diff --git a/en_US.ISO8859-1/articles/committers-guide/article.sgml b/en_US.ISO8859-1/articles/committers-guide/article.sgml
index 5816b521c1..99a5884a48 100644
--- a/en_US.ISO8859-1/articles/committers-guide/article.sgml
+++ b/en_US.ISO8859-1/articles/committers-guide/article.sgml
@@ -1,2035 +1,2003 @@
%man;
%authors;
]>
Committer GuideThe FreeBSD Documentation Project
- $FreeBSD: doc/en_US.ISO_8859-1/articles/committers-guide/article.sgml,v 1.35 2000/08/16 17:41:40 dannyboy Exp $
+ $FreeBSD: doc/en_US.ISO_8859-1/articles/committers-guide/article.sgml,v 1.36 2000/08/23 20:36:53 ben Exp $19992000The FreeBSD Documentation ProjectThis document provides information for the FreeBSD committer
community. All new committers should read this document before they
start, and existing committers are strongly encouraged to review it
from time to time.Administrative DetailsMain Repository Hostfreefall.FreeBSD.org
-
-
- International Crypto Repository Host
-
- internat.FreeBSD.org
-
-
Login Methods&man.ssh.1;Main CVSROOT/home/ncvs
-
- International Crypto CVSROOT
- /home/cvs.crypt
-
-
Main CVS Repository Meisters&a.jdp; and &a.peter; as well as &a.asami; for
ports/
-
-
- International Crypto CVS Repository Meister
-
- &a.markm;
-
-
Mailing Listcvs-committers@FreeBSD.orgNoteworthy CVS TagsRELENG_3 (3.x-STABLE), RELENG_4 (4.x-STABLE), HEAD (-CURRENT)It is required that you use &man.ssh.1; or &man.telnet.1;
with Kerberos 5 to connect to the repository hosts. These are
generally more secure than plain &man.telnet.1; or
&man.rlogin.1; since credential negotiation will always be
encrypted. All traffic is encrypted by default with &man.ssh.1;.
With utilities like &man.ssh-agent.1; and &man.scp.1; also
available, &man.ssh.1; is also far more convenient. If you do
not know anything about &man.ssh.1;, please see
.CVS OperationsIt is assumed that you are already familiar with the basic operation
of CVS.The CVS Repository Meisters (Peter Wemm and John Polstra)
are the owners of the CVS repository and are
responsible for any and all direct
modification of it for the purposes of cleanup or fixing some
grievous abuse of CVS by a committer. No one else should
attempt to touch the repository directly. Should you cause some
repository accident, say a bad cvs import or tag operation, do
not attempt to fix it yourself!
Mail or call John or Peter immediately and report the problem to
one of them instead. The only ones allowed to directly fiddle
the repository bits are the repomeisters. Satoshi Asami is also a
repomeister for the ports/ portion of the
- tree. Mark Murray is the repomeister for the International
- Crypto Repository in South Africa.
+ tree.
CVS operations are usually done by logging into
freefall, making sure the
CVSROOT environment variable is set to
/home/ncvs, and then doing the appropriate
check-out/check-in operations. If you wish to add
something which is wholly new (like contrib-ified
sources, etc), a script called easy-import is
also provided for making the process easier. It automatically
adds the new module entry, does the appropriate thing with
cvs import, etc. – just run it without
arguments and it will prompt you for everything it needs to
know.Note that when you use CVS on freefall, you
should set your umask to 2,
as well as setting the CVSUMASK environmenet
variable to 2. This ensures that any new
files created by cvs add will have the correct
permissions. If you add a file or directory and discover that the
file in the repository has incorrect permissions (specifically,
all files in the repository should be group writable by group
ncvs), contact one of the repository meisters
as described below.If you are familiar with remote CVS and consider yourself
pretty studly with CVS in general, you can also do CVS
operations directly from your own machine and local working
sources. Just remember to set CVS_RSH to
ssh so that you are using a relatively
secure and reliable transport. If you have no idea what any of
the above even means, on the other hand, then please stick with
logging into freefall and applying your diffs
with &man.patch.1;.If you need to use CVS add and
delete operations in a manner that is
effectively a mv operation, then a repository
copy is in order rather than your CVS add and
delete. In a repository copy, a CVS Meister will copy the file(s)
to their new name and/or location and let you know when it is
done. The purpose of a repository copy is to preserve file
change history, or logs. We in the FreeBSD Project greatly
value the change history CVS gives to the project.CVS reference information, tutorials, and FAQs can also be found at:
http://www.cyclic.com/CVS/support&a.des; also supplied the following mini primer for
CVS.Check out a module with the co or
checkout command.&prompt.user; cvs checkout shazamThis checks out a copy of the shazam module. If
there is no shazam module in the modules file, looks for a
top-level directory named shazam instead.Useful options:Don't create empty directoriesCheck out a single level, no subdirectoriesCheck out revision, branch or tag
revCheck out the sources as they were on date
dataPractical FreeBSD examples:Check out the miscfs module,
which corresponds to src/sys/miscfs:&prompt.user; cvs co miscfsYou now have a directory named miscfs
with subdirectories CVS,
deadfs, devfs, and so
on. One of these (linprocfs) is
empty.Check out the same files, but with full path:&prompt.user; cvs co src/sys/miscfsYou now have a directory named src,
with subdirectories CVS and
sys. src/sys has
subdirectories CVS and
miscfs, etc.Check out the same files, but prunes empty
directories:&prompt.user; cvs co -P miscfsYou now have a directory named
miscfs with subdirectories
CVS, deadfs,
devfs... but note that there is no
linprocfs subdirectory, because there
are no files in it.Check out the directory miscfs, but
none of the subdirectories:&prompt.root; cvs co -l miscfsYou now have a directory named miscfs
with just one subdirectory named
CVS.Check out the miscfs module as
it is in the 4.x branch:&prompt.user; cvs co -rRELENG_4 miscfsYou can modify the sources and commit along this
branch.Check out the miscfs module as
it was in 3.4-RELEASE.&prompt.user; cvs co -rRELENG_3_4_0_RELEASE miscfsYou will not be able to commit modifications, since
RELENG_3_4_0_RELEASE is a point in time, not a branch.Check out the miscfs module as it was
on Jan 15 2000.&prompt.user; cvs co -D'01/15/2000' miscfsYou will not be able to commit modifications.Check out the miscfs module as it was
one week agao.&prompt.user; cvs co -D'last week' miscfsYou will not be able to commit modifications.Note that cvs stores metadata in subdirectories named
CVS.Arguments to and
are sticky, which means cvs will remember them later, e.g.
when you do a cvs update.Check the status of checked-out files with the
status command.&prompt.user; cvs status shazamThis displays the status of the
shazam file or of every file in the
shazam directory. For every file, the
status is given as one of:Up-to-dateFile is up-to-date and unmodified.Needs PatchFile is unmodified, but there's a newer revision in
the repository.Locally ModifiedFile is up-to-date, but modified.Needs MergeFile is modified, and there's a newer revision in the
repository.File had conflicts on mergeThere were conflicts the last time this file was
updated, and they haven't been resolved yet.You'll also see the local revision and date,
the revision number of the newest applicable version
(newest applicable because if you have a
sticky date, tag or branch, it may not be the actual newest
revision), and any sticky tags, dates or options.Once you've checked something out, update it with the
update command.&prompt.user; cvs update shazamThis updates the shazam file or the
contents of the shazam directory to the
latest version along the branch you checked out. If you
checked out a point in time, does nothing
unless the tags have moved in the repo or some other weird
stuff is going on.Useful options, in addition to those listed above for
checkout:Check out any additional missing directories.Update to head of main branch.More magic (see below).If you checked out a module with or
, running cvs update
with a different or
argument or with will select a new branch,
revision or date. The option clears all
sticky tags, dates or revisions whereas
and set new ones.Theoretically, specifying HEAD as
argument to will give you the same result
as , but that's just theory.The option is useful if:somebody has added subdirectories to the module
you've checked out after you checked it out.you checked out with , and later
change your mind and want to check out the subdirectories
as well.you deleted some subdirectories and want to check
them all back out.Watch the output of the cvs
update with care. The letter in front of
each file name indicates what was done with it:UThe file was updated with no trouble.PThe file was updated with no trouble (you'll only see
this when working against a remote repo).MThe file had been modified, and was merged with no
conflicts.CThe file had been modified, and was merged with
conflicts.Merging is what happens if you check out a copy of
some source code, modify it, then someone else commits a
change, and you run cvs update. CVS notices
that you've made local changes, and tries to merge your
changes with the changes between the version you originally
checked out and the one you updated to. If the changed are to
separate portions of the file, it'll almost always work fine
(though the result might not be syntactically or semantically
correct).CVS will print an 'M' in front of every locally modified
file even if there is no newer version in the repository, so
cvs update is handy for getting a summary
of what you've changed locally.If you get a C, then your changes
conflicted with the changes in the repository (the changes
were to the same lines, or neighboring lines, or you changed
the local file so much that cvs can't
figure out how to apply the repository's changes). You'll have
to go through the file manually and resolve the conflicts;
they'll be marked with rows of <,
= and > signs. For
every conflict, there'll be a marker line with seven
< signs and the name of the file,
followed by a chunk of what your local file contained,
followed by a separator line with seven =
signs, followed by the corresponding chunk in the
repository version, followed by a marker line with seven
> signs and the revision number you
updated to.The option is slightly voodoo. It
updates the local file to the specified revision as if you
used , but it does not change the recorded
revision number or branch of the local file. It's not really
useful except when used twice, in which case it will merge the
changes between the two specified versions into the working
copy.For instance, say you commit a change to
shazam/shazam.c in -CURRENT and later
want to MFC it. The change you want to MFC was revision
1.15:Check out the -STABLE version of the
shazam module:&prompt.user; cvs co -rRELENG_4 shazamApply the changes between rev 1.14 and 1.15:&prompt.user; cvs update -j1.14 -j1.15 shazam/shazam.cYou'll almost certainly get a conflict because
- of the $Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $ (or in FreeBSD's case,
+ of the $Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $ (or in FreeBSD's case,
$FreeBSD$) lines, so you'll have to edit
the file to resolve the conflict (remove the marker lines and
- the second $Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $ line, leaving the original
- $Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $ line intact).
+ the second $Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $ line, leaving the original
+ $Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $ line intact).
View differences between the local version and the
repository version with the diff
command.&prompt.user; cvs diff shazamshows you every modification you've made to the
shazam file or module.Useful options:Uses the unified diff format.Shows missing or added files.You always want to use , since
unified diffs are much easier to read than almost any other
diff format (in some circumstances, context diffs may be
better, but they're much bulkier). A unified diff consists of
a series of hunks. Each hunk begins with a line that starts
with two @ signs and specifies where in the
file the differences are and how many lines they span. This
is followed by a number of lines; some (preceded by a blank)
are context; some (preceded by a - sign)
are outtakes and some (preceded by a +) are
additions.You can also diff against a different version
than the one you checked out by specifying a version
with or as in
checkout or update,
or even view the diffs between two arbitrary versions
(with no regard for what you have locally) by specifying
two versions with or
.View log entries with the log
command.&prompt.user; cvs log shazamSee who did what with the annotate command.
This command shows you each line of the specified file or
files, along with which user most recently changed that
line.&prompt.user; cvs annotate shazamAdd new files with the add command.Create the file, cvs add it, then
cvs commit it.Similarly, you can add new directories by creating them
and then cvs adding them. Note that you
don't need to commit directories.Remove obsolete files with the remove command.Remove the file, then cvs rm it, then
cvs commit it.Commit with the commit or
checkin command.Useful options:Force a commit of an unmodified file.Specify a commit message on the command line rather
than invoking an editor.Use the option if you realize that
you left out important information from the commit message.Good commit messages are important. They tell others
why you did the changes you did, not just right here and now,
but months or years from now when someone wonders why some
seemingly illogical or inefficient piece of code snuck into
your source file. It's also an invaluable aid to deciding
which changes to MFC and which not to MFC.Don't waste space in the commit messages explaining
what you did. That's what
cvs diff is for. Instead, tell us
why you did it.Avoid committing several unrelated changes in one go. It
makes merging difficult, and also makes it harder to determine
which change is the culprit if a bug crops up.Avoid committing style or whitespace fixes and
functionality fixes in one go. It makes merging difficult,
and also makes it harder to understand just what functional
changes were made.Avoid committing changes to multiple files in one go
with a generic, vague message. Instead, commit each file (or
small groups of files) with tailored commit messages.Before committing, always:verify which branch you're committing to, using
cvs status.review your diffs, using
cvs diffAlso, ALWAYS specify which files to commit explicitly on
the command line, so you don't accidentally commit other files
than the ones you intended - cvs commit
with no arguments will commit every modification in your
current working directory and every subdirectory.Additional tips and tricks:You can place commonly used options in your
~/.cvsrc, like this:cvs -z3
diff -Nu
update -Pd
checkout -PThis example says:always use compression level 3 when talking to a
remote server. This is a life-saver when working over a
slow connection.always use the (show added or
removed files) and (unified diff
format) options to &man.diff.1;.always use the (prune empty
directories) and (check out new
directories) options when updating.always use the (prune empty
directories) option when checking out.Use Eivind Eklund's cdiff script to
view unidiffs. It's a wrapper for &man.less.1; that adds ANSI
color codes to make hunk headers, outtakes and additions stand
out; context and garbage are unmodified. It also expands tabs
properly (tabs often look wrong in diffs because of the extra
character in front of each line).http://people.freebsd.org/~eivind/cdiffSimply use instead of &man.more.1; or &man.less.1;:&prompt.user; cvs diff -Nu shazam | cdiffAlternatively some editors like &man.vim.1;
(ports/editors/vim5) have color support and when used as
a pager with color syntax highlighting switched on will
highlight many types of file, including diffs, patches,
and cvs/rcs logs. &prompt.user; echo "syn on" >> ~/.vimrc
&prompt.user; cvs diff -Nu shazam | vim -
&prompt.user; cvs log shazam | vim -CVS is old, arcane, crufty and buggy, and sometimes
exhibits non-deterministic behavior which some claim as proof
that it's actually merely the newtonian manifestation of a
sentient transdimensional entity. It's not humanly possible
to know its every quirk inside out, so don't be afraid to ask
the resident AI (cvs@FreeBSD.org) for help when
you screw up.Conventions and TraditionsAs a new committer there are a number of things you should do
first.Add yourself to the Developers section of the
Handbook and remove yourself from the Additional
Contributors section.This is a relatively easy task, but remains a good first test of
your CVS skills.Add an entry for yourself to
www/en/news/newsflash.sgml. Look for the other
entries that look like A new committer and follow the
format.Some people also add an entry for themselves to
ports/astro/xearth/files/freebsd.committers.markers.Introduce yourself to the other committers, otherwise no one
will have any idea who you are or what you are working on. You do
not have to write a comprehensive biography, just write a paragraph
or two about who you are and what you plan to be working on as a
committer in FreeBSD. Email this to
cvs-committers@FreeBSD.org and you will be on your
way!Log into hub.FreeBSD.org and create a
/var/forward/user
(where user is your username) file
containing the e-mail address where you want mail addressed to
yourusername@FreeBSD.org to be forwarded.
This includes all of the commit messages as well as any other mail
addressed to cvs-committers@FreeBSD.org. Really
large mailboxes which have taken up permanent residence on
hub often get accidently truncated
without warning, so forward it or read it and you will not lose
it.All new committers also have a mentor assigned to them for
the first few months. Your mentor is more or less responsible for
explaining anything which is confusing to you and is also
responsible for your actions during this initial period. If you
make a bogus commit, it is only going to embarrass your mentor
and you should probably make it a policy to pass at least your
first few commits by your mentor before committing it to the
repository.All commits should go to -CURRENT first
before being merged to -STABLE. No major new
features or high-risk modifications should be made to the
-STABLE branch.Developer RelationsIf you are working directly on your own code or on code
which is already well established as your responsibility, then
there is probably little need to check with other committers
before jumping in with a commit. If you see a bug in an area of
the system which is clearly orphaned (and there are a few such
areas, to our shame), the same applies. If, however, you are
about to modify something which is clearly being actively
maintained by someone else (and it is only by watching the
cvs-committers mailing list that you can
really get a feel for just what is and is not) then consider
sending the change to them instead, just as you would have
before becoming a committer. For ports, you should contact the
listed MAINTAINER in the
Makefile. For other parts of the
repository, if you are unsure who the active maintainer might
be, it may help to scan the output of cvs log
to see who has committed changes in the past. &a.fenner; has
written a nice shell script that can help determine who the
active maintainer might be. It lists each person who has
committed to a given file along with the number of commits each
person has made. It can be found on freefall
at ~fenner/bin/whodid. If your queries go
unanswered or the committer otherwise indicates a lack of
proprietary interest in the area affected, go ahead and commit
it.If you are unsure about a commit for any reason at
all, have it reviewed by -hackers
before committing. Better to have it flamed then and there
rather than when it is part of the CVS repository. If you do
happen to commit something which results in controversy
erupting, you may also wish to consider backing the change out
again until the matter is settled. Remember – with CVS we
can always change it back.GNATSThe FreeBSD Project utilizes
GNATS for tracking bugs and change
requests. Be sure that if you commit a fix or suggestion found
in a GNATS PR, you use
edit-pr pr-number
on freefall to close it. It is also considered
nice if you take time to close any PRs associated with your
commits, if appropriate. Your can also make use of
&man.send-pr.1; yourself for proposing any change which you feel
should probably be made, pending a more extensive peer-review
first.You can find out more about GNATS
at:http://www.cs.utah.edu/csinfo/texinfo/gnats/gnats.htmlhttp://www.FreeBSD.org/support.htmlhttp://www.FreeBSD.org/send-pr.html&man.send-pr.1;You can run a local copy of GNATS, and then integrate the FreeBSD
GNATS tree in to it using CVSup. Then you can run GNATS commands
locally, or use other interfaces, such as tkgnats.
This lets you query the PR database without needing to be connected to
the Internet.Using a local GNATS treeIf you are not already downloading the GNATS tree, add this line
to your supfile, and re-sup. Note that since
GNATS is not under CVS control it has no tag, so if you are adding
it to your existing supfile it should appear
before any tag= entry as these remain active once set.
gnats release=current prefix=/usrThis will place the FreeBSD GNATS tree in
/usr/gnats. You can use a
refuse file to control which categories to
receive. For example, to only receive docs PRs,
put this line in
/usr/local/etc/cvsup/sup/refuseThe precise path depends on the *default
base setting in your
supfile..gnats/[a-ce-z]*The rest of these examples assume you have only supped the
docs category. Adjust them as necessary,
depending on the categories you are synching.Install the GNATS port from
ports/databases/gnats. This will place the
various GNATS directories under
$PREFIX/share/gnats.Symlink the GNATS directories you are supping under the version
of GNATS you have installed.&prompt.root; cd /usr/local/share/gnats/gnats-db
&prompt.root; ln -s /usr/gnats/docsRepeat as necessary, depending on how many GNATS categories you
are synching.Update the GNATS categories file with these
cageories. The file is
$PREFIX/share/gnats/gnats-db/gnats-adm/categories.# This category is mandatory
pending:Category for faulty PRs:gnats-admin:
#
# FreeBSD categories
#
docs:Documentation Bug:nik:Run $PREFIX/libexec/gnats/gen-index to
recreate the GNATS index. The output has to be redirected to
$PREFIX/share/gnats/gnats-db/gnats-adm/index.
You can do this periodically from &man.cron.8;, or run &man.cvsup.1;
from a shell script that does this as well.&prompt.root; /usr/local/libexec/gnats/gen-index \
> /usr/local/share/gnats/gnats-db/gnats-adm/indexTest the configuration by querying the PR database. This
command shows open docs PRs.&prompt.root; query-pr -c docs -s openOther interfaces, like
ports/databases/tkgnats should also work
nicely.Pick a PR and close it.This procedure only works to allow you to view and query the PRs
locally. To edit or close them you will still have to log in to
freefall and do it from there.Who's WhoBesides Peter Wemm and John Polstra, the repository
meisters, there are other FreeBSD project members whom you will
probably get to know in your role as a committer. Briefly,
and by no means all-inclusively, these are:&a.asami;Satoshi is the Ports Wraith, meaning that he has
ultimate authority over any modifications to the ports
collection or the ports skeleton makefiles. He is also
the one responsible for administering ports freezes before
the releases.&a.bde;Bruce is the Obersturmbahnfuhrer of the Style Police.
When you do a commit that could have been done better,
Bruce will be there to tell you. Be thankful that someone
is.&a.dg;David is our principal architect and overseer of the
VM system. If you have a VM system change in mind,
coordinate it with David. Should you become locked in a
bitter, intractable dispute with some other committer over
a proposed change (which does not happen very often,
thankfully) then an appeal to David to put on his P.A. hat
and make a final decision might be necessary.&a.jkh;Jordan is the release engineer. He is responsible for
setting release deadlines and controlling the release
process. During code freezes, he also has final authority
on all changes to the system for whichever branch is
pending release status. If there is something you want
merged from -CURRENT to
-STABLE (whatever values those may have
at any given time), he is also the one to talk to about
it.
-
- &a.markm;
-
- Mark is the CVS repository meister for the
- international crypto repository kept on
- internat.FreeBSD.org in South Africa.
-
- Mark also oversees most of the crypto code; if you have
- any crypto updates, please ask Mark first.
-
-
-
&a.steve;Steve is the unofficial maintainer of
src/bin. If you have something
significant you'd like to do there, you should probably
coordinate it with Steve first. He is also a Problem
Report-meister, along with &a.phk;.&a.brian;Official maintainer of
/usr/bin/ppp and LPD.&a.wollman;If you need advice on obscure network internals or
aren't sure of some potential change to the networking
subsystem you have in mind, Garrett is someone to talk
to.SSH Quick-Start GuideIf you are using FreeBSD 4.0 or later,
OpenSSH is included in the base system.
If you are using an earlier release,
update and install one of the SSH ports. In general,
you will probably want to get OpenSSH from the port in
/usr/ports/security/openssh. You
may also wish to check out the original ssh1 in
/usr/ports/security/ssh, but make
certain you pay attention to its license. Note that both
of these ports cannot be installed at the same time.If you do not wish to to type your password in every
time you use &man.ssh.1;, and you use RSA keys to
authenticate, &man.ssh-agent.1; is there for your
convenience. If you want to use &man.ssh-agent.1;, make
sure that you run it before running other applications. X
users, for example, usually do this from their
.xsession or
.xinitrc file. See &man.ssh-agent.1;
for details.Generate a key pair using &man.ssh-keygen.1;. The key
pair will wind up in the
$HOME/.ssh
directory.Send your public key
($HOME/.ssh/identity.pub)
to the person setting you up as a committer so it can be put
into your authorized_keys file in your
home directory on freefall
(i.e.
$HOME/.ssh/authorized_keys).
Now you should be able to use &man.ssh-add.1; for
authentication once per session. This will prompt you for
your private key's pass phrase, and then store it in your
authentication agent (&man.ssh-agent.1;). If you no longer
wish to have your key stored in the agent, issuing
ssh-add -d will remove it.Test by doing something such as ssh
freefall.FreeBSD.org ls /usr.For more information, see
/usr/ports/security/openssh, &man.ssh.1;,
&man.ssh-add.1;, &man.ssh-agent.1;, &man.ssh-keygen.1;, and
&man.scp.1;.The FreeBSD Committers' Big List of RulesRespect other committers.Discuss any significant change
before committing.Respect existing maintainers if listed in the
(MAINTAINER field in
Makefile or in the
MAINTAINER file in the top-level
directory).Never touch the repository directly. Ask a
Repomeister.Any disputed change must be backed out pending
resolution of the dispute if requested by a maintainer or
the Principal Architect. Security related changes may
override a maintainer's wishes at the Security Officer's
discretion.Changes go to -CURRENT before
-STABLE unless specifically permitted by
the release engineer or unless they're not applicable to
-CURRENT. Any non-trivial or non-urgent
change which is applicable should also be allowed to sit in
-CURRENT for at least 3 days before
merging so that it can be given sufficient testing. The
release engineer has the same authority over the
-STABLE branch as outlined for the
Principal Architect in rule #5.Don't fight in public with other committers; it looks
bad. If you must strongly disagree about
something, do so only in private.Respect all code freezes and read the
committers mailing list on a timely basis
so you know when a code freeze is in effect.When in doubt on any procedure, ask first!Test your changes before committing them.As noted, breaking some of these rules can be grounds for
suspension or, upon repeated offense, permanent removal of
commit privileges. Three or more members of core, or the
Principal Architect and another member of core acting in unison,
have the power to temporarily suspend commit privileges until
-core as a whole has the chance to review the
issue. In case of an emergency (a committer
doing damage to the repository), a temporary suspension may also
be done by the repository meisters or any other member of core
who may happen to be awake at the time. Only core as a whole
has the authority to suspend commit privileges for any
significant length of time or to remove them permanently, the
latter generally only being done after consultation with
committers. This rule does not exist to set core up as a bunch
of cruel dictators who can dispose of committers as casually as
empty soda cans, but to give the project a kind of safety fuse.
If someone is seriously out of control, it's important to be
able to deal with this immediately rather than be paralyzed by
debate. In all cases, a committer whose privileges are
suspended or revoked is entitled to a hearing,
the total duration of the suspension being determined at that
time. A committer whose privileges are suspended may also
request a review of the decision after 30 days and every 30 days
thereafter (unless the total suspension period is less than 30
days). A committer whose privileges have been revoked entirely
may request a review after a period of 6 months have elapsed.
This review policy is strictly informal
and, in all cases, core reserves the right to either act on or
disregard requests for review if they feel their original
decision to be the right one.In all other aspects of project operation, core is a subset
of committers and is bound by the same
rules. Just because someone is in core doesn't mean
that they have special dispensation to step outside of any of
the lines painted here; core's special powers
only kick in when it acts as a group, not on an individual
basis. As individuals, we are all committers first and core
second.DetailsRespect other committers.This means that you need to treat other committers as
the peer-group developers that they are. Despite our
occasional attempts to prove the contrary, one doesn't get
into committers by being stupid and nothing rankles more
than being treated that way by one of your peers. Whether
we always feel respect for one another or not (and
everyone has off days), we still have to
treat other committers with respect
at all times or the whole team structure rapidly breaks
down.Being able to work together long term is this project's
greatest asset, one far more important than any set of
changes to the code, and turning arguments about code into
issues that affect our long-term ability to work
harmoniously together is just not worth the trade-off by
any conceivable stretch of the imagination.To comply with this rule, don't send email when you're
angry or otherwise behave in a manner which is likely to
strike others as needlessly confrontational. First calm
down, then think about how to communicate in the most
effective fashion for convincing the other person(s) that
your side of the argument is correct, don't just blow off
some steam so you can feel better in the short term at the
cost of a long-term flame war. Not only is this very bad
energy economics, but repeated displays of
public aggression which impair our ability to work well
together will be dealt with severely by the project
leadership and may result in suspension or termination of
your commit privileges. That's never an option which the
project's leadership enjoys in the slightest, but unity
comes first. No amount of code or good advice is worth
trading that away.Discuss any significant change
before committing.The CVS repository is not where changes should be
initially submitted for correctness or argued over, that
should happen first in the mailing lists and then
committed only once something resembling consensus has
been reached. This doesn't mean that you have to ask
permission before correcting every obvious syntax error or
man page misspelling, simply that you should try to
develop a feel for when a proposed change isn't quite such
a no-brainer and requires some feedback first. People
really don't mind sweeping changes if the result is
something clearly better than what they had before, they
just don't like being surprised by
those changes. The very best way of making sure that
you're on the right track is to have your code reviewed by
one or more other committers.When in doubt, ask for review!Respect existing maintainers if listed.Many parts of FreeBSD aren't owned in
the sense that any specific individual will jump up and
yell if you commit a change to their area,
but it still pays to check first. One convention we use
is to put a maintainer line in the
Makefile for any package or subtree
which is being actively maintained by one or more people;
see http://www.FreeBSD.org/handbook/policies.html
for documentation on this. Where sections of code have
several maintainers, commits to affected areas by one
maintainer need to be reviewed by at least one other
maintainer. In cases where the
maintainer-ship of something isn't clear,
you can also look at the CVS logs for the file(s) in
question and see if someone has been working recently or
predominantly in that area.Other areas of FreeBSD fall under the control of
someone who manages an overall category of FreeBSD
evolution, such as internationalization or networking.
See http://www.FreeBSD.org/handbook/staff-who.html
for more information on this.Never touch the repository directly. Ask a
Repomeister.This is pretty clear - you're not allowed to make
direct modifications to the CVS repository, period. In
case of difficulty, ask one of the repository meisters by
sending mail to cvs@FreeBSD.org and simply
wait for them to fix the problem and get back to you. Do
not attempt to fix the problem yourself!If you're thinking about putting down a tag or doing a
new import of code on a vendor branch, you might also find
it useful to ask for advice first. A lot of people get
this wrong the first few times and the consequences are
expensive in terms of files touched and angry CVSup/CTM
folks who are suddenly getting a lot of changes sent over
unnecessarily.Any disputed change must be backed out pending
resolution of the dispute if requested by a maintainer or
the Principal Architect. Security related changes may
override a maintainer's wishes at the Security Officer's
discretion.This may be hard to swallow in times of conflict (when
each side is convinced that they're in the right, of
course) but CVS makes it unnecessary to have an ongoing
dispute raging when it's far easier to simply reverse the
disputed change, get everyone calmed down again and then
try and figure out how best to proceed. If the change
turns out to be the best thing after all, it can be easily
brought back. If it turns out not to be, then the users
didn't have to live with the bogus change in the tree
while everyone was busily debating its merits. People
very very rarely call for back-outs in the repository
since discussion generally exposes bad or controversial
changes before the commit even happens, but on such rare
occasions the back-out should be done without argument so
that we can get immediately on to the topic of figuring
out whether it was bogus or not.Changes go to -CURRENT before
-STABLE unless specifically permitted
by the release engineer or unless they're not applicable
to -CURRENT. Any non-trivial or
non-urgent change which is applicable should also be
allowed to sit in -CURRENT for at least
3 days before merging so that it can be given sufficient
testing. The release engineer has the same authority over
the -STABLE branch as outlined in rule
#5.This is another don't argue about it
issue since it's the release engineer who is ultimately
responsible (and gets beaten up) if a change turns out to
be bad. Please respect this and give the release engineer
your full cooperation when it comes to the
-STABLE branch. The management of
-STABLE may frequently seem to be
overly conservative to the casual observer, but also bear
in mind the fact that conservatism is supposed to be the
hallmark of -STABLE and different rules
apply there than in -CURRENT. There's
also really no point in having -CURRENT
be a testing ground if changes are merged over to
-STABLE immediately. Changes need a
chance to be tested by the -CURRENT
developers, so allow some time to elapse before merging
unless the -STABLE fix is critical,
time sensitive or so obvious as to make further testing
unnecessary (spelling fixes to manpages, obvious bug/typo
fixes, etc.) In other words, apply common sense.Don't fight in public with other committers; it looks
bad. If you must strongly disagree about
something, do so only in private.This project has a public image to uphold and that
image is very important to all of us, especially if we are
to continue to attract new members. There will be
occasions when, despite everyone's very best attempts at
self-control, tempers are lost and angry words are
exchanged, and the best we can do is try and minimize the
effects of this until everyone has cooled back down. That
means that you should not air your angry words in public
and you should not forward private correspondence to
public mailing lists or aliases. What people say
one-to-one is often much less sugar-coated than what they
would say in public, and such communications therefore
have no place there - they only serve to inflame an
already bad situation. If the person sending you a
flame-o-gram at least had the grace to send it privately,
then have the grace to keep it private yourself. If you
feel you are being unfairly treated by another developer,
and it is causing you anguish, bring the matter up with
core rather than taking it public. We will do our best to
play peace makers and get things back to sanity. In cases
where the dispute involves a change to the codebase and
the participants do not appear to be reaching an amicable
agreement, core may appoint a mutually-agreeable 3rd party
to resolve the dispute. All parties involved must then
agree to be bound by the decision reached by this 3rd
party.Respect all code freezes and read the
committers mailing list on a timely
basis so you know when they are.Committing changes during a code freeze is a really
big mistake and committers are expected to keep up-to-date
on what's going on before jumping in after a long absence
and committing 10 megabytes worth of accumulated stuff.
People who abuse this on a regular basis will have their
commit privileges suspended until they get back from the
FreeBSD Happy Reeducation Camp we run in Greenland.When in doubt on any procedure, ask first!Many mistakes are made because someone is in a hurry
and just assumes they know the right way of doing
something. If you have not done it before, chances are
good that you do not actually know the way we do things
and really need to ask first or you are going to
completely embarrass yourself in public. There's no shame
in asking how in the heck do I do this? We
already know you are an intelligent person; otherwise, you
would not be a committer.Test your changes before committing them.This may sound obvious, but if it really were so
obvious then we probably wouldn't see so many cases of
people clearly not doing this. If your changes are to the
kernel, make sure you can still compile both GENERIC and
LINT. If your changes are anywhere else, make sure you
can still make world. If your changes are to a branch,
make sure your testing occurs with a machine which is
running that code. If you have a change which also may
break another architecture, be sure and test on all
supported architectures. Currently, this is only the x86
and the alpha so it's pretty easy to do. If you need to
test on the AXP, your account on beast.FreeBSD.org will let you
compile and test alpha binaries/kernels/etc. As other
architectures are added to the FreeBSD supported platforms
list, the appropriate shared testing resources will be
made available.Other SuggestionsWhen committing documentation changes, use a spell checker
before committing. :) For all SGML docs, you should also
verify that your formatting directives are correct by running
make lint.For all on-line manual pages, run manck
(from ports) over the man page to verify the all of the cross
references and file references are correct and that the man
page has all of the appropriate MLINKs
installed.Do not mix style fixes with new functionality. A style
fix is any change which does not modify the functionality of
the code. Mixing the changes obfuscates the functionality
change when using cvs diff, which can hide
any new bugs. Do not include whitespace changes with content
changes in commits to doc/ or
www/. The extra clutter in the diffs
makes the translators' job much more difficult. Instead, make
any style or whitespace changes in seperate commits that are
clearly labeled as such in the commit message.Ports Specific FAQImporting a New PortHow do I import a new port?First, please read the section about repository
copy.The easiest way to import a new port is to use the
addport script on
freefall. It will import a port from the
directory you specify, determining the category automatically
from the port Makefile.
It will also add an entry to the
CVSROOT/modules file and the port's
category Makefile. It was
written by &a.mharo; and &a.will;, but Will is the current
maintainer so please send questions/patches about
addport to him.Any other things I need to know when I import a new
port?Check the port, preferably to make sure it compiles
and packages correctly. This is the recommended
sequence:&prompt.root; make install
&prompt.root; make package
&prompt.root; make deinstall
&prompt.root; pkg_add package you built above
&prompt.root; make deinstall
&prompt.root; make reinstall
&prompt.root; make packageThe
Porters
Handbook contains more detailed
instructions.Use &man.portlint.1; to check the syntax of the port.
You don't necessarily have to eliminate all warnings but
make sure you have fixed the simple ones.If the port came from a submitter who has not
contributed to the project before, add that person's
name to the Handbook's Additional Contributors
section.Close the PR if the port came in as a PR. To close
a PR, just do
edit-pr PR#
on freefall and change the
state from open
to closed. You will be asked to
enter a log message and then you are done.Repository CopiesWhen do we need a repository copy?When you want to import a port that is related to
any port that is already in the tree in a separate
directory, please send mail to the ports manager asking
about it. Here related means
it is a different version or a slightly modified
version. Examples are
print/ghostscript* (different
versions) and x11-wm/windowmaker*
(English-only and internationalized version).Another example is when a port is moved from one
subdirectory to another, or when you want to change the
name of a directory because the author(s) renamed their
software even though it is a
descendant of a port already in a tree.When do we not need a
repository copy?When there is no history to preserve. If a port is
imported into a wrong category and is moved immediately,
it suffices to simply cvs remove the
old one and cvs import the new
one.What do I need to do?Send mail to the ports manager, who will do a copy
from the old location/name to the new location/name.
You will then get a notice, at which point you are
expected to perform the following:cvs remove the old port (if
necessary)Adjust the parent (category)
MakefileUpdate CVSROOT/modulesIf other ports depend on the updated port,
change their Makefiles'
dependency linesIf the port changed categories, modify the
CATEGORIES line of the port's
Makefile accordinglyPorts FreezeWhat is a ports freeze?Before a release, it is necessary to restrict
commits to the ports tree for a short period of time
while the packages and the release itself are being
built. This is to ensure consistency among the various
parts of the release, and is called the ports
freeze.How long is a ports freeze?Usually two to three days.What does it mean to me?During the ports freeze, you are not allowed to
commit anything to the tree without explicit approval
from the ports manager. Explicit
approval here means either of the
following:You asked the ports manager and got a reply
saying, Go ahead and commit
it.The ports manager sent a mail to you or the
mailing lists during the ports freeze pointing out
that the port is broken and has to be fixed.Note that you do not have implicit permission to fix
a port during the freeze just because it is
broken.How do I know when the ports freeze starts?The ports manager will send out warning messages to
the freebsd-ports@FreeBSD.org and
cvs-committers@FreeBSD.org mailing lists
announcing the start of the impending release, usually
two or three weeks in advance. The exact starting time
will not be determined until a few days before the
actual release. This is because the ports freeze has to
be synchronized with the release, and it is usually not
known until then when exactly the release will be
rolled.When the freeze starts, there will be another
announcement to the
cvs-committers@FreeBSD.org list, of
course.How do I know when the ports freeze ends?A few hours after the release, the ports manager
will send out a mail to the
freebsd-ports@FreeBSD.org and
cvs-committers@FreeBSD.org mailing lists
announcing the end of the ports freeze. Note that the
release being cut does not automatically end the freeze.
We have to make sure there will not be any last minute
snafus that result in an immediate re-rolling of the
release.Miscellaneous QuestionsHow do I know if my port is building correctly or
not?First, go check
http://bento.FreeBSD.org/~asami/errorlogs/.
There you will find error logs from the latest package
building runs on 3-stable and 4-current.However, just because the port doesn't show up there
doesn't mean it's building correctly. (One of the
dependencies may have failed, for instance.) Here are
the relevant directories on bento, so feel free to dig
around. /a/asami/portbuild/3/errors error logs from latest 3-stable run
/logs all logs from latest 3-stable run
/packages packages from latest 3-stable run
/bak/errors error logs from last complete 3-stable run
/bak/logs all logs from last complete 3-stable run
/bak/packages packages from last complete 3-stable run
/4/errors error logs from latest 4-current run
/logs all logs from latest 4-current run
/packages packages from latest 4-current run
/bak/errors error logs from last complete 4-current run
/bak/logs all logs from last complete 4-current run
/bak/packages packages from last complete 4-current run
Basically, if the port shows up in
packages, or it is in
logs but not in
errors, it built fine. (The
errors directories are what you get
from the web page.)I added a new port. Do I need to add it to the
INDEX?No. The ports manager will regenerate the
INDEX and commit it every few
days.Are there any other files I'm not allowed to
touch?Any file directly under ports/, or
any file under a subdirectory that starts with an
uppercase letter (Mk/,
Tools/, etc.). In particular, the
ports manager is very protective of
ports/Mk/bsd.port*.mk so don't
commit changes to those files unless you want to face his
wra(i)th.Miscellaneous QuestionsWhy are trivial or cosmetic changes to files on a vendor
branch a bad idea?The RCS file format is quite braindead and certain
operations to achieve things for CVS are hideously
expensive for the repository. Making changes to files on
a vendor branch, thereby pulling the file off that branch,
is one example of this.Suppose you have a file which was first imported on a
vendor branch, and was then re-imported three times (still
on the vendor branch) as the vendor makes updates to the
file.1.1.1.1vendor import1.1.1.2vendor import, +1000, -500 lines1.1.1.3vendor import, +2000, -500 lines1.1.1.4vendor import, +1000, -1000 linesNow suppose that one of the FreeBSD committers makes a
one line change to this file, causing it to go to version
1.2. This causes it to leave the branch, resulting in
4,001 lines being added to the file's history, and 2,001
lines being deleted.This is because the 1.2 delta is stored relative to
1.1.1.1, not 1.1.1.4, and so the
entire vendor history is duplicated in the 1.2 delta.
Now, repeat this for 2000 files in a large directory, it
adds up a lot.This is why we have such
hands off policies for
src/contrib and other things that
track the vendor releases. This is why typo
fixes in man pages and spelling
corrections are so strongly discouraged for
vendor code.How do I add a new file to a CVS branch?To add a file onto a branch, simply checkout or update
to the branch you want to add to and then add the file using
cvs add as you normally would. For
example, if you wanted to MFC the file
src/sys/alpha/include/smp.h from HEAD
to RELENG_4 and it does not exist in RELENG_4 yet, you would
use the following steps:MFC'ing a New File&prompt.user; cd sys/alpha/include
&prompt.user; cvs update -rRELENG_4
cvs update: Updating .
U clockvar.h
U console.h
...
&prompt.user; cvs update -kk -Ap smp.h > smp.h
===================================================================
Checking out smp.h
RCS: /usr/cvs/src/sys/alpha/include/smp.h,v
VERS: 1.1
***************
&prompt.user; cvs add smp.h
cvs add: scheduling file `smp.h' for addition on branch `RELENG_4'
cvs add: use 'cvs commit' to add this file permanently
&prompt.user; cvs commit
diff --git a/en_US.ISO8859-1/books/faq/book.sgml b/en_US.ISO8859-1/books/faq/book.sgml
index ae5bc50a1e..960ecfc0c5 100644
--- a/en_US.ISO8859-1/books/faq/book.sgml
+++ b/en_US.ISO8859-1/books/faq/book.sgml
@@ -1,9546 +1,9495 @@
%man;
%authors;
]>
Frequently Asked Questions for FreeBSD 2.X, 3.X and 4.XThe FreeBSD Documentation Project
- $FreeBSD: doc/en_US.ISO_8859-1/books/faq/book.sgml,v 1.94 2000/09/22 18:40:00 marko Exp $
+ $FreeBSD: doc/en_US.ISO_8859-1/books/faq/book.sgml,v 1.95 2000/09/22 23:41:25 ben Exp $This is the FAQ for FreeBSD versions 2.X, 3.X, and 4.X. All entries
are assumed to be relevant to FreeBSD 2.0.5 and later, unless
otherwise noted. Any entries with a <XXX> are under
construction. If you are interested in helping with this project,
send email to the FreeBSD documentation project mailing list
freebsd-doc@FreeBSD.org.
The latest version of this document is always available from the
FreeBSD World Wide Web
server. It may also be downloaded as one large HTML file with HTTP or as plain text,
postscript, or PDF from the FreeBSD FTP
server. You may also want to Search the
FAQ.PrefaceWelcome to the FreeBSD 2.X-4.X FAQ!As is usual with Usenet FAQs, this document aims to cover the
most frequently asked questions concerning the FreeBSD operating
system (and of course answer them!). Although originally intended
to reduce bandwidth and avoid the same old questions being asked
over and over again, FAQs have become recognized as valuable
information resources.Every effort has been made to make this FAQ as informative as
possible; if you have any suggestions as to how it may be improved,
please feel free to mail them to the &a.faq;.What is FreeBSD?Briefly, FreeBSD is a UN*X-like operating system for the
i386 and Alpha/AXP platforms based on U.C. Berkeley's
4.4BSD-lite release.
It is also based indirectly on William Jolitz's port of U.C.
Berkeley's Net/2 to the i386, known as 386BSD, though very
little of the 386BSD code remains. A fuller description of
what FreeBSD is and how it can work for you may be found on
the FreeBSD home
page.FreeBSD is used by companies, Internet Service Providers,
researchers, computer professionals, students and home users
all over the world in their work, education and recreation.
See some of them in the FreeBSD
Gallery.For more detailed information on FreeBSD, please see the
FreeBSD
Handbook.What are the goals of FreeBSD?The goals of the FreeBSD Project are to provide software
that may be used for any purpose and without strings attached.
Many of us have a significant investment in the code (and
project) and would certainly not mind a little financial
compensation now and then, but we're definitely not prepared
to insist on it. We believe that our first and foremost
mission is to provide code to any and all comers, and for
whatever purpose, so that the code gets the widest possible
use and provides the widest possible benefit. This is, we
believe, one of the most fundamental goals of Free Software
and one that we enthusiastically support.That code in our source tree which falls under the GNU
General Public License (GPL) or GNU Library General Public
License (LGPL) comes with slightly more strings attached,
though at least on the side of enforced access rather than the
usual opposite. Due to the additional complexities that can
evolve in the commercial use of GPL software, we do, however,
endeavor to replace such software with submissions under the
more relaxed BSD copyright whenever possible.Why is it called FreeBSD?It may be used free of charge, even by commercial
users.Full source for the operating system is freely
available, and the minimum possible restrictions have
been placed upon its use, distribution and incorporation
into other work (commercial or non-commercial).Anyone who has an improvement and/or bug fix is free
to submit their code and have it added to the source tree
(subject to one or two obvious provisos).For those of our readers whose first language is not
English, it may be worth pointing out that the word free
is being used in two ways here, one meaning at no cost,
the other meaning you can do whatever you like. Apart
from one or two things you
cannot do with the FreeBSD code,
for example pretending you wrote it, you really can do
whatever you like with it.What is the latest version of FreeBSD?Version 4.1
is the latest stable version; it was
released in July, 2000. This is also the latest
release version.Briefly explained, -STABLE is aimed
at the ISP or other corporate user who wants stability and a
low change count over the wizzy new features of the latest
-CURRENT snapshot. Releases can come
from either branch, but you should only use
-CURRENT if you're sure that you're
prepared for its increased volatility (relative to
-STABLE, that is).Releases are only made every
few months. While many people stay more up-to-date with
the FreeBSD sources (see the questions on FreeBSD-CURRENT and FreeBSD-STABLE) than that, doing so
is more of a commitment, as the sources are a moving
target.What is FreeBSD-CURRENT?FreeBSD-CURRENT
is the development version of the operating system, which will
in due course become 5.0-RELEASE. As such, it is really only
of interest to developers working on the system and die-hard
hobbyists. See the relevant
section in the handbook for details on
running -CURRENT.If you are not familiar with the operating system or are
not capable of identifying the difference between a real
problem and a temporary problem, you should not use
FreeBSD-CURRENT. This branch sometimes evolves quite quickly
and can be un-buildable for a number of days at a time.
