Configuring FreeBSD Part II - Upgrading the base system (kernel + system utilities)

Posted by Pat Thu, 25 Aug 2005 00:21:00 GMT

This is the nitty-gritty

Now we’re going to upgrade the base system. FreeBSD is different from linux in that “FreeBSD” isn’t simply a kernel like linux is – it’s a combination of the kernel and all the basic system utilities you’re used to. Those are called the “userland apps” in FreeBSD-speak.

Some of you may be wondering when we’re getting to the Rails stuff…that’s a bit later. As I said in the first post, this series of guides is to help you set up a deployment platform. A key component of that is making sure that your system is up-to-date, so you don’t have to worry about any security issues.

Upgrading the kernel isn’t all that hard…though it can be kind of scary at first. I’ll be honest, the first few times I upgraded my kernel I was scared shitless, hoping my machine would boot up. But don’t worry, it’s pretty easy stuff.

Most importantly, be sure to read the FreeBSD Handbook section on Configuring the FreeBSD Kernel. Failure do so will lead to you being lost, and may even screw up your machine. I’ll take you through the steps necessary, but you should still read up on it. Don’t say I didn’t warn you.

Install cvsup and update your sources

cvsup is a nifty little utility that updates your system sources, so you can upgrade your base system whenever you need. It can actually be used for updating anything basically, including the ports tree, but I just use it for the base. portsnap is excellent for managing the ports tree. 
# cd /usr/ports/net/cvsup-without-gui/ && make install clean
Once you’ve got it installed, you need to tell cvsup what sources to update, where to get them from, and what versions. These are all read in by default from a file of your choosing, sometimes called a supfile. The following is my supfile, which updates the base system for FreeBSD 5.4, and only does security updates. 
# vi /usr/local/etc/security-supfile

*default host=cvsup7.freebsd.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_5_4
*default delete use-rel-suffix
src-all
Now update the base system sources using cvsup. It’ll connect to the cvs servers and download all the latest code: 
# cvsup -L 2 /usr/local/etc/security-supfile
h3. Create a kernel config file The first thing I do now is create a custom kernel config file. I’ll show you where to go, but I won’t give my example config file because you need to enable different settings based on your machine. Take a look at The Configuration File to find out what all the options are. 
# cd /usr/src/sys/i386/conf/
# cp GENERIC HOSTNAME
# vi HOSTNAME
What I will recommend you put in the kernel config is PF support. PF is a firewall, though you can use a couple others if you don’t want it. For more info, check out the info on The OpenBSD Packet Filter. 
# pf support
device          pf
device          pflog
device          pfsync

# ALTQ support
options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)

I like to copy my config file to /root as well, just because when I do backups, I don’t backup the /usr/src directory and its subdirectories.

Rebuild the kernel and system binaries

Very first thing to do is check to see if you need to do anything special when upgrading…to do so, read the /usr/src/UPDATING file

Note: If you’ve got /tmp set to noexec, you’ll run into problems here. The system updating process requires that /tmp be executable, so just temporarily enable it.

Now go to the sources directory and start the build. The -j4 flag just makes it run faster. This will take a while, depending on the speed of your machine. 
# cd /usr/src
# make -j4 buildworld
Now build the kernel. This will only take a few minutes. Substitute HOSTNAME with whatever you named your kernel config file earlier. 
# make buildkernel KERNCONF=HOSTNAME
Once this is done, install the kernel. This should be pretty quick. 
# make installkernel KERNCONF=HOSTNAME
Then install the world (userland apps). 
# make installworld
The last step is to run mergemaster. This takes all your existing configuration files and merges necessary changes into them. You’ll want to back up your existing config files, in case something goes wrong. 
# cp -Rp /etc /home/backupetc
Now run mergemaster 
# mergemaster
This will prompt you to make changes to your files. For the most part, you can just install the changes. However, DO NOT INSTALL A NEW master.passwd, passwd, or group files. If you do, you’ll have to recover them from the backup you just made. Also, don’t overwrite any custom files you may have like firewall config files.

If you’re prompted to make a change, enter ‘i’ to install the change, and ‘d’ to discard it. Sometimes the file may be longer than the screen, in which case you can scroll down to see it in its entirety, or just hit ‘q’.

When the last file is done, you’ll be asked to delete the temp root directory. Choose ‘yes’.

Now reboot your machine and pray (just kidding! sorta…)

Rejoice or recover

In all likelihood your machine booted just fine. If not, you can recover it by loading the old kernel. Do this by doing a soft reboot (ctrl+alt+delete). When the machine is booting up, it will ask if you want to boot a different kernel by pressing any key other than ‘Enter’. So press something other than ‘Enter’ and type 
# unload
# boot kernel.GENERIC
If your server is hosted at a datacenter, and you don’t have physical access to it, submit a support ticket and have one of their techs boot to the old kernel.

Posted in  | Tags , ,  | 2 comments