Upgrading FreeBSD 7.0 to 7.1

My last post on upgrading FreeBSD was Updating FreeBSD 7.0-BETA2 to 7.0-BETA3.

In this post I'll describe how I migrated a test install of FreeBSD 7.0-RELEASE #0 to FreeBSD 7.0-RELEASE-p7 #0, and then from there to FreeBSD 7.1-RELEASE #0.

Here's what I started with.

neely# uname -a
FreeBSD neely.taosecurity.com 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 
19:59:52 UTC 2008     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

To update to the latest version of 7.0, I ran freebsd-update. First I run without switches to show available options.

neely# freebsd-update
usage: freebsd-update [options] command ... [path]

Options:
  -b basedir   -- Operate on a system mounted at basedir
                  (default: /)
  -d workdir   -- Store working files in workdir
                  (default: /var/db/freebsd-update/)
  -f conffile  -- Read configuration options from conffile
                  (default: /etc/freebsd-update.conf)
  -k KEY       -- Trust an RSA key with SHA256 hash of KEY
  -r release   -- Target for upgrade (e.g., 6.2-RELEASE)
  -s server    -- Server from which to fetch updates
                  (default: update.FreeBSD.org)
  -t address   -- Mail output of cron command, if any, to address
                  (default: root)
Commands:
  fetch        -- Fetch updates from server
  cron         -- Sleep rand(3600) seconds, fetch updates, and send an
                  email if updates were found
  upgrade      -- Fetch upgrades to FreeBSD version specified via -r option
  install      -- Install downloaded updates or upgrades
  rollback     -- Uninstall most recently installed updates

Notice the -s switch. If you decide to pick a specific server, how do you choose? This neat trick gives you options:

$ host -t srv _http._tcp.update.freebsd.org
_http._tcp.update.freebsd.org has SRV record 1 25 80 update2.FreeBSD.org.
_http._tcp.update.freebsd.org has SRV record 1 10 80 update1.FreeBSD.org.

Note results vary depending on what servers are available at any point in time.

Now I start the update process.

neely# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 7.0-RELEASE from update2.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 27 patches.....10....20... done.
Applying patches... done.

The following files will be updated as part of updating to 7.0-RELEASE-p9:
/boot/kernel/if_faith.ko
/boot/kernel/if_fwip.ko
/boot/kernel/if_stf.ko
/boot/kernel/ip_mroute.ko
/boot/kernel/ipfw.ko
/boot/kernel/kernel
/boot/kernel/pf.ko
/boot/kernel/random.ko
/usr/bin/dig
/usr/bin/host
/usr/bin/nslookup
/usr/bin/nsupdate
/usr/bin/openssl
/usr/include/netinet/tcp.h
/usr/include/netinet6/in6.h
/usr/include/netinet6/nd6.h
/usr/lib/libssl.a
/usr/lib/libssl.so.5
/usr/libexec/ftpd
/usr/libexec/lukemftpd
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-signzone
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/ntpd
/usr/sbin/rndc-confgen

WARNING: FreeBSD 7.0-RELEASE is approaching its End-of-Life date.
It is strongly recommended that you upgrade to a newer
release within the next 2 months.

neely# freebsd-update install
Installing updates... done.
neely# reboot

After I reboot I am running FreeBSD 7.0-RELEASE-p7 #0.

neely# uname -a
FreeBSD neely.taosecurity.com 7.0-RELEASE-p7 FreeBSD 7.0-RELEASE-p7 #0: Sun Dec 21 
12:33:45 UTC 2008     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

For my own reference I see what packages are installed.

neely# pkg_info
cdrtools-2.01_6     CD/CD-R[W] and ISO-9660 image creation and extraction tools
dvd+rw-tools-7.0    DVD burning software

Now I will upgrade to 7.1.

neely# freebsd-update upgrade -r 7.1-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 7.0-RELEASE from update2.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Inspecting system... done.

The following components of FreeBSD seem to be installed:
kernel/generic world/base world/dict world/doc world/games world/info
world/manpages

The following components of FreeBSD do not seem to be installed:
src/base src/bin src/cddl src/compat src/contrib src/crypto src/etc
src/games src/gnu src/include src/krb5 src/lib src/libexec src/release
src/rescue src/sbin src/secure src/share src/sys src/tools src/ubin
src/usbin world/catpages world/proflibs

Does this look reasonable (y/n)? y

Fetching metadata signature for 7.1-RELEASE from update2.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system...done.
Fetching files from 7.0-RELEASE for merging... done.
Preparing to download files...done.
Fetching 10989 patches.....10....20....30....40....50....60....70....80....90....100....110
...edited...
810....6820....6830....6840....6850....6860.. done.
Applying patches... done.
Fetching 4516 files... failed.

That doesn't look good. Maybe the server was loaded? Based on a few searches I decide to start the process again.

neely# freebsd-update upgrade -r 7.1-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 7.0-RELEASE from update2.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.

The following components of FreeBSD seem to be installed:
kernel/generic world/base world/dict world/doc world/games world/info
world/manpages

The following components of FreeBSD do not seem to be installed:
src/base src/bin src/cddl src/compat src/contrib src/crypto src/etc
src/games src/gnu src/include src/krb5 src/lib src/libexec src/release
src/rescue src/sbin src/secure src/share src/sys src/tools src/ubin
src/usbin world/catpages world/proflibs

Does this look reasonable (y/n)? y

Fetching metadata signature for 7.1-RELEASE from update2.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.
Fetching files from 7.0-RELEASE for merging... done.
Preparing to download files... done.
Fetching 3312 patches.....10....20....30....40....50....60....70....80....90....
...edited...
2620....2630....2640....2650....2660....2670....2680....2690... done.
Applying patches... done.
Fetching 1433 files...done.
Attempting to automatically merge changes in files... done.

