AFTERBOOT(8) | System Manager's Manual | AFTERBOOT(8) |
afterboot
—
Complete instructions for correcting and fixing items is not provided. There are manual pages and other methodologies available for doing that. For example, to view the man page for the ls(1) command, type:
man 1 ls
Administrators will rapidly become more familiar with NetBSD if they get used to using the manual pages.
Additionally, you should set “fetch_pkg_vulnerabilities=YES” in /etc/daily.conf to allow your system to automatically update the local database of known vulnerable packages to the latest version available on-line. The system will later check, on a daily basis, if any of your installed packages are vulnerable based on the contents of this database. See daily.conf(5) and security.conf(5) for more details.
root
”. You can do so on the console, or
over the network using ssh(1). If
you have enabled the SSH daemon (see
sshd(8)) and wish to allow root
logins over the network, edit the /etc/ssh/sshd_config
file and set “PermitRootLogin” to “yes” (see
sshd_config(5)). The
default is to not permit root logins over the network after fresh install in
NetBSD.
Upon successful login on the console, you may see the message “We recommend creating a non-root account...”. For security reasons, it is bad practice to login as root during regular use and maintenance of the system. In fact, the system will only let you login as root on a secure terminal. By default, only the console is considered to be a secure terminal. Instead, administrators are encouraged to add a “regular” user, add said user to the “wheel” group, then use the su(1) command when root privileges are required. This process is described in more detail later.
/usr/bin/passwd
to change it.
It is a good idea to always specify the full path name for both
the passwd(1) and
su(1) commands as this inhibits
the possibility of files placed in your execution
PATH
for most shells. Furthermore, the superuser's
PATH
should never contain the current directory
(“.”).
Examples:
date
200205101820
ln
-fs /usr/share/zoneinfo/Europe/Helsinki /etc/localtime
wscons.conf(5) contains more information about this file.
hostname
command to verify that the name of your
machine is correct. See the man page for
hostname(1) if it needs to be
changed. You will also need to change the contents of the
“hostname” variable in
/etc/rc.conf or edit the
/etc/myname file to have it stick around for the next
reboot. Note that “hostname” is supposed
include a domainname, and that this should not be confused with YP (NIS)
domainname(1). If you are
using dhcpcd(8) to configure
network interfaces, it might override these local hostname settings if your
DHCP server specifies client's hostname with other network configurations.
ifconfig -a
to see if the
network interfaces are properly configured. Correct by editing
/etc/ifconfig.interface or the
corresponding
“ifconfig_interface”
variable in rc.conf(5) (where
interface is the interface name, e.g.,
“le0”) and then using
ifconfig(8) to manually
configure it if you do not wish to reboot.
Alternatively, you can configure interfaces automatically via DHCP with dhcpcd(8) if you have a DHCP server running somewhere on your network. To get dhcpcd(8) to start automatically on boot, you will need to have this line in /etc/rc.conf:
dhcpcd=YES
See dhcpcd(8) and dhcpcd.conf(5) for more information on setting up a DHCP client.
You can add new “virtual interfaces” by adding the required entries to /etc/ifconfig.interface. Read the ifconfig.if(5) man page for more information on the format of /etc/ifconfig.interface files. The loopback interface will look something like:
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972 inet 127.0.0.1 netmask 0xff000000 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet6 ::1 prefixlen 128
an Ethernet interface something like:
le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255 inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1
and a PPP interface something like:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000
See mrouted(8) for instructions on configuring multicast routing.
netstat -rn
command. The output will look
something like:
Routing tables Internet: Destination Gateway Flags Refs Use Mtu Interface default 192.168.4.254 UGS 0 11098028 - le0 127 127.0.0.1 UGRS 0 0 - lo0 127.0.0.1 127.0.0.1 UH 3 24 - lo0 192.168.4 link#1 UC 0 0 - le0 192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0 192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0 Internet6: Destination Gateway Flags Refs Use Mtu Interface ::/96 ::1 UGRS 0 0 32972 lo0 => ::1 ::1 UH 4 0 32972 lo0 ::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0 fc80::/10 ::1 UGRS 0 0 32972 lo0 fe80::/10 ::1 UGRS 0 0 32972 lo0 fe80::%le0/64 link#1 UC 0 0 1500 le0 fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0 ff01::/32 ::1 U 0 0 32972 lo0 ff02::%le0/32 link#1 UC 0 0 1500 le0 ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0
The default gateway address is stored in the “defaultroute” variable in /etc/rc.conf, or in the file /etc/mygate. If you need to edit this file, a painless way to reconfigure the network afterwards is to issue
service network restart
Or, you may prefer to manually configure using a series of
route add
and route delete
commands (see route(8)). If you
run dhcpcd(8) you will have to
kill it by running
service dhcpcd stop
before you flush the routes.
If you wish to route packets between interfaces, add one or both of the following directives (depending on whether IPv4 or IPv6 routing is required) to /etc/sysctl.conf:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
As an alternative, compile a new kernel with the “GATEWAY” option. Packets are not forwarded by default, due to RFC requirements.
However, if this system has a large number of devices connected (e.g. for large scale storage), you may want to enable devpubd(8) to ensure a sufficient number of nodes are available. Set “devpubd=YES” in /etc/rc.conf to create nodes automatically during system runtime. You can also run the node creation script by hand:
cd /dev && sh MAKEDEV
service sshd start
The first time the server is started, it will generate a new keypair, which will be stored inside the directory /etc/ssh.
