Editorial review of Applying Security Patches and Major/Minor Version sections.

Clarify the portmaster switch used to disable config screens, in prep for
closing PR147946.

Sponsored by:	iXsystems
Dru Lavigne 2014-05-06 15:23:19 +00:00
parent cdd8ddaea0
commit 18828ad787
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44772

@ -275,47 +275,58 @@ MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
</sect2> </sect2>
<sect2 xml:id="freebsdupdate-security-patches"> <sect2 xml:id="freebsdupdate-security-patches">
<title>Security Patches</title> <title>Applying Security Patches</title>
<para>The process of applying &os; security patches has been
simplified, allowing an administrator to keep a system fully
patched using <command>freebsd-update</command>. More
information about &os; security advisories can be found in
<xref linkend="security-advisories"/>.</para>
<para>&os; security patches may be downloaded and installed <para>&os; security patches may be downloaded and installed
using the following command:</para> using the following commands. The first command will
determine if any outstanding patches are available, and if so,
will list the files that will be modifed if the patches are
applied. The second command will apply the patches.</para>
<screen>&prompt.root; <userinput>freebsd-update fetch</userinput> <screen>&prompt.root; <userinput>freebsd-update fetch</userinput>
&prompt.root; <userinput>freebsd-update install</userinput></screen> &prompt.root; <userinput>freebsd-update install</userinput></screen>
<para>If the update applied any kernel patches, the system will <para>If the update applies any kernel patches, the system will
need a reboot in order to boot into the patched kernel. need a reboot in order to boot into the patched kernel.
Otherwise, the system should be patched and If the patch was applied to any running binaries, the affected
<command>freebsd-update</command> may be run as a nightly applications should be restarted so that the patched version
&man.cron.8; job by adding this entry to of the binary is used.</para>
<para>The system can be configured to automatically check for
updates once every day by adding this entry to
<filename>/etc/crontab</filename>:</para> <filename>/etc/crontab</filename>:</para>
<programlisting>@daily root freebsd-update cron</programlisting> <programlisting>@daily root freebsd-update cron</programlisting>
<para>This entry states that <command>freebsd-update</command> <para>If patches exist, they will automatically be
will run once every day. When run with <option>cron</option>, downloaded but will not be applied. The
<command>freebsd-update</command> will only check if updates
exist. If patches exist, they will automatically be
downloaded to the local disk but will not be applied. The
<systemitem class="username">root</systemitem> user will be <systemitem class="username">root</systemitem> user will be
sent an email so that they may be reviewed and manually sent an email so that the patches may be reviewed and manually
installed.</para> installed with
<command>freebsd-update install</command>.</para>
<para>If anything goes wrong, <command>freebsd-update</command> <para>If anything goes wrong, <command>freebsd-update</command>
has the ability to roll back the last set of changes with has the ability to roll back the last set of changes with
the following command:</para> the following command:</para>
<screen>&prompt.root; <userinput>freebsd-update rollback</userinput></screen> <screen>&prompt.root; <userinput>freebsd-update rollback</userinput>
Uninstalling updates... done.</screen>
<para>Once complete, the system should be restarted if the <para>Again, the system should be restarted if the
kernel or any kernel modules were modified. This will allow kernel or any kernel modules were modified and any affected
&os; to load the new binaries into memory.</para> binaries should be restarted.</para>
<para>Only the <filename>GENERIC</filename> kernel can be <para>Only the <filename>GENERIC</filename> kernel can be
automatically updated by <command>freebsd-update</command>. automatically updated by <command>freebsd-update</command>.
If a custom kernel is installed, it will have to be rebuilt If a custom kernel is installed, it will have to be rebuilt
and reinstalled after <command>freebsd-update</command> and reinstalled after <command>freebsd-update</command>
finishes installing the rest of the updates. However, finishes installing the updates. However,
<command>freebsd-update</command> will detect and update the <command>freebsd-update</command> will detect and update the
<filename>GENERIC</filename> kernel if <filename>GENERIC</filename> kernel if
<filename>/boot/GENERIC</filename> exists, <filename>/boot/GENERIC</filename> exists,
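Review bot: The rewritten paragraph introducing the two commands has a typo: "will list the files that will be modifed if the patches are applied" should read "modified". In the same hunk, the rewritten cron paragraph no longer carries the &man.cron.8; reference that the old text had next to the /etc/crontab entry; consider keeping that link, since the paragraph still tells the reader to edit the crontab.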
@ -326,7 +337,7 @@ MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
<para>It is a good idea to always keep a copy of the <para>It is a good idea to always keep a copy of the
<filename>GENERIC</filename> kernel in <filename>GENERIC</filename> kernel in
<filename>/boot/GENERIC</filename>. It <filename>/boot/GENERIC</filename>. It
will be helpful in diagnosing a variety of problems, and in will be helpful in diagnosing a variety of problems and in
performing version upgrades using performing version upgrades using
<command>freebsd-update</command> as described in <command>freebsd-update</command> as described in
<xref linkend="freebsdupdate-upgrade"/>.</para> <xref linkend="freebsdupdate-upgrade"/>.</para>
@ -339,23 +350,21 @@ MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
Rebuilding and reinstalling a new custom kernel can then be Rebuilding and reinstalling a new custom kernel can then be
performed in the usual way.</para> performed in the usual way.</para>
<note>
<para>The updates distributed by <para>The updates distributed by
<command>freebsd-update</command> do not always involve the <command>freebsd-update</command> do not always involve the
kernel. It is not necessary to rebuild a custom kernel if kernel. It is not necessary to rebuild a custom kernel if
the kernel sources have not been modified by the execution the kernel sources have not been modified by
of <command>freebsd-update install</command>. <command>freebsd-update install</command>.
However, <command>freebsd-update</command> will always However, <command>freebsd-update</command> will always
update <filename>/usr/src/sys/conf/newvers.sh</filename>. update <filename>/usr/src/sys/conf/newvers.sh</filename>.
The current patch level, as indicated by the The current patch level, as indicated by the
<literal>-p</literal> number reported by <literal>-p</literal> number reported by
<command>uname -r</command>, is obtained from this file. <command>uname -r</command>, is obtained from this file.
Rebuilding a custom kernel, even if nothing else changed, Rebuilding a custom kernel, even if nothing else changed,
allows &man.uname.1; to accurately report the current allows <command>uname</command> to accurately report the current
patch level of the system. This is particularly helpful patch level of the system. This is particularly helpful
when maintaining multiple systems, as it allows for a quick when maintaining multiple systems, as it allows for a quick
assessment of the updates installed in each one.</para> assessment of the updates installed in each one.</para>
</note>
</sect2> </sect2>
<sect2 xml:id="freebsdupdate-upgrade"> <sect2 xml:id="freebsdupdate-upgrade">
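Review bot: Replacing &man.uname.1; with <command>uname</command> in "allows ... to accurately report the current patch level" drops the only manual page cross-reference in this paragraph. <command>uname -r</command> is already marked up as a command two lines earlier, so consider keeping &man.uname.1; here. With the <note> wrapper removed, the paragraph also becomes part of the main text directly after "performed in the usual way", so check that the transition still reads cleanly.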
@ -369,23 +378,22 @@ MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
<para><emphasis>Major version</emphasis> upgrades occur when <para><emphasis>Major version</emphasis> upgrades occur when
&os; is upgraded from one major version to another, like from &os; is upgraded from one major version to another, like from
&os;&nbsp;8.X to &os;&nbsp;9.X. Major version upgrades remove &os;&nbsp;9.X to &os;&nbsp;10.X. Major versions use different
old object files and libraries which will break most third Application Binary Interfaces (<acronym>ABI</acronym>s), which
party applications. It is recommended that all installed which will break most third-party
ports either be removed and re-installed or upgraded after a applications. After a
major version upgrade using a utility such as major version upgrade, all installed packages and
ports need to be upgraded using a utility such as
<package>ports-mgmt/portmaster</package>. A <package>ports-mgmt/portmaster</package>. A
brute-force rebuild of all installed applications can be rebuild of all installed applications can be
accomplished with this command:</para> accomplished with this command:</para>
<screen>&prompt.root; <userinput>portmaster -af</userinput></screen> <screen>&prompt.root; <userinput>portmaster -af</userinput></screen>
<para>This will ensure everything will be re-installed <para>This command will display the configuration screens for
correctly. Note that setting the each application that has configurable options and wait for the user to interact with those
<varname>BATCH</varname> environment variable to screens. To prevent this behavior, and use only the default
<literal>yes</literal> will answer <literal>yes</literal> to options, include <option>-G</option> in the above command.</para>
any prompts during this process, removing the need for
manual intervention during the build process.</para>
<sect3 xml:id="freebsd-update-custom-kernel"> <sect3 xml:id="freebsd-update-custom-kernel">
<title>Dealing with Custom Kernels</title> <title>Dealing with Custom Kernels</title>
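Review bot: The new major-version paragraph contains a doubled word: the line ending "(<acronym>ABI</acronym>s), which" is followed by "which will break most third-party applications", so one "which" should be dropped. The sentence introducing <option>-G</option> asks the reader to "include" it in the above command without showing the result; a <screen> with the full command, as is done for portmaster -af, would remove the guesswork. The added line beginning "each application that has configurable options" also runs well past the wrap width used in the rest of the file.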