The following changes, which occurred between FreeBSD 7.0-RELEASE and
FreeBSD 7.1-RELEASE have been merged into /etc/group:
--- current version
+++ new version
@@ -1,6 +1,6 @@
-# $FreeBSD: src/etc/group,v 1.35 2007/06/11 18:36:39 ceri Exp $
+# $FreeBSD: src/etc/group,v 1.35.6.1 2008/11/25 02:59:29 kensmith Exp $
 #
 wheel:*:0:root,richard
 daemon:*:1:
 kmem:*:2:
 sys:*:3:
Does this look reasonable (y/n)? y

The following changes, which occurred between FreeBSD 7.0-RELEASE and
FreeBSD 7.1-RELEASE have been merged into /etc/master.passwd:
--- current version
+++ new version
@@ -1,6 +1,6 @@
-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
+# $FreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/11/25 02:59:29 kensmith Exp $
 #
 root:$1$qmgoobYq$tNDy/Y2N8QDJVjFk5E.NB.:0:0::0:0:Charlie &:/root:/bin/csh
 toor:*:0:0::0:0:Bourne-again Superuser:/root:
 daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
 operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
Does this look reasonable (y/n)? y

The following changes, which occurred between FreeBSD 7.0-RELEASE and
FreeBSD 7.1-RELEASE have been merged into /etc/passwd:
--- current version
+++ new version
@@ -1,6 +1,6 @@
-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
+# $FreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/11/25 02:59:29 kensmith Exp $
 #
 root:*:0:0:Charlie &:/root:/bin/csh
 toor:*:0:0:Bourne-again Superuser:/root:
 daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
 operator:*:2:5:System &:/:/usr/sbin/nologin
Does this look reasonable (y/n)? y
The following files will be removed as part of updating to 7.1-RELEASE-p2:
/etc/rc.d/kernel
/usr/include/netgraph/atm/ng_atmpif.h
/usr/sbin/pkg_check
/usr/sbin/pkg_sign
/usr/share/doc/de_DE.ISO8859-1/books/handbook/portsnap.html
...edited...
The following files will be added as part of updating to 7.1-RELEASE-p2:
/boot/gptboot
/boot/kernel/cmx.ko
/boot/kernel/cmx.ko.symbols
...edited...
The following files will be updated as part of updating to 7.1-RELEASE-p2:
/.cshrc
/.profile
/COPYRIGHT
/bin/[
/bin/cat
...edited...
/var/named/etc/namedb/named.root
/var/yp/Makefile.dist

neely# freebsd-update install -r 7.1-RELEASE
Installing updates...
Kernel updates have been installed.  Please reboot and run
"/usr/sbin/freebsd-update install" again to finish installing updates.
neely# reboot

After rebooting I run install again.

$ su -
Password:
neely# freebsd-update install
Installing updates...... done.
neely# reboot

$ uname -a
FreeBSD neely.taosecurity.com 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan  1 
14:37:25 UTC 2009     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

All done! If I want to see if any other patches are available I can run fetch again.

$ su -
Password:

neely# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 7.1-RELEASE from update2.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 7.1-RELEASE-p2.

Looks like that's it.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Comments

Anonymous said…
It may be worth noting that from previous personal experience this process is not entirely fault free.

After updating the system in the usual way and receiving no errors (i.e everything appeared normal) upon reboot the bootloader couldn't find the kernel. The kernel was never created so I attempted to load the previous one but this had also been removed. I searched for the kernel but it was nowhere to be found.

I'm not entirely sure what happend but it was a frustrating few hours and it still puzzles me why a backup of the previous version is not created.

I had to use the installation disk to create the kernel in the appropriate location but this wasn't as straight forward either.

Whilst this problem seems to the be in the minority I've gone back to using CVS and the typical buildworld process.

This was from a 7.1 RC2 to 7.1 when it was first released but when I looked into it has happend since its introduction in a handful of cases.
5:40 AM
Unknown said…
I am new to FreeBSD kernel customization, and I have learned that freebsd-update does not deal with CUSTOM kernels.

I had to:

cd /usr/src
make buildkernel KERNCONF=CUSTOM
make installkernel KERNCONF=CUSTOM

after the update to introduce the changes.

Reading Chris's post it looks like it may be a good thing to leave kernel stuff alone for now when binary updating...

Thanks for the post.
11:31 PM
Jason Wood said…
Just as an add on, the upgrade seems to require that you recompile your kernel to get to 7.1-RELEASE-p2.

After doing the second "freebsd-udpate install", my system reported the version as "7.1-RELEASE FreeBSD 7.1-RELEASE #0"

I was using GENERIC on my test box, so I performed

[root@freebsd2 ~] make buildkernel KERNCONF=GENERIC
[root@freebsd2 ~] make installkernel KERNCONF=GENERIC

reboot again

After this, uname -a reports the system at 7.1-RELEASE-p2.

[me@freebsd2 ~]$ uname -a
FreeBSD freebsd2.foo.com 7.1-RELEASE-p2 FreeBSD 7.1-RELEASE-p2 #1: Tue Feb 3 17:00:46 MST 2009
8:37 PM
Anonymous said…
This comment has been removed by a blog administrator.
10:14 AM
Anonymous said…
This comment has been removed by a blog administrator.
4:58 AM
Anonymous said…
This comment has been removed by a blog administrator.
11:46 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more