People that use FreeBSD-CURRENT are expected to be able to
analyze any problems and only report them if they are deemed
to be mistakes rather than glitches. Questions such as
make world produces some error about groups on the
-CURRENT mailing list are sometimes treated with
contempt.Every day, snapshot
releases are made based on the current state of the
-CURRENT and -STABLE branches. Nowadays,
distributions of the occasional snapshot are now being made
available. The goals behind each snapshot release are:To test the latest version of the installation
software.To give people who would like to run -CURRENT or
-STABLE but who
don't have the time and/or bandwidth to follow it on a
day-to-day basis an easy way of bootstrapping it onto
their systems.To preserve a fixed reference point for the code in
question, just in case we break something really badly
later. (Although CVS normally prevents anything horrible
like this happening :)To ensure that any new features in need of testing
have the greatest possible number of potential
testers.No claims are made that any -CURRENT snapshot can be considered
production quality for any purpose.
If you want to run a stable and
fully tested system, you will have to stick to full
releases, or use the -STABLE snaphosts.Snapshot releases are directly available from
ftp://current.FreeBSD.org/pub/FreeBSD/
for 5.0-CURRENT and
releng4.FreeBSD.org for 4-STABLE snapshots.
3-STABLE snapshots are not being produced at the time of
this writing (May 2000).Snapshots are generated, on the average, once a day for
all actively developed branches.What is the FreeBSD-STABLE concept?Back when FreeBSD 2.0.5 was released, we decided to
branch FreeBSD development into two parts. One branch was
named -STABLE,
with the intention that only well-tested bug fixes and small
incremental enhancements would be made to it (for Internet
Service Providers and other commercial enterprises for whom
sudden shifts or experimental features are quite
undesirable). The other branch was -CURRENT,
which essentially has been one unbroken line leading towards
5.0-RELEASE (and beyond) since 2.0 was released. If a little
ASCII art would help, this is how it looks: 2.0
|
|
| [2.1-STABLE]
*BRANCH* 2.0.5 -> 2.1 -> 2.1.5 -> 2.1.6 -> 2.1.7.1 [2.1-STABLE ends]
| (Mar 1997)
|
|
| [2.2-STABLE]
*BRANCH* 2.2.1 -> 2.2.2-RELEASE -> 2.2.5 -> 2.2.6 -> 2.2.7 -> 2.2.8 [end]
| (Mar 1997) (Oct 97) (Apr 98) (Jul 98) (Dec 98)
|
|
3.0-SNAPs (started Q1 1997)
|
|
3.0-RELEASE (Oct 1998)
|
| [3.0-STABLE]
*BRANCH* 3.1-RELEASE (Feb 1999) -> 3.2 -> 3.3 -> 3.4 -> 3.5 -> 3.5.1
| (May 1999) (Sep 1999) (Dec 1999) (June 2000) (July 2000)
|
| [4.0-STABLE]
*BRANCH* 4.0 (Mar 2000) -> 4.1 -> ... future 4.x releases ...
|
| (Jul 2000)
\|/
+
[5.0-CURRENT continues]The -CURRENT branch is slowly progressing towards 5.0 and
beyond, the previous 2.2-STABLE branch having been retired
with the release of 2.2.8. 3-STABLE replaced it,
with 3.5.1 (the final 3.X release) being released in July 2000.
In May 2000 (even though 3.5 came after that), the 3-STABLE branch was more or less replaced
by the 4-STABLE branch.
4.1-RELEASE was released in July 2000. 4-STABLE
is the actively developed -STABLE branch, although some
bugfixes (mostly security-related) are
still being committed to 3-STABLE. It is expected that the
3.X branch will be officially obsoleted some time in
summer 2000.
5.0-CURRENT is now the current
branch, with the no release date planed.When are FreeBSD releases made?As a general principle, the FreeBSD core team only release
a new version of FreeBSD when they believe that there are
sufficient new features and/or bug fixes to justify one, and
are satisfied that the changes made have settled down
sufficiently to avoid compromising the stability of the
release. Many users regard this caution as one of the best
things about FreeBSD, although it can be a little frustrating
when waiting for all the latest goodies to become
available...Releases are made about every 4 months on average.For people needing (or wanting) a little more excitement,
binary snapshots are made every day... see above.Is FreeBSD only available for PCs ?Since 3.x, FreeBSD has run on the DEC Alpha
as well as the x86 architecture. Some interest has also been
expressed in a SPARC port, but details on this project are not yet
clear.If your machine has a different architecture and you need
something right now, we suggest you look at NetBSD or OpenBSD. Who is responsible for FreeBSD?The key decisions concerning the FreeBSD project, such as
the overall direction of the project and who is allowed to add
code to the source tree, are made by a core team of
some 15 people. There is a much larger team of about 200 committers who
are authorized to make changes directly to the FreeBSD source
tree.However, most non-trivial changes are discussed in advance
in the mailing lists, and there
are no restrictions on who may take part in the
discussion.Where can I get FreeBSD?Every significant release of FreeBSD is available via
anonymous ftp from the FreeBSD FTP site:For the current 3.X-STABLE release, 3.4-RELEASE, see
the 3.4-RELEASE directory.The current 4-STABLE release, 4.1-RELEASE can be
found in the 4.1-RELEASE directory.4.X
snapshots are usually made once a day.5.0 Snapshot
releases are made once a day for the -CURRENT branch, these being of
service purely to bleeding-edge testers and
developers.FreeBSD is also available via CDROM, from the following
place(s):
Walnut Creek CDROM
4041 Pike Lane, Suite FConcord, CA94520USAOrders: +1 800 786-9907Questions: +1 925 674-0783FAX: +1 925 674-0821email: WC Orders addressWWW: WC Home pageIn Australia, you may find it at:
Advanced Multimedia Distributors
Factory 1/1 Ovata DriveTullamarine, MelbourneVictoriaAustraliaVoice: +61 3 9338 6777CDROM Support BBS17 Irvine StPeppermint Grove, WA6011Voice: +61 9 385-3793Fax: +61 9 385-2360And in the UK:
The Public Domain & Shareware Library
Winscombe House, Beacon RdCrowboroughSussex. TN6 1ULVoice: +44 1892 663-298Fax: +44 1892 667-473Where do I find info on the FreeBSD mailing lists?You can find full information in the Handbook
entry on mailing-lists.Where do I find the FreeBSD Y2K info?You can find full information in the FreeBSD Y2K
page.What FreeBSD news groups are available?You can find full information in the Handbook entry on
newsgroups.Are there FreeBSD IRC (Internet Relay Chat)
channels?Yes, most major IRC networks host a FreeBSD chat
channel:Channel #FreeBSD on
EFNet is a FreeBSD forum, but don't go there for tech
support or to try and get folks there to help you avoid
the pain of reading man pages or doing your own research.
It is a chat channel, first and foremost, and topics there
are just as likely to involve sex, sports or nuclear
weapons as they are FreeBSD. You Have Been Warned!
Available at server irc.chat.org.Channel #FreeBSDhelp on
EFNet is a channel dedicated to helping FreeBSD users. They
are much more sympathetic to questions then
#FreeBSD is.Channel #FreeBSD on
DALNET is available at irc.dal.net in the
US and irc.eu.dal.net in Europe.Channel #FreeBSD on
UNDERNET is available at us.undernet.org
in the US and eu.undernet.org in Europe.
Since it is a help channel, be prepared to read the
documents you are referred to.Channel #FreeBSD on HybNet is available
at irc.FreeBSD.org. This channel
is a help channel.Each of these channels are distinct and are not connected
to each other. Their chat styles also differ, so you may need
to try each to find one suited to your chat style. As with
*all* types of IRC traffic, if you're easily offended or can't
deal with lots of young people (and more than a few older
ones) doing the verbal equivalent of jello wrestling, don't
even bother with it.Books on FreeBSDThere is a FreeBSD Documentation Project which you may
contact (or even better, join) at the
freebsd-doc mailing list:
freebsd-doc@FreeBSD.org.
This list is for discussion of the FreeBSD documentation. For
actual questions about FreeBSD, there is the
freebsd-questions mailing list:
freebsd-questions@FreeBSD.org.A FreeBSD handbook is available, and can be found as:
the FreeBSD
Handbook. Note that this is a work in progress;
some parts may be incomplete or out-of-date.The definitive printed guide on FreeBSD is The Complete
FreeBSD, written by Greg Lehey and published by Walnut Creek
CDROM Books. Now in its second edition, the book contains
1,750 pages of install & system administration guidance,
program setup help, and manual pages. The book (and current
FreeBSD release) can be ordered from Walnut Creek, CheapBytes, or at your
favorite bookstore. The ISBN is 1-57176-227-2.Since FreeBSD is based upon Berkeley
4.4BSD-Lite2, most of the 4.4BSD manuals are applicable to
FreeBSD. O'Reilly and Associates publishes the following
manuals:4.4BSD System Manager's Manual
By Computer Systems Research Group, UC Berkeley
1st Edition June 1994, 804 pages
ISBN:
1-56592-080-5 4.4BSD User's Reference Manual
By Computer Systems Research Group, UC Berkeley
1st Edition June 1994, 905 pages
ISBN:
1-56592-075-9 4.4BSD User's Supplementary Documents
By Computer Systems Research Group, UC Berkeley
1st Edition July 1994, 712 pages
ISBN:
1-56592-076-7 4.4BSD Programmer's Reference Manual
By Computer Systems Research Group, UC Berkeley
1st Edition June 1994, 886 pages
ISBN:
1-56592-078-3 4.4BSD Programmer's Supplementary Documents
By Computer Systems Research Group, UC Berkeley
1st Edition July 1994, 596 pages
ISBN:
1-56592-079-1 A description of these can be found via WWW as:
4.4BSD
books description. Due to poor sales, however, these
manuals may be hard to get a hold of.For a more in-depth look at the 4.4BSD kernel
organization, you can't go wrong with:McKusick, Marshall Kirk, Keith Bostic, Michael J Karels,
and John Quarterman.The Design and Implementation of the 4.4BSD
Operating System. Reading, Mass. :
Addison-Wesley, 1996.
ISBN
0-201-54979-4A good book on system administration is:Evi Nemeth, Garth Snyder, Scott Seebass & Trent R.
Hein,
Unix System Administration Handbook, Prentice-Hall,
1995
ISBN:
0-13-151051-7Make sure you get the second edition, with a red
cover, instead of the first edition.This book covers the basics, as well as TCP/IP, DNS, NFS,
SLIP/PPP, sendmail, INN/NNTP, printing, etc.. It's expensive
(approx. US$45-$55), but worth it. It also includes
a CDROM with the sources for various tools; most of these,
however, are also on the FreeBSD 2.2.6R CDROM (and the FreeBSD
CDROM often has newer versions).How do I access your Problem Report database?The Problem Report database of all user change requests
may be queried (or submitted to) by using our web-based PR
submission
and
query
interfaces. The send-pr(1) command can
also be used to submit problem reports and change requests via
electronic mail.Is the documentation available in other formats, such as plain
text (ASCII), or Postscript?Yes. The documentation is available in a number of different
formats and compression schemes on the FreeBSD FTP site, in the
/pub/FreeBSD/doc/ directory.The documentation is categorised in a number of different
ways. These include:The document's name, such as faq, or
handbook.The document's language and encoding. These are based on
the locale names you will find under
/usr/share/locale on your FreeBSD
system. The current languages and encodings that we have for
documentation are as follows:NameMeaningen_US.ISO_8859-1US Englishes_ES.ISO_8859-1Spanishfr_FR.ISO_8859-1Frenchja_JP.eucJPJapanese (EUC encoding)ru_RU.KOI8-RRussianzh_TW.Big5Chinese (Big5 encoding)Some documents may not be available in all
languages.The document's format. We produce the documentation in a
number of different output formats to try and make it as
flexible as possible. The current formats are;FormatMeaninghtml-splitA collection of small, linked, HTML
files.htmlOne large HTML file containing the entire
documentpdbPalm Pilot database format, for use with the
iSilo
reader.pdfAdobe's Portable Document FormatpsPostscriptrtfMicrosoft's Rich Text FormatPage numbers are not automatically updated
when loading this format in to Word. Press
CTRL+A,
CTRL+END,
F9 after loading the document, to
update the page numbers.txtPlain textThe compression and packaging scheme. There are three of
these currently in use.Where the format is html-split, the
files are bundled up using &man.tar.1;. The resulting
.tar file is then compressed using
the compression schemes detailed in the next point.All the other formats generate one file, called
book.format
(i.e., book.pdb,
book.html, and so on).These files are then compressed using three
compression schemes.SchemeDescriptionzipThe Zip format. If you want to uncompress
this on FreeBSD you will need to install the
archivers/unzip port
first.gzThe GNU Zip format. Use &man.gunzip.1; to
uncompress these files, which is part of
FreeBSD.bz2The BZip2 format. Less widespread than the
others, but generally gives smaller files.
Install the archivers/bzip2
port to uncompress these files.So the Postscript version of the Handbook, compressed
using BZip2 will be stored in a file called
book.sgml.bz2 in the
handbook/ directory.The formatted documentation is also available as a
FreeBSD package, of which more later.After choosing the format and compression mechanism that you
want to download, you must then decide whether or not you want to
download the document as a FreeBSD
package.The advantage of downloading and installing the package is
that the documentation can then be managed using the normal
FreeBSD package management comments, such as &man.pkg.add.1; and
&man.pkg.delete.1;.If you decide to download and install the package then you
must know the filename to download. The documentation-as-packages
files are stored in a directory called
packages. Each package file looks like
document-name.lang.encoding.format.tgz.For example, the FAQ, in English, formatted as PDF, is in the
package called
faq.en_US.ISO_8859-1.pdf.tgz.Knowing this, you can use the following command to install the
English PDF FAQ package.&prompt.root; pkg_add ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/packages/faq.en_US.ISO_8859-1.pdf.tgzHaving done that, you can use &man.pkg.info.1; to determine
where the file has been installed.&prompt.root; pkg_info -f faq.en_US.ISO_8859-1.pdf
Information for faq.en_US.ISO_8859-1.pdf:
Packing list:
Package name: faq.en_US.ISO_8859-1.pdf
CWD to /usr/share/doc/en_US.ISO_8859-1/books/faq
File: book.pdf
CWD to .
File: +COMMENT (ignored)
File: +DESC (ignored)As you can see, book.pdf will have been
installed in to
/usr/share/doc/en_US.ISO_8859-1/books/faq.If you do not want to use the packages then you will have to
download the compressed files yourself, uncompress them, and then
copy the appropriate documents in to place.For example, the split HTML version of the FAQ, compressed
using &man.gzip.1;, can be found in the
en_US.ISO_8859-1/books/faq/book.html-split.tar.gz
file. To download and uncompress that file you would have to do
this.&prompt.root; fetch ftp://ftp.freebsd.org/pub/FreeBSD/doc/en_US.ISO_8859-1/books/faq/book.html-split.tar.gz
&prompt.root; gzip -d book.html-split.tar.gz
&prompt.root; tar xvf book.html-split.tarYou will be left with a collection of
.html files. The main one is called
index.html, which will contain the table of
contents, introductory material, and links to the other parts of
the document. You can then copy or move these to their final
location as necessary.I'd like to become a FreeBSD Web mirror!Certainly! There are multiple ways to mirror the Web
pages.Using CVSup:
You can retrieve the formatted files
using CVSup, and connecting to
a CVSup server.To retrieve the webpages, please look at the example
supfile, which can be found in
/usr/share/examples/cvsup/www-supfile.Using ftp mirror: You can download the FTP server's
copy of the web site sources using your favorite ftp mirror
tool. Keep in mind that you have to build these sources before
publishing them. Simply start at
ftp://ftp.FreeBSD.org/pub/FreeBSD/FreeBSD-current/www.I'd like to translate the documentation into
Friesian.Well, we can't pay, but we might arrange a free CD or
T-shirt and a Contributor's Handbook entry if you submit a
translation of the documentation. Before you begin translating
please contact the
freebsd-doc mailing list at
freebsd-doc@FreeBSD.org; you may find
somebody to help with the translation effort. You may also
find out there is already
a team translating the docs into your chosen language,
who surely wouldn't turn down your help. Other sources of information.The following newsgroups contain pertinent discussion for
FreeBSD users:comp.unix.bsd.freebsd.announce
(moderated)comp.unix.bsd.freebsd.misccomp.unix.bsd.miscWeb resources:The FreeBSD Home Page.If you have a laptop, be sure and see
Tatsumi
Hosokawa's Mobile Computing page in Japan.For information on SMP (Symmetric
MultiProcessing), please see the SMP support page.For information on FreeBSD
multimedia applications, please see the multimedia
page. If you're interested specifically in the Bt848
video capture chip, then follow that link.The FreeBSD handbook also has a fairly complete bibliography
section which is worth reading if you're looking for actual
books to buy.InstallationWhich file do I download to get FreeBSD?Prior to release 3.1, you only needed one floppy image to install
FreeBSD, namely floppies/boot.flp. However,
since release 3.1 the Project has added base support for a wide
variety of hardware which needed more space, and thus for 3.x and 4.x
we now use two floppy images, namely
floppies/kernel.flp and
floppies/mfsroot.flp. These images need to be
copied onto floppies by tools like fdimage or
&man.dd.1;.If you need to download the distributions yourself (for a DOS
filesystem install, for instance), below are some recommendations
for distributions to grab: bin/ manpages/ compat*/ doc/ src/ssys.* Full instructions on this procedure and a little bit more about
installation issues in general can be found in the Handbook entry on installing FreeBSD.Help! The boot floppy image will not fit on a single floppy!
A 3.5 inch (1.44MB) floppy can accomodate 1474560 bytes of data.
The boot image is exactly 1474560 bytes in size.Common mistakes when preparing the boot floppy are:Not downloading the floppy image in binary mode when
using FTP.Some FTP clients default their transfer mode to ascii
and attempt to change any end-of-line characters received to match
the conventions used by the client's system.
This will almost invariably corrupt the boot image. Check the
size of the downloaded boot image: if it is not exactly
that on the server, then the download process is suspect.To workaround: type binary at the FTP command prompt
after getting connected to the server and before starting the
download of the image.Using the DOS copy command (or equivalent GUI tool) to
transfer the boot image to floppy.
Programs like copy will not work as the boot
image has been created to be booted into directly. The image has
the complete content of the floppy, track for track, and is not
meant to be placed on the floppy as a regular file.
You have to transfer it to the floppy raw, using the
low-level tools (e.g. fdimage or rawrite)
described in the installation guide to FreeBSD.Where are the instructions for installing FreeBSD?Installation instructions can be found in the
Handbook entry on installing FreeBSD.What do I need in order to run FreeBSD?You'll need a 386 or better PC, with 5 MB or more of RAM and at
least 60 MB of hard disk space. It can run with a low end MDA
graphics card but to run X11R6, a VGA or better video card is needed.See also the section on I have only 4 MB of RAM. Can I install FreeBSD?FreeBSD 2.1.7 was the last version of FreeBSD that could be installed
on a 4MB system. Newer versions of FreeBSD, like 2.2, need at least 5MB
to install on a new system.All versions of FreeBSD, including 3.0, will run in 4MB of RAM, they
just can't run the installation program in 4MB. You can add
extra memory for the install process, if you like, and then
after the system is up and running, go back to 4MB. Or you could
always just swap your disk into a system which has >4MB, install onto
it and then swap it back.There are also situations in which FreeBSD 2.1.7 will not install
in 4 MB. To be exact: it does not install with 640 kB base + 3 MB
extended memory. If your motherboard can remap some of the lost
memory out of the 640kB to 1MB region, then you may still be able
to get FreeBSD 2.1.7 up.Try to go into your BIOS setup and look for a remap option.
Enable it. You may also have to disable ROM shadowing.It may be easier to get 4 more MB just for the install. Build a
custom kernel with only the options you need and then get the 4
MB out again.You may also install 2.0.5 and then upgrade your system to 2.1.7
with the upgrade option of the 2.1.7 installation program.After the installation, if you build a custom kernel, it will run
in 4 MB. Someone has even succeeded in booting with 2 MB (the
system was almost unusable though :-)) How can I make my own custom install floppy?
Currently there's no way to just make a custom install floppy.
You have to cut a whole new release, which will include your install
floppy. There's some code in /usr/src/release/floppies/Makefile
that's supposed to let you just make those floppies, but it's not
really gelled yet.To make a custom release, follow the instructions here.Can I have more than one operating system on my PC?Have a look at
The multi-OS page.Can Windows 95/98 co-exist with FreeBSD?Install Windows 95/98 first, after that FreeBSD. FreeBSD's boot
manager will then manage to boot Win95/98 and FreeBSD. If you
install Windows 95/98 second, it will boorishly overwrite your
boot manager without even asking. If that happens, see
the next section. Windows 95/98 killed my boot manager! How do I get it back?
You can reinstall the boot manager FreeBSD comes with in one of
three ways:Running DOS, go into the tools/ directory of your FreeBSD
distribution and look for bootinst.exe. You run it like so:
...\TOOLS>bootinst.exe boot.binand the boot manager will be reinstalled.Boot the FreeBSD boot floppy again and go to the Custom
installation menu item. Choose Partition. Select the drive which
used to contain your boot manager (likely the first one) and when you
come to the partition editor for it, as the very first thing (e.g.
do not make any changes) select (W)rite. This will ask for
confirmation, say yes, and when you get the Boot Manager selection
prompt, be sure to select Boot Manager.
This will re-write the boot manager to disk. Now quit out of the
installation menu and reboot off the hard disk as normal.Boot the FreeBSD boot floppy (or CD-ROM) and choose the
Fixit menu item. Select either the Fixit floppy or
CD-ROM #2 (the live file system option) as appropriate
and enter the fixit shell. Then execute the following command:
Fixit#fdisk -B -b /boot/boot0 bootdevicesubstituting bootdevice for your real
boot device such as ad0 (first IDE disk),
ad4 (first IDE disk on auxiliary controller),
da0 (first SCSI disk), etc.Can I install on a disk with bad blocks?Prior to 3.0, FreeBSD included a utility known as
bad144, which automatically remapped bad
blocks. Because modern IDE drives perform this function themselves,
bad144 has been removed from the FreeBSD source
tree. If you wish to install FreeBSD 3.0 or later, we strongly suggest
you purchase a newer disk drive. If you do not wish to do this, you
must run FreeBSD 2.x.If you are seeing bad block errors with a modern IDE drive,
chances are the drive is going to die very soon (the drive's internal
remapping functions are no longer sufficient to fix the bad blocks,
which means the disk is heavily corrupted); we suggest you by a
new hard drive.If you have a SCSI drive with bad blocks, see this answer.Strange things happen when I boot the install floppy!If you're seeing things like the machine grinding to a halt or
spontaneously rebooting when you try to boot the install floppy,
here are three questions to ask yourself:-Did you use a new, freshly-formatted, error-free floppy
(preferably a brand-new one straight out of the box, as
opposed to the magazine coverdisk that's been lying under
the bed for the last three years)?
Did you download the floppy image in binary (or image) mode?
(don't be embarrassed, even the best of us have accidentally
downloaded a binary file in ASCII mode at least once!)
If you're using
Windows95 or Win98 did you run fdimage or
rawrite in pure DOS mode? These OS's can
interfere with programs that write directly to hardware, which
the disk creation program does; even running it inside a DOS
shell in the GUI can cause this problem.There have also been reports of Netscape causing problems when
downloading the boot floppy, so it's probably best to use a different
FTP client if you can.I booted from my ATAPI CD-ROM, but the install program says no
CD-ROM is found. Where did it go?The usual cause of this problem is a mis-configured CD-ROM
drive. Many PCs now ship with the CD-ROM as the slave device on
the secondary IDE controller, with no master device on that
controller. This is illegal according to the ATAPI specification,
but Windows plays fast and loose with the specification, and the
BIOS ignores it when booting. This is why the BIOS was able to
see the CD-ROM to boot from it, but why FreeBSD can not see it to
complete the install.Reconfigure your system so that the CD-ROM is either the
master device on the IDE controller it is attached to, or make
sure that it is the slave on an IDE controller that also has a
master device.Help! I can't install from tape!If you are installing 2.1.7R from tape, you must create the tape
using a tar blocksize of 10 (5120 bytes). The default tar
blocksize is 20 (10240 bytes), and tapes created using this
default size cannot be used to install 2.1.7R; with these tapes,
you will get an error that complains about the record size being
too big.Connect two FreeBSD boxes over a parallel line (PLIP)
Get a laplink cable. Make sure both computer have a kernel
with lpt driver support.&prompt.root; dmesg | grep lp
lpt0 at 0x378-0x37f irq 7 on isa
lpt0: Interrupt-driven
lp0: TCP/IP capable interfacePlug in the laplink cable into the parallel interface.Configure the network interface parameters for lp0 on both
sites as root. For example, if you want connect the host max
with moritz max <-----> moritz
IP Address 10.0.0.1 10.0.0.2on max start&prompt.root; ifconfig lp0 10.0.0.1 10.0.0.2on moritz start&prompt.root; ifconfig lp0 10.0.0.2 10.0.0.1Thats all! Please read also the manpages
&man.lp.4;
and
&man.lpt.4;
.You should also add the hosts to /etc/hosts.127.0.0.1 localhost.my.domain localhost
10.0.0.1 max.my.domain max
10.0.0.2 moritz.my.domainTo check if it works do:on max:&prompt.root; ifconfig lp0
lp0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.0.1 --> 10.0.0.2 netmask 0xff000000
&prompt.root; netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
moritz max UH 4 127592 lp0
&prompt.root; ping -c 4 moritz
PING moritz (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=255 time=2.774 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=255 time=2.530 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=255 time=2.556 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=255 time=2.714 ms
--- moritz ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.530/2.643/2.774/0.103 ms Can I install on my laptop over PLIP (Parallel Line IP)?
Connect the two computers using a Laplink parallel cable to use
this feature:
See also this note on the Mobile Computing page. Which geometry should I use for a disk drive?
(By the geometry of a disk, we mean the number of cylinders,
heads and sectors/track on a disk - I'll refer to this as
C/H/S for convenience. This is how the PC's BIOS works out
which area on a disk to read/write from).This seems to cause a lot of confusion for some reason. First
of all, the physical geometry of a SCSI drive is totally
irrelevant, as FreeBSD works in term of disk blocks. In fact, there
is no such thing as the physical geometry, as the sector density
varies across the disk - what manufacturers claim is the quote
physical geometry is usually the geometry that they've worked out
results in the least wasted space. For IDE disks, FreeBSD does
work in terms of C/H/S, but all modern drives will convert this
into block references internally as well.All that matters is the logical geometry - the answer that the
BIOS gets when it asks what is your geometry? and then uses to access
the disk. As FreeBSD uses the BIOS when booting, it's very important
to get this right. In particular, if you have more than one operating
system on a disk, they must all agree on the geometry, otherwise you
will have serious problems booting!For SCSI disks, the geometry to use depends on whether extended
translation support is turned on in your controller (this is
often referred to as support for DOS disks >1GB or something
similar). If it's turned off, then use N cylinders, 64 heads
and 32 sectors/track, where N is the capacity of the disk in
MB. For example, a 2GB disk should pretend to have 2048 cylinders,
64 heads and 32 sectors/track.If it is turned on (it's often supplied this way to get around
certain limitations in MSDOS) and the disk capacity is more than 1GB,
use M cylinders, 63 sectors per track (*not* 64), and 255 heads, where
'M' is the disk capacity in MB divided by 7.844238 (!). So our
example 2GB drive would have 261 cylinders, 63 sectors per track and
255 heads.If you are not sure about this, or FreeBSD fails to detect the
geometry correctly during installation, the simplest way around
this is usually to create a small DOS partition on the disk. The
correct geometry should then be detected (and you can always remove
the DOS partition in the partition editor if you don't want to keep
it, or leave it around for programming network cards and the like).Alternatively, there is a freely available utility distributed with
FreeBSD called pfdisk.exe (located in the tools
subdirectory on the FreeBSD CDROM or on the various FreeBSD
ftp sites) which can be used to work out what geometry the other
operating systems on the disk are using. You can then enter this
geometry in the partition editor.Any restrictions on how I divide the disk up?Yes. You must make sure that your root partition is below 1024
cylinders so the BIOS can boot the kernel from it. (Note that this
is a limitation in the PC's BIOS, not FreeBSD).For a SCSI drive, this will normally imply that the root partition
will be in the first 1024MB (or in the first 4096MB if extended
translation is turned on - see previous question). For IDE, the
corresponding figure is 504MB. What about disk managers? Or, I have a large drive!
FreeBSD recognizes the Ontrack Disk Manager and makes allowances
for it. Other disk managers are not supported.If you just want to use the disk with FreeBSD you don't need a
disk manager. Just configure the disk for as much space as the
BIOS can deal with (usually 504 megabytes), and FreeBSD
should figure out how much space you really have. If you're using
an old disk with an MFM controller, you may need to explicitly
tell FreeBSD how many cylinders to use.If you want to use the disk with FreeBSD and another operating
system, you may be able to do without a disk manager: just make sure
the the FreeBSD boot partition and the slice for the other
operating system are in the first 1024 cylinders. If you're
reasonably careful, a 20 megabyte boot partition should be plenty. When I boot FreeBSD I get Missing Operating SystemThis is classically a case of FreeBSD and DOS or some other OS
conflicting over their ideas of disk geometry. You will have to reinstall FreeBSD, but obeying the
instructions given above will almost always get you going.I can't get past the boot manager's F? prompt.This is another symptom of the problem described in the preceding
question. Your BIOS geometry and FreeBSD geometry settings do
not agree! If your controller or BIOS supports cylinder
translation (often marked as >1GB drive support), try
toggling its setting and reinstalling FreeBSD.Do I need to install the complete sources?In general, no. However, we would strongly recommend that you
install, at a minimum, the base source kit, which
includes several of the files mentioned here, and the
sys (kernel) source kit, which includes sources for the
kernel. There is nothing in the system which requires the
presence of the sources to operate, however, except for the
kernel-configuration program
&man.config.8;. With the exception
of the kernel sources, our build structure is set up so that you
can read-only mount the sources from elsewhere via NFS and still
be able to make new binaries. (Because of the kernel-source
restriction, we recommend that you not mount this on
/usr/src directly, but rather in some other location
with appropriate symbolic links to duplicate the top-level
structure of the source tree.)Having the sources on-line and knowing how to build a system with
them will make it much easier for you to upgrade to future
releases of FreeBSD.To actually select a subset of the sources, use the Custom
menu item when you are in the Distributions menu of the
system installation tool.Do I need to build a kernel?Building a new kernel was originally pretty much a required
step in a FreeBSD installation, but more recent releases have
benefited from the introduction of a much friendlier kernel
configuration tool. When at the FreeBSD boot prompt (boot:),
use the flag and you will be dropped into a visual
configuration screen which allows you to configure the kernel's
settings for most common ISA cards.It's still recommended that you eventually build a new
kernel containing just the drivers that you need, just to save a
bit of RAM, but it's no longer a strict requirement for most
systems.
-
-I live outside the US. Can I use DES encryption?
-
-If it is not absolutely imperative that you use DES style
-encryption, you can use FreeBSD's default encryption for even
-better security, and with no export restrictions. FreeBSD
-2.0's password default scrambler is now MD5-based, and is
-more CPU-intensive to crack with an automated password cracker
-than DES, and allows longer passwords as well. The only reason
-for not using the MD5-based crypt today would be to use the
-the same password entries on FreeBSD and non-FreeBSD systems.
-
-Since the DES encryption algorithm cannot legally be exported
-from the US, non-US users should not download this software (as
-part of the secrdist from US FTP sites.
-
-There is however a replacement libcrypt available, based on
-sources written in Australia by David Burren. This code is now
-available on some non-US FreeBSD mirror sites. Sources for the
-unencumbered libcrypt, and binaries of the programs which use it,
-can be obtained from the following FTP sites:
-
-
-
-South Africa
-
-ftp://ftp.internat.FreeBSD.org/pub/FreeBSD/,
-ftp://storm.sea.uct.ac.za/pub/FreeBSD/
-
-
-
-
-
-
-Brazil
-
-
-ftp://ftp.iqm.unicamp.br/pub/FreeBSD/
-
-
-
-
-
-
-Finland
-
-
-ftp://nic.funet.fi/pub/unix/FreeBSD/eurocrypt/
-
-
-
-
-
-
-The non-US securedist can be used as a direct replacement
-for the encumbered US securedist. This securedist
-package is installed the same way as the US package (see
-installation notes for details). If you are going to install DES
-encryption, you should do so as soon as possible, before
-installing other software.
-
-Non-US users should please not download any encryption software
-from the USA. This can get the maintainers of the sites from
-which the software is downloaded into severe legal difficulties.
-
-A non-US distribution of Kerberos is also being developed, and
-current versions can generally be obtained by anonymous FTP from
-braae.ru.ac.za.
-
-There is also a mailing list for the
-discussion of non-US encryption software. For more information, send
-an email message with a single line saying help in the body
-of your message to majordomo@braae.ru.ac.za.
+
+
+ Should I use DES passwords, or MD5, and how do I specify
+ which form my users receive?
+
-
+
+ The default password format on FreeBSD is to use
+ MD5-based passwords. These are believed to
+ be more secure than the traditional UNIX password format, which
+ used a scheme based on the DES algorithm.
+ DES passwords are still available if you need to share your
+ password file with legacy operating systems which still use the
+ less secure password format (they are available if you choose to
+ install the crypto distribution in sysinstall, or
+ by installing the crypto sources if building from source). Which
+ password format to use for new passwords is controlled by the
+ passwd_format login capability in
+ /etc/login.conf, which takes values of either
+ des (if available) or md5. See the
+ login.conf(5) manpage for more information about login
+ capabilities.
+
+
The boot floppy starts but hangs at the Probing Devices...
screen.If you have a IDE Zip or Jaz drive installed, remove it and try again.
The boot floppy can get confused by the drives.
After the system is installed you can reconnect the drive. Hopefully
this will be fixed in a later release.I get a panic: cant mount root
error when rebooting the system after installation.This error comes from confusion between the boot block's and the
kernel's understanding of the disk devices. The error usually
manifests on two-disk IDE systems, with the hard disks arranged as the
master or single device on separate IDE controllers, with FreeBSD
installed on the secondary IDE controller. The boot blocks think
the system is installed on wd1 (the second BIOS disk) while the kernel
assigns the first disk on the secondary controller device wd2. After
the device probing, the kernel tries to mount what the boot blocks
think is the boot disk, wd1, while it is really wd2, and fails.To fix the problem, do one of the following:For FreeBSD 3.3 and later, reboot the system and hit
Enter at the Booting kernel in 10 seconds; hit
[Enter] to interrupt prompt. This will drop you into the boot
loader.Then type set
root_disk_unit="disk_number". disk_number
will be 0 if FreeBSD is installed on the master drive
on the first IDE controller, 1 if it is installed
on the slave on the first IDE controller, 2 if it
is installed on the master of the second IDE controller, and
3 if it is installed on the slave of the second
IDE controller.Then type boot, and your system should boot
correctly.To make this change permanent (ie so you don't have to do this
everytime you reboot or turn on your FreeBSD machine), put the line
root_disk_unit="disk_number" in
/boot/loader.conf.local.If using FreeBSD 3.2 or earlier, at the Boot: prompt, enter
1:wd(2,a)kernel and press Enter. If the system starts, then
run the command
echo "1:wd(2,a)kernel" > /boot.config
to make it the default boot string.Move the FreeBSD disk onto the primary IDE controller, so the
hard disks are consecutive.Rebuild your kernel,
modify the wd configuration lines to read:controller wdc0 at isa? port "IO_WD1" bio irq 14 vector wdintr
disk wd0 at wdc0 drive 0
# disk wd1 at wdc0 drive 1 # comment out this line
controller wdc1 at isa? port "IO_WD2" bio irq 15 vector wdintr
disk wd1 at wdc1 drive 0 # change from wd2 to wd1
disk wd2 at wdc1 drive 1 # change from wd3 to wd2Install the new kernel.
If you moved your disks and wish to restore the previous
configuration, replace the disks in the desired configuration and reboot.
Your system should boot successfully.
What are the limits for memory?For memory, the limit is 4 gigabytes. This configuration has
been tested, see wcarchive's
configuration for more details. If you plan to install this
much memory into a machine, you need to be careful. You'll probably
want to use ECC memory and to reduce capacitive loading use 9 chip
memory modules vice 18 chip memory modules.What are the limits for ffs filesystems?For ffs filesystems, the maximum theoretical limit is 8 terabytes
(2G blocks), or 16TB for the default block size of 8K.
In practice, there is a soft limit of 1 terabyte, but with modifications
filesystems with 4 terabytes are possible (and exist).The maximum size of a single ffs file is approximately 1G blocks
(4TB) if the block size is 4K.
Maximum file sizesfs block size2.2.7-stable3.0-currentworksshould work4K4T-14T-14T-14+t8K32+G8T-132+G32T-116K128+G16T-1128+G32T-132K512+G32T-1512+G64T-164K2048+G64T-12048+G128T-1
When the fs block size is 4K, triple indirect blocks work and
everything should be limited by the maximum fs block number that can
be represented using triple indirect blocks (approx. 1K^3 + 1K^2 +
1K), but everything is limited by a (wrong) limit of 1G-1 on fs block
numbers. The limit on fs block numbers should be 2G-1. There are
some bugs for fs block numbers near 2G-1, but such block numbers are
unreachable when the fs block size is 4K.For block sizes of 8K and larger, everything should be limited
by the 2G-1 limit on fs block numbers, but is actually limited by the
1G-1 limit on fs block numbers, except under -STABLE triple indirect
blocks are unreachable, so the limit is the maxiumum fs block number
that can be represented using double indirect blocks
(approx. (blocksize/4)^2 + (blocksize/4)), and under -CURRENT
exceeding this limit may cause problems. Using the correct limit of
2G-1 blocks does cause problems.How can I put 1TB files on my floppy?I keep several virtual ones on floppies :-). The maxiumum
file size is not closely related to the maximum disk size. The
maximum disk size is 1TB. It is a feature that the file size can be
larger than the disk size.The following example creates a file of size 8T-1 using a
whole 32K of disk space (3 indirect blocks and 1 data block) on a
small root partition. The dd command requires a dd that works with
large files.&prompt.user; cat foo
df .
dd if=/dev/zero of=z bs=1 seek=`echo 2^43 - 2 | bc` count=1
ls -l z
du z
df .
&prompt.user; sh foo
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/da0a 64479 27702 31619 47% /
1+0 records in
1+0 records out
1 bytes transferred in 0.000187 secs (5346 bytes/sec)
-rw-r--r-- 1 bde bin 8796093022207 Sep 7 16:04 z
32 z
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/da0a 64479 27734 31587 47% /Bruce Evans, September 1998I compiled a new kernel and now I get the error message archsw.readin.failed when booting.You can boot by specifying the kernel directly at the second
stage, pressing any key when the | shows up before loader is
started. More specifically, you have upgraded the source for your
kernel, and installed a new kernel builtin from them without making
world. This is not supported. Make world.How do I upgrade from 3.X -> 4.X?We strongly recommend that you use
binary snapshots to do this. 4-STABLE snapshots are available at
releng4.FreeBSD.org.If you wish to upgrade using source, please see the FreeBSD
Handbook for more information.Upgrading via source is never recommended for new
users, and upgading from 3.X -> 4.X is even less so; make sure you
have read the instructions carefully before attempting to upgrade via
source this!Hardware compatibility What kind of hard drives does FreeBSD support?FreeBSD supports EIDE and SCSI drives (with a compatible
controller; see the next section), and all drives using the
original Western Digital interface (MFM, RLL, ESDI, and
of course IDE). A few ESDI controllers that use proprietary
interfaces may not work: stick to WD1002/3/6/7 interfaces
and clones.Which SCSI controllers are supported?See the complete list in the
Handbook.Which CD-ROM drives are supported by FreeBSD?Any SCSI drive connected to a supported controller is supported.The following proprietary CD-ROM interfaces are also supported:Mitsumi LU002 (8bit), LU005 (16bit) and FX001D (16bit 2x Speed).Sony CDU 31/33ASound Blaster Non-SCSI CD-ROMMatsushita/Panasonic CD-ROMATAPI compatible IDE CD-ROMsAll non-SCSI cards are known to be extremely slow compared to
SCSI drives, and some ATAPI CDROMs may not work.As of 2.2 the FreeBSD CDROM from Walnut Creek supports booting
directly from the CD.Does FreeBSD support ZIP drives?FreeBSD supports the SCSI ZIP drive out of the box, of course. The
ZIP drive can only be set to run at SCSI target IDs 5 or 6, but if
your SCSI host adapter's BIOS supports it you can even boot from
it. I don't know which host adapters let you boot from targets
other than 0 or 1... look at your docs (and let me know if it works
out for you).ATAPI (IDE) Zip drives are supported in FreeBSD 2.2.6 and
later releases.FreeBSD has contained support for Parallel Port Zip Drives since
version 3.0. If you are using a sufficiently up to date version, then
you should check that your kernel contains the scbus0,
da0, ppbus0, and
vp0 drivers (the GENERIC kernel
contains everything except vp0). With all these drivers present, the
Parallel Port drive should be available as /dev/da0s4. Disks can
be mounted using mount /dev/da0s4 /mnt OR (for dos disks)
mount_msdos /dev/da0s4 /mnt as appropriate.Also check out this note on removable drives,
and this note on formatting. Does FreeBSD support JAZ, EZ and other removable drives?
Apart from the IDE version of the EZ drive, these are all SCSI
devices, so the should all look like SCSI disks to FreeBSD, and
the IDE EZ should look like an IDE drive.I'm not sure how well FreeBSD supports changing
the media out while running. You will of course need to dismount the
drive before swapping media, and make sure that any external units are
powered on when you boot the system so FreeBSD can see them.See this note on formatting.Which multi-port serial cards are supported by FreeBSD?There is a list of these in the Miscellaneous devices
section of the handbook.Some unnamed clone cards have also been known to work, especially
those that claim to be AST compatible.Check the
sio man page to get more information on configuring such cards.I have a USB keyboard. Does FreeBSD support it?USB device support was added to FreeBSD 3.1. However, it is
still in preliminary state and may not always work as of version
3.2. If you want to experiment with the USB mouse support, follow
the procedure described below.Use FreeBSD 3.2 or later.Add the following lines to your kernel configuration file,
and rebuild the kernel.
device uhci
device ohci
device usb
device ukbd
options KBD_INSTALL_CDEVIn versions of FreeBSD before 4.0, use this instead:
controller uhci0
controller ohci0
controller usb0
controller ukbd0
options KBD_INSTALL_CDEVGo to the /dev directory and create
device nodes as follows:&prompt.root; cd /dev
&prompt.root; ./MAKEDEV kbd0 kbd1Edit /etc/rc.conf and add the following
lines:
usbd_enable="YES"
usbd_flags=""After the system is rebooted, the AT keyboard becomes
/dev/kbd0 and the USB keyboard becomes
/dev/kbd1, if both are connected to the
system. If there is the USB keyboard only, it will be
/dev/ukbd0.If you want to use the USB keyboard in the console, you have to
explicitly tell the console driver to use the existence of the USB
keyboard. This can be done by running the following command as a
part of system initialization.&prompt.root; kbdcontrol -k /dev/kbd1 < /dev/ttyv0 > /dev/nullNote that if the USB keyboard is the only keyboard, it is
accessed as /dev/kbd0, thus, the command
should look like:&prompt.root; kbdcontrol -k /dev/kbd0 < /dev/ttyv0 > /dev/null/etc/rc.i386 is a good place to add the
above command.Once this is done, the USB keyboard should work in the X
environment as well without any special settings.Hot-plugging and unplugging of the USB keyboard may not work
quite right yet. It is a good idea to connect the keyboard before
you start the system and leave it connected until the system is
shutdown to avoid troubles.See the &man.ukbd.4; man page for more information.I have an unusual bus mouse. How do I set it up?FreeBSD supports the bus mouse and the InPort bus mouse from such
manufactures as Microsoft, Logitech and ATI. The bus device driver
is compiled in the GENERIC kernel by default in FreeBSD versions 2.X, but
not included in version 3.0 or later. If you are building
a custom kernel with the bus mouse driver, make sure to add the
following line to the kernel config fileIn FreeBSD 3.0 or before, add:device mse0 at isa? port 0x23c tty irq5 vector mseintrIn FreeBSD 3.X, the line should be:device mse0 at isa? port 0x23c tty irq5And in FreeBSD 4.X and later, the line should read:device mse0 at isa? port 0x23c irq5Bus mice usually comes with dedicated interface cards.
