.\" $NetBSD: afterboot.8,v 1.1 2002/11/30 14:09:50 jdolecek Exp $
.\"
.\" Copyright (c) 2002 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"        This product includes software developed by the NetBSD
.\"        Foundation, Inc. and its contributors.
.\" 4. Neither the name of The NetBSD Foundation nor the names of its
.\"    contributors may be used to endorse or promote products derived
.\"    from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: afterboot.8,v 1.72 2002/02/22 02:02:33 miod Exp $
.\"
.\" Originally created by Marshall M. Midden -- 1997-10-20, m4@umn.edu
.\" Adapted to NetBSD by Julio Merino -- 2002-05-10, jmmv@hispabsd.org
.\"
.Dd Nov 30, 2002
.Dt AFTERBOOT 8
.Os
.Sh NAME
.Nm afterboot
.Nd things to check after the first complete boot
.Sh DESCRIPTION
.Ss Starting Out
This document attempts to list items for the system administrator
to check and set up after the installation and first complete boot of the
system.
The idea is to create a list of items that can be checked off so that you have
a warm fuzzy feeling that something obvious has not been missed.
A basic knowledge of
.Ux
is assumed.
.Pp
Complete instructions for correcting and fixing items are not provided.
There are manual pages and other methodologies available for doing that.
For example, to view the man page for the
.Xr ls 1
command, type:
.Bd -literal -offset indent
.Ic man 1 ls
.Ed
.Pp
Administrators will rapidly become more familiar with
.Nx
if they get used to using the manual pages.
.Ss Security alerts
By the time that you have installed your system, it is quite likely that
bugs in the release have been found.
All significant and easily fixed problems will be reported at
.Pa http://www.netbsd.org/Security/ .
It is recommended that you check this page regularly.
.Ss Login
Login as
.Dq Ic root .
You can do so on the console, or over the network using
.Xr ssh 1 .
If you wish to allow root logins over the network (if you have
enabled the ssh daemon), edit the
.Pa /etc/ssh/sshd_config
file and set
.Cm PermitRootLogin
to
.Dq yes
(see
.Xr sshd 8 ) .
The default is to not permit root logins over the network
after a fresh install in
.Nx .
Note that defaults on other operating systems might be different.
.Pp
Upon successful login on the console, you may see the message
.Dq We recommend creating a non-root account... .
For security reasons, it is bad practice to login as root during
regular use and maintenance of the system.
Instead, administrators are encouraged to add a
.Dq regular
user, add said user to the
.Dq wheel
group, then use the
.Ic su
and
.Ic sudo
commands when root privileges are required.
This process is described in more detail later.
.Ss Root password
Change the password for the root user.
(Note that throughout the documentation, the term
.Dq superuser
is a synonym for the root user.)
Choose a password that has digits and special characters (not space)
as well as upper and lower case letters.
Do not choose any word in any language.
It is common for an intruder to use dictionary attacks.
Type the command
.Ic /usr/bin/passwd
to change it.
.Pp
It is a good idea to always specify the full path name for both the
.Xr passwd 1
and
.Xr su 1
commands as this inhibits the possibility of running a like-named file
placed in your execution
.Ev PATH
for most shells.
Furthermore, the superuser's
.Ev PATH
should never contain the current directory
.Po Dq \&.
.Pc .
.Ss System date
Check the system date with the
.Xr date 1
command.
If needed, change the date, and/or change the symbolic link of
.Pa /etc/localtime
to the appropriate time zone in the
.Pa /usr/share/zoneinfo
directory.
.Pp
Examples:
.Bl -tag -width date
.It Cm date 200205101820
Set the current date to May 10th, 2002 6:20pm.
.It Cm ln -fs /usr/share/zoneinfo/Europe/Helsinki /etc/localtime
Set the time zone to Eastern Europe Summer Time.
.El
.Ss Console settings
One of the first things you will likely need to do is to set up your
keyboard map (and maybe some other aspects about the system console).
To change your keyboard encoding, edit the
.Va Dq encoding
variable found in
.Pa /etc/wscons.conf .
.Pp
.Xr wscons.conf 5
contains more information about this file.
.Ss Check hostname
Use the
.Ic hostname
command to verify that the name of your machine is correct.
See the man page for
.Xr hostname 1
if it needs to be changed.
You will also need to change the contents of the
.Va Dq hostname
variable in
.Pa /etc/rc.conf
or edit the
.Pa /etc/myname
file
to have it stick around for the next reboot.
Note that the hostname is commonly supposed to be an FQDN and should
not be confused with YP
.Xr domainname 8 .
.Ss Verify network interface configuration
The first thing to do is an
.Ic ifconfig -a
to see if the network interfaces are properly configured.
Correct by editing
.Pa /etc/ifconfig. Ns Ar interface
(where
.Ar interface
is the interface name, e.g.,
.Dq le0 )
and then using
.Xr ifconfig 8
to manually configure it
if you do not wish to reboot.
Read the
.Xr ifconfig.if 5
man page for more information on the format of
.Pa /etc/ifconfig. Ns Ar interface
files.
The loopback interface will look something like:
.Bd -literal -offset indent
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
        inet 127.0.0.1 netmask 0xff000000
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
.Ed
.Pp
an Ethernet interface something like:
.Bd -literal -offset indent
le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
        inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
        inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1
.Ed
.Pp
and, a PPP interface something like:
.Bd -literal -offset indent
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
        inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000
.Ed
.Pp
See
.Xr netstart 8
for instructions on configuring multicast routing.
.Pp
See
.Xr dhcp 8
for instructions on configuring interfaces with DHCP.
.Ss Check routing tables
Issue a
.Ic netstat -rn
command.
The output will look something like:
.Bd -literal -offset indent
Routing tables

Internet:
Destination      Gateway            Flags  Refs      Use    Mtu  Interface
default          192.168.4.254      UGS       0 11098028      -  le0
127              127.0.0.1          UGRS      0        0      -  lo0
127.0.0.1        127.0.0.1          UH        3       24      -  lo0
192.168.4        link#1             UC        0        0      -  le0
192.168.4.52     8:0:20:73:b8:4a    UHL       1     6707      -  le0
192.168.4.254    0:60:3e:99:67:ea   UHL       1        0      -  le0

Internet6:
Destination        Gateway       Flags  Refs  Use    Mtu  Interface
::/96              ::1           UGRS      0    0  32972  lo0 =>
::1                ::1           UH        4    0  32972  lo0
::ffff:0.0.0.0/96  ::1           UGRS      0    0  32972  lo0
fc80::/10          ::1           UGRS      0    0  32972  lo0
fe80::/10          ::1           UGRS      0    0  32972  lo0
fe80::%le0/64      link#1        UC        0    0   1500  le0
fe80::%lo0/64      fe80::1%lo0   U         0    0  32972  lo0
ff01::/32          ::1           U         0    0  32972  lo0
ff02::%le0/32      link#1        UC        0    0   1500  le0
ff02::%lo0/32      fe80::1%lo0   UC        0    0  32972  lo0
.Ed
.Pp
The default gateway address is stored in the
.Va Dq defaultroute
variable in
.Pa /etc/rc.conf ,
or in the file
.Pa /etc/mygate .
If you need to edit this file, a painless way to reconfigure the network
afterwards is to issue
.Bd -literal -offset indent
.Ic /etc/rc.d/network restart
.Ed
.Pp
Or, you may prefer to manually configure using a series of
.Ic route add
and
.Ic route delete
commands (see
.Xr route 8 ) .
If you run
.Xr dhclient 8
you will have to kill it by running
.Bd -literal -offset indent
.Ic /etc/rc.d/dhclient stop
.Pp
.Ed
after you flush the routes.
.Pp
If you wish to route packets between interfaces, add the directive
.Dl net.inet.ip.forwarding=1
and/or
.Dl net.inet6.ip6.forwarding=1
.Pp
to
.Pa /etc/sysctl.conf ,
or compile a new kernel with the
.Cm GATEWAY
option.
Packets are not forwarded by default, due to RFC requirements.
.Pp
You can add new
.Dq virtual interfaces
by adding the required entries to
.Pa /etc/ifconfig.if .
.Ss Secure Shell (ssh)
By default, all services are disabled (and ssh is no exception).
You may wish to enable it so you can remotely control your system.
Set "sshd=yes" in
.Pa /etc/rc.conf
and then start the server with the command
.Bd -literal -offset indent
.Ic /etc/rc.d/sshd start
.Ed
.Pp
The first time the server is started, it will generate a new keypair,
which will be stored inside the directory
.Pa /etc/ssh .
.Ss BIND Name Server (DNS)
If you are using the BIND Name Server, check the
.Pa /etc/resolv.conf
file.
It may look something like:
.Bd -literal -offset indent
domain some.thing.dom
nameserver 192.168.0.1
nameserver 192.168.4.55
search some.thing.dom. thing.dom.
.Ed
.Pp
For further details, see
.Xr resolv.conf 5 .
Note that the name service lookup order is set via the
.Xr nsswitch.conf 5
mechanism.
.Pp
If using a caching name server add the line "nameserver 127.0.0.1" first.
To get a local caching name server to run
you will need to set "named=yes" in
.Pa /etc/rc.conf
and create the
.Pa named.conf
file in the appropriate place for
.Xr named 8 ,
usually in
.Pa /etc/namedb .
The same holds true if the machine is going to be a
name server for your domain.
In both these cases, make sure that
.Xr named 8
is running
(otherwise there are long waits for resolver timeouts).
.Ss YP Setup
Check the YP domain name with the
.Xr domainname 1
command.
If necessary, correct it by editing the
.Pa /etc/defaultdomain
file or by setting the
.Va Dq domainname
variable in
.Pa /etc/rc.conf .
The
.Pa /etc/rc.d/network
script reads this file on bootup to determine and set the domain name.
You may also set the running system's domain name with the
.Xr domainname 1
command.
To start YP client services, simply run
.Ic ypbind ,
then perform the remaining
YP activation as described in
.Xr passwd 5
and
.Xr group 5 .
.Pp
In particular, to enable YP passwd support, you'd need to update
.Pa /etc/nsswitch.conf
to include
.Dq nis
for the
.Dq passwd
entry.
A traditional way to accomplish the same thing is to
add the following entry to the local passwd database via
.Xr vipw 8 :
.Bd -literal -offset indent
.Li +:*::::::::
.Pp
.Ed
Note that this entry has to be the very last one.
This traditional way
works with the default
.Xr nsswitch.conf 5
setting of
.Dq passwd ,
which is
.Dq compat .
.Pp
You can find more information by starting with
.Xr yp 8 .
.Ss Check disk mounts
Check that the disks are mounted correctly by
comparing the
.Pa /etc/fstab
file against the output of the
.Xr mount 8
and
.Xr df 1
commands.
Example:
.Bd -literal -offset indent
.Li # Ic cat /etc/fstab
/dev/sd0a  /      ffs   rw  1  1
/dev/sd0b  none   swap  sw  0  0
/dev/sd0e  /usr   ffs   rw  1  2
/dev/sd0f  /var   ffs   rw  1  3
/dev/sd0g  /tmp   ffs   rw  1  4
/dev/sd0h  /home  ffs   rw  1  5
.Li # Ic mount
/dev/sd0a on / type ffs (local)
/dev/sd0e on /usr type ffs (local)
/dev/sd0f on /var type ffs (local)
/dev/sd0g on /tmp type ffs (local)
/dev/sd0h on /home type ffs (local)
.Li # Ic df
Filesystem  1024-blocks     Used    Avail Capacity  Mounted on
/dev/sd0a         22311    14589     6606    69%    /
/dev/sd0e        203399   150221    43008    78%    /usr
/dev/sd0f         10447      682     9242     7%    /var
/dev/sd0g         18823        2    17879     0%    /tmp
/dev/sd0h          7519     5255     1888    74%    /home
.Li # Ic pstat -s
Device      512-blocks     Used    Avail Capacity  Priority
/dev/sd0b       131072    84656    46416    65%    0
.Ed
.Pp
Edit
.Pa /etc/fstab
and use the
.Xr mount 8
and
.Xr umount 8
commands as appropriate.
Refer to the above example and
.Xr fstab 5
for information on the format of this file.
.Pp
You may wish to do NFS mounts now too, or you can do them later.
.Ss Concatenated disks (ccd)
If you are using
.Xr ccd 4
concatenated disks, edit
.Pa /etc/ccd.conf .
You may wish to take a look at
.Xr ccdconfig 8
for more information about this file.
Use the
.Ic ccdconfig -U
command to unload and the
.Ic ccdconfig -C
command to create tables internal to the kernel for the concatenated disks.
You then
.Xr mount 8 ,
.Xr umount 8 ,
and edit
.Pa /etc/fstab
as needed.
.Sh CHANGING /etc FILES
The system should be usable now, but you may wish to do more
customization, such as adding users, etc.
Many of the following sections may be skipped
if you are not using that package (for example, skip the
.Sx Kerberos
section if you won't be using Kerberos).
We suggest that you
.Ic cd /etc
and edit most of the files in that directory.
.Pp
Note that the
.Pa /etc/motd
file is modified by
.Pa /etc/rc.d/motd
whenever the system is booted.
To keep any custom message intact, ensure that you leave two blank lines
at the top, or your message will be overwritten.
.Ss Sushi
Since
.Nx 1.6 ,
a new tool for configuring the system has been
included, called
.Xr sushi 8 .
It will allow you to set up many aspects of the
system from interactive menus.
You can launch it by typing:
.Bd -literal -offset indent
.Ic sushi
.Ed
.Ss Add new users
There are
.Xr useradd 8
and
.Xr groupadd 8
scripts.
You may use
.Xr vipw 8
to add users to the
.Pa /etc/passwd
file
and edit
.Pa /etc/group
by hand to add new groups.
The manual page for
.Xr su 1 ,
tells you to make sure to put people in
the
.Sq wheel
group if they need root access (non-Kerberos).
For example:
.Bd -literal -offset indent
wheel:*:0:root,myself
.Ed
.Pp
Follow instructions for
.Xr kerberos 8
if using
Kerberos
for authentication.
.Ss rc.conf, rc.local
Check for any local changes needed in the files
.Pa /etc/rc.conf ,
and
.Pa /etc/rc.local .
.Pp
.Xr rc.conf 5
contains configuration for various daemons included with
the system.
Script
.Xr rc.local 5
is run as the last thing during multiuser boot, and is provided
to allow any other local hooks necessary for the system.
.Pp
You can take a look at
.Pa /etc/defaults/rc.conf
to see a list of default system variables, which you can override in
.Pa /etc/rc.conf .
Note that you are
.Em not
supposed to change
.Pa /etc/defaults/rc.conf
directly; edit only
.Pa /etc/rc.conf .
See
.Xr rc.conf 5
for further information.
.Pp
The directory
.Pa /etc/rc.d
contains a series of scripts used at startup/shutdown, called by
.Pa /etc/rc .
.Pp
If you've installed X, you may want to turn on
.Xr xdm 1 ,
the X Display Manager.
To do this, set the variable xdm to yes, i.e. "xdm=yes", in
.Pa /etc/rc.conf .
.Ss Printers
Edit
.Pa /etc/printcap
and
.Pa /etc/hosts.lpd
to get any printers set up.
Consult
.Xr lpd 8
and
.Xr printcap 5
if needed.
.Ss Tighten up security
In
.Pa /etc/inetd.conf
comment out any extra entries you do not need, and only add things
that are really needed.
Note that by default all services are disabled
for security reasons.
.Ss Kerberos
If you are going to use
.Xr kerberos 8
for authentication, and you already have a
Kerberos
master, change directory to
.Pa /etc/kerberosIV
or
.Pa /etc/kerberosV
and configure.
Remember to get a
.Pa srvtab
from the master so that the remote commands work.
.Ss Mail Aliases
Check
.Pa /etc/mail/aliases
and update appropriately if you want e-mail to be routed
to a non-local address or to different users.
.Pp
Run
.Xr newaliases 8
after changes.
.Ss Sendmail
.Nx
ships with a default
.Pa /etc/mail/sendmail.cf
file that will work for simple installations; it was generated from
.Pa netbsd-proto.mc
in
.Pa /usr/share/sendmail/cf .
Please see
.Pa /usr/share/sendmail/README
and
.Pa /usr/share/doc/smm/08.sendmailop/op.me
for information on generating your own sendmail configuration files.
.Ss Postfix
.Nx
also comes with Postfix in the base system.
You may wish to set it up in favour of sendmail.
Take a look at
.Pa /etc/postfix/main.cf
and enable the daemon in
.Pa /etc/rc.conf
using "postfix=yes".
It is very important to configure
.Pa /etc/mailer.conf
to point to Postfix binaries.
.Ss DHCP server
If this is a
DHCP
server, edit
.Pa /etc/dhcpd.conf
and
.Pa /etc/dhcpd.interfaces
as needed.
You will have to make sure
.Pa /etc/rc.conf
has "dhcpd=yes"
or run
.Xr dhcpd 8
manually.
.Ss Bootparam server
If this is a
Bootparam
server, edit
.Pa /etc/bootparams
as needed.
You will have to turn it on in
.Pa /etc/rc.conf
by adding "bootparamd=yes".
.Ss NFS server
If this is an NFS server, make sure
.Pa /etc/rc.conf
has:
.Bd -literal -offset indent
nfs_server=yes
mountd=yes
rpcbind=yes
.Ed
.Pp
Edit
.Pa /etc/exports
and get it correct.
After this, you can start the server by issuing:
.Bd -literal -offset indent
.Ic /etc/rc.d/nfsd start
.Ed
which will also start dependencies.
.Ss HP remote boot server
Edit
.Pa /etc/rbootd.conf
if needed for remote booting.
If you do not have HP computers doing remote booting, do not enable this.
.Ss Daily, weekly, monthly scripts
Look at and possibly edit the
.Pa /etc/daily.conf , /etc/weekly.conf ,
and
.Pa /etc/monthly.conf
configuration files.
You can check which values you can set by looking
at their matching files in
.Pa /etc/defaults .
Your site specific things should go into
.Pa /etc/daily.local , /etc/weekly.local ,
and
.Pa /etc/monthly.local .
.Pp
These scripts have been limited so as to keep the system running without
filling up disk space from normal running processes and database updates.
(You probably do not need to understand them.)
.Ss Other files in /etc
Look at the other files in
.Pa /etc
and edit them as needed.
(Do not edit files ending in
.Pa .db
\(em like
.Pa pwd.db , spwd.db ,
nor
.Pa localtime ,
nor
.Pa rmt ,
nor any directories.)
.Ss Crontab (background running processes)
Check what is running by typing
.Ic crontab -l
as root
and see if anything unexpected is present.
Do you need anything else?
Do you wish to change things?
For example, if you do not
like root getting standard output of the daily scripts, and want only
the security scripts that are mailed internally, you can type
.Ic crontab -e
and change some of the lines to read:
.Bd -literal -offset indent
30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out
30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out
.Ed
.Pp
See
.Xr crontab 5 .
.Ss Next day cleanup
After the first night's security run, change ownerships and permissions
on files, directories, and devices; root should have received mail
with subject: "<hostname> daily insecurity output.".
This mail contains
a set of security recommendations, presented as a list looking like this:
.Bd -literal -offset indent
var/mail:
        permissions (0755, 0775)
etc/daily:
        user (0, 3)
.Ed
.Pp
The best bet is to follow the advice in that list.
The recommended setting is the first item in parentheses, while
the current setting is the second one.
This list is generated by
.Xr mtree 8
using
.Pa /etc/mtree/special .
Use
.Xr chmod 1 ,
.Xr chgrp 1 ,
and
.Xr chown 8
as needed.
.Ss Packages
Install your own packages.
The
.Nx
package collection includes a large set of Third-Party
software.
A lot of it is available as binary packages that you can
download from
.Pa ftp://ftp.netbsd.org
or a mirror, and install using
.Xr pkg_add 1 .
See
.Pa http://www.netbsd.org/Documentation/software/
and
.Xr packages 7
for more details.
.Pp
Copy vendor binaries and install them.
You will need to install any shared libraries, etc.
(Hint:
.Ic man -k compat
to find out how to install and use compatibility mode.)
.Pp
There is also other Third-Party Software that is available
in source form only, either because it has not been ported to
.Nx
yet, because licensing restrictions make binary redistribution
impossible, or simply because you want to build your own binaries.
This group is called pkgsrc.
Sometimes checking the mailing lists for
past problems that people have encountered will result in a fix posted.
.Sh COMPILING A KERNEL
First, review the system message buffer using the
.Xr dmesg 8
command to find out information on your system's devices as probed by the
kernel at boot.
In particular, note which devices were not configured.
This information will prove useful when editing kernel configuration files.
.Pp
To compile a kernel inside a writable source tree, do the following:
.Sm off
.Bd -literal -offset indent
.Li #\ Xo
.Ic cd\ /usr/src/sys/arch/
.Ar somearch
.Ic /conf
.Xc
.Li #\ Xo
.Ic vi\ \&
.Ar SOMEFILE
.No \ \ \ (to\ make\ any\ changes)
.Xc
.Li #\ Xo
.Ic config\ \&
.Ar SOMEFILE
.Xc
.Li #\ Xo
.Ic cd\ ../compile/
.Ar SOMEFILE
.Xc
.Li #\ Xo
.Ic make
.Xc
.Ed
.Sm on
.Pp
where
.Ar somedir
is a writable directory,
.Ar somearch
is the architecture (e.g.
.Ic i386 ) ,
and
.Ar SOMEFILE
should be a name indicative of a particular configuration (often
that of the hostname).
You can also do a
.Ic make depend
so that you will have dependencies there the next time you do a compile.
.Pp
If you are building your kernel again, before you do a
.Ic make
you should do a
.Ic make depend
after making changes (including updates or patches) to your kernel source,
or a
.Ic make clean
after making changes to your kernel options.
.Pp
After either of these two methods, you can place the new kernel (called
.Pa netbsd )
in
.Pa /
(i.e.
.Pa /netbsd )
by issuing
.Ic make install
and the system will boot it next time.
The old kernel is stored as
.Pa /onetbsd
so you can boot it in case of failure.
.Pp
If you are using the toolchain to build your kernel, you will also need to
build a new set of toolchain binaries.
You can do it by entering
.Pa /usr/src
and issuing
.Ic ./build.sh -t .
.Sh SEE ALSO
.Xr chgrp 1 ,
.Xr chmod 1 ,
.Xr crontab 1 ,
.Xr date 1 ,
.Xr df 1 ,
.Xr domainname 1 ,
.Xr hostname 1 ,
.Xr make 1 ,
.Xr man 1 ,
.Xr netstat 1 ,
.Xr passwd 1 ,
.Xr su 1 ,
.Xr ccd 4 ,
.Xr aliases 5 ,
.Xr crontab 5 ,
.Xr exports 5 ,
.Xr fstab 5 ,
.Xr group 5 ,
.Xr krb.conf 5 ,
.Xr krb.realms 5 ,
.Xr passwd 5 ,
.Xr rc.conf 5 ,
.Xr resolv.conf 5 ,
.Xr hostname 7 ,
.Xr packages 7 ,
.Xr adduser 8 ,
.Xr amd 8 ,
.Xr bootparamd 8 ,
.Xr ccdconfig 8 ,
.Xr chown 8 ,
.Xr config 8 ,
.Xr dhcp 8 ,
.Xr dhcpd 8 ,
.Xr ext_srvtab 8 ,
.Xr ifconfig 8 ,
.Xr inetd 8 ,
.Xr kerberos 8 ,
.Xr mount 8 ,
.Xr mtree 8 ,
.Xr named 8 ,
.Xr netstart 8 ,
.Xr newaliases 8 ,
.Xr rbootd 8 ,
.Xr rc 8 ,
.Xr rmt 8 ,
.Xr route 8 ,
.Xr sushi 8 ,
.Xr umount 8 ,
.Xr vipw 8 ,
.Xr ypbind 8
.Sh HISTORY
This document first appeared in
.Ox 2.2 .
It has been adapted to
.Nx
and first appeared in
.\" NEXTRELEASE
.Nx 2.0 .
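The mismatch list described under "Next day cleanup" (recommended setting first, current setting second) can be turned into commands for review before anything is changed; the script below is an added example, not part of the original manual page or of NetBSD. It assumes the paths in the list are relative to / (or to the directory given as the first argument), handles only the two keywords the page shows (permissions and user), and the function names insecurity_to_cmds and sample_list are hypothetical.

```shell
#!/bin/sh
# Added example: convert the mtree(8) mismatch list from the nightly
# "daily insecurity output" mail into chmod/chown commands for review.
# Nothing is executed; the commands are only printed.

# Reads the list on stdin.  $1 is the directory the listed paths are
# relative to (assumption: / unless given).
insecurity_to_cmds() {
    awk -v root="${1:-/}" '
    BEGIN { sub("/+$", "", root) }          # "/" becomes "", "/mnt/" becomes "/mnt"

    # "var/mail:" opens an entry: remember the path, minus the colon.
    /^[^ \t].*:$/ {
        path = root "/" substr($0, 1, length($0) - 1)
        # Only plain path characters are emitted into a command line;
        # anything else is left for the administrator to handle by hand.
        safe = (path ~ "^[A-Za-z0-9._/+-]+$")
        next
    }

    # "<keyword> (recommended, current)" applies to the last path seen.
    /^[ \t]+[a-z]+ \(.*, .*\)$/ && path != "" {
        kw = $1
        want = $2; gsub(/[(,]/, "", want)   # first item: recommended
        have = $3; gsub(/[)]/, "", have)    # second item: current
        if (safe && kw == "permissions" && want ~ /^[0-7]+$/)
            print "chmod " want " " path "  # was " have
        else if (safe && kw == "user" && want ~ /^[0-9]+$/)
            print "chown " want " " path "  # was " have
        else
            print "# review by hand: " path ": " kw " (" want ", " have ")"
        next
    }

    # Anything else (mail headers, other report sections) is passed
    # through as a comment so that it is not silently lost.
    NF { print "# unparsed: " $0 }
    '
}

# Constructed sample input: the list shown under "Next day cleanup".
sample_list() {
    printf 'var/mail:\n\tpermissions (0755, 0775)\netc/daily:\n\tuser (0, 3)\n'
}

sample_list | insecurity_to_cmds
```

Save the relevant part of the mail to a file and run the function with that file on standard input, then read the output before running any of it as root.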