Editorial review of Applying Security Patches and Major/Minor Version sections.

Clarify the portmaster switch used to disable config screens, in prep for
closing PR147946.

Sponsored by:	iXsystems
Dru Lavigne 2014-05-06 15:23:19 +00:00
parent cdd8ddaea0
commit 18828ad787
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44772

@ -275,47 +275,58 @@ MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
</sect2>
<sect2 xml:id="freebsdupdate-security-patches">
<title>Security Patches</title>
<title>Applying Security Patches</title>
<para>The process of applying &os; security patches has been
simplified, allowing an administrator to keep a system fully
patched using <command>freebsd-update</command>. More
information about &os; security advisories can be found in
<xref linkend="security-advisories"/>.</para>
<para>&os; security patches may be downloaded and installed
using the following command:</para>
using the following commands. The first command will
determine if any outstanding patches are available, and if so,
will list the files that will be modifed if the patches are
applied. The second command will apply the patches.</para>
<screen>&prompt.root; <userinput>freebsd-update fetch</userinput>
&prompt.root; <userinput>freebsd-update install</userinput></screen>
<para>If the update applied any kernel patches, the system will
<para>If the update applies any kernel patches, the system will
need a reboot in order to boot into the patched kernel.
Otherwise, the system should be patched and
<command>freebsd-update</command> may be run as a nightly
&man.cron.8; job by adding this entry to
If the patch was applied to any running binaries, the affected
applications should be restarted so that the patched version
of the binary is used.</para>
<para>The system can be configured to automatically check for
updates once every day by adding this entry to
<filename>/etc/crontab</filename>:</para>
<programlisting>@daily root freebsd-update cron</programlisting>
<para>This entry states that <command>freebsd-update</command>
will run once every day. When run with <option>cron</option>,
<command>freebsd-update</command> will only check if updates
exist. If patches exist, they will automatically be
downloaded to the local disk but will not be applied. The
<para>If patches exist, they will automatically be
downloaded but will not be applied. The
<systemitem class="username">root</systemitem> user will be
sent an email so that they may be reviewed and manually
installed.</para>
sent an email so that the patches may be reviewed and manually
installed with
<command>freebsd-update install</command>.</para>
<para>If anything goes wrong, <command>freebsd-update</command>
has the ability to roll back the last set of changes with
the following command:</para>
<screen>&prompt.root; <userinput>freebsd-update rollback</userinput></screen>
<screen>&prompt.root; <userinput>freebsd-update rollback</userinput>
Uninstalling updates... done.</screen>
<para>Once complete, the system should be restarted if the
kernel or any kernel modules were modified. This will allow
&os; to load the new binaries into memory.</para>
<para>Again, the system should be restarted if the
kernel or any kernel modules were modified and any affected
binaries should be restarted.</para>
<para>Only the <filename>GENERIC</filename> kernel can be
automatically updated by <command>freebsd-update</command>.
If a custom kernel is installed, it will have to be rebuilt
and reinstalled after <command>freebsd-update</command>
finishes installing the rest of the updates. However,
finishes installing the updates. However,
<command>freebsd-update</command> will detect and update the
<filename>GENERIC</filename> kernel if
<filename>/boot/GENERIC</filename> exists,
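Review bot: "modifed" in the new paragraph introducing the fetch and install commands ("will list the files that will be modifed if the patches are applied") should be "modified". In the reworked reboot paragraph, the wording moves from "If the update applies any kernel patches" to "If the patch was applied to any running binaries", which changes both tense and noun within two sentences; using "the update" and the present tense in both would read more cleanly. The new sentence after the rollback example, "Again, the system should be restarted if the kernel or any kernel modules were modified and any affected binaries should be restarted", joins two different actions with a bare "and"; a comma before "and" or a split into two sentences would make it clear that the binaries are restarted individually rather than by the reboot.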
@ -326,7 +337,7 @@ MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
<para>It is a good idea to always keep a copy of the
<filename>GENERIC</filename> kernel in
<filename>/boot/GENERIC</filename>. It
will be helpful in diagnosing a variety of problems, and in
will be helpful in diagnosing a variety of problems and in
performing version upgrades using
<command>freebsd-update</command> as described in
<xref linkend="freebsdupdate-upgrade"/>.</para>
@ -339,23 +350,21 @@ MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
Rebuilding and reinstalling a new custom kernel can then be
performed in the usual way.</para>
<note>
<para>The updates distributed by
<command>freebsd-update</command> do not always involve the
kernel. It is not necessary to rebuild a custom kernel if
the kernel sources have not been modified by the execution
of <command>freebsd-update install</command>.
the kernel sources have not been modified by
<command>freebsd-update install</command>.
However, <command>freebsd-update</command> will always
update <filename>/usr/src/sys/conf/newvers.sh</filename>.
The current patch level, as indicated by the
<literal>-p</literal> number reported by
<command>uname -r</command>, is obtained from this file.
Rebuilding a custom kernel, even if nothing else changed,
allows &man.uname.1; to accurately report the current
allows <command>uname</command> to accurately report the current
patch level of the system. This is particularly helpful
when maintaining multiple systems, as it allows for a quick
assessment of the updates installed in each one.</para>
</note>
</sect2>
<sect2 xml:id="freebsdupdate-upgrade">
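Review bot: in the note about newvers.sh, replacing &man.uname.1; with <command>uname</command> removes the only manual page reference for uname in this passage, since the earlier mention is already the plain <command>uname -r</command>. If the intent is to avoid a repeated link, consider keeping the entity on one of the two mentions so readers can still reach the manual page from the text that explains where the -p patch level comes from.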
@ -369,23 +378,22 @@ MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
<para><emphasis>Major version</emphasis> upgrades occur when
&os; is upgraded from one major version to another, like from
&os;&nbsp;8.X to &os;&nbsp;9.X. Major version upgrades remove
old object files and libraries which will break most third
party applications. It is recommended that all installed
ports either be removed and re-installed or upgraded after a
major version upgrade using a utility such as
&os;&nbsp;9.X to &os;&nbsp;10.X. Major versions use different
Application Binary Interfaces (<acronym>ABI</acronym>s), which
which will break most third-party
applications. After a
major version upgrade, all installed packages and
ports need to be upgraded using a utility such as
<package>ports-mgmt/portmaster</package>. A
brute-force rebuild of all installed applications can be
rebuild of all installed applications can be
accomplished with this command:</para>
<screen>&prompt.root; <userinput>portmaster -af</userinput></screen>
<para>This will ensure everything will be re-installed
correctly. Note that setting the
<varname>BATCH</varname> environment variable to
<literal>yes</literal> will answer <literal>yes</literal> to
any prompts during this process, removing the need for
manual intervention during the build process.</para>
<para>This command will display the configuration screens for
each application that has configurable options and wait for the user to interact with those
screens. To prevent this behavior, and use only the default
options, include <option>-G</option> in the above command.</para>
<sect3 xml:id="freebsd-update-custom-kernel">
<title>Dealing with Custom Kernels</title>
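Review bot: the rewritten major version paragraph contains a doubled word across the line break, "(<acronym>ABI</acronym>s), which" followed by "which will break most third-party"; drop one "which". The two new lines starting "each application that has configurable options" and "options, include <option>-G</option>" are much longer than the surrounding lines and should be rewrapped to match the rest of the file. Since the commit's purpose is to clarify the switch that disables the configuration screens, it would also help to state where -G goes relative to the "portmaster -af" example rather than only saying "include -G in the above command". Finally, the paragraph about the BATCH environment variable is removed without a replacement; if BATCH no longer applies, a short mention in the commit message would explain why it was dropped.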