These cards may allow you to set the port address and the IRQ number other
than shown above. Refer to the manual of your mouse and the
&man.mse.4; man page for more information. How do I use my PS/2 (mouse port
or keyboard) mouse?If you're running a post-2.2.5 version of FreeBSD, the necessary
driver, psm, is included and enabled in the kernel. The kernel
should detect your PS/2 mouse at boot time.If you're running a previous but relatively recent version of
FreeBSD (2.1.x or better) then you can simply enable it in the
kernel configuration menu at installation time, otherwise later with
at the boot: prompt. It is disabled by default, so you will need
to enable it explicitly.If you're running an older version of FreeBSD then you'll have to
add the following lines to your kernel configuration file and compile
a new kernel.In FreeBSD 3.0 or earlier, the line should be:device psm0 at isa? port "IO_KBD" conflicts tty irq 12 vector psmintrIn FreeBSD 3.1 or later, the line should be:device psm0 at isa? tty irq 12In FreeBSD 4.0 or later, the line should be:device psm0 at atkbdc? irq 12See the Handbook entry on configuring the kernel if you've no
experience with building kernels.Once you have a kernel detecting psm0 correctly at boot time,
make sure that an entry for psm0 exists in /dev. You can do this
by typing:&prompt.root; cd /dev; sh MAKEDEV psm0when logged in as root.Is it possible to make use of a mouse in any way outside the X Window?If you are using the default console driver, syscons, you can
use a mouse pointer in text consoles to cut & paste text.
Run the mouse daemon, moused, and turn on the mouse pointer
in the virtual console:&prompt.root; moused -p /dev/xxxx -t yyyy
&prompt.root; vidcontrol -m onWhere xxxx is the mouse device name and
yyyy
is a protocol type for the mouse. See the
&man.moused.8; man page for supported protocol types. You may wish to run the mouse daemon automatically when the
system starts. In version 2.2.1, set the following variables in
/etc/sysconfig.mousedtype="yyyy"
mousedport="xxxx"
mousedflags=""In versions 2.2.2 to 3.0, set the following variables in
/etc/rc.conf.moused_type="yyyy"
moused_port="xxxx"
moused_flags=""In 3.1 and later, assuming you have a PS/2 mouse, all you need
to is add moused_enable="YES" to
/etc/rc.conf.In addition, if you would like to be able to use the mouse
daemon on all virtual terminals instead of just console at boot-time,
add the following to /etc/rc.conf.allscreens_flags="-m on"Staring from FreeBSD 2.2.6, the mouse daemon is capable of
determining the correct protocol type automatically unless the mouse
is a relatively old serial mouse model. Specify auto
the protocol to invoke automatic detection.When the mouse daemon is running, access to the mouse needs to be
coordinated between the mouse daemon and other programs such as the
X Window. Refer to another section
on this issue.How do I cut and paste text with mouse in the text console?Once you get the mouse daemon running (see previous section), hold down the button 1 (left button)
and move the mouse to select a region of
text. Then, press the button 2 (middle button) or the button 3 (right
button) to paste it at the text cursor.In versions 2.2.6 and later, pressing the button 2 will paste
the text. Pressing the button 3 will extend the selected region
of text. If your mouse does not have the middle button, you may wish
to emulate it or remap buttons using moused options. See the
moused(8)
man page for details.I have a USB mouse. Does FreeBSD support the USB mouse?USB device support was added to FreeBSD 3.1. However, it is
still in a preliminary state and may not always work as of version
3.2. If you want to experiment with the USB mouse support, follow
the procedure described below.Use FreeBSD 3.2 or later.Add the following lines to your kernel configuration file,
and rebuild the kernel.
device uhci
device ohci
device usb
device umsIn versions of FreeBSD before 4.0, use this instead:
controller uhci0
controller ohci0
controller usb0
device ums0Go to the /dev directory and create a
device node as follows:&prompt.root; cd /dev
&prompt.root; ./MAKEDEV ums0Edit /etc/rc.conf and add the following
lines:
moused_enable="YES"
moused_type="auto"
moused_port="/dev/ums0"
moused_flags=""
usbd_enable="YES"
usbd_flags=""See the previous section for
more detailed discussion on moused.In order to use the USB mouse in the X session, edit
XF86Config. If you are using XFree86 3.3.2
or later, be sure to have the following lines in the
Pointer section:
Device "/dev/sysmouse"
Protocol "Auto"If you are using earlier versions of XFree86, be sure to
have the following lines in the Pointer
section:
Device "/dev/sysmouse"
Protocol "SysMouse"Refer to another section on
the mouse support in the X environment.Hot-plugging and unplugging of the USB mouse may not work quite
right yet. It is a good idea connect the mouse before you start the
system and leave it connected until the system is shutdown to avoid
trouble.My mouse has a fancy wheel and buttons. Can I use them in FreeBSD?The answer is, unfortunately, It depends. These mice with
additional features require specialized driver in most cases.
Unless the mouse device driver or the user program has specific
support for the mouse, it will act just like a standard two, or
three button mouse.For the possible usage of wheels in the X Window environment,
refer to that section.My mouse does not seem working. The mouse cursor jumps around
on the screen. The mouse has a wheel and is connected to the PS/2
mouse port.The PS/2 mouse driver psm in FreeBSD versions 3.2 or earlier has
difficulty with some wheel mice, including Logitech model M-S48 and
its OEM siblings. Apply the following patch to
/sys/i386/isa/psm.c and rebuild the
kernel.
Index: psm.c
===================================================================
RCS file: /src/CVS/src/sys/i386/isa/Attic/psm.c,v
retrieving revision 1.60.2.1
retrieving revision 1.60.2.2
diff -u -r1.60.2.1 -r1.60.2.2
--- psm.c 1999/06/03 12:41:13 1.60.2.1
+++ psm.c 1999/07/12 13:40:52 1.60.2.2
@@ -959,14 +959,28 @@
sc->mode.packetsize = vendortype[i].packetsize;
/* set mouse parameters */
+#if 0
+ /*
+ * A version of Logitech FirstMouse+ won't report wheel movement,
+ * if SET_DEFAULTS is sent... Don't use this command.
+ * This fix was found by Takashi Nishida.
+ */
i = send_aux_command(sc->kbdc, PSMC_SET_DEFAULTS);
if (verbose >= 2)
printf("psm%d: SET_DEFAULTS return code:%04x\n", unit, i);
+#endif
if (sc->config & PSM_CONFIG_RESOLUTION) {
sc->mode.resolution
= set_mouse_resolution(sc->kbdc,
- (sc->config & PSM_CONFIG_RESOLUTION) - 1);
+ (sc->config & PSM_CONFIG_RESOLUTION) - 1);
+ } else if (sc->mode.resolution >= 0) {
+ sc->mode.resolution
+ = set_mouse_resolution(sc->kbdc, sc->dflt_mode.resolution);
+ }
+ if (sc->mode.rate > 0) {
+ sc->mode.rate = set_mouse_sampling_rate(sc->kbdc, sc->dflt_mode.rate);
}
+ set_mouse_scaling(sc->kbdc, 1);
/* request a data packet and extract sync. bits */
if (get_mouse_status(sc->kbdc, stat, 1, 3) < 3) {Versions later than 3.2 should be all right. How do I use the mouse/trackball/touchpad on my laptop?
Please refer to the answer to the previous question. And check out this note on the Mobile
Computing page.What types of tape drives are supported?FreeBSD supports SCSI, QIC-36 (with a QIC-02 interface) and
QIC-40/80 (Floppy based) tape drives. This includes 8-mm (aka Exabyte)
and DAT drives. The QIC-40/80 drives are known to be slow.Some of the early 8-mm drives are not quite compatible with SCSI-2,
and may not work well with FreeBSD.Does FreeBSD support tape changers?FreeBSD 2.2 supports SCSI changers using the ch(4) device and
the chio(1)
command. The details of how you actually control the changer can be
found in the chio(1)
man page.If you're not using AMANDA or
some other product that already understands changers, remember that
they're only know how to move a tape from one point to another, so
you need to keep track of which slot a tape is in, and which slot the
tape currently in the drive needs to go back to.Which sound cards are supported by FreeBSD?FreeBSD supports the SoundBlaster, SoundBlaster Pro, SoundBlaster
16, Pro Audio Spectrum 16, AdLib and Gravis UltraSound sound cards.
There is also limited support for MPU-401 and compatible MIDI cards.
Cards conforming to the Microsoft Sound System specification are also
supported through the pcm driver.This is only for sound! This driver does not support
CD-ROMs, SCSI or joysticks on these cards, except for the
SoundBlaster. The SoundBlaster SCSI interface and some non-SCSI
CDROMS are supported, but you can't boot off this
device.Workarounds for no sound from es1370 with pcm driver?You can run the following command everytime the machine booted up:&prompt.root; mixer pcm 100 vol 100 cd 100Which network cards does FreeBSD support?See the Ethernet cards section of the handbook for a more
complete list. I don't have a math co-processor - is that bad?This will only affect 386/486SX/486SLC owners - other
machines will have one built into the CPU.In general this will not cause any problems, but there are
circumstances where you will take a hit, either in performance or
accuracy of the math emulation code (see the section on FP emulation). In particular, drawing arcs in X will be
VERY slow. It is highly recommended that you buy a math
co-processor; it's well worth it.Some math co-processors are better than others. It pains
us to say it, but nobody ever got fired for buying Intel. Unless
you're sure it works with FreeBSD, beware of clones.What other devices does FreeBSD support?See the Handbook
for the list of other devices supported.Does FreeBSD support power management on my laptop?FreeBSD supports APM on certain machines. Please look in the
LINT kernel config file, searching for the APM keyword.My Micron system hangs at boot timeCertain Micron motherboards have a non-conforming PCI BIOS
implementation that causes grief when FreeBSD boots because
PCI devices don't get configured at their reported addresses.Disable the Plug and Play Operating System flag in the BIOS
to work around this problem. More information can be found at
http://cesdis.gsfc.nasa.gov/linux/drivers/vortex.html#micronI have a newer Adaptec controller and FreeBSD can't find it.
The newer AIC789x series Adaptec chips are supported under the CAM SCSI
framework which made it's debut in 3.0. Patches against 2.2-STABLE
are in ftp://ftp.FreeBSD.org/pub/FreeBSD/development/cam/.
A CAM-enhanced boot floppy is available at http://people.FreeBSD.org/~abial/cam-boot/. In both cases read the README before
beginning. I have an internal Plug & Play modem and FreeBSD can't find it.
You will need to add the modem's PnP ID to the PnP ID list in the serial driver.
To enable Plug & Play support, compile a new kernel with
controller pnp0 in
the configuration file, then reboot the system. The kernel will print the PnP IDs
of all the devices it finds. Copy the PnP ID from the modem to the table in
/sys/i386/isa/sio.c, at about line 2777. Look for the string SUP1310
in the structure siopnp_ids[] to
find the table. Build the kernel again, install, reboot, and your modem should be found.You may have to manually configure the PnP devices using the pnp command in the
boot-time configuration with a command like
pnp 1 0 enable os irq0 3 drq0 0 port0 0x2f8
to make the modem show.How do I get the boot: prompt to show on the serial console?
Build a kernel with options COMCONSOLE.Create /boot.config and place as the only text in the file.Unplug the keyboard from the system.See /usr/src/sys/i386/boot/biosboot/README.serial for information.Why doesn't my 3Com PCI network card work with my Micron computer?Certain Micron motherboards have a non-conforming PCI BIOS
implementation that does not configure PCI devices at
the addresses reported. This causes grief when FreeBSD boots.To work around this problem, disable the Plug and Play Operating
System flag in the BIOS. More information on this problem is available at URL:
http://cesdis.gsfc.nasa.gov/linux/drivers/vortex.html#micronDoes FreeBSD support Symmetric Multiprocessing (SMP)?
SMP is supported in 3.0-STABLE and later releases only. SMP is
not enabled in the GENERIC kernel, so you will
have to recompile your kernel to enable SMP. Take a look at
/sys/i386/conf/LINT to figure out what options to put in
your kernel config file.The boot floppy hangs on a system with an ASUS K7V
motherboard. How do I fix this?Go in to the BIOS setup and disable the boot virus
protection.TroubleshootingI have bad blocks on my hard drive!With SCSI drives, the drive should be capable of re-mapping
these automatically. However, many drives are shipped with
this feature disabled, for some mysterious reason...To enable this, you'll need to edit the first device page mode,
which can be done on FreeBSD by giving the command (as root)&prompt.root; scsi -f /dev/rsd0c -m 1 -e -P 3and changing the values of AWRE and ARRE from 0 to 1:-AWRE (Auto Write Reallocation Enbld): 1
ARRE (Auto Read Reallocation Enbld): 1The following paragraphs were submitted by
Ted Mittelstaedt:For IDE drives, any bad block is usually a sign of potential trouble.
All modern IDE drives come with internal bad-block remapping turned
on. All IDE hard drive manufacturers today offer extensive
warranties and will replace drives with bad blocks on them.If you still want to attempt to rescue an IDE drive with bad blocks,
you can attempt to download the IDE drive manufacturer's IDE diagnostic
program, and run this against the drive. Sometimes these programs can
be set to force the drive electronics to rescan the drive for bad blocks
and lock them out.For ESDI, RLL and MFM drives, bad blocks are a normal part of the
drive and are no sign of trouble, generally. With a PC, the disk drive
controller card and BIOS handle the task of locking out bad sectors.
This is fine for operating systems like DOS that use BIOS code to
access the disk. However, FreeBSD's disk driver does not go through
BIOS, therefore a mechanism, bad144, exists that replaces this
functionality. bad144 only works with the wd driver (which means it
is not supported in FreeBSD 4.0),
it is NOT able to be used with SCSI. bad144 works by entering all bad
sectors found into a special file.One caveat with bad144 - the bad block special file is placed on the
last track of the disk. As this file may possibly contain a listing for
a bad sector that would occur near the beginning of the disk, where the
/kernel file might be located, it therefore must be accessible to the
bootstrap program that uses BIOS calls to read the kernel file. This
means that the disk with bad144 used on it must not exceed 1024
cylinders, 16 heads, and 63 sectors. This places an effective limit
of 500MB on a disk that is mapped with bad144.To use bad144, simply set the Bad Block scanning to ON in the
FreeBSD fdisk screen during the initial install. This works up through
FreeBSD 2.2.7. The disk must have less than 1024 cylinders. It is
generally recommended that the disk drive has been in operation for at
least 4 hours prior to this to allow for thermal expansion and track
wandering.If the disk has more than 1024 cylinders (such as a large ESDI drive)
the ESDI controller uses a special translation mode to make it work
under DOS. The wd driver understands about these translation modes,
IF you enter the translated geometry with the set geometry command
in fdisk. You must also NOT use the dangerously dedicated mode of
creating the FreeBSD partition, as this ignores the geometry. Also,
even though fdisk will use your overridden geometry, it still knows the
true size of the disk, and will attempt to create a too large FreeBSD
partition. If the disk geometry is changed to the translated geometry,
the partition MUST be manually created with the number of blocks.A quick trick to use is to set up the large ESDI disk with the ESDI
controller, boot it with a DOS disk and format it with a DOS partition.
Then, boot the FreeBSD install and in the fdisk screen, read off and
write down the blocksize and block numbers for the DOS partition. Then,
reset the geometry to the same that DOS uses, delete the DOS partition,
and create a cooperative FreeBSD partition using the blocksize you
recorded earlier. Then, set the partition bootable and turn on bad
block scanning. During the actual install, bad144 will run first,
before any filesystems are created. (you can view this with an Alt-F2)
If it has any trouble creating the badsector file, you have set too
large a disk geometry - reboot the system and start all over again
(including repartitioning and reformatting with DOS).If remapping is enabled and you are seeing bad blocks, consider
replacing the drive. The bad blocks will only get worse as time goes on.FreeBSD does not recognize my Bustek 742a EISA SCSI!This info is specific to the 742a but may also cover other
Buslogic cards. (Bustek = Buslogic)There are 2 general versions of the 742a card. They are
hardware revisions A-G, and revisions H - onwards. The revision
letter is located after the Assembly number on the edge of the
card. The 742a has 2 ROM chips on it, one is the BIOS chip and
the other is the Firmware chip. FreeBSD doesn't care what
version of BIOS chip you have but it does care about what version
of firmware chip. Buslogic will send upgrade ROMS out if you
call their tech support dept. The BIOS and Firmware chips are
shipped as a matched pair. You must have the most current
Firmware ROM in your adapter card for your hardware revision.The REV A-G cards can only accept BIOS/Firmware sets up to
2.41/2.21. The REV H- up cards can accept the most current
BIOS/Firmware sets of 4.70/3.37. The difference between the
firmware sets is that the 3.37 firmware supports round robinThe Buslogic cards also have a serial number on them. If you
have a old hardware revision card you can call the Buslogic RMA
department and give them the serial number and attempt to
exchange the card for a newer hardware revision. If the card is
young enough they will do so.FreeBSD 2.1 only supports Firmware revisions 2.21 onward. If you
have a Firmware revision older than this your card will not be
recognized as a Buslogic card. It may be recognized as an
Adaptec 1540, however. The early Buslogic firmware contains an
AHA1540 emulation mode. This is not a good thing for an EISA
card, however.If you have an old hardware revision card and you obtain the 2.21
firmware for it, you will need to check the position of jumper W1
to B-C, the default is A-B. My HP Netserver's SCSI controller is not detected!
This is basically a known problem. The EISA on-board SCSI controller
in the HP Netserver machines occupies EISA slot number 11, so all
the true EISA slots are in front of it. Alas, the address space
for EISA slots >= 10 collides with the address space assigned to PCI,
and FreeBSD's auto-configuration currently cannot handle this
situation very well.So now, the best you can do is to pretend there is no address
range clash :), by bumping the kernel option EISA_SLOTS
to a value of 12.
Configure and compile a kernel, as described in the
Handbook entry on configuring the kernel.Of course, this does present you with a chicken-and-egg problem when
installing on such a machine. In order to work around this
problem, a special hack is available inside UserConfig.
Do not use the visual interface, but the plain command-line
interface there. Simply typeeisa 12
quitat the prompt, and install your system as usual. While it's
recommended you compile and install a custom kernel anyway,Hopefully, future versions will have a proper fix for this problem.You can not use a dangerously dedicated disk with
an HP Netserver. See this note for
more info.What's up with this CMD640 IDE controller?It's broken. It cannot handle commands on both channels
simultaneously.There's a workaround available now and it is enabled automatically
if your system uses this chip. For the details refer to the
manual page of the disk driver (man 4 wd).If you're already running FreeBSD 2.2.1 or 2.2.2 with a
CMD640 IDE controller and you want to use the second channel,
build a new kernel with options "CMD640" enabled. This
is the default for 2.2.5 and later.I keep seeing messages like ed1: timeout.This is usually caused by an interrupt conflict (e.g., two boards
using the same IRQ). FreeBSD prior to 2.0.5R used to be tolerant
of this, and the network driver would still function in the
presence of IRQ conflicts. However, with 2.0.5R and later, IRQ
conflicts are no longer tolerated. Boot with the -c option and
change the ed0/de0/... entry to match your board.If you're using the BNC connector on your network card, you may
also see device timeouts because of bad termination. To check this,
attach a terminator directly to the NIC (with no cable) and see if
the error messages go away. Some NE2000 compatible cards will give this error if there is
no link on the UTP port or if the cable is disconnected.When I mount a CDROM, I get Incorrect super block.You have to tell
mount
the type of the device that you want to mount. By default,
mount(8)
will assume the filesystem is of type ufs. You want to mount
a CDROM filesystem, and you do this by specifying the
option to mount(8)
. This does, of course, assume that the
CDROM contains an ISO 9660 filesystem, which is what most CDROMs
have. As of 1.1R, FreeBSD automatically understands the Rock Ridge
(long filename) extensions as well.As an example, if you want to mount the CDROM device,
/dev/cd0c, under /mnt, you would execute:&prompt.root; mount -t cd9660 /dev/cd0c /mntNote that your device name (/dev/cd0c in this
example) could be different, depending on the CDROM interface.
Note that the option just causes the
mount_cd9660 command to be executed, and so the
above example could be shortened to:&prompt.root; mount_cd9660 /dev/cd0c /mntWhen I mount a CDROM, I get Device not configured.This generally means that there is no CDROM in the CDROM drive,
or the drive is not visible on the bus. Feed the drive
something, and/or check its master/slave status if it is
IDE (ATAPI). It can take a couple of seconds for a CDROM drive
to notice that it's been fed, so be patient.Sometimes a SCSI CD-ROM may be missed because it hadn't enough time
to answer the bus reset. If you have a SCSI CD-ROM please try to
add the following symbol into your kernel configuration file
and recompile.options "SCSI_DELAY=15"My printer is ridiculously slow. What can I do ?If it's parallel, and the only problem is that it's terribly
slow, try setting your printer port into polled mode:&prompt.root; lptcontrol -pSome newer HP printers are claimed not to work correctly in
interrupt mode, apparently due to some (not yet exactly
understood) timing problem.My programs occasionally die with Signal 11 errors.Signal 11 errors are caused when your process has attempted to
access memory which the operating system has not granted it access to.
If something like this is happening at seemingly random intervals then
you need to start investigating things very carefully.These problems can usually be attributed to either:If the problem is occurring only in a specific application
that you are developing yourself it is probably a bug in your code.
If it's a problem with part of the base FreeBSD system, it
may also be buggy code, but more often than not these problems are
found and fixed long before us general FAQ readers get to use
these bits of code (that's what -current is for).In particular, a dead giveaway that this is *not* a FreeBSD bug
is if you see the problem when you're compiling a program, but the
activity that the compiler is carrying out changes each time.
For example, suppose you're running "make buildworld", and the
compile fails while trying to compile ls.c in to ls.o. If you next run
"make buildworld" again, and the compile fails in the same place then
this is a broken build -- try updating your sources and try again. If
the compile fails elsewhere then this is almost certainly hardware.
What you should do:In the first case you can use a debugger e.g. gdb to find the
point in the program which is attempting to access a bogus address and
then fix it.
In the second case you need to verify that it's not your hardware
at fault. Common causes of this include :Your hard disks might be overheating: Check the fans in
your case are still working, as your disk (and perhaps other hardware
might be overheating).The processor running is overheating: This might be because the
processor has been overclocked, or the fan on the processor might
have died. In either case you need to ensure that you have hardware
running at what it's specified to run at, at least while trying to
solve this problem. i.e. Clock it back to the default settings. If you are overclocking then note that it's far cheaper
to have a slow system than a fried system that needs replacing!
Also the wider community is not often sympathetic to problems on
overclocked systems, whether you believe it's safe or not.Dodgy memory: If you have multiple memory SIMMS/DIMMS installed
then pull them all out and try running the machine with each SIMM or
DIMM individually and narrow the problem down to either the problematic
DIMM/SIMM or perhaps even a combination.Over-optimistic Motherboard settings: In your BIOS settings, and
some motherboard jumpers you have options to set various timings, mostly
the defaults will be sufficient, but sometimes, setting the wait
states on RAM too low, or setting the "RAM Speed: Turbo" option,
or similar in the BIOS will cause strange behaviour.
A possible idea is to set to BIOS defaults, but it might be worth
noting down your settings first!Unclean or insufficient power to the motherboard. If you
have any unused I/O boards, hard disks, or CDROMs in your system,
try temporarily removing them or disconnecting the power cable
from them, to see if your power supply can manage a smaller load.
Or try another power supply, preferably one with a little more
power (for instance, if your current power supply is rated at 250
Watts try one rated at 300 Watts).You should also read the SIG11 FAQ (listed below) which has
excellent explanations of all these problems, albeit from a Linux
viewpoint. It also discusses how memory testing software or hardware
can still pass faulty memory.Finally, if none of this has helped it is possible that you've
just found a bug in FreeBSD, and you should follow the instructions to
send a problem report.There's an extensive FAQ on this at
the SIG11 problem FAQWhen I boot, the screen goes black and loses sync!This is a known problem with the ATI Mach 64 video card.
The problem is that this card uses address 2e8, and
the fourth serial port does too. Due to a bug (feature?) in the
sio(4)
driver it will touch this port even if you don't have the
fourth serial port, and even if you disable sio3 (the fourth
port) which normally uses this address.Until the bug has been fixed, you can use this workaround:Enter at the bootprompt. (This will put the kernel
into configuration mode).
Disable sio0, sio1,
sio2 and sio3
(all of them). This way the sio driver doesn't get activated
-> no problems.
Type exit to continue booting.If you want to be able to use your serial ports,
you'll have to build a new kernel with the following
modification: in /usr/src/sys/i386/isa/sio.c find the
one occurrence of the string 0x2e8 and remove that string
and the preceding comma (keep the trailing comma). Now follow
the normal procedure of building a new kernel.Even after applying these workarounds, you may still find that
the X Window System does not work properly. If this is the case, make
sure that the XFree86 version you are using is at least XFree86 3.3.3
or higher. This version and upwards has built-in support for the
Mach64 cards and even a dedicated X server for those cards. I have 128 MB of RAM but the system only uses 64 MB.
Due to the manner in which FreeBSD gets the memory size from the
BIOS, it can only detect 16 bits worth of Kbytes in size (65535
Kbytes = 64MB) (or less... some BIOSes peg the memory size to 16M).
If you have more than 64MB, FreeBSD will attempt to detect it;
however, the attempt may fail.To work around this problem, you need to use the
kernel option specified below. There is a way to get complete
memory information from the BIOS, but we don't have room in the
bootblocks to do it. Someday when lack of room in the bootblocks
is fixed, we'll use the extended BIOS functions to get the full
memory information...but for now we're stuck with the kernel
option.options "MAXMEM=n"Where n is your memory in Kilobytes. For a 128 MB machine,
you'd want to use 131072.FreeBSD 2.0 panics with kmem_map too small!The message may also be
mb_map too small!The panic indicates that the system ran out of virtual memory for
network buffers (specifically, mbuf clusters). You can increase
the amount of VM available for mbuf clusters by adding:options "NMBCLUSTERS=n"to your kernel config file, where n is a number in the
range 512-4096, depending on the number of concurrent TCP
connections you need to support. I'd recommend trying 2048 - this
should get rid of the panic completely. You can monitor the
number of mbuf clusters allocated/in use on the system with
netstat -m. The default value for NMBCLUSTERS is
512 + MAXUSERS * 16.CMAP busy panic when rebooting with a new kernel.The logic that attempts to detect an out of date
/var/db/kvm_*.db files sometimes fails and using a
mismatched file can sometimes lead to panics.If this happens, reboot single-user and do:&prompt.root; rm /var/db/kvm_*.dbahc0: brkadrint, Illegal Host Access at seqaddr 0x0This is a conflict with an Ultrastor SCSI Host Adapter. During the boot process enter the kernel configuration menu and
disable uha0,
which is causing the problem.Sendmail says mail loops back to myselfThis is answered in the sendmail FAQ as follows:- * I'm getting "Local configuration error" messages, such as:
553 relay.domain.net config error: mail loops back to myself
554 <user@domain.net>... Local configuration error
How can I solve this problem?
You have asked mail to the domain (e.g., domain.net) to be
forwarded to a specific host (in this case, relay.domain.net)
by using an MX record, but the relay machine doesn't recognize
itself as domain.net. Add domain.net to /etc/sendmail.cw
(if you are using FEATURE(use_cw_file)) or add "Cw domain.net"
to /etc/sendmail.cf.
The current version of the sendmail FAQ is no longer maintained with the sendmail
release. It is however regularly posted to
comp.mail.sendmail,
comp.mail.misc,
comp.mail.smail,
comp.answers, and
news.answers.
You can also receive a copy via email by sending a message to
mail-server@rtfm.mit.edu
with the command send usenet/news.answers/mail/sendmail-faq as the body of the
message.Full screen applications on remote machines misbehaveThe remote machine may be setting your terminal type
to something other than the cons25 terminal type
required by the FreeBSD console.There are a number of possible work-arounds for this problem:
After logging on to the remote machine, set your TERM shell
variable to ansi or
sco if the remote machine knows
about these terminal types.Use a VT100 emulator like screen
at the FreeBSD console.
screen offers you the ability to run multiple
concurrent sessions from one terminal, and is a neat program in its own right.
Each screen window behaves like a VT100 terminal,
so the TERM variable at the remote end should be set to
vt100.
Install the cons25 terminal database entry on
the remote machine. The way to do this depends on the operating system on the
remote machine. The system administration manuals for the remote system
should be able to help you here.Fire up an X server at the FreeBSD end and login to the remote machine
using an X based terminal emulator such as xterm or
rxvt. The TERM variable at the remote host
should be set to xterm or vt100.My machine prints calcru: negative time...This can be caused by various hardware and/or software ailments
relating to interrupts. It may be due to bugs but can also happen
by nature of certain devices. Running TCP/IP over the parallel
port using a large MTU is one good way to provoke this problem.
Graphics accelerators can also get you here, in which case you
should check the interrupt setting of the card first.A side effect of this problem are dying processes with the
message SIGXCPU exceeded cpu time limit.For FreeBSD 3.0 and later from Nov 29, 1998 forward: If the
problem cannot be fixed otherwise the solution is to set
this sysctl variable:&prompt.root; sysctl -w kern.timecounter.method=1 This means a performance impact, but considering the cause of
this problem, you probably will not notice. If the problem
persists, keep the sysctl set to one and set the NTIMECOUNTER
option in your kernel to increasingly large values. If by the
time you have reached NTIMECOUNTER=20 the problem isn't
solved, interrupts are too hosed on your machine for reliable
timekeeping.Commercial ApplicationsThis section is still very sparse, though we're hoping, of
course, that companies will add to it! :) The FreeBSD group has no
financial interest in any of the companies listed here but simply
lists them as a public service (and feels that commercial interest
in FreeBSD can have very positive effects on FreeBSD's long-term
viability). We encourage commercial software vendors to send their
entries here for inclusion. See
the Vendors
page for a longer list.Where can I get Motif for FreeBSD?Contact Apps2go for the least expensive
ELF Motif 2.1.20 distribution for FreeBSD (either i386 or
Alpha).There are two distributions, the developement edition and the
runtime edition (for much less). These distributions includes:
OSF/Motif manager, xmbind, panner, wsm.
Development kit with uil, mrm, xm, xmcxx, include and Imake
files.
Static and dynamic ELF libraries (for use with FreeBSD 3.0
and above).
Demonstration applets.Be sure to specify that you want the FreeBSD version of Motif when
ordering (don't forget to mention the architecture you want too)! Versions
for NetBSD and OpenBSD are also sold by Apps2go.
This is currently a FTP only download.More infoApps2go WWW pageorSales or
Support email addresses.orphone (817) 431 8775 or +1 817 431-8775Contact Metro Link for an either ELF or
a.out Motif 2.1 distribution for FreeBSD.This distribution includes:
OSF/Motif manager, xmbind, panner, wsm.
Development kit with uil, mrm, xm, xmcxx, include and Imake
files.
Static and dynamic libraries (specify ELF for use with FreeBSD
3.0 and later; or a.out for use with FreeBSD 2.2.8 and eariler).
Demonstration applets.
Preformatted man pages.Be sure to specify that you want the FreeBSD version of Motif
when ordering! Versions for Linux are also sold by
Metro Link. This is available on either a CDROM or for
FTP download.Contact Xi Graphics for an a.out Motif 2.0
distribution for FreeBSD.This distribution includes:
OSF/Motif manager, xmbind, panner, wsm.
Development kit with uil, mrm, xm, xmcxx, include and Imake
files.
Static and dynamic libraries (for use with FreeBSD 2.2.8 and
eariler).
Demonstration applets.
Preformatted man pages.Be sure to specify that you want the FreeBSD version of Motif
when ordering! Versions for BSDI and Linux are also sold by
Xi Graphics. This is currently a 4 diskette set... in the
future this will change to a unified CD distribution like their CDE.Where can I get CDE for FreeBSD?Xi Graphics used to sell CDE for
FreeBSD, but no longer do.KDE is an open source
X11 desktop which is similar to CDE in many respects.
You might also like the look and feel of xfce. KDE and xfce are both
in the ports
system. Are there any commercial high-performance X servers?
Yes, Xi Graphics and
Metro Link sells
Accelerated-X product for FreeBSD and other Intel based systems.
The Metro Link offering is a high performance X Server that offers
easy configuration using the FreeBSD Package suite of tools, support
for multiple concurrent video boards and is distributed in binary
form only, in a convienent FTP download. Not to mention the Metro
Link offering is available at the very reasonable price of $39.
Metro Link also sells both ELF and a.out Motif for FreeBSD (see above).More infoMetro Link WWW pageorSales or
Support email addresses.orphone (954) 938-0283 or +1 954 938-0283The Xi Graphics offering is a high performance X Server that offers
easy configuration, support
for multiple concurrent video boards and is distributed in binary
form only, in a unified diskette distribution for FreeBSD and Linux.
Xi Graphics also offers a high performance X Server taylored for
laptop support.There is a free compatibility demo of version 5.0 available.Xi Graphics also sells Motif and CDE for FreeBSD (see above).More infoXi Graphics WWW pageorSales or
Support email addresses.orphone (800) 946 7433 or +1 303 298-7478.Are there any Database systems for FreeBSD?Yes! See the
Commercial Vendors section of FreeBSD's Web site.Also see the Databases section of the Ports collection.Can I run Oracle on FreeBSD?Yes. The following pages tell you exactly how to setup Linux-Oracle
on FreeBSD:http://www.scc.nl/~marcel/howto-oracle.htmlhttp://www.lf.net/lf/pi/oracle/install-linux-oracle-on-freebsdUser ApplicationsSo, where are all the user applications?Please take a look at the
ports page for info on software packages ported to
FreeBSD. The list currently tops 3400 and is growing daily, so come
back to check often or subscribe to the freebsd-announce
mailing list for periodic updates on new
entries.Most ports should be available for the 2.2, 3.x and 4.x
branches, and many of them should work on 2.1.x systems as
well. Each time a FreeBSD release is made, a snapshot of the
ports tree at the time of release in also included in the
ports/ directory.We also support the concept of a package, essentially no
more than a gzipped binary distribution with a little extra
intelligence embedded in it for doing whatever custom installation
work is required. A package can be installed and uninstalled
again easily without having to know the gory details of which
files it includes.Use the package installation menu in /stand/sysinstall
(under the post-configuration menu item) or invoke the
pkg_add(1) command on the specific package files you're
interested in installing. Package files can usually be identified by
their .tgz suffix and CDROM distribution people will have
a packages/All directory on their CD which contains such
files. They can also be downloaded over the net for various versions
of FreeBSD at the following locations:for 2.2.8-RELEASE/2.2.8-STABLEftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-2.2.8/for 3.X-RELEASE/3.X-STABLEftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/for 4.1-RELEASE/4-STABLEftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/for 5.X-CURRENTftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-currentor your nearest local mirror site.Note that all ports may not be available as packages since
new ones are constantly being added. It is always a good
idea to check back periodically to see which packages are available
at the ftp.FreeBSD.org master site.Why is /bin/sh so minimal? Why doesn't
FreeBSD use bash or another shell?Because POSIX says that there shall be such a shell.The more complicated answer: many people need to write shell
scripts which will be portable across many systems. That's why
POSIX specifies the shell and utility commands in great detail.
Most scripts are written in Bourne shell, and because several
important programming interfaces (&man.make.1;, &man.system.3;,
&man.popen.3;, and analogues in higher-level scripting languages
like Perl and Tcl) are specified to use the Bourne shell to
interpret commands. Because the Bourne shell is so often and
widely used, it is important for it to be quick to start, be
deterministic in its behavior, and have a small memory
footprint.The existing implementation is our best effort at meeting as
many of these requirements simultaneously as we can. In order to
keep /bin/sh small, we have not provided many
of the convenience features that other shells have. That's why the
Ports Collection includes more featureful shells like bash, scsh,
tcsh, and zsh. (You can compare for yourself the memory
utilization of all these shells by looking at the
VSZ and RSS columns in a ps
-u listing.)Where do I find libc.so.3.0?You are trying to run a package built on 2.2 and later on a 2.1.x
system. Please take a look at the previous section and get
the correct port/package for your system.I get a message Error: can't find
libc.so.4.0You accidently downloaded packages meant for 4.X and 5.X
systems and attempted to install them on your 2.X or 3.X FreeBSD system.
Please download the correct version of the
packages. ghostscript gives lots of errors with my 386/486SX.
You don't have a math co-processor, right?
You will need to add the alternative math emulator to your kernel;
you do this by adding the following to your kernel config file
and it will be compiled in.options GPL_MATH_EMULATEYou will need to remove the MATH_EMULATE
option when you do this. When I run a SCO/iBCS2 application, it bombs on
socksys (FreeBSD 3.0 and older only).
You first need to edit the /etc/sysconfig
(or /etc/rc.conf) file in the last section to change the
following variable to YES:# Set to YES if you want ibcs2 (SCO) emulation loaded at startup
ibcs2=NOIt will load the ibcs2
kernel module at startup.You'll then need to set up /compat/ibcs2/dev to look like:lrwxr-xr-x 1 root wheel 9 Oct 15 22:20 X0R@ -> /dev/null
lrwxr-xr-x 1 root wheel 7 Oct 15 22:20 nfsd@ -> socksys
-rw-rw-r-- 1 root wheel 0 Oct 28 12:02 null
lrwxr-xr-x 1 root wheel 9 Oct 15 22:20 socksys@ -> /dev/null
crw-rw-rw- 1 root wheel 41, 1 Oct 15 22:14 spxYou just need socksys to go to /dev/null
to fake the open & close. The code in -CURRENT will handle the
rest. This is much cleaner than the way it was done before. If you
want the spx driver for a local socket X connection, define
SPX_HACK when you compile the system. How do I configure INN (Internet News) for my machine?
After installing the inn package or port, an excellent place to
start is Dave Barr's INN Page where you'll find the INN FAQ.What version of Microsoft FrontPage should I get?Use the Port, Luke! A pre-patched version of Apache is available
in the ports tree.Does FreeBSD support Java?Yes. Please see http://www.FreeBSD.org/java/.Why can't I build this port on my 3.X-STABLE machine?If you're running a FreeBSD version that lags significantly behind
-CURRENT or -STABLE, you may need a ports upgrade kit from
http://www.FreeBSD.org/ports/. If you are up to date, then
someone might have committed a change to the port which works for
-CURRENT but which broke the port for -STABLE. Please submit a bug
report on this with the send-pr(1) command, since the ports
collection is supposed to work for both the -CURRENT and -STABLE
branches.Where do I find ld.so?If you want to run some aout applications like
Netscape Navigator on an Elf'ened machine such as 3.1-R or later,
it would need /usr/libexec/ld.so and some aout libs.
They are included in the compat22 distribution.
Use /stand/sysinstall or
install.sh in the compat22 subdirectory
and install it.
Also read ERRATAs for 3.1-R and 3.2-R.Kernel Configuration I'd like to customize my kernel. Is it difficult?
Not at all! Check out the kernel config section of the Handbook.I recommend making a dated snapshot of your kernel
in kernel.YYMMDD after you get it all working, that way if
you do something dire the next time you play with your configuration
you can boot that kernel instead of having to go all the way back
to kernel.GENERIC. This is particularly important if you're
now booting off a controller that isn't supported in the GENERIC
kernel (yes, personal experience). My kernel compiles fail because _hw_float is missing.
Let me guess. You removed npx0 from your
kernel configuration file because you don't have a math co-processor,
right? Wrong! :-) The npx0 is MANDATORY. Even if you don't
have a mathematic co-processor, you must
include the npx0
device.Why is my kernel so big (over 10MB)?Chances are, you compiled your kernel in
debug mode. Kernels built in debug
mode contain many symbols that are used for debugging, thus
greatly increasing the size of the kernel. Note that if you
running a FreeBSD 3.0 or later system, there will be little
or no performance decrease from running a debug kernel,
and it is useful to keep one around in case of a system
panic.However, if you are running low on disk space, or
you simply don't want to run a debug kernel, make sure
that both of the following are true:You do not have a line in your kernel
configuration file that reads:makeoptions DEBUG=-gYou are not running config with
the option.Both of the above situations will cause your kernel to
be built in debug mode. As long as you make sure you follow
the steps above, you can build your kernel normally, and you
should notice a fairly large size decrease; most kernels
tend to be around 1.5MB to 2MB.Interrupt conflicts with multi-port serial code.Q. When I compile a kernel with multi-port serial code, it
tells me that only the first port is probed and the rest skipped due to
interrupt conflicts. How do I fix this?A. The problem here is that FreeBSD has code built-in to keep
the kernel from getting trashed due to hardware or software
conflicts. The way to fix this is to leave out the IRQ settings
on all but one port. Here is a example:#
# Multiport high-speed serial line - 16550 UARTS
#
device sio2 at isa? port 0x2a0 tty irq 5 flags 0x501 vector siointr
device sio3 at isa? port 0x2a8 tty flags 0x501 vector siointr
device sio4 at isa? port 0x2b0 tty flags 0x501 vector siointr
device sio5 at isa? port 0x2b8 tty flags 0x501 vector siointrHow do I enable support for QIC-40/80 drives?You need to uncomment the following line in the generic config
file (or add it to your config file), add a flags 0x1
on the fdc line and recompile.controller fdc0 at isa? port "IO_FD1" bio irq 6 drq 2 flags 0x1 vector fdintr
disk fd0 at fdc0 drive 0 ^^^^^^^^^
disk fd1 at fdc0 drive 1
#tape ft0 at fdc0 drive 2
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^Next, you create a device called /dev/ft0 by going into
/dev and run the following command:&prompt.root; sh MAKEDEV ft0for the first device. ft1 for a second one and so on.You will have a device called /dev/ft0, which you can
write to through a special program to manage it called
fd - see the man page on ft
for further details.Versions previous to also had some trouble dealing
with bad tape media; if you have trouble where ft seems to
go back and forth over the same spot, try grabbing the latest
version of ft from /usr/src/sbin/ft in
and try that.System AdministrationWhere are the system start-up configuration files?From 2.0.5R to 2.2.1R, the primary configuration file is
/etc/sysconfig. All the options are to be specified in
this file and other files such as /etc/rc and
/etc/netstart just include it.Look in the /etc/sysconfig file and change the value to
match your system. This file is filled with comments to show what
to put in there.In post-2.2.1 and 3.0, /etc/sysconfig was renamed
to a more self-describing rc.conf
file and the syntax cleaned up a bit in the process.
/etc/netstart was also renamed to /etc/rc.network
so that all files could be copied with a cp /usr/src/etc/rc*
/etc command.And, in 3.1 and later, /etc/rc.conf has
been moved to /etc/defaults/rc.conf. Do not edit
this file! Instead, if there is any entry in
/etc/defaults/rc.conf that you want to change,
you should copy the line into /etc/rc.conf and
change it there.For example, if you wish to start named, the DNS server included
with FreeBSD in FreeBSD 3.1 or later, all you need to do is:&prompt.root; echo named_enable="YES" >>
/etc/rc.confTo start up local services in FreeBSD 3.1 or later, place shell
scripts in the /usr/local/etc.rd directory. These
shell scripts should be set executable, and end with a .sh. In FreeBSD
3.0 and earlier releases, you should edit the
/etc/rc.local file.The /etc/rc.serial is for serial port initialization
(e.g. locking the port characteristics, and so on.).The /etc/rc.i386 is for Intel-specifics settings, such
as iBCS2 emulation or the PC system console configuration.How do I add a user easily?Use the adduser command. For more complicated usage, the
pw command.To remove the user again, use the rmuser
command. Once again, pw will work as well.How can I add my new hard disk to my FreeBSD system?See the Disk Formatting Tutorial at
www.FreeBSD.org.I have a new removable drive, how do I use it?Whether it's a removable drive like a ZIP or an EZ drive (or
even a floppy, if you want to use it that way), or a new hard
disk, once it's installed and recognized by the system, and
you have your cartridge/floppy/whatever slotted in, things are
pretty much the same for all devices.(this section is based on Mark Mayo's ZIP FAQ)If it's a ZIP drive or a floppy , you've already got a DOS
filesystem on it, you can use a command like this:&prompt.root; mount -t msdos /dev/fd0c /floppyif it's a floppy, or this:&prompt.root; mount -t msdos /dev/da2s4 /zipfor a ZIP disk with the factory configuration.For other disks, see how they're laid out using fdisk or
/stand/sysinstall.The rest of the examples will be for a ZIP drive on da2, the third
SCSI disk.Unless it's a floppy, or a removable you plan on sharing with
other people, it's probably a better idea to stick a BSD file
system on it. You'll get long filename support, at least a 2X
improvement in performance, and a lot more stability. First, you
need to redo the DOS-level partitions/filesystems. You can either
use fdisk or /stand/sysinstall, or for a small
drive that you don't want to bother with multiple operating system
support on, just blow away the whole FAT partition table (slices)
and just use the BSD partitioning:&prompt.root; dd if=/dev/zero of=/dev/rda2 count=2
&prompt.root; disklabel -Brw da2 autoYou can use disklabel or /stand/sysinstall to create multiple
BSD partitions. You'll certainly want to do this if you're adding
swap space on a fixed disk, but it's probably irrelevant on a
removable drive like a ZIP.Finally, create a new file system, this one's on our ZIP drive
using the whole disk:&prompt.root; newfs /dev/rda2cand mount it:&prompt.root; mount /dev/da2c /zipand it's probably a good idea to add a line like this to
/etc/fstab so you can just type
mount /zip in the
future:/dev/da2c /zip ffs rw,noauto 0 0Why do I keep getting messages like root: not
found after editing my crontab file?This is normally caused by editing the system crontab
(/etc/crontab) and then using
&man.crontab.1; to install it:&prompt.root; crontab /etc/crontabThis is not the correct way to do things. The system
crontab has a different format to the per-user crontabs
which &man.crontab.1; updates (the &man.crontab.5; manual
page explains the differences in more detail).If this is what you did, you should delete the
/var/cron/tabs/root, since it will
simply be a copy of /etc/crontab,
in the wrong format. Next time, when you edit
/etc/crontab, you should not do
anything to inform &man.cron.8; of the changes, since it
will notice them automatically.The actual reason for the error is that the system
crontab has an extra field, specifying which user to run the
command as. In the default system crontab provided with
FreeBSD, this is root for all entries.
