NAME
afterboot —
things to check after the
first complete boot
DESCRIPTION
Starting Out
This document attempts to list items for the system administrator to check and
set up after the installation and first complete boot of the system. The idea
is to create a list of items that can be checked off so that you have a warm
fuzzy feeling that something obvious has not been missed. A basic knowledge of
UNIX is assumed.
Complete instructions for correcting and fixing items is not provided. There are
manual pages and other methodologies available for doing that. For example, to
view the man page for the
ls(1)
command, type:
Administrators will rapidly become more familiar with
NetBSD if they get used to using the manual pages.
Security alerts
By the time that you have installed your system, it is quite likely that bugs in
the release have been found. All significant and easily fixed problems will be
reported at
http://www.NetBSD.org/support/security/.
It is recommended that you check this page regularly.
Additionally, you should set “fetch_pkg_vulnerabilities=YES” in
/etc/daily.conf to allow your system to automatically update
the local database of known vulnerable packages to the latest version
available on-line. The system will later check, on a daily basis, if any of
your installed packages are vulnerable based on the contents of this database.
See
daily.conf(5) and
security.conf(5) for more
details.
Login
Login as “
root”. You can do so on the console, or
over the network using
ssh(1). If
you have enabled the SSH daemon (see
sshd(8)) and wish to allow root
logins over the network, edit the
/etc/ssh/sshd_config file
and set “PermitRootLogin” to “yes” (see
sshd_config(5)). The
default is to not permit root logins over the network after fresh install in
NetBSD.
Upon successful login on the console, you may see the message “We
recommend creating a non-root account...”. For security reasons, it is
bad practice to login as root during regular use and maintenance of the
system. In fact, the system will only let you login as root on a secure
terminal. By default, only the console is considered to be a secure terminal.
Instead, administrators are encouraged to add a “regular” user,
add said user to the “wheel” group, then use the
su(1) command when root privileges
are required. This process is described in more detail later.
Root password
Change the password for the root user. (Note that throughout the documentation,
the term “superuser” is a synonym for the root user.) Choose a
password that has numbers, digits, and special characters (not space) as well
as from the upper and lower case alphabet. Do not choose any word in any
language. It is common for an intruder to use dictionary attacks. Type the
command
/usr/bin/passwd to change it.
It is a good idea to always specify the full path name for both the
passwd(1) and
su(1) commands as this inhibits the
possibility of files placed in your execution
PATH
for
most shells. Furthermore, the superuser's
PATH
should
never contain the current directory (“.”).
System date
Check the system date with the
date(1) command. If needed, change
the date, and/or change the symbolic link of
/etc/localtime
to the correct time zone in the
/usr/share/zoneinfo
directory.
Examples:
-
-
- date
200205101820
- Set the current date to May 10th, 2002 6:20pm.
-
-
- ln -fs
/usr/share/zoneinfo/Europe/Helsinki /etc/localtime
- Set the time zone to Eastern Europe Summer Time.
Console settings
One of the first things you will likely need to do is to set up your keyboard
map (and maybe some other aspects about the system console). To change your
keyboard encoding, edit the “
encoding”
variable found in
/etc/wscons.conf.
wscons.conf(5) contains more
information about this file.
Check hostname
Use the
hostname command to verify that the name of your
machine is correct. See the man page for
hostname(1) if it needs to be
changed. You will also need to change the contents of the
“
hostname” variable in
/etc/rc.conf or edit the
/etc/myname file
to have it stick around for the next reboot. Note that
“
hostname” is supposed include a domainname,
and that this should not be confused with YP (NIS)
domainname(1). If you are
using
dhcpcd(8) to configure
network interfaces, it might override these local hostname settings if your
DHCP server specifies client's hostname with other network configurations.
Verify network
interface configuration
The first thing to do is an
ifconfig -a to see if the network
interfaces are properly configured. Correct by editing
/etc/ifconfig.interface or the
corresponding
“
ifconfig_interface”
variable in
rc.conf(5) (where
interface is the interface name, e.g.,
“le0”) and then using
ifconfig(8) to manually
configure it if you do not wish to reboot.
