FreeBSD 7.0 New Install

I’ve been running various versions of FreeBSD since 2001, and over that time the installation procedure has changed several times as new versions of the operating system have been released. Since I’m jack of all trades (or at least many trades), often several months or more passes without significant work in the UNIX environment, and my memory fades as I’m engrossed in something completely different such as software development work. I’m still running FreeBSD 6.1 in production environments, but want to make the move to 7.0 soon. Before doing so, however, I decided to set up a reference system and document the setup process to avoid major surprises (or my own memory glitches) as I reinstall the OS on the production systems — and hopefully have as a result minimum downtime possible.

Step one… FreeBSD installation using the Custom install. I post my notes below; perhaps someone will find this useful. The system is being set up as a web/db/mail server that is administered remotely; no X11 is needed or desired.

  1. Use custom install w/defaults except..
    Skip PCCARD: YES
    Media Type: CDROM
  2. Set keymap if not ASCII (I use Finnish keyboard so I selected “Finnish ISO”) and timezone in post install.
  3. Old mount point & label info is ok (from the older installations). I use “4069M” for boot, “6100M” for swap, and rest for application data (generally a largish RAID-5 or RAID-6 array is used), the respective mount point labels are “/”, swap, and “/usr”. I use standard boot record since no other operating systems are installed on the system. Boot drive is made bootable, softupdates is enabled on the data slice.
  4. Configure network, system name, keyboard map (sysinstall should’ve created delta for it) in /etc/rc.conf.  Much more should and will go into it, but the basics that will get the system online are:

    keymap="finnish.iso" #obviously optional :)
    ifconfig_em0="inet netmask" #currently installing behind a firewall
    fsck_y_enable="yes" #this is good to set in case your system crashes during setup without orderly shutdown.. you don't have to press "yes" a million times

    Note that you may have a different kind of network interface and you might have to adjust the “ifconfig_em0 accordingly.
  5. Configure DNSes in /etc/resolv.conf. I use OpenDNS servers, like so:

  6. If you’re basing this installation on an older install, import your old .cshrc or the equivalent alias/setting file of your favorite shell (makes the life easier as aliases work, etc).
  7. If you’re not using X11, enter `WITHOUT_X11′ in /etc/make.conf so you don’t have to set it in the environment every time.

    WITHOUT_X11=yes #don't compile GUI to ports apps
    CPUTYPE=i686 #set this for modern Intel CPUs
    OPENSSLBASE=/usr/local #obviously if you use OpenSSL
  8. Build /usr/ports/net/cvsup with WITHOUT_X11 set in make.conf (as above) or in the environment, or use /usr/ports/net/cvsup-without-gui/ and update the ports tree.First create /usr/local/etc/cvsup/supfile.ports containing:

    *default base=/usr/local/etc/cvsup
    *default prefix=/usr
    *default release=cvs tag=.
    *default delete use-rel-suffix

    If you want to use the fastest cvs server available, install /usr/ports/sysutils/fastest_cvsup/ and run with fastest_cvsup -c us (replace ‘us’ with your local country code if you’re not in the U.S. :-)), then use the cvs server indicated as the default host. Then update ports with
    /usr/local/bin/cvsup -g -L 2 /usr/local/etc/cvsup/supfile.ports

    You can use an optional `-d 100′ to limit file deletions to 100 initially to make sure update is working and the entire ports tree won’t be wiped out. Then remove it for full run (intial run *will* need to delete more than 100 files, but they’re not all in sequence)

  9. Build & install /usr/ports/editors/joe (or whatever your favorite editor might be); this makes life easier as configuration progresses.
  10. Build & install /usr/ports/security/openssh-portable. Use defaults + select `Enable CHROOT support’ (for later use)
  11. Create a non-root user for remote login. vipw is an easy way to manage users.
  12. Configure OpenSSH daemon in /usr/local/etc/ssh/sshd_config & make sure sshd starts (set openssh_enable=”yes” in /etc/rc.conf, and make sure the start file is called /usr/local/etc/rc.d/; reboot may be required to create the necessary server keys & start the service (confirm with ps -waux | grep “ssh”).sshd_config params of note (for initial access) are..