When this crontab is used as the root
user's crontab (which is not the
same as the system crontab), &man.cron.8; assumes the string
root is the first word of the command to
execute, but no such command exists.I made a mistake in rc.conf, and
now I can't edit it because the filesystem is read-only.
What should I do?When you get the prompt to enter the shell
pathname, simply press ENTER, and run
mount / to re-mount the root filesystem
in read/write mode. You may also need to run mount
-a -t ufs to mount the filesystem where your
favourite editor is defined. If your favourite editor is on
a network filesystem, you will need to either configure the
network manually before you can mount network filesystems,
or use an editor which resides on a local filesystem, such
as &man.ed.1;.If you intend to use a full screen editor such
as &man.vi.1; or &man.emacs.1;, you may also need to
run export TERM=cons25 so that these
editors can load the correct data from the &man.termcap.5;
database.Once you have performed these steps, you can edit
/etc/rc.conf as you usually would
to fix the syntax error. The error message displayed
immediately after the kernel boot messages should tell you
the number of the line in the file which is at fault.How do I mount a secondary DOS partition?The secondary DOS partitions are found after ALL the primary
partitions. For example, if you have an E partition as the
second DOS partition on the second SCSI drive, you need to create
the special files for slice 5 in /dev, then mount /dev/da1s5:&prompt.root; cd /dev
&prompt.root; sh MAKEDEV da1s5
&prompt.root; mount -t msdos /dev/da1s5 /dos/eCan I mount other foreign filesystems under FreeBSD? Digital UNIX UFS CDROMs can be mounted directly on FreeBSD.
Mounting disk partitions from Digital UNIX and other systems
that support UFS may be more complex, depending on the details
of the disk partitioning for the operating system in question. Linux: 2.2 and later have support for ext2fs partitions.
See mount_ext2fs for more information. NT: A read-only NTFS driver exists for FreeBSD. For more
information, see this tutorial by Mark Ovens at
http://ukug.uk.freebsd.org/~mark/ntfs_install.html.Any other information on this subject would be appreciated.How can I use the NT loader to boot FreeBSD?This procedure is slightly different for 2.2.x and 3.x (with the
3-stage boot) systems.The general idea is that you copy the first sector of your
native root FreeBSD partition into a file in the DOS/NT
partition. Assuming you name that file something like
c:\bootsect.bsd (inspired by c:\bootsect.dos),
you can then edit the c:\boot.ini file to come up with
something like this:[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows NT"
C:\BOOTSECT.BSD="FreeBSD"
C:\="DOS"For 2.2.x systems this procedure assumes that DOS, NT, FreeBSD, or whatever
have been installed into their respective fdisk partitions on the
same disk. In my case DOS & NT are in the first fdisk
partition and FreeBSD is in the second. I also installed FreeBSD
to boot from its native partition, not the disk MBR.Mount a DOS-formatted floppy (if you've converted to NTFS) or the
FAT partition, under, say, /mnt.&prompt.root; dd if=/dev/rda0a of=/mnt/bootsect.bsd bs=512 count=1Reboot into DOS or NT. NTFS users copy the bootsect.bsd
and/or the bootsect.lnx file from the floppy to
C:\. Modify the attributes (permissions) on
boot.ini with:C:\>attrib -s -r c:\boot.iniEdit to add the appropriate entries from the example
boot.ini above, and restore the attributes:C:\>attrib +s +r c:\boot.iniIf FreeBSD is booting from the MBR, restore it with the DOS
fdisk command after you reconfigure them to boot from their
native partitions.For FreeBSD 3.x systems the procedure is somewhat simpler.If FreeBSD is installed on the same disk as the NT boot partition
simply copy /boot/boot1 to
C:\BOOTSECT.BSD However, if FreeBSD is installed
on a different disk /boot/boot1 will not work,
/boot/boot0 is needed.
DO NOT SIMPLY COPY /boot/boot0 INSTEAD OF
/boot/boot1, YOU WILL OVERWRITE YOUR PARTITION
TABLE AND RENDER YOUR COMPUTER UN-BOOTABLE!/boot/boot0 needs to be installed using
sysinstall by selecting the FreeBSD boot manager on the screen which
asks if you wish to use a boot manager. This is because
/boot/boot0 has the partition table area filled
with NULL characters but sysinstall copies the partition table before
copying /boot/boot0 to the MBR.When the FreeBSD boot manager runs it records the last OS booted
by setting the active flag on the partition table entry for that OS
and then writes the whole 512-bytes of itself back to the MBR so if
you just copy /boot/boot0 to
C:\BOOTSECT.BSD then it writes an empty partition
table, with the active flag set on one entry, to the MBR. How do I boot FreeBSD and Linux from LILO?
If you have FreeBSD and Linux on the same disk, just follow
LILO's installation instructions for booting a non-Linux operating
system. Very briefly, these are:Boot Linux, and add the following lines to
/etc/lilo.conf:
other=/dev/hda2
table=/dev/hda
label=FreeBSD
(the above assumes that your FreeBSD slice is known to Linux as
/dev/hda2; tailor to suit your setup). Then,
run lilo as root and you should be done.If FreeBSD resides on another disk, you need to add
loader=/boot/chain.b to the LILO entry.
For example:
other=/dev/dab4
table=/dev/dab
loader=/boot/chain.b
label=FreeBSDIn some cases you may need to specify the BIOS drive number
to the FreeBSD boot loader to successfully boot off the second disk.
For example, if your FreeBSD SCSI disk is probed by BIOS as BIOS
disk 1, at the FreeBSD boot loader prompt you need to specify:Boot: 1:da(0,a)/kernelOn FreeBSD 2.2.5 and later, you can configure boot(8)
to automatically do this for you at boot time.The Linux+FreeBSD mini-HOWTO is a good reference for
FreeBSD and Linux interoperability issues. How do I boot FreeBSD and Linux using BootEasy?
Install LILO at the start of your Linux boot partition instead of
in the Master Boot Record. You can then boot LILO from BootEasy.If you're running Windows-95 and Linux this is recommended anyway,
to make it simpler to get Linux booting again if you should need
to reinstall Windows95 (which is a Jealous Operating System, and
will bear no other Operating Systems in the Master Boot Record). Will a dangerously dedicated disk endanger my health?
The installation procedure allows you to chose
two different methods in partitioning your harddisk(s). The default way
makes it compatible with other operating systems on the same machine,
by using fdisk table entries (called slices in FreeBSD),
with a FreeBSD slice that employs partitions of its own.
Optionally, one can chose to install a boot-selector to switch
between the possible operating systems on the disk(s).
The alternative uses the entire disk for FreeBSD, and makes
no attempt to be compatible with other operating systems.So why it is called dangerous? A disk in this mode
doesn't contain what normal PC utilities would consider a
valid fdisk table. Depending on how well they have been
designed, they might complain at you once they are getting
in contact with such a disk, or even worse, they might
damage the BSD bootstrap without even asking or notifying
you. In addition, the dangerously dedicated disk's layout
is known to confuse many BIOSsen, including those from AWARD
(eg. as found in HP Netserver and Micronics systems as well as
many others) and Symbios/NCR (for the popular 53C8xx range of
SCSI controllers). This isn't a complete list, there are more.
Symptoms of this confusion include the read error message
printed by the FreeBSD bootstrap when it can't find itself,
as well as system lockups when booting.Why have this mode at all then? It only saves a few kbytes
of disk space, and it can cause real problems for a new
installation. Dangerously dedicated mode's origins lie
in a desire to avoid one of the most common problems plaguing
new FreeBSD installers - matching the BIOS geometry numbers
for a disk to the disk itself.Geometry is an outdated concept, but one still at the
heart of the PC's BIOS and its interaction with disks. When
the FreeBSD installer creates slices, it has to record the
location of these slices on the disk in a fashion that
corresponds with the way the BIOS expects to find them. If
it gets it wrong, you won't be able to boot.Dangerously dedicated mode tries to work around this
by making the problem simpler. In some cases, it gets it right.
But it's meant to be used as a last-ditch alternative - there
are better ways to solve the problem 99 times out of 100.So, how do you avoid the need for DD mode when you're
installing? Start by making a note of the geometry that your
BIOS claims to be using for your disks. You can arrange to have
the kernel print this as it boots by specifying at the
boot: prompt, or using boot -v in the loader. Just
before the installer starts, the kernel will print a list of
BIOS geometries. Don't panic - wait for the installer to start
and then use scrollback to read the numbers. Typically the BIOS
disk units will be in the same order that FreeBSD lists your
disks, first IDE, then SCSI.When you're slicing up your disk, check that the disk geometry
displayed in the FDISK screen is correct (ie. it matches the BIOS
numbers); if it's wrong, use the g key to fix it. You may have
to do this if there's absolutely nothing on the disk, or if the
disk has been moved from another system. Note that this is only
an issue with the disk that you're going to boot from; FreeBSD
will sort itself out just fine with any other disks you may have.Once you've got the BIOS and FreeBSD agreeing about the
geometry of the disk, your problems are almost guaranteed to be
over, and with no need for DD mode at all. If, however,
you are still greeted with the dreaded read error message
when you try to boot, it's time to cross your fingers and
go for it - there's nothing left to lose.To return a dangerously dedicated disk for normal PC
use, there are basically two options. The first is, you
write enough NULL bytes over the MBR to make any subsequent
installation believe this to be a blank disk. You can do
this for example with&prompt.root; dd if=/dev/zero of=/dev/rda0 count=15Alternatively, the undocumented DOS featureC:\>fdisk /mbrwill to install a new master boot record as well, thus clobbering the
BSD bootstrap.How can I add more swap space?The best way is to increase the size of your swap partition, or
take advantage of this convenient excuse to add another disk. The
general rule of thumb is to have around 2x the swap space as you have
main memory. However, if you have a very small amount of main memory
you may want to configure swap beyond that. It is also a good idea
to configure sufficient swap relative to anticipated future memory
upgrades so you do not have to futz with your swap configuration later.Adding swap onto a separate disk makes things faster than
simply adding swap onto the same disk. As an example, if you
are compiling source located on one disk, and the swap is on
another disk, this is much faster than both swap and compile
on the same disk. This is true for SCSI disks specifically.When you have several disks, configuring a swap partition on
each one is usually beneficial, even if you wind up putting swap on a
work disk. Typically, each fast disk in your system should have some
swap configured. FreeBSD supports up to 4 interleaved swap devices by
default. When configuring multiple swap partitions you generally
want to make them all about the same size, but people sometimes make
their primary swap parition larger in order to accomodate a kernel
core dump. Your primary swap partition must be at least as large as
main memory in order to be able to accomodate a kernel core.IDE drives are not able to allow access to both drives on
the same channel at the same time (FreeBSD doesn't support mode 4, so
all IDE disk I/O is programmed). I would still suggest putting
your swap on a separate drive however. The drives are so cheap,
it is not worth worrying about.Swapping over NFS is only recommended if you do not have a local
disk to swap to. Swapping over NFS is slow and inefficient in FreeBSD
releases prior to 4.x, but reasonably fast in releases greater or
equal to 4.0. Even so, it will be limited to the network bandwidth
available and puts an additional burden on the NFS server.Here is an example for 64Mb vn-swap (/usr/swap0, though
of course you can use any name that you want).Make sure your kernel was built with the linepseudo-device vn 1 #Vnode driver (turns a file into a device)in your config-file. The GENERIC kernel already contains this.create a vn-device&prompt.root; cd /dev
&prompt.root; sh MAKEDEV vn0create a swapfile (/usr/swap0)&prompt.root; dd if=/dev/zero of=/usr/swap0 bs=1024k count=64set proper permissions on (/usr/swap0)&prompt.root; chmod 0600 /usr/swap0enable the swap file in /etc/rc.confswapfile="/usr/swap0" # Set to name of swapfile if aux swapfile desired.reboot the machineTo enable the swap file immediately, type&prompt.root; vnconfig -ce /dev/vn0c /usr/swap0 swapI'm having problems setting up my printer.Please have a look at the Handbook entry on printing. It
should cover most of your problem. See the
Handbook entry on printing.The keyboard mappings are wrong for my system.The kbdcontrol program has an option to load a keyboard map file.
Under /usr/share/syscons/keymaps are a number of map
files. Choose the one relevant to your system and load it.&prompt.root; kbdcontrol -l uk.isoBoth the /usr/share/syscons/keymaps and the .kbd
extension are assumed by
kbdcontrol.This can be configured in /etc/sysconfig (or rc.conf).
See the appropriate comments in this file.In 2.0.5R and later, everything related to text fonts, keyboard
mapping is in /usr/share/examples/syscons.The following mappings are currently supported:Belgian ISO-8859-1 Brazilian 275 keyboard Codepage 850 Brazilian 275 keyboard ISO-8859-1 Danish Codepage 865 Danish ISO-8859-1 French ISO-8859-1 German Codepage 850 German ISO-8859-1 Italian ISO-8859-1 Japanese 106 Japanese 106x Latin American Norwegian ISO-8859-1 Polish ISO-8859-2 (programmer's) Russian Codepage 866 (alternative) Russian koi8-r (shift) Russian koi8-r Spanish ISO-8859-1 Swedish Codepage 850 Swedish ISO-8859-1 Swiss-German ISO-8859-1 United Kingdom Codepage 850 United Kingdom ISO-8859-1 United States of America ISO-8859-1 United States of America dvorak United States of America dvorakx I can't get user quotas to work properly.Don't turn on quotas on /,
Put the quota file on the file system that the quotas are
to be enforced on. ie:
FS QUOTA FILE
/usr /usr/admin/quotas
/home /home/admin/quotas
...What's inappropriate about my ccd?The symptom of this is:&prompt.root; ccdconfig -C
ccdconfig: ioctl (CCDIOCSET): /dev/ccd0c: Inappropriate file type or formatThis usually happens when you are trying to concatenate the
c partitions, which default to type unused. The ccd
driver requires the underlying partition type to be
FS_BSDFFS. Edit the disklabel of the disks you are trying
to concatenate and change the types of partitions to
4.2BSD.Why can't I edit the disklabel on my ccd?The symptom of this is:&prompt.root; disklabel ccd0
(it prints something sensible here, so let's try to edit it)
&prompt.root; disklabel -e ccd0
(edit, save, quit)
disklabel: ioctl DIOCWDINFO: No disk label on disk;
use "disklabel -r" to install initial labelThis is because the disklabel returned by ccd is actually a
fake one that is not really on the disk. You can solve
this problem by writing it back explicitly, as in:&prompt.root; disklabel ccd0 > /tmp/disklabel.tmp
&prompt.root; disklabel -Rr ccd0 /tmp/disklabel.tmp
&prompt.root; disklabel -e ccd0
(this will work now)Does FreeBSD support System V IPC primitives?Yes, FreeBSD supports System V-style IPC. This includes shared
memory, messages and semaphores. You need to add the following
lines to your kernel config to enable them.options SYSVSHM
options SYSVSHM # enable shared memory
options SYSVSEM # enable for semaphores
options SYSVMSG # enable for messagingIn FreeBSD 3.2 and later, these options are already part
of the GENERIC kernel, which means they should
already be compiled into your system.Recompile and install your kernel. How do I use sendmail for mail delivery with UUCP?
The sendmail configuration that ships with FreeBSD is
suited for sites that connect directly to the Internet.
Sites that wish to exchange their mail via UUCP must install
another sendmail configuration file.Tweaking /etc/sendmail.cf manually is considered
something for purists. Sendmail version 8 comes with a
new approach of generating config files via some
m4 preprocessing, where the actual hand-crafted configuration
is on a higher abstraction level. You should use the
configuration files under
/usr/src/usr.sbin/sendmail/cfIf you didn't install your system with full sources, the sendmail
config stuff has been broken out into a separate source distribution
tarball just for you. Assuming you've got your CD-ROM mounted, do:&prompt.root; cd /cdrom/src
&prompt.root; cat scontrib.?? | tar xzf - -C /usr/src contrib/sendmailDon't panic, this is only a few hundred kilobytes in size.
The file README in the cf directory can
serve as a basic introduction to m4 configuration.For UUCP delivery, you are best advised to use the
mailertable feature. This constitutes a database
that sendmail can use to base its routing decision upon.First, you have to create your .mc file. The
directory /usr/src/usr.sbin/sendmail/cf/cf is the
home of these files. Look around, there are already a few
examples. Assuming you have named your file foo.mc,
all you need to do in order to convert it into a valid
sendmail.cf is:
&prompt.root; cd /usr/src/usr.sbin/sendmail/cf/cf
&prompt.root; make foo.cf
&prompt.root; cp foo.cf /etc/sendmail.cfA typical .mc file might look like:include(`../m4/cf.m4')
VERSIONID(`Your version number')
OSTYPE(bsd4.4)
FEATURE(nodns)
FEATURE(nocanonify)
FEATURE(mailertable)
define(`UUCP_RELAY', your.uucp.relay)
define(`UUCP_MAX_SIZE', 200000)
MAILER(local)
MAILER(smtp)
MAILER(uucp)
Cw your.alias.host.name
Cw youruucpnodename.UUCPThe nodns and nocanonify features will
prevent any usage of the DNS during mail delivery. The
UUCP_RELAY clause is needed for bizarre reasons,
don't ask. Simply put an Internet hostname there that
is able to handle .UUCP pseudo-domain addresses; most likely,
you will enter the mail relay of your ISP there.Once you've got this, you need this file called
/etc/mailertable. A typical example of this
gender again:#
# makemap hash /etc/mailertable.db < /etc/mailertable
#
horus.interface-business.de uucp-dom:horus
.interface-business.de uucp-dom:if-bus
interface-business.de uucp-dom:if-bus
.heep.sax.de smtp8:%1
horus.UUCP uucp-dom:horus
if-bus.UUCP uucp-dom:if-bus
. uucp-dom:As you can see, this is part of a real-life file. The first
three lines handle special cases where domain-addressed mail
should not be sent out to the default route, but instead to
some UUCP neighbor in order to shortcut the delivery
path. The next line handles mail to the local Ethernet
domain that can be delivered using SMTP. Finally, the UUCP
neighbors are mentioned in the .UUCP pseudo-domain notation,
to allow for a
uucp-neighbor!recipient
override of the
default rules. The last line is always a single dot, matching
everything else, with UUCP delivery to a UUCP neighbor that
serves as your universal mail gateway to the world. All of
the node names behind the uucp-dom: keyword must
be valid UUCP neighbors, as you can verify using the
command uuname.As a reminder that this file needs to be converted into a
DBM database file before being usable, the command line to
accomplish this is best placed as a comment at the top of
the mailertable. You always have to execute this command
each time you change your mailertable.Final hint: if you are uncertain whether some particular
mail routing would work, remember the option to
sendmail. It starts sendmail in address test mode;
simply enter 0 , followed by the address you wish to
test for the mail routing. The last line tells you the used
internal mail agent, the destination host this agent will be
called with, and the (possibly translated) address. Leave
this mode by typing Control-D.&prompt.user; sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
>0 foo@interface-business.de
rewrite: ruleset 0 input: foo @ interface-business . de
...
rewrite: ruleset 0 returns: $# uucp-dom $@ if-bus $: foo \
< @ interface-business . de >
>^D How do I set up mail with a dialup connection to the 'net?
If you've got a statically assigned IP number, you should not
need to adjust anything from the default. Set your host name up
as your assigned internet name and sendmail will do the rest.If you've got a dynamically assigned IP number and use a dialup
ppp connection to the internet, you will probably be given a
mailbox on your ISPs mail server. Lets assume your ISPs domain is
myISP.com, and that your user name is user. Lets also
assume you've called your machine bsd.home and that your ISP
has told you that you may use relay.myISP.com as a mail relay.In order to retrieve mail from your mailbox, you'll need to
install a retrieval agent. Fetchmail is a good choice as it
supports many different protocols. Usually, POP3 will be provided
by your ISP. If you've chosen to use user-ppp, you can automatically
fetch your mail when a connection to the 'net is established with the
following entry in /etc/ppp/ppp.linkup:MYADDR:
!bg su user -c fetchmailIf you are using sendmail (as shown below) to deliver mail to
non-local accounts, put the command !bg su user -c "sendmail -q"after the above shown entry. This forces sendmail to process your
mailqueue as soon as the connection to the 'net is established.I'm assuming that you have an account for user on bsd.home.
In the home directory of user on bsd.home, create a
.fetchmailrc file:poll myISP.com protocol pop3 fetchall pass MySecretNeedless to say, this file should not be readable by anyone except
user as it contains the password MySecret.In order to send mail with the correct from: header, you must
tell sendmail to use user@myISP.com rather than
user@bsd.home. You may also wish to tell sendmail to send all
mail via relay.myISP.com, allowing quicker mail transmission.The following .mc file should suffice:VERSIONID(`bsd.home.mc version 1.0')
OSTYPE(bsd4.4)dnl
FEATURE(nouucp)dnl
MAILER(local)dnl
MAILER(smtp)dnl
Cwlocalhost
Cwbsd.home
MASQUERADE_AS(`myISP.com')dnl
FEATURE(allmasquerade)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(nocanonify)dnl
FEATURE(nodns)dnl
define(SMART_HOST, `relay.myISP.com')
Dmbsd.home
define(`confDOMAIN_NAME',`bsd.home')dnl
define(`confDELIVERY_MODE',`deferred')dnlRefer to the previous section for details of how to turn this
.mc file into a sendmail.cf file. Also, don't forget to
restart sendmail after updating sendmail.cf.Eek! I forgot the root password!Don't Panic! Simply restart the system, type boot -s
at the Boot: prompt (just -s for FreeBSD releases before 3.2)
to enter Single User mode. At the question about the shell to use,
hit ENTER. You'll be dropped to a &prompt.root; prompt. Enter mount -u / to
remount your root filesystem read/write, then run mount -a to
remount all the filesystems. Run passwd root to
change the root password then run exit
to continue booting. How do I keep Control-Alt-Delete from rebooting the system?
If you are using syscons (the default console driver)
in FreeBSD 2.2.7-RELEASE or later,
build and install a new kernel with the lineoptions SC_DISABLE_REBOOTin the configuration file.
If you use the PCVT console driver
in FreeBSD 2.2.5-RELEASE or later,
use the following kernel configuration line instead:options PCVT_CTRL_ALT_DELFor older versions of FreeBSD,
edit the keymap you are using for the console and replace the
boot keywords with nop. The default keymap is
/usr/share/syscons/keymaps/us.iso.kbd. You may have to instruct
/etc/rc.conf to load this keymap explicitly for the change to
take effect. Of course if you are using an alternate keymap for your
country, you should edit that one instead.How do I reformat DOS text files to UNIX ones?Simply use this perl command:&prompt.user; perl -i.bak -npe 's/\r\n/\n/g' file ...file is the file(s) to process. The modification is done in-place,
with the original file stored with a .bak extension.Alternatively you can use the tr command:&prompt.user; tr -d '\r' < dos-text-file > unix-filedos-text-file is the file containing DOS text while
unix-file will contain the converted output. This can
be quite a bit faster than using perl.How do I kill processes by name?Use killall.Why is su bugging me about not being in root's ACL?
The error comes from the Kerberos distributed authentication system.
The problem isn't fatal but annoying. You can either run su with the -K
option, or uninstall Kerberos as described in the next question.How do I uninstall Kerberos?To remove Kerberos from the system, reinstall the bin distribution
for the release you are running. If you have the CDROM, you can
mount the cd (we'll assume on /cdrom) and run&prompt.root; cd /cdrom/bin
&prompt.root; ./install.shHow do I add pseudoterminals to the system?If you have lots of telnet, ssh, X, or screen users, you'll probably run
out of pseudoterminals. Here's how to add more:Build and install a new kernel with the linepseudo-device pty 256in the configuration file.Run the commands&prompt.root; cd /dev
&prompt.root; sh MAKEDEV pty{1,2,3,4,5,6,7}to make 256 device nodes for the new terminals.Edit /etc/ttys and add lines for each of the 256
terminals. They should match the form of the existing entries, i.e. they look
likettyqc none networkThe order of the letter designations is tty[pqrsPQRS][0-9a-v],
using a regular expression. Reboot the system with the new kernel and you're ready to go.I can't create the snd0 device!There is no snd device. The name is
used as a shorthand for the various devices that make up the
FreeBSD sound driver, such as mixer,
sequencer, and
dsp.To create these devices you should&prompt.root; cd /dev
&prompt.root; sh MAKEDEV snd0How do I re-read /etc/rc.conf and re-start /etc/rc without
a reboot?Go into single user mode and than back to multi user mode.On the console do:&prompt.root; shutdown now
(Note: without -r or -h)
&prompt.root; return
&prompt.root; exitWhat is a sandbox?Sandbox is a security term. It can mean two things:A process which is placed inside a set of virtual walls
that are designed to prevent someone who breaks into the
process from being able to break into the wider system.The process is said to be able to play inside the
walls. That is, nothing the process does in regards to
executing code is supposed to be able to breech the walls
so you do not have to do a detailed audit of its code to
be able to say certain things about its security.The walls might be a userid, for example. This is the
definition used in the security and named man pages.Take the ntalk service, for example (see
/etc/inetd.conf). This service used to run as userid
root. Now it runs as userid tty. The tty user is a
sandbox designed to make it more difficult for someone
who has successfully hacked into the system via ntalk from
being able to hack beyond that user id.A process which is placed inside a simulation of the
machine. This is more hard-core. Basically it means that
someone who is able to break into the process may believe
that he can break into the wider machine but is, in fact,
only breaking into a simulation of that machine and not
modifying any real data.The most common way to accomplish this is to build a
simulated environment in a subdirectory and then run the
processes in that directory chroot'd (i.e. / for that
process is this directory, not the real / of the
system).Another common use is to mount an underlying filesystem
read-only and then create a filesystem layer on top of it
that gives a process a seemingly writeable view into that
filesystem. The process may believe it is able to write
to those files, but only the process sees the effects
- other processes in the system do not, necessarily.An attempt is made to make this sort of sandbox so
transparent that the user (or hacker) does not realize
that he is sitting in it.UNIX implements two core sanboxes. One is at the process
level, and one is at the userid level.Every UNIX process is completely firewalled off from every
other UNIX process. One process can not modify the address space
of another. This is unlike Windows where a process can easily
overwrite the address space of any other, leading to a crash.A UNIX process is owned by a patricular userid. If the
userid is not the root user, it serves to firewall the process
off from processes owned by other users. The userid is also
used to firewall off on-disk data.How do I let ordinary users mount floppies and other removable
media?Ordinary users can be permitted to mount devices. Here is
how:As root assign the appropriate
permissions to the block device associated with the removable
media.For example, to allow users to mount the first floppy
drive, use:&prompt.root; chmod 777 /dev/fd0As root set the sysctl variable
vfs.usermount to
1.&prompt.root; sysctl -w vfs.usermount=1Users can now mount /dev/fd0 onto a
directory that they own:&prompt.user; mkdir ~/my-mount-point
&prompt.user; mount -t msdos /dev/fd0 ~/my-mount-pointUnmounting the device is simple:&prompt.user; umount ~/my-mount-pointEnabling vfs.usermount, however, has
negative security implications. A better way to access MSDOS
formatted media is to use the
mtools package in the ports collection.How do I move my system over to my huge new disk?The best way is to reinstall the OS on the new
disk, then move the user data over. This is highly
recommended if you've been tracking -stable for more
than one release, or have updated a release instead of
installing a new one. You can install booteasy on both
disks with &man.boot0cfg.8;, and dual boot them until
you are happy with the new configuration. Skip the
next paragraph to find out how to move the data after
doing this.Should you decide not to do a fresh install, you
need to partition and label the new disk with either
/stand/sysinstall, or &man.fdisk.8;
and &man.disklabel.8;. You should also install booteasy
on both disks with &man.boot0cfg.8;, so that you can
dual boot to the old or new system after the copying
is done. See the formatting-media
tutorial for details on this process.Now you've got the new disk set up, and are ready
to move the data. Unfortunately, you can't just blindly
copy the data. Things like device files (in
/dev) and symbolic links tend to
screw that up. You need to use tools that understand
these things, which means &man.dump.8; and &man.tar.1;.
I recommend doing the data moves in single user mode,
but it's not required.You should never use anything but &man.dump.8; and
&man.restore.8; to move the root file system. The
&man.tar.1; command may work - then again, it may not.
You should also use &man.dump.8; and &man.restore.8;
if you are moving a single partition to another empty
partition. The sequence of steps to use dump to move
a partitions data to a new partition is:newfs the new partition.mount it on a temporary mount point.cd to that directory.dump the old partition, piping output to the
new one.For example, if you are going to move root to
/dev/ad1s1a, with
/mnt as the temporary mount point,
it's:&prompt.root; newfs /dev/ad1s1a
&prompt.root; mount /dev/ad1s1a
&prompt.root; cd /mnt
&prompt.root; dump 0uaf - / | restore xf -If you are going to rearrange your partitions -
say, splitting one into two, or combing two into one,
you may find yourself needing to move everything under
a subdirectory to a new location. Since &man.dump.8;
works with file systems, it can't do this. So you use
&man.tar.1;. The general command to move
/old to /new
for &man.tar.1; is:&prompt.root; (cd /old; tar cf - .) | (cd /new; tar xpf -)If /old has file systems
mounted on that, and you
don't want to move that data or unmount them, you just
add the 'l' flag to the first &man.tar.1;:&prompt.root; (cd /old; tar clf - .) | (cd /new; tar xpf -).You might prefer cpio(1), pax(1) or cpdup
(in ports/sysutils/cpdup) to tar.The X Window System and Virtual ConsolesI want to run X, how do I go about it?The easiest way is to simply specify that you want to run X
during the installation process.Then read and follow the documentation on the xf86config tool, which assists you in configuring XFree86(tm)
for your particular graphics card/mouse/etc.You may also wish to investigate the Xaccel server.
See the section on Xi Graphics or
Metro Link for more details.Why doesn't my mouse work with X?If you are using syscons (the default console driver), you can
configure FreeBSD to support a mouse pointer on each virtual
screen. In order to avoid conflicting with X, syscons supports
a virtual device called /dev/sysmouse. All mouse events
received from the real mouse device are written to the sysmouse
device via moused. If you wish to use your
mouse on one or more virtual consoles, and use X,
see and set up moused.Then edit /etc/XF86Config and make sure you
have the following lines.
Section Pointer
Protocol "SysMouse"
Device "/dev/sysmouse"
.....The above example is for XFree86 3.3.2 or later. For earlier
versions, the Protocol should be
MouseSystems.Some people prefer to use /dev/mouse under X. To
make this work, /dev/mouse should be linked to
/dev/sysmouse:&prompt.root; cd /dev
&prompt.root; rm -f mouse
&prompt.root; ln -s sysmouse mouseMy mouse has a fancy wheel. Can I use it in X?Yes. But you need to customize X client programs. See Colas Nahaboo's web page (http://www.inria.fr/koala/colas/mouse-wheel-scroll/).If you want to use the
imwheel program, just follow
these simple steps.Translate the Wheel EventsThe imwheel program
works by translating mouse button 4 and mouse button 5
events into key events. Thus, you have to get the
mouse driver to translate mouse wheel events to button
4 and 5 events. There are two ways of doing this, the
first way is to have &man.moused.8; do the
translation. The second way is for the X server
itself to do the event translation.Using &man.moused.8; to Translate Wheel
EventsTo have &man.moused.8; perform the event
translations, simply add to
the command line used to start &man.moused.8;.
For example, if you normally start &man.moused.8;
via moused -p /dev/psm0 you
would start it by entering moused -p
/dev/psm0 -z 4 instead. If you start
&man.moused.8; automatically during bootup via
/etc/rc.conf, you can simply
add to the
moused_flags variable in
/etc/rc.conf.You now need to tell X that you have a 5
button mouse. To do this, simply add the line
Buttons 5 to the
Pointer section of
/etc/XF86Config. For
example, you might have the following
Pointer section in
/etc/XF86Config.Pointer Section for Wheeled
Mouse in XF86Config with moused
TranslationSection "Pointer"
Protocol "SysMouse"
Device "/dev/sysmouse"
Buttons 5
EndSection
Using Your X Server to Translate the Wheel
EventsIf you aren't running &man.moused.8;, or if
you don't want &man.moused.8; to translate your
wheel events, you can have the X server do the
event translation instead. This requires a couple
of modifications to your
/etc/XF86Config file. First,
you need to choose the proper protocol for your
mouse. Most wheeled mice use the
IntelliMouse protocol. However,
XFree86 does support other protocols, such as
MouseManPlusPS/2 for the Logitech
MouseMan+ mice. Once you have chosen the protocol
you will use, you need to add a
Protocol line to the
Pointer section.Secondly, you need to tell the X server to
remap wheel scroll events to mouse buttons 4 and
5. This is done with the
ZAxisMapping option.For example, if you aren't using
&man.moused.8;, and you have an IntelliMouse
attached to the PS/2 mouse port you would use
the following in
/etc/XF86Config.Pointer Section for Wheeled
Mouse in XF86Config with X
Server TranslationSection "Pointer"
Protocol "IntelliMouse"
Device "/dev/psm0"
ZAxisMapping 4 5
EndSection
Install imwheelNext, install imwheel
from the Ports collection. It can be found in the
x11 category. This program will
map the wheel events from your mouse into keyboard
events. For example, it might send Page
Up to a program when you scroll the wheel
forwards. Imwheel uses a
configuration file to map the wheel events to
keypresses so that it can send different keys to
different applications. The default
imwheel configuration file
is installed in
/usr/X11R6/etc/imwheelrc. You
can copy it to ~/.imwheelrc and
then edit it if you wish to customize
imwheel's configuration.
The format of the configuration file is documented in
&man.imwheel.1;.Configure Emacs to Work
with Imwheel
(optional)If you use emacs or
Xemacs, then you need to
add a small section to your
~/.emacs file. For
emacs, add the
following:Emacs Configuration
for Imwheel;;; For imwheel
(setq imwheel-scroll-interval 3)
(defun imwheel-scroll-down-some-lines ()
(interactive)
(scroll-down imwheel-scroll-interval))
(defun imwheel-scroll-up-some-lines ()
(interactive)
(scroll-up imwheel-scroll-interval))
(global-set-key [?\M-\C-\)] 'imwheel-scroll-up-some-lines)
(global-set-key [?\M-\C-\(] 'imwheel-scroll-down-some-lines)
;;; end imwheel section
For Xemacs, add the
following to your ~/.emacs file
instead:Xemacs Configuration
for Imwheel;;; For imwheel
(setq imwheel-scroll-interval 3)
(defun imwheel-scroll-down-some-lines ()
(interactive)
(scroll-down imwheel-scroll-interval))
(defun imwheel-scroll-up-some-lines ()
(interactive)
(scroll-up imwheel-scroll-interval))
(define-key global-map [(control meta \))] 'imwheel-scroll-up-some-lines)
(define-key global-map [(control meta \()] 'imwheel-scroll-down-some-lines)
;;; end imwheel section
Run ImwheelYou can just type imwheel
in an xterm to start it up once it is installed. It
will background itself and take effect immediately.
If you want to always use
imwheel, simply add it to
your .xinitrc or
.xsession file. You can safely
ignore any warnings imwheel
displays about PID files. Those warnings only apply
to the Linux version of
imwheel.X Window menus and dialog boxes don't work right!Try turning off the Num Lock key.If your Num Lock key is on by default at boot-time, you may add
the following line in the Keyboard section of the
XF86Config file.# Let the server do the NumLock processing. This should only be
# required when using pre-R6 clients
ServerNumLockWhat is a virtual console and how do I make more?Virtual consoles, put simply, enable you to have several
simultaneous sessions on the same machine without doing anything
complicated like setting up a network or running X.When the system starts, it will display a login prompt on
the monitor after displaying all the boot messages. You can
then type in your login name and password and start working (or
playing!) on the first virtual console.At some point, you will probably wish to start another
session, perhaps to look at documentation for a program
you are running or to read your mail while waiting for an
FTP transfer to finish. Just do Alt-F2 (hold down the Alt
key and press the F2 key), and you will find a login prompt
waiting for you on the second virtual console! When you
want to go back to the original session, do Alt-F1.The default FreeBSD installation has three virtual consoles
enabled (8 starting with 3.3-RELEASE), and Alt-F1, Alt-F2, and
Alt-F3 will switch between these virtual consoles.To enable more of them, edit /etc/ttys
and add entries for ttyv4 to ttyvc after the
comment on Virtual terminals:# Edit the existing entry for ttyv3 in /etc/ttys and change
# "off" to "on".
ttyv3 "/usr/libexec/getty Pc" cons25 on secure
ttyv4 "/usr/libexec/getty Pc" cons25 on secure
ttyv5 "/usr/libexec/getty Pc" cons25 on secure
ttyv6 "/usr/libexec/getty Pc" cons25 on secure
ttyv7 "/usr/libexec/getty Pc" cons25 on secure
ttyv8 "/usr/libexec/getty Pc" cons25 on secure
ttyv9 "/usr/libexec/getty Pc" cons25 on secure
ttyva "/usr/libexec/getty Pc" cons25 on secure
ttyvb "/usr/libexec/getty Pc" cons25 on secureUse as many or as few as you want. The more virtual terminals
you have, the more resources that are used; this can be important
if you have 8MB RAM or less. You may also want to change the
secure to insecure.If you want to run an X server you MUST
leave at least one virtual terminal unused (or turned off) for it
to use. That is to say that if you want to have a login
prompt pop up for all twelve of your Alt-function keys,
you're out of luck - you can only do this for eleven of them
if you also want to run an X server on the same
machine.The easiest way to disable a console is by turning it off. For
example, if you had the full 12 terminal allocation mentioned
above and you wanted to run X, you would change settings for
virtual terminal 12 from:ttyvb "/usr/libexec/getty Pc" cons25 on secureto:ttyvb "/usr/libexec/getty Pc" cons25 off secureIf your keyboard has only ten function keys, you would end up with:ttyv9 "/usr/libexec/getty Pc" cons25 off secure
ttyva "/usr/libexec/getty Pc" cons25 off secure
ttyvb "/usr/libexec/getty Pc" cons25 off secure(You could also just delete these lines.)Once you have edited /etc/ttys,
the next step is to make sure that you have enough virtual terminal
devices. The easiest way to do this is:&prompt.root; cd /dev
&prompt.root; sh MAKEDEV vty12Next, the easiest (and cleanest) way to activate the virtual
consoles is to reboot. However, if you really don't want to
reboot, you can just shut down the X Window system and execute (as
root):&prompt.root; kill -HUP 1It's imperative that you completely shut down X Window if it is
running, before running this command. If you don't, your system
will probably appear to hang/lock up after executing the kill
command.How do I access the virtual consoles from X?If the console is currently displaying X Window, you can use
Ctrl-Alt-F1, etc. to switch to a virtual console. Note, however,
that once you've switched away from X Window to a virtual
terminal, you may use only the Alt- function key to switch to another
virtual terminal or back to X Window. You do not need to also press the
Ctrl key. If you use the control key to switch back to X on some
older releases, you can find your text console stuck in control-lock
mode. Tap the control key to wake it up again.How do I start XDM on boot?There are two schools of thought on how to start xdm. One school starts xdm from
/etc/ttys using the supplied example, while the other
simply runs xdm from rc.local or
from a X.sh script in /usr/local/etc/rc.d.
Both are equally valid, and one may work in
situations where the other doesn't. In both cases the result is the
same: X will popup a graphical login: prompt. The ttys method has the advantage
of documenting which vty X will start on and passing the responsibility
of restarting the X server on logout to init. The rc.local method
makes it easy to kill xdm if there is a problem starting the X server. If loaded from rc.local, xdm should be started without any
arguments (i.e., as a daemon). xdm must start AFTER getty runs, or
else getty and xdm will conflict, locking out the console. The best
way around this is to have the script sleep 10 seconds or so then
launch xdm.If you are to start xdm from
/etc/ttys, there still is a chance of conflict
between xdm and getty. One way to
avoid this is to add the vt number in the
/usr/X11R6/lib/X11/xdm/Xservers file.:0 local /usr/X11R6/bin/X vt4The above example will direct the X server to run in
/dev/ttyv3. Note the number is offset by one. The
X server counts the vty from one, whereas the FreeBSD kernel numbers the
vty from zero.When I run xconsole, I get Couldn't open console.If you start X with startx,
the permissions on /dev/console will not get
changed, resulting in things like xterm -C and xconsole not working.This is because of the way console permissions are set by default.
On a multi-user system, one doesn't necessarily want just any user
to be able to write on the system console. For users who are logging
directly onto a machine with a VTY, the
fbtab
file exists to solve such problems.In a nutshell, make sure an uncommented line of the form/dev/ttyv0 0600 /dev/consoleis in /etc/fbtab and it will ensure that whomever logs in on
/dev/ttyv0 will own the console.My PS/2 mouse doesn't behave properly under X.Your mouse and the mouse driver may have somewhat become out of
synchronization.In versions 2.2.5 and earlier, switching away from X to a
virtual terminal and getting back to X again may make them
re-synchronized. If the problem occurs often, you may add the
following option in your kernel configuration file and recompile it.options PSM_CHECKSYNCSee the section on building a kernel
if you've no experience with building kernels.With this option, there should be less chance of synchronization
problem between the mouse and the driver. If, however, you
still see the problem, click any mouse button while holding
the mouse still to re-synchronize the mouse and the driver.Note that unfortunately this option may not work with all the
systems and voids the tap feature of the ALPS GlidePoint
device attached to the PS/2 mouse port.In versions 2.2.6 and later, synchronization check is done
in a slightly better way and is standard in the PS/2 mouse driver.
It should even work with GlidePoint. (As the check code has become
a standard feature, PSM_CHECKSYNC option is not available in these
versions.) However, in rare case the driver may erroneously report
synchronization problem and you may see the kernel message:psmintr: out of sync (xxxx != yyyy)and find your mouse doesn't seem to work properly.If this happens, disable the synchronization check code by
setting the driver flags for the PS/2 mouse driver to 0x100.
Enter UserConfig by giving the option
at the boot prompt:boot: -cThen, in the UserConfig command line, type:UserConfig> flags psm0 0x100
UserConfig> quitMy PS/2 mouse from MouseSystems doesn't seem to work.There have been some reports that certain model of PS/2 mouse
from MouseSystems works only if it is put into the high resolution
mode. Otherwise, the mouse cursor may jump to the upper-left
corner of the screen every so often.Unfortunately there is no workaround for versions 2.0.X and
2.1.X. In versions 2.2 through 2.2.5, apply the following patch
to /sys/i386/isa/psm.c and rebuild the kernel. See the
section on building a kernel
if you've no experience with building kernels.@@ -766,6 +766,8 @@
if (verbose >= 2)
log(LOG_DEBUG, "psm%d: SET_DEFAULTS return code:%04x\n",
unit, i);
+ set_mouse_resolution(sc->kbdc, PSMD_RES_HIGH);
+
#if 0
set_mouse_scaling(sc->kbdc); /* 1:1 scaling */
set_mouse_mode(sc->kbdc); /* stream mode */In versions 2.2.6 or later, specify the flags 0x04 to the PS/2
mouse driver to put the mouse into the high resolution mode.
Enter UserConfig by giving the option
at the boot prompt:boot: -cThen, in the UserConfig command line, type:UserConfig> flags psm0 0x04
UserConfig> quitSee the previous section for another possible cause of mouse
problems.When building an X app, imake can't find Imake.tmpl. Where is it?
Imake.tmpl is part of the Imake package, a standard X application building tool.
Imake.tmpl, as well as several header files that are required to build X apps,
is contained in the X prog distribution. You can install this from sysinstall or
manually from the X distribution files. How do I reverse the mouse buttons?
Run the command xmodmap -e "pointer = 3 2 1" from your .xinitrc or .xsession.How do I install a splash screen and where do I find them?
Just prior to the release of FreeBSD 3.1, a new feature was
added to allow the display of splash screens during
the boot messages. The splash screens currently must be a 256
color bitmap (*.BMP) or ZSoft PCX
(*.PCX) file. In addition, they must have a
resolution of 320x200 or less to work on standard VGA adapters.