Alternatively, you can configure interfaces automatically via DHCP with
dhcpcd(8) if you have a DHCP
server running somewhere on your network. To get
dhcpcd(8) to start automatically
on boot, you will need to have this line in
/etc/rc.conf:
dhcpcd=YES
See
dhcpcd(8) and
dhcpcd.conf(5) for more
information on setting up a DHCP client.
You can add new “virtual interfaces” by adding the required entries
to
/etc/ifconfig.interface. Read the
ifconfig.if(5) man page for
more information on the format of
/etc/ifconfig.interface files. The
loopback interface will look something like:
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
an Ethernet interface something like:
le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1
and a PPP interface something like:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000
See
mrouted(8) for instructions
on configuring multicast routing.
Check routing tables
Issue a
netstat -rn command. The output will look something
like:
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 192.168.4.254 UGS 0 11098028 - le0
127 127.0.0.1 UGRS 0 0 - lo0
127.0.0.1 127.0.0.1 UH 3 24 - lo0
192.168.4 link#1 UC 0 0 - le0
192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0
192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0
Internet6:
Destination Gateway Flags Refs Use Mtu Interface
::/96 ::1 UGRS 0 0 32972 lo0 =>
::1 ::1 UH 4 0 32972 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0
fc80::/10 ::1 UGRS 0 0 32972 lo0
fe80::/10 ::1 UGRS 0 0 32972 lo0
fe80::%le0/64 link#1 UC 0 0 1500 le0
fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0
ff01::/32 ::1 U 0 0 32972 lo0
ff02::%le0/32 link#1 UC 0 0 1500 le0
ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0
The default gateway address is stored in the
“
defaultroute” variable in
/etc/rc.conf, or in the file
/etc/mygate.
If you need to edit this file, a painless way to reconfigure the network
afterwards is to issue
Or, you may prefer to manually configure using a series of
route
add and
route delete commands (see
route(8)). If you run
dhcpcd(8) you will have to kill
it by running
before you flush the routes.
If you wish to route packets between interfaces, add one or both of the
following directives (depending on whether IPv4 or IPv6 routing is required)
to
/etc/sysctl.conf:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
As an alternative, compile a new kernel with the “GATEWAY” option.
Packets are not forwarded by default, due to RFC requirements.
Secure Shell (SSH)
By default, all services are disabled in a fresh
NetBSD
installation, and SSH is no exception. You may wish to enable it so you can
remotely control your system. Set “
sshd=YES”
in
/etc/rc.conf and then starting the server with the
command
The first time the server is started, it will generate a new keypair, which will
be stored inside the directory
/etc/ssh.
Host names and DNS
The system resolves host names according the rules for hosts in the name service
switch configuration at
/etc/nsswitch.conf. By default, it
will query
/etc/hosts first, and then the DNS resolver
specified in
/etc/resolv.conf.
If your network does not have a usable DNS resolver, e.g. one provided by DHCP,
you can run a local caching recursive resolver by setting
“named=YES” in
/etc/rc.conf and either rebooting
or running the following command:
named(8) is configured in
/etc/named.conf by default to run as a local caching
recursive resolver. Then, to make the system use it, put the following in
/etc/resolv.conf:
Wireless networking
You may scan for nearby wireless networks using:
ifconfig iwm0 up list scan
ifconfig iwm0 down
To connect to a network using WPA, you may use:
echo ctrl_interface=/var/run/wpa_supplicant > /etc/wpa_supplicant.conf
wpa_passphrase networkname password >> /etc/wpa_supplicant.conf
After creating /etc/wpa_supplicant.conf, using
dhcpcd(8) on the wireless
interface will connect to the network.
RPC-based network services
Several services depend on the RPC portmapper
rpcbind(8) - formerly known as
portmap - being running for proper operation. This includes
YP (NIS) and NFS exports, among other services. To get the RPC portmapper to
start automatically on boot, you will need to have this line in
/etc/rc.conf:
rpcbind=YES
YP (NIS) Setup
Check the YP domain name with the
domainname(1) command. If
necessary, correct it by editing the
/etc/defaultdomain file
or by setting the “
domainname” variable in
/etc/rc.conf. The
/etc/rc.d/network script
reads this file on bootup to determine and set the domain name. You may also
set the running system's domain name with the
domainname(1) command. To
start YP client services, simply run
ypbind, then perform
the remaining YP activation as described in
passwd(5) and
group(5).
