Kamis, 16 Juni 2005

FreeBSD Post-Installation Tasks

05.39  ,  No comments

Last night I installed FreeBSD 5.4 on my Dell PowerEdge 2300 server. Immediately following the installation, these are the tasks I performed. These are the same post-installation tasks I perform, in the same order, on every FreeBSD system I build.

1. When I install FreeBSD, I create a user and give him the /bin/sh shell. I used Linux before I used FreeBSD, and I remain more familiar with bash. Therefore, I install the most recent package available. I do this using the PACKAGESITE environment variable. Notice how pkg_add satisfies dependencies automatically.


$ su -
Password:
janney# setenv PACKAGESITE 
 ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/Latest/
janney# pkg_add -r bash
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
 Latest/bash.tbz... Done.
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
 All/libiconv-1.9.2_1.tbz... Done.
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
 All/gettext-0.14.4_1.tbz... Done.
janney# rehash

I need the rehash command so root's shell can find bash, or any newly installed program. I now use chsh to my user's shell from /bin/sh to /usr/local/bin/bash. Thanks to erson from Sweden for the tip!

$ chsh -s /usr/local/bin/bash
Password: 
chsh: user information updated

Now I install freebsd-update to facilitate fixing any kernel and OS security vulnerabilities.

janney# pkg_add -r freebsd-update
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
 Latest/freebsd-update.tbz... Done.
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
 All/bsdiff-4.2.tbz... Done.
janney# rehash
janney# cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf
janney# mkdir /usr/local/freebsd-update
janney# freebsd-update fetch
Fetching public key...
Fetching updates signature...
Fetching updates...
Fetching hash list signature...
Fetching hash list...
Examining local system...
Fetching updates...
/usr/bin/gunzip...
/usr/bin/gzcat...
/usr/bin/gzip...
/usr/bin/zcat...
/usr/include/machine/cpufunc.h...
/usr/sbin/tcpdump...
Updates fetched

To install these updates, run: '/usr/local/sbin/freebsd-update install'

janney# freebsd-update install
Backing up /usr/bin/gunzip...
Installing new /usr/bin/gunzip...
Backing up /usr/bin/gzcat...
Recreating hard link from /usr/bin/gunzip to /usr/bin/gzcat...
Backing up /usr/bin/gzip...
Recreating hard link from /usr/bin/gunzip to /usr/bin/gzip...
Backing up /usr/bin/zcat...
Recreating hard link from /usr/bin/gunzip to /usr/bin/zcat...
Backing up /usr/include/machine/cpufunc.h...
Installing new /usr/include/machine/cpufunc.h...
Backing up /usr/sbin/tcpdump...
Installing new /usr/sbin/tcpdump...

All of these updates affected the userland. No changes to the kernel were made. If kernel changes were involved, I would have to reboot to have them take effect.

I continue with portaudit. This program checks installed packages for security vulnerabilities. portaudit compares the installed packages against a database it downloads.

janney# pkg_add -r portaudit
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/
 Latest/portaudit.tbz... Done.

===>  To check your installed ports for known vulnerabilities now, do:

      /usr/local/sbin/portaudit -Fda

janney# rehash
janney# portaudit -Fda
auditfile.tbz                                 100% of   25 kB   79 kBps
New database installed.
Database created: Thu Jun 16 09:10:15 EDT 2005
0 problem(s) in your installed packages found.

Next I install portsnap to update my ports tree. I don't install the ports tree on systems I build to be appliances. On general purpose servers, however, I like having the ports tree available. A current ports tree is needed if you want to use portupgrade (described later) to assess and update installed packages.

janney# pkg_add -r portsnap
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
 Latest/portsnap.tbz... Done.
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
 All/freebsd-sha256-20050310.tbz... Done.
janney# rehash
janney# cp /usr/local/etc/portsnap.conf.sample /usr/local/etc/portsnap.conf
janney# portsnap fetch
Fetching public key... done.
Fetching snapshot tag... done.
Fetching snapshot metadata... done.
Fetching snapshot generated at Wed Jun 15 20:51:48 EDT 2005:
2cae03da4bde1d1eb260ce3e6eb237f014d930245442fe100% of   34 MB  469 kBps 00m00s
Extracting snapshot... done.
Verifying snapshot integrity... 
Fetching snapshot tag... done.
Fetching snapshot metadata... done.
Updating from Wed Jun 15 20:51:48 EDT 2005 to Thu Jun 16 06:39:30 EDT 2005.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 33 patches.....10....20....30. done.
Applying patches... done.
Fetching 5 new ports or files... done.
janney# portsnap extract
/usr/ports/.cvsignore
/usr/ports/CHANGES
/usr/ports/LEGAL
/usr/ports/MOVED
/usr/ports/Makefile
/usr/ports/Mk/bsd.autotools.mk
/usr/ports/Mk/bsd.emacs.mk
/usr/ports/Mk/bsd.gcc.mk
...edited...
Building new INDEX files... done.

Next I install portupgrade. This is the best way I've found to keep packages up-to-date.

janney# pkg_add -r portupgrade
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
 Latest/portupgrade.tbz... Done.
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
 All/ruby-1.8.2_3.tbz... Done.
...edited...
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-5-stable/
 All/ruby18-bdb1-0.2.2.tbz... Done.

I run portversion to quickly see what packages need updating. I will take care of that later.

janney:/root# rehash
janney:/root# portversion -v -l "<"
[Rebuilding the pkgdb  in /var/db/pkg ... - 32 packages foun.................... done]
[Updating the portsdb  in /usr/ports ... - 13089 port entries found 
 .........1000.........2000.........3000.........4000.........5000.........6000........
 .7000.........8000.........9000.........10000.........11000.........12000.........
 13000 ..... done]
expat-1.95.8                <  needs updating (port has 1.95.8_3)
pkgconfig-0.15.0_1          <  needs updating (port has 0.17.2)
png-1.2.8_1                 <  needs updating (port has 1.2.8_2)
portupgrade-20041226_3      <  needs updating (port has 20041226_4)
xorg-server-6.8.2           <  needs updating (port has 6.8.2_2)
xterm-200_2                 <  needs updating (port has 202)

I edit root's .cshrc as follows to change the prompt.

#       set prompt = "`/bin/hostname -s`# "
        set prompt = "%m:%/# "

The prompt will now look like this.

janney:/root#

I make a similar edit to my user prompt in the .profile file for my user's bash shell/.

PS1='`hostname -s`:$PWD$ '; export PS1

The prompt will now look like this.

janney:/home/richard$

Finally I run the sockstat command to see if there are any listening services for which I cannot account. This box is running NFS by design, so there are more listening services that usual.

janney# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
richard  sshd       56174 5  tcp4   192.168.2.7:22        192.168.2.5:55803
root     sshd       56171 5  tcp4   192.168.2.7:22        192.168.2.5:55803
root     sendmail   408   4  tcp4   127.0.0.1:25          *:*
root     sshd       402   4  tcp4   *:22                  *:*
root     nfsd       326   3  tcp4   *:2049                *:*
root     mountd     324   4  udp4   *:782                 *:*
root     mountd     324   5  tcp4   *:797                 *:*
root     rpcbind    257   9  udp4   *:111                 *:*
root     rpcbind    257   10 udp4   *:686                 *:*
root     rpcbind    257   11 tcp4   *:111                 *:*
root     syslogd    244   6  udp4   *:514                 *:*

If I need to recompile the kernel, I take that step next. On most systems I do not have to recompile the kernel.

From here I begin adding packages and other customizations to make this system perform its specific role.

0 komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)