If you compile VESA support into your kernel, then you can use
larger bitmaps up to 1024x768. Note that VESA support requires
the VM86 kernel option to be compiled into the
kernel. The actual VESA support can either be compiled directly
into the kernel with the VESA kernel config option
or by loading the VESA kld module during bootup.To use a splash screen, you need to modify the startup files
that control the boot process for FreeBSD. The files for this
changed prior to the release of FreeBSD 3.2, so there are now
two ways of loading a splash screen:FreeBSD 3.1
The first step is to find a bitmap version of your splash
screen. Release 3.1 only supports Windows bitmap splash
screens. Once you've found your splash screen of choice
copy it to /boot/splash.bmp. Next, you need to
have a /boot/loader.rc file that contains the
following lines:load kernel
load -t splash_image_data /boot/splash.bmp
load splash_bmp
autobootFreeBSD 3.2+
In addition to adding support for PCX splash screens,
FreeBSD 3.2 includes a nicer way of configuring the boot
process. If you wish, you can use the method listed above
for FreeBSD 3.1. If you do and you want to use PCX, replace
splash_bmp with splash_pcx. If,
on the other hand, you want to use the newer boot
configuration, you need to create a
/boot/loader.rc file that contains the
following lines:include /boot/loader.4th
startand a /boot/loader.conf that contains the
following:splash_bmp_load="YES"
bitmap_load="YES"This assumes you are using /boot/splash.bmp
for your splash screen. If you'd rather use a PCX file,
copy it to /boot/splash.pcx, create a
/boot/loader.rc as instructed above, and
create a /boot/loader.conf that contains:splash_pcx_load="YES"
bitmap_load="YES"
bitmap_name="/boot/splash.pcx"Now all you need is a splash screen. For that you can surf
on over to the gallery at http://www.cslab.vt.edu/~jobaldwi/splash/.Can I use the Windows(tm) keys on my keyboard in X?Yes. All you need to do is use &man.xmodmap.1; to define what
function you wish them to perform.Assuming all Windows(tm) keyboards are standard
then the keycodes for the 3 keys are115 - Windows(tm) key, between the left-hand Ctrl and
Alt keys116 - Windows(tm) key, to the right of the Alt-Gr
key117 - Menu key, to the left of the right-hand Ctrl
keyTo have the left Windows(tm) key print a comma, try
this.&prompt.root; xmodmap -e "keycode 115 = comma"You will probably have to re-start your window manager
to see the result.To have the Windows(tm) key-mappings enabled automatically
everytime you start X either put the xmodmap
commands in your ~/.xinitrc file or,
preferably, create a file ~/.xmodmaprc and
include the xmodmap options, one per line,
then add the linexmodmap $HOME/.xmodmaprcto your ~/.xinitrc.For example, I have mapped the 3 keys to be F13, F14, and F15
respectively. This makes it easy to map them to useful functions
within applications or your window manager.To do this put the following in
~/.xmodmaprc.keycode 115 = F13
keycode 116 = F14
keycode 117 = F15I use fvwm2 and have mapped the keys so
that F13 iconifies (or de-iconifies) the window the cursor is in,
F14 brings the window the cursor is in to the front or, if it is
already at the front, pushes it to the back, and F15 pops up the
main Workplace (application) menu even if the cursor is not on the
desktop, which is useful if you don't have any part of the desktop
visible (and the logo on the key matches its
functionality).The entries in my ~/.fvwmrc which map the
keys this way are:Key F13 FTIWS A Iconify
Key F14 FTIWS A RaiseLower
Key F15 A A Menu Workplace NopNetworkingWhere can I get information on diskless booting?Diskless booting means that the FreeBSD box is booted over a
network, and reads the necessary files from a server instead of
its hard disk. For full details, please read
the Handbook entry on diskless booting Can a FreeBSD box be used as a dedicated network router?
Internet standards and good engineering practice prohibit us from
providing packet forwarding by default in FreeBSD. You can
however enable this feature by changing the following variable to
YES in rc.conf:gateway_enable=YES # Set to YES if this host will be a gatewayThis option will put the sysctl variable
net.inet.ip.forwarding to 1.In most cases, you will also need to run a routing process to
tell other systems on your network about your router; FreeBSD
comes with the standard BSD routing daemon
routed, or for more complex situations you may want to try
GaTeD (available from http://www.gated.org/ ) which
supports FreeBSD as of 3_5Alpha7.It is our duty to warn you that, even when FreeBSD is configured
in this way, it does not completely comply with the Internet
standard requirements for routers; however, it comes close enough
for ordinary usage.Can I connect my Win95 box to the Internet via FreeBSD?Typically, people who ask this question have two PC's at home, one
with FreeBSD and one with Win95; the idea is to use the FreeBSD
box to connect to the Internet and then be able to access the
Internet from the Windows95 box through the FreeBSD box. This
is really just a special case of the previous question. ... and the answer is yes! In FreeBSD 3.x, user-mode ppp contains a
option. If you run ppp with
the , set gateway_enable to
YES in /etc/rc.conf, and
configure your Windows machine correctly, this should work
fine.More detailed information about setting this up can be found in
the Pedantic PPP
Primer by Steve Sims.If you are using kernel-mode ppp, or have an Ethernet connection
to the Internet, you will have to use natd. Please
look at the natd section of this FAQ. Why does recompiling the latest BIND from ISC fail?
There is a conflict between the cdefs.h file in the
distribution and the one shipped with FreeBSD. Just remove
compat/include/sys/cdefs.h.Does FreeBSD support SLIP and PPP?Yes. See the man pages for
slattach, sliplogin,
pppd and
ppp.
pppd and ppp provide support for both incoming and outgoing
connections. Sliplogin deals exclusively with incoming connections and
slattach deals exclusively with outgoing connections.These programs are described in the following sections of the
handbook:Handbook entry on SLIP (server side)Handbook entry on SLIP (client side)Handbook entry on PPP (kernel version)Handbook entry on PPP (user-mode version)If you only have access to the Internet through a shell
account, you may want to have a look at the slirp
package. It can provide you with (limited) access to services
such as ftp and http direct from your local machine. Does FreeBSD support NAT or Masquerading
If you have a local subnet (one or more local machines), but have
been allocated only a single IP number from your Internet provider
(or even if you receive a dynamic IP number), you may want to look at
the natd
program. natd allows you to connect an entire subnet to the
internet using only a single IP number.The ppp program has similar functionality built in via
the switch. The alias library
is used in both cases.I can't create a /dev/ed0 device!In the Berkeley networking framework, network interfaces are only
directly accessible by kernel code. Please see the
/etc/rc.network file and the manual pages for the various
network programs mentioned there for more information. If this
leaves you totally confused, then you should pick up a book
describing network administration on another BSD-related
operating system; with few significant exceptions, administering
networking on FreeBSD is basically the same as on SunOS 4.0 or
Ultrix.How can I setup Ethernet aliases?Add netmask 0xffffffff to your ifconfig
command-line like the following:&prompt.root; ifconfig ed0 alias 204.141.95.2 netmask 0xffffffffHow do I get my 3C503 to use the other network port?If you want to use the other ports, you'll have to specify an
additional parameter on the
ifconfig command line. The
default port is link0. To use the AUI port instead of
the BNC one, use link2. These flags should be specified
using the ifconfig_* variables in /etc/rc.conf.I'm having problems with NFS to/from FreeBSD.Certain PC network cards are better than others (to put it
mildly) and can sometimes cause problems with network intensive
applications like NFS.See the Handbook entry on NFS
for more information on this topic.Why can't I NFS-mount from a Linux box?Some versions of the Linux NFS code only accept mount requests
from a privileged port; try&prompt.root; mount -o -P linuxbox:/blah /mntWhy can't I NFS-mount from a Sun box?Sun workstations running SunOS 4.X only accept mount requests
from a privileged port; try&prompt.root; mount -o -P sunbox:/blah /mntI'm having problems talking PPP to NeXTStep machines.Try disabling the TCP extensions in /etc/rc.conf by
changing the following variable to NO:tcp_extensions=NOXylogic's Annex boxes are also broken in this regard and you must
use the above change to connect thru them.How do I enable IP multicast support?Multicast host operations are fully supported in FreeBSD 2.0 and
later by default. If you want your box to run as a multicast router,
you will need to recompile your kernel with the MROUTING
option and run mrouted. FreeBSD 2.2 and later will start
mrouted at boot time if the flag mrouted_enable is set
to "YES" in /etc/rc.conf.MBONE tools are available in their own ports category, mbone. If
you are looking for the conference tools vic and
vat,
look there!For more information, see the
Mbone Information Web.Which network cards are based on the DEC PCI chipset?Here is a list compiled by Glen Foster, with some more modern additions:Vendor Model
----------------------------------------------
ASUS PCI-L101-TB
Accton ENI1203
Cogent EM960PCI
Compex ENET32-PCI
D-Link DE-530
Dayna DP1203, DP2100
DEC DE435, DE450
Danpex EN-9400P3
JCIS Condor JC1260
Linksys EtherPCI
Mylex LNP101
SMC EtherPower 10/100 (Model 9332)
SMC EtherPower (Model 8432)
TopWare TE-3500P
Znyx (2.2.x) ZX312, ZX314, ZX342, ZX345, ZX346, ZX348
(3.x) ZX345Q, ZX346Q, ZX348Q, ZX412Q, ZX414, ZX442,
ZX444, ZX474, ZX478, ZX212, ZX214 (10mbps/hd)Why do I have to use the FQDN for hosts on my site?You will probably find that the host is actually in a different
domain; for example, if you are in foo.bar.edu and you wish to reach
a host called mumble in the bar.edu domain, you will have to
refer to it by the fully-qualified domain name, mumble.bar.edu,
instead of just mumble.Traditionally, this was allowed by BSD BIND resolvers. However
the current version of bind that ships
with FreeBSD no longer provides default abbreviations for non-fully
qualified domain names other than the domain you are in.
So an unqualified host mumble must either be found
as mumble.foo.bar.edu, or it will be searched for
in the root domain.This is different from the previous behavior, where the
search continued across mumble.bar.edu, and
mumble.edu. Have a look at RFC 1535 for why this
was considered bad practice, or even a security hole.As a good workaround, you can place the linesearch foo.bar.edu bar.eduinstead of the previousdomain foo.bar.eduinto your /etc/resolv.conf file. However, make sure that the search order
does not go beyond the boundary between local and public
administration, as RFC 1535 calls it.Permission denied for all networking operations.If you have compiled your kernel with the IPFIREWALL
option, you need to be aware that the default policy as of
2.1.7R (this actually changed during 2.1-STABLE development)
is to deny all packets that are not explicitly allowed.If you had unintentionally misconfigured your system for
firewalling, you can restore network operability by typing
the following while logged in as root:&prompt.root; ipfw add 65534 allow all from any to anyYou can also set firewall_type="open" in /etc/rc.conf.For further information on configuring a FreeBSD firewall,
see the Handbook section.How much overhead does IPFW incur?The answer to this depends mostly on your rule set and processor
speed. For most applications dealing with ethernet and small
rule sets, the answer is, negligible. For those of you that need
actual measurements to satisfy your curiosity, read on.The following measurements were made using 2.2.5-STABLE on
a 486-66. IPFW was modified to measure the time spent within
the ip_fw_chk routine, displaying the results to the console
every 1000 packets.Two rule sets, each with 1000 rules were tested. The first set
was designed to demonstrate a worst case scenario by repeating the
rule:&prompt.root; ipfw add deny tcp from any to any 55555This demonstrates worst case by causing most of IPFW's packet
check routine to be executed before finally deciding that the
packet does not match the rule (by virtue of the port number).
Following the 999th iteration of this rule was an allow ip
from any to any.The second set of rules were designed to abort the rule
check quickly:&prompt.root; ipfw add deny ip from 1.2.3.4 to 1.2.3.4The nonmatching source IP address for the above rule causes
these rules to be skipped very quickly. As before, the 1000th
rule was an allow ip from any to any.The per-packet processing overhead in the former case was
approximately 2.703ms/packet, or roughly 2.7 microseconds per
rule. Thus the theoretical packet processing limit with these
rules is around 370 packets per second. Assuming 10Mbps ethernet
and a ~1500 byte packet size, we would only be able to achieve a
55.5% bandwidth utilization.For the latter case each packet was processed in
approximately 1.172ms, or roughly 1.2 microseconds per rule.
The theoretical packet processing limit here would be about
853 packets per second, which could consume 10Mbps ethernet
bandwidth.The excessive number of rules tested and the nature of those
rules do not provide a real-world scenario -- they were used only
to generate the timing information presented here. Here are a
few things to keep in mind when building an efficient rule set:Place an established rule early on to handle the
majority of TCP traffic. Don't put any allow tcp
statements before this rule.
Place heavily triggered rules earlier in the rule
set than those rarely used (without changing the
permissiveness of the firewall, of course). You can see
which rules are used most often by examining the packet counting
statistics with ipfw -a l.
How can I redirect service requests from one machine to another?
You can redirect FTP (and other service) request with the socket
package, available in the ports tree in category sysutils.
Simply replace the service's commandline to call socket instead, like so:ftp stream tcp nowait nobody /usr/local/bin/socket socket ftp.foo.comftpwhere ftp.foo.com and ftp are the host and port to redirect to,
respectively.Where can I get a bandwidth management tool?There are two bandwidth management tools available for FreeBSD.
ALTQ is available for free; Bandwidth Manager from
Emerging Technologies is
a commercial product. Why do I get /dev/bpf0: device not configured?The Berkeley Packet Filter (bpf) driver
needs to be enabled before running programs that utilize it.
Add this to your kernel config file and build a new kernel:pseudo-device bpfilter # Berkeley Packet FilterSecondly, after rebooting you will have to create the device
node. This can be accomplished by a change to the /dev
directory, followed by the execution of:&prompt.root; sh MAKEDEV bpf0Please see the handbook's entry on device nodes for more information
on creating devices.How do I mount a disk from a Windows machine that's on my
network, like smbmount in Linux?Use the sharity
light package in the ports collection.PPP I can't make ppp work. What am I doing wrong ?
You should first read the ppp man page and
the ppp section of the handbook. Enable logging with the commandset log Phase Chat Connect Carrier lcp ipcp ccp commandThis command may be typed at the ppp command prompt or
it may be entered in the /etc/ppp/ppp.conf configuration file
(the start of the default section is the best place to put it).
Make sure that /etc/syslog.conf contains the lines!ppp
*.* /var/log/ppp.logand that the file /var/log/ppp.log exists. You can
now find out a lot about what's going on from the log file.
Don't worry if it doesn't all make sense. If you need to
get help from someone, it may make sense to them.If your version of ppp doesn't understand the set log
command, you should download the
latest version.
It will build on FreeBSD version 2.1.5 and higher.Ppp just hangs when I run itThis is usually because your hostname won't resolve. The best
way to fix this is to make sure that /etc/hosts is
consoluted by your resolver first by editing /etc/host.conf
and putting the hosts line first. Then, simply put an
entry in /etc/hosts for your local machine. If you have
no local network, change your localhost line:127.0.0.1 foo.bar.com foo localhostOtherwise, simply add another entry for your host. Consult the
relevant man pages for more details.You should be able to successfully ping -c1 `hostname`
when you're done.Ppp won't dial in -auto modeFirst, check that you've got a default route. By running
netstat -rn,
you should see two entries like this:Destination Gateway Flags Refs Use Netif Expire
default 10.0.0.2 UGSc 0 0 tun0
10.0.0.2 10.0.0.1 UH 0 0 tun0This is assuming that you've used the addresses from the
handbook, the man page or from the ppp.conf.sample file.
If you haven't got a default route, it may be because you're
running an old version of ppp that doesn't understand the
word HISADDR in the ppp.conf file. If your version of
ppp is from before FreeBSD 2.2.5, change theadd 0 0 HISADDRline to one sayingadd 0 0 10.0.0.2Another reason for the default route line being missing is that
you have mistakenly set up a default router in your
/etc/rc.conf file (this file was called
/etc/sysconfig prior to release 2.2.2), and you have
omitted the line sayingdelete ALLfrom ppp.conf. If this is the case, go back to the
Final system configuration section of the handbook.What does No route to host meanThis error is usually due to a missingMYADDR:
delete ALL
add 0 0 HISADDRsection in your /etc/ppp/ppp.linkup file. This is
only necessary if you have a dynamic IP address or don't know the
address of your gateway. If you're using interactive mode, you can
type the following after entering packet mode (packet mode is
indicated by the capitalized PPP in the prompt):delete ALL
add 0 0 HISADDRRefer to the PPP and Dynamic IP addresses section of the handbook
for further details.My connection drops after about 3 minutesThe default ppp timeout is 3 minutes. This can be adjusted
with the lineset timeout NNNwhere NNN is the number of seconds of inactivity before the
connection is closed. If NNN is zero, the connection is
never closed due to a timeout. It is possible to put this command in
the ppp.conf file, or to type it at the prompt in
interactive mode. It is also possible to adjust it on the fly while
the line is active by connecting to ppps server socket using
telnet
or pppctl. Refer to the
ppp man
page for further details.My connection drops under heavy loadIf you have Link Quality Reporting (LQR) configured, it is
possible that too many LQR packets are lost between your
machine and the peer. Ppp deduces that the line must therefore
be bad, and disconnects. Prior to FreeBSD version 2.2.5,
LQR was enabled by default. It is now disabled by default.
LQR can be disabled with the linedisable lqrMy connection drops after a random amount of timeSometimes, on a noisy phone line or even on a line with
call waiting enabled, your modem may hang up because it
thinks (incorrectly) that it lost carrier.There's a setting on most modems for determining how tolerant
it should be to temporary losses of carrier. On a USR
Sportster for example, this is measured by the S10 register in
tenths of a second. To make your modem more forgiving, you could
add the following send-expect sequence to your dial string:set dial "...... ATS10=10 OK ......"Refer to your modem manual for details.My connection hangs after a random amount of timeMany people experience hung connections with no apparent
explaination. The first thing to establish is which side of the
link is hung.If you are using an external modem, you can simply try using
ping to see if the TD light is flashing when you
transmit data. If it flashes (and the RD light doesn't), the
problem is with the remote end. If TD doesn't flash, the problem
is local. With an internal modem, you'll need to use the set
server command in your ppp.conf file. When the hang occurs,
connect to ppp using pppctl. If your network connection suddenly
revives (ppp was revived due to the activity on the diagnostic socket)
or if you can't connect (assuming the set socket command
succeeded at startup time), the problem is local. If you can connect
and things are still hung, enable local async logging with set log
local async and use ping from another window or terminal to make
use of the link. The async logging will show you the data being
transmitted and received on the link. If data is going out and not
coming back, the problem is remote.Having established whether the problem is local or remote,
you now have two possibilities:The remote end isn't respondingThere's very little you can do about this. Most ISPs will
refuse to help if you're not running a Microsoft OS. You can
enable lqr in your ppp.conf file, allowing ppp to
detect the remote failure and hang up, but this detection is
relatively slow and therefore not that useful. You may want
to avoid telling your ISP that you're running user-ppp....First, try disabling all local compression by adding the
following to your configuration:disable pred1 deflate deflate24 protocomp acfcomp shortseq vj
deny pred1 deflate deflate24 protocomp acfcomp shortseq vjThen reconnect to ensure that this makes no difference.
If things improve or if the problem is solved completely,
determine which setting makes the difference through trial
and error. This will provide good amunition when you contact
your ISP (although it may make it apparent that you're not
running a Microsoft product).Before contacting your ISP, enable async logging locally
and wait until the connection hangs again. This may use up
quite a bit of disk space. The last data read from the port
may be of interest. It is usually ascii data, and may even
describe the problem (Memory fault, core dumped ?).If your ISP is helpful, they should be able to enable logging
on their end, then when the next link drop occurs, they may be
able to tell you why their side is having a problem. Feel free
to send the details to &a.brian;, or even to ask your ISP to
contact me directly.Ppp is hungYour best bet here is to rebuild ppp by adding CFLAGS+=-g
and STRIP= to the end of the Makefile, then doing a
make clean && make && make install. When
ppp hangs, find the ppp process id with ps ajxww | fgrep ppp
and run gdb ppp PID. From the gdb prompt, you can then use
bt to get a stack trace.Send the results to brian@Awfulhak.org.Nothing happens after the Login OK! messagePrior to FreeBSD version 2.2.5, once the link was established,
ppp would wait for the peer to initiate the Line Control
Protocol (LCP). Many ISPs will not initiate negotiations and
expect the client to do so. To force ppp to initiate
the LCP, use the following line:set openmode activeNote: It usually does no harm if both sides initiate
negotiation, so openmode is now active by default. However,
the next section explains when it does do some harm.I keep seeing errors about magic being the sameOccasionally, just after connecting, you may see messages in
the log that say magic is the same. Sometimes, these
messages are harmless, and sometimes one side or the other
exits. Most ppp implementations cannot survive this problem, and
even if the link seems to come up, you'll see repeated configure
requests and configure acknowledgements in the log file until
ppp eventually gives up and closes the connection.This normally happens on server machines with slow disks that
are spawning a getty on the port, and executing ppp from a
login script or program after login. I've also heard reports
of it happening consistently when using slirp. The reason is
that in the time taken between getty exiting and ppp starting, the
client-side ppp starts sending Line Control Protocol (LCP)
packets. Because ECHO is still switched on for the port on
the server, the client ppp sees these packets reflect back.One part of the LCP negotiation is to establish a magic number
for each side of the link so that reflections can be detected.
The protocol says that when the peer tries to negotiate
the same magic number, a NAK should be sent and a new magic
number should be chosen. During the period that the server
port has ECHO turned on, the client ppp sends LCP packets,
sees the same magic in the reflected packet and NAKs it. It
also sees the NAK reflect (which also means ppp must change
its magic). This produces a potentially enormous number of
magic number changes, all of which are happily piling into
the server's tty buffer. As soon as ppp starts on the server,
it's flooded with magic number changes and almost immediately
decides it's tried enough to negotiate LCP and gives up.
Meanwhile, the client, who no longer sees the reflections,
becomes happy just in time to see a hangup from the server.This can be avoided by allowing the peer to start negotiating
with the following line in your ppp.conf file:set openmode passiveThis tells ppp to wait for the server to initiate LCP
negotiations. Some servers however may never initiate negotiations.
If this is the case, you can do something like:set openmode active 3This tells ppp to be passive for 3 seconds, and then to start
sending LCP requests. If the peer starts sending requests during
this period, ppp will immediately respond rather than waiting for
the full 3 second period. LCP negotiations continue 'till the connection is closed
There is currently an implementation mis-feature in ppp
where it doesn't associate LCP, CCP & IPCP responses with
their original requests. As a result, if one ppp
implementation is more than 6 seconds slower than the other side,
the other side will send two additional LCP configuration requests.
This is fatal.Consider two implementations, A and B. A starts
sending LCP requests immediately after connecting and B takes
7 seconds to start. When B starts, A has sent 3 LCP
REQs. We're assuming the line has ECHO switched off, otherwise
we'd see magic number problems as described in the previous section.
B sends a REQ, then an ACK to the first of A's REQs.
This results in A entering the OPENED state and sending
and ACK (the first) back to B. In the meantime, B sends
back two more ACKs in response to the two additional REQs sent by
A before B started up. B then receives the first
ACK from A and enters the OPENED state. A receives
the second ACK from B and goes back to the REQ-SENT state,
sending another (forth) REQ as per the RFC. It then receives the
third ACK and enters the OPENED state. In the meantime,
B receives the forth REQ from A, resulting in it reverting
to the ACK-SENT state and sending another (second) REQ and
(forth) ACK as per the RFC. A gets the REQ, goes into
REQ-SENT and sends another REQ. It immediately receives the
following ACK and enters OPENED.This goes on 'till one side figures out that they're getting
nowhere and gives up.The best way to avoid this is to configure one side to be
passive - that is, make one side wait for the other to start
negotiating. This can be done with theset openmode passivecommand. Care should be taken with this option. You should also
use theset stopped Ncommand to limit the amount of time that ppp waits for the peer
to begin negotiations. Alternatively, theset openmode active Ncommand (where N is the number of seconds to wait before
starting negotiations) can be used. Check the manual page for
details.Ppp locks up shortly after connectingPrior to version 2.2.5 of FreeBSD, it was possible that your
link was disabled shortly after connection due to ppp
mis-handling Predictor1 compression negotiation. This would
only happen if both sides tried to negotiate different
Compression Control Protocols (CCP). This problem is now
corrected, but if you're still running an old version of
ppp, the problem can be circumvented with the linedisable pred1Ppp locks up when I shell out to test itWhen you execute the shell or ! command,
ppp
executes a shell (or if you've passed any arguements, ppp
will execute those arguements). Ppp will wait for the command
to complete before continuing. If you attempt to use the
ppp link while running the command, the link will appear to have
frozen. This is because ppp is waiting for the command
to complete.If you wish to execute commands like this, use the
!bg command instead. This will execute the given command
in the background, and ppp can continue to service the link.Ppp over a null-modem cable never exitsThere is no way for ppp to automatically determine that
a direct connection has been dropped. This is due to the
lines that are used in a null-modem serial cable. When using
this sort of connection, LQR should always be enabled with
the lineenable lqrLQR is accepted by default if negotiated by the peer.Why does ppp dial for no reason in -auto modeIf ppp is dialing unexpectedly, you must determine the
cause, and set up Dial filters (dfilters) to prevent such dialing.To determine the cause, use the following line:set log +tcp/ipThis will log all traffic through the connection. The next
time the line comes up unexpectedly, you will see the reason
logged with a convenient timestamp next to it.You can now disable dialing under these circumstances. Usually,
this sort of problem arises due to DNS lookups. To prevent
DNS lookups from establishing a connection (this will not
prevent ppp from passing the packets through an established
connection), use the following:set dfilter 1 deny udp src eq 53
set dfilter 2 deny udp dst eq 53
set dfilter 3 permit 0/0 0/0This is not always suitable, as it will effectively break your
demand-dial capabilities - most programs will need a DNS lookup
before doing any other network related things.In the DNS case, you should try to determine what is actually
trying to resolve a host name. A lot of the time,
sendmail is the culprit. You should make sure that you tell
sendmail not to do any DNS lookups in its configuration file. See
the section on Mail Configuration for
details on how to create your own configuration file and what should
go into it. You may also want to add the following line to your
.mc file:define(`confDELIVERY_MODE', `d')dnlThis will make sendmail queue everything until the queue is
run (usually, sendmail is invoked with , telling it
to run the queue every 30 minutes) or until a sendmail -q
is done (perhaps from your ppp.linkup file).What do these CCP errors meanI keep seeing the following errors in my log file:CCP: CcpSendConfigReq
CCP: Received Terminate Ack (1) state = Req-Sent (6)This is because ppp is trying to negotiate Predictor1
compression, and the peer does not want to negotiate any
compression at all. The messages are harmless, but if you
wish to remove them, you can disable Predictor1 compression
locally too:disable pred1Ppp locks up during file transfers with IO errorsUnder FreeBSD 2.2.2 and before, there was a bug in the tun
driver that prevents incoming packets of a size larger than
the tun interface's MTU size. Receipt of a packet greater than
the MTU size results in an IO error being logged via syslogd.The ppp specification says that an MRU of 1500 should
always be accepted as a minimum, despite any LCP
negotiations, therefore it is possible that should you decrease
the MTU to less than 1500, your ISP will transmit packets of
1500 regardless, and you will tickle this non-feature - locking
up your link.The problem can be circumvented by never setting an MTU of
less than 1500 under FreeBSD 2.2.2 or before.Why doesn't ppp log my connection speed?In order to log all lines of your modem conversation,
you must enable the following:set log +connectThis will make
ppp
log everything up until the last requested expect string.If you wish to see your connect speed and are using PAP or CHAP
(and therefore don't have anything to chat after the CONNECT
in the dial script - no set login script), you must make sure that
you instruct ppp to expect the whole CONNECT line, something like
this:set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 4 \
\"\" ATZ OK-ATZ-OK ATDT\\T TIMEOUT 60 CONNECT \\c \\n"Here, we get our CONNECT, send nothing, then expect a line-feed,
forcing ppp to read the whole CONNECT response.Ppp ignores the \ character in my chat scriptPpp parses each line in your config files so that it can
interpret strings such as set phone "123 456 789" correctly
(and realize that the number is actually only one argument.
In order to specify a " character, you must escape it using
a backslash (\).When the chat interpreter parses each argument, it re-interprets
the argument in order to find any special escape sequences such
as \P or \T (see the man page). As a result of this
double-parsing, you must remember to use the correct number of
escapes.If you wish to actually send a \ character to (say) your
modem, you'd need something like:set dial "\"\" ATZ OK-ATZ-OK AT\\\\X OK"resulting in the following sequence:ATZ
OK
AT\X
OKorset phone 1234567
set dial "\"\" ATZ OK ATDT\\T"resulting in the following sequence:ATZ
OK
ATDT1234567Ppp gets a seg-fault, but I see no ppp.core filePpp (or any other program for that matter) should never
dump core. Because ppp runs with an effective user id of 0,
the operating system will not write ppps core image to disk
before terminating it. If, however ppp is actually
termating due to a segmentation violation or some other
signal that normally causes core to be dumped, and you're
sure you're using the latest version (see the start of this
section), then you should do the following:&prompt.user; tar xfz ppp-*.src.tar.gz
&prompt.user; cd ppp*/ppp
&prompt.user; echo STRIP= >>Makefile
&prompt.user; echo CFLAGS+=-g >>Makefile
&prompt.user; make clean all
&prompt.user; su
&prompt.root; make install
&prompt.root; chmod 555 /usr/sbin/pppYou will now have a debuggable version of ppp installed. You
will have to be root to run ppp as all of its privileges have
been revoked. When you start ppp, take a careful note of what
your current directory was at the time.Now, if and when ppp receives the segmentation violation, it
will dump a core file called ppp.core. You should then do the
following:&prompt.user; su
&prompt.root; gdb /usr/sbin/ppp ppp.core(gdb)bt
.....
(gdb)f 0
....
(gdb)i args
....
(gdb)l
.....All of this information should be given alongside your
question, making it possible to diagnose the problem.If you're familiar with gdb, you may wish to find out some
other bits and pieces such as what actually caused the dump and
the addresses & values of the relevant variables. The process that forces a dial in auto mode never connects
This was a known problem with ppp set up to negotiate
a dynamic local IP number with the peer in auto mode. It is
fixed in the latest version - search the man page for iface.The problem was that when that initial program calls
connect(2), the IP number of the tun interface is
assigned to the socket endpoint. The kernel creates the first
outgoing packet and writes it to the tun device. Ppp then
reads the packet and establishes a connection. If, as a result
of ppps dynamic IP assignment, the interface address is changed,
the original socket endpoint will be invalid. Any subsequent
packets sent to the peer will usually be dropped. Even if
they aren't, any responses will not route back to the originating
machine as the IP number is no longer owned by that machine.There are several theoretical ways to approach this problem.
It would be nicest if the peer would re-assign the same IP number
if possible :-) The current version of ppp does this,
but most other implementations don't.The easiest method from our side would be to never change the
tun interface IP number, but instead to change all outgoing packets
so that the source IP number is changed from the interface IP to
the negotiated IP on the fly. This is essentially what the
iface-alias option in the latest version of ppp is
doing (with the help of libalias(3)
and ppp's switch) - it's maintaining all previous
interface addresses and NATing them to the last negotiated address.Another alternative (and probably the most reliable) would be
to implement a system call that changes all bound sockets from one
IP to another. Ppp would use this call to modify the
sockets of all existing programs when a new IP number is
negotiated. The same system call could be used by dhcp clients
when they are forced to re-bind() their sockets.Yet another possibility is to allow an interface to be brought
up without an IP number. Outgoing packets would be given
an IP number of 255.255.255.255 up until the first SIOCAIFADDR
ioctl is done. This would result in fully binding the socket. It
would be up to ppp to change the source IP number, but only if
it's set to 255.255.255.255, and only the IP number and IP checksum
would need to change. This, however is a bit of a hack as
the kernel would be sending bad packets to an improperly
configured interface, on the assumption that some other mechanism
is capable of fixing things retrospectively.Why don't most games work with the -nat switchThe reason games and the like don't work when libalias is
in use is that the machine on the outside will try to open a
connection or send (unsolicited) UDP packets to the machine
on the inside. The NAT software doesn't know that
it should send these packets to the interior machine.To make things work, make sure that the only thing running
is the software that you're having problems with, then either
run tcpdump on the tun interface of the gateway or enable ppp
tcp/ip logging (set log +tcp/ip) on the gateway.When you start the offending software, you should see packets
passing through the gateway machine. When something comes back
from the outside, it'll be dropped (that's the problem). Note
the port number of these packets then shut down the offending
software. Do this a few times to see if the port numbers are
consistent. If they are, then the following line in the relevant
section of /etc/ppp/ppp.conf will make the software functional:nat port protointernalmachine:portportwhere proto is either tcp or udp,
internalmachine is the machine that you want the packets
to be sent to and port is the destination port number of
the packets.You won't be able to use the software on other machines
without changing the above command, and running the software
on two internal machines at the same time is out of the question
- after all, the outside world is seeing your entire internal
network as being just a single machine.If the port numbers aren't consistent, there are three more
options:1) Submit support in libalias. Examples of special
cases can be found in /usr/src/lib/libalias/alias_*.c (alias_ftp.c
is a good prototype). This usually involves reading certain
recognised outgoing packets, identifying the instruction that
tells the outside machine to initiate a connection back to the
internal machine on a specific (random) port and setting up a
route in the alias table so that the subsequent packets
know where to go.This is the most difficult solution, but it is the best and
will make the software work with multiple machines.2) Use a proxy. The application may support socks5
for example, or (as in the cvsup case) may have a passive
option that avoids ever requesting that the peer open connections
back to the local machine.3) Redirect everything to the internal machine using
nat addr. This is the sledge-hammer approach.Has anybody made a list of useful port numbers ?Not yet, but this is intended to grow into such a list (if
any interest is shown). In each example, internal should
be replaced with the IP number of the machine playing the game.Asheron's Callnat port udp internal:65000 65000Manually change the port number within the game to 65000.
If you've got a number of machines that you wish to play on assign
a unique port number for each (i.e. 65001, 65002, etc) and add a
nat port line for each one.Half Lifenat port udp internal:27005 27015PCAnywhere 8.0nat port udp internal:5632 5632nat port tcp internal:5631 5631Quakenat port udp internal:6112 6112Alternatively, you may want to take a look at
www.battle.net for Quake proxy support.Quake 2nat port udp internal:27901 27910Red Alertnat port udp internal:8675 8675nat port udp internal:5009 5009What are FCS errors ?FCS stands for Frame Check Sequence. Each
ppp packet has a checksum attached to ensure that the data
being received is the data being sent. If the FCS of an
incoming packet is incorrect, the packet is dropped and the
HDLC FCS count is increased. The HDLC error values can be
displayed using the show hdlc command.If your link is bad (or if your serial driver is dropping
packets), you will see the occasional FCS error. This is not
usually worth worrying about although it does slow down the
compression protocols substantially. If you have an external
modem, make sure your cable is properly shielded from
interference - this may eradicate the problem.If your link freezes as soon as you've connected and you see
a large number of FCS errors, this may be because your link is
not 8 bit clean. Make sure your modem is not using software
flow control (XON/XOFF). If your datalink must use
software flow control, use the command
set accmap 0x000a0000 to tell ppp to escape
the ^Q and ^S characters.Another reason for seeing too many FCS errors may be that
the remote end has stopped talking PPP. You may want to
enable async logging at this point to determine if the
incoming data is actually a login or shell prompt. If you
have a shell prompt at the remote end, it's possible to
terminate ppp without dropping the line by using the
close lcp command (a following term command
will reconnect you to the shell on the remote machine.If nothing in your log file indicates why the link might
have been terminated, you should ask the remote administrator
(your ISP?) why the session was terminated.Why do MacOS and Windows 98 connections freeze when running PPPoE on the gateway
Thanks to Michael Wozniak mwozniak@netcom.ca for figuring
this out and Dan Flemming danflemming@mac.com for the Mac
solution:
This is due to what's called a Black Hole router. MacOS and Windows 98 (and
maybe other Microsoft OSs) send TCP packets with a requested
segment size too big to fit into a PPPoE frame (MTU is 1500 by default
for ethernet) and have the don't fragment
bit set (default of TCP) and the Telco router is not sending ICMP must
fragment back to the www site you are trying to load. When the www
server is sending you frames that don't fit into the PPPoE pipe the Telco
router drops them on the floor and your page doesn't load (some
pages/graphics do as they are smaller than a MSS.) This seems to be the
default of most Telco PPPoE configurations (if only they knew how to
program a router... sigh...)
One fix is to use regedit on your 95/98 boxes to add the following
registry entry...
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\NetTrans\0000\MaxMTU
It should be a string with a value 1450 (more accurately it
should be 1464 to fit TCP packets into a PPPoE frame
perfectly but the 1450 gives you a margin of error for
other IP protocols you may encounter).
Refer to MS KB # Q158474 - Windows TCPIP Registry Entries
and Q120642 - TCPIP & NBT Configuration Parameters for Windows NT
for more information on changing Windoze MTU to work with a
FreeBSD/NAT/PPPoE router.
Unfortunately, MacOS does not provide an interface for changing TCP/IP
settings. However, there is commercial software available, such as
OTAdvancedTuner (OT for OpenTransport, the MacOS TCP/IP stack) by
Sustainable Softworks,
that will allow users to customize TCP/IP settings. MacOS NAT users
should select ip_interface_MTU from the drop-down
menu, enter 1450 instead of 1500
in the box, click the box next to Save as Auto
Configure, and click Make Active.
None of this helps - I'm desperate !If all else fails, send as much information as you can,
including your config files, how you're starting ppp,
the relevant parts of your log file and the output of the
netstat -rn command (before and after connecting) to the
freebsd-questions@FreeBSD.org mailing list or the
comp.unix.bsd.freebsd.misc news group, and someone
should point you in the right direction.Serial CommunicationsThis section answers common questions about serial communications
with FreeBSD. PPP and SLIP are covered in the section.How do I tell if FreeBSD found my serial ports?As the FreeBSD kernel boots, it will probe for the serial ports
in your system for which the kernel was configured. You can
either watch your system closely for the messages it prints or
run the command&prompt.user; dmesg | grep sioafter your system's up and running.Here's some example output from the above command:sio0 at 0x3f8-0x3ff irq 4 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550AThis shows two serial ports. The first is on irq 4, is using
port address 0x3f8, and has a 16550A-type UART chip. The
second uses the same kind of chip but is on irq 3 and is at port
address 0x2f8. Internal modem cards are treated just like
serial ports---except that they always have a modem attached
to the port.The GENERIC kernel includes support for two serial ports
using the same irq and port address settings in the above
example. If these settings aren't right for your system, or if
you've added modem cards or have more serial ports than your
kernel is configured for, just reconfigure your kernel. See
section about building a kernel for
more details.How do I tell if FreeBSD found my modem cards?Refer to the answer to the previous question.I just upgraded to 2.0.5 and my tty0X are missing!Don't worry, they have been merged with the ttydX devices.
You'll have to change any old configuration files you have, though.How do I access the serial ports on FreeBSD?The third serial port, sio2 (known as
COM3 in DOS), is on /dev/cuaa2 for dial-out devices, and on
/dev/ttyd2 for dial-in devices. What's the difference
between these two classes of devices?You use ttydX for dial-ins. When opening /dev/ttydX
in blocking mode, a process will wait for the corresponding
cuaaX device to become inactive, and then wait
for the carrier detect line to go active. When you open the
cuaaX device, it makes sure the serial port isn't already in
use by the ttydX device. If the port's available, it
steals it from the ttydX device. Also,
the cuaXX
device doesn't care about carrier detect. With this scheme and
an auto-answer modem, you can have remote users log in and you
can still dialout with the same modem and the system will take
care of all the conflicts.How do I enable support for a multiport serial card?Again, the section on kernel configuration provides information
about configuring your kernel. For a multiport serial card,
place an sio line for each serial port on the card in the
kernel configuration file. But place the irq and vector
specifiers on only one of the entries. All of the ports on the
card should share one irq. For consistency, use the last serial
port to specify the irq. Also, specify the COM_MULTIPORT
option.The following example is for an AST 4-port serial card on irq 7:options "COM_MULTIPORT"
device sio4 at isa? port 0x2a0 tty flags 0x781
device sio5 at isa? port 0x2a8 tty flags 0x781
device sio6 at isa? port 0x2b0 tty flags 0x781
device sio7 at isa? port 0x2b8 tty flags 0x781 irq 7 vector siointrThe flags indicate that the master port has minor number 7
(0x700), diagnostics enabled during probe (0x080), and
all the ports share an irq (0x001).Can FreeBSD handle multiport serial cards sharing irqs?Not yet. You'll have to use a different irq for each card.Can I set the default serial parameters for a port?The ttydX (or cuaaX) device is the regular device
you'll want to open for your applications. When a process opens
the device, it'll have a default set of terminal I/O settings.
You can see these settings with the command&prompt.root; stty -a -f /dev/ttyd1When you change the settings to this device, the settings are in
effect until the device is closed. When it's reopened, it goes
back to the default set. To make changes to the default set, you
can open and adjust the settings of the initial state device.
For example, to turn on CLOCAL mode, 8 bits, and
XON/XOFF flow control by default for ttyd5, do:&prompt.root; stty -f /dev/ttyid5 clocal cs8 ixon ixoffA good place to do this is in /etc/rc.serial. Now, an
application will have these settings by default when it opens
ttyd5. It can still change these settings to its liking,
though.You can also prevent certain settings from being changed by an
application by making adjustments to the lock state device.
For example, to lock the speed of ttyd5 to 57600 bps, do&prompt.root; stty -f /dev/ttyld5 57600Now, an application that opens ttyd5 and tries to change the
speed of the port will be stuck with 57600 bps.Naturally, you should make the initial state and lock state
devices writable only by root. The
MAKEDEV
script does NOT do this when it creates the
device entries.How can I enable dialup logins on my modem?So you want to become an Internet service provider, eh? First,
you'll need one or more modems that can auto-answer. Your modem
will need to assert carrier-detect when it detects a carrier and
not assert it all the time. It will need to hang up the phone
and reset itself when the data terminal ready (DTR) line
goes from on to off. It should probably use RTS/CTS
flow control or no local flow control at all. Finally, it must
use a constant speed between the computer and itself, but (to be
nice to your callers) it should negotiate a speed between itself
and the remote modem.For many Hayes command-set--compatible modems, this command will
make these settings and store them in nonvolatile memory:AT &C1 &D3 &K3 &Q6 S0=1 &WSee the section on sending AT commands below for information on how to make these settings
without resorting to an MS-DOS terminal program.Next, make an entry in /etc/ttys for the
modem. This file lists all the ports on which the operating system will
await logins. Add a line that looks something like this:ttyd1 "/usr/libexec/getty std.57600" dialup on insecureThis line indicates that the second serial port
(/dev/ttyd1) has a modem connected running at 57600 bps
and no parity (std.57600, which comes from the file
/etc/gettytab). The terminal type for this port is
dialup. The port is on and is insecure---meaning
root logins on the port aren't allowed. For dialin ports like
this one, use the ttydX entry.It's common practice to use dialup as the terminal type.
Many users set up in their .profile or .login files a prompt for
the actual terminal type if the starting type is dialup. The
example shows the port as insecure. To become root on this port,
you have to login as a regular user, then su to become
root. If you use secure then
root can login in directly.After making modifications to /etc/ttys, you
need to send a hangup or HUP signal to the init process:&prompt.root; kill -HUP 1This forces the init process to reread /etc/ttys. The
init process will then start getty processes on all on ports.
You can find out if logins are available for your port by typing&prompt.user; ps -ax | grep '[t]tyd1'You should see something like:747 ?? I 0:00.04 /usr/libexec/getty std.57600 ttyd1How can I connect a dumb terminal to my FreeBSD box?If you're using another computer as a terminal into your FreeBSD
system, get a null modem cable to go between the two serial
ports. If you're using an actual terminal, see its accompanying
instructions.Then, modify /etc/ttys, like above. For example, if you're hooking up a
WYSE-50 terminal to the fifth serial port, use an entry like this:ttyd4 "/usr/libexec/getty std.38400" wyse50 on secureThis example shows that the port on /dev/ttyd4 has a
wyse50 terminal connected at 38400 bps with no parity
(std.38400 from /etc/gettytab) and
root logins are allowed (secure).Why can't I run tip or cu?On your system, the programs tip and cu are probably
executable only by uucp and group
dialer. You can use the group dialer
to control who has access to your modem or remote systems. Just add
yourself to group dialer.Alternatively, you can let everyone on your system run tip
and cu by typing:&prompt.root; chmod 4511 /usr/bin/cu
&prompt.root; chmod 4511 /usr/bin/tipMy stock Hayes modem isn't supported---what can I do?Actually, the man page for tip is out of
date. There is a generic Hayes dialer already built in. Just use
at=hayes in your /etc/remote file.The Hayes driver isn't smart enough to recognize some of the
advanced features of newer modems---messages like BUSY,
NO DIALTONE, or CONNECT 115200 will just confuse it.
You should turn those messages off when you use tip (using
ATX0&W).Also, the dial timeout for tip is 60 seconds. Your modem
should use something less, or else tip will think there's a
communication problem. Try ATS7=45&W.Actually, as shipped tip doesn't yet support it fully. The
solution is to edit the file tipconf.h in the directory
/usr/src/usr.bin/tip/tip. Obviously you need the source
distribution to do this.Edit the line #define HAYES 0 to #define HAYES 1.
Then make and make install. Everything
works nicely after that. How am I expected to enter these AT commands?
Make what's called a direct entry in your
/etc/remote file. For example, if your modem's hooked
up to the first serial port, /dev/cuaa0, then put in the
following line:cuaa0:dv=/dev/cuaa0:br#19200:pa=noneUse the highest bps rate your modem supports in the br
capability. Then, type tip cuaa0 and
you'll be connected to your modem.If there is no /dev/cuaa0 on your system, do this:&prompt.root; cd /dev
&prompt.root; sh MAKEDEV cuaa0Or use cu as root with the following command:&prompt.root; cu -lline -sspeedwith line being the serial port (e.g./dev/cuaa0)
and speed being the speed (e.g.57600). When you are done
entering the AT commands hit ~. to exit.The <@> sign for the pn capability doesn't work!The <@> sign in the phone number capability tells tip to look in
/etc/phones for a phone number. But the <@> sign is
also a special character in capability files like
/etc/remote. Escape it with a backslash:pn=\@How can I dial a phone number on the command line?Put what's called a generic entry in your
/etc/remote file. For example:tip115200|Dial any phone number at 115200 bps:\
:dv=/dev/cuaa0:br#115200:at=hayes:pa=none:du:
tip57600|Dial any phone number at 57600 bps:\
:dv=/dev/cuaa0:br#57600:at=hayes:pa=none:du:Then you can do something like tip -115200 5551234. If you
prefer cu over tip, use a
generic cu entry:cu115200|Use cu to dial any number at 115200bps:\
:dv=/dev/cuaa1:br#57600:at=hayes:pa=none:du:and type cu 5551234 -s 115200.Do I have to type in the bps rate every time I do that?Put in an entry for tip1200 or cu1200, but go ahead and
use whatever bps rate is appropriate with the br capability. tip thinks a good
default is 1200 bps which is why it looks for a tip1200 entry.
