
Warning: these guides are mostly obsolete; please have a look at the new documentation.


NetBSD post-installation and configuration
Proceed with a NetBSD PXE install server, memstick or any other install media. At the configuration step, optionally change the root shell,
but that's all; we are going to configure everything by hand.
Note. If you get this error message during installation (at installboot, right after the newfs stage),
Installboot Old BPB is too big
==> get out of sysinst, erase the start of the disk (1MB is enough) and restart,
dd if=/dev/zero of=/dev/rwd0d bs=1024k count=1
After a quick and dirty installation with no configuration whatsoever, get a DHCP lease to proceed remotely,
hostname host 
echo host > /etc/myname
/etc/rc.d/sshd onestart
dhclient bge0 
Note. We start sshd to generate the key pairs BEFORE we start dhclient: we don't want the DHCP server to give us another hostname, which would show up in the SSH keys.
Create a user in the wheel group to access the SSH service (PermitRootLogin no),
useradd -D -s /bin/ksh
useradd -m -g users -G wheel adminuser 
passwd adminuser 
passwd root
Note. -g users is the default anyway on NetBSD, so it's not required here, but it does no harm.
You can now login remotely and switch to root,
su -
Check you've got the right shell e.g. KSH,
#chpass -s /bin/ksh
Check the timezone,
cd /etc/
ll localtime
ln -sf ../usr/share/zoneinfo/Europe/Paris localtime
ll localtime
and fix the date (I think NetBSD also handles the hw clock directly),
ntpdate -b -u 
Note. -b forces the clock to be stepped with settimeofday instead of slewed with adjtime, so the change is radical and immediate. See -b and -B in the manual.
Enable the NTP daemon as client,
cd /etc/
cp -i ntp.conf ntp.conf.dist
#sed '/^$/d;/^#/d;' ntp.conf.dist > ntp.conf
vi /etc/ntp.conf
enable the daemon, then check with,
vi /etc/rc.conf
/etc/rc.d/ntpd restart
ntpq -p
Enable SSH at startup (already running),
cd /etc/
mv -i rc.conf rc.conf.dist
sed '/^#/d; /^$/d;' rc.conf.dist > rc.conf
vi rc.conf
Further configure and secure the SSH daemon,
cd /etc/ssh/
#mv sshd_config sshd_config.dist #already done
vi sshd_config
#Protocol 2
#Port alternate_port_num 
AllowGroups wheel
PermitRootLogin without-password
#X11Forwarding no
note. netbsd already has ‘Protocol 2’
note. without-password means password auth for root is disabled but you can use key auth
/etc/rc.d/sshd restart
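One way to check the result of the sshd_config edits above, as an added example that is not part of the original page: it audits the global section of a config file for the page's AllowGroups, PermitRootLogin and Protocol settings. The function names and the sample input are constructed, and Match blocks are deliberately not evaluated.

```sh
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.
# Audits the global section of an sshd_config against this page's settings.

# Print every value of keyword $2 in file $1, skipping comments and stopping
# at the first Match block (conditional sections are not audited here).
sshd_values() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Print one finding per check; exit status is the number of failed checks.
audit_sshd_config() {
    cfg=$1 fails=0
    # Single-valued keywords: sshd keeps the first value it reads.
    root=$(sshd_values "$cfg" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')
    case $root in
        no|without-password|prohibit-password|forced-commands-only)
            echo "ok   PermitRootLogin $root" ;;
        '') echo "FAIL PermitRootLogin unset, build default applies"
            fails=$((fails + 1)) ;;
        *)  echo "FAIL PermitRootLogin $root permits root password login"
            fails=$((fails + 1)) ;;
    esac
    # AllowGroups lines accumulate, so join all of them.
    grps=$(sshd_values "$cfg" AllowGroups | tr '\n' ' ')
    case " $grps" in
        *" wheel "*) echo "ok   AllowGroups $grps" ;;
        *)  echo "FAIL AllowGroups does not list wheel"
            fails=$((fails + 1)) ;;
    esac
    proto=$(sshd_values "$cfg" Protocol | head -n 1)
    case $proto in
        ''|2) echo "ok   Protocol ${proto:-default}" ;;
        *)  echo "FAIL Protocol $proto enables SSH-1"
            fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample input: the page's settings behind a stray earlier line.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'AllowGroups wheel' \
    'PermitRootLogin without-password' > "$sample"
audit_sshd_config "$sample" || echo "failed checks: $?"
rm -f "$sample"
```

On a running host, `sshd -T` prints the effective configuration, including defaults, and is the authoritative check once the file itself looks right.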
Optionally deploy your RSA or DSA key for SSH2,
cd ~/
mkdir -p .ssh/
cd .ssh/
vi authorized_keys
(paste the one-liner public key)
Note. authorized_keys2 is deprecated since OpenSSH version 3. If you already got one, simply,
ln -s authorized_keys2 authorized_keys
Configure the network,
cd /etc/
ifconfig -a
#echo "dhcp" > ifconfig.interface 
echo "inet ip_address netmask netmask up" > ifconfig.interface 
echo "gateway" > mygate
#echo host > myname # already done
#search example.local
cat > resolv.conf <<EOF9
domain example.local
nameserver DNS1 
nameserver DNS2 
EOF9
mv hosts hosts.dist
cat >> hosts <<EOF9
::1 localhost localhost. localhost localhost.
ip_address  host  host.example.local 
gateway    gw  gw.example.local 
EOF9
apply and check the fully qualified hostname,
rc.d/network restart
Optionally define a smarthost for outgoing SMTP,
cd /etc/postfix/
#myorigin = host.example.local (non resolvable domain on the public network only if you are using an internal smtp) 
myorigin = (resolvable domain on the public network) 
relayhost = 
grep ^myorigin
relayhost =
/etc/rc.d/postfix restart
Make it so that new (possibly FTP) users have an empty homedir (admin user got them),
cd /etc/
mv skel/ skel.dist/
mkdir skel/
Note. NetBSD DOES complain if /etc/skel/ does not exist, so it's mandatory.
Configure the system-wide environment e.g.,
cd /etc/
cp profile profile.dist
vi profile
#export PKG_PATH=$(uname -m)/`uname -r`/All
export PKG_PATH=
export PASSIVE_FTP=yes
export CVS_RSH=ssh
cp shrc shrc.dist
vi shrc
#ll(){ ls -l ${1+"$@"}; }
case "$-" in *i*)
if /bin/test -z "${HOST}"; then
HOST=$(hostname)
fi
(( `id -u` == 0 )) && \
PS1="${HOST%%.*}# " || \
PS1="${HOST%%.*}> "
set -o emacs
# This file is used by shells that might not support
# set -o tabcomplete, so check before trying to use it.
( set -o tabcomplete 2>/dev/null ) && set -o tabcomplete
alias ll='ls -alhF'
alias cp='cp -i'
alias mv='mv -i'
alias rm='rm -i'
alias reboot='shutdown -r now'
[[ -x `whence vim 2>/dev/null` ]] && alias vi='vim'
[[ -x `whence pwgen 2>/dev/null` ]] && alias pwgen='pwgen -AnyB'
bind -m '^L'='clear^M'
;;
esac
. ./profile
. ./shrc
Note. The use of ‘export ENV=...’ seems to be mandatory to get the configurations to work in GNU Screen windows without forcing a login shell (with shell=-/bin/ksh).
Add a few packages,
echo $PKG_PATH
pkg_add \
lftp \
lynx \
mc \
pine \
pwgen \
screen \
vim
and optionally a few more,
pkg_add e2fsprogs
Enable package security daily audit,
#ls -l /usr/pkg/etc/audit-packages.conf
#echo 'VUL_SOURCE=""' > /usr/pkg/etc/audit-packages.conf
pkg_admin fetch-pkg-vulnerabilities
pkg_admin audit
echo "fetch_pkg_vulnerabilities=YES" >> /etc/daily.conf
For convenience you may also simplify the system logs’ configuration,
cd /etc/
mv syslog.conf syslog.conf.dist
echo "*.*\t-/var/log/messages" > syslog.conf
cd /var/log/
chmod o-r messages
note. yes a tab-not-a-space is mandatory.
/etc/rc.d/syslogd restart
ls -l /var/log/messages
tail /var/log/messages
Configure GNU Screen,
cd /etc/
mkdir -p /usr/pkg/etc/
cd /usr/pkg/etc/
ln -s /usr/pkg/etc/screenrc /etc/screenrc
then user specifics,
cd ~/
and launch,
cd ~/
Fixing root's crontab,
crontab -e
#*/10 * * * * /usr/libexec/atrun
0 0 * * * /usr/bin/newsyslog
0 1 * * * /usr/libexec/locate.updatedb
and uncomment,
30 5 1 * * /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | sendmail -t
Optionally add some disk health monitoring using smartctl, see
Optionally use sysmon to monitor the network, see
Updating or upgrading the system
Moved to
Dealing with WIP (work in progress) packages
Fetch the latest snapshot (,
cd /usr/pkgsrc/
wget ""
tar xzf pkgsrc-wip-20130803-snapshot.tar.gz
Try to build one package,
cd net/samba/
then install it,
make install
A few days later if you need to update your repo by CVS (assuming KSH),
cd wip/
[[ ! -f ~/.cvspass ]] && touch ~/.cvspass
cvs -z9 up -dP
Ref. The pkgsrc-wip project (
Setting up pkgin,
#/usr/ binpkg
#uname -r
#vi /usr/pkg/etc/pkgin/repositories.conf (uncomment the ftp line or choose a mirror)
Framebuffer style
Tweak the new bootloader to get VESA, add this line at the top,
vi /boot.cfg
menu=Boot NetBSD:vesa 1280x800;boot netbsd
Ref. Heads up: x86 framebuffer console changes:
Setting up X11 (Xorg)
NetBSD is now shipped with Xorg. There is no -configure step anymore; the only thing to do is configure the keyboard,
cd /etc/X11/
vi xorg.conf
Section "InputDevice"
Identifier "Keyboard0"
Driver "kbd"
Option "XkbRules" "xorg"
Option "XkbModel" "pc105"
Option "XkbLayout" "fr"
Option "XkbOptions" "ctrl:nocaps"
EndSection
Ref. 9.4. The keyboard:
Power off
Shutdown the system and power off,
shutdown -p now
Install and configure GRUB,
pkg_add -v grub
grub-install --no-floppy /dev/sd0d
vi /grub/menu.lst
title NetBSD
root (hd0,0,a) # NetBSD on 1st MBR partition of 1st IDE disk
chainloader +1
title NetBSD_multiboot
root (hd0,0,a) # NetBSD on 1st MBR partition of 1st IDE disk
kernel /netbsd
Note. with grub-install, there's no need to proceed manually,
#grub --no-floppy
#root (hd0,a)
#setup (hd0)
Note. you can also proceed manually at the grub prompt. By chainloading the NetBSD bootloader,
grub> rootnoverify (hd0,0)
grub> chainloader +1
grub> boot
or by booting the kernel directly:
grub> root (hd0,0,a)
grub> kernel /netbsd
grub> boot
Ref. (changed hd0,0 and w/o --type)
Disable ACPI
boot -u
disable acpi0
for permanent change,
vi /boot.cfg
change '1' to '3',
You may speed up hard disk I/O performance a bit by activating soft dependencies (safer than async),
vi /etc/fstab
/dev/wd0a  /  ffs  rw,softdep  1 1
ATA Harddrive standby (for idling NAS or a laptop)
/sbin/atactl wd0 smart enable
/sbin/atactl wd1 smart enable
/sbin/atactl wd2 smart enable
/sbin/atactl wd0 setidle 602
/sbin/atactl wd1 setidle 601
/sbin/atactl wd2 setidle 600
/sbin/atactl wd0 setstandby 902
/sbin/atactl wd1 setstandby 901
/sbin/atactl wd2 setstandby 900
If you're inserting CDroms very often,
mkdir /mnt/cdrom
vi /etc/fstab
/dev/cd0a /mnt/cdrom cd9660 ro,noauto 0 0
wscons mouse
If you're not working remotely and prefer the console over X11, you may need to activate wscons mouse support and some larger screen resolution. To activate wscons' mouse,
cp /usr/share/examples/wsmoused/wsmoused.conf /etc
chmod u+w /etc/wsmoused.conf
vi /etc/wsmoused.conf
device = /dev/wsmouse;
mode selection {
slowdown_x = 1;
slowdown_y = 1;
}
enable the wsmouse daemon,
vi /etc/rc.conf
and start it,
/etc/rc.d/wsmoused start
80x50 virtual terminals
To get 80x50,
vi /etc/wscons.conf
font ibm - 8 ibm /usr/share/wscons/fonts/vt220l.808
and change those lines,
screen 1 80x50 vt100
screen 2 80x50 vt100
screen 3 80x50 vt100
note. 'vt220' won't work
note. '/etc/ttys' respawns getty on those virtual terminals
wsconscfg -d -F 1
wsconscfg -d -F 2
wsconscfg -d -F 3
/etc/rc.d/wscons restart
Note. 'ps auxw | grep getty' to check the getty processes have their TTYs
Note. to initialize the vterms manually,
#/usr/sbin/wsfontload -h 8 -e ibm -N ibm /usr/share/wscons/fonts/vt220l.808
#/usr/sbin/wsconscfg -t 80x50 -e vt100 1
#/sbin/wsconsctl -w "encoding=fr"
Edit master.passwd
vi /etc/master.passwd
pwd_mkdb /etc/master.passwd
Boot loader usage
You can switch to serial console interactively,
consdev com0
To boot the default kernel from the boot loader prompt,
boot hd0a:netbsd
#boot /netbsd
Boot loader configuration
PC console,
cp /usr/mdec/boot /
fdisk -i wd0
#fdisk -B wd0
#cp boot /
installboot -v -o timeout=5 /dev/rwd0a /usr/mdec/bootxx_ffsv2
Note. the latter needs to be executed after every /boot.cfg change
Note. -o needs to be repeated
Note. to check whether you have FFSv1 or v2,
dumpfs /dev/rwd0a | head -5
Serial console
Note. for serial output,
cp /usr/mdec/boot /
fdisk -i wd0
fdisk -i -c /usr/mdec/mbr_com0_9600 wd0
#fdisk -B wd0
#cp boot /
installboot -v -o timeout=5 -o console=com0 /dev/rwd0a /usr/mdec/bootxx_ffsv2
Note. default -o speed is 9600
Configure a console on the serial port,
vi /etc/ttys
console "/usr/libexec/getty std.9600" vt100 on secure
Ref. (NetBSD serial console) []
Adding a storage device and relocating /var/
Initialize the MBR and make an empty DOS partition table,
fdisk -i xbd1
Create the first partition using the whole disk (offset: sector 63) and check,
fdisk -u -0 xbd1
fdisk xbd1
Note. empty boot menu disables it (press enter)
Create a disk label,
disklabel -i xbd1
default (63)
$ (for all remaining)
verify, write the label and quit,
Make an FFS file system,
newfs /dev/rxbd1e
Boot netbsd with single user mode (xen guest here),
cd /data/guests/xenguest/
vi xenguest,
extra = "-s"
note. yes not only the bootloader is '-s' and '-d' capable, but also the kernel! (since 2005-06 by manuel bouyer)
start the guest,
xm cr xenguest -c
Configure the new mount point,
mount -o rw /
cd /etc/
export TERM=xterm
vi fstab
/dev/xbd1e /var ffs rw 1 2
Relocate var/,
cd /
mv var/ var.old/
mkdir var/
mount var/
cd var.old/
pax -rw -pe * ../var/
cd /
#xm destroy xenguest
Note. Regarding the postfix 'Sockets cannot be copied or extracted' errors: those sockets indeed don't seem to be recreated at startup. A quick trick is to disable postfix and optionally use another SMTP daemon.
Note. If there are other (non-postfix related) 'Sockets cannot be copied or extracted' errors, you may safely discard them; most daemons create their sockets at startup.
You can now boot the system with the new /var/ (disable extra="-s").
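A check worth running before var.old is removed, given here as an added example that is not part of the original page: it compares mode, owner and group for every entry of the old and new trees, since daemons such as postfix rely on the ownership of their directories under /var. The function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.
# Compares owner, group and mode between two trees, e.g. /var.old and /var.

# Print "path mode uid gid" for every entry under directory $1, sorted by path.
tree_meta() {
    ( set -f                      # no globbing when ls output is word-split
      cd "$1" || exit 1
      find . -print | sort | while IFS= read -r p; do
          set -- $(ls -ldn "$p")  # fields: mode links uid gid ...
          printf '%s %s %s %s\n' "$p" "$1" "$3" "$4"
      done )
}

# Print the entries that differ or exist on one side only.
# Returns 0 when both trees carry identical metadata, 1 otherwise.
compare_trees() {
    old_list=$(mktemp) new_list=$(mktemp)
    tree_meta "$1" > "$old_list"
    tree_meta "$2" > "$new_list"
    diff "$old_list" "$new_list" && rc=0 || rc=1
    rm -f "$old_list" "$new_list"
    return "$rc"
}

# Usage: sh compare_trees.sh /var.old /var
if [ $# -eq 2 ]; then
    compare_trees "$1" "$2" || echo "metadata differs, do not remove $1 yet"
fi
```

Sockets skipped by pax show up as entries present only in the old tree, which matches the notes above.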