FreeBSD Update
This updates source, world and kernel.

• I choose to use the defaults in /etc/freebsd-update.conf
• Fetch the updates freebsd-update fetch
• Apply the updates freebsd-update install
• Reboot the systems shutdown -r now

If a rollback is needed the freebsd-update rollback

Updating Ports Collections

• Download updated ports portsnap fetch
• The first time portsnap is executed, you have to use extract to install the downloaded files. portsnap extract
• Rest of the time portsnap update is OK.

Upgrading Ports
pkgdb -aF
portupgrade -ay

Updating Documentation Sources
cvsup -h cvsup1.us.FreeBSD.org -g -L 2 /usr/share/examples/cvsup/doc-supfile

Cleaning up Obsolete files, Directories and Libraries

• check for obsolete files and libraries
  cd /usr/src
make check-old
make check-old-libs
• If any obsolete files are found, deleted
  make delete-old
make delete-old-libs
• portsclean -D will purge old distfiles.
• portsclean -C will clean all ‘work’ directories.
• portsclean -L will clean up unused libraries in /usr/local/lib/compat/pkg.
• portsclean -P will clean up outdated packages.

Seeing this I also noticed my documentation on updating was out of date, especially in light of a few FreeBSD ports that now make it easier. This is the quick and dirty way of updating a 6.2 FreeBSD System

Dependencies: portmanager, portsnap, pkg_version

Applying Binary Security Patches

1. Grab the latest binary updates
   

   # freebsd-update fetch

2. Install the updates
   

   # freebsd-update install

3. Check OS Level
   

   # uname -a

4. Reboot the System
   

   # shutdown -r now

5. Confirm Update
   

   # uname -a

Updating Software & Applications

1. Update your ports tree
   

   # portsnap fetch

   If you are running Portsnap for the first time, extract the snapshot into /usr/ports:

   # portsnap extract

   If you already have a populated /usr/ports and you are just updating, run the following command instead:

   # portsnap update

2. Display ports that need updating
   

   # pkg_version -vIL=

3. upgrade installed ports:
   

   # portmanager -u

mkdir /CERTS/ldap-certs/ca
cd /CERTS/ldap-certs/ca
openssl req -new -x509 -keyout ./ca.key -out ./ca.crt
echo 01 > /CERTS/ldap-certs/ca/serial
touch > /CERTS/ldap-certs/ca/index.txt

2) Create the openssl.cf file in /CERTS/ldap-certs

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = /CERTS/ldap-certs/ca # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

#default_days = 365 # how long to certify for
default_days = 3650 # how long to certify for
#default_crl_days= 30 # how long before next CRL
default_crl_days= 0 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that.
policy = policy_anything

# For the ‘anything’ policy
# At this point in time, you must list all acceptable ‘object’
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

3) Generate a Certificate Signing Request

mkdir /CERTS/ldap-certs/server
cd /CERTS/ldap-certs/server
openssl genrsa -out hostname.key
openssl req -new -key hostname.key -out hostname.csr

4) Sign the hostname certificate with your certificate authority

openssl ca -config ../openssl.cf -out hostname.crt -infiles ./hostname.csr

1) First make sure that you have cvsup installed

pkg_add -r cvsup-without-gui
rehash

2) Setup your standard-supfile to update to the Release English 6.1 Sources

cp /usr/src/share/examples/cvsup/standard-supfile ~/

3) Edit the standard-supfile file:

vi standard-supfile

Change

*default release=cvs tag=RELENG_6_0

to

*default release=cvs tag=RELENG_6_1

Also make sure that you edit the

*default host=CHANGE_THIS.FreeBSD.org

to the mirror that you want to use.

Updating your Source Tree

1) Download and install your new sources

cvsup -g -L 2 standard-supfile

2) Be sure to read /usr/src/UPDATING.

Installing New Sources

1) Build your world

cd /usr/src
make clean;make cleanworld
make buildworld

2) Back up your current kernel. If you have a custom kernel config, back it up, make a copy of the new GENERIC to your old custom config name, and then edit the new file since some things may have changed since the last time you updated. In the example below, our custom kernel config is MYKERNEL.

cd /usr/src/sys/i386/conf/
cp MYKERNEL MYKERNEL.060519

3) Build and install the new kernel.

cd /usr/src
make buildkernel KERNCONF=MYKERNEL
make installkernel KERNCONF=MYKERNEL
mergemaster -p

Mergemaster checks to see if any critical files need updated to ensure the rest of the process will work smoothly. Just follow the prompts and PAY ATTENTION to what its asking you. Do not just overwrite files or you may lose users, groups etc.

Now reboot and drop into single user mode:

shutdown -h now

and at the boot prompt, choose single user mode. On some systems you have to hit the SPACE bar and then enter boot -s at the prompt if you do not see an option.

At the shell prompt mount the disks and turn on swap

fsck -p
mount -u /
mount -a -t ufs
swapon -a

Install and run mergemaster again:

cd /usr/src
make installworld
mergemaster

This last run of mergemaster checks any other files that should be merged/updated due to the upgrade. Do the same as last time, pay attention.

reboot

At this point the system should be on the 6.1 release.  I then run:

portmanager -u -f

This rebuild all installed ports to ensure we are using all our new libs and installs.

Before you start
Setup environment for packages:

setenv PACKAGESITE ftp://ftp2.us.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/

Using freebsd-update to update standard kernels
1) Add freebsd update package:

pkg_add -r freebsd-update

2) Setup and use freebsd-update:

cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf
mkdir /usr/local/freebsd-update
freebsd-update fetch
freebsd-update install
shutdown -r now

Updating packages and ports

1) install portaudit package

pkg_add -r portaudit
rehash

2) Check for updates

/usr/local/sbin/portaudit -Fda

3) Updating of Ports tree

pkg_add -r portsnap (bundled with 6.x)
portsnap fetch
portsnap extract (only have to do this once on a new install)
portsnap update

4) Updating Applications

pkg_add -r portupgrade
rehash
portversion -v -l “<"
portupgrade -varRPP (tells it to be verbose, act on up and down depends, and upgrade only with packages)
on any that fail then do portupgrade -varR (this tells it to build from ports)