You don't have to use 1200 bps, though.I access a number of hosts through a terminal server.Rather than waiting until you're connected and typing
CONNECT host each time, use tip's cm
capability. For example, these entries in
/etc/remote:pain|pain.deep13.com|Forrester's machine:\
:cm=CONNECT pain\n:tc=deep13:
muffin|muffin.deep13.com|Frank's machine:\
:cm=CONNECT muffin\n:tc=deep13:
deep13:Gizmonics Institute terminal server:\
:dv=/dev/cua02:br#38400:at=hayes:du:pa=none:pn=5551234:will let you type tip pain or tip muffin to
connect to the hosts pain or muffin;
and tip deep13 to
get to the terminal server.Can tip try more than one line for each site?This is often a problem where a university has several modem lines
and several thousand students trying to use them...Make an entry for your university in /etc/remote
and use <\@> for the pn capability:big-university:\
:pn=\@:tc=dialout
dialout:\
:dv=/dev/cuaa3:br#9600:at=courier:du:pa=none:Then, list the phone numbers for the university in
/etc/phones:big-university 5551111
big-university 5551112
big-university 5551113
big-university 5551114tip will try each one in the listed order, then give up. If
you want to keep retrying, run tip in a while loop.Why do I have to hit CTRL+P twice to send CTRL+P once?CTRL+P is the default force character, used to tell
tip
that the next character is literal data. You can set the force
character to any other character with the ~s escape, which
means set a variable.Type ~sforce=single-char followed by a newline.
single-char is any single character. If you leave
out single-char, then the force character is the nul
character, which you can get by typing CTRL+2 or CTRL+SPACE. A
pretty good value for single-char is SHIFT+CTRL+6,
which I've seen only used on some terminal servers.You can have the force character be whatever you want by
specifying the following in your $HOME/.tiprc
file:force=single-charSuddenly everything I type is in UPPER CASE??You must've pressed CTRL+A, tipraise
character, specially designed for people with broken caps-lock keys.
Use ~s as above and set the variable raisechar to something
reasonable. In fact, you can set it to the same as the force
character, if you never expect to use either of these features.Here's a sample .tiprc file perfect for Emacs users who need to
type CTRL+2 and CTRL+A a lot:force=^^
raisechar=^^The ^^ is SHIFT+CTRL+6.How can I do file transfers with tip?If you're talking to another UNIX system, you can send and
receive files with ~p (put) and ~t (take). These
commands run cat and echo on the remote system to accept and send files. The syntax
is:~p <local-file> [<remote-file>]
~t <remote-file> [<local-file>]There's no error checking, so you probably should use another
protocol, like zmodem.How can I run zmodem with tip?First, install one of the zmodem programs from the ports
collection (such as one of the two from the comms category,
lrzsz
and rzsz).To receive files, start the sending program on the remote end.
Then, press enter and type ~C rz (or ~C lrz if
you installed lrzsz) to begin receiving them locally.To send files, start the receiving program on the remote end.
Then, press enter and type ~C sz files (or
~C lsz files) to send them to the
remote system.FreeBSD can't seem to find my serial ports, even when the
settings are correct.Motherboards and cards with Acer UARTs do not probe properly under
the FreeBSD sio probe. Obtain a patch from
www.lemis.com to fix your problem.Miscellaneous Questions FreeBSD uses far more swap space than Linux. Why?
FreeBSD only appears to use more swap than Linux. In actual fact,
it does not. The main difference between FreeBSD and Linux in this
regard is that FreeBSD will proactively move entirely idle, unused pages
of main memory into swap in order to make more main memory available
for active use. Linux tends to only move pages to swap as a last resort.
The perceived heavier use of swap is balanced by the more efficient use
of main memory. Note that while FreeBSD is proactive in this regard, it does not
arbitrarily decide to swap pages when the system is truely idle. Thus
you will not find your system all paged out when you get up in the
morning after leaving it idle overnight.Why does &man.top.1; show very little free memory even
when I have very few programs running?The simple answer is that free memory is wasted
memory. Any memory that your programs don't actively
allocate is used within the FreeBSD kernel as disk
cache. The values shown by &man.top.1; labelled as
Inact, Cache, and
Buf are all cached data at different
aging levels. This cached data means the system does
not have to access a slow disk again for data it has
accessed recently, thus increasing overall performance.
In general, a low value shown for Free
memory in &man.top.1; is good, provided it is not
very low. Why use (what are) a.out and ELF executable formats?
To understand why FreeBSD uses the ELF format, you must
first know a little about the 3 currently dominant executable
formats for UNIX:Prior to FreeBSD 3.x, FreeBSD used the a.out format.a.outThe oldest and classic unix object format. It uses a
short and compact header with a magic number at the beginning
that's often used to characterize the format (see
a.out(5) for more details). It contains three loaded
segments: .text, .data, and .bss plus a symbol table and a
string table.COFF
The SVR3 object format. The header now comprises a section
table, so you can have more than just .text, .data, and .bss
sections.ELF
The successor to COFF, featuring Multiple sections
and 32-bit or 64-bit possible values. One major drawback:
ELF was also designed with the assumption that there
would be only one ABI per system architecture. That
assumption is actually quite incorrect, and not even in the
commercial SYSV world (which has at least three ABIs: SVR4,
Solaris, SCO) does it hold true.FreeBSD tries to work around this problem somewhat by
providing a utility for branding a known ELF
executable with information about the ABI it's compliant with.
See the man page for
brandelf for more information.FreeBSD comes from the classic camp and has traditionally used
the a.out format, a technology tried and proven through
many generations of BSD releases. Though it has also been possible
for some time to build and run native ELF binaries (and
kernels) on a FreeBSD system, FreeBSD initially resisted the push
to switch to ELF as the default format. Why? Well,
when the Linux camp made their painful transition to ELF, it
was not so much to flee the a.out executable format
as it was their inflexible jump-table based shared library
mechanism, which made the construction of shared libraries
very difficult for vendors and developers alike. Since the ELF
tools available offered a solution to the shared library
problem and were generally seen as the way forward anyway, the
migration cost was accepted as necessary and the transition
made.In FreeBSD's case, our shared
library mechanism is based more closely on Sun's
SunOS-style shared library mechanism and, as such, is very
easy to use.
However, starting with 3.0, FreeBSD officially supports ELF
binaries as the default format. Even though the a.out
executable format has served us well, the GNU people, who author the
compiler tools we use, have dropped support for the a.out
format. This has forced us to maintain a divergent version of
the compler and linker, and has kept us from reaping the benefits
of the latest GNU development efforts. Also the demands of
ISO-C++, notably contstructors and destructors, has also led to
native ELF support in future FreeBSD releases.Yes, but why are there so many different
formats?Back in the dim, dark past, there was simple hardware. This
simple hardware supported a simple, small system. a.out was
completely adequate for the job of representing binaries on this
simple system (a PDP-11). As people ported unix from this
simple system, they retained the a.out format because it was
sufficient for the early ports of unix to architectures like the
Motorola 68k, VAXen, etc.Then some bright hardware engineer decided that if he could
force software to do some sleazy tricks, then he'd be able to
shave a few gates off the design and allow his CPU core to run
faster. While it was made to work with this new kind of
hardware (known these days as RISC), a.out was ill-suited
for this hardware, so many formats were developed to get to a
better performance from this hardware than the limited, simple
a.out format could offer. Things like COFF,
ECOFF, and a few obscure others were invented and their
limitations explored before things seemed to settle on ELF.In addition, program sizes were getting huge and disks (and
physical memory) were still relatively small so the concept of a
shared library was born. The VM system also became more
sophisticated. While each one of these advancements was done
using the a.out format, its usefulness was stretched more
and more with each new feature. In addition, people wanted to
dynamically load things at run time, or to junk parts of their
program after the init code had run to save in core memory
and/or swap space. Languages became more sophistocated and
people wanted code called before main automatically. Lots of
hacks were done to the a.out format to allow all of these
things to happen, and they basically worked for a time. In
time, a.out wasn't up to handling all these problems
without an ever increasing overhead in code and complexity.
While ELF solved many of these problems, it would be
painful to switch from the system that basically worked. So
ELF had to wait until it was more painful to remain with
a.out than it was to migrate to ELF.However, as time passed, the build tools that FreeBSD derived
their build tools from (the assembler and loader especially)
evolved in two parallel trees. The FreeBSD tree added shared
libraries and fixed some bugs. The GNU folks that originally
write these programs rewrote them and added simpler support for
building cross compilers, plugging in different formats at will,
etc. Since many people wanted to build cross compilers
targeting FreeBSD, they were out of luck since the older sources
that FreeBSD had for as and ld weren't up to the task. The new
gnu tools chain (binutils) does support cross compiling,
ELF, shared libraries, C++ extnensions, etc. In addition,
many vendors are releasing ELF binaries, and it is a good
thing for FreeBSD to run them. And if it is running ELF
binaries, why bother having a.out any more? It is a tired
old horse that has proven useful for a long time, but it is time
to turn him out to pasture for his long, faithful years of
service.ELF is more expressive than a.out and will allow more
extensibility in the base system. The ELF tools are better
maintained, and offer cross compilation support, which is
important to many people. ELF may be a little slower than
a.out, but trying to measure it can be difficult. There are
also numerous details that are different between the two in how
they map pages, handle init code, etc. None of these are very
important, but they are differences. In time support for
a.out will be moved out of the GENERIC kernel, and
eventually removed from the kernel once the need to run legacy
a.out programs is past.Why won't chmod change the permissions on symlinks?Symlinks do not have permissions, and by default,
&man.chmod.1; will not follow symlinks to change the permissions
on the target file. So if you have a file,
foo, and a symlink to that file,
bar, then this command will always
succeed.&prompt.user; chmod g-w barHowever, the permissions on foo will not
have changed.You have to use either or together with
the option to make this work. See the chmod and
symlink
man pages for more info.The option does a RECURSIVE
chmod. Be careful about specifying directories or symlinks
to directories to chmod. If you want to change the
permissions of a directory referenced by a symlink, use
chmod
without any options and follow the symlink with a trailing slash
(/). For example, if foo is a symlink to
directory bar, and you want to change the permissions of
foo (actually bar), you would do something like:&prompt.user; chmod 555 foo/With the trailing slash, chmod will
follow the symlink, foo, to change the permissions of the
directory, bar. Why are login names still restricted to 8 characters?
You'd think it'd be easy enough to change UT_NAMESIZE and rebuild
the whole world, and everything would just work. Unfortunately there
are often scads of applications and utilities (including system tools)
that have hard-coded small numbers (not always 8 or 9, but oddball
ones like 15 and 20) in structures and buffers. Not only will
this get you log files which are trashed (due to variable-length
records getting written when fixed records were expected), but it can
break Sun's NIS clients and potentially cause other problems in
interacting with other UNIX systems.In FreeBSD 3.0 and later, the maximum name length has been
increased to 16 characters and those various utilities with
hard-coded name sizes have been found and fixed. The fact that this
touched so many areas of the system is why, in fact, the change was
not made until 3.0.If you're absolutely confident in your ability to find and fix
these sorts of problems for yourself when and if they pop up, you
can increase the login name length in earlier releases by editing
/usr/include/utmp.h and changing UT_NAMESIZE accordingly. You must
also update MAXLOGNAME in /usr/include/sys/param.h to match
the UT_NAMESIZE change. Finally, if you build from sources, don't
forget that /usr/include is updated each time! Change the appropriate
files in /usr/src/.. instead.Can I run DOS binaries under FreeBSD?Yes, starting with version 3.0 you can using BSDI's doscmd
DOS emulation which has been integrated and enhanced.
Send mail to The FreeBSD emulation discussion list if you're interested in
joining this ongoing effort!For pre-3.0 systems, there is a neat utility called
pcemu
in the ports collection which emulates an 8088 and enough BIOS services
to run DOS text mode applications. It requires the X Window
System (provided as XFree86). What is sup, and how do I use it?
SUP
stands for Software Update Protocol, and was developed by CMU
for keeping their development trees in sync. We used it to keep
remote sites in sync with our central development sources.SUP is not bandwidth friendly, and has been retired. The current
recommended method to keep your sources up to date is
Handbook entry on CVSupHow cool is FreeBSD?Q. Has anyone done any temperature testing while running FreeBSD?
I know Linux runs cooler than dos, but have never seen a mention of
FreeBSD. It seems to run really hot.A. No, but we have done numerous taste tests on blindfolded
volunteers who have also had 250 micrograms of LSD-25
administered beforehand. 35% of the volunteers said that FreeBSD
tasted sort of orange, whereas Linux tasted like purple haze.
Neither group mentioned any particular variances in temperature
that I can remember. We eventually had to throw the results of
this survey out entirely anyway when we found that too many
volunteers were wandering out of the room during the tests, thus
skewing the results. I think most of the volunteers are at Apple
now, working on their new scratch and sniff GUI. It's a
funny old business we're in!Seriously, both FreeBSD and Linux use the HLT (halt)
instruction when the system is idle thus lowering its energy
consumption and therefore the heat it generates. Also if you
have APM (advanced power management) configured, then FreeBSD
can also put the CPU into a low power mode.Who's scratching in my memory banks??Q. Is there anything odd that FreeBSD does when compiling the
kernel which would cause the memory to make a scratchy sound? When
compiling (and for a brief moment after recognizing the floppy drive
upon startup, as well), a strange scratchy sound emanates from what
appears to be the memory banks.A. Yes! You'll see frequent references to daemons in the BSD
documentation, and what most people don't know is that this
refers to genuine, non-corporeal entities that now possess your
computer. The scratchy sound coming from your memory is actually
high-pitched whispering exchanged among the daemons as they best
decide how to deal with various system administration tasks.If the noise gets to you, a good fdisk /mbr from DOS
will get rid of them, but don't be surprised if they react
adversely and try to stop you. In fact, if at any point during
the exercise you hear the satanic voice of Bill Gates coming from
the built-in speaker, take off running and don't ever look back!
Freed from the counterbalancing influence of the BSD daemons, the
twin demons of DOS and Windows are often able to re-assert total
control over your machine to the eternal damnation of your soul.
Given a choice, I think I'd prefer to get used to the scratchy
noises, myself!What does MFC mean?MFC is an acronym for Merged From -CURRENT. It's used in the CVS
logs to denote when a change was migrated from the CURRENT to the STABLE
branches.What does BSD mean?It stands for something in a secret language that only
members can know. It doesn't translate literally but its ok to
tell you that BSD's translation is something between, Formula-1
Racing Team, Penguins are tasty snacks, and We have a better
sense of humor than Linux. :-)Seriously, BSD is an acronym for Berkeley Software
Distribution, which is the name the Berkeley CSRG (Computer
Systems Research Group) chose for their Unix distribution way
back when.What is a repo-copy?A repo-copy (which is a short form of repository
copy) refers to the direct copying of files within the CVS
repository.Without a repo-copy, if a file needed to be copied or moved to
another place in the repository, the committer would run cvs
add to put the file in its new location, and then cvs
rm on the old file if the old copy was being removed.The disadvantage of this method is that the history (i.e. the
entries in the CVS logs) of the file would not be copied to the new
location. As the FreeBSD Project considers this history very useful,
a repository copy is often used instead. This is a process where one
of the repository meisters will copy the files directly within the
repository, rather than using the cvs program.Why should I care what color the bikeshed is?The really, really short answer is that you shouldn't.
The somewhat longer answer is that just because you are
capable of building a bikeshed doesn't mean you should stop
others from building one just because you don't like the
color they plan to paint it. This is a metaphor indicating
that you need not argue about every little feature just
because you know enough to do so. Some people have
commented that the amount of noise generated by a change is
inversely proportional to the complexity of the
change.The longer and more complete answer is that after a very
long argument about whether &man.sleep.1; should take
fractional second arguments, &a.phk; posted a long
message entitled A
bike shed (any colour will do) on greener
grass.... The appropriate portions of that
message are quoted below.
&a.phk; on freebsd-hackers, October
2, 1999What is it about this bike shed? Some
of you have asked me.It's a long story, or rather it's an old story, but
it is quite short actually. C. Northcote Parkinson wrote
a book in the early 1960'ies, called Parkinson's
Law, which contains a lot of insight into the
dynamics of management.[snip a bit of commentary on the book]In the specific example involving the bike shed, the
other vital component is an atomic power-plant, I guess
that illustrates the age of the book.Parkinson shows how you can go in to the board of
directors and get approval for building a multi-million or
even billion dollar atomic power plant, but if you want to
build a bike shed you will be tangled up in endless
discussions.Parkinson explains that this is because an atomic
plant is so vast, so expensive and so complicated that
people cannot grasp it, and rather than try, they fall
back on the assumption that somebody else checked all the
details before it got this far. Richard P. Feynmann
gives a couple of interesting, and very much to the point,
examples relating to Los Alamos in his books.A bike shed on the other hand. Anyone can build one
of those over a weekend, and still have time to watch the
game on TV. So no matter how well prepared, no matter how
reasonable you are with your proposal, somebody will seize
the chance to show that he is doing his job, that he is
paying attention, that he is
here.In Denmark we call it setting your
fingerprint. It is about personal pride and
prestige, it is about being able to point somewhere and
say There! I did that.
It is a strong trait in politicians, but present in most
people given the chance. Just think about footsteps in
wet cement.
How many FreeBSD hackers does it take to change a lightbulb?One thousand, one hundred and seventy-two:Twenty-three to complain to -CURRENT about the lights being
out;Four to claim that it is a configuration problem, and that
such matters really belong on -questions;Three to submit PRs about it, one of which is misfiled under
doc and consists only of "it's dark";One to commit an untested lightbulb which breaks buildworld,
then back it out five minutes later;Eight to flame the PR originators for not including patches
in their PRs;Five to complain about buildworld being broken;Thirty-one to answer that it works for them, and they must
have cvsupped at a bad time;One to post a patch for a new lightbulb to -hackers;One to complain that he had patches for this three years ago,
but when he sent them to -CURRENT they were just ignored, and he
has had bad experiences with the PR system; besides, the
proposed new lightbulb is non-reflexive;Thirty-seven to scream that lightbulbs do not belong in the
base system, that committers have no right to do things like
this without consulting the Community, and WHAT IS -CORE DOING
ABOUT IT!?Two hundred to complain about the color of the bicycle shed;Three to point out that the patch breaks style(9);Seventeen to complain that the proposed new lightbulb is
under GPL;Five hundred and eighty-six to engage in a flame war about
the comparative advantages of the GPL, the BSD license, the MIT
license, the NPL, and the personal hygiene of unnamed FSF
founders;Seven to move various portions of the thread to -chat and
-advocacy;One to commit the suggested lightbulb, even though it shines
dimmer than the old one;Two to back it out with a furious flame of a commit message,
arguing that FreeBSD is better off in the dark than with a dim
lightbulb;Forty-six to argue vociferously about the backing out of the
dim lightbulb and demanding a statement from -core;Eleven to request a smaller lightbulb so it will fit their
Tamagotchi if we ever decide to port FreeBSD to that platform;Seventy-three to complain about the SNR on -hackers and -chat
and unsubscribe in protest;Thirteen to post "unsubscribe", "How do I unsubscribe?", or
"Please remove me from the list", followed by the usual footer;One to commit a working lightbulb while everybody is too busy
flaming everybody else to notice;Thirty-one to point out that the new lightbulb would shine
0.364% brighter if compiled with TenDRA (although it will have
to be reshaped into a cube), and that FreeBSD should therefore
switch to TenDRA instead of EGCS;One to complain that the new lightbulb lacks fairings;Nine (including the PR originators) to ask "what is MFC?";Fifty-seven to complain about the lights being out two weeks
after the bulb has been changed.&a.nik; adds:I was laughing quite hard at this.And then I thought, "Hang on, shouldn't there be '1 to
document it.' in that list somewhere?"And then I was enlightened :-)This entry is Copyright (c) 1999 &a.des;.
Please do not reproduce without attribution.For serious FreeBSD hackers only What are SNAPs and RELEASEs?
There are currently three active/semi-active branches in the FreeBSD
CVS
Repository (the RELENG_2 branch is probably only changed twice
a year, which is why there are only three active branches of development):RELENG_2_2 AKA 2.2-STABLERELENG_3 AKA 3.X-STABLERELENG_4 AKA 4-STABLEHEAD AKA -CURRENT
AKA 5.0-CURRENTHEAD is not an actual branch tag, like the other two; it's
simply a symbolic constant for
the current, non-branched development stream which we simply
refer to as -CURRENT.Right now, -CURRENT is the 5.0 development stream and the
4-STABLE branch, RELENG_4, forked off from
-CURRENT in Mar 2000.The 2.2-STABLE branch, RELENG_2_2, departed -CURRENT in
November 1996, and has pretty much been retired. How do I make my own custom release?
To make a release you need to do three things: First, you need to
be running a kernel with the vn driver configured
in. Add this to your kernel config file and build a new kernel:pseudo-device vn #Vnode driver (turns a file into a device)Second, you have to have the whole CVS repository at hand.
To get this you can use CVSUP
but in your supfile set the release name to cvs and remove any tag or
date fields:*default prefix=/home/ncvs
*default base=/a
*default host=cvsup.FreeBSD.org
*default release=cvs
*default delete compress use-rel-suffix
## Main Source Tree
src-all
src-eBones
src-secure
# Other stuff
ports-all
www
doc-allThen run cvsup -g supfile to suck all the good bits onto your
box...Finally, you need a chunk of empty space to build into. Let's
say it's in /some/big/filesystem, and from the example
above you've got the CVS repository in /home/ncvs:&prompt.root; setenv CVSROOT /home/ncvs # or export CVSROOT=/home/ncvs
&prompt.root; cd /usr/src
&prompt.root; make buildworld
&prompt.root; cd /usr/src/release
&prompt.root; make release BUILDNAME=3.0-MY-SNAP CHROOTDIR=/some/big/filesystem/release
Please note that you do not need to
build world if you already have a populated
/usr/obj.
An entire release will be built in
/some/big/filesystem/release and you will have a full FTP-type
installation in /some/big/filesystem/release/R/ftp when you're
done. If you want to build your SNAP along some other branch than
-CURRENT, you can also add RELEASETAG=SOMETAG to
the make release command line above, e.g. RELEASETAG=RELENG_2_2
would build an up-to-the- minute 2.2-STABLE snapshot.How do I create customized installation disks?The entire process of creating installation disks and source and
binary archives is automated by various targets in
/usr/src/release/Makefile. The information there should
be enough to get you started. However, it should be said that this
involves doing a make world and will therefore take up a lot of
time and disk space.make world clobbers my existing installed binaries.Yes, this is the general idea; as its name might suggest,
make world rebuilds every system binary from scratch, so you can be
certain of having a clean and consistent environment at the end (which
is why it takes so long).If the environment variable DESTDIR is defined while running
make world or make install, the newly-created
binaries will be deposited in a directory tree identical to the
installed one, rooted at ${DESTDIR}.
Some random combination of shared libraries modifications and
program rebuilds can cause this to fail in make world
however. When my system boots, it says (bus speed defaulted).
The Adaptec 1542 SCSI host adapters allow the user to configure
their bus access speed in software. Previous versions of the
1542 driver tried to determine the fastest usable speed and set
the adapter to that. We found that this breaks some users'
systems, so you now have to define the TUNE_1542 kernel
configuration option in order to have this take place. Using it
on those systems where it works may make your disks run faster,
but on those systems where it doesn't, your data could be
corrupted. Can I follow current with limited Internet access?
Yes, you can do this without downloading the whole source tree
by using the CTM facility.How did you split the distribution into 240k files?Newer BSD based systems have a option to split that
allows them to split files on arbitrary byte boundaries.Here is an example from /usr/src/Makefile.bin-tarball:
(cd ${DISTDIR}; \
tar cf - . \
gzip --no-name -9 -c | \
split -b 240640 - \
${RELEASEDIR}/tarballs/bindist/bin_tgz.)I've written a kernel extension, who do I send it to?Please take a look at The Handbook entry on how to submit code.And thanks for the thought!How are Plug N Play ISA cards detected and initialized?By: Frank Durda IVIn a nutshell, there a few I/O ports that all of the PnP boards
respond to when the host asks if anyone is out there. So when
the PnP probe routine starts, he asks if there are any PnP boards
present, and all the PnP boards respond with their model # to
a I/O read of the same port, so the probe routine gets a wired-OR
yes to that question. At least one bit will be on in that
reply. Then the probe code is able to cause boards with board
model IDs (assigned by Microsoft/Intel) lower than X to go
off-line. It then looks to see if any boards are still
responding to the query. If the answer was 0, then
there are no boards with IDs above X. Now probe asks if there
are any boards below X. If so, probe knows there are boards
with a model numbers below X. Probe then asks for boards greater
than X-(limit/4) to go off-line. If repeats the query. By
repeating this semi-binary search of IDs-in-range enough times,
the probing code will eventually identify all PnP boards present
in a given machine with a number of iterations that is much lower
than what 2^64 would take.The IDs are two 32-bit fields (hence 2ˆ64) + 8 bit checksum.
The first 32 bits are a vendor identifier. They never come out
and say it, but it appears to be assumed that different types of
boards from the same vendor could have different 32-bit vendor
ids. The idea of needing 32 bits just for unique manufacturers
is a bit excessive.The lower 32 bits are a serial #, ethernet address, something
that makes this one board unique. The vendor must never produce
a second board that has the same lower 32 bits unless the upper
32 bits are also different. So you can have multiple boards of
the same type in the machine and the full 64 bits will still be
unique.The 32 bit groups can never be all zero. This allows the
wired-OR to show non-zero bits during the initial binary search.Once the system has identified all the board IDs present, it will
reactivate each board, one at a time (via the same I/O ports),
and find out what resources the given board needs, what interrupt
choices are available, etc. A scan is made over all the boards
to collect this information.This info is then combined with info from any ECU files on the
hard disk or wired into the MLB BIOS. The ECU and BIOS PnP
support for hardware on the MLB is usually synthetic, and the
peripherals don't really do genuine PnP. However by examining
the BIOS info plus the ECU info, the probe routines can cause the
devices that are PnP to avoid those devices the probe code cannot
relocate.Then the PnP devices are visited once more and given their I/O,
DMA, IRQ and Memory-map address assignments. The devices will
then appear at those locations and remain there until the next
reboot, although there is nothing that says you can't move them
around whenever you want.There is a lot of oversimplification above, but you should get
the general idea.Microsoft took over some of the primary printer status ports to
do PnP, on the logic that no boards decoded those addresses for
the opposing I/O cycles. I found a genuine IBM printer board
that did decode writes of the status port during the early PnP
proposal review period, but MS said tough. So they do a
write to the printer status port for setting addresses, plus that
use that address + 0x800, and a third I/O port for reading
that can be located anywhere between 0x200 and 0x3ff.Does FreeBSD support architectures other than the x86?Several groups of people have expressed interest in working on
multi-architecture ports for FreeBSD and the FreeBSD/AXP (ALPHA)
port is one such effort which has been quite successful, now
available in 3.0 SNAPshot release form at ftp://ftp.FreeBSD.org/pub/FreeBSD/alpha. The ALPHA
port currently runs on a growing number of ALPHA machine
types, among them the AlphaStation, AXPpci, PC164, Miata and Multia
models. This port is not yet considered a full release and won't be
until a full compliment of system installation tools and a distribution
on CDROM installation media is available, including a reasonable
number of working ports and packages.
FreeBSD/AXP should be considered BETA quality software at this
time. For status information, please join the
freebsd-alpha@FreeBSD.orgmailing list.Interest has also been expressed in a port of FreeBSD to
the SPARC architecture, join the freebsd-sparc@FreeBSD.orgmailing list if you are interested
in joining that project. For general discussion on new architectures,
join the freebsd-platforms@FreeBSD.org
mailing list.I need a major number for a device driver I've written.This depends on whether or not you plan on making the driver
publicly available. If you do, then please send us a copy of the
driver source code, plus the appropriate modifications to
files.i386, a sample configuration file entry, and the
appropriate MAKEDEV code to create any special files your device uses. If
you do not, or are unable to because of licensing restrictions, then
character major number 32 and block major number 8 have been reserved
specifically for this purpose; please use them. In any case, we'd
appreciate hearing about your driver on
freebsd-hackers@FreeBSD.org.Alternative layout policies for directoriesIn answer to the question of alternative layout policies for
directories, the scheme that is currently in use is unchanged
from what I wrote in 1983. I wrote that policy for the original
fast filesystem, and never revisited it. It works well at keeping
cylinder groups from filling up. As several of you have noted,
it works poorly for find. Most filesystems are created from
archives that were created by a depth first search (aka ftw).
These directories end up being striped across the cylinder groups
thus creating a worst possible senario for future depth first
searches. If one knew the total number of directories to be
created, the solution would be to create (total / fs_ncg) per
cylinder group before moving on. Obviously, one would have to
create some heuristic to guess at this number. Even using a
small fixed number like say 10 would make an order of magnitude
improvement. To differentiate restores from normal operation
(when the current algorithm is probably more sensible), you
could use the clustering of up to 10 if they were all done
within a ten second window. Anyway, my conclusion is that this
is an area ripe for experimentation.Kirk McKusick, September 1998Making the most of a kernel panic[This section was extracted from a mail written by &a.wpaul; on the
freebsd-current mailing list by &a.des;, who fixed a few typos and added the bracketed
comments]From: Bill Paul <wpaul@skynet.ctr.columbia.edu>
Subject: Re: the fs fun never stops
To: ben@rosengart.com
Date: Sun, 20 Sep 1998 15:22:50 -0400 (EDT)
Cc: current@FreeBSD.org[<ben@rosengart.com> posted the following panic
message]> Fatal trap 12: page fault while in kernel mode
> fault virtual address = 0x40
> fault code = supervisor read, page not present
> instruction pointer = 0x8:0xf014a7e5
^^^^^^^^^^
> stack pointer = 0x10:0xf4ed6f24
> frame pointer = 0x10:0xf4ed6f28
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 80 (mount)
> interrupt mask =
> trap number = 12
> panic: page fault
[When] you see a message like this, it's not enough to just
reproduce it and send it in. The instruction pointer value that
I highlighted up there is important; unfortunately, it's also
configuration dependent. In other words, the value varies
depending on the exact kernel image that you're using. If you're
using a GENERIC kernel image from one of the snapshots, then
it's possible for somebody else to track down the offending
function, but if you're running a custom kernel then only
you can tell us where the fault occured. What you should do is this:Write down the instruction pointer value. Note that the
0x8: part at the begining is not significant in this case:
it's the 0xf0xxxxxx part that we want.When the system reboots, do the following:
&prompt.user; nm /kernel.that.caused.the.panic | grep f0xxxxxx
where f0xxxxxx is the instruction pointer value. The
odds are you will not get an exact match since the symbols
in the kernel symbol table are for the entry points of
functions and the instruction pointer address will be
somewhere inside a function, not at the start. If you don't
get an exact match, omit the last digit from the instruction
pointer value and try again, i.e.:
&prompt.user; nm /kernel.that.caused.the.panic | grep f0xxxxx
If that doesn't yield any results, chop off another digit.
Repeat until you get some sort of output. The result will be
a possible list of functions which caused the panic. This is
a less than exact mechanism for tracking down the point of
failure, but it's better than nothing. I see people constantly show panic messages like this but
rarely do I see someone take the time to match up the
instruction pointer with a function in the kernel symbol table. The best way to track down the cause of a panic is by
capturing a crash dump, then using gdb(1) to to a stack
trace on the crash dump. Of course, this depends on gdb(1)
in -CURRENT working correctly, which I can't guarantee (I recall
somebody saying that the new ELF-ized gdb(1) didn't handle
kernel crash dumps correctly: somebody should check this before
3.0 goes out of beta or there'll be a lot of red faces after the
CDs ship).In any case, the method I normally use is this:Set up a kernel config file, optionally adding options DDB if you
think you need the kernel debugger for something. (I use this mainly
for setting beakpoints if I suspect an infinite loop condition of
some kind.)Use config -g KERNELCONFIG to set up the build directory.cd /sys/compile/KERNELCONFIG; makeWait for kernel to finish compiling.make installrebootThe &man.make.1; process will have built two kernels.
kernel and
kernel.debug. kernel
was installed as /kernel, while
kernel.debug can be used as the source of
debugging symbols for gdb(1). To make sure you capture a crash dump, you need edit
/etc/rc.conf and set dumpdev to point to your swap
partition. This will cause the rc(8) scripts to use the
dumpon(8) command to enable crash dumps. You can also run
dumpon(8) manually. After a panic, the crash dump can be
recovered using savecore(8); if dumpdev is set in
/etc/rc.conf, the rc(8) scripts will run
savecore(8) automatically and put the crash dump in
/var/crash.FreeBSD crash dumps are usually the same size as the
physical RAM size of your machine. That is, if you have 64MB of
RAM, you will get a 64MB crash dump. Therefore you must make sure
there's enough space in /var/crash to hold the dump.
Alternatively, you run savecore(8) manually and have it
recover the crash dump to another directory where you have more
room. It's possible to limit the size of the crash dump by using
options MAXMEM=(foo) to set the amount of memory the kernel
will use to something a little more sensible. For example, if
you have 128MB of RAM, you can limit the kernel's memory usage
to 16MB so that your crash dump size will be 16MB instead of
128MB. Once you have recovered the crash dump, you can get a stack
trace with gdb(1) as follows:&prompt.user; gdb -k /sys/compile/KERNELCONFIG/kernel.debug /var/crash/vmcore.0(gdb)where Note that there may be several screens worth of information;
ideally you should use script(1) to capture all of them.
Using the unstripped kernel image with all the debug symbols
should show the exact line of kernel source code where the panic
occured. Usually you have to read the stack trace from the
bottom up in order to trace the exact sequence of events that
lead to the crash. You can also use gdb(1) to print out the
contents of various variables or structures in order to examine
the system state at the time of the crash. Now, if you're really insane and have a second computer, you
can also configure gdb(1) to do remote debugging such that
you can use gdb(1) on one system to debug the kernel on
another system, including setting breakpoints, single-stepping
through the kernel code, just like you can do with a normal
user-mode program. I haven't played with this yet as I don't
often have the chance to set up two machines side by side for
debugging purposes.[Bill adds: "I forgot to mention one thing: if you have
DDB enabled and the kernel drops into the debugger, you can
force a panic (and a crash dump) just by typing 'panic' at the
ddb prompt. It may stop in the debugger again during the panic
phase. If it does, type 'continue' and it will finish the crash
dump." -ed]dlsym() stopped working for ELF executables!The ELF toolchain does not, by default, make the symbols
defined in an executable visible to the dynamic linker.
Consequently dlsym() searches on handles obtained
from calls to dlopen(NULL, flags) will fail to find
such symbols.If you want to search, using dlsym(), for symbols
present in the main executable of a process, you need to link
the executable using the option to the
ELF linker.Increasing or reducing the kernel address spaceBy default, the kernel address space is 256 MB on FreeBSD 3.x
and 1 GB on FreeBSD 4.x. If you run a network-intensive server
(e.g. a large FTP or HTTP server), you might find that 256 MB is
not enough.So how do you increase the address space? There are two aspects
to this. First, you need to tell the kernel to reserve a larger
portion of the address space for itself. Second, since the
kernel is loaded at the top of the address space, you need to
lower the load address so it doesn't bump its head against the
ceiling.The first goal is achieved by increasing the value of
NKPDE in src/sys/i386/include/pmap.h. Here's what
it looks like for a 1 GB address space:#ifndef NKPDE
#ifdef SMP
#define NKPDE 254 /* addressable number of page tables/pde's */
#else
#define NKPDE 255 /* addressable number of page tables/pde's */
#endif /* SMP */
#endifTo find the correct value of NKPDE, divide the desired
address space size (in megabytes) by four, then subtract one for
UP and two for SMP.To achieve the second goal, you need to compute the correct load
address: simply subtract the address space size (in bytes) from
0x100100000; the result is 0xc0100000 for a 1 GB address space.
Set LOAD_ADDRESS in src/sys/i386/conf/Makefile.i386
to that value; then set the location counter in the beginning of
the section listing in src/sys/i386/conf/kernel.script
to the same value, as follows:OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
OUTPUT_ARCH(i386)
ENTRY(btext)
SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/obj/elf/home/src/tmp/usr/i386-unknown-freebsdelf/lib);
SECTIONS
{
/* Read-only sections, merged into text segment: */
. = 0xc0100000 + SIZEOF_HEADERS;
.interp : { *(.interp) }Then reconfig and rebuild your kernel. You will probably have
problems with ps(1), top(1) and the like; make
world should take care of it (or a manual rebuild of
libkvm, ps and top after copying the patched
pmap.h to /usr/include/vm/.NOTE: the size of the kernel address space must be a multiple of
four megabytes.[&a.dg;
adds: I think the kernel address space needs to be a power
of two, but I'm not certain about that. The old(er) boot code
used to monkey with the high order address bits and I think
expected at least 256MB granularity.]ACKNOWLEDGMENTS
FreeBSD Core TeamIf you see a problem with this FAQ, or wish to submit an
entry, please mail the &a.faq;. We appreciate your feedback, and
cannot make this a better FAQ without your help!
&a.jkh;Occasional fits of FAQ-reshuffling and updating.&a.dwhite;Services above and beyond the call of duty on freebsd-questions&a.joerg;Services above and beyond the call of duty on Usenet&a.wollman;Networking and formattingJim LoweMulticast information&a.pds;FreeBSD FAQ typing machine slaveyThe FreeBSD TeamKvetching, moaning, submitting dataAnd to any others we've forgotten, apologies and heartfelt thanks!
diff --git a/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml b/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml
index 1eccc0d2af..a9dd789058 100644
--- a/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml
@@ -1,721 +1,704 @@
IntroductionRestructured, reorganized, and parts rewritten by
&a.jim;, 17 January 2000.SynopsisThank you for your interest in FreeBSD! The following chapter
covers various items about the FreeBSD Project, such as its history,
goals, development model, and so on.FreeBSD is a 4.4BSD-Lite2 based operating system for the Intel
architecture (x86) and DEC Alpha based systems. Ports to other
architectures are also underway. For a brief overview of FreeBSD,
see the next section. You can also
read about the history of FreeBSD,
or the current release. If you
are interested in contributing something to the Project (code,
hardware, unmarked bills), see the contributing to FreeBSD section.Welcome to FreeBSD!Since you are still here reading this, you most likely have some
idea as to what FreeBSD is and what it can do for you. If you are
new to FreeBSD, read on for more information.What is FreeBSD?In general, FreeBSD is a state-of-the-art operating system
based on 4.4BSD-Lite2. It runs on computer systems based on the
Intel architecture (x86), and also the DEC Alpha
architecture.FreeBSD is used to power some of the biggest sites on the
Internet, including:Yahoo!HotmailApacheBe, Inc.Blue Mountain
ArtsPair
NetworksWhistle
CommunicationsWalnut Creek
CDROMand many more.What can FreeBSD do?FreeBSD has many noteworthy features. Some of these
are:Preemptive multitasking with
dynamic priority adjustment to ensure smooth and fair
sharing of the computer between applications and users, even
under the heaviest of loads.Multi-user facilities which allow many
people to use a FreeBSD system simultaneously for a variety
of things. This means, for example, that system peripherals
such as printers and tape drives are properly shared between
all users on the system or the network and that individual
resource limits can be placed on users or groups of users,
protecting critical system resources from over-use.Strong TCP/IP networking with
support for industry standards such as SLIP, PPP, NFS, DHCP,
and NIS. This means that your FreeBSD machine can
inter-operate easily with other systems as well as act as an
enterprise server, providing vital functions such as NFS
(remote file access) and e-mail services or putting your
organization on the Internet with WWW, FTP, routing and
firewall (security) services.Memory protection ensures that
applications (or users) cannot interfere with each other. One
application crashing will not affect others in any way.FreeBSD is a 32-bit operating
system (64-bit on the Alpha) and was
designed as such from the ground up.The industry standard X Window System
(X11R6) provides a graphical user interface (GUI) for the cost
of a common VGA card and monitor and comes with full
sources.Binary compatibility with many
programs built for Linux, SCO, SVR4, BSDI and NetBSD.Thousands of ready-to-run
applications are available from the FreeBSD
ports and packages
collection. Why search the net when you can find it all right
here?Thousands of additional and
easy-to-port applications are available
on the Internet. FreeBSD is source code compatible with most
popular commercial Unix systems and thus most applications
require few, if any, changes to compile.Demand paged virtual memory and
merged VM/buffer cache design efficiently
satisfies applications with large appetites for memory while
still maintaining interactive response to other users.SMP support for machines with
multiple CPUs (Intel only).A full complement of C,
C++, Fortran, and
Perl development tools.
Many additional languages for advanced research
and development are also available in the ports and packages
collection.Source code for the entire system
means you have the greatest degree of control over your
environment. Why be locked into a proprietary solution
at the mercy of your vendor when you can have a truly Open
System?Extensive on-line
documentation.And many more!FreeBSD is based on the 4.4BSD-Lite2 release from Computer
Systems Research Group (CSRG) at the University of California at
Berkeley, and carries on the distinguished tradition of BSD
systems development. In addition to the fine work provided by
CSRG, the FreeBSD Project has put in many thousands of hours in
fine tuning the system for maximum performance and reliability in
real-life load situations. As many of the commercial giants
struggle to field PC operating systems with such features,
performance and reliability, FreeBSD can offer them
now!The applications to which FreeBSD can be put are truly
limited only by your own imagination. From software development
to factory automation, inventory control to azimuth correction of
remote satellite antennae; if it can be done with a commercial
UNIX product then it is more than likely that you can do it with
FreeBSD, too! FreeBSD also benefits significantly from the
literally thousands of high quality applications developed by
research centers and universities around the world, often
available at little to no cost. Commercial applications are also
available and appearing in greater numbers every day.Because the source code for FreeBSD itself is generally
available, the system can also be customized to an almost unheard
of degree for special applications or projects, and in ways not
generally possible with operating systems from most major
commercial vendors. Here is just a sampling of some of the
applications in which people are currently using FreeBSD:Internet Services: The robust TCP/IP
networking built into FreeBSD makes it an ideal platform for a
variety of Internet services such as:FTP serversWorld Wide Web servers (standard or secure
[SSL])Firewalls and NAT (IP masquerading)
gateways.Electronic Mail serversUSENET News or Bulletin Board SystemsAnd more...With FreeBSD, you can easily start out small with an
inexpensive 386 class PC and upgrade all the way up to a
quad-processor Xeon with RAID storage as your enterprise
grows.Education: Are you a student of
computer science or a related engineering field? There is no
better way of learning about operating systems, computer
architecture and networking than the hands on, under the hood
experience that FreeBSD can provide. A number of freely
available CAD, mathematical and graphic design packages also
make it highly useful to those whose primary interest in a
computer is to get other work
done!Research: With source code for the
entire system available, FreeBSD is an excellent platform for
research in operating systems as well as other branches of
computer science. FreeBSD's freely available nature also makes
it possible for remote groups to collaborate on ideas or
shared development without having to worry about special
licensing agreements or limitations on what may be discussed
in open forums.Networking: Need a new router? A
name server (DNS)? A firewall to keep people out of your
internal network? FreeBSD can easily turn that unused 386 or
486 PC sitting in the corner into an advanced router with
sophisticated packet-filtering capabilities.X Window workstation: FreeBSD is a
fine choice for an inexpensive X terminal solution, either
using the freely available XFree86 server or one of the
excellent commercial servers provided by X Inside. Unlike an
X terminal, FreeBSD allows many applications to be run
locally, if desired, thus relieving the burden on a central
server. FreeBSD can even boot diskless, making
individual workstations even cheaper and easier to
administer.Software Development: The basic
FreeBSD system comes with a full complement of development
tools including the renowned GNU C/C++ compiler and
debugger.FreeBSD is available in both source and binary form on CDROM
and via anonymous FTP. See Obtaining
FreeBSD for more details.About the FreeBSD ProjectThe following section provides some background information on
the project, including a brief history, project goals, and the
development model of the project.A Brief History of FreeBSDContributed by &a.jkh;.The FreeBSD project had its genesis in the early part of 1993,
partially as an outgrowth of the Unofficial 386BSD
Patchkit by the patchkit's last 3 coordinators: Nate
Williams, Rod Grimes and myself.Our original goal was to produce an intermediate snapshot of
386BSD in order to fix a number of problems with it that the
patchkit mechanism just was not capable of solving. Some of you
may remember the early working title for the project being
386BSD 0.5 or 386BSD Interim in
reference to that fact.386BSD was Bill Jolitz's operating system, which had been up
to that point suffering rather severely from almost a year's worth
of neglect. As the patchkit swelled ever more uncomfortably with
each passing day, we were in unanimous agreement that something
had to be done and decided to try and assist Bill by providing
this interim cleanup snapshot. Those plans came to
a rude halt when Bill Jolitz suddenly decided to withdraw his
sanction from the project without any clear indication of what
would be done instead.It did not take us long to decide that the goal remained
worthwhile, even without Bill's support, and so we adopted the
name FreeBSD, coined by David Greenman. Our initial
objectives were set after consulting with the system's current
users and, once it became clear that the project was on the road
to perhaps even becoming a reality, I contacted Walnut Creek CDROM
with an eye towards improving FreeBSD's distribution channels for
those many unfortunates without easy access to the Internet.
