIT=100 # Used to stop log flooding

    # Note the options I have removed to slim down and speed up the kernel
    options         MATH_EMULATE            #Support for x87 emulation
    options         INET                    #InterNETworking
    options         FFS                     #Berkeley Fast Filesystem
    options         FFS_ROOT                #FFS usable as root device [keep this!]
    options         SOFTUPDATES             #Enable FFS soft updates support
    options         UFS_DIRHASH             #Improve performance on big directories

    # This server connects to a central file server via NFS; if you do not, remove the next two options
    options         NFS                     #Network Filesystem
    options         NFS_ROOT                #NFS usable as root device, NFS required

    # Leave these
    options         PROCFS                  #Process filesystem
    options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]

    # Remove this line if you do not have SCSI devices
    options         SCSI_DELAY=15000        #Delay (in ms) before probing SCSI

    # Leave these
    options         UCONSOLE                #Allow users to grab the console
    options         USERCONFIG              #boot -c editor
    options         VISUAL_USERCONFIG       #visual boot -c editor
    options         SYSVSHM                 #SYSV-style shared memory
    options         SYSVMSG                 #SYSV-style message queues
    options         SYSVSEM                 #SYSV-style semaphores
    options         P1003_1B                #Posix P1003_1B real-time extensions
    options         _KPOSIX_PRIORITY_SCHEDULING
    options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev

    # Try and stop some types of DoS and other malicious traffic
    options         ICMP_BANDLIM            #Rate limit bad replies

    # If you are running Apache these will speed up your server. See the httpd.apache.org for more
    # information or google.com
    options         ACCEPT_FILTER_DATA
    options         ACCEPT_FILTER_HTTP

    # Note I removed 'eisa' support since it's only used in old hardware
    device          isa
    device          pci

    # My SCSI system devices
    device          ahc             # AHA2940 and onboard AIC7xxx devices
    device          aic0    at isa?
    device          scbus           # SCSI bus (required)
    device          da              # Direct Access (disks)
    device          sa              # Sequential Access (tape etc)
    device          pass            # Passthrough device (direct SCSI access)

    # Leave these
    device          atkbdc0 at isa? port IO_KBD
    # note the flag removed here allows you to boot the system without a keyboard and place it back
    # in later at the local console to access the server locally
    device          atkbd0  at atkbdc? irq 1
    device          psm0    at atkbdc? irq 12
    device          vga0    at isa?

    # Floating point support - do not disable.
    device          npx0    at nexus? port IO_NPX irq 13

    # Power management support (see LINT for more options)
    device          apm0    at nexus? disable flags 0x20 # Advanced Power Management

    # My 3com network card. If you have an Intel PCI 100mb it will be a 'fxp' and if you have a
    # realtek it will be 'rl' There are more examples in the /usr/src/sys/i386/conf/LINT or GENERIC
    # file
    #
    # PCI Ethernet NICs that use the common MII bus controller code.
    # NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
    device          miibus          # MII bus support
    device          xl              # 3Com 3c90x (``Boomerang'', ``Cyclone'')

    # Pseudo devices - the number indicates how many units to allocate.
    pseudo-device   loop            # Network loopback
    pseudo-device   ether           # Ethernet support
    pseudo-device   tun             # Packet tunnel.
    pseudo-device   pty             # Pseudo-ttys (telnet etc)

    # Note I removed a few devices here that I do not need this will help secure your server further
    # and slim down / speed up the kernel.
    # All of the USB & Firewire devices and options have been removed since we don't use them
    #
    #### END

Once you have created your custom kernel config you can now save the file by pressing 'esc' and following the prompts. Now you can build the kernel and continue with the update.

    # Make sure you are back in the /usr/src directory.
    % cd /usr/src
    % make buildkernel KERNCONF=FOOBAR

Note KERNCONF should be the name of the kernel config file you just created. You will now see your new custom kernel building. This takes only a few minutes. After the build has completed you now need to install the newly built kernel and userland ( world ).

    % make installkernel KERNCONF=FOOBAR

A bunch of kernel files and modules get installed. It takes only a minute.

    % make installworld

Now all of the system userland will be installed. This will take 5-10 mins or less. Once the system userland has been installed you need to do the most important step, and also the most confusing at times. You need to run 'mergemaster'. Let's back up your existing /etc directory just in case something goes wrong.

    % cp -Rp /etc /home/backupetc

NOTE: remember to delete the backup ***AFTER*** the successful build and install.

    % rm -r /home/backupetc

Now run mergemaster.

    % mergemaster

You will see the mergemaster application start comparing your existing /etc directory config files, passwd and group files and other files, and it will start prompting you if you want to either install the files or delete them or merge them. For the majority of the files you can just tell them to safely install. DO NOT EVER INSTALL A NEW master.passwd, passwd or group file. Also be careful about replacing the /etc/mail/aliases and /etc/rc.firewall firewall file if you have a custom IPFW firewall created. If you do you will lock yourself out. If you do happen to install a new password file you will need to copy back your old one from the backup you just made.

At the prompt asking you what to do or showing you part of a file, press 'q' and then 'i' to install the file or 'd' to delete it. Just select 'q' and then 'i' for most of them, except the files I mentioned above or any other files you have edited with custom entries for your system. You will then be prompted to build the new device tree if you installed the MAKEDEV during mergemaster ( you should have ); select 'y' and let it build. It will then maybe ask you to rebuild the 'aliases' file. Select 'y'. After that it will ask you if you want to delete the temp root directory. Select 'y'. You now have an updated system and need to reboot. Be sure to reboot shortly or it will cause possible problems if you do this from a remote host.

    % shutdown -r now

The system will reboot and you can log in and start up any services that you need to. If the system does not come back up and you have tried installing a firewall, have a technician look at the local console and tell them to soft reboot the server with 'ctrl + alt + del'. When the system is booting up you can tell it you want to load a custom kernel by pressing any key other than 'enter' when prompted. Then you type.

    % unload
    % boot kernel.GENERIC

or

    % boot kernel.old
    % boot kernel.prev

This depends on what your old kernel file was called; most systems will have a kernel.GENERIC on them unless you removed it. That will get the system back up and you can fix any errors with the firewall.

Thanks
Jeremy

Last edited by LTADMIN; 10-27-2005 at 11:55 PM.
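Added example (not part of the original post or of FreeBSD): a POSIX shell pre-reboot check for the kernel config and rc.conf lines described in post #1. It reports which of the post's hardening options are active (commented-out lines do not count) and flags the lockout case, where IPFIREWALL is compiled in with ipfw's default deny rule but rc.conf does not set firewall_enable. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample kernel config and rc.conf below are constructed.

# has_opt FILE NAME: true if "options NAME" is active (not commented out).
has_opt() {
    awk -v o="$2" '
        { sub(/#.*/, "") }                       # strip comments first
        $1 == "options" { split($2, kv, "="); if (kv[1] == o) f = 1 }
        END { exit !f }' "$1"
}

# kconf_audit FILE: one "NAME on|off" line per hardening option from the post.
kconf_audit() {
    for o in TCP_DROP_SYNFIN RANDOM_IP_ID ICMP_BANDLIM \
             IPFIREWALL IPFIREWALL_VERBOSE IPFIREWALL_VERBOSE_LIMIT; do
        if has_opt "$1" "$o"; then echo "$o on"; else echo "$o off"; fi
    done
}

# lockout_risk KCONF RCCONF: true when ipfw is compiled in with its default
# deny rule and rc.conf does not enable the firewall rules script.
lockout_risk() {
    has_opt "$1" IPFIREWALL || return 1
    has_opt "$1" IPFIREWALL_DEFAULT_TO_ACCEPT && return 1
    grep -Eq '^[[:space:]]*firewall_enable="?[Yy][Ee][Ss]"?' "$2" && return 1
    return 0
}

# Constructed sample input: a trimmed kernel config and an rc.conf.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/FOOBAR" <<'EOF'
ident           FOOBAR
options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
#options        RANDOM_IP_ID
options         ICMP_BANDLIM            #Rate limit bad replies
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
EOF
cat > "$tmp/rc.conf" <<'EOF'
sshd_enable="YES"
# firewall_enable="YES"
EOF

kconf_audit "$tmp/FOOBAR"
if lockout_risk "$tmp/FOOBAR" "$tmp/rc.conf"; then
    echo "WARNING: IPFIREWALL without firewall_enable: default deny after reboot"
fi
```

Run it against the real /usr/src/sys/i386/conf/FOOBAR and /etc/rc.conf before `shutdown -r now`, while the remote session is still up.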
#2
Excellent tutorial!
__________________
www.enhanced-gaming.net #enhanced-gaming on Gamesuge IRC
Game, web, dedicated, HLTV and ventrilo hosting

Last edited by Rahil; 08-05-2004 at 05:55 PM.
#3
Until this step:

    make -j4 build
    make: don't know how to make build. Stop

I used LT server instead of freebsd.org

    *default host=cvsup.layeredtech.com
    *default base=/usr
    *default prefix=/usr
    *default release=cvs
    *default tag=RELENG_5_2
    *default delete use-rel-suffix
    src-all
    ports-all tag=.
#4
Hello,

Did you run that command as root from /usr/src? And it should be 'make -j4 buildworld'.

Thanks
Jeremy
#5
cool! It's working with "buildworld" instead of "build" only.
Thank you a lot, Jeremy
#6
How to build kernel with quota support?
#7
Found it.
Place

    options QUOTA

in the kernel configuration file.
#8
I'm lost on trying to select my hard drive options -

I don't have SCSI drives, only an ATA drive. dmesg at the moment gives this line:

    ad0: 190782MB <WDC WD2000JB-00GVA0/08.02D08> [387621/16/63] at ata0-master UDMA100

So what do I need to do to enable it? The GENERIC ATA options are given as:

    # ATA and ATAPI devices
    device          ata
    device          atadisk                 # ATA disk drives
    device          ataraid                 # ATA RAID drives
    device          atapicd                 # ATAPI CDROM drives
    device          atapifd                 # ATAPI floppy drives
    device          atapist                 # ATAPI tape drives
    options         ATA_STATIC_ID           #Static device numbering
#9
Choose the following options.

    # ATA and ATAPI devices
    device          ata
    device          atadisk                 # ATA disk drives
    options         ATA_STATIC_ID           #Static device numbering

Make sure you do a backup of your known good kernel before doing any installs of custom ones.

5.x

    cp -Rp /boot/kernel /boot/kernel.good

or 4.x

    cp -Rp /kernel /kernel.good

If your upgrade fails then we can reboot it to your old good kernel and you can try again.

Thanks
Jeremy
#10
Thanks Jeremy, esp for the reminder to backup the old kernel. I've never done a kernel config before (hence why it's taken me so long to set up ipfw!) and would likely have forgotten to do that.

Anyway, my kernel config is exactly the same as above (although removing any SCSI drive options and adding the ATA stuff instead), and yet when I run

    make buildkernel KERNCONF=kern20050124

I get the following error:

Code:

    --------------------------------------------------------------
    >>> Kernel build for kern20050124 started on Mon Jan 24 21:02:35 CET 2005
    --------------------------------------------------------------
    ===> kern20050124
    mkdir -p /usr/obj/usr/src/sys

    --------------------------------------------------------------
    >>> stage 1: configuring the kernel
    --------------------------------------------------------------
    cd /usr/src/sys/i386/conf; PATH=/usr/obj/usr/src/i386/legacy/usr/sbin:/usr/obj/usr/src/i386/legacy/usr/bin:/usr/obj/usr/src/i386/legacy/usr/games:/usr/obj/usr/src/i386/usr/sbin:/usr/obj/usr/src/i386/usr/bin:/usr/obj/usr/src/i386/usr/games:/sbin:/bin:/usr/sbin:/usr/bin config -d /usr/obj/usr/src/sys/kern20050124 /usr/src/sys/i386/conf/kern20050124
    config: /usr/src/sys/i386/conf/kern20050124:77: devices with zero units are not likely to be correct
    *** Error code 1

    Stop in /usr/src.
    *** Error code 1

    Stop in /usr/src.

The only difference, which I may have been mistaken on, is the instructions:

    % cd /usr/src/sys/i386/conf/
    % cp GENERIC FOOBAR
    % ee GENERIC

I executed

    # cd /usr/src/sys/i386/conf/
    # cp GENERIC kern20050124
    # pico kern20050124

since (probably wrongly) that the command 'ee GENERIC' was a typo and should read 'ee FOOBAR'.

If you (or anyone) could give some pointers, I'd be very grateful (I could attach the config file, but it's exactly as above, replacing the SCSI options for ATA).

Andy

--edit

Also, my cvsupfile was changed to reflect the OS version for the update:

Code:

    *default host=cvsup12.freebsd.org
    *default base=/usr
    *default prefix=/usr
    *default release=cvs
    *default tag=RELENG_5_3
    *default delete use-rel-suffix
    src-all
    ports-all tag=.
    # End

    config: /usr/src/sys/i386/conf/kern20050124:77: devices with zero units are not likely to be correct

If the number 77 after the config file refers to the line number, then the following line is the culprit:

    # ATA and ATAPI devices
    device          ata
    device          atadisk                 # ATA disk drives
    options         ATA_STATIC_ID           #Static device numbering

    # Leave these # device atkbdc0 at isa? port IO_KBD

(# Leave these is actually line 77, so I think that the build is expecting a value for ATA_STATIC_ID)

Last edited by input; 01-25-2005 at 02:19 AM.