Editorial review of Applying Security Patches and Major/Minor Version sections.
Clarify the portmaster switch used to disable config screens, in prep for closing PR147946. Sponsored by: iXsystems
This commit is contained in:
parent
cdd8ddaea0
commit
18828ad787
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44772
1 changed files with 44 additions and 36 deletions
@ -275,47 +275,58 @@ MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
</sect2>
<sect2 xml:id="freebsdupdate-security-patches">
<title>Security Patches</title>
<title>Applying Security Patches</title>
<para>The process of applying &os; security patches has been
simplified, allowing an administrator to keep a system fully
patched using <command>freebsd-update</command>. More
information about &os; security advisories can be found in
<xref linkend="security-advisories"/>.</para>
<para>&os; security patches may be downloaded and installed
using the following command:</para>
using the following commands. The first command will
determine if any outstanding patches are available, and if so,
will list the files that will be modifed if the patches are
applied. The second command will apply the patches.</para>
<screen>&prompt.root; <userinput>freebsd-update fetch</userinput>
&prompt.root; <userinput>freebsd-update install</userinput></screen>
<para>If the update applied any kernel patches, the system will
<para>If the update applies any kernel patches, the system will
need a reboot in order to boot into the patched kernel.
Otherwise, the system should be patched and
<command>freebsd-update</command> may be run as a nightly
&man.cron.8; job by adding this entry to
If the patch was applied to any running binaries, the affected
applications should be restarted so that the patched version
of the binary is used.</para>
<para>The system can be configured to automatically check for
updates once every day by adding this entry to
<filename>/etc/crontab</filename>:</para>
<programlisting>@daily root freebsd-update cron</programlisting>
<para>This entry states that <command>freebsd-update</command>
will run once every day. When run with <option>cron</option>,
<command>freebsd-update</command> will only check if updates
exist. If patches exist, they will automatically be
downloaded to the local disk but will not be applied. The
<para>If patches exist, they will automatically be
downloaded but will not be applied. The
<systemitem class="username">root</systemitem> user will be
sent an email so that they may be reviewed and manually
installed.</para>
sent an email so that the patches may be reviewed and manually
installed with
<command>freebsd-update install</command>.</para>
<para>If anything goes wrong, <command>freebsd-update</command>
has the ability to roll back the last set of changes with
the following command:</para>
<screen>&prompt.root; <userinput>freebsd-update rollback</userinput></screen>
<screen>&prompt.root; <userinput>freebsd-update rollback</userinput>
Uninstalling updates... done.</screen>
<para>Once complete, the system should be restarted if the
kernel or any kernel modules were modified. This will allow
&os; to load the new binaries into memory.</para>
<para>Again, the system should be restarted if the
kernel or any kernel modules were modified and any affected
binaries should be restarted.</para>
<para>Only the <filename>GENERIC</filename> kernel can be
automatically updated by <command>freebsd-update</command>.
If a custom kernel is installed, it will have to be rebuilt
and reinstalled after <command>freebsd-update</command>
finishes installing the rest of the updates. However,
finishes installing the updates. However,
<command>freebsd-update</command> will detect and update the
<filename>GENERIC</filename> kernel if
<filename>/boot/GENERIC</filename> exists,
|
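Review bot: the newly added sentence "will list the files that will be modifed if the patches are / applied" misspells "modified"; since this is new text rather than carried-over text it should be fixed in this commit. A smaller style point in the same hunk: the replacement paragraph "Again, the system should be restarted if the kernel or any kernel modules were modified and any affected binaries should be restarted" uses "restarted" for both the host and the processes, which blurs the two actions the earlier paragraph just separated (reboot for kernel patches, restart for patched running binaries); "Again, reboot if the kernel or any kernel modules were modified, and restart any affected binaries" keeps that distinction. The "Uninstalling updates... done." output line added under the rollback command is consistent with how the fetch/install example is shown and is fine as is.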
@ -326,7 +337,7 @@ MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
<para>It is a good idea to always keep a copy of the
<filename>GENERIC</filename> kernel in
<filename>/boot/GENERIC</filename>. It
will be helpful in diagnosing a variety of problems, and in
will be helpful in diagnosing a variety of problems and in
performing version upgrades using
<command>freebsd-update</command> as described in
<xref linkend="freebsdupdate-upgrade"/>.</para>
@ -339,23 +350,21 @@ MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
Rebuilding and reinstalling a new custom kernel can then be
performed in the usual way.</para>
<note>
<para>The updates distributed by
<command>freebsd-update</command> do not always involve the
kernel. It is not necessary to rebuild a custom kernel if
the kernel sources have not been modified by the execution
of <command>freebsd-update install</command>.
the kernel sources have not been modified by
<command>freebsd-update install</command>.
However, <command>freebsd-update</command> will always
update <filename>/usr/src/sys/conf/newvers.sh</filename>.
The current patch level, as indicated by the
<literal>-p</literal> number reported by
<command>uname -r</command>, is obtained from this file.
Rebuilding a custom kernel, even if nothing else changed,
allows &man.uname.1; to accurately report the current
allows <command>uname</command> to accurately report the current
patch level of the system. This is particularly helpful
when maintaining multiple systems, as it allows for a quick
assessment of the updates installed in each one.</para>
</note>
</sect2>
<sect2 xml:id="freebsdupdate-upgrade">
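Review bot: replacing "&man.uname.1;" with "<command>uname</command>" at "allows <command>uname</command> to accurately report the current" drops the manual-page cross-reference that the entity renders as a link, and nothing else in the rewritten note links to the man page. Matching the "<command>uname -r</command>" markup two lines above is a fair reason for the change, but the first mention of the utility in the note is the place to keep the &man.uname.1; reference; the later mention can stay as <command>. Separately, the carried-over sentence "<command>freebsd-update</command> will always update <filename>/usr/src/sys/conf/newvers.sh</filename>" states no precondition, yet it only makes sense when the source tree is present and updated by freebsd-update, which the note does not say; a short qualifier such as "if the source tree is installed and kept up to date by freebsd-update" would avoid overstating it while the text is being touched anyway.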
@ -369,23 +378,22 @@ MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
<para><emphasis>Major version</emphasis> upgrades occur when
&os; is upgraded from one major version to another, like from
&os; 8.X to &os; 9.X. Major version upgrades remove
old object files and libraries which will break most third
party applications. It is recommended that all installed
ports either be removed and re-installed or upgraded after a
major version upgrade using a utility such as
&os; 9.X to &os; 10.X. Major versions use different
Application Binary Interfaces (<acronym>ABI</acronym>s), which
which will break most third-party
applications. After a
major version upgrade, all installed packages and
ports need to be upgraded using a utility such as
<package>ports-mgmt/portmaster</package>. A
brute-force rebuild of all installed applications can be
rebuild of all installed applications can be
accomplished with this command:</para>
<screen>&prompt.root; <userinput>portmaster -af</userinput></screen>
<para>This will ensure everything will be re-installed
correctly. Note that setting the
<varname>BATCH</varname> environment variable to
<literal>yes</literal> will answer <literal>yes</literal> to
any prompts during this process, removing the need for
manual intervention during the build process.</para>
<para>This command will display the configuration screens for
each application that has configurable options and wait for the user to interact with those
screens. To prevent this behavior, and use only the default
options, include <option>-G</option> in the above command.</para>
<sect3 xml:id="freebsd-update-custom-kernel">
<title>Dealing with Custom Kernels</title>
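Review bot: the new sentence "Major versions use different Application Binary Interfaces (<acronym>ABI</acronym>s), which / which will break most third-party" repeats "which" across the line break; drop one of them. The rewritten line "each application that has configurable options and wait for the user to interact with those" runs far past the wrap width used on every other line in the file and should be rewrapped to match. On the substance of the change the commit message describes, "<option>-G</option>" is the right switch for suppressing the configuration screens, but note that the paragraph it replaces promised something broader ("setting the <varname>BATCH</varname> environment variable to <literal>yes</literal> will answer <literal>yes</literal> to any prompts during this process"), and the new text only covers the config screens; if dropping the BATCH advice is intentional, a sentence in the commit message saying why would help the next reader of the history.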