Walnut Creek CDROM not only supported the idea of distributing
FreeBSD on CD but also went so far as to provide the project with a
machine to work on and a fast Internet connection. Without Walnut
Creek CDROM's almost unprecedented degree of faith in what was, at
the time, a completely unknown project, it is quite unlikely that
FreeBSD would have gotten as far, as fast, as it has today.The first CDROM (and general net-wide) distribution was
FreeBSD 1.0, released in December of 1993. This was based on the
4.3BSD-Lite (Net/2) tape from U.C. Berkeley, with
many components also provided by 386BSD and the Free Software
Foundation. It was a fairly reasonable success for a first
offering, and we followed it with the highly successful FreeBSD
1.1 release in May of 1994.Around this time, some rather unexpected storm clouds formed
on the horizon as Novell and U.C. Berkeley settled their
long-running lawsuit over the legal status of the Berkeley Net/2
tape. A condition of that settlement was U.C. Berkeley's
concession that large parts of Net/2 were encumbered
code and the property of Novell, who had in turn acquired it from
AT&T some time previously. What Berkeley got in return was
Novell's blessing that the 4.4BSD-Lite release, when
it was finally released, would be declared unencumbered and all
existing Net/2 users would be strongly encouraged to switch. This
included FreeBSD, and the project was given until the end of July
1994 to stop shipping its own Net/2 based product. Under the
terms of that agreement, the project was allowed one last release
before the deadline, that release being FreeBSD 1.1.5.1.FreeBSD then set about the arduous task of literally
re-inventing itself from a completely new and rather incomplete
set of 4.4BSD-Lite bits. The Lite releases were
light in part because Berkeley's CSRG had removed large chunks of
code required for actually constructing a bootable running system
(due to various legal requirements) and the fact that the Intel
port of 4.4 was highly incomplete. It took the project until
November of 1994 to make this transition, at which point it
released FreeBSD 2.0 to the net and on CDROM (in late December).
Despite being still more than a little rough around the edges,
the release was a significant success and was followed by the
more robust and easier to install FreeBSD 2.0.5 release in June of
1995.We released FreeBSD 2.1.5 in August of 1996, and it appeared
to be popular enough among the ISP and commercial communities that
another release along the 2.1-STABLE branch was merited. This was
FreeBSD 2.1.7.1, released in February 1997 and capping the end of
mainstream development on 2.1-STABLE. Now in maintenance mode,
only security enhancements and other critical bug fixes will be
done on this branch (RELENG_2_1_0).FreeBSD 2.2 was branched from the development mainline
(-CURRENT) in November 1996 as the RELENG_2_2
branch, and the first full release (2.2.1) was released in April
1997. Further releases along the 2.2 branch were done in the
summer and fall of '97, the last of which (2.2.8) appeared in
November 1998. The first official 3.0 release appeared in
October 1998 and spelled the beginning of the end for the 2.2
branch.The tree branched again on Jan 20, 1999, leading to the
4.0-CURRENT and 3.X-STABLE branches. From 3.X-STABLE, 3.1 was
released on February 15, 1999, 3.2 on May 15, 1999, 3.3 on
September 16, 1999, 3.4 on December 20, 1999, and 3.5 on
June 24, 2000, which was followed a few days later by a minor
point release update to 3.5.1, to incorporate some last-minute
security fixes to Kerberos. This will be the final release in the
3.X branch.There was another branch on March 13, 2000, which saw the
emergence of the 5.0-CURRENT and 4.X-STABLE branches. The only
release from this branch so far is &rel.current;-RELEASE.Long-term development projects continue to take place in the
5.0-CURRENT branch, and SNAPshot releases of 5.0 on CDROM (and, of
course, on the net) are continually made available as work
progresses.FreeBSD Project GoalsContributed by &a.jkh;.The goals of the FreeBSD Project are to provide software that
may be used for any purpose and without strings attached. Many of
us have a significant investment in the code (and project) and
would certainly not mind a little financial compensation now and
then, but we are definitely not prepared to insist on it. We
believe that our first and foremost mission is to
provide code to any and all comers, and for whatever purpose, so
that the code gets the widest possible use and provides the widest
possible benefit. This is, I believe, one of the most fundamental
goals of Free Software and one that we enthusiastically
support.That code in our source tree which falls under the GNU General
Public License (GPL) or Library General Public License (LGPL)
comes with slightly more strings attached, though at least on the
side of enforced access rather than the usual opposite. Due to
the additional complexities that can evolve in the commercial use
of GPL software we do, however, prefer software submitted under
the more relaxed BSD copyright when it's a reasonable option to
do so.The FreeBSD Development ModelContributed by &a.asami;.The development of FreeBSD is a very open and flexible
process, FreeBSD being literally built from the contributions of
hundreds of people around the world, as can be seen from our
list of contributors. We are
constantly on the lookout for new developers and ideas, and those
interested in becoming more closely involved with the project
need simply contact us at the &a.hackers;. The &a.announce; is
also available to those wishing to make other FreeBSD users aware
of major areas of work.Useful things to know about the FreeBSD project and its
development process, whether working independently or in close
cooperation:The CVS repositoryThe central source tree for FreeBSD is maintained by
CVS
(Concurrent Version System), a freely available source code
control tool that comes bundled with FreeBSD. The primary
CVS
repository resides on a machine in Concord CA, USA
from where it is replicated to numerous mirror machines
throughout the world. The CVS tree, as well as the -CURRENT and -STABLE trees which are checked out
of it, can be easily replicated to your own machine as well.
Please refer to the Synchronizing
your source tree section for more information on
doing this.The committers listThe committers
are the people who have write access to
the CVS tree, and are thus authorized to make modifications
to the FreeBSD source (the term committer
comes from the &man.cvs.1; commit
command, which is used to bring new changes into the CVS
repository). The best way of making submissions for review
by the committers list is to use the &man.send-pr.1;
command, though if something appears to be jammed in the
system then you may also reach them by sending mail to
cvs-committers@FreeBSD.org.The FreeBSD core teamThe FreeBSD core team
would be equivalent to the board of directors if the FreeBSD
Project were a company. The primary task of the core team
is to make sure the project, as a whole, is in good shape
and is heading in the right directions. Inviting dedicated
and responsible developers to join our group of committers
is one of the functions of the core team, as is the
recruitment of new core team members as others move on. Most
current members of the core team started as committers whose
addiction to the project got the better of them.Some core team members also have specific areas of responsibility, meaning
that they are committed to ensuring that some large portion
of the system works as advertised.Most members of the core team are volunteers when it
comes to FreeBSD development and do not benefit from the
project financially, so commitment should
also not be misconstrued as meaning guaranteed
support. The board of directors
analogy above is not actually very accurate, and it may be
more suitable to say that these are the people who gave up
their lives in favor of FreeBSD against their better
judgment! ;-)Outside contributorsLast, but definitely not least, the largest group of
developers are the users themselves who provide feedback and
bug fixes to us on an almost constant basis. The primary
way of keeping in touch with FreeBSD's more non-centralized
development is to subscribe to the &a.hackers; (see mailing list info) where
such things are discussed.The list of
those who have contributed something, which made its way into
our source tree, is a long and growing one, so why not join
it by contributing something back to FreeBSD today?
:-)Providing code is not the only way of contributing to
the project; for a more complete list of things that need
doing, please refer to the how to
contribute section in this handbook.In summary, our development model is organized as a loose set
of concentric circles. The centralized model is designed for the
convenience of the users of FreeBSD, who are
thereby provided with an easy way of tracking one central code
base, not to keep potential contributors out! Our desire is to
present a stable operating system with a large set of coherent
application programs that the users
can easily install and use, and this model works very well in
accomplishing that.All we ask of those who would join us as FreeBSD developers is
some of the same dedication its current people have to its
continued success!The Current FreeBSD ReleaseFreeBSD is a freely available, full source 4.4BSD-Lite2 based
release for Intel i386, i486, Pentium, Pentium Pro, Celeron,
Pentium II, Pentium III (or compatible) and DEC Alpha based computer
systems. It is based primarily on software from U.C. Berkeley's
CSRG group, with some enhancements from NetBSD, OpenBSD, 386BSD, and
the Free Software Foundation.Since our release of FreeBSD 2.0 in late 94, the performance,
feature set, and stability of FreeBSD has improved dramatically.
The largest change is a revamped virtual memory system with a merged
VM/file buffer cache that not only increases performance, but also
reduces FreeBSD's memory footprint, making a 5MB configuration a
more acceptable minimum. Other enhancements include full NIS client
and server support, transaction TCP support, dial-on-demand PPP,
integrated DHCP support, an improved SCSI subsystem, ISDN support,
support for ATM, FDDI, Fast and Gigabit Ethernet (1000Mbit)
adapters, improved support for the latest Adaptec controllers, and
many hundreds of bug fixes.We have also taken the comments and suggestions of many of our
users to heart and have attempted to provide what we hope is a more
sane and easily understood installation process. Your feedback on
this (constantly evolving) process is especially welcome!In addition to the base distributions, FreeBSD offers a
ported software collection with thousands of commonly sought-after
programs. By mid-January 2000, there were nearly 3000 ports! The
list of ports ranges from http (WWW) servers, to games, languages,
editors, and almost everything in between. The entire ports
collection requires approximately 50MB of storage, all ports being
expressed as deltas to their original sources. This
makes it much easier for us to update ports, and greatly reduces
the disk space demands made by the older 1.0 ports collection. To
compile a port, you simply change to the directory of the program
you wish to install, type make install, and let
the system do the rest. The full original distribution for each
port you build is retrieved dynamically off the CDROM or a local FTP
site, so you need only enough disk space to build the ports you
want. Almost every port is also provided as a pre-compiled
package, which can be installed with a simple command
(pkg_add) by those who do not wish to compile their own ports from
source.A number of additional documents which you may find very helpful
in the process of installing and using FreeBSD may now also be found
in the /usr/share/doc directory on any machine
running FreeBSD 2.1 or later. You may view the locally installed
manuals with any HTML capable browser using the following
URLs:The FreeBSD Handbookfile:/usr/share/doc/handbook/index.htmlThe FreeBSD FAQfile:/usr/share/doc/faq/index.htmlYou can also view the master (and most frequently updated)
copies at http://www.FreeBSD.org/.
-
- The core of FreeBSD does not contain DES code which would
- inhibit its being exported outside the United States. There is an
- add-on package to the core distribution, for use only in the United
- States, which contains the programs that normally use DES. The
- auxiliary packages provided separately can be used by anyone. A
- freely (from outside the U.S.) exportable European distribution of
- DES for our non-U.S. users also exists and is described in the
- FreeBSD FAQ.
-
- If password security for FreeBSD is all you need, and you have
- no requirement for copying encrypted passwords from different hosts
- (Suns, DEC machines, etc) into FreeBSD password entries, then
- FreeBSD's MD5 based security may be all you require! We feel that
- our default security model is more than a match for DES, and avoids
- dealing with any messy export issues. If you are outside (or even
- inside) the U.S., give it a try!
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index b9f1c86c3e..807870b165 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -1,2762 +1,2683 @@
SecurityMuch of this chapter has been taken from the
&man.security.7; man page, originally written by
&a.dillon;.SynopsisThe following chapter will provide a basic introduction to
system security concepts, some general good rules of thumb, and some
advanced topics such as S/Key, OpenSSL, Kerberos, and others.IntroductionSecurity is a function that begins and ends with the system
administrator. While all BSD UNIX multi-user systems have some
inherent security, the job of building and maintaining additional
security mechanisms to keep those users honest is
probably one of the single largest undertakings of the sysadmin.
Machines are only as secure as you make them, and security concerns
are ever competing with the human necessity for convenience. UNIX
systems, in general, are capable of running a huge number of
simultaneous processes and many of these processes operate as
servers – meaning that external entities can connect and talk
to them. As yesterday's mini-computers and mainframes become
today's desktops, and as computers become networked and
internetworked, security becomes an ever bigger issue.Security is best implemented through a layered
onion approach. In a nutshell, what you want to do is
to create as many layers of security as are convenient and then
carefully monitor the system for intrusions. You do not want to
overbuild your security or you will interfere with the detection
side, and detection is one of the single most important aspects of
any security mechanism. For example, it makes little sense to set
the schg flags (see &man.chflags.1;) on every system binary because
while this may temporarily protect the binaries, it prevents an
attacker who has broken in from making an easily detectable change
that may result in your security mechanisms not detecting the attacker
at all.System security also pertains to dealing with various forms of
attack, including attacks that attempt to crash or otherwise make a
system unusable but do not attempt to break root. Security concerns
can be split up into several categories:Denial of service attacks.User account compromises.Root compromise through accessible servers.Root compromise via user accounts.Backdoor creation.A denial of service attack is an action that deprives the
machine of needed resources. Typically, D.O.S. attacks are
brute-force mechanisms that attempt to crash or otherwise make a
machine unusable by overwhelming its servers or network stack. Some
D.O.S. attacks try to take advantages of bugs in the networking
stack to crash a machine with a single packet. The latter can only
be fixed by applying a bug fix to the kernel. Attacks on servers
can often be fixed by properly specifying options to limit the load
the servers incur on the system under adverse conditions.
Brute-force network attacks are harder to deal with. A
spoofed-packet attack, for example, is nearly impossible to stop
short of cutting your system off from the internet. It may not be
able to take your machine down, but it can fill up internet
pipe.A user account compromise is even more common then a D.O.S.
attack. Many sysadmins still run standard telnetd, rlogind, rshd,
and ftpd servers on their machines. These servers, by default, do
not operate over encrypted connections. The result is that if you
have any moderate-sized user base, one or more of your users logging
into your system from a remote location (which is the most common
and convenient way to login to a system) will have his or her
password sniffed. The attentive system admin will analyze his
remote access logs looking for suspicious source addresses even for
successful logins.One must always assume that once an attacker has access to a
user account, the attacker can break root. However, the reality is
that in a well secured and maintained system, access to a user
account does not necessarily give the attacker access to root. The
distinction is important because without access to root the attacker
cannot generally hide his tracks and may, at best, be able to do
nothing more then mess with the user's files or crash the machine.
User account compromises are very common because users tend not to
take the precautions that sysadmins take.System administrators must keep in mind that there are
potentially many ways to break root on a machine. The attacker
may know the root password, the attacker may find a bug in a
root-run server and be able to break root over a network
connection to that server, or the attacker may know of a bug in
an suid-root program that allows the attacker to break root once
he has broken into a user's account. If an attacker has found a
a way to break root on a machine, the attacker may not have a need
to install a backdoor. Many of the root holes
found and closed to date involve a considerable amount of work
by the attacker to cleanup after himself, so most attackers install
backdoors. Backdoors provide the attacker with a way to easily
regain root access to the system, but it also gives the smart
system administrator a convenient way to detect the intrusion.
Making it impossible for an attacker to install a backdoor may
actually be detrimental to your security because it will not
close off the hole the attacker found to break in the first
place.Security remedies should always be implemented with a
multi-layered onion peel approach and can be
categorized as follows:Securing root and staff accounts.Securing root – root-run servers and suid/sgid
binaries.Securing user accounts.Securing the password file.Securing the kernel core, raw devices, and
filesystems.Quick detection of inappropriate changes made to the
system.Paranoia.The next section of this chapter will cover the above bullet
items in greater depth.Securing FreeBSDThe sections that follow will cover the methods of securing your
FreeBSD system that were mentioned in the last section of this chapter.Securing the root account and staff accountsFirst off, do not bother securing staff accounts if you have
not secured the root account. Most systems have a password
assigned to the root account. The first thing you do is assume
that the password is always compromised.
This does not mean that you should remove the password. The
password is almost always necessary for console access to the
machine. What it does mean is that you should not make it
possible to use the password outside of the console or possibly
even with the &man.su.1; command. For example, make sure that
your pty's are specified as being unsecure in the
/etc/ttys file so that direct root logins
via telnet or rlogin are
disallowed. If using other login services such as
sshd, make sure that direct root logins
are disabled there as well. Consider every access method –
services such as FTP often fall through the cracks. Direct root
logins should only be allowed via the system console.Of course, as a sysadmin you have to be able to get to root,
so we open up a few holes. But we make sure these holes require
additional password verification to operate. One way to make root
accessible is to add appropriate staff accounts to the
wheel group (in
/etc/group). The staff members placed in the
wheel group are allowed to
su to root. You should never give staff
members native wheel access by putting them in the
wheel group in their password entry. Staff
accounts should be placed in a staff group, and
then added to the wheel group via the
/etc/group file. Only those staff members
who actually need to have root access should be placed in the
wheel group. It is also possible, when using
an authentication method such as kerberos, to use kerberos'
.k5login file in the root account to allow a
&man.ksu.1; to root without having to place anyone at all in the
wheel group. This may be the better solution
since the wheel mechanism still allows an
intruder to break root if the intruder has gotten hold of your
password file and can break into a staff account. While having
the wheel mechanism is better then having
nothing at all, it is not necessarily the safest option.An indirect way to secure the root account is to secure your
staff accounts by using an alternative login access method and
*'ing out the crypted password for the staff
accounts. This way an intruder may be able to steal the password
file but will not be able to break into any staff accounts (or,
indirectly, root, even if root has a crypted password associated
with it). Staff members get into their staff accounts through a
secure login mechanism such as &man.kerberos.1; or &man.ssh.1;
using a private/public key pair. When you use something like
kerberos, you generally must secure the machines which run the
kerberos servers and your desktop workstation. When you use a
public/private key pair with ssh, you
must generally secure the machine you are logging in
from (typically your workstation), but you
can also add an additional layer of protection to the key pair by
password protecting the keypair when you create it with
&man.ssh-keygen.1;. Being able to * out the
passwords for staff accounts also guarantees that staff members can
only login through secure access methods that you have setup. You
can thus force all staff members to use secure, encrypted
connections for all of their sessions which closes an important
hole used by many intruders: That of sniffing the network from an
unrelated, less secure machine.The more indirect security mechanisms also assume that you are
logging in from a more restrictive server to a less restrictive
server. For example, if your main box is running all sorts of
servers, your workstation should not be running any. In order for
your workstation to be reasonably secure you should run as few
servers as possible, up to and including no servers at all, and
you should run a password-protected screen blanker. Of course,
given physical access to a workstation an attacker can break any
sort of security you put on it. This is definitely a problem that
you should consider but you should also consider the fact that the
vast majority of break-ins occur remotely, over a network, from
people who do not have physical access to your workstation or
servers.Using something like kerberos also gives you the ability to
disable or change the password for a staff account in one place
and have it immediately effect all the machine the staff member
may have an account on. If a staff member's account gets
compromised, the ability to instantly change his password on all
machines should not be underrated. With discrete passwords,
changing a password on N machines can be a mess. You can also
impose re-passwording restrictions with kerberos: not only can a
kerberos ticket be made to timeout after a while, but the kerberos
system can require that the user choose a new password after a
certain period of time (say, once a month).Securing Root-run Servers and SUID/SGID BinariesThe prudent sysadmin only runs the servers he needs to, no
more, no less. Be aware that third party servers are often the
most bug-prone. For example, running an old version of imapd or
popper is like giving a universal root ticket out to the entire
world. Never run a server that you have not checked out
carefully. Many servers do not need to be run as root. For
example, the ntalk,
comsat, and
finger daemons can be run in special
user sandboxes. A sandbox isn't perfect unless
you go to a large amount of trouble, but the onion approach to
security still stands: If someone is able to break in through
a server running in a sandbox, they still have to break out of the
sandbox. The more layers the attacker must break through, the
lower the likelihood of his success. Root holes have historically
been found in virtually every server ever run as root, including
basic system servers. If you are running a machine through which
people only login via sshd and never
login via telnetd or
rshd or
rlogind, then turn off those
services!FreeBSD now defaults to running
ntalkd,
comsat, and
finger in a sandbox. Another program
which may be a candidate for running in a sandbox is &man.named.8;.
The default rc.conf includes the arguments
necessary to run named in a sandbox in a
commented-out form. Depending on whether you are installing a new
system or upgrading an existing system, the special user accounts
used by these sandboxes may not be installed. The prudent
sysadmin would research and implement sandboxes for servers
whenever possible.There are a number of other servers that typically do not run
in sandboxes: sendmail,
popper,
imapd, ftpd,
and others. There are alternatives to some of these, but
installing them may require more work then you are willing to
perform (the convenience factor strikes again). You may have to
run these servers as root and rely on other mechanisms to detect
break-ins that might occur through them.The other big potential root hole in a system are the
suid-root and sgid binaries installed on the system. Most of
these binaries, such as rlogin, reside
in /bin, /sbin,
/usr/bin, or /usr/sbin.
While nothing is 100% safe, the system-default suid and sgid
binaries can be considered reasonably safe. Still, root holes are
occasionally found in these binaries. A root hole was found in
Xlib in 1998 that made
xterm (which is typically suid)
vulnerable. It is better to be safe then sorry and the prudent
sysadmin will restrict suid binaries that only staff should run to
a special group that only staff can access, and get rid of
(chmod 000) any suid binaries that nobody uses.
A server with no display generally does not need an
xterm binary. Sgid binaries can be
almost as dangerous. If an intruder can break an sgid-kmem binary
the intruder might be able to read /dev/kmem
and thus read the crypted password file, potentially compromising
any passworded account. Alternatively an intruder who breaks
group kmem can monitor keystrokes sent through
pty's, including pty's used by users who login through secure
methods. An intruder that breaks the tty group can write to
almost any user's tty. If a user is running a terminal program or
emulator with a keyboard-simulation feature, the intruder can
potentially generate a data stream that causes the user's terminal
to echo a command, which is then run as that user.Securing User AccountsUser accounts are usually the most difficult to secure. While
you can impose Draconian access restrictions on your staff and
* out their passwords, you may not be able to
do so with any general user accounts you might have. If you do
have sufficient control then you may win out and be able to secure
the user accounts properly. If not, you simply have to be more
vigilant in your monitoring of those accounts. Use of
ssh and kerberos for user accounts is
more problematic due to the extra administration and technical
support required, but still a very good solution compared to a
crypted password file.Securing the Password FileThe only sure fire way is to * out as many
passwords as you can and use ssh or
kerberos for access to those accounts. Even though the crypted
password file (/etc/spwd.db) can only be read
by root, it may be possible for an intruder to obtain read access
to that file even if the attacker cannot obtain root-write
access.Your security scripts should always check for and report
changes to the password file (see Checking file integrity
below).Securing the Kernel Core, Raw Devices, and
FilesystemsIf an attacker breaks root he can do just about anything, but
there are certain conveniences. For example, most modern kernels
have a packet sniffing device driver built in. Under FreeBSD it
is called the bpf device. An intruder
will commonly attempt to run a packet sniffer on a compromised
machine. You do not need to give the intruder the capability and
most systems should not have the bpf device compiled in.But even if you turn off the bpf device, you still have
/dev/mem and /dev/kmem
to worry about. For that matter, the intruder can still write to
raw disk devices. Also, there is another kernel feature called
the module loader, &man.kldload.8;. An enterprising intruder can
use a KLD module to install his own bpf device or other sniffing
device on a running kernel. To avoid these problems you have to
run the kernel at a higher secure level, at least securelevel 1.
The securelevel can be set with a sysctl on
the kern.securelevel variable. Once you have
set the securelevel to 1, write access to raw devices will be
denied and special chflags flags, such as schg,
will be enforced. You must also ensure that the
schg flag is set on critical startup binaries,
directories, and script files – everything that gets run up
to the point where the securelevel is set. This might be overdoing
it, and upgrading the system is much more difficult when you
operate at a higher secure level. You may compromise and run the
system at a higher secure level but not set the
schg flag for every system file and directory
under the sun. Another possibility is to simply mount
/ and /usr read-only.
It should be noted that being too draconian in what you attempt to
protect may prevent the all-important detection of an
intrusion.Checking File Integrity: Binaries, Configuration Files,
Etc.When it comes right down to it, you can only protect your core
system configuration and control files so much before the
convenience factor rears its ugly head. For example, using
chflags to set the schg bit
on most of the files in / and
/usr is probably counterproductive because
while it may protect the files, it also closes a detection window.
The last layer of your security onion is perhaps the most
important – detection. The rest of your security is pretty
much useless (or, worse, presents you with a false sense of
safety) if you cannot detect potential incursions. Half the job
of the onion is to slow down the attacker rather then stop him in
order to give the detection side of the equation a chance to catch
him in the act.The best way to detect an incursion is to look for modified,
missing, or unexpected files. The best way to look for modified
files is from another (often centralized) limited-access system.
Writing your security scripts on the extra-secure limited-access
system makes them mostly invisible to potential attackers, and this
is important. In order to take maximum advantage you generally
have to give the limited-access box significant access to the
other machines in the business, usually either by doing a
read-only NFS export of the other machines to the limited-access
box, or by setting up ssh keypairs to
allow the limit-access box to ssh to
the other machines. Except for its network traffic, NFS is the
least visible method – allowing you to monitor the
filesystems on each client box virtually undetected. If your
limited-access server is connected to the client boxes through a
switch, the NFS method is often the better choice. If your
limited-access server is connected to the client boxes through a
hub or through several layers of routing, the NFS method may be
too insecure (network-wise) and using
ssh may be the better choice even with
the audit-trail tracks that ssh
lays.Once you give a limit-access box at least read access to the
client systems it is supposed to monitor, you must write scripts
to do the actual monitoring. Given an NFS mount, you can write
scripts out of simple system utilities such as &man.find.1; and
&man.md5.1;. It is best to physically md5 the client-box files
boxes at least once a day, and to test control files such as those
found in /etc and
/usr/local/etc even more often. When
mismatches are found relative to the base md5 information the
limited-access machine knows is valid, it should scream at a
sysadmin to go check it out. A good security script will also
check for inappropriate suid binaries and for new or deleted files
on system partitions such as / and
/usr.When using ssh rather then NFS,
writing the security script is much more difficult. You
essentially have to scp the scripts to the client box in order to
run them, making them visible, and for safety you also need to
scp the binaries (such as find) that those
scripts use. The ssh daemon on the
client box may already be compromised. All in all, using
ssh may be necessary when running over
unsecure links, but it's also a lot harder to deal with.A good security script will also check for changes to user and
staff members access configuration files:
.rhosts, .shosts,
.ssh/authorized_keys and so forth…
files that might fall outside the purview of the
MD5 check.If you have a huge amount of user disk space it may take too
long to run through every file on those partitions. In this case,
setting mount flags to disallow suid binaries and devices on those
partitions is a good idea. The nodev and
nosuid options (see &man.mount.8;) are what you
want to look into. I would scan them anyway at least once a week,
since the object of this layer is to detect a break-in whether or
not the break-in is effective.Process accounting (see &man.accton.8;) is a relatively
low-overhead feature of the operating system which I recommend
using as a post-break-in evaluation mechanism. It is especially
useful in tracking down how an intruder has actually broken into
a system, assuming the file is still intact after the break-in
occurs.Finally, security scripts should process the log files and the
logs themselves should be generated in as secure a manner as
possible – remote syslog can be very useful. An intruder
tries to cover his tracks, and log files are critical to the
sysadmin trying to track down the time and method of the initial
break-in. One way to keep a permanent record of the log files is
to run the system console to a serial port and collect the
information on a continuing basis through a secure machine
monitoring the consoles.ParanoiaA little paranoia never hurts. As a rule, a sysadmin can add
any number of security features as long as they do not effect
convenience, and can add security features that do effect
convenience with some added thought. Even more importantly, a
security administrator should mix it up a bit – if you use
recommendations such as those given by this document verbatim, you
give away your methodologies to the prospective attacker who also
has access to this document.Denial of Service AttacksThis section covers Denial of Service attacks. A DOS attack
is typically a packet attack. While there is not much you can do
about modern spoofed packet attacks that saturate your network,
you can generally limit the damage by ensuring that the attacks
cannot take down your servers.Limiting server forks.Limiting springboard attacks (ICMP response attacks, ping
broadcast, etc.).Kernel Route Cache.A common DOS attack is against a forking server that attempts
to cause the server to eat processes, file descriptors, and memory
until the machine dies. Inetd (see &man.inetd.8;) has several
options to limit this sort of attack. It should be noted that
while it is possible to prevent a machine from going down it is
not generally possible to prevent a service from being disrupted
by the attack. Read the inetd manual page carefully and pay
specific attention to the , ,
and options. Note that spoofed-IP attacks
will circumvent the option to inetd, so
typically a combination of options must be used. Some standalone
servers have self-fork-limitation parameters.Sendmail has its
option which tends to work
much better than trying to use sendmail's load limiting options
due to the load lag. You should specify a
MaxDaemonChildren parameter when you start
sendmail high enough to handle your
expected load but no so high that the computer cannot handle that
number of sendmails without falling on
its face. It is also prudent to run sendmail in queued mode
() and to run the daemon
(sendmail -bd) separate from the queue-runs
(sendmail -q15m). If you still want real-time
delivery you can run the queue at a much lower interval, such as
, but be sure to specify a reasonable
MaxDaemonChildren option for that sendmail to
prevent cascade failures.Syslogd can be attacked directly
and it is strongly recommended that you use the
option whenever possible, and the option
otherwise.You should also be fairly careful with connect-back services
such as tcpwrapper's reverse-identd,
which can be attacked directly. You generally do not want to use
the reverse-ident feature of
tcpwrappers for this reason.It is a very good idea to protect internal services from
external access by firewalling them off at your border routers.
The idea here is to prevent saturation attacks from outside your
LAN, not so much to protect internal services from network-based
root compromise. Always configure an exclusive firewall, i.e.,
firewall everything except ports A, B,
C, D, and M-Z. This way you can firewall off all of your
low ports except for certain specific services such as
named (if you are primary for a zone),
ntalkd,
sendmail, and other internet-accessible
services. If you try to configure the firewall the other way
– as an inclusive or permissive firewall, there is a good
chance that you will forget to close a couple of
services or that you will add a new internal service and forget
to update the firewall. You can still open up the high-numbered
port range on the firewall to allow permissive-like operation
without compromising your low ports. Also take note that FreeBSD
allows you to control the range of port numbers used for dynamic
binding via the various net.inet.ip.portrangesysctl's (sysctl -a | fgrep
portrange), which can also ease the complexity of your
firewall's configuration. I usually use a normal first/last range
of 4000 to 5000, and a hiport range of 49152 to 65535, then block
everything under 4000 off in my firewall (except for certain
specific internet-accessible ports, of course).Another common DOS attack is called a springboard attack
– to attack a server in a manner that causes the server to
generate responses which then overload the server, the local
network, or some other machine. The most common attack of this
nature is the ICMP ping broadcast attack.
The attacker spoofs ping packets sent to your LAN's broadcast
address with the source IP address set to the actual machine they
wish to attack. If your border routers are not configured to
stomp on ping's to broadcast addresses, your LAN winds up
generating sufficient responses to the spoofed source address to
saturate the victim, especially when the attacker uses the same
trick on several dozen broadcast addresses over several dozen
different networks at once. Broadcast attacks of over a hundred
and twenty megabits have been measured. A second common
springboard attack is against the ICMP error reporting system.
By constructing packets that generate ICMP error responses, an
attacker can saturate a server's incoming network and cause the
server to saturate its outgoing network with ICMP responses. This
type of attack can also crash the server by running it out of
mbuf's, especially if the server cannot drain the ICMP responses
it generates fast enough. The FreeBSD kernel has a new kernel
compile option called ICMP_BANDLIM which limits the effectiveness
of these sorts of attacks. The last major class of springboard
attacks is related to certain internal inetd services such as the
udp echo service. An attacker simply spoofs a UDP packet with the
source address being server A's echo port, and the destination
address being server B's echo port, where server A and B are both
on your LAN. The two servers then bounce this one packet back and
forth between each other. The attacker can overload both servers
and their LANs simply by injecting a few packets in this manner.
Similar problems exist with the internal chargen port. A
competent sysadmin will turn off all of these inetd-internal test
services.Spoofed packet attacks may also be used to overload the kernel
route cache. Refer to the net.inet.ip.rtexpire,
rtminexpire, and rtmaxcachesysctl parameters. A spoofed packet attack
that uses a random source IP will cause the kernel to generate a
temporary cached route in the route table, viewable with
netstat -rna | fgrep W3. These routes
typically timeout in 1600 seconds or so. If the kernel detects
that the cached route table has gotten too big it will dynamically
reduce the rtexpire but will never decrease it to less then
rtminexpire. There are two problems:The kernel does not react quickly enough when a lightly
loaded server is suddenly attacked.The rtminexpire is not low enough for
the kernel to survive a sustained attack.If your servers are connected to the internet via a T3 or
better it may be prudent to manually override both
rtexpire and rtminexpire
via &man.sysctl.8;. Never set either parameter to zero (unless
you want to crash the machine :-). Setting both
parameters to 2 seconds should be sufficient to protect the route
table from attack.Access Issues with Kerberos and SSHThere are a few issues with both kerberos and
ssh that need to be addressed if
you intend to use them. Kerberos V is an excellent
authentication protocol but there are bugs in the kerberized
telnet and
rlogin applications that make them
unsuitable for dealing with binary streams. Also, by default
kerberos does not encrypt a session unless you use the
option. ssh
encrypts everything by default.ssh works quite well in every
respect except that it forwards encryption keys by default. What
this means is that if you have a secure workstation holding keys
that give you access to the rest of the system, and you
ssh to an unsecure machine, your keys
becomes exposed. The actual keys themselves are not exposed, but
ssh installs a forwarding port for the
duration of your login and if a attacker has broken root on the
unsecure machine he can utilize that port to use your keys to gain
access to any other machine that your keys unlock.We recommend that you use ssh in
combination with kerberos whenever possible for staff logins.
ssh can be compiled with kerberos
support. This reduces your reliance on potentially exposable
ssh keys while at the same time
protecting passwords via kerberos. ssh
keys should only be used for automated tasks from secure machines
(something that kerberos is unsuited to). We also recommend that
you either turn off key-forwarding in the
ssh configuration, or that you make use
of the from=IP/DOMAIN option that
ssh allows in its
authorized_keys file to make the key only
usable to entities logging in from specific machines.DES, MD5, and CryptParts rewritten and updated by &a.unfurl;, 21 March
2000.Every user on a UNIX system has a password associated with
their account. It seems obvious that these passwords need to be
known only to the user and the actual operating system. In
order to keep these passwords secret, they are encrypted with
what is known as a one-way hash, that is, they can
only be easily encrypted but not decrypted. In other words, what
we told you a moment ago was obvious is not even true: the
operating system itself does not really know
the password. It only knows the encrypted
form of the password. The only way to get the
plain-text password is by a brute force search of the
space of possible passwords.Unfortunately the only secure way to encrypt passwords when
UNIX came into being was based on DES, the Data Encryption
Standard. This is not such a problem for users that live in
- the US, but since the source code for DES cannot be exported
+ the US, but since the source code for DES could not be exported
outside the US, FreeBSD had to find a way to both comply with
US law and retain compatibility with all the other UNIX
variants that still use DES.The solution was to divide up the encryption libraries
so that US users could install the DES libraries and use
DES but international users still had an encryption method
that could be exported abroad. This is how FreeBSD came to
use MD5 as its default encryption method. MD5 is believed to
be more secure than DES, so installing DES is offered primarily
for compatibility reasons.Recognizing your crypt mechanismIt is pretty easy to identify which encryption method
FreeBSD is set up to use. Examining the encrypted passwords in
the /etc/master.passwd file is one way.
Passwords encrypted with the MD5 hash are longer than those with
encrypted with the DES hash and also begin with the characters
$1$. DES password strings do not
have any particular identifying characteristics, but they are
shorter than MD5 passwords, and are coded in a 64-character
alphabet which does not include the $
character, so a relatively short string which does not begin with
a dollar sign is very likely a DES password.The libraries can identify the passwords this way as well.
As a result, the DES libraries are able to identify MD5
passwords, and use MD5 to check passwords that were encrypted
that way, and DES for the rest. They are able to do this
because the DES libraries also contain MD5. Unfortunately, the
reverse is not true, so the MD5 libraries cannot authenticate
passwords that were encrypted with DES.Identifying which library is being used by the programs on
your system is easy as well. Any program that uses crypt is linked
against libcrypt which for each type of library is a symbolic link
to the appropriate implementation. For example, on a system using
the DES versions:&prompt.user; ls -l /usr/lib/libcrypt*
lrwxr-xr-x 1 root wheel 13 Mar 19 06:56 libcrypt.a -> libdescrypt.a
lrwxr-xr-x 1 root wheel 18 Mar 19 06:56 libcrypt.so.2.0 -> libdescrypt.so.2.0
lrwxr-xr-x 1 root wheel 15 Mar 19 06:56 libcrypt_p.a -> libdescrypt_p.aOn a system using the MD5-based libraries, the same links will
be present, but the target will be libscrypt
rather than libdescrypt.
+
+ If you have installed the DES-capable crypt library
+ libdescrypt (e.g. by installing the
+ "crypto" distribution), then which password format will be used
+ for new passwords is controlled by the
+ passwd_format login capability in
+ /etc/login.conf, which takes values of
+ either des or md5. See the
+ login.conf(5) manpage for more information about login
+ capabilities.S/KeyS/Key is a one-time password scheme based on a one-way hash
function. FreeBSD uses the MD4 hash for compatibility but other
systems have used MD5 and DES-MAC. S/Key has been part of the
FreeBSD base system since version 1.1.5 and is also used on a
growing number of other operating systems. S/Key is a registered
trademark of Bell Communications Research, Inc.There are three different sorts of passwords which we will talk
about in the discussion below. The first is your usual UNIX-style or
Kerberos password; we will call this a UNIX password.
The second sort is the one-time password which is generated by the
S/Key key program and accepted by the
keyinit program and the login prompt; we will
call this a one-time password. The final sort of
password is the secret password which you give to the
key program (and sometimes the
keyinit program) which it uses to generate
one-time passwords; we will call it a secret password
or just unqualified password.The secret password does not have anything to do with your UNIX
password; they can be the same but this is not recommended. S/Key
secret passwords are not limited to 8 characters like UNIX passwords,
they can be as long as you like. Passwords of six or seven word
long phrases are fairly common. For the most part, the S/Key system
operates completely independently of the UNIX password
system.Besides the password, there are two other pieces of data that
are important to S/Key. One is what is known as the
seed or key and consists of two letters
and five digits. The other is what is called the iteration
count and is a number between 1 and 100. S/Key creates the
one-time password by concatenating the seed and the secret password,
then applying the MD4 hash as many times as specified by the
iteration count and turning the result into six short English words.
These six English words are your one-time password. The
login and su programs keep
track of the last one-time password used, and the user is
authenticated if the hash of the user-provided password is equal to
the previous password. Because a one-way hash is used it is
impossible to generate future one-time passwords if a successfully
used password is captured; the iteration count is decremented after
each successful login to keep the user and the login program in
sync. When the iteration count gets down to 1 S/Key must be
reinitialized.There are four programs involved in the S/Key system which we
will discuss below. The key program accepts an
iteration count, a seed, and a secret password, and generates a
one-time password. The keyinit program is used
to initialized S/Key, and to change passwords, iteration counts, or
seeds; it takes either a secret password, or an iteration count,
seed, and one-time password. The keyinfo program
examines the /etc/skeykeys file and prints out
the invoking user's current iteration count and seed. Finally, the
login and su programs contain
the necessary logic to accept S/Key one-time passwords for
authentication. The login program is also
capable of disallowing the use of UNIX passwords on connections
coming from specified addresses.There are four different sorts of operations we will cover. The
first is using the keyinit program over a secure
connection to set up S/Key for the first time, or to change your
password or seed. The second operation is using the
keyinit program over an insecure connection, in
conjunction with the key program over a secure
connection, to do the same. The third is using the
key program to log in over an insecure
connection. The fourth is using the key program
to generate a number of keys which can be written down or printed
out to carry with you when going to some location without secure
connections to anywhere.Secure connection initializationTo initialize S/Key for the first time, change your password,
or change your seed while logged in over a secure connection
(e.g., on the console of a machine or via ssh), use the
keyinit command without any parameters while
logged in as yourself:&prompt.user; keyinit
Adding unfurl:
Reminder - Only use this method if you are directly connected.
If you are using telnet or rlogin exit with no password and use keyinit -s.
Enter secret password:
Again secret password:
ID unfurl s/key is 99 to17757
DEFY CLUB PRO NASH LACE SOFTAt the Enter secret password: prompt you
should enter a password or phrase. Remember, this is not the
password that you will use to login with, this is used to generate
your one-time login keys. The ID line gives the
parameters of your particular S/Key instance; your login name, the
iteration count, and seed. When logging in with S/Key, the system
will remember these parameters and present them back to you so you
do not have to remember them. The last line gives the particular
one-time password which corresponds to those parameters and your
secret password; if you were to re-login immediately, this
one-time password is the one you would use.Insecure connection initializationTo initialize S/Key or change your secret password over an
insecure connection, you will need to already have a secure
connection to some place where you can run the
key program; this might be in the form of a
desk accessory on a Macintosh, or a shell prompt on a machine you
trust. You will also need to make up an iteration count (100 is
probably a good value), and you may make up your own seed or use a
randomly-generated one. Over on the insecure connection (to the
machine you are initializing), use the keyinit
-s command:&prompt.user; keyinit -s
Updating unfurl:
Old key: to17758
Reminder you need the 6 English words from the key command.
Enter sequence count from 1 to 9999: 100
Enter new key [default to17759]:
s/key 100 to 17759
s/key access password:To accept the default seed (which the
keyinit program confusingly calls a
key), press return. Then before entering an
access password, move over to your secure connection or S/Key desk
accessory, and give it the same parameters:&prompt.user; key 100 to17759
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <secret password>
CURE MIKE BANE HIM RACY GORENow switch back over to the insecure connection, and copy the
one-time password generated by key over to the
keyinit program:s/key access password:CURE MIKE BANE HIM RACY GORE
ID unfurl s/key is 100 to17759
CURE MIKE BANE HIM RACY GOREThe rest of the description from the previous section applies
here as well.Generating a single one-time passwordOnce you've initialized S/Key, when you login you will be
presented with a prompt like this:&prompt.user; telnet example.com
Trying 10.0.0.1...
Connected to example.com
Escape character is '^]'.
FreeBSD/i386 (example.com) (ttypa)
login: <username>
s/key 97 fw13894
Password: As a side note, the S/Key prompt has a useful feature
(not shown here): if you press return at the password prompt, the
login program will turn echo on, so you can see what you are
typing. This can be extremely useful if you are attempting to
type in an S/Key by hand, such as from a printout. Also, if this
machine were configured to disallow UNIX passwords over a
connection from my machine, the prompt would have also included
the annotation (s/key required), indicating
that only S/Key one-time passwords will be accepted.At this point you need to generate your one-time password to
answer this login prompt. This must be done on a trusted system
that you can run the key command on. (There
are versions of the key program from DOS,
Windows and MacOS as well.) The key program
needs both the iteration count and the seed as command line
options. You can cut-and-paste these right from the login prompt
on the machine that you are logging in to.On the trusted system:&prompt.user; key 97 fw13894
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
WELD LIP ACTS ENDS ME HAAGNow that you have your one-time password you can continue
logging in:login: <username>
s/key 97 fw13894
Password: <return to enable echo>
s/key 97 fw13894
Password [echo on]: WELD LIP ACTS ENDS ME HAAG
Last login: Tue Mar 21 11:56:41 from 10.0.0.2 ... This is the easiest mechanism if you have
a trusted machine. There is a Java S/Key key
applet, The Java OTP
Calculator, that you can download and run locally on any
Java supporting browser.Generating multiple one-time passwordsSometimes you have have to go places where you do not have
access to a trusted machine or secure connection. In this case,
it is possible to use the key command to
generate a number of one-time passwords before hand to be printed
out and taken with you. For example:&prompt.user; key -n 5 30 zz99999
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <secret password>
26: SODA RUDE LEA LIND BUDD SILT
27: JILT SPY DUTY GLOW COWL ROT
28: THEM OW COLA RUNT BONG SCOT
29: COT MASH BARR BRIM NAN FLAG
30: CAN KNEE CAST NAME FOLK BILKThe requests five keys in sequence, the
specifies what the last iteration number
should be. Note that these are printed out in
reverse order of eventual use. If you are
really paranoid, you might want to write the results down by hand;
otherwise you can cut-and-paste into lpr. Note
that each line shows both the iteration count and the one-time
password; you may still find it handy to scratch off passwords as
you use them.Restricting use of UNIX passwordsRestrictions can be placed on the use of UNIX passwords based
on the host name, user name, terminal port, or IP address of a
login session. These restrictions can be found in the
configuration file /etc/skey.access. The
&man.skey.access.5; manual page has more info on the complete
format of the file and also details some security cautions to be
aware of before depending on this file for security.If there is no /etc/skey.access file
(this is the FreeBSD default), then all users will be allowed to
use UNIX passwords. If the file exists, however, then all users
will be required to use S/Key unless explicitly permitted to do
otherwise by configuration statements in the
skey.access file. In all cases, UNIX
passwords are permitted on the console.Here is a sample configuration file which illustrates the
three most common sorts of configuration statements:
permit internet 192.168.0.0 255.255.0.0
permit user fnord
permit port ttyd0The first line (permit internet) allows
users whose IP source address (which is vulnerable to spoofing)
matches the specified value and mask, to use UNIX passwords. This
should not be considered a security mechanism, but rather, a means
to remind authorized users that they are using an insecure network
and need to use S/Key for authentication.The second line (permit user) allows the
specified username, in this case fnord, to use
UNIX passwords at any time. Generally speaking, this should only
be used for people who are either unable to use the
key program, like those with dumb terminals, or
those who are uneducable.The third line (permit port) allows all
users logging in on the specified terminal line to use UNIX
passwords; this would be used for dial-ups.KerberosContributed by &a.markm; (based on contribution by
&a.md;).Kerberos is a network add-on system/protocol that allows users to
authenticate themselves through the services of a secure server.