In particular, to enable YP passwd support, you'll need to update
/etc/nsswitch.conf to include “nis” for the
“passwd” and “group” entries. A traditional way to
accomplish the same thing is to add following entry to local passwd database
via
vipw(8):
Note this entry has to be the very last one. This traditional way works with the
default
nsswitch.conf(5)
setting of “passwd”, which is “compat”.
There are many more YP man pages available to help you. You can find more
information by starting with
nis(8).
Check disk mounts
Check that the disks are mounted correctly by comparing the
/etc/fstab file against the output of the
mount(8) and
df(1) commands. Example:
#
cat /etc/fstab
/dev/sd0a / ffs rw 1 1
/dev/sd0b none swap sw
/dev/sd0e /usr ffs rw 1 2
/dev/sd0f /var ffs rw 1 3
/dev/sd0g /tmp ffs rw 1 4
/dev/sd0h /home ffs rw 1 5
#
mount
/dev/sd0a on / type ffs (local)
/dev/sd0e on /usr type ffs (local)
/dev/sd0f on /var type ffs (local)
/dev/sd0g on /tmp type ffs (local)
/dev/sd0h on /home type ffs (local)
#
df
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/sd0a 22311 14589 6606 69% /
/dev/sd0e 203399 150221 43008 78% /usr
/dev/sd0f 10447 682 9242 7% /var
/dev/sd0g 18823 2 17879 0% /tmp
/dev/sd0h 7519 5255 1888 74% /home
#
pstat -s
Device 512-blocks Used Avail Capacity Priority
/dev/sd0b 131072 84656 46416 65% 0
Edit
/etc/fstab and use the
mount(8) and
umount(8) commands as
appropriate. Refer to the above example and
fstab(5) for information on the
format of this file.
You may wish to do NFS mounts now too, or you can do them later.
Concatenated disks (ccd)
If you are using
ccd(4) concatenated
disks, edit
/etc/ccd.conf. You may wish to take a look to
ccdconfig(8) for more
information about this file. Use the
ccdconfig -U command to
unload and the
ccdconfig -C command to create tables
internal to the kernel for the concatenated disks. You then
mount(8),
umount(8), and edit
/etc/fstab as needed.
Automounter daemon (AMD)
To use the
amd(8) automounter, create
the
/etc/amd directory, copy example config files from
/usr/share/examples/amd to
/etc/amd and
customize them as needed. Alternatively, you can get your maps with YP.
Clock synchronization
In order to make sure the system clock is synchronized to that of a publicly
accessible NTP server, make sure that
/etc/rc.conf contains
the following:
ntpdate=YES
ntpd=YES
See
date(1),
ntpdate(8),
ntpd(8),
rdate(8), and
timed(8) for more information on
setting the system's date.
CHANGING /etc FILES
The system should be usable now, but you may wish to do more customizing, such
as adding users, etc. Many of the following sections may be skipped if you are
not using that package (for example, skip the
Kerberos section if you won't be using
Kerberos). We suggest that you
cd /etc and edit most of the
files in that directory.
Note that the
/etc/motd file is modified by
/etc/rc.d/motd whenever the system is booted. To keep any
custom message intact, ensure that you leave two blank lines at the top, or
your message will be overwritten.
Add new users
To add new users and groups, there are
useradd(8) and
groupadd(8); see also
user(8) for further programs for
user and group manipulation. You may use
vipw(8) to add users to the
/etc/passwd file and edit
/etc/group by
hand to add new groups. The manual page for
su(1), tells you to make sure to put
people in the ‘wheel’ group if they need root access
(non-Kerberos). For example:
Follow instructions for
kerberos(8) if using Kerberos
for authentication.
System boot scripts
and /etc/rc.local
/etc/rc and the
/etc/rc.d/* scripts are
invoked at boot time after single user mode has exited, and at shutdown. The
whole process is controlled by the master script
/etc/rc.
This script should not be changed by administrators.
The directory
/etc/rc.d contains a series of scripts used at
startup/shutdown, called by
/etc/rc.
/etc/rc is in turn influenced by the configuration variables
present in
/etc/rc.conf.
