HardenedBSD/UPDATING
2000-09-17 21:01:30 +00:00

Updating Information for FreeBSD current users
This file is maintained by imp@village.org. Please send new entries
directly to him. See end of file for further details. For commonly
done items, please see the end of the file. Search for 'COMMON
ITEMS:'
20000916:
/boot/kernel/kernel.ko -> /boot/kernel/kernel change has taken
place. Please update boot loader (not the boot blocks) at the
same time as your kernel.
20000914:
The new pmtimer device is necessary for laptops. Failure to
include the device will cause suspended laptops to lose time
when they resume. Include
	device pmtimer
in your config file and add
	hint.pmtimer.0.at="isa"
to your /boot/device.hints file.
20000911:
The random device has been turned into a (pseudo-)device,
rather than an option. The supplied kernel config files have
been updated. You will need to do something similar in your
own kernel config file.
Remove:
	options RANDOMDEV
Add:
	device random
If you prefer to load the loadable module, you need to do
nothing.
20000909:
The random device module has been renamed from randomdev.ko to
random.ko. You will need to edit your /boot/loader.conf to
reflect this if you load this module at boot time.
The line should read:
	random_load="YES"
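Added example (not part of the original UPDATING file): a POSIX sh check that reads a kernel config and a loader.conf and reports how the random device will be provided after the 20000911 and 20000909 changes. The function names, status words and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of UPDATING. Reports how (or whether) the random
# device is configured after entries 20000911 and 20000909.

# has_line FILE REGEX: true if FILE has a non-comment line matching REGEX.
has_line() {
    [ -f "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -Eq "$2"
}

# random_device_status KERNCONF LOADERCONF
# Prints one of (hypothetical status words):
#   kernel        'device random' is in the kernel config
#   module        random_load="YES" is in loader.conf
#   stale-option  only the removed 'options RANDOMDEV' is present
#   stale-module  only the old module name randomdev_load is present
#   missing       nothing provides the random device
random_device_status() {
    kconf=$1 lconf=$2
    if has_line "$kconf" '^[[:space:]]*device[[:space:]]+random([[:space:]]|$)'; then
        echo kernel
    elif has_line "$lconf" '^[[:space:]]*random_load="?YES"?'; then
        echo module
    elif has_line "$kconf" '^[[:space:]]*options[[:space:]]+RANDOMDEV'; then
        echo stale-option
    elif has_line "$lconf" '^[[:space:]]*randomdev_load='; then
        echo stale-module
    else
        echo missing
    fi
}

# Constructed sample: a setup from before 20000909 that loads the old
# module name and has no random device in its kernel config.
demo() {
    d=$(mktemp -d) || return 1
    printf 'machine\t\ti386\noptions\t\tINET\n' > "$d/MYKERNEL"
    printf 'randomdev_load="YES"\n' > "$d/loader.conf"
    random_device_status "$d/MYKERNEL" "$d/loader.conf"
    rm -rf "$d"
}
demo
```

Run it against copies of your own kernel config and /boot/loader.conf. Any result other than kernel or module means the random device will not be present after the update, which is the condition entry 20000710 warns will make OpenSSL and SSH fail.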
20000907:
The SMPNG commit has happened. It should work, but if it
doesn't, fall back to the PRE_SMPNG CVS tag. There are likely
to be a variety of minor issues. Please see 20000905 to make
sure you don't have module loading problems which might at
first blush appear related to SMP.
20000906:
nsswitch has been imported from NetBSD. Among other things,
this means that /etc/host.conf is no longer used. See
nsswitch.conf(5) instead. Note that at boot time rc.network
will attempt to produce a new nsswitch.conf file for you if you
don't have one, and you have host.conf.
20000905:
The ucred structure changed size. This breaks the interface
that mountd uses. Trying to use an older mountd with a newer
kernel guarantees a panic. This means that you need to use
kernels newer than today only with matching mountd, but you
needed to do that anyway with the boot loader changes.
20000905:
The boot loader has been updated. The new default kernel is
now /boot/kernel/kernel.ko. The new default module location
is /boot/kernel.
You *MUST* upgrade your boot loader and kernel at the same time.
The easiest way to do this is to do the buildworld/buildkernel/
installkernel/installworld dance.
Furthermore, you are urged to delete your old /modules directory
before booting the new kernel, since kldload will find stale
modules in that directory instead of finding them in the correct
path, /boot/kernel. The most common complaint that this cures
is that the linux module crashes your machine after the update.
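	# Keep the previous kernel and modules together as /boot/kernel.old
	if [ ! -d /boot/kernel.old ]; then
		mv /modules.old /boot/kernel.old
		# clear the system-immutable flag so the old kernel can be moved
		chflags noschg /kernel.old
		mv /kernel.old /boot/kernel.old/kernel.ko
		chflags schg /boot/kernel.old/kernel.ko
	fi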
20000904:
A new issue with the sendmail upgrade has come to light.
/etc/aliases has moved to /etc/mail/aliases. Mergemaster will
incorrectly install the default aliases in /etc/mail rather than
move the old one from /etc. So you'll need to manually move the
file, create a symbolic link, remove the old /etc/aliases.db and
run newaliases. For safety's sake, you should stop sendmail
while doing this and run the upgrade when locally sourced email
is not likely to be generated.
20000825:
/boot/device.hints is now required for installkernel to
succeed. You should copy GENERIC.hints for your architecture
into /boot/device.hints. If and only if you compile hints
into your kernel, then this file may be empty. Please note,
if you have an empty or missing /boot/device.hints file and
you neglected to compile hints into your kernel, no boot
messages will appear after the boot loader tries to start the
kernel.
20000821:
If you do NOT have ``options RANDOMDEV'' in your kernel and
you DO want the random device then add randomdev_load="YES" to
/boot/loader.conf.
20000812:
suidperl is now always built and installed on the system, but
with permissions of 511. If you have applications that use
this program, you are now required to add ENABLE_SUIDPERL=true
to /etc/make.conf. If you forget to do this,
	chmod 4511 /usr/bin/suidperl
will fix this until the next build.
20000812:
sendmail has been updated from 8.9.3 to 8.11.0. Some of the more
visible changes that may immediately affect your configuration
include:
- New default file locations from src/contrib/sendmail/cf/README
- newaliases limited to root and trusted users
- MSA port (587) turned on by default
- New queue file naming system so can't go from 8.11 -> 8.9
- FEATURE(`rbl') renamed to FEATURE(`dnsbl')
- FEATURE(`nullclient') is more full featured
- FEATURE(`nouucp') requires an argument: `reject' or `nospecial'
- mail.local FreeBSD-only -b option changed to -B
- See src/contrib/sendmail/RELEASE_NOTES for more info
20000810:
suidperl (aka sperl) is no longer built by default. You must
specifically define BUILD_SUIDPERL to "true" for it to be built.
Furthermore, we recommend that you remove /usr/bin/sperl* and
/usr/bin/suidperl files from your system unless you have a
specific use for it.
20000729:
Networking defaults have been tightened. Anybody upgrading
/etc/defaults/rc.conf needs to add the following lines to
/etc/rc.conf if they want to have the same setup
afterwards (unless the variables already are set, of course):
	# Enable network daemons for user convenience.
	inetd_enable="YES"
	portmap_enable="YES"
	sendmail_enable="YES"
20000728:
If you have null_load="YES" in your /boot/loader.conf, you
will need to change that to nullfs_load="YES".
20000728:
The "installkernel" target has changed slightly. Now even if
you override KERNEL e.g. 'make installkernel KERNEL=MYKERNEL'
it will install the MYKERNEL file (built with the buildkernel
target) as /kernel rather than /MYKERNEL. Those who have
updated their /boot/loader.conf files to point to /MYKERNEL
should remove that entry or perform manual rename of /kernel
to /MYKERNEL.
20000711:
If you use CVSUP or CTM to get CVS trees, AND you used to get
the old crypto files from internat.freebsd.org AND you check
out files from the CVS tree with the cvs command, please read
http://people.freebsd.org/~imp/internat.txt
for details on potential problems that you might have and how
to get around them.
If you are merely a mirror, or don't answer yes to each of the
clauses above, you needn't worry.
20000711:
/etc/security has been updated to print the inode number of
setuid programs that have changed. You will see a large spike
in the number of changed programs the first time when you run
mergemaster to get a new /etc/security.
20000710:
/dev/random now has good entropy collection (from the keyboard
and sysmouse drivers). Please ensure that either `options
RANDOMDEV' is present in your kernel config file or that
`randomdev_load="YES"' is in your /boot/loader.conf. If you do
not have the /dev/random driver, OpenSSL (and consequently
lots of crypto tools (like SSH)) will fail with strange
errors. (see below, 20000624).
FreeBSD-current is safe again to run Crypto.
20000709:
phk made the malloc default options AJ. This may slow things
down and uncover other latent bugs in the code. If you need to
run at full speed, you can disable this by doing the following:
	ln -s aj /etc/malloc.conf
20000706:
libftpio's version was accidentally bumped a few days ago. This
has been corrected. You may need to remove /usr/lib/libftpio.so.6
before doing your next buildworld/installworld pair. It certainly
won't hurt to remove it before the update procedure. It will
break fetch until a new one is built, but ftp can be used in the
interim if needed.
20000705:
The crypto packages have changed for the cvsup. This has been done
in a backward compatible way, but the old packages will go away at
some point in the future. Look at /usr/share/examples/cvsup for
details.
20000704:
With the new sys/modules/sound/drivers/*, you will need to
set SYSDIR until you do an installworld after July 7th.
20000704:
rc.shutdown and rc will now call the rc.d scripts with start
or stop. This may cause some harmless warnings from older
rc.d scripts that haven't been updated.
20000630:
The libfetch based version of fetch has gone into the tree.
Minor problems may result on some of the less popular sites,
which should be reported to des@freebsd.org.
20000625:
From approximately this date forward, one must have the crypto
system installed in order to build the system and kernel.
While not technically strictly true, one should treat it as
required and grab the crypto bits. If you are grabbing CVS
trees, src-all and cvs-crypto should be treated as if they
were required. You should check with the latest collections
to make sure that these haven't changed.
20000624:
Mark Murray just committed the first parts of a cleanup of
/dev/zero, et al. This is also cleaning up /dev/random.
The entropy is disconnected, so DO NOT USE VERSIONS OF FREEBSD
-CURRENT FROM THIS POINT FORWARD for cryptographic services
until Mark can merge in the fixes to this work in progress.
openssh and openssl should not be used to generate keys from this
date to the completion of the work.
If you must operate at this reduced level of security, add
'options RANDOMDEV' to your kernel or modload the randomdev
module. You may also need to copy a new MAKEDEV to /dev and
recreate the random and urandom devices.
20000622:
The license on the softupdates is now a standard 2 clause
BSD license. You may need to remove your symbolic links
that used to be required when updating.
20000621:
Scott Flatman <sf@aracnet.com> sent in a decent write-up on
the config file update procedure.
http://people.freebsd.org/~imp/config-upd.html
NOTE: LINT is gone. It has been replaced with NOTES. NOTES
isn't buildable. However, you can generate a LINT file.
20000620:
Binutils 2.10 have hit the tree, or will shortly. As soon
as they do, the problem noted in 20000522 will be resolved and
that workaround will no longer be required.
20000615:
phk removed the compatibility creation of wd devices in the
ad driver. If you haven't done so already, you must update
your fstab, etc to use the ad devices instead of the wd
devices.
In addition, you'll need to update your boot blocks to a
more modern version, if you haven't already done so. Modern
here means 4.0 release or newer (although older releases
may work).
20000612:
Peter took an axe to config(8). Be sure that you read his mail
on the topic before even thinking about updating. You will
need to create a /boot/device.hints or add a hints directive
to your config file to compile them in statically. The format
of the config file has changed as well. Please see GENERIC or
NEWCARD for examples of the new format.
20000522:
A new set of binutils went into the tree today. Anybody
building a kernel after this point is advised that they need
to rebuild their binutils (or better yet do a
buildworld/installworld) before building a new kernel.
Due to bugs in binutils, using malloc options (eg /etc/malloc.conf
or MALLOC_OPTIONS env var) J will cause ld to dump core. It
is recommended that you don't set this option until the problem
is resolved.
20000513:
The ethernet drivers were all updated to clean up the BPF handling.
20000510:
The problems with boot blocks on the alphas have been corrected.
This will require some care in updating alphas. A new libstand
is required for the boot blocks to build properly.
20000503:
Recompile all kld modules. Proper version dependency info
is now available.
20000502:
Modules have been disconnected from the buildworld tree and
connected to the kernel building instead.
20000427:
You may need to build gperf
	cd /usr/src/gnu/usr.bin/gperf && make depend all install
when upgrading from 4.0 -> current. The build system now uses
an option only in -current.
20000417:
The method that we brand ELF binaries has changed to be more
acceptable to the binutils maintainers. You will need to
rebrand your ELF binaries that aren't native. One problem
binary is the Linux ldconfig. After your make world, but
before you reboot, you'll need to issue:
	brandelf -t Linux /compat/linux/sbin/ldconfig
if you have Linux compatibility enabled on your machine.
20000320:
If you have really bad/marginal IDE drives, you may find they
don't work well. Use pio mode instead. The easiest way to
cope if you have a problem combination is to add:
	/sbin/sysctl -w hw.atamodes=pio,pio,pio,pio
to the start of /etc/rc.conf.
20000319:
The ISA and PCI compatibility shims have been connected to the
options COMPAT_OLDISA and COMPAT_OLDPCI. If you are using old
style PCI or ISA drivers (i.e. tx, voxware, etc.) you must
include the appropriate option in your kernel config. Drivers
using the shims should be updated or they won't ship with
5.0-RELEASE, targeted for 2001.
20000318:
We've entered the traditional post release dumping party.
Large kernel changes are being committed and are in the
works. It is important to keep the systems' klds and kernel
in sync as kernel interfaces and structures are changing.
Before reporting kernel panics, make sure that all modules
that you are loading are up to date.
20000315:
If you are upgrading from an older version of FreeBSD, you
need to update your boot blocks as well. 'disklabel -B ad0'
will do the trick. This isn't critical until you remove your
wd device entries in /dev, at which point your system will not
boot.
20000315:
4.0 RELEASE shipped. Please see the 4.0 UPDATING file for how
to upgrade to 4.0 from 3.x.
COMMON ITEMS:
General Notes
-------------
Avoid using make -j when upgrading. From time to time in the
past there have been problems using -j with buildworld and/or
installworld. This is especially true when upgrading between
"distant" versions (e.g. ones that cross a major release boundary
or several minor releases, or when several months have passed
on the -current branch).
To build a kernel
-----------------
If you are updating from a prior version of FreeBSD (even one just
a few days old), you should follow this procedure. With a
/usr/obj tree with a fresh buildworld,
	make buildkernel KERNEL=YOUR_KERNEL_HERE
	make installkernel KERNEL=YOUR_KERNEL_HERE
To just build a kernel when you know that it won't mess you up
--------------------------------------------------------------
	cd src/sys/{i386,alpha}/conf
	config KERNEL_NAME_HERE [1]
	cd ../../compile/KERNEL_NAME_HERE
	make depend
	make
	make install
[1] If in doubt, -r might help here.
If this fails, go to the "To build a kernel" section.
To rebuild everything and install it on the current system.
-----------------------------------------------------------
	make world
Build a new kernel, see above.
To upgrade from 4.x-stable to current
-------------------------------------
	make buildworld
	make buildkernel KERNEL=YOUR_KERNEL_HERE
	cp src/sys/${MACHINE_ARCH}/GENERIC.hints /boot/device.hints [2]
	make installkernel KERNEL=YOUR_KERNEL_HERE
	make installworld
	[1]
	<reboot>
Make sure that you've read the UPDATING file to understand the
tweaks to various things you need. At this point in the life
cycle of current, things change often and you are on your own
to cope. The defaults can also change, so please read ALL of
the UPDATING entries.
Also, if you are tracking -current, you must be subscribed to
freebsd-current@freebsd.org. Make sure that before you update
your sources that you have read and understood all the recent
messages there. If in doubt, please track -stable which has
much fewer pitfalls.
[1] If you have third party modules, such as vmware, you
should disable them at this point so they don't crash your
system on reboot.
[2] If you have legacy ISA devices, you may need to create
your own device.hints to reflect your unique hardware
configuration.
FORMAT:
This file contains a list, in reverse chronological order, of major
breakages in tracking -current. Not all things will be listed here,
and it only starts on March 15, 2000. Updating files can be found in
previous releases if your system is older than this.
Please filter your entries through Warner Losh (imp@village.org) so
that the style, formatting, etc of this file can be maintained.
$FreeBSD$