Adventures in NetBSD/amd64 10.0
When the hard drives in the oldest virtualization server at $WORK died, I was virtually left without any test systems running the other BSDs and some select Linux distros. We have another virtualization server with plenty of resources, and I decided to try NetBSD/amd64 10.0-RELEASE, build a few packages, and upgrade the VM to 10.0-STABLE.
Sadly, I don't have copies of my configuration files or any of the scripts from my previous 9.3-STABLE VM, so why not use this opportunity to document my new adventure?
Minor installer issues.
Installing base and kernel with UEFI enabled in the guest was in the end a success. I had to take charge when partitioning the hard drive, otherwise / would get virtually nothing and swap would get the majority of the storage available. Maybe this is a bug in the installer.
Hardening OpenSSH.
This fragment was placed at the end of /etc/ssh/sshd_config.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
RequiredRSASize 4096
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
Next, I wanted to ensure the RSA host keys are 4096 bits long.
In /etc/rc.d/sshd, change the line reading
rsa 0 ssh_host_rsa_key
to read
rsa 4096 ssh_host_rsa_key
Get rid of the old RSA host keys and reboot, i.e.
rm /etc/ssh/ssh_host_rsa_key*
shutdown -r now "Regenerating the RSA host keys.";exit;logout
Later I noticed ssh_keygen_flags in /etc/defaults/rc.conf. Why aren’t we asked if we want this knob set to a sensible value before sshd(8) is launched for the first time? For future use, put this in /etc/rc.conf:
ssh_keygen_flags="-b 4096"
I wonder how many years will pass before 5120 bits or even 8192 bits is the recommended key length.
Don’t add RequiredRSASize 4096 to /etc/ssh/ssh_config, you’ll likely break CVS’ use of SSH.
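A check I add here for this OpenSSH section (my own example code, not from the original post and not part of NetBSD or OpenSSH): sshd_config(5) uses the first value it finds for most keywords, so a fragment appended at the end of the file only takes effect if nothing above it already set Ciphers, MACs, KexAlgorithms, HostKeyAlgorithms or RequiredRSASize (HostKey is the exception: it accumulates). The script reads a config file the way sshd does and flags both shadowed keywords and weak algorithms in the effective lists. It runs against two constructed sample files built inline: one carrying only the fragment above, one where an older Ciphers and MACs line precedes it. The host_key_bits helper, for confirming the regenerated RSA host key really is 4096 bits, assumes ssh-keygen(1) is installed; everything else is POSIX sh plus awk, tr and grep.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config the way
# sshd(8) reads it. For most keywords the FIRST occurrence wins, so a
# fragment appended at the end is silently ignored if the same keyword was
# already set above it (HostKey is the exception: it accumulates).

# Constructed sample material: the hardened lines mirror the post's fragment.
HARDENED_LINES='HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
RequiredRSASize 4096
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com'

GOOD_CONFIG="$(mktemp)"; BAD_CONFIG="$(mktemp)"
trap 'rm -f "$GOOD_CONFIG" "$BAD_CONFIG"' EXIT
# Good: a commented-out default above the fragment does not count.
printf '%s\n' '# constructed sample' 'Port 22' '#Ciphers aes128-cbc' "$HARDENED_LINES" > "$GOOD_CONFIG"
# Bad: active legacy lines above the fragment shadow the hardened ones.
printf '%s\n' '# constructed sample' 'Port 22' 'Ciphers aes128-cbc,3des-cbc' 'MACs hmac-sha1' "$HARDENED_LINES" > "$BAD_CONFIG"

# effective_value FILE KEYWORD: the value sshd will use (first active match,
# keyword compared case-insensitively, comment lines skipped).
effective_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# occurrences FILE KEYWORD: how many active lines set the keyword.
occurrences() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { n++ } END { print n + 0 }' "$1"
}

# has_weak FILE KEYWORD REGEX: succeed if any algorithm in the effective
# comma-separated list matches REGEX (extended regex, one name per line).
has_weak() {
    effective_value "$1" "$2" | tr ',' '\n' | grep -Eq "$3"
}

# audit_sshd_config FILE: print findings; return 0 only when clean.
audit_sshd_config() {
    f="$1"; rc=0
    for kw in Ciphers MACs KexAlgorithms HostKeyAlgorithms RequiredRSASize; do
        n="$(occurrences "$f" "$kw")"
        if [ "$n" -gt 1 ]; then
            echo "WARN: $kw set $n times; sshd uses the first one: $(effective_value "$f" "$kw")"
            rc=1
        fi
    done
    if has_weak "$f" Ciphers '(cbc|arcfour|3des|blowfish|cast128)'; then
        echo "FAIL: a CBC or legacy cipher is in effect"; rc=1
    fi
    if has_weak "$f" MACs '(md5|sha1|umac-64|-96)'; then
        echo "FAIL: a weak MAC is in effect"; rc=1
    fi
    if has_weak "$f" KexAlgorithms 'sha1$'; then
        echo "FAIL: a SHA-1 based key exchange is in effect"; rc=1
    fi
    bits="$(effective_value "$f" RequiredRSASize)"
    if [ -z "$bits" ] || [ "$bits" -lt 4096 ]; then
        echo "FAIL: RequiredRSASize is unset or below 4096"; rc=1
    fi
    return "$rc"
}

# host_key_bits KEYFILE: bit length of a host key, e.g. after regenerating
# /etc/ssh/ssh_host_rsa_key (assumes ssh-keygen(1) is installed).
host_key_bits() {
    ssh-keygen -lf "$1" | awk '{ print $1 }'
}

audit_sshd_config "$GOOD_CONFIG" && echo "good sample: OK"
audit_sshd_config "$BAD_CONFIG" || echo "bad sample: see findings above"
```

On the live system, sshd -T prints the configuration as sshd actually resolved it and is the authoritative check; the script is for auditing files offline, for instance before copying a fragment onto several VMs.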
Extending the initial message in /etc/gettytab.
/etc/gettytab is amended as shown in the comparison below.
Before:
default:\
	:ce:ck:np:im=\r\n%s/%m (%h) (%t)\r\n\r\n:
After:
default:\
	:ce:ck:np:im=\r\n%s/%m %r (%h) (%t)\r\n%v\r\n%d\r\n\r\n:
Getting the source and the pkgsrc trees.
cd /usr
mkdir obj src pkgsrc
export CVSROOT="anoncvs@anoncvs.NetBSD.org:/cvsroot"
export CVS_RSH="ssh"
cvs -q -z2 checkout -r netbsd-10 -P src
cvs -q -z2 checkout -P pkgsrc
The following defaults go into ~/.cvsrc:
update -dP
rdiff -u
diff -u
cvs -q
Place working directories for pkgsrc within /var/spool/workdirs.
mkdir -p /var/spool/workdirs
Okay, I threw in some other useful settings as well; this is my /etc/mk.conf.
# See mk.conf(5) and /usr/pkgsrc/mk/bsd.prefs.mk.
MAKE_JOBS!=/sbin/sysctl -n hw.ncpu
WRKOBJDIR=/var/spool/workdirs
EMACS_TYPE=emacs29nox
# EOF
Building a few packages.
mkdir -p /usr/pkg/pkgdb
/usr/sbin/pkg_admin -K /usr/pkg/pkgdb fetch-pkg-vulnerabilities
cd /usr/pkgsrc/shells/bash
make package && make install
cd /usr/pkgsrc/sysutils/mc
make package && make install
cd /usr/pkgsrc/sysutils/htop
make package && make install
cd /usr/pkgsrc/misc/screen
make package && make install
cd /usr/pkgsrc/net/iperf3
make package && make install
cd /usr/pkgsrc/security/ssh-audit
make package && make install
cd /usr/pkgsrc/editors/emacs29-nox
make package && make install
cd /usr/pkgsrc/sysutils/xe-guest-utilities
make package && make install
I hit one snag while building Midnight Commander on 2024-04-15. This test system is IPv6 only, and ninja 1.12.0 was too new, only 4 days young, to appear in https://ftp.netbsd.org/pub/pkgsrc/distfiles/. I resorted to downloading the archive on a system with both IPv4 and IPv6 and transferred the archive to the test system, i.e.
fetch -o ninja-1.12.0.tar.gz https://github.com/ninja-build/ninja/archive/refs/tags/v1.12.0.tar.gz
Configuration files for BASH.
if [ -r ~/.bashrc ]; then
	source ~/.bashrc
fi
alias x=logout
# EOF
alias eza='/usr/pkg/bin/eza -as Name --icons'
alias ezall='/usr/pkg/bin/eza -HSabghils Name --icons --time-style long-iso'
alias ll='/bin/ls -al'
alias reattach='screen -rx || screen'
alias x=exit
export PATH=/usr/bin:/usr/sbin:/bin:/sbin:/usr/pkg/bin:/usr/pkg/sbin:/usr/local/bin:/usr/local/sbin
export LANG=nb_NO.UTF-8
export LESS=-SX#1
export PAGER=less
PS1='\u@\h:\w>'
if [ -n "${STY}" ]; then
	unset SSH_AUTH_INFO_0
	unset SSH_CLIENT
	unset SSH_CONNECTION
	unset SSH_TTY
	PS1="[screen]${PS1}"
fi
# EOF
For the user root, I ensured the environment variable LANG is set to C.UTF-8 in the myriad of shell configuration files, so that the terminal displays UTF-8 correctly. Take your pick.
export LANG=C.UTF-8
setenv LANG C.UTF-8
Configuration file for htop.
# Beware! This file is rewritten by htop when settings are changed in the interface.
# The parser is also very primitive, and not human-friendly.
htop_version=3.3.0
config_reader_min_version=3
fields=0 48 17 18 38 39 2 46 47 49 1
hide_kernel_threads=0
hide_userland_threads=0
hide_running_in_container=0
shadow_other_users=0
show_thread_names=1
show_program_path=1
highlight_base_name=1
highlight_deleted_exe=1
shadow_distribution_path_prefix=0
highlight_megabytes=1
highlight_threads=1
highlight_changes=0
highlight_changes_delay_secs=5
find_comm_in_cmdline=1
strip_exe_from_cmdline=1
show_merged_command=0
header_margin=0
screen_tabs=1
detailed_cpu_time=1
cpu_count_from_one=0
show_cpu_usage=1
show_cpu_frequency=1
update_process_names=1
account_guest_in_cpu_meter=1
color_scheme=5
enable_mouse=0
delay=5
hide_function_bar=0
header_layout=two_50_50
column_meters_0=CPU AllCPUs8 Memory Swap
column_meter_modes_0=1 1 1 1
column_meters_1=System Hostname DateTime Uptime Tasks LoadAverage DiskIO NetworkIO FileDescriptors
column_meter_modes_1=2 2 2 2 2 2 2 2 2
tree_view=1
sort_key=46
tree_sort_key=0
sort_direction=-1
tree_sort_direction=1
tree_view_always_by_pid=0
all_branches_collapsed=0
screen:Main=PID USER PRIORITY NICE M_VIRT M_RESIDENT STATE PERCENT_CPU PERCENT_MEM TIME Command
.sort_key=PERCENT_CPU
.tree_sort_key=PID
.tree_view_always_by_pid=0
.tree_view=1
.sort_direction=-1
.tree_sort_direction=1
.all_branches_collapsed=0
screen:Process Tree=Command
.sort_key=PID
.tree_sort_key=PID
.tree_view_always_by_pid=0
.tree_view=1
.sort_direction=1
.tree_sort_direction=1
.all_branches_collapsed=0
Configuration file for GNU Screen.
startup_message off
hardstatus alwayslastline
hardstatus string '%{gk}[%{wk}%?%-Lw%?%{=b kR}(%{W}%n*%f %t%?(%u)%?%{=b kR})%{= w}%?%+Lw%?%? %{g}][%{d} %l %{g}][ %{= w}%Y-%m-%dT%0c%{g} ]%{W}'
screen -t "Term 1" 1
screen -t "Term 2" 2
screen -t "Term 3" 3
screen -t "Term 4" 4
screen -t "Term 5" 5
screen -t "Term 6" 6
screen -t "Term 7" 7
screen -t "Term 8" 8
screen -t "Term 9" 9
select 1
# EOF
Building world and kernel.
#!/bin/sh
TIMESTAMP="`date +%Y%m%d-%H%M%S`"
SRCDIR="/usr/src"
OBJDIR="/usr/obj"
BUILDLOGDIR="/var/log/buildlog/src"
UPDATELOGFILE="cvs-update-${TIMESTAMP}.txt"
UPDATECMD="cvs -q -z2 update -Pd"
BUILDLOGFILE="mkbwbk-netbsd-${TIMESTAMP}.txt"
BUILDCMD="${SRCDIR}/build.sh -N 2 -j `/sbin/sysctl -n hw.ncpu` -u obj tools build kernel=GENERIC modules distribution sets"

# Create the directory (and its parents) if it is missing; abort the whole script if that fails.
Mkdir()
{
	if [ "${#}" -ne 1 ]; then
		return 1
	fi
	if [ ! -d "${1}" ]; then
		mkdir -p "${1}"
		if [ ! -d "${1}" ]; then
			echo "${0}: cannot create directory ${1}, exiting." 1>&2
			exit 73 # EX_CANTCREAT, see sysexits(3).
		fi
	fi
}

echo "${0}: verifying the presence of vital output directories ..."
Mkdir "${OBJDIR}" || exit
Mkdir "${BUILDLOGDIR}" || exit

echo "${0}: verifying the presence of the source tree ..."
cd "${SRCDIR}" || exit
if [ ! -r Makefile ]; then
	echo "${0}: did you run \"cvs checkout\" prior to running this script? I cannot find Makefile." 1>&2
	exit 72 # EX_OSFILE, see sysexits(3).
fi

# script(1) keeps a typescript of each step; -e makes it return the command's exit status.
echo "${0}: updating the source tree `pwd` ..."
script -efc "${UPDATECMD}" "${BUILDLOGDIR}/${UPDATELOGFILE}" || exit

echo "${0}: doing the actual build ..."
script -efc "${BUILDCMD}" "${BUILDLOGDIR}/${BUILDLOGFILE}"
# EOF
Installing the new kernel.
Assuming the new kernel was successfully built, let’s create a copy of the running kernel, copy the new kernel in place, and reboot.
#!/bin/sh
cp -p /netbsd /netbsd.old
cp -p /usr/obj/sys/arch/amd64/compile/GENERIC/netbsd /.
# EOF
/root/bin/install-kernel.sh
shutdown -r now "Upgrading the kernel to the latest version.";exit;logout
Installing the new world.
Assuming the new world was successfully built, let’s install the new world, merge system configuration files, and reboot.
#!/bin/sh
TIMESTAMP="`date +%Y%m%d-%H%M%S`"
SRCDIR="/usr/src"
OBJDIR="/usr/obj"
INSTALLLOGDIR="/var/log/installlog/src"
INSTALLWORLDLOGFILE="install-world-${TIMESTAMP}.txt"
INSTALLCMD="${SRCDIR}/build.sh install=/ installmodules=/"

# A built /bin/sh in the object tree is the cheapest sign that the build script has run.
cd "${OBJDIR}" || exit
if [ ! -x "${OBJDIR}/bin/sh/sh" ]; then
	echo "${0}: did you run \"mkbwbk-netbsd.sh\" prior to running this script? I cannot find the standard shell." 1>&2
	exit 72 # EX_OSFILE, see sysexits(3).
fi

cd "${SRCDIR}" || exit
if [ ! -r Makefile ]; then
	echo "${0}: did you run \"cvs checkout\" prior to running this script? I cannot find Makefile." 1>&2
	exit 72 # EX_OSFILE, see sysexits(3).
fi

# Create the directory (and its parents) if it is missing; abort the whole script if that fails.
Mkdir()
{
	if [ "${#}" -ne 1 ]; then
		return 1
	fi
	if [ ! -d "${1}" ]; then
		mkdir -p "${1}"
		if [ ! -d "${1}" ]; then
			echo "${0}: cannot create directory ${1}, exiting." 1>&2
			exit 73 # EX_CANTCREAT, see sysexits(3).
		fi
	fi
}

echo "${0}: verifying the presence of vital directories ..."
Mkdir "${INSTALLLOGDIR}" || exit

echo "${0}: doing the actual install ..."
script -efc "${INSTALLCMD}" "${INSTALLLOGDIR}/${INSTALLWORLDLOGFILE}" || exit

echo "${0}: merging system configuration files ..."
/usr/sbin/etcupdate -s /usr/src
# EOF
/root/bin/install-world.sh
shutdown -r now "Upgrading world to the latest version.";exit;logout