The script
/etc/rc.local is run as the last thing during
multiuser boot, and is provided to allow any other local hooks necessary for
the system.
rc.conf
To enable or disable various services on system startup, corresponding entries
can be made in
/etc/rc.conf. You can take a look at
/etc/defaults/rc.conf to see a list of default system
variables, which you can override in
/etc/rc.conf. Note you
are
not supposed to change
/etc/defaults/rc.conf directly, edit only
/etc/rc.conf. See
rc.conf(5) for further
information.
X Display Manager
If you've installed X, you may want to turn on
xdm(1), the X Display Manager. To
do this, set “xdm=YES” in
/etc/rc.conf.
Printers
Edit
/etc/printcap and
/etc/hosts.lpd to get
any printers set up. Consult
lpd(8)
and
printcap(5) if needed.
Tighten up security
In
/etc/inetd.conf comment out any extra entries you do not
need, and only add things that are really needed. Note that by default all
services are disabled for security reasons.
Kerberos
If you are going to use Kerberos for authentication, see
kerberos(8) and “info
heimdal” for more information. If you already have a Kerberos master,
change directory to
/etc/kerberosV and configure. Remember
to get a
srvtab from the master so that the remote commands
work.
Mail Aliases
Check
/etc/mail/aliases and update appropriately if you want
e-mail to be routed to non-local addresses or to different users.
Run
newaliases(1) after
changes.
Postfix
NetBSD uses Postfix as its MTA. Postfix is started by
default, but its initial configuration does not cause it to listen on the
network for incoming connections. To configure Postfix, see
/etc/postfix/main.cf and
/etc/postfix/master.cf. If you wish to use a different MTA
(e.g., sendmail), install your MTA of choice and edit
/etc/mailer.conf to point to the proper binaries.
DHCP server
If this is a DHCP server, edit
/etc/dhcpd.conf and
/etc/dhcpd.interfaces as needed. You will have to make sure
/etc/rc.conf has “dhcpd=YES” or run
dhcpd(8) manually.
Bootparam server
If this is a Bootparam server, edit
/etc/bootparams as needed.
You will have to turn it on in
/etc/rc.conf by adding
“bootparamd=YES”.
NFS server
If this is an NFS server, make sure
/etc/rc.conf has:
nfs_server=YES
mountd=YES
rpcbind=YES
Edit
/etc/exports and get it correct. After this, you can
start the server by issuing:
service rpcbind start
service mountd start
service nfsd start
which will also start dependencies.
HP remote boot server
Edit
/etc/rbootd.conf if needed for remote booting. If you do
not have HP computers doing remote booting, do not enable this.
Daily, weekly, monthly
scripts
Look at and possibly edit the
/etc/daily.conf,
/etc/weekly.conf, and
/etc/monthly.conf
configuration files. You can check which values you can set by looking to
their matching files in
/etc/defaults. Your site specific
things should go into
/etc/daily.local,
/etc/weekly.local, and
/etc/monthly.local.
These scripts have been limited so as to keep the system running without filling
up disk space from normal running processes and database updates. (You
probably do not need to understand them.)
Other files in /etc
Look at the other files in
/etc and edit them as needed. (Do
not edit files ending in
.db — like
pwd.db,
spwd.db, nor
localtime, nor
rmt, nor any directories.)
Crontab (background
running processes)
Check what is running by typing
crontab -l as root and see if
anything unexpected is present. Do you need anything else? Do you wish to
change things? For example, if you do not like root getting standard output of
the daily scripts, and want only the security scripts that are mailed
internally, you can type
crontab -e and change some of the
lines to read:
30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out
30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out
See
crontab(5).
Next day cleanup
After the first night's security run, change ownerships and permissions on
files, directories, and devices; root should have received mail with subject:
"<hostname> daily insecurity output.". This mail contains a
set of security recommendations, presented as a list looking like this:
var/mail:
permissions (0755, 0775)
etc/daily:
user (0, 3)
The best bet is to follow the advice in that list. The recommended setting is
the first item in parentheses, while the current setting is the second one.
This list is generated by
mtree(8) using
/etc/mtree/special. Use
chmod(1),
chgrp(1), and
chown(8) as needed.