    AllowUsers root MyUserName
    PermitRootLogin without-password #allow root login only with a RSA-key
    PasswordAuthentication yes
    UsePAM no
    UseDNS no

    ** remote login should be possible at this point **
  13. Create /usr/local/etc/cvsup/supfile.sources with the below content, then update sources with /usr/local/bin/cvsup -g -L 2 /usr/local/etc/cvsup/supfile.sources

    *default base=/usr/local/etc/cvsup
    *default prefix=/usr
    *default release=cvs tag=RELENG_7_0
    *default delete use-rel-suffix
  14. Review kernel configuration at /usr/src/sys/i386/conf (see my kernel defaults in the next post).
  15. Build & install new world if any deltas were applied in source update:
    cd /usr/src && make buildworld.
    If there are problems, try the following, then run buildworld again.

    cd /usr/obj
    chflags -R noschg *
    rm -rf *

    When buildworld completes, reboot the system, select option 4, or interrupt the reboot (option 6) and type boot -s to boot into single user mode; accept /bin/sh as the shell, then continue with the following commands to install new world:

    mount -u /
    mount -a -t ufs
    swapon -a

    cd /usr/src
    make installworld

    exit (goes multi-user)

  16. Build custom kernel & install with below commands:

    cd /usr/src
    make cleandir
    make buildkernel
    if this fails, try cd /usr/src/usr.sbin/config/ && make depend all install clean and also check your kernel configuration file for problems, then start the above build process again.
  17. Make a backup copy of the old kernel and install the new:

    cp -Rp /boot/kernel /boot/kernel.recent
    make installkernel
  18. Reboot & confirm that the latest kernel version is running with uname -a (or uname -rs).
  19. Make a copy of the functional kernel if boot is ok:chflags -R noschg /boot/kernel && cp -Rp /boot/kernel /boot/ && chflags -R schg /boot/kernel
  20. Set /boot/loader.conf parameters, like so:

    kern.ipc.nmbclusters=16384 # Set the number of mbuf clusters
    kern.ipc.maxsockets=16384 # Set the number of tcp sockets

Basic install & kernel setup is now complete.

5 thoughts on “FreeBSD 7.0 New Install”

  1. Hi!

    Very useful article, many thanks, earlier I used portsnap and freebsd-update, but a year ago I changed OS to Solaris and since then I haven’t had FreeBSD. But now I’m thinking of returning to FreeBSD… 🙂

  2. Hello,

    I am finding some interesting posts here on your blog, while I am going through a couple of FreeBSD 7.0 installs myself.

    I also wanted to mention that you can use portsnap instead of cvsup, it’s easier to use and installed by default on FreeBSD 7.0. You can find more useful info about portsnap here:

    What I am curious about are the changes you made in loader.conf. Could you explain what and why you made those changes? Since my servers are also web/db/mail servers, these settins may be relevant for me as well.


  3. Actually I don’t remember why I made those changes :-). They were in response to some kind of persistent console messages I was getting a year or so ago. If memory serves, they had to do with “system running low on resource/file handles” type problem which the setting changes remedied (and since the new server is going to be used for the same type of use, general web/mail/database use, I adopted them as part of my “standard” settings).

  4. By the way, thanks for the info about portsnap; I wasn’t aware of it. Seems like it’s a better (less bandwidth-hungry) way to update the ports tree. I found a good synopsis on why it’s better than cvsup:

    »Portsnap is a system for securely updating the ports tree by distributing signed compressed snapshots. This is the client half of that system; it downloads compressed snapshots into /usr/local/portsnap (“portsnap fetch”) and uses those to extract a ports tree into /usr/ports (“portsnap extract”) or update an existing tree (“portsnap update”).

    In addition to operating entirely over HTTP, portsnap can use under a tenth of the bandwidth required by CVSup if a copy of the ports tree is being updated every few days.»

    One thing that I haven’t figured out how to do but that would be immensely useful is how to automatically generate a list of ports that have been updated (as compared to the installed versions).

  5. I switched to portsnap; much better than cvsup! It also solved another item on my wish list. For long time I’ve wished there would be some automated way to indicate, say, day on daily basis as to which ports have been updated. Portsnap does this automatically!

    I also installed portaudit (/usr/ports/ports-mgmt/portaudit) which provides a daily list of installed ports that have security vulnerabilities. This list along with the updated ports list (provided by portsnap) makes system management a whole lot easier.

    While portsnap must be added to the crontab to run daily (for example), portaudit install adds a similarly named script to /usr/local/etc/periodic/security/ directory from where it’s triggered daily.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.