Multicast DNS and DNS Service Discovery are usually not enabled by default on a fresh NetBSD system, and can be enabled by setting “mdnsd=YES” in /etc/rc.conf, and either rebooting or running the following command:
service mdnsd start
If your network does not have a usable DNS resolver, e.g. one provided by DHCP, you can run a local caching recursive resolver by setting “named=YES” in /etc/rc.conf and either rebooting or running the following command:
service named start
named(8) is configured in /etc/named.conf by default to run as a local caching recursive resolver. Then, to make the system use it, put the following in /etc/resolv.conf:
nameserver 127.0.0.1
wpa_passphrase networkname password >> /etc/wpa_supplicant.conf
To to configure the system to connect to an open wireless network with no password, edit /etc/wpa_supplicant.conf instead of using wpa_passphrase(8):
network={ ssid="Public-WiFi" key_mgmt=NONE priority=100 }
Then bring up the interface and start the necessary daemons:
ifconfig iwm0 up
service wpa_supplicant onestart
service dhcpcd onestart
To automatically connect at boot, add the following to /etc/rc.conf:
ifconfig_iwm0="up"
dhcpcd=YES
wpa_supplicant=YES
While using wpa_supplicant(8), you can easily retrieve network scan results with wpa_cli(8):
wpa_cli scan_results
Or trigger a rescan:
wpa_cli scan
portmap
- being running for proper operation. This
includes YP (NIS) and NFS exports, among other services. To get the RPC
portmapper to start automatically on boot, you will need to have this line in
/etc/rc.conf:
rpcbind=YES
ypbind
, then
perform the remaining YP activation as described in
passwd(5) and
group(5).
In particular, to enable YP passwd support, you'll need to update /etc/nsswitch.conf to include “nis” for the “passwd” and “group” entries. A traditional way to accomplish the same thing is to add following entry to local passwd database via vipw(8):
+:*::::::::
Note this entry has to be the very last one. This traditional way works with the default nsswitch.conf(5) setting of “passwd”, which is “compat”.
There are many more YP man pages available to help you. You can find more information by starting with nis(8).
#
cat /etc/fstab
/dev/sd0a / ffs rw 1 1 /dev/sd0b none swap sw /dev/sd0e /usr ffs rw 1 2 /dev/sd0f /var ffs rw 1 3 /dev/sd0g /tmp ffs rw 1 4 /dev/sd0h /home ffs rw 1 5#
mount
/dev/sd0a on / type ffs (local) /dev/sd0e on /usr type ffs (local) /dev/sd0f on /var type ffs (local) /dev/sd0g on /tmp type ffs (local) /dev/sd0h on /home type ffs (local)#
df
Filesystem 1024-blocks Used Avail Capacity Mounted on /dev/sd0a 22311 14589 6606 69% / /dev/sd0e 203399 150221 43008 78% /usr /dev/sd0f 10447 682 9242 7% /var /dev/sd0g 18823 2 17879 0% /tmp /dev/sd0h 7519 5255 1888 74% /home#
pstat -s
Device 512-blocks Used Avail Capacity Priority /dev/sd0b 131072 84656 46416 65% 0
Edit /etc/fstab and use the mount(8) and umount(8) commands as appropriate. Refer to the above example and fstab(5) for information on the format of this file.
You may wish to do NFS mounts now too, or you can do them later.
ccdconfig -U
command to unload and the ccdconfig -C
command to
create tables internal to the kernel for the concatenated disks. You then
mount(8),
umount(8), and edit
/etc/fstab as needed.
ntpdate=YES
ntpd=YES
See date(1), ntpdate(8), ntpd(8), rdate(8), and timed(8) for more information on setting the system's date.
cd /etc
and edit most
of the files in that directory.
Note that the /etc/motd file is modified by /etc/rc.d/motd whenever the system is booted. To keep any custom message intact, ensure that you leave two blank lines at the top, or your message will be overwritten.
wheel:*:0:root,myself
Follow instructions for kerberos(8) if using Kerberos for authentication.
The directory /etc/rc.d contains a series of scripts used at startup/shutdown, called by /etc/rc. /etc/rc is in turn influenced by the configuration variables present in /etc/rc.conf.
The script /etc/rc.local is run as the last thing during multiuser boot, and is provided to allow any other local hooks necessary for the system.
Run newaliases(1) after changes.
nfs_server=YES mountd=YES rpcbind=YES
Edit /etc/exports and get it correct. After this, you can start the server by issuing:
service rpcbind start
service mountd start
service nfsd start
These scripts have been limited so as to keep the system running without filling up disk space from normal running processes and database updates. (You probably do not need to understand them.)
crontab -l
as root and
see if anything unexpected is present. Do you need anything else? Do you wish
to change things? For example, if you do not like root getting standard output
of the daily scripts, and want only the security scripts that are mailed
internally, you can type crontab -e
and change some of
the lines to read:
30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out 30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out 30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out
See crontab(5).
var/mail: permissions (0755, 0775) etc/daily: user (0, 3)
The best bet is to follow the advice in that list. The recommended setting is the first item in parentheses, while the current setting is the second one. This list is generated by mtree(8) using /etc/mtree/special. Use chmod(1), chgrp(1), and chown(8) as needed.
For most users, using pkgin to manage binary packages is recommended.
To install pkgin, if it was not done by the installer:
export PKG_PATH=https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/$(uname -p)/$(uname -r
|cut -d_ -f1)/All
pkg_add pkgin
pkgin update
pkgin install bash mpg123 fluxbox ...
See https://www.NetBSD.org/docs/pkgsrc/ and pkgsrc/doc/pkgsrc.txt for more details.
Copy vendor binaries and install them. You will need to install
any shared libraries, etc. (Hint: man -k compat
to
find out how to install and use compatibility mode.)
There is also other third-party software that is available in source form only, either because it has not been ported to NetBSD yet, because licensing restrictions make binary redistribution impossible, or simply because you want to build your own binaries. Sometimes checking the mailing lists for past problems that people have encountered will result in a fix posted.
October 5, 2020 | NetBSD 9.4 |