Packages
Install your own packages. The
NetBSD packages
collection, pkgsrc, includes a large set of third-party software. A lot of it
is available as binary packages that you can download from
ftp://ftp.NetBSD.org/pub/NetBSD/packages/
or a mirror, and install using
pkg_add(1). See
http://www.NetBSD.org/docs/pkgsrc/
and
pkgsrc/doc/pkgsrc.txt for more details.
Copy vendor binaries and install them. You will need to install any shared
libraries, etc. (Hint:
man -k compat to find out how to
install and use compatibility mode.)
There is also other third-party software that is available in source form only,
either because it has not been ported to
NetBSD yet,
because licensing restrictions make binary redistribution impossible, or
simply because you want to build your own binaries. Sometimes checking the
mailing lists for past problems that people have encountered will result in a
fix posted.
Check the running system
You can use
ps(1),
netstat(1), and
fstat(1) to check on running
processes, network connections, and opened files, respectively. Other tools
you may find useful are
systat(1) and
top(1).
COMPILING A KERNEL
Note: The standard
NetBSD kernel configuration (GENERIC)
is suitable for most purposes.
First, review the system message buffer in
/var/run/dmesg.boot
and by using the
dmesg(8) command
to find out information on your system's devices as probed by the kernel at
boot. In particular, note which devices were not configured. This information
will prove useful when editing kernel configuration files.
To compile a kernel inside a writable source tree, do the following:
$ cd /usr/src/sys/arch/SOMEARCH/conf
$ cp GENERIC SOMEFILE (only the first time)
$ vi SOMEFILE (adapt to your needs)
$ config SOMEFILE
$ cd ../compile/SOMEFILE
$ make depend
$ make
where
SOMEARCH is the architecture (e.g., i386), and
SOMEFILE should be a name indicative of a particular
configuration (often that of the hostname).
If you are building your kernel again, before you do a
make
you should do a
make clean after making changes to your
kernel options.
After either of these two methods, you can place the new kernel (called
netbsd) in
/ (i.e.,
/netbsd) by issuing
make install and the
system will boot it next time. The old kernel is stored as
/onetbsd so you can boot it in case of failure.
If you are using toolchain to build your kernel, you will also need to build a
new set of toolchain binaries. You can do it by changing into
/usr/src and issuing:
$ cd /usr/src
$ K=sys/arch/`uname -m`/conf
$ cp $K/GENERIC $K/SOMEFILE
$ vi $K/SOMEFILE (adapt to your needs)
$ ./build.sh tools
$ ./build.sh kernel=SOMEFILE
SYSTEM TESTING
At this point, the system should be fully configured to your liking. It is now a
good time to ensure that the system behaves according to its specifications
and that it is stable on your hardware. Please refer to
tests(7) for details on how to do
so.
SEE ALSO
chgrp(1),
chmod(1),
config(1),
crontab(1),
date(1),
df(1),
domainname(1),
fstat(1),
hostname(1),
make(1),
man(1),
netstat(1),
newaliases(1),
passwd(1),
pkg_add(1),
ps(1),
ssh(1),
su(1),
systat(1),
top(1),
xdm(1),
ccd(4),
aliases(5),
crontab(5),
dhcpcd.conf(5),
exports(5),
fstab(5),
group(5),
hosts(5),
ifconfig.if(5),
mailer.conf(5),
named.conf(5),
nsswitch.conf(5),
passwd(5),
printcap(5),
rc.conf(5),
resolv.conf(5),
sshd_config(5),
wpa_supplicant.conf(5),
wscons.conf(5),
hier(7),
hostname(7),
pkgsrc(7),
tests(7),
amd(8),
ccdconfig(8),
chown(8),
dhcpcd(8),
dhcpd(8),
dmesg(8),
groupadd(8),
ifconfig(8),
inetd(8),
kerberos(8),
lpd(8),
mount(8),
mrouted(8),
mtree(8),
named(8),
nis(8),
ntpd(8),
ntpdate(8),
rbootd(8),
rc(8),
rdate(8),
rmt(8),
route(8),
rpc.bootparamd(8),
rpcbind(8),
sshd(8),
timed(8),
umount(8),
useradd(8),
vipw(8),
wpa_supplicant(8),
yp(8),
ypbind(8)
HISTORY
This document first appeared in
OpenBSD 2.2. It has been
adapted to
NetBSD and first appeared in
NetBSD 2.0.