When the hard drives in the oldest virtualization server at $WORK died, I was virtually left without any test systems running the other BSDs and some select Linux distros. We have another virtualization server with plenty of resources, and I decided to try NetBSD/amd64 10.0-RELEASE, build a few packages, and upgrade the VM to 10.0-STABLE.

Sadly, I don’t have copies of my configuration files nor any of the scripts from my previous 9.3-STABLE VM, so why not use this opportunity to document my new adventure?


Minor installer issues.

Installing base and kernel with UEFI enabled in the guest was in the end a success. I had to take charge when partitioning the hard drive, otherwise / would get virtually nothing and swap would get the majority of the storage available. Maybe this is a bug in the installer.


Hardening OpenSSH.

This fragment was placed at the end of /etc/ssh/sshd_config.

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

Next, I wanted to ensure the RSA host keys are 4096 bits long.

In /etc/rc.d/sshd, change the line reading

rsa	0	ssh_host_rsa_key

to read

rsa	4096	ssh_host_rsa_key

Get rid of the old RSA host keys and reboot, i.e.

rm /etc/ssh/ssh_host_rsa_key*
shutdown -r now "Regenerating the RSA host keys.";exit;logout

Later I noticed ssh_keygen_flags in /etc/defaults/rc.conf. Why aren’t we asked if we want this knob set to a sensible value before sshd(8) is launched for the first time? For future use, put this in /etc/rc.conf:

ssh_keygen_flags="-b 4096"

I wonder how many years will pass before 5120 bits or even 8192 bits is the recommended key length.
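A check to run after the reboot, added here as an example and not part of the original post: it feeds the effective server configuration printed by sshd -T through the same allow-lists as the fragment above and confirms the regenerated RSA host key length with ssh-keygen -l. The function names and the constructed sample lines in the comments are my own; the paths are the NetBSD base-system ones.

```shell
#!/bin/sh
# Added check, not from the post: compare what sshd actually negotiates
# ("sshd -T" output) with the allow-lists configured above, and confirm the
# RSA host key is at least 4096 bits.

WANT_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
WANT_HOSTKEYALGS="rsa-sha2-512,rsa-sha2-256,ssh-ed25519"
WANT_KEX="sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256"
WANT_MACS="hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com"

# check_list KEYWORD ALLOWED: read "sshd -T" output on stdin and print every
# algorithm on the effective KEYWORD line that is not in ALLOWED.
# Exit status 1 if anything unexpected was found, 0 otherwise.
# Constructed input "ciphers chacha20-poly1305@openssh.com,aes128-cbc"
# prints "ciphers: aes128-cbc" and exits 1.
check_list() {
  awk -v key="$1" -v allowed="$2" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    tolower($1) == key {
      m = split($2, v, ",")
      for (i = 1; i <= m; i++)
        if (!(v[i] in ok)) { print key ": " v[i]; bad = 1 }
    }
    END { if (bad) exit 1 }'
}

# check_rsa_bits MIN: read "ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key"
# output ("4096 SHA256:... comment (RSA)") on stdin; exit 1 if shorter than MIN.
check_rsa_bits() {
  awk -v min="$1" '
    $NF == "(RSA)" && $1 + 0 < min { print "RSA host key is only " $1 " bits"; bad = 1 }
    END { if (bad) exit 1 }'
}

# audit_sshd: run the real commands on the NetBSD host (root is needed to
# read the host key). Prints every finding; exit status 1 if there were any.
audit_sshd() {
  eff=$(/usr/sbin/sshd -T) || return 1
  rc=0
  echo "$eff" | check_list ciphers           "$WANT_CIPHERS"     || rc=1
  echo "$eff" | check_list hostkeyalgorithms "$WANT_HOSTKEYALGS" || rc=1
  echo "$eff" | check_list kexalgorithms     "$WANT_KEX"         || rc=1
  echo "$eff" | check_list macs              "$WANT_MACS"        || rc=1
  /usr/bin/ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | check_rsa_bits 4096 || rc=1
  return $rc
}

# Run the live audit only when asked, so the helpers can be sourced elsewhere.
if [ "${1:-}" = "run" ]; then audit_sshd; fi
```

Invoke it as "sh audit-sshd.sh run" on the VM; a silent run with exit status 0 means the effective configuration matches the fragment and the host key is long enough.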


Extending the initial message in /etc/gettytab.

/etc/gettytab is amended as shown in the comparison below.

Before:

default:\
	:ce:ck:np:im=\r\n%s/%m (%h) (%t)\r\n\r\n:

After:

default:\
	:ce:ck:np:im=\r\n%s/%m %r (%h) (%t)\r\n%v\r\n%d\r\n\r\n:

Getting the source and the pkgsrc trees.

cd /usr
mkdir obj src pkgsrc
export CVSROOT="anoncvs@anoncvs.NetBSD.org:/cvsroot"
export CVS_RSH="ssh"
cvs -q -z2 checkout -r netbsd-10 -P src
cvs -q -z2 checkout -P pkgsrc

The following four lines are cvs(1) option defaults and belong in ~/.cvsrc, not in the shell:

update  -dP
rdiff   -u
diff    -u
cvs     -q

Place working directories for pkgsrc within /var/spool/workdirs.

mkdir -p /var/spool/workdirs

Okay, I threw in some other useful settings.

# See mk.conf(5) and /usr/pkgsrc/mk/bsd.prefs.mk.

MAKE_JOBS!=/sbin/sysctl -n hw.ncpu
WRKOBJDIR=/var/spool/workdirs

EMACS_TYPE=emacs29nox

# EOF

Building a few packages.

mkdir -p /usr/pkg/pkgdb
/usr/sbin/pkg_admin -K /usr/pkg/pkgdb fetch-pkg-vulnerabilities

With the vulnerability list in place, pkgsrc checks each package against it during the builds below and refuses to build one with known vulnerabilities; pkg_admin audit performs the same comparison for packages that are already installed.

cd /usr/pkgsrc/shells/bash
make package && make install

cd /usr/pkgsrc/sysutils/mc
make package && make install

cd /usr/pkgsrc/sysutils/htop
make package && make install

cd /usr/pkgsrc/misc/screen
make package && make install

cd /usr/pkgsrc/net/iperf3
make package && make install

cd /usr/pkgsrc/security/ssh-audit
make package && make install

cd /usr/pkgsrc/editors/emacs29-nox
make package && make install

cd /usr/pkgsrc/sysutils/xe-guest-utilities
make package && make install

I hit one snag while building Midnight Commander on 2024-04-15. This test system is IPv6 only, and ninja 1.12.0 was too new, only 4 days young, to appear in https://ftp.netbsd.org/pub/pkgsrc/distfiles/. I resorted to downloading the archive on a system with both IPv4 and IPv6 and transferring the archive to the test system, i.e.

fetch -o ninja-1.12.0.tar.gz https://github.com/ninja-build/ninja/archive/refs/tags/v1.12.0.tar.gz

Configuration files for BASH.

The first file is the login start-up file (~/.bash_profile or ~/.profile), which hands over to ~/.bashrc; the second is ~/.bashrc itself.

if [ -r ~/.bashrc ]; then
  source ~/.bashrc
fi

alias x=logout

# EOF

alias eza='/usr/pkg/bin/eza -as Name --icons'
alias ezall='/usr/pkg/bin/eza -HSabghils Name --icons --time-style long-iso'
alias ll='/bin/ls -al'
alias reattach='screen -rx || screen'
alias x=exit

export PATH=/usr/bin:/usr/sbin:/bin:/sbin:/usr/pkg/bin:/usr/pkg/sbin:/usr/local/bin:/usr/local/sbin
export LANG=nb_NO.UTF-8
export LESS=-SX#1
export PAGER=less

PS1='\u@\h:\w>'

if [ -n "${STY}" ]; then
  unset SSH_AUTH_INFO_0
  unset SSH_CLIENT
  unset SSH_CONNECTION
  unset SSH_TTY

  PS1="[screen]${PS1}"
fi

# EOF

For the user root, I ensured the environment variable LANG is set to C.UTF-8 in the myriad of shell configuration files, so that the terminal displays UTF-8 correctly. Take your pick depending on the shell: the first form for sh(1) and bash, the second for csh(1).

export LANG=C.UTF-8

setenv LANG C.UTF-8

Configuration file for htop.

# Beware! This file is rewritten by htop when settings are changed in the interface.
# The parser is also very primitive, and not human-friendly.
htop_version=3.3.0
config_reader_min_version=3
fields=0 48 17 18 38 39 2 46 47 49 1
hide_kernel_threads=0
hide_userland_threads=0
hide_running_in_container=0
shadow_other_users=0
show_thread_names=1
show_program_path=1
highlight_base_name=1
highlight_deleted_exe=1
shadow_distribution_path_prefix=0
highlight_megabytes=1
highlight_threads=1
highlight_changes=0
highlight_changes_delay_secs=5
find_comm_in_cmdline=1
strip_exe_from_cmdline=1
show_merged_command=0
header_margin=0
screen_tabs=1
detailed_cpu_time=1
cpu_count_from_one=0
show_cpu_usage=1
show_cpu_frequency=1
update_process_names=1
account_guest_in_cpu_meter=1
color_scheme=5
enable_mouse=0
delay=5
hide_function_bar=0
header_layout=two_50_50
column_meters_0=CPU AllCPUs8 Memory Swap
column_meter_modes_0=1 1 1 1
column_meters_1=System Hostname DateTime Uptime Tasks LoadAverage DiskIO NetworkIO FileDescriptors
column_meter_modes_1=2 2 2 2 2 2 2 2 2
tree_view=1
sort_key=46
tree_sort_key=0
sort_direction=-1
tree_sort_direction=1
tree_view_always_by_pid=0
all_branches_collapsed=0
screen:Main=PID USER PRIORITY NICE M_VIRT M_RESIDENT STATE PERCENT_CPU PERCENT_MEM TIME Command
.sort_key=PERCENT_CPU
.tree_sort_key=PID
.tree_view_always_by_pid=0
.tree_view=1
.sort_direction=-1
.tree_sort_direction=1
.all_branches_collapsed=0
screen:Process Tree=Command
.sort_key=PID
.tree_sort_key=PID
.tree_view_always_by_pid=0
.tree_view=1
.sort_direction=1
.tree_sort_direction=1
.all_branches_collapsed=0

Configuration file for GNU Screen.

startup_message off

hardstatus alwayslastline
hardstatus string '%{gk}[%{wk}%?%-Lw%?%{=b kR}(%{W}%n*%f %t%?(%u)%?%{=b kR})%{= w}%?%+Lw%?%? %{g}][%{d} %l %{g}][ %{= w}%Y-%m-%dT%0c%{g} ]%{W}'

screen -t "Term 1" 1
screen -t "Term 2" 2
screen -t "Term 3" 3
screen -t "Term 4" 4
screen -t "Term 5" 5
screen -t "Term 6" 6
screen -t "Term 7" 7
screen -t "Term 8" 8
screen -t "Term 9" 9

select 1

# EOF

Building world and kernel.

#!/bin/sh

TIMESTAMP="`date +%Y%m%d-%H%M%S`"

SRCDIR="/usr/src"
OBJDIR="/usr/obj"

BUILDLOGDIR="/var/log/buildlog/src"

UPDATELOGFILE="cvs-update-${TIMESTAMP}.txt"
UPDATECMD="cvs -q -z2 update -Pd"

BUILDLOGFILE="mkbwbk-netbsd-${TIMESTAMP}.txt"
BUILDCMD="${SRCDIR}/build.sh -N 2 -j `/sbin/sysctl -n hw.ncpu` -u obj tools distribution kernel=GENERIC modules"

Mkdir()
{
  if [ "${#}" -ne 1 ]; then
    return 1
  fi

  if [ ! -d "${1}" ]; then
    mkdir -p ${1}

    if [ ! -d "${1}" ]; then
      echo "${0}: cannot create directory ${1}, exiting." > /dev/stderr
      exit 73 # EX_CANTCREAT, see sysexits(3).
    fi
  fi
}

echo "${0}: verifying the presence of vital output directories ..."
Mkdir ${OBJDIR}      || exit
Mkdir ${BUILDLOGDIR} || exit

echo "${0}: verifying the presence of the source tree ..."
cd "${SRCDIR}" || exit
if [ ! -r Makefile ]; then
  echo "${0}: did you run \"cvs checkout\" prior to running this script? I cannot find Makefile." > /dev/stderr
  exit 72 # EX_OSFILE, see sysexits(3).
fi

echo "${0}: updating the source tree `pwd` ..."
script -c "${UPDATECMD}" "${BUILDLOGDIR}/${UPDATELOGFILE}" || exit

echo "${0}: doing the actual build ..."
script -c "${BUILDCMD}" "${BUILDLOGDIR}/${BUILDLOGFILE}"

# EOF

Installing the new kernel.

Assuming the new kernel was successfully built, let’s create a copy of the running kernel, copy the new kernel in place, and reboot.

#!/bin/sh

cp -p /netbsd /netbsd.old
cp -p /usr/obj/sys/arch/amd64/compile/GENERIC/netbsd /.

# EOF

Then run the script and reboot, i.e.

/root/bin/install-kernel.sh
shutdown -r now "Upgrading the kernel to the latest version.";exit;logout

Installing the new world.

Assuming the new world was successfully built, let’s install the new world, merge system configuration files, and reboot.

#!/bin/sh

TIMESTAMP="`date +%Y%m%d-%H%M%S`"

SRCDIR="/usr/src"
OBJDIR="/usr/obj"

INSTALLLOGDIR="/var/log/installlog/src"

INSTALLWORLDLOGFILE="install-world-${TIMESTAMP}.txt"
INSTALLCMD="./build.sh install=/ installmodules=/"

cd "${OBJDIR}" || exit

if [ ! -x "${OBJDIR}/bin/sh/sh" ]; then
  echo "${0}: did you run \"mkbwbk-netbsd.sh\" prior to running this script? I cannot find the standard shell." > /dev/stderr
  exit 72 # EX_OSFILE, see sysexits(3).
fi

cd "${SRCDIR}" || exit

if [ ! -r Makefile ]; then
  echo "${0}: did you run \"cvs checkout\" prior to running this script? I cannot find Makefile." > /dev/stderr
  exit 72 # EX_OSFILE, see sysexits(3).
fi

Mkdir()
{
  if [ "${#}" -ne 1 ]; then
    return 1
  fi

  if [ ! -d "${1}" ]; then
    mkdir -p ${1}

    if [ ! -d "${1}" ]; then
      echo "${0}: cannot create directory ${1}, exiting." > /dev/stderr
      exit 73 # EX_CANTCREAT, see sysexits(3).
    fi
  fi
}

echo "${0}: verifying the presence of vital directories ..."
Mkdir ${INSTALLLOGDIR} || exit

echo "${0}: doing the actual install ..."
script -c "${INSTALLCMD}" "${INSTALLLOGDIR}/${INSTALLWORLDLOGFILE}" || exit

echo "${0}: merging system configuration files ..."
/usr/sbin/etcupdate -s /usr/src

# EOF

Then run the script and reboot, i.e.

/root/bin/install-world.sh
shutdown -r now "Upgrading world to the latest version.";exit;logout
