HardenedBSD/usr.sbin/freebsd-update/freebsd-update.8

.\"-
.\" Copyright 2006, 2007 Colin Percival
.\" All rights reserved
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted providing that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd February 2, 2024
.Dt FREEBSD-UPDATE 8
.Os
.Sh NAME
.Nm freebsd-update
.Nd fetch and install binary updates to FreeBSD
.Sh SYNOPSIS
.Nm
.Op Fl F
.Op Fl b Ar basedir
.Op Fl -currently-running Ar release
.Op Fl d Ar workdir
.Op Fl f Ar conffile
.Op Fl j Ar jail
.Op Fl k Ar KEY
.Op Fl -not-running-from-cron
.Op Fl r Ar newrelease
.Op Fl s Ar server
.Op Fl t Ar address
.Ar command ...
.Sh DESCRIPTION
The
.Nm
tool is used to fetch, install, and rollback binary
updates to the
.Fx
base system.
.Sh BINARY UPDATES AVAILABILITY
Binary updates are not available for every single
.Fx
version and architecture.
.Pp
In general, binary updates are available for ALPHA, BETA, RC, and RELEASE
versions of
.Fx ,
e.g.:
.Bl -item -offset indent -compact
.It
.Fx 13.1-ALPHA3
.It
.Fx 13.1-BETA2
.It
.Fx 13.1-RC1
.It
.Fx 13.1-RELEASE
.El
They are not available for branches such as PRERELEASE, STABLE, and CURRENT,
e.g.:
.Bl -item -offset indent -compact
.It
.Fx 13.0-PRERELEASE
.It
.Fx 13.1-STABLE
.It
.Fx 14.0-CURRENT
.El
.Pp
In particular, the
.Fx
Security Team only builds updates for releases shipped in binary form by the
.Fx
Release Engineering Team.
.Sh OPTIONS
The following options are supported:
.Bl -tag -width "-r newrelease"
.It Fl b Ar basedir
Operate on a system mounted at
.Ar basedir .
(default:
.Pa / ,
or as given in the configuration file.)
.It Fl d Ar workdir
Store working files in
.Ar workdir .
(default:
.Pa /var/db/freebsd-update/ ,
or as given in the configuration file.)
.It Fl f Ar conffile
Read configuration options from
.Ar conffile .
(default:
.Pa /etc/freebsd-update.conf )
.It Fl F
Force
.Nm Cm fetch
to proceed in the case of an unfinished upgrade.
.It Fl j Ar jail
Operate on the given jail specified by
.Va jid
or
.Va name .
(The version of the installed userland is detected and the
.Fl -currently-running
option is no more required.)
.It Fl k Ar KEY
Trust an RSA key with SHA256 of
.Ar KEY .
(default: read value from configuration file.)
.It Fl r Ar newrelease
Specify the new release (e.g., 11.2-RELEASE) to which
.Nm
should upgrade
.Pq Cm upgrade No command only .
.It Fl s Ar server
Fetch files from the specified server or server pool.
(default: read value from configuration file.)
.It Fl t Ar address
Mail output of
.Cm cron
command, if any, to
.Ar address .
(default: root, or as given in the configuration file.)
.It Fl -not-running-from-cron
Force
.Nm Cm fetch
to proceed when there is no controlling
.Xr tty 4 .
This is for use by automated scripts and orchestration tools.
Please do not run
.Nm Cm fetch
from
.Xr crontab 5
or similar using this flag, see:
.Nm Cm cron
.It Fl -currently-running Ar release
Do not detect the currently-running release; instead, assume that the system is
running the specified
.Ar release .
This is most likely to be useful when upgrading jails.
.El
.Sh COMMANDS
The
.Cm command
can be any one of the following:
.Bl -tag -width "rollback"
.It Cm fetch
Based on the currently installed world and the configuration options set, fetch
all available binary updates.
.It Cm cron
Sleep a random amount of time between 1 and 3600 seconds, then download updates
as if the
.Cm fetch
command was used.
If updates are downloaded, an email will be sent (to root or a different
address if specified via the
.Fl t
option or in the configuration file).
As the name suggests, this command is designed for running from
.Xr cron 8 ;
the random delay serves to minimize the probability that a large number of
machines will simultaneously attempt to fetch updates.
.It Cm upgrade
Fetch files necessary for upgrading to a new release.
Before using this command, make sure that you read the announcement and release
notes for the new release in case there are any special steps needed for
upgrading.
Note that this command may require up to 500 MB of space in
.Ar workdir
depending on which components of the
.Fx
base system are installed.
.It Cm updatesready
Check if there are fetched updates ready to install.
Returns exit code 2 if there are no updates to install.
.It Cm install
Install the most recently fetched updates or upgrade.
Returns exit code 2 if there are no updates to install and the
.Cm fetch
command wasn't passed as an earlier argument in the same invocation.
.It Cm rollback
Uninstall the most recently installed updates.
.It Cm IDS
Compare the system against a "known good" index of the installed release.
.It Cm showconfig
Show configuration options after parsing conffile and command line options.
.El
.Sh TIPS
.Bl -bullet
.It
If your clock is set to local time, adding the line
.Pp
.Dl 0 3 * * * root /usr/sbin/freebsd-update cron
.Pp
to
.Pa /etc/crontab
will check for updates every night.
If your clock is set to UTC, please pick a random time other than 3AM, to avoid
overly imposing an uneven load on the server(s) hosting the updates.
.It
In spite of its name,
.Nm
IDS should not be relied upon as an "Intrusion Detection System", since if the
system has been tampered with it cannot be trusted to operate correctly.
If you intend to use this command for intrusion-detection purposes, make sure
you boot from a secure disk (e.g., a CD).
.El
.Sh ENVIRONMENT
.Bl -tag -width "PAGER"
.It Ev PAGER
The pager program used to present various reports during the execution.
.Po
Default:
.Dq Pa /usr/bin/less .
.Pc
.Pp
.Ev PAGER
can be set to
.Dq cat
when a non-interactive pager is desired.
.El
.Sh FILES
.Bl -tag -width "/etc/freebsd-update.conf"
.It Pa /etc/freebsd-update.conf
Default location of the
.Nm
configuration file.
.It Pa /var/db/freebsd-update/
Default location where
.Nm
stores temporary files, downloaded updates, and files required for rollback.
All files under
.Pa /var/db/freebsd-update/
may be deleted if an upgrade is not in progress and rollback will not be
required.
.El
.Sh SEE ALSO
.Xr freebsd-version 1 ,
.Xr uname 1 ,
.Xr freebsd-update.conf 5 ,
.Xr nextboot 8
.Sh AUTHORS
.An Colin Percival Aq Mt cperciva@FreeBSD.org
.Sh BUGS
In patch level situations – for example, 13.2-RELEASE-p1 up to
13.2-RELEASE-p2: if any previous modification to a file in
.Pa /etc/
will conflict with an available update, then
.Nm
will make no attempt to merge.
Instead:
.Nm
will print a list of affected locally-modified files.