There is a tool called CVSup
which FreeBSD users can use to update their system libraries and
kernel. In our environment, the tool is installed from the ports tree
during system installation. This page discusses how to use CVSup to
update the system libraries, userland tools, and kernel on our FreeBSD
systems. There is also a second section which discusses using CVSup
to update clamav on the mail server.
Libraries, Userland, and Kernel
On our FreeBSD servers, polaris and milton, I have
customized scripts located in the directory /root/cvsup which
will use CVSup to update the system. After the script has run, there
will be three manual steps that must be performed by the systems
The script is run by invoking the command
/root/cvsup/update-world on any of the FreeBSD servers.
Although CVSup can be used to upgrade to the latest release of
FreeBSD, our script will only grab the latest patched version of the
current release we are running. In order to update to a
newer version of FreeBSD, the file /root/cvsup/astro-supfile
should be modified and the `mergemaster' tool should be run;
using mergemaster to migrate to a newer version is a process which is
outside of the scope of this document.
Please note, when picasso is migrated to the new platform, it
will be included in the list of machines which should be updated via
After the update-world script has called CVSup to update the source
tree, it will compile a new set of libraries, userland binaries, and a
new kernel. This process takes anywhere from fifteen to thirty
minutes, depending on the machine and the load on the machine. For
reference, the old polaris used to take approximately eight hours, but
now takes approximately twenty minutes.
Once the libraries and kernel are compiled, the script is done. The
next steps are to be performed manually and require superuser
Log in as root, change to the directory /usr/src and
issue the command make installkernel KERNCONF=foo, where foo
is replaced with the name of the server in capitals (ex. make
As root, and from inside of the directory /usr/src issue
the command make installworld.
Reboot the machine immediately after step two has completed.
After the machine has rebooted, login as root and issue the
command `chmod u+s /usr/libexec/ssh-keygen'
Discussion: This is a copy of the update-world script
# step 1: cvsup
# step 2: make world
mv /usr/obj /usr/oldobj
# step 3: make new kernel
make buildkernel KERNCONF=POLARIS
# step 4: tell me what I need to do next since I'm forgetful and don't remember
cat << _EOF_
To install the new kernel, go into /usr/src and run:
make installkernel KERNCONF=POLARIS
To install the new system binaries, go into /usr/src and run:
It runs CVSup, then builds a complete new system and kernel. Technically,
you should be in single user mode when running a make installworld,
but as long as you are staying within the same minor version number,
it should be OK to do on a live system. However, whenever you do this on
a live multi-user system, it is a good idea to install the kernel first,
then the system libraries and binaries.
The reason we suid the file /usr/libexec/ssh-keygen is to allow
host-key authentication. Users would be required to enter in their password
when ssh'ing to another host if we do not first suid this file.
ClamAV on mail server
Occassionally we will need to update the version of clamav on milton
due to security updates, or changes in the virus definition format.
Usually, when it is necessary for us to upgrade clamav, we will be
given an alert email stating that the version we run is out of date.
When we get the alert message, it is time to upgrade clamav.
There is no way for me to predict what changes may be made in
clamav in the future, and while this document may be accurate for the
most recent series of updates, it may be invalid for future
In our setup, clamav is installed through the ports tree. This
document discusses how clamav was initially installed in our mail
system. You should take a moment to read the docs and familiarize
yourself with the process before upgrading clamav.
Because clamav is installed through ports, in order to update it we
must first clean up the old port, then update the ports tree.
As root, change directories to /usr/ports/security/clamav and
issue the command `make clean'. This will clean up the
work and build directories from the old port.
Next, you will need to use cvsup to update the ports tree. On all of
our FreeBSD boxes there is a script in the directory
/root/cvsup called update-ports that will update the
ports tree. As root, execute the command
/root/cvsup/update-ports to CVSup the ports tree.
Note: this script does not update installed ports, it only
updates the tree itself. Although automated updates of all ports can
be done with tools like portupgrade, using portupgrade is
outside of the scope of this document.
Next, because the clamav port may take a few days before it has been
updated, you should verify the port is current with the version you
need. The easiest way to do that is to cat the file
/usr/ports/security/clamav/distinfo and see which files it
If the version is not correct, then there is nothing to be done except
wait for 24 hours.
Once the port for clamav has been updated to the correct version, you can
make and install it by issuing the following commands as root:
chown -R vscan:vscan /var/log/clamav
chown -R vscan:vscan /var/run/clamav
chown -R vscan:vscan /var/db/clamav
Discussion: The first step is to rebuild the port. After it
has been rebuilt, all services which interact with clamav (postfix and
amavis) are stopped, then the running clamd is stopped. Next the
make deinstall removes the installed version, however you can
also use pkg_delete to remove the port if you so choose.
Next you install the new version of clamav and change the ownership of
the clamav directories so amavis will work. Once the ownership has
been changed, it is time to restart clamd. If clamd restarts
correctly, then it is time to restart the services that use clamav
(postfix and amavis). The final step is to use freshclam and grab the
updated virus definitions, however this step also will verify that the
version running is now current.