CVSup is a tool which FreeBSD users can use to synchronize a local copy of
the FreeBSD source and ports trees with a mirror; the updated system libraries
and kernel are then built from that source. In our environment, the tool is
installed from the ports tree during system installation. This page discusses
how to use CVSup to update the system libraries, userland tools, and kernel on
our FreeBSD systems. There is also a second section which discusses using
CVSup to update clamav on the mail server.
Libraries, Userland, and Kernel
On our FreeBSD servers, polaris and milton, I have
customized scripts located in the directory /root/cvsup which
will use CVSup to update the system. After the script has run, there
are four manual steps that must be performed by the systems
administrator.
The script is run by invoking the command
/root/cvsup/update-world on any of the FreeBSD servers.
Although CVSup can be used to upgrade to the latest release of
FreeBSD, our script will only grab the patched version of the release we
are currently running (the RELENG_x_y branch of that release, which carries
its security and errata fixes). In order to update to a newer version of
FreeBSD, the file /root/cvsup/astro-supfile, which names the mirror and the
branch tag to check out, would have to be modified and the `mergemaster'
tool run; using mergemaster to migrate to a newer version is a process which
is outside of the scope of this document. Keep in mind that CVSup neither
authenticates the mirror nor verifies signatures on what it fetches: the
tree we then compile and install as root is only as trustworthy as the host
named in the supfile and the network path to it.
Please note, when picasso is migrated to the new platform, it
will be included in the list of machines which should be updated via
CVSup.
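As an added example, not one of the /root/cvsup scripts from the site, here is a pre-flight check for astro-supfile that could be run before update-world. It assumes the usual supfile layout (one `*default release=cvs tag=...` line plus collection lines such as `src-all` and `ports-all`) and FreeBSD's branch naming, where RELENG_4_9 is the security branch of 4.9-RELEASE, RELENG_4 is 4-STABLE and `.` is -CURRENT; the sample supfile contents, the mirror host cvsup.example.net and the function names are all constructed for the example.

```sh
#!/bin/sh
# Added example (not the site's own update-world script): refuse to run
# the build if the supfile would track anything other than the security
# branch of the release that is already installed.  Ports must always be
# checked out from HEAD (tag=.), so that is checked too.

# Print the tag from the "*default ... tag=..." line of a supfile given
# as a string.  Prints nothing if no such line exists.
supfile_tag() {
    printf '%s\n' "$1" \
        | sed -n 's/^\*default[[:space:]].*tag=\([^[:space:]]*\).*/\1/p' \
        | head -n 1
}

# A security branch of a numbered release looks like RELENG_4_9 or RELENG_5_3.
# RELENG_4 (-STABLE) and "." (-CURRENT) are the "newer version" cases that
# the page leaves to mergemaster.  Returns 0 if the tag is a security branch.
is_security_branch() {
    printf '%s\n' "$1" | grep -Eq '^RELENG_[0-9]+_[0-9]+$'
}

# Derive the expected tag from the running release string (uname -r on
# FreeBSD, e.g. "4.9-RELEASE-p2" -> RELENG_4_9) and compare.  The release
# string is an argument so the check can be exercised on any machine.
tag_matches_release() {
    tag=$1
    want=$(printf '%s\n' "$2" | sed -n 's/^\([0-9]*\)\.\([0-9]*\).*/RELENG_\1_\2/p')
    [ -n "$want" ] && [ "$tag" = "$want" ]
}

# Returns 0 if there is no ports-* collection line, or if it uses tag=.
ports_tag_ok() {
    ports_line=$(printf '%s\n' "$1" | grep -E '^ports-' | head -n 1)
    [ -z "$ports_line" ] && return 0
    printf '%s\n' "$ports_line" | grep -Eq 'tag=\.([[:space:]]|$)'
}

# Run all checks; $1 is the supfile text, $2 the running release string.
check_supfile() {
    tag=$(supfile_tag "$1")
    [ -n "$tag" ] || { echo "no tag= line in supfile" >&2; return 1; }
    is_security_branch "$tag" \
        || { echo "tag $tag is not a RELENG_x_y security branch" >&2; return 1; }
    tag_matches_release "$tag" "$2" \
        || { echo "tag $tag does not match running release $2" >&2; return 1; }
    ports_tag_ok "$1" || { echo "ports-* collections must use tag=." >&2; return 1; }
    echo "supfile OK: tracking $tag"
}

# Constructed sample supfiles; the real one is /root/cvsup/astro-supfile.
SAMPLE_SUPFILE='*default host=cvsup.example.net
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_4_9
*default delete use-rel-suffix
src-all
ports-all tag=.'

BAD_SUPFILE='*default host=cvsup.example.net
*default release=cvs tag=RELENG_4
src-all'

# On a real box: check_supfile "$(cat /root/cvsup/astro-supfile)" "$(uname -r)"
check_supfile "$SAMPLE_SUPFILE" "4.9-RELEASE-p2"
check_supfile "$BAD_SUPFILE" "4.9-RELEASE-p2" || echo "refusing to run update-world"
```

The second call fails on purpose: RELENG_4 would silently move the machine to 4-STABLE, which is exactly the migration the update-world script is not meant to perform.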
After the update-world script has called CVSup to update the source
tree, it will compile a new set of libraries, userland binaries, and a
new kernel. This process takes anywhere from fifteen to thirty
minutes, depending on the machine and the load on the machine. For
reference, the old polaris used to take approximately eight hours, but
now takes approximately twenty minutes.
Once the libraries and kernel are compiled, the script is done. The
next steps are to be performed manually and require superuser
intervention.
1. Log in as root, change to the directory /usr/src and
issue the command make installkernel KERNCONF=foo, where foo
is replaced with the name of the server in capitals (for example, make
installkernel KERNCONF=POLARIS).
2. As root, and from inside the directory /usr/src, issue
the command make installworld.
3. Reboot the machine immediately after step two has completed.
4. After the machine has rebooted, log in as root and issue the
command `chmod u+s /usr/libexec/ssh-keysign'.
Discussion: This is a copy of the update-world script
from polaris.
#!/bin/sh
# Stop at the first failure: a half-finished cvsup or buildworld must not
# fall through to buildkernel or to the "what to do next" reminder.
set -e
# step 1: cvsup
/usr/local/bin/cvsup /root/cvsup/astro-supfile
# step 2: make world
# Keep one previous object tree.  Without the rm, a second run would move
# /usr/obj inside the existing /usr/oldobj instead of replacing it.
rm -rf /usr/oldobj
if [ -d /usr/obj ]; then
    mv /usr/obj /usr/oldobj
fi
cd /usr/src
make buildworld
# step 3: make new kernel
make buildkernel KERNCONF=POLARIS
# step 4: tell me what I need to do next since I'm forgetful and don't remember
cat << _EOF_
To install the new kernel, go into /usr/src and run:
make installkernel KERNCONF=POLARIS
To install the new system binaries, go into /usr/src and run:
make installworld
Then reboot, log back in as root and restore the set-uid bit with:
chmod u+s /usr/libexec/ssh-keysign
_EOF_
It runs CVSup, then builds a complete new system and kernel. Strictly
speaking, make installworld should be run in single user mode, because it
replaces libraries and binaries underneath running processes; as long as you
are staying within the same minor version number, it should be OK to do on a
live system. Whenever you do this on a live multi-user system, install the
kernel first, then the system libraries and binaries, so that the new
userland is never run on a kernel older than the one it was built against.
The reason we set-uid the file /usr/libexec/ssh-keysign is to allow
host-based authentication: ssh-keysign signs the client's authentication
request with the host's private key, which only root can read. Without the
set-uid bit, users would be required to enter their password when ssh'ing
to another host. installworld reinstalls the binary without the bit, which
is why the chmod has to be repeated after every update. Be aware of what the
bit grants: any local account can then obtain a signature from this host's
key, so a remote host that accepts host-based logins from polaris or milton
is trusting every user who has an account on those machines.
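The post-reboot chmod can be made a little safer than a bare `chmod u+s`. The function below is an added example, not part of the site's procedure: it restores the set-uid bit only after confirming that the target is a regular file, owned by the expected uid, and not writable by group or others (a set-uid root binary that anyone else can write to is a local root hole). The helper path /usr/libexec/ssh-keysign is taken from the procedure above; the owner argument, the function names and the use of `ls -ln` to read owner and mode portably are choices made for this example, and the owner argument exists so the function can be exercised on a scratch file owned by a non-root user.

```sh
#!/bin/sh
# Added example (not one of the site's scripts): restore the set-uid bit on
# the host-based-authentication helper after installworld, with sanity checks.

# Print the numeric owner uid of a file.  ls -ln is POSIX and works the same
# on FreeBSD and Linux, unlike stat(1), whose options differ between them.
file_owner() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# Return 0 if the ls mode string shows the file as group- or world-writable.
# Positions: 1 type, 2-4 user, 5-7 group, 8-10 other.
is_writable_by_others() {
    mode=$(ls -ldn "$1" | awk '{ print $1 }')
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Set the set-uid bit on $1 if it is a regular file owned by uid $2
# (default 0, i.e. root), is not writable by group or others, and does not
# already have the bit.  Returns 0 when the bit is set (or already was),
# 1 when the request is refused.
ensure_setuid() {
    path=$1
    owner=${2:-0}
    if [ ! -f "$path" ]; then
        echo "$path: not a regular file, refusing" >&2
        return 1
    fi
    if [ "$(file_owner "$path")" != "$owner" ]; then
        echo "$path: owned by uid $(file_owner "$path"), expected uid $owner, refusing" >&2
        return 1
    fi
    if is_writable_by_others "$path"; then
        echo "$path: writable by group or others, refusing to make it set-uid" >&2
        return 1
    fi
    if [ -u "$path" ]; then
        echo "$path: set-uid bit already present"
        return 0
    fi
    chmod u+s "$path" && [ -u "$path" ]
}

# On the FreeBSD servers this is the step-four command; elsewhere the file
# does not exist and nothing happens.
if [ -e /usr/libexec/ssh-keysign ]; then
    ensure_setuid /usr/libexec/ssh-keysign 0
fi
```

Running the check rather than a bare chmod also catches the case where installworld did not actually replace the helper (the bit is reported as already present), which is a hint that the install step was skipped.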
ClamAV on mail server
Occasionally we will need to update the version of clamav on milton
due to security updates or changes in the virus definition format.
Usually, when it is necessary for us to upgrade clamav, we will
receive an alert email stating that the version we run is out of date.
When we get the alert message, it is time to upgrade clamav.
There is no way for me to predict what changes may be made in
clamav in the future, and while this document may be accurate for the
most recent series of updates, it may be invalid for future
updates.
In our setup, clamav is installed through the ports tree. This
document discusses how clamav was initially installed in our mail
system. You should take a moment to read the docs and familiarize
yourself with the process before upgrading clamav.
Because clamav is installed through ports, in order to update it we
must first clean up the old port, then update the ports tree.
As root, change directories to /usr/ports/security/clamav and
issue the command `make clean'. This will clean up the
work and build directories from the old port.
Next, you will need to use cvsup to update the ports tree. On all of
our FreeBSD boxes there is a script in the directory
/root/cvsup called update-ports that will update the
ports tree. As root, execute the command
/root/cvsup/update-ports to CVSup the ports tree.
Note: this script does not update installed ports, it only
updates the tree itself. Although automated updates of all ports can
be done with tools like portupgrade, using portupgrade is
outside of the scope of this document.
Next, because the clamav port may take a few days before it has been
updated, you should verify the port is current with the version you
need. The easiest way to do that is to cat the file
/usr/ports/security/clamav/distinfo: it lists the distfile the port
will fetch (clamav-<version>.tar.gz) together with its checksum, so the
version is visible in the filename. Running make -V PORTVERSION inside
/usr/ports/security/clamav prints the version on its own.
If the version is not correct, then there is nothing to be done except
wait (usually about 24 hours) and run update-ports again.
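The comparison between what the port tree offers and what is installed can be scripted. The following is an added example rather than one of the site's scripts: it reads the version out of distinfo text and out of a `pkg_info -I` line, compares them numerically, and answers whether the tree has caught up with the alert. The distinfo and pkg_info lines are constructed samples shaped like the real files (the exact version numbers are invented), and the `pkg_info -I clamav-\*` invocation in the comment is the usual way to list one installed package, stated here as an assumption about milton's setup.

```sh
#!/bin/sh
# Added example (not one of the site's scripts): decide whether the clamav
# port in the tree is newer than the installed package, so the upgrade is
# only attempted once the port has actually been bumped.
# On milton the inputs would be:
#   "$(cat /usr/ports/security/clamav/distinfo)"   and   "$(pkg_info -I clamav-\*)"

# Pull the upstream version out of distinfo text: the first
# "MD5 (clamav-X.Y.Z.tar.gz) = ..." style line names the distfile.
distinfo_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^[A-Z0-9]* (clamav-\([0-9.]*\)\.tar\.[a-z0-9]*) = .*/\1/p' \
        | head -n 1
}

# Pull the version out of a pkg_info -I line such as
# "clamav-0.75.1_1  Command line virus scanner ..."; the _N port revision
# and the one-line comment are dropped.
installed_version() {
    printf '%s\n' "$1" | sed -n 's/^clamav-\([0-9.]*\).*/\1/p' | head -n 1
}

# Compare two dotted versions component by component and print -1, 0 or 1.
# sort -V is GNU-only, so plain awk is used instead.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Returns 0 when the port tree offers a newer version than is installed,
# 1 when either version is unreadable or the tree has not caught up yet.
port_is_newer() {
    tree=$(distinfo_version "$1")
    have=$(installed_version "$2")
    [ -n "$tree" ] && [ -n "$have" ] && [ "$(version_cmp "$tree" "$have")" = 1 ]
}

# Constructed sample inputs shaped like the real distinfo and pkg_info output.
SAMPLE_DISTINFO='MD5 (clamav-0.80.tar.gz) = 0123456789abcdef0123456789abcdef
SIZE (clamav-0.80.tar.gz) = 2991290'
SAMPLE_PKG_INFO='clamav-0.75.1_1     Command line virus scanner written entirely in C'

if port_is_newer "$SAMPLE_DISTINFO" "$SAMPLE_PKG_INFO"; then
    echo "port tree has clamav-$(distinfo_version "$SAMPLE_DISTINFO"), installed is clamav-$(installed_version "$SAMPLE_PKG_INFO"): go ahead"
else
    echo "port tree not updated yet, run update-ports again tomorrow"
fi
```

Because a port revision bump (the `_N` suffix) does not change the upstream version, the comparison deliberately ignores it: the alert is about the clamav release, not about the port's packaging.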
Once the port for clamav has been updated to the correct version, you can
make and install it by issuing the following commands as root:
cd /usr/ports/security/clamav
make
postfix stop
/usr/local/etc/rc.d/amavisd.sh stop
/usr/local/etc/rc.d/clamav-clamd.sh stop
make deinstall
make install
chown -R vscan:vscan /var/log/clamav
chown -R vscan:vscan /var/run/clamav
chown -R vscan:vscan /var/db/clamav
/usr/local/etc/rc.d/clamav-clamd.sh start
/usr/local/etc/rc.d/amavisd.sh start
postfix start
freshclam
Discussion: The first step is to build the port; building before anything
is stopped keeps the window in which no scanner is available short. After it
has been built, the services which use clamav (postfix and amavis) are
stopped, then the running clamd is stopped. Next, make deinstall removes the
installed version; pkg_delete can be used to remove the package instead if
you prefer. Then you install the new version of clamav and change the
ownership of the clamav log, run and database directories back to vscan so
that amavis can reach clamd and freshclam can write the definitions. Once the
ownership has been changed, start clamd. Only if clamd starts correctly
should the services that depend on it (amavis and postfix) be started again;
if it does not, fix clamd first rather than bringing mail back up without a
scanner behind it. The final step is to run freshclam to fetch the updated
virus definitions; freshclam also reports whether the engine version now
running is current, which confirms the upgrade took effect.