

Warning: those guides are mostly obsolete, please have a look at the new documentation.


NetBSD post-installation and configuration
 
http://pbraun.nethence.com/unix/sysutils_bsd/netbsd.html
http://pbraun.nethence.com/unix/sysutils_bsd/netbsd-amazon-ec2.html
http://pbraun.nethence.com/unix/sysutils_bsd/netbsd-pxe.html
http://pbraun.nethence.com/unix/sysutils_bsd/netbsd-update.html
 
Installation
Proceed with a NetBSD PXE install server, memstick or any other install media. At the configuration step, optionally change the root shell to
/bin/ksh
but nothing more, we are going to configure everything by hand.
 
Note. If you get this error message during installation (at installboot, right after the newfs stage),
Installboot Old BPB is too big
get out of sysinst, erase the start of the disk (1MB is enough) and restart,
^C
dd if=/dev/zero of=/dev/rwd0d bs=1024k count=1
Refs.
https://mail-index.netbsd.org/port-amd64/2015/06/21/msg002275.html
https://mail-index.netbsd.org/current-users/2015/01/21/msg026523.html
 
Post-installation
After a quick and dirty installation with no configuration whatsoever, get a DHCP lease to proceed remotely,
hostname host 
echo host > /etc/myname
/etc/rc.d/sshd onestart
dhclient bge0 
ifconfig
Note. We start sshd to generate the key pairs BEFORE we start dhclient, because we don't want the DHCP server to give us another hostname which would show up in the SSH keys.
 
Create a user in the wheel group to access the SSH service (PermitRootLogin no),
useradd -D -s /bin/ksh
useradd -m -g users -G wheel adminuser 
passwd adminuser 
passwd root
Note. -g users is the default anyway on NetBSD, so it's not required here, but it does no harm.
 
You can now login remotely and switch to root,
su -
 
Check you've got the right shell e.g. KSH,
chsh
#chpass
#chpass -s /bin/ksh
 
Check the timezone,
cd /etc/
ll localtime
ln -sf ../usr/share/zoneinfo/Europe/Paris localtime
ll localtime
and fix the date (I think NetBSD also handles the hw clock directly),
date
ntpdate -b -u ntp.obspm.fr 
date
Note. -b forces the clock to be stepped with settimeofday instead of slewed with adjtime, so the change is radical and immediate. See -b and -B in the manual.
 
Enable the NTP daemon as client,
cd /etc/
cp -i ntp.conf ntp.conf.dist
#sed '/^$/d;/^#/d;' ntp.conf.dist > ntp.conf
vi /etc/ntp.conf
server ntp.obspm.fr 
#server ntp1.dedibox.fr 
enable the daemon, then check with,
vi /etc/rc.conf
ntpd=YES
/etc/rc.d/ntpd restart
ntpq -p
 
Enable SSH at startup (already running),
cd /etc/
mv -i rc.conf rc.conf.dist
sed '/^#/d; /^$/d;' rc.conf.dist > rc.conf
vi rc.conf
sshd=YES
 
Further configure and secure the SSH daemon,
cd /etc/ssh/
#mv sshd_config sshd_config.dist #already done
vi sshd_config
#Protocol 2
#Port alternate_port_num 
AllowGroups wheel
PermitRootLogin without-password
#X11Forwarding no
note. netbsd already has ‘Protocol 2’
note. without-password means password auth for root is disabled but you can use key auth
apply,
/etc/rc.d/sshd restart
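
Added example, not part of the original guide: a POSIX sh check that reads an sshd_config the way sshd does for these two keywords and reports whether root password logins are off and only wheel may log in. The function names and the sample file are made up for the illustration; prohibit-password is the newer spelling of without-password and is accepted as well.

```sh
#!/bin/sh
# Added example, not from the original guide: audit an sshd_config file.

# Print every value given for KEYWORD in the global section, in file order.
# Keywords are case-insensitive; parsing stops at the first Match block.
# Assumes "Keyword value" lines (no "Keyword=value", no trailing comments).
sshd_values() {  # usage: sshd_values FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# Return 0 if FILE has the guide's settings, else print findings and return 1.
audit_sshd() {  # usage: audit_sshd FILE
    rc=0
    # sshd keeps the first PermitRootLogin value it reads.
    root=$(sshd_values "$1" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')
    case "$root" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin: '${root:-unset}' may allow root passwords"
           rc=1 ;;
    esac
    # AllowGroups lines accumulate, so every occurrence widens the list.
    groups=$(sshd_values "$1" AllowGroups | tr '\n' ' ')
    case "$groups" in
        "wheel ") ;;
        "") echo "AllowGroups: unset, members of any group may log in"; rc=1 ;;
        *)  echo "AllowGroups: more than wheel is allowed: $groups"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample with the settings from this section; sshd ignores the
# last line because PermitRootLogin was already set above it.
sample_sshd_config() {
    cat <<'EOF'
#Protocol 2
AllowGroups wheel
PermitRootLogin without-password
permitrootlogin yes
EOF
}

# Run on a real file when a path is given: sh audit.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then audit_sshd "$1"; fi
```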
 
Optionally deploy your RSA or DSA key for SSH2,
cd ~/
mkdir -p .ssh/
cd .ssh/
vi authorized_keys
(paste the one-liner public key)
Note. authorized_keys2 is deprecated since OpenSSH version 3. If you already have one, simply,
ln -s authorized_keys2 authorized_keys
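
Added example, not part of the original guide: the same key deployment as a function that rejects anything that is not a one-line public key, avoids duplicate entries and sets .ssh/ to 700 and authorized_keys to 600. sshd's StrictModes refuses keys when these paths are writable by group or others; the function name and the list of accepted key types are assumptions.

```sh
#!/bin/sh
# Added example, not from the original guide: install a public key with
# permissions that sshd's StrictModes check accepts.

# Append KEY to HOME_DIR/.ssh/authorized_keys unless it is already there.
# The accepted key types are an assumption; extend the pattern as needed.
install_pubkey() {  # usage: install_pubkey HOME_DIR 'type base64 [comment]'
    home=$1
    key=$2
    # Accept exactly one "type base64 [comment]" line, so a private key or
    # a paste wrapped over several lines is rejected.
    if [ $(printf '%s\n' "$key" | wc -l) -ne 1 ] ||
       ! printf '%s\n' "$key" | grep -Eq \
         '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+) [A-Za-z0-9+/]+=*( .*)?$'
    then
        echo "install_pubkey: not a one-line public key" >&2
        return 2
    fi
    (
        umask 077
        mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || exit 1
        touch "$home/.ssh/authorized_keys" || exit 1
        chmod 600 "$home/.ssh/authorized_keys" || exit 1
        # Append only when this exact line is not present yet.
        grep -qxF -e "$key" "$home/.ssh/authorized_keys" ||
            printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    )
}

# Typical use: install_pubkey "$HOME" "$(cat id_rsa.pub)"
```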
 
Configure the network,
cd /etc/
ifconfig -a
#echo "dhcp" > ifconfig.interface 
echo "inet ip_address netmask netmask up" > ifconfig.interface 
echo "gateway" > mygate
#echo host > myname # already done
 
#search example.local
cat > resolv.conf <<EOF9
domain example.local
nameserver DNS1 
nameserver DNS2 
EOF9
 
mv hosts hosts.dist
cat >> hosts <<EOF9
::1 localhost localhost.
127.0.0.1 localhost localhost.
ip_address  host  host.example.local 
gateway    gw  gw.example.local 
EOF9
apply and check the fully qualified hostname,
rc.d/network restart
hostname
 
Optionally define a smarthost for outgoing SMTP,
cd /etc/postfix/
vi main.cf
# non resolvable domain on the public network, only if you are using an internal smtp
#myorigin = host.example.local
# resolvable domain on the public network
myorigin = host.example.net
relayhost = smtp.bbox.fr
grep -E '^(myorigin|relayhost)' main.cf
/etc/rc.d/postfix restart
 
Make it so that new (possibly FTP) users get an empty home directory (the admin user created earlier already got the skeleton files),
cd /etc/
mv skel/ skel.dist/
mkdir skel/
Note. NetBSD DOES complain if /etc/skel/ does not exist, so creating the empty directory is mandatory.
 
Configure the system-wide environment e.g.,
cd /etc/
cp profile profile.dist
vi profile
#export PKG_PATH=ftp://ftp.fr.netbsd.org/pub/pkgsrc/packages/NetBSD/$(uname -m)/`uname -r`/All
export PKG_PATH=http://ftp.fr.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/7.0_2016Q1/All
export PASSIVE_FTP=yes
export CVSROOT=user@cvs.example.net:/cvsroot/
export CVS_RSH=ssh
cp shrc shrc.dist
vi shrc
#ll(){ ls -l ${1+"$@"}; }
 
case "$-" in *i*)
if /bin/test -z "${HOST}"; then
HOST="$(hostname)"
fi
#PS1="${HOST%%.*}$PS1"
(( `id -u` == 0 )) && \
PS1="${HOST%%.*}# " || \
PS1="${HOST%%.*}> "
 
set -o emacs
# This file is used by shells that might not support
# set -o tabcomplete, so check before trying to use it.
( set -o tabcomplete 2>/dev/null ) && set -o tabcomplete
 
alias ll='ls -alhF'
alias cp='cp -i'
alias mv='mv -i'
alias rm='rm -i'
alias reboot='shutdown -r now'
[[ -x `whence vim 2>/dev/null` ]] && alias vi='vim'
[[ -x `whence pwgen 2>/dev/null` ]] && alias pwgen='pwgen -AnyB'
bind -m '^L'='clear^M'
;;
esac
apply,
. ./profile
. ./shrc
 
Note. The use of ‘export ENV=...’ seems to be mandatory to get the configurations to work in GNU Screen windows without forcing a login shell (with shell=-/bin/ksh).
 
Add a few packages,
echo $PKG_PATH
pkg_add \
lftp \
lynx \
mc \
pine \
pwgen \
screen \
vim \
wget
and optionally a few more,
pkg_add e2fsprogs
 
Enable the daily package security audit,
#ls -l /usr/pkg/etc/audit-packages.conf
#echo 'VUL_SOURCE="ftp://ftp.fr.netbsd.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities"' > /usr/pkg/etc/audit-packages.conf
pkg_admin fetch-pkg-vulnerabilities
pkg_admin audit
echo "fetch_pkg_vulnerabilities=YES" >> /etc/daily.conf
Refs.
http://www.netbsd.org/support/security/
https://www.netbsd.org/docs/pkgsrc/using.html#vulnerabilities
 
For convenience you may also simplify the system logs’ configuration,
cd /etc/
mv syslog.conf syslog.conf.dist
printf '*.*\t-/var/log/messages\n' > syslog.conf
cd /var/log/
chmod o-r messages
note. yes, a tab (not a space) is mandatory; printf is used so that \t becomes a real tab whatever the shell.
apply,
/etc/rc.d/syslogd restart
ls -l /var/log/messages
tail /var/log/messages
 
Configure GNU Screen,
cd /etc/
mkdir -p /usr/pkg/etc/
cd /usr/pkg/etc/
wget http://pbraun.nethence.com/configs/misc/screenrc
ln -s /usr/pkg/etc/screenrc /etc/screenrc
then user specifics,
cd ~/
wget http://pbraun.nethence.com/configs/misc/.screenrc
and launch,
cd ~/
screen
 
Fixing root's crontab,
crontab -e
change,
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/pkg/bin:/usr/pkg/sbin:/usr/local/bin:/usr/local/sbin:/root/bin
#*/10 * * * * /usr/libexec/atrun
0 0 * * * /usr/bin/newsyslog
add,
0 1 * * * /usr/libexec/locate.updatedb
and uncomment,
30 5 1 * * /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | sendmail -t
 
Optionally add some disk health monitoring using smartctl, see http://pbraun.nethence.com/unix/sysutils/smart.html
 
Optionally use sysmon to monitor the network, see http://pbraun.nethence.com/unix/net/sysmon.html
 
Updating or upgrading the system
Moved to http://pbraun.nethence.com/unix/sysutils_bsd/netbsd-update.html
 
Dealing with WIP (work in progress) packages
Fetch the latest snapshot (http://pkgsrc-wip.sourceforge.net/snapshots/),
cd /usr/pkgsrc/
wget "http://pkgsrc-wip.sourceforge.net/snapshots/pkgsrc-wip-20130803-snapshot.tar.gz"
tar xzf pkgsrc-wip-20130803-snapshot.tar.gz
 
Try to build one package,
cd net/samba/
make
then install it,
make install
 
A few days later if you need to update your repo by CVS (assuming KSH),
cd wip/
[[ ! -f ~/.cvspass ]] && touch ~/.cvspass
cvs -z9 up -dP
 
Ref. The pkgsrc-wip project (http://pkgsrc-wip.sourceforge.net/)
 
Miscellaneous
pkgin
Setting up pkgin,
#/usr/bootstrap.sh binpkg
#uname -r
#vi /usr/pkg/etc/pkgin/repositories.conf (uncomment the ftp line or choose a mirror)
 
Framebuffer style
Tweak the new bootloader to get VESA, add this line at the top,
vi /boot.cfg
menu=Boot NetBSD:vesa 1280x800;boot netbsd
Ref. Heads up: x86 framebuffer console changes: http://blog.netbsd.org/tnf/entry/heads_up_x86_framebuffer_console
 
Setting up X11 (Xorg)
NetBSD is now shipped with Xorg. There is no -configure step anymore, the only thing to do is to configure the keyboard,
cd /etc/X11/
vi xorg.conf
Section "InputDevice"
Identifier "Keyboard0"
Driver "kbd"
Option "XkbRules" "xorg"
Option "XkbModel" "pc105"
Option "XkbLayout" "fr"
Option "XkbOptions" "ctrl:nocaps"
EndSection
Ref. 9.4. The keyboard: http://www.netbsd.org/docs/guide/en/chap-x.html#chap-x-keyboard
 
Power off
Shut down the system and power off,
shutdown -p now
 
GRUB
Install and configure GRUB,
pkg_add -v grub
grub-install --no-floppy /dev/sd0d
vi /grub/menu.lst
like,
title NetBSD
root (hd0,0,a) # NetBSD on 1st MBR partition of 1st IDE disk
chainloader +1
 
title NetBSD_multiboot
root (hd0,0,a) # NetBSD on 1st MBR partition of 1st IDE disk
kernel /netbsd
Note. with grub-install, there's no need to proceed manually,
#grub --no-floppy
#root (hd0,a)
#setup (hd0)
 
Ref. http://grub.enbug.org/NetBSD
 
Note. You can also proceed manually at the grub prompt, by chainloading the NetBSD bootloader,
grub> rootnoverify (hd0,0)
grub> chainloader +1
grub> boot
or by booting the kernel directly:
grub> root (hd0,0,a)
grub> kernel /netbsd
grub> boot
Ref. http://mail-index.netbsd.org/netbsd-help/2005/04/12/0004.html (changed hd0,0 and w/o --type)
 
Disable ACPI
boot -u
disable acpi0
for permanent change,
vi /boot.cfg
change '1' to '3',
default=3
 
Softdep
You may speed up hard disk I/O performance a bit by activating soft dependencies (safer than async),
vi /etc/fstab
like,
/dev/wd0a  /  ffs  rw,softdep  1 1
 
ATA Harddrive standby (for idling NAS or a laptop)
/sbin/atactl wd0 smart enable
/sbin/atactl wd1 smart enable
/sbin/atactl wd2 smart enable
 
/sbin/atactl wd0 setidle 602
/sbin/atactl wd1 setidle 601
/sbin/atactl wd2 setidle 600
 
/sbin/atactl wd0 setstandby 902
/sbin/atactl wd1 setstandby 901
/sbin/atactl wd2 setstandby 900
 
Cdrom
If you insert CD-ROMs very often,
mkdir /mnt/cdrom
vi /etc/fstab
like,
/dev/cd0a /mnt/cdrom cd9660 ro,noauto 0 0
 
wscons mouse
If you're not working remotely and prefer the console over X11, you may need to activate wscons mouse support and some larger screen resolution. To activate wscons' mouse,
cp /usr/share/examples/wsmoused/wsmoused.conf /etc
chmod u+w /etc/wsmoused.conf
vi /etc/wsmoused.conf
like,
device = /dev/wsmouse;
mode selection {
slowdown_x = 1;
slowdown_y = 1;
}
enable the wsmouse daemon,
vi /etc/rc.conf
like,
wsmoused=YES
and start it,
/etc/rc.d/wsmoused start
Ref. http://www.netbsd.org/docs/guide/en/chap-cons.html#chap-cons-wscons
 
80x50 virtual terminals
To get 80x50,
vi /etc/wscons.conf
uncomment,
font ibm - 8 ibm /usr/share/wscons/fonts/vt220l.808
and change those lines,
screen 1 80x50 vt100
screen 2 80x50 vt100
screen 3 80x50 vt100
note. 'vt220' won't work
note. '/etc/ttys' respawns getty on those virtual terminals
apply,
wsconscfg -d -F 1
wsconscfg -d -F 2
wsconscfg -d -F 3
/etc/rc.d/wscons restart
Note. 'ps auxw | grep getty' to check the getty processes have their TTYs
Note. to initialize the vterms manually,
#/usr/sbin/wsfontload -h 8 -e ibm -N ibm /usr/share/wscons/fonts/vt220l.808
#/usr/sbin/wsconscfg -t 80x50 -e vt100 1
#/sbin/wsconsctl -w "encoding=fr"
 
Edit master.passwd
Either,
vipw
or,
vi /etc/master.passwd
pwd_mkdb /etc/master.passwd
 
Boot loader usage
You can switch to serial console interactively,
consdev com0
 
To boot the default kernel from the boot loader prompt,
boot hd0a:netbsd
#boot /netbsd
 
Boot loader configuration
PC console,
cp /usr/mdec/boot /
fdisk -i wd0
#fdisk -B wd0
#cp boot /
installboot -v -o timeout=5 /dev/rwd0a /usr/mdec/bootxx_ffsv2
Note. the latter needs to be executed after every /boot.cfg change
Note. -o needs to be repeated
Note. to check whether you have FFSv1 or v2,
dumpfs /dev/rwd0a | head -5
 
Serial console
Note. for serial output,
cp /usr/mdec/boot /
fdisk -i wd0
fdisk -i -c /usr/mdec/mbr_com0_9600 wd0
#fdisk -B wd0
#cp boot /
installboot -v -o timeout=5 -o console=com0 /dev/rwd0a /usr/mdec/bootxx_ffsv2
Note. default -o speed is 9600
 
Configure a console on the serial port,
vi /etc/ttys
like,
console "/usr/libexec/getty std.9600" vt100 on secure
Ref. (NetBSD serial console) [http://wiki.gcu.info/doku.php?id=netbsd:serial_console]
 
Adding a storage device and relocating /var/
Initialize the MBR and make an empty DOS partition table,
fdisk -i xbd1
y
y
 
Create the first partition using the whole disk (offset: sector 63) and check,
fdisk -u -0 xbd1
fdisk xbd1
Note. empty boot menu disables it (press enter)
 
Create a disk label,
disklabel -i xbd1
P
e
4.2BSD
default (63)
$ (for all remaining)
verify, write the label and quit,
E
W
Q
 
Make an FFS file system,
newfs /dev/rxbd1e
 
Boot netbsd with single user mode (xen guest here),
cd /data/guests/xenguest/
vi xenguest
add,
extra = "-s"
note. yes not only the bootloader is '-s' and '-d' capable, but also the kernel! (since 2005-06 by manuel bouyer)
start the guest,
xm cr xenguest -c
 
Configure the new mount point,
mount -o rw /
cd /etc/
export TERM=xterm
vi fstab
add,
/dev/xbd1e /var ffs rw 1 2
 
Relocate var/,
cd /
mv var/ var.old/
mkdir var/
mount var/
cd var.old/
# -pe preserves owners, groups and modes; "." also copies dot files
pax -rw -pe . ../var/
cd /
sync
halt
#xm destroy xenguest
Note. About the postfix 'Sockets cannot be copied or extracted' errors: those sockets indeed don't seem to be generated at startup. A quick trick is just to disable postfix and optionally use another SMTP daemon.
Note. If there are other (non-postfix related) 'Sockets cannot be copied or extracted' errors, you may safely discard them, most daemons create their sockets at startup.
Ref. http://wiki-static.aydogan.net/pax
 
You can now boot the system with the new /var/ (disable extra="-s").
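
Added example, not part of the original guide: a check to run right after the pax copy and before halting, comparing mode, owner and group of every entry in var.old/ and var/. The function names are made up for the illustration; symlinks and sockets are skipped on both sides.

```sh
#!/bin/sh
# Added example, not from the original guide: check that a copied tree kept
# its owners, groups and modes.

# Print "mode uid gid path" for each entry below DIR, sorted by path.
# Symlinks and sockets are skipped: link modes are not meaningful and pax
# does not copy sockets. Assumes file names without newlines.
tree_meta() {  # usage: tree_meta DIR
    ( cd "$1" || exit 1
      find . ! -type l ! -type s -print | while IFS= read -r f; do
          printf '%s %s\n' "$(ls -ldn "$f" | awk '{ print $1, $3, $4 }')" "$f"
      done ) | sort -k 4
}

# Show entries that differ or exist on one side only; return 0 on a match.
compare_trees() {  # usage: compare_trees OLD NEW
    old=$(mktemp) && new=$(mktemp) || return 2
    tree_meta "$1" > "$old"
    tree_meta "$2" > "$new"
    diff "$old" "$new" && rc=0 || rc=1
    rm -f "$old" "$new"
    return $rc
}

# Typical use right after the pax copy: sh cmp.sh /var.old /var
if [ $# -eq 2 ]; then compare_trees "$1" "$2"; fi
```

Lines starting with < come from the old tree and lines starting with > from the new one, so a changed owner or mode shows up as a pair.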
 
References
Backup : http://pbraun.nethence.com/doc/sysutils/backup.html
(FR) Recuperation mot de passe UNIX : http://pbraun.nethence.com/doc/sysutils/regain_root_fr.html
NetBSD Documentation : http://www.netbsd.org/docs/guide/en/
NetBSD Community Blog : http://blog.onetbsd.de/
NetBSD News Beat : http://netbsd.gw.com/
FreeBSD vs NetBSD tips : http://home.nyc.rr.com/computertaijutsu/netbsd.html
 
