FreeBSD Security Updates and Kernel Compilation

If you have never compiled a kernel, or are about to build a new one, apply the security updates first. Start by editing the configuration file and changing the server to fetch from to the Taiwan mirror server:

# ee /etc/freebsd-update.conf
ServerName update.tw.FreeBSD.org

Download the security updates:

# freebsd-update fetch

Install the security updates:

# freebsd-update install

Reboot, then fetch the security updates once more to confirm that the update is complete; the message "No updates needed to update system to 8.2-RELEASE-p2." should appear. To find out whether the kernel needs to be recompiled, check the update items in the FreeBSD Security Advisories and search for the string "Recompile your kernel". For other freebsd-update parameters and usage, refer to ohaha's freebsd-update article.
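As an added example (not from the original post), a small sh script that compares the patch level of the running kernel, as printed by uname -r, with the level in the freebsd-update message quoted above. freebsd-update does not patch a custom (non-GENERIC) kernel, so a kernel patch level below the reported one tells you the custom kernel still has to be rebuilt when the advisory says "Recompile your kernel". The message wording and the version string form are assumed to be exactly the ones shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post): compare the running kernel's
# patch level with the one freebsd-update reports. Version strings follow the
# "8.2-RELEASE-p2" form on this page; the message format is the one quoted above.

# Patch number of a FreeBSD version string: "8.2-RELEASE-p2" -> 2, "8.2-RELEASE" -> 0
patch_number() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# Pull the target version out of "No updates needed to update system to X."
target_from_message() {
    printf '%s\n' "$1" | sed -n 's/.*system to \(.*\)\.$/\1/p'
}

# $1 = output of uname -r, $2 = the freebsd-update message.
# Returns 0 (true) when the kernel is behind the reported patch level.
kernel_behind() {
    target=$(target_from_message "$2")
    [ "$(patch_number "$1")" -lt "$(patch_number "$target")" ]
}

# Constructed sample values for a stand-alone run (not captured from a real host).
RUNNING="8.2-RELEASE"   # what uname -r shows on a custom kernel built from release source
MSG="No updates needed to update system to 8.2-RELEASE-p2."
if kernel_behind "$RUNNING" "$MSG"; then
    echo "kernel $RUNNING is behind $(target_from_message "$MSG"): rebuild it if the advisory says so"
else
    echo "kernel $RUNNING already matches the reported patch level"
fi
```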

The kernel compilation method follows twbsd's kernel compilation article. First install the kernel source code:

# sysinstall

Select [Configure] > [Distribution] > [src] > [sys] > Install. Because only /usr/src/sys is installed this way, only the first compilation method can be used.

Copy the configuration file to a new directory, rename it, and link it back:

# cd /usr/src/sys/i386/conf
# cp GENERIC /root/NEW_KERNEL
# ln -s /root/NEW_KERNEL

Edit the configuration file:

# ee /root/NEW_KERNEL

Below is the content of my configuration file. If you need other features or hardware (for example a firewall, NAT or a sound card), add them yourself:

#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the config(5) manual page,
# and/or the handbook section on Kernel Configuration Files:
#
#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.519.2.12.2.1 2010/12/21 17:09:25 kensmith Exp $

#cpu    I486_CPU
#cpu    I586_CPU
cpu    I686_CPU
ident    NEW_KERNEL

# To statically compile in device wiring instead of /boot/device.hints
#hints    "GENERIC.hints"    # Default places to look for devices.

# Use the following to compile in values accessible to the kernel
# through getenv() (or kenv(1) in userland). The format of the file
# is 'variable=value', see kenv(1)
#
# env    "GENERIC.env"

#makeoptions  DEBUG=-g    # Build kernel with gdb(1) debug symbols

options   SCHED_ULE    # ULE scheduler
options   PREEMPTION    # Enable kernel thread preemption
options   INET      # InterNETworking
options   INET6      # IPv6 communications protocols
options   SCTP      # Stream Control Transmission Protocol
options   FFS      # Berkeley Fast Filesystem
options   SOFTUPDATES    # Enable FFS soft updates support
options   UFS_ACL      # Support for access control lists
options   UFS_DIRHASH    # Improve performance on big directories
options   UFS_GJOURNAL    # Enable gjournal-based UFS journaling
options   MD_ROOT      # MD is a potential root device
options   NFSCLIENT    # Network Filesystem Client
options   NFSSERVER    # Network Filesystem Server
options   NFSLOCKD    # Network Lock Manager
options   NFS_ROOT    # NFS usable as /, requires NFSCLIENT
options   MSDOSFS      # MSDOS Filesystem
options   CD9660      # ISO 9660 Filesystem
options   PROCFS      # Process filesystem (requires PSEUDOFS)
options   PSEUDOFS    # Pseudo-filesystem framework
options   GEOM_PART_GPT    # GUID Partition Tables.
options   GEOM_LABEL    # Provides labelization
options   COMPAT_43TTY    # BSD 4.3 TTY compat (sgtty)
options   COMPAT_FREEBSD4    # Compatible with FreeBSD4
options   COMPAT_FREEBSD5    # Compatible with FreeBSD5
options   COMPAT_FREEBSD6    # Compatible with FreeBSD6
options   COMPAT_FREEBSD7    # Compatible with FreeBSD7
#options   SCSI_DELAY=5000    # Delay (in ms) before probing SCSI
#options   KTRACE      # ktrace(1) support
options   STACK      # stack(9) support
options   SYSVSHM      # SYSV-style shared memory
options   SYSVMSG      # SYSV-style message queues
options   SYSVSEM      # SYSV-style semaphores
options   P1003_1B_SEMAPHORES  # POSIX-style semaphores
options   _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options   PRINTF_BUFR_SIZE=128  # Prevent printf output being interspersed.
options   KBD_INSTALL_CDEV  # install a CDEV entry in /dev
options   HWPMC_HOOKS    # Necessary kernel hooks for hwpmc(4)
options   AUDIT      # Security event auditing
options   MAC      # TrustedBSD MAC Framework
options   FLOWTABLE    # per-cpu routing cache
#options   KDTRACE_HOOKS    # Kernel DTrace hooks
options   INCLUDE_CONFIG_FILE     # Include this file in kernel

options   KDB      # Kernel debugger related code
options   KDB_TRACE    # Print a stack trace for a panic

# To make an SMP kernel, the next two lines are needed
#options   SMP      # Symmetric MultiProcessor Kernel
#device    apic      # I/O APIC

# CPU frequency control
device    cpufreq

# Bus support.
#device    acpi
#device    eisa
device    pci

# Floppy drives
#device    fdc

# ATA and ATAPI devices
device    ata
device    atadisk    # ATA disk drives
#device    ataraid    # ATA RAID drives
device    atapicd    # ATAPI CDROM drives
#device    atapifd    # ATAPI floppy drives
#device    atapist    # ATAPI tape drives
#options   ATA_STATIC_ID  # Static device numbering

# SCSI Controllers
#device    ahb    # EISA AHA1742 family
#device    ahc    # AHA2940 and onboard AIC7xxx devices
#options   AHC_REG_PRETTY_PRINT  # Print register bitfields in debug
          # output.  Adds ~128k to driver.
#device    ahd    # AHA39320/29320 and onboard AIC79xx devices
#options   AHD_REG_PRETTY_PRINT  # Print register bitfields in debug
          # output.  Adds ~215k to driver.
#device    amd    # AMD 53C974 (Tekram DC-390(T))
#device    hptiop    # Highpoint RocketRaid 3xxx series
#device    isp    # Qlogic family
#device    ispfw    # Firmware for QLogic HBAs- normally a module
#device    mpt    # LSI-Logic MPT-Fusion
#device    ncr    # NCR/Symbios Logic
#device    sym    # NCR/Symbios Logic (newer chipsets + those of `ncr')
#device    trm    # Tekram DC395U/UW/F DC315U adapters

#device    adv    # Advansys SCSI adapters
#device    adw    # Advansys wide SCSI adapters
#device    aha    # Adaptec 154x SCSI adapters
#device    aic    # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
#device    bt    # Buslogic/Mylex MultiMaster SCSI adapters

#device    ncv    # NCR 53C500
#device    nsp    # Workbit Ninja SCSI-3
#device    stg    # TMC 18C30/18C50

# SCSI peripherals
device    scbus    # SCSI bus (required for SCSI)
#device    ch    # SCSI media changers
device    da    # Direct Access (disks)
#device    sa    # Sequential Access (tape etc)
#device    cd    # CD
#device    pass    # Passthrough device (direct SCSI access)
#device    ses    # SCSI Environmental Services (and SAF-TE)

# RAID controllers interfaced to the SCSI subsystem
#device    amr    # AMI MegaRAID
#device    arcmsr    # Areca SATA II RAID
#device    asr    # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device    ciss    # Compaq Smart RAID 5*
#device    dpt    # DPT Smartcache III, IV - See NOTES for options
#device    hptmv    # Highpoint RocketRAID 182x
#device    hptrr    # Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
#device    iir    # Intel Integrated RAID
#device    ips    # IBM (Adaptec) ServeRAID
#device    mly    # Mylex AcceleRAID/eXtremeRAID
#device    twa    # 3ware 9000 series PATA/SATA RAID

# RAID controllers
#device    aac    # Adaptec FSA RAID
#device    aacp    # SCSI passthrough for aac (requires CAM)
#device    ida    # Compaq Smart RAID
#device    mfi    # LSI MegaRAID SAS
#device    mlx    # Mylex DAC960 family
#device    pst    # Promise Supertrak SX6000
#device    twe    # 3ware ATA RAID

# atkbdc0 controls both the keyboard and the PS/2 mouse
device    atkbdc    # AT keyboard controller
device    atkbd    # AT keyboard
device    psm    # PS/2 mouse

device    kbdmux    # keyboard multiplexer

device    vga    # VGA video card driver

device    splash    # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device    sc

device    agp    # support several AGP chipsets

# Power management support (see NOTES for more options)
#device    apm
# Add suspend/resume support for the i8254.
device    pmtimer

# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device    cbb    # cardbus (yenta) bridge
#device    pccard    # PC Card (16-bit) bus
#device    cardbus    # CardBus (32-bit) bus

# Serial (COM) ports
#device    uart    # Generic UART driver

# Parallel port
#device    ppc
#device    ppbus    # Parallel port bus (required)
#device    lpt    # Printer
#device    plip    # TCP/IP over parallel
#device    ppi    # Parallel port interface device
#device    vpo    # Requires scbus and da

# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to sio, uart and/or ppc drivers):
#device    puc

# PCI Ethernet NICs.
#device    de    # DEC/Intel DC21x4x (``Tulip'')
#device    em    # Intel PRO/1000 Gigabit Ethernet Family
#device    igb    # Intel PRO/1000 PCIE Server Gigabit Family
#device    ixgb    # Intel PRO/10GbE Ethernet Card
#device    le    # AMD Am7900 LANCE and Am79C9xx PCnet
#device    ti    # Alteon Networks Tigon I/II gigabit Ethernet
#device    txp    # 3Com 3cR990 (``Typhoon'')
#device    vx    # 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device    miibus    # MII bus support
#device    ae    # Attansic/Atheros L2 FastEthernet
#device    age    # Attansic/Atheros L1 Gigabit Ethernet
#device    alc    # Atheros AR8131/AR8132 Ethernet
#device    ale    # Atheros AR8121/AR8113/AR8114 Ethernet
#device    bce    # Broadcom BCM5706/BCM5708 Gigabit Ethernet
#device    bfe    # Broadcom BCM440x 10/100 Ethernet
#device    bge    # Broadcom BCM570xx Gigabit Ethernet
#device    dc    # DEC/Intel 21143 and various workalikes
#device    et    # Agere ET1310 10/100/Gigabit Ethernet
#device    fxp    # Intel EtherExpress PRO/100B (82557, 82558)
#device    jme    # JMicron JMC250 Gigabit/JMC260 Fast Ethernet
#device    lge    # Level 1 LXT1001 gigabit Ethernet
#device    msk    # Marvell/SysKonnect Yukon II Gigabit Ethernet
device    nfe    # nVidia nForce MCP on-board Ethernet
#device    nge    # NatSemi DP83820 gigabit Ethernet
#device    nve    # nVidia nForce MCP on-board Ethernet Networking
#device    pcn    # AMD Am79C97x PCI 10/100 (precedence over 'le')
#device    re    # RealTek 8139C+/8169/8169S/8110S
#device    rl    # RealTek 8129/8139
#device    sf    # Adaptec AIC-6915 (``Starfire'')
#device    sge    # Silicon Integrated Systems SiS190/191
#device    sis    # Silicon Integrated Systems SiS 900/SiS 7016
#device    sk    # SysKonnect SK-984x & SK-982x gigabit Ethernet
#device    ste    # Sundance ST201 (D-Link DFE-550TX)
#device    stge    # Sundance/Tamarack TC9021 gigabit Ethernet
#device    tl    # Texas Instruments ThunderLAN
#device    tx    # SMC EtherPower II (83c170 ``EPIC'')
#device    vge    # VIA VT612x gigabit Ethernet
#device    vr    # VIA Rhine, Rhine II
#device    wb    # Winbond W89C840F
device    xl    # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# ISA Ethernet NICs.  pccard NICs included.
#device    cs    # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device    ed    # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device    ex    # Intel EtherExpress Pro/10 and Pro/10+
#device    ep    # Etherlink III based cards
#device    fe    # Fujitsu MB8696x based cards
#device    ie    # EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device    sn    # SMC's 9000 series of Ethernet chips
#device    xe    # Xircom pccard Ethernet

# Wireless NIC cards
#device    wlan    # 802.11 support
#options   IEEE80211_DEBUG  # enable debug msgs
#options   IEEE80211_AMPDU_AGE # age frames in AMPDU reorder q's
#options   IEEE80211_SUPPORT_MESH  # enable 802.11s draft support
#device    wlan_wep  # 802.11 WEP support
#device    wlan_ccmp  # 802.11 CCMP support
#device    wlan_tkip  # 802.11 TKIP support
#device    wlan_amrr  # AMRR transmit rate control algorithm
#device    an    # Aironet 4500/4800 802.11 wireless NICs.
#device    ath    # Atheros pci/cardbus NIC's
#device    ath_hal    # pci/cardbus chip support
#options   AH_SUPPORT_AR5416  # enable AR5416 tx/rx descriptors
#device    ath_rate_sample  # SampleRate tx rate control for ath
#device    ral    # Ralink Technology RT2500 wireless NICs.
#device    wi    # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device    wl    # Older non 802.11 Wavelan wireless NIC.

# Pseudo devices.
device    loop    # Network loopback
device    random    # Entropy device
device    ether    # Ethernet support
device    vlan    # 802.1Q VLAN support
device    tun    # Packet tunnel.
device    pty    # BSD-style compatibility pseudo ttys
device    md    # Memory "disks"
device    gif    # IPv6 and IPv4 tunneling
device    faith    # IPv6-to-IPv4 relaying (translation)
device    firmware  # firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device    bpf    # Berkeley packet filter

# USB support
options   USB_DEBUG  # enable debug msgs
device    uhci    # UHCI PCI->USB interface
device    ohci    # OHCI PCI->USB interface
device    ehci    # EHCI PCI->USB interface (USB 2.0)
device    usb    # USB Bus (required)
#device    udbp    # USB Double Bulk Pipe devices
device    uhid    # "Human Interface Devices"
device    ukbd    # Keyboard
#device    ulpt    # Printer
device    umass    # Disks/Mass storage - Requires scbus and da
device    ums    # Mouse
#device    urio    # Diamond Rio 500 MP3 player
# USB Serial devices
#device    u3g    # USB-based 3G modems (Option, Huawei, Sierra)
#device    uark    # Technologies ARK3116 based serial adapters
#device    ubsa    # Belkin F5U103 and compatible serial adapters
#device    uftdi    # For FTDI usb serial adapters
#device    uipaq    # Some WinCE based devices
#device    uplcom    # Prolific PL-2303 serial adapters
#device    uslcom    # SI Labs CP2101/CP2102 serial adapters
#device    uvisor    # Visor and Palm devices
#device    uvscom    # USB serial support for DDI pocket's PHS
# USB Ethernet, requires miibus
#device    aue    # ADMtek USB Ethernet
#device    axe    # ASIX Electronics USB Ethernet
#device    cdce    # Generic USB over Ethernet
#device    cue    # CATC USB Ethernet
#device    kue    # Kawasaki LSI USB Ethernet
#device    rue    # RealTek RTL8150 USB Ethernet
#device    udav    # Davicom DM9601E USB
# USB Wireless
#device    rum    # Ralink Technology RT2501USB wireless NICs
#device    uath    # Atheros AR5523 wireless NICs
#device    ural    # Ralink Technology RT2500USB wireless NICs
#device    zyd    # ZyDAS zb1211/zb1211b wireless NICs

# FireWire support
#device    firewire  # FireWire bus code
#device    sbp    # SCSI over FireWire (Requires scbus and da)
#device    fwe    # Ethernet over FireWire (non-standard!)
#device    fwip    # IP over FireWire (RFC 2734,3146)
#device    dcons    # Dumb console driver
#device    dcons_crom  # Configuration ROM for dcons

Prepare to compile the kernel; config creates the directory used for the build:

# cd /usr/src/sys/i386/conf
# config NEW_KERNEL

Enter the build directory:

# cd ../compile/NEW_KERNEL/

Check the dependencies for errors:

# make depend

Start compiling:

# make

When compilation finishes, install the new kernel:

# make install

Delete the files generated by the build:

# cd / ; rm -rf /usr/src/sys/i386/compile/NEW_KERNEL

Reboot. If the new kernel fails to boot, press 6 (loader mode) at the boot menu and enter the following commands to boot with the old kernel:

OK unload
OK boot /boot/kernel.old

There are a few things to watch out for when compiling a kernel:
1. You must understand the hardware of the machine. If you choose wrongly when editing the configuration file, compilation may fail, or the new kernel may not boot.
2. The hardware dependencies in the configuration file must be chosen correctly, otherwise an error appears partway through compilation. For example, if you select certain NICs (mostly PCI and USB ones), you must also add the mii bus; if you select a USB flash drive, you must also add scbus and da.
3. If the message "make: don't know how to make buildkernel. Stop" appears when using the second method, the source code is incompletely installed; in addition to base and sys, you must also install the other source code that will be used before you can compile.
4. With the first compilation method, if an option you added yourself is wrong (for example a sound card), the error message appears as early as:

# config NEW_KERNEL

That command reports the error.
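An added example (not from the original post, nor a FreeBSD tool) that checks a kernel configuration file for the dependency mistakes described in notes 2 and 4 before you run config: it warns when an MII-based NIC is enabled without device miibus, or umass is enabled without scbus and da. The NIC list is taken from the MII section of the GENERIC shown above; the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: check a kernel config for the
# dependency mistakes the notes above describe, before running config(8).
# The driver lists come from this page's GENERIC: the NICs under "use the
# common MII bus controller code", and umass, which requires scbus and da.

# Print the enabled (uncommented) device names in a config file, one per line.
enabled_devices() {
    sed -e 's/#.*$//' "$1" | awk '$1 == "device" { print $2 }'
}

has_device() {
    enabled_devices "$1" | grep -qx "$2"
}

# Return 0 when every dependency holds, 1 otherwise; print each problem found.
check_kernconf() {
    conf="$1"; rc=0
    for nic in ae age alc ale bce bfe bge dc et fxp jme lge msk nfe nge nve \
               pcn re rl sf sge sis sk ste stge tl tx vge vr wb xl; do
        if has_device "$conf" "$nic" && ! has_device "$conf" miibus; then
            echo "$conf: device $nic needs 'device miibus'"; rc=1
        fi
    done
    if has_device "$conf" umass; then
        for dep in scbus da; do
            has_device "$conf" "$dep" || { echo "$conf: device umass needs 'device $dep'"; rc=1; }
        done
    fi
    return "$rc"
}

# Constructed sample configs so the script runs stand-alone (not real files).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
device    miibus    # MII bus support
device    xl        # 3Com 3c90x
device    scbus     # SCSI bus (required for SCSI)
device    da        # Direct Access (disks)
device    umass     # Disks/Mass storage - Requires scbus and da
EOF
cat > "$BAD_CONF" <<'EOF'
#device    miibus   # commented out: the MII NIC below now fails the check
device    nfe       # nVidia nForce MCP on-board Ethernet
device    umass     # no scbus/da anywhere in this file
EOF

check_kernconf "$GOOD_CONF" && echo "$GOOD_CONF: dependencies ok"
check_kernconf "$BAD_CONF" || echo "$BAD_CONF: fix the lines above before running config(8)"
```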

2011/09/30: To use the second method, you need the complete source tree installed. First copy and edit the configuration file:

# cp /usr/share/examples/cvsup/stable-supfile /root
# ee /root/stable-supfile

Before this, please read carefully the article "CVSUP - Update Security Patch: on how FreeBSD updates the system".

Change
*default host=CHANGE_THIS.FreeBSD.org
to
*default host=cvsup.tw.FreeBSD.org

and change
*default release=cvs tag=RELENG_8
to
*default release=cvs tag=RELENG_8_2

Start installing or updating the source tree:

# csup -g -L 2 /root/stable-supfile

Also, /usr/src/Makefile says:

# buildworld          - Rebuild *everything*, including glue to help do upgrades.
# installworld        - Install everything built by "buildworld".
# world               - buildworld + installworld, no kernel.
# buildkernel         - Rebuild the kernel and the kernel-modules.
# installkernel       - Install the kernel and the kernel-modules.

From this we can see that installing or updating the whole source tree means the whole base system is updated (userland + kernel), so you must run buildworld and buildkernel, then installkernel and installworld.

First build the userland:

# cd /usr/src
# make buildworld

Build the kernel:

# make buildkernel KERNCONF=NEW_KERNEL

Reboot into single-user mode, then install the kernel:

# mount -a
# cd /usr/src
# make installkernel KERNCONF=NEW_KERNEL

Install the userland:

# make installworld

Delete the temporary files under /usr/obj:

# cd /usr/obj
# chflags -R noschg *
# rm -rf *

Reboot with the new kernel and check whether the version number shows the updated security patch level.

If you only want to apply security updates, install or update the complete source tree in the same way (or install it with sysinstall), but let freebsd-update fetch the binaries and install them directly into the system, then compile the kernel with the second method; that is enough, and buildworld and installworld are not needed, because they really take a very long time. However, some updates still report that files need to be added to /usr/src even after freebsd-update install (remember to keep /usr/src updated as well); those presumably all require buildworld and installworld (check the update items in the FreeBSD Security Advisories for the string "Recompile the operating system"). Choose whichever of the update and compilation methods above fits your actual situation.