Services such as remote login, remote copy, secure inter-system file
copying and other high-risk tasks are made considerably safer and more
controllable.The following instructions can be used as a guide on how to set up
Kerberos as distributed for FreeBSD. However, you should refer to the
relevant manual pages for a complete description.In FreeBSD, the Kerberos is not that from the original 4.4BSD-Lite,
distribution, but eBones, which had been previously ported to FreeBSD
- 1.1.5.1, and was sourced from outside the USA/Canada, and is thus
- available to system owners outside those countries.
-
- For those needing to get a legal foreign distribution of this
- software, please do not get it from a USA or Canada
- site. You will get that site in big trouble! A
- legal copy of this is available from ftp.internat.FreeBSD.org, which is in South
- Africa and an official FreeBSD mirror site.
+ 1.1.5.1, and was sourced from outside the USA/Canada, and was thus
+ available to system owners outside those countries during the era
+ of restrictive export controls on cryptographic code from the USA.
Creating the initial databaseThis is done on the Kerberos server only. First make sure that
you do not have any old Kerberos databases around. You should change
to the directory /etc/kerberosIV and check that
only the following files are present:&prompt.root; cd /etc/kerberosIV
&prompt.root; ls
README krb.conf krb.realmsIf any additional files (such as principal.*
or master_key) exist, then use the
kdb_destroy command to destroy the old Kerberos
database, of if Kerberos is not running, simply delete the extra
files.You should now edit the krb.conf and
krb.realms files to define your Kerberos realm.
In this case the realm will be GRONDAR.ZA and the
server is grunt.grondar.za. We edit or create
the krb.conf file:&prompt.root; cat krb.conf
GRONDAR.ZA
GRONDAR.ZA grunt.grondar.za admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.govIn this case, the other realms do not need to be there. They are
here as an example of how a machine may be made aware of multiple
realms. You may wish to not include them for simplicity.The first line names the realm in which this system works. The
other lines contain realm/host entries. The first item on a line is a
realm, and the second is a host in that realm that is acting as a
key distribution center. The words admin
server following a hosts name means that host also
provides an administrative database server. For further explanation
of these terms, please consult the Kerberos man pages.Now we have to add grunt.grondar.za
to the GRONDAR.ZA realm and also add an entry to
put all hosts in the .grondar.za
domain in the GRONDAR.ZA realm. The
krb.realms file would be updated as
follows:&prompt.root; cat krb.realms
grunt.grondar.za GRONDAR.ZA
.grondar.za GRONDAR.ZA
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDUAgain, the other realms do not need to be there. They are here as
an example of how a machine may be made aware of multiple realms. You
may wish to remove them to simplify things.The first line puts the specific system into
the named realm. The rest of the lines show how to default systems of
a particular subdomain to a named realm.Now we are ready to create the database. This only needs to run
on the Kerberos server (or Key Distribution Center). Issue the
kdb_init command to do this:&prompt.root; kdb_initRealm name [default ATHENA.MIT.EDU ]:GRONDAR.ZA
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos master key:Now we have to save the key so that servers on the local machine
can pick it up. Use the kstash command to do
this.&prompt.root; kstashEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!This saves the encrypted master password in
/etc/kerberosIV/master_key.Making it all runTwo principals need to be added to the database for
each system that will be secured with Kerberos.
Their names are kpasswd and rcmd
These two principals are made for each system, with the instance being
the name of the individual system.These daemons, kpasswd and
rcmd allow other systems to change Kerberos
passwords and run commands like rcp,
rlogin and rsh.Now let's add these entries:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:passwdInstance:grunt
<Not found>, Create [y] ?y
Principal: passwd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?y
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name:rcmdInstance:grunt
<Not found>, Create [y] ?
Principal: rcmd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitCreating the server fileWe now have to extract all the instances which define the services
on each machine. For this we use the ext_srvtab
command. This will create a file which must be copied or moved
by secure means to each Kerberos client's
/etc/kerberosIV directory. This file must be present on each server
and client, and is crucial to the operation of Kerberos.&prompt.root; ext_srvtab gruntEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Generating 'grunt-new-srvtab'....Now, this command only generates a temporary file which must be
renamed to srvtab so that all the server can pick
it up. Use the mv command to move it into place on
the original system:&prompt.root; mv grunt-new-srvtab srvtabIf the file is for a client system, and the network is not deemed
safe, then copy the
client-new-srvtab to
removable media and transport it by secure physical means. Be sure to
rename it to srvtab in the client's
/etc/kerberosIV directory, and make sure it is
mode 600:&prompt.root; mv grumble-new-srvtab srvtab
&prompt.root; chmod 600 srvtabPopulating the databaseWe now have to add some user entries into the database. First
let's create an entry for the user jane. Use the
kdb_edit command to do this:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:
<Not found>, Create [y] ?y
Principal: jane, Instance: , kdc_key_ver: 1
New Password: <---- enter a secure password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitTesting it all outFirst we have to start the Kerberos daemons. NOTE that if you
have correctly edited your /etc/rc.conf then this
will happen automatically when you reboot. This is only necessary on
the Kerberos server. Kerberos clients will automagically get what
they need from the /etc/kerberosIV
directory.&prompt.root; kerberos &
Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Current Kerberos master key version is 1
Local realm: GRONDAR.ZA
&prompt.root; kadmind -n &
KADM Server KADM0.0A initializing
Please do not use 'kill -9' to kill this job, use a
regular kill instead
Current Kerberos master key version is 1.
Master key entered. BEWARE!Now we can try using the kinit command to get a
ticket for the id jane that we created
above:&prompt.user; kinit jane
MIT Project Athena (grunt.grondar.za)
Kerberos Initialization for "jane"
Password:Try listing the tokens using klist to see if we
really have them:&prompt.user; klist
Ticket file: /tmp/tkt245
Principal: jane@GRONDAR.ZA
Issued Expires Principal
Apr 30 11:23:22 Apr 30 19:23:22 krbtgt.GRONDAR.ZA@GRONDAR.ZANow try changing the password using passwd to
check if the kpasswd daemon can get authorization to the Kerberos
database:&prompt.user; passwd
realm GRONDAR.ZA
Old password for jane:New Password for jane:
Verifying password
New Password for jane:
Password changed.Adding su privilegesKerberos allows us to give each user who
needs root privileges their own separatesupassword. We could now add an id which is
authorized to su to root.
This is controlled by having an instance of root
associated with a principal. Using kdb_edit we can
create the entry jane.root in the Kerberos
database:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:root
<Not found>, Create [y] ? y
Principal: jane, Instance: root, kdc_key_ver: 1
New Password: <---- enter a SECURE password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?12 <--- Keep this short!
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitNow try getting tokens for it to make sure it works:&prompt.root; kinit jane.root
MIT Project Athena (grunt.grondar.za)
Kerberos Initialization for "jane.root"
Password:Now we need to add the user to root's .klogin
file:&prompt.root; cat /root/.klogin
jane.root@GRONDAR.ZANow try doing the su:&prompt.user; suPassword:and take a look at what tokens we have:&prompt.root; klist
Ticket file: /tmp/tkt_root_245
Principal: jane.root@GRONDAR.ZA
Issued Expires Principal
May 2 20:43:12 May 3 04:43:12 krbtgt.GRONDAR.ZA@GRONDAR.ZAUsing other commandsIn an earlier example, we created a principal called
jane with an instance root.
This was based on a user with the same name as the principal, and this
is a Kerberos default; that a
<principal>.<instance> of the form
<username>.root will allow
that <username> to su to
root if the necessary entries are in the .klogin
file in root's home directory:&prompt.root; cat /root/.klogin
jane.root@GRONDAR.ZALikewise, if a user has in their own home directory lines of the
form:&prompt.user; cat ~/.klogin
jane@GRONDAR.ZA
jack@GRONDAR.ZAThis allows anyone in the GRONDAR.ZA realm
who has authenticated themselves to jane or
jack (via kinit, see above)
access to rlogin to jane's
account or files on this system (grunt) via
rlogin, rsh or
rcp.For example, Jane now logs into another system, using
Kerberos:&prompt.user; kinit
MIT Project Athena (grunt.grondar.za)
Password:
%prompt.user; rlogin grunt
Last login: Mon May 1 21:14:47 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995Or Jack logs into Jane's account on the same machine (Jane having
set up the .klogin file as above, and the person
in charge of Kerberos having set up principal
jack with a null instance:&prompt.user; kinit
&prompt.user; rlogin grunt -l jane
MIT Project Athena (grunt.grondar.za)
Password:
Last login: Mon May 1 21:16:55 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995FirewallsContributed by &a.gpalmer; and Alex Nash.Firewalls are an area of increasing interest for people who are
connected to the Internet, and are even finding applications on private
networks to provide enhanced security. This section will hopefully
explain what firewalls are, how to use them, and how to use the
facilities provided in the FreeBSD kernel to implement them.People often think that having a firewall between your
internal network and the Big Bad Internet will solve all
your security problems. It may help, but a poorly setup firewall
system is more of a security risk than not having one at all. A
firewall can add another layer of security to your systems, but it
cannot stop a really determined cracker from penetrating your internal
network. If you let internal security lapse because you believe your
firewall to be impenetrable, you have just made the crackers job that
much easier.What is a firewall?There are currently two distinct types of firewalls in common use
on the Internet today. The first type is more properly called a
packet filtering router, where the kernel on a
multi-homed machine chooses whether to forward or block packets based
on a set of rules. The second type, known as a proxy
server, relies on daemons to provide authentication and to
forward packets, possibly on a multi-homed machine which has kernel
packet forwarding disabled.Sometimes sites combine the two types of firewalls, so that only a
certain machine (known as a bastion host) is
allowed to send packets through a packet filtering router onto an
internal network. Proxy services are run on the bastion host, which
are generally more secure than normal authentication
mechanisms.FreeBSD comes with a kernel packet filter (known as
IPFW), which is what the rest of this
section will concentrate on. Proxy servers can be built on FreeBSD
from third party software, but there is such a variety of proxy
servers available that it would be impossible to cover them in this
document.Packet filtering routersA router is a machine which forwards packets between two or more
networks. A packet filtering router has an extra piece of code in
its kernel which compares each packet to a list of rules before
deciding if it should be forwarded or not. Most modern IP routing
software has packet filtering code within it that defaults to
forwarding all packets. To enable the filters, you need to define a
set of rules for the filtering code so it can decide if the
packet should be allowed to pass or not.To decide whether a packet should be passed on, the code looks
through its set of rules for a rule which matches the contents of
this packets headers. Once a match is found, the rule action is
obeyed. The rule action could be to drop the packet, to forward the
packet, or even to send an ICMP message back to the originator.
Only the first match counts, as the rules are searched in order.
Hence, the list of rules can be referred to as a rule
chain.The packet matching criteria varies depending on the software
used, but typically you can specify rules which depend on the source
IP address of the packet, the destination IP address, the source
port number, the destination port number (for protocols which
support ports), or even the packet type (UDP, TCP, ICMP,
etc).Proxy serversProxy servers are machines which have had the normal system
daemons (telnetd, ftpd, etc) replaced with special servers. These
servers are called proxy servers as they
normally only allow onward connections to be made. This enables you
to run (for example) a proxy telnet server on your firewall host,
and people can telnet in to your firewall from the outside, go
through some authentication mechanism, and then gain access to the
internal network (alternatively, proxy servers can be used for
signals coming from the internal network and heading out).Proxy servers are normally more secure than normal servers, and
often have a wider variety of authentication mechanisms available,
including one-shot password systems so that even if
someone manages to discover what password you used, they will not be
able to use it to gain access to your systems as the password
instantly expires. As they do not actually give users access to the
host machine, it becomes a lot more difficult for someone to install
backdoors around your security system.Proxy servers often have ways of restricting access further, so
that only certain hosts can gain access to the servers, and often
they can be set up so that you can limit which users can talk to
which destination machine. Again, what facilities are available
depends largely on what proxy software you choose.What does IPFW allow me to do?IPFW, the software supplied with
FreeBSD, is a packet filtering and accounting system which resides in
the kernel, and has a user-land control utility,
&man.ipfw.8;. Together, they allow you to define and query the
rules currently used by the kernel in its routing decisions.There are two related parts to IPFW.
The firewall section allows you to perform packet filtering. There is
also an IP accounting section which allows you to track usage of your
router, based on similar rules to the firewall section. This allows
you to see (for example) how much traffic your router is getting from
a certain machine, or how much WWW (World Wide Web) traffic it is
forwarding.As a result of the way that IPFW is
designed, you can use IPFW on non-router
machines to perform packet filtering on incoming and outgoing
connections. This is a special case of the more general use of
IPFW, and the same commands and techniques
should be used in this situation.Enabling IPFW on FreeBSDAs the main part of the IPFW system
lives in the kernel, you will need to add one or more options to your
kernel configuration file, depending on what facilities you want, and
recompile your kernel. See reconfiguring
the kernel for more details on how to recompile your
kernel.There are currently three kernel configuration options relevant to
IPFW:options IPFIREWALLCompiles into the kernel the code for packet
filtering.options IPFIREWALL_VERBOSEEnables code to allow logging of packets through
&man.syslogd.8;. Without this option, even if you specify
that packets should be logged in the filter rules, nothing will
happen.options IPFIREWALL_VERBOSE_LIMIT=10Limits the number of packets logged through
&man.syslogd.8; on a per entry basis. You may wish to use
this option in hostile environments in which you want to log
firewall activity, but do not want to be open to a denial of
service attack via syslog flooding.When a chain entry reaches the packet limit specified,
logging is turned off for that particular entry. To resume
logging, you will need to reset the associated counter using the
&man.ipfw.8; utility:&prompt.root; ipfw zero 4500Where 4500 is the chain entry you wish to continue
logging.Previous versions of FreeBSD contained an
IPFIREWALL_ACCT option. This is now obsolete as
the firewall code automatically includes accounting
facilities.Configuring IPFWThe configuration of the IPFW software
is done through the &man.ipfw.8; utility. The syntax for this
command looks quite complicated, but it is relatively simple once you
understand its structure.There are currently four different command categories used by the
utility: addition/deletion, listing, flushing, and clearing.
Addition/deletion is used to build the rules that control how packets
are accepted, rejected, and logged. Listing is used to examine the
contents of your rule set (otherwise known as the chain) and packet
counters (accounting). Flushing is used to remove all entries from
the chain. Clearing is used to zero out one or more accounting
entries.Altering the IPFW rulesThe syntax for this form of the command is:
ipfw-NcommandindexactionlogprotocoladdressesoptionsThere is one valid flag when using this form of the
command:-NResolve addresses and service names in output.The command given can be shortened to the
shortest unique form. The valid commands
are:addAdd an entry to the firewall/accounting rule listdeleteDelete an entry from the firewall/accounting rule
listPrevious versions of IPFW used
separate firewall and accounting entries. The present version
provides packet accounting with each firewall entry.If an index value is supplied, it used to
place the entry at a specific point in the chain. Otherwise, the
entry is placed at the end of the chain at an index 100 greater than
the last chain entry (this does not include the default policy, rule
65535, deny).The log option causes matching rules to be
output to the system console if the kernel was compiled with
IPFIREWALL_VERBOSE.Valid actions are:rejectDrop the packet, and send an ICMP host or port unreachable
(as appropriate) packet to the source.allowPass the packet on as normal. (aliases:
pass and
accept)denyDrop the packet. The source is not notified via an
ICMP message (thus it appears that the packet never
arrived at the destination).countUpdate packet counters but do not allow/deny the packet
based on this rule. The search continues with the next chain
entry.Each action will be recognized by the
shortest unambiguous prefix.The protocols which can be specified
are:allMatches any IP packeticmpMatches ICMP packetstcpMatches TCP packetsudpMatches UDP packetsThe address specification is:fromaddress/maskporttoaddress/maskportvia interfaceYou can only specify port in
conjunction with protocols which support ports
(UDP and TCP).The is optional and may specify the IP
address or domain name of a local IP interface, or an interface name
(e.g. ed0) to match only packets coming
through this interface. Interface unit numbers can be specified
with an optional wildcard. For example, ppp*
would match all kernel PPP interfaces.The syntax used to specify an
address/mask is:
address
or
address/mask-bits
or
address:mask-patternA valid hostname may be specified in place of the IP address.
is a decimal
number representing how many bits in the address mask should be set.
e.g. specifying 192.216.222.1/24 will create a
mask which will allow any address in a class C subnet (in this case,
192.216.222) to be matched.
is an IP
address which will be logically AND'ed with the address given. The
keyword any may be used to specify any IP
address.The port numbers to be blocked are specified as:
port,port,port…
to specify either a single port or a list of ports, or
port-port
to specify a range of ports. You may also combine a single range
with a list, but the range must always be specified first.The options available are:fragMatches if the packet is not the first fragment of the
datagram.inMatches if the packet is on the way in.outMatches if the packet is on the way out.ipoptions specMatches if the IP header contains the comma separated list
of options specified in spec. The
supported list of IP options are: ssrr
(strict source route), lsrr (loose source
route), rr (record packet route), and
ts (time stamp). The absence of a
particular option may be denoted with a leading
!.establishedMatches if the packet is part of an already established
TCP connection (i.e. it has the RST or ACK bits set). You can
optimize the performance of the firewall by placing
established rules early in the
chain.setupMatches if the packet is an attempt to establish a TCP
connection (the SYN bit set is set but the ACK bit is
not).tcpflags flagsMatches if the TCP header contains the comma separated
list of flags. The supported flags
are fin, syn,
rst, psh,
ack, and urg. The
absence of a particular flag may be indicated by a leading
!.icmptypes typesMatches if the ICMP type is present in the list
types. The list may be specified
as any combination of ranges and/or individual types separated
by commas. Commonly used ICMP types are: 0
echo reply (ping reply), 3 destination
unreachable, 5 redirect,
8 echo request (ping request), and
11 time exceeded (used to indicate TTL
expiration as with &man.traceroute.8;).Listing the IPFW rulesThe syntax for this form of the command is:
ipfw-a-t-NlThere are three valid flags when using this form of the
command:-aWhile listing, show counter values. This option is the
only way to see accounting counters.-tDisplay the last match times for each chain entry. The
time listing is incompatible with the input syntax used by the
&man.ipfw.8; utility.-NAttempt to resolve given addresses and service
names.Flushing the IPFW rulesThe syntax for flushing the chain is:
ipfwflushThis causes all entries in the firewall chain to be removed
except the fixed default policy enforced by the kernel (index
65535). Use caution when flushing rules, the default deny policy
will leave your system cut off from the network until allow entries
are added to the chain.Clearing the IPFW packet countersThe syntax for clearing one or more packet counters is:
ipfwzeroindexWhen used without an index argument,
all packet counters are cleared. If an
index is supplied, the clearing operation
only affects a specific chain entry.Example commands for ipfwThis command will deny all packets from the host evil.crackers.org to the telnet port of the
host nice.people.org:&prompt.root ipfw add deny tcp from evil.crackers.org to nice.people.org 23The next example denies and logs any TCP traffic from the entire
crackers.org network (a class C) to
the nice.people.org machine (any
port).&prompt.root; ipfw add deny log tcp from evil.crackers.org/24 to nice.people.orgIf you do not want people sending X sessions to your internal
network (a subnet of a class C), the following command will do the
necessary filtering:&prompt.root; ipfw add deny tcp from any to my.org/28 6000 setupTo see the accounting records:
&prompt.root; ipfw -a list
or in the short form
&prompt.root; ipfw -a lYou can also see the last time a chain entry was matched
with:&prompt.root; ipfw -at lBuilding a packet filtering firewallThe following suggestions are just that: suggestions. The
requirements of each firewall are different and I cannot tell you
how to build a firewall to meet your particular requirements.When initially setting up your firewall, unless you have a test
bench setup where you can configure your firewall host in a controlled
environment, I strongly recommend you use the logging version of the
commands and enable logging in the kernel. This will allow you to
quickly identify problem areas and cure them without too much
disruption. Even after the initial setup phase is complete, I
recommend using the logging for `deny' as it allows tracing of
possible attacks and also modification of the firewall rules if your
requirements alter.If you use the logging versions of the accept
command, it can generate large amounts of log
data as one log line will be generated for every packet that passes
through the firewall, so large ftp/http transfers, etc, will really
slow the system down. It also increases the latencies on those
packets as it requires more work to be done by the kernel before the
packet can be passed on. syslogd with also start using up a lot
more processor time as it logs all the extra data to disk, and it
could quite easily fill the partition /var/log
is located on.You should enable your firewall from
/etc/rc.conf.local or
/etc/rc.conf. The associated man page explains
which knobs to fiddle and lists some preset firewall configurations.
If you do not use a preset configuration, ipfw list
will output the current ruleset into a file that you can
pass to rc.conf. If you do not use
/etc/rc.conf.local or
/etc/rc.conf to enable your firewall,
it is important to make sure your firewall is enabled before
any IP interfaces are configured.
The next problem is what your firewall should actually
do! This is largely dependent on what access to
your network you want to allow from the outside, and how much access
to the outside world you want to allow from the inside. Some general
rules are:Block all incoming access to ports below 1024 for TCP. This is
where most of the security sensitive services are, like finger,
SMTP (mail) and telnet.Block all incoming UDP traffic. There
are very few useful services that travel over UDP, and what useful
traffic there is is normally a security threat (e.g. Suns RPC and
NFS protocols). This has its disadvantages also, since UDP is a
connectionless protocol, denying incoming UDP traffic also blocks
the replies to outgoing UDP traffic. This can cause a problem for
people (on the inside) using external archie (prospero) servers.
If you want to allow access to archie, you'll have to allow
packets coming from ports 191 and 1525 to any internal UDP port
through the firewall. ntp is another service you may consider
allowing through, which comes from port 123.Block traffic to port 6000 from the outside. Port 6000 is the
port used for access to X11 servers, and can be a security threat
(especially if people are in the habit of doing xhost
+ on their workstations). X11 can actually use a
range of ports starting at 6000, the upper limit being how many X
displays you can run on the machine. The upper limit as defined
by RFC 1700 (Assigned Numbers) is 6063.Check what ports any internal servers use (e.g. SQL servers,
etc). It is probably a good idea to block those as well, as they
normally fall outside the 1-1024 range specified above.Another checklist for firewall configuration is available from
CERT at ftp://ftp.cert.org/pub/tech_tips/packet_filteringAs I said above, these are only guidelines.
You will have to decide what filter rules you want to use on your
firewall yourself. I cannot accept ANY responsibility if someone
breaks into your network, even if you follow the advice given
above.OpenSSLAs of FreeBSD 4.0, the OpenSSL toolkit is a part of the base
system. OpenSSL
provides a general-purpose cryptography library, as well as the
Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer
Security v1 (TLSv1) network security protocols.
- However, some of the algorithms (specifically, RSA and IDEA)
- included in OpenSSL are protected by patents in the USA and
- elsewhere, and are not available for unrestricted use (in
- particular, IDEA is not available at all in FreeBSD's version of
- OpenSSL). As a result, FreeBSD has available two different
- versions of the OpenSSL RSA libraries depending on geographical
- location (USA/non-USA).
+ However, one of the algorithms (specifically IDEA)
+ included in OpenSSL is protected by patents in the USA and
+ elsewhere, and is not available for unrestricted use.
+ IDEA is included in the OpenSSL sources in FreeBSD, but it is not
+ built by default. If you wish to use it, and you comply with the
+ license terms, enable the MAKE_IDEA switch in /etc/make.conf and
+ rebuild your sources using 'make world'.
+
+ Today, the RSA algorithm is free for use in USA and other
+ countries. In the past it was protected by a patent.Source Code InstallationsOpenSSL is part of the src-crypto and
src-secure cvsup collections. See the Obtaining FreeBSD section for more
information about obtaining and updating FreeBSD source
code.
-
-
- International (Non-USA) Users
-
- People who are located outside the USA, and who obtain their
- crypto sources from internat.FreeBSD.org (the International
- Crypto Repository) or an international mirror site, will build a
- version of OpenSSL which includes the native OpenSSL
- implementation of
- RSA, but does not include IDEA, because the latter is restricted
- in certain locations elsewhere in the world. In the future a more
- flexible geographical identification system may allow building of
- IDEA in countries for which it is not restricted.
-
- Please be aware of any local restrictions on the import, use
- and redistribution of cryptography which may exist in your
- country.
-
-
-
- USA Users
-
- As noted above, RSA is patented in the USA, with terms
- preventing general use without an appropriate license. Therefore
- the standard OpenSSL RSA code may not be used in the USA, and has been
- removed from the version of OpenSSL carried on USA mirror sites.
- The RSA patent is due to expire on September 20, 2000, at which
- time it is intended to add the full RSA code back to
- the USA version of OpenSSL.
-
- However (and fortunately), the RSA patent holder (RSA Security, has
- provided a RSA reference implementation toolkit
- (RSAREF) which is available for certain classes of
- use, including non-commercial use
- (see the RSAREF license for their definition of
- non-commercial).
-
- If you meet the conditions of the RSAREF license and wish to
- use it in conjunction with OpenSSL to provide RSA support, you can
- install the rsaref port, which is located in
- /usr/ports/security/rsaref, or the
- rsaref-2.0 package. The OpenSSL library will
- then automatically detect and use the RSAREF libraries. Please obtain
- legal advice if you are unsure of your compliance with the license
- terms.
-
- The RSAREF implementation is inferior to the
- native OpenSSL implementation (it is much slower,
- and cannot be used with keys larger than 1024 bits). If you are not
- located in the USA then you are doing yourself a disadvantage by
- using RSAREF.
-
- Users who have purchased an appropriate RSA source code
- license from RSA Security may use the International version of
- OpenSSL described above to obtain native RSA support.
-
- IDEA code is also removed from the USA version of OpenSSL for
- patent reasons.
-
-
-
- Binary Installations
-
- If your FreeBSD installation was a binary installation (e.g.,
- installed from the Walnut Creek CDROM, or from a snapshot
- downloaded from
- ftp.FreeBSD.org) and you selected to
- install the crypto collection, then the
- sysinstall utility will automatically select
- the correct version to install during the installation
- process. If the international version was selected but could
- not be installed during sysinstall (e.g. you have not
- configured network access, and the version must be downloaded
- from a FTP site) then you can add the international RSA library
- after installation as a package.
-
- The librsaintl package contains the RSA
- code for International (non-USA) users. This is not legal for
- use in the USA, but international users should use this version
- because the RSA implementation is faster and more flexible. It
- is available from ftp.internat.FreeBSD.org and does not
- require RSAREF.
- IPsecContributed by &a.shin;, 5 March
2000.IPsec mechanism provides secure communication either for IP
layer and socket layer communication. This section should
explain how to use them. About IPsec implementation, please
refer section 23.5.4.The current IPsec implementation supports both transport mode
and tunnel mode. However, tunnel mode comes with some restrictions.
http://www.kame.net/newsletter/
has more comprehensive examples.Transport mode example with IPv4Let's setup security association to deploy a secure channel
between HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little
complicated example. From HOST A to HOST B, only old AH is used.
From HOST B to HOST A, new AH and new ESP are combined.Now we should choose algorithm to be used corresponding to
"AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man
page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1
for new AH, and new-DES-expIV with 8 byte IV for new ESP.Key length highly depends on each algorithm. For example, key
length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET",
"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.OK, let's assign SPI (Security Parameter Index) for each protocol.
Please note that we need 3 SPIs for this secure channel since three
security headers are produced (one for from HOST A to HOST B, two for
from HOST B to HOST A). Please also note that SPI MUST be greater
than or equal to 256. We choose, 1000, 2000, and 3000, respectively.
(1)
HOST A ------> HOST B
(1)PROTO=AH
ALG=MD5(RFC1826)
KEY=MYSECRETMYSECRET
SPI=1000
(2.1)
HOST A <------ HOST B
<------
(2.2)
(2.1)
PROTO=AH
ALG=new-HMAC-SHA1(new AH)
KEY=KAMEKAMEKAMEKAMEKAME
SPI=2000
(2.2)
PROTO=ESP
ALG=new-DES-expIV(new ESP)
IV length = 8
KEY=PASSWORD
SPI=3000
Now, let's setup security association. Execute &man.setkey.8;
on both HOST A and B:
&prompt.root; setkey -c
add 10.2.3.4 10.6.7.8 ah-old 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
^D
Actually, IPsec communication doesn't process until security policy
entries will be defined. In this case, you must setup each host.
At A:
&prompt.root; setkey -c
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
ah/transport/10.2.3.4-10.6.7.8/require ;
^D
At B:
&prompt.root; setkey -c
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
ah/transport/10.6.7.8-10.2.3.4/require ;
^D
HOST A --------------------------------------> HOST E
10.2.3.4 10.6.7.8
| |
========== old AH keyed-md5 ==========>
<========= new AH hmac-sha1 ===========
<========= new ESP des-cbc ============
Transport mode example with IPv6Another example using IPv6.ESP transport mode is recommended for TCP port number 110 between
Host-A and Host-B.
============ ESP ============
| |
Host-A Host-B
fec0::10 -------------------- fec0::11
Encryption algorithm is blowfish-cbc whose key is "kamekame", and
authentication algorithm is hmac-sha1 whose key is "this is the test
key". Configuration at Host-A:
&prompt.root; setkey -c <<EOF
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
esp/transport/fec0::10-fec0::11/use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
esp/transport/fec0::11-fec0::10/use ;
add fec0::10 fec0::11 esp 0x10001
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
EOF
and at Host-B:
&prompt.root; setkey -c <<EOF
spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
esp/transport/fec0::11-fec0::10/use ;
spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
esp/transport/fec0::10-fec0::11/use ;
add fec0::10 fec0::11 esp 0x10001 -m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002 -m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
EOF
Note the direction of SP.Tunnel mode example with IPv4Tunnel mode between two security gatewaysSecurity protocol is old AH tunnel mode, i.e. specified by
RFC1826, with keyed-md5 whose key is "this is the test" as
authentication algorithm.
======= AH =======
| |
Network-A Gateway-A Gateway-B Network-B
10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
Configuration at Gateway-A:
&prompt.root; setkey -c <<EOF
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-A keyed-md5 "this is the test" ;
EOF
If port number field is omitted such above then "[any]" is
employed. `-m' specifies the mode of SA to be used. "-m any" means
wild-card of mode of security protocol. You can use this SA for both
tunnel and transport mode.and at Gateway-B:
&prompt.root; setkey -c <<EOF
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-A keyed-md5 "this is the test" ;
EOF
Making SA bundle between two security gatewaysAH transport mode and ESP tunnel mode is required between
Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first,
and AH transport mode is next.
========== AH =========
| ======= ESP ===== |
| | | |
Network-A Gateway-A Gateway-B Network-B
fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
Tunnel mode example with IPv6Encryption algorithm is 3des-cbc, and authentication algorithm
for ESP is hmac-sha1. Authentication algorithm for AH is hmac-md5.
Configuration at Gateway-A:
&prompt.root; setkey -c <<EOF
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
-A hmac-md5 "this is the test" ;
EOF
Making SAs with the different endESP tunnel mode is required between Host-A and Gateway-A. Encryption
algorithm is cast128-cbc, and authentication algorithm for ESP is
hmac-sha1. ESP transport mode is recommended between Host-A and Host-B.
Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is
hmac-md5.
================== ESP =================
| ======= ESP ======= |
| | | |
Host-A Gateway-A Host-B
fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
Configuration at Host-A:
&prompt.root; setkey -c <<EOF
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
EOF
diff --git a/en_US.ISO8859-1/books/porters-handbook/book.sgml b/en_US.ISO8859-1/books/porters-handbook/book.sgml
index 632cfc6c50..b8e98b45bb 100644
--- a/en_US.ISO8859-1/books/porters-handbook/book.sgml
+++ b/en_US.ISO8859-1/books/porters-handbook/book.sgml
@@ -1,4165 +1,4165 @@
%man;
%bookinfo;
%authors;
%mailing-lists;
]>
FreeBSD Porter's HandbookThe FreeBSD Documentation ProjectApril 20002000The FreeBSD Documentation
Project
&bookinfo.legalnotice;
Making a port yourselfSo, now you are interested in making your own port or
upgrading an existing one? Great!What follows are some guidelines for creating a new port for
FreeBSD. If you want to upgrade an existing port, you should
read this and then read .When this document is not sufficiently detailed, you should
refer to /usr/ports/Mk/bsd.port.mk, which
all port Makefiles include. Even if you do not hack Makefiles
daily, it is well commented, and you will still gain much
knowledge from it. Additionally, you may send specific questions
to the &a.ports;.Only a fraction of the variables
(VAR) that can be
overridden are mentioned in this document. Most (if not all)
are documented at the start of bsd.port.mk.
This file uses a non-standard tab setting.
Emacs and
Vim should recognize the setting on
loading the file. Both vi and
ex can be set to use the correct value by
typing :set tabstop=4 once the file has been
loaded.Quick PortingThis section tells you how to do a quick port. In many cases, it
is not enough, but we will see.First, get the original tarball and put it into
DISTDIR, which defaults to
/usr/ports/distfiles.The following assumes that the software compiled out-of-the-box,
i.e., there was absolutely no change required for the port to work
on your FreeBSD box. If you needed to change something, you will
have to refer to the next section too.Writing the MakefileThe minimal Makefile would look something
like this:
# New ports collection makefile for: oneko
# Date created: 5 December 1994
# Whom: asami
#
# $FreeBSD$
#
PORTNAME= oneko
PORTVERSION= 1.1b
CATEGORIES= games
MASTER_SITES= ftp://ftp.cs.columbia.edu/archives/X11R5/contrib/
MAINTAINER= asami@FreeBSD.org
MAN1= oneko.1
MANCOMPRESSED= yes
USE_IMAKE= yes
.include <bsd.port.mk>See if you can figure it out. Do not worry about the contents
of the $FreeBSD$ line, it will be
filled in automatically by CVS when the port is imported to our main
ports tree. You can find a more detailed example in the sample Makefile section.Writing the description filesThere are three description files that are required for any
port, whether they actually package or not. They are
COMMENT, DESCR, and
PLIST, and reside in the
pkg subdirectory.COMMENTThis is the one-line description of the port.
Please do not include the package name (or
version number of the software) in the comment. The comment
should begin with a capital, and end without a period. Here
is an example:
A cat chasing a mouse all over the screenDESCRThis is a longer description of the port. One to a few
paragraphs concisely explaining what the port does is
sufficient.This is not a manual or an in-depth
description on how to use or compile the port! Please
be careful if you are copying from the
README or manpage; too often
they are not a concise description of the port or are in an
awkward format (e.g., manpages have justified spacing). If the
ported software has an official WWW homepage, you should list it
here. Prefix one of the websites with
WWW: so that automated tools will work
correctly.It is recommended that you sign your name at the end of this
file, as in:
This is a port of oneko, in which a cat chases a poor mouse all over
the screen.
:
(etc.)
WWW: http://www.oneko.org/
- Satoshi
asami@cs.berkeley.eduPLISTThis file lists all the files installed by the port. It is
also called the “packing list” because the package is
generated by packing the files listed here. The pathnames are
relative to the installation prefix (usually
/usr/local or
/usr/X11R6). If you are using the
MANn variables (as
you should be), do not list any manpages here.Here is a small example:
bin/oneko
lib/X11/app-defaults/Oneko
lib/X11/oneko/cat1.xpm
lib/X11/oneko/cat2.xpm
lib/X11/oneko/mouse.xpm
@dirrm lib/X11/onekoRefer to the &man.pkg.create.1; man page for details on the
packing list.You should list all the files, but not the name directories,
in the list. Also, if the port creates directories for itself
during installation, make sure to add @dirrm
lines as necessary to remove them when the port is
deleted.It is recommended that you keep all the filenames in this
file sorted alphabetically. It will make verifying the changes
when you upgrade the port much easier.Creating a packing list manually can be a very tedious
task. If the port installs a large numbers of files, creating the packing list
automatically might save time.Creating the checksum fileJust type make makesum. The ports make rules
will automatically generate the file
files/md5.Testing the portYou should make sure that the port rules do exactly what you
want them to do, including packaging up the port. These are the
important points you need to verify.PLIST does not contain anything not
installed by your portPLIST contains everything that is
installed by your portYour port can be installed multiple times using the
reinstall targetYour port cleans up
after itself upon deinstallRecommended test orderingmake installmake packagemake deinstallpkg_add package-namemake deinstallmake reinstallmake packageMake sure that there are not any warnings issued in any of the
package and
deinstall stages. After step 3, check to
see if all the new directories are correctly deleted. Also, try
using the software after step 4, to ensure that it works correctly
when installed from a package.Checking your port with portlintPlease use portlint to see if your port
conforms to our guidelines. The portlint program
is part of the ports collection. In particular, you may want to
check if the Makefile is in
the right shape and the package is named
appropriately.Submitting the portFirst, make sure you have read the DOs and DON'Ts section.Now that you are happy with your port, the only thing remaining
is to put it in the main FreeBSD ports tree and make everybody else
happy about it too. We do not need your work
directory or the pkgname.tgz package, so delete
them now. Next, simply include the output of shar `find
port_dir` in a bug report and send it with the
&man.send-pr.1; program (see Bug
Reports and General Commentary for more information about
&man.send-pr.1;. If the uncompressed port is larger than 20KB,
you should compress it into a tarfile and use &man.uuencode.1;
before including it in the bug report (uuencoded tarfiles are
acceptable even if the bug report is smaller than 20KB but are not
preferred). Be sure to classify the bug report as category
ports and class
change-request (Do not mark the report
confidential!).
Also add a short description of the program you ported
to the Description field of the PR and
the shar or uuencoded tarfile to the
Fix field. The latter one helps the committers
a lot, who use scripts for the ports-work.One more time, do not include the original source
distfile, the work directory, or the package
you built with make package.In the past, we asked you to upload new port submissions in
our ftp site (ftp.FreeBSD.org). This
is no longer recommended as read access is turned off on the
incoming/ directory of that site due to the
large amount of pirated software showing up there.We will look at your port, get back to you if necessary, and put
it in the tree. Your name will also appear in the list of
“Additional FreeBSD contributors” in the FreeBSD
Handbook and other files. Isn't that great?!? :-)You can make our work a lot easier, if you use a good
description in the synopsis of the problem report.
We prefer something like
“New port: <short description of the port>” for
new ports and
“Update port: <category>/<port> <short description
of the update>” for port updates.
If you stick to this scheme, the chance that one takes a look at
your PR soon is much bigger.Slow PortingOk, so it was not that simple, and the port required some
modifications to get it to work. In this section, we will explain,
step by step, how to modify it to get it to work with the ports
paradigm.How things workFirst, this is the sequence of events which occurs when the user
first types make in your port's directory.
You may find that having bsd.port.mk in another
window while you read this really helps to understand it.But do not worry if you do not really understand what
bsd.port.mk is doing, not many people do...
:->The fetch target is run. The
fetch target is responsible for making
sure that the tarball exists locally in
DISTDIR. If fetch
cannot find the required files in DISTDIR it
will look up the URL MASTER_SITES, which is
set in the Makefile, as well as our main ftp site at ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/,
where we put sanctioned distfiles as backup. It will then
attempt to fetch the named distribution file with
FETCH, assuming that the requesting site has
direct access to the Internet. If that succeeds, it will save
the file in DISTDIR for future use and
proceed.The extract target is run. It
looks for your port's distribution file (typically a gzip'd
tarball) in DISTDIR and unpacks it into a
temporary subdirectory specified by WRKDIR
(defaults to work).The patch target is run. First,
any patches defined in PATCHFILES are
applied. Second, if any patches are found in
PATCHDIR (defaults to the
patches subdirectory), they are applied at
this time in alphabetical order.The configure target is run. This
can do any one of many different things.If it exists, scripts/configure is
run.If HAS_CONFIGURE or
GNU_CONFIGURE is set,
WRKSRC/configure is
run.If USE_IMAKE is set,
XMKMF (default: xmkmf
-a) is run.The build target is run. This is
responsible for descending into the port's private working
directory (WRKSRC) and building it. If
USE_GMAKE is set, GNU make
will be used, otherwise the system make will
be used.The above are the default actions. In addition, you can define
targets
pre-something or
post-something,
or put scripts with those names, in the scripts
subdirectory, and they will be run before or after the default
actions are done.For example, if you have a post-extract
target defined in your Makefile, and a file
pre-build in the scripts
subdirectory, the post-extract target will
be called after the regular extraction actions, and the
pre-build script will be executed before the
default build rules are done. It is recommended that you use
Makefile targets if the actions are simple
enough, because it will be easier for someone to figure out what
kind of non-default action the port requires.The default actions are done by the
bsd.port.mk targets
do-something.
For example, the commands to extract a port are in the target
do-extract. If you are not happy with the
default target, you can fix it by redefining the
do-something
target in your Makefile.The “main” targets (e.g.,
extract,
configure, etc.) do nothing more than
make sure all the stages up to that one are completed and call
the real targets or scripts, and they are not intended to be
changed. If you want to fix the extraction, fix
do-extract, but never ever touch
extract!Now that you understand what goes on when the user types
make, let us go through the recommended steps to
create the perfect port.Getting the original sourcesGet the original sources (normally) as a compressed tarball
(foo.tar.gz or
foo.tar.Z) and copy
it into DISTDIR. Always use
mainstream sources when and where you
can.If you cannot find a ftp/http site that is well-connected to the
net, or can only find sites that have irritatingly non-standard
formats, you might want to put a copy on a reliable ftp or http
server that you control (e.g., your home page). Make sure you set
MASTER_SITES to reflect your choice.If you cannot find somewhere convenient and reliable to put the
distfile
we can “house” it ourselves
on ftp.FreeBSD.org.
The distfile must be placed into
~/public_distfiles/ of someone's
freefall account.
Ask the person who commits your port to do this.
This person will also set MASTER_SITES to
MASTER_SITE_LOCAL and
MASTER_SITE_SUBDIR to their
freefall username.If your port's distfile changes all the time for no good reason,
consider putting the distfile in your home page and listing it as
the first MASTER_SITES. This will prevent users
from getting checksum mismatch errors, and
also reduce the workload of maintainers of our ftp site. Also, if
there is only one master site for the port, it is recommended that
you house a backup at your site and list it as the second
MASTER_SITES.If your port requires some additional `patches' that are
available on the Internet, fetch them too and put them in
DISTDIR. Do not worry if they come from a site
other than where you got the main source tarball, we have a way to
handle these situations (see the description of PATCHFILES below).Modifying the portUnpack a copy of the tarball in a private directory and make
whatever changes are necessary to get the port to compile properly
under the current version of FreeBSD. Keep careful
track of everything you do, as you will be automating
the process shortly. Everything, including the deletion, addition,
or modification of files should be doable using an automated script
or patch file when your port is finished.If your port requires significant user interaction/customization
to compile or install, you should take a look at one of Larry Wall's
classic Configure scripts and perhaps do
something similar yourself. The goal of the new ports collection is
to make each port as “plug-and-play” as possible for the
end-user while using a minimum of disk space.Unless explicitly stated, patch files, scripts, and other
files you have created and contributed to the FreeBSD ports
collection are assumed to be covered by the standard BSD copyright
conditions.PatchingIn the preparation of the port, files that have been added or
changed can be picked up with a recursive diff for later feeding to
patch. Each set of patches you wish to apply should be collected
into a file named
patch-xx where
xx denotes the sequence in which the
patches will be applied — these are done in
alphabetical order, thus aa
first, ab second and so on. These files should
be stored in PATCHDIR, from where they will be
automatically applied. All patches should be relative to
WRKSRC (generally the directory your port's
tarball unpacks itself into, that being where the build is done).
To make fixes and upgrades easier, you should avoid having more than
one patch fix the same file (e.g., patch-aa and
patch-ab both changing
WRKSRC/foobar.c).ConfiguringInclude any additional customization commands in your
configure script and save it in the
scripts subdirectory. As mentioned above, you
can also do this with Makefile targets and/or
scripts with the name pre-configure or
post-configure.Handling user inputIf your port requires user input to build, configure, or install,
then set IS_INTERACTIVE in your Makefile. This
will allow “overnight builds” to skip your port if the
user sets the variable BATCH in his environment (and
if the user sets the variable INTERACTIVE, then
only those ports requiring interaction are
built).It is also recommended that if there are reasonable default
answers to the questions, you check the
PACKAGE_BUILDING variable and turn off the
interactive script when it is set. This will allow us to build the
packages for CD-ROMs and ftp.Configuring the MakefileConfiguring the Makefile is pretty simple, and again we suggest
that you look at existing examples before starting. Also, there is a
sample Makefile in this
handbook, so take a look and please follow the ordering of variables
and sections in that template to make your port easier for others to
read.Now, consider the following problems in sequence as you design
your new Makefile:The original sourceDoes it live in DISTDIR as a standard
gzip'd tarball named something like
foozolix-1.2.tar.gz? If so, you can go on
to the next step. If not, you should look at overriding any of
the DISTNAME, EXTRACT_CMD,
EXTRACT_BEFORE_ARGS,
EXTRACT_AFTER_ARGS,
EXTRACT_SUFX, or DISTFILES
variables, depending on how alien a format your port's
distribution file is. (The most common case is
EXTRACT_SUFX=.tar.Z, when the tarball is
condensed by regular compress, not
gzip.)In the worst case, you can simply create your own
do-extract target to override the
default, though this should be rarely, if ever,
necessary.PORTNAME and PORTVERSIONYou should set PORTNAME to the
base name of your port, and PORTVERSION
to the version number of the port.PKGNAMEPREFIX and PKGNAMESUFFIXTwo optional variables, PKGNAMEPREFIX and
PKGNAMESUFFIX, are combined with
PORTNAME and
PORTVERSION to
form PKGNAME as
${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}-${PORTVERSION}.
Make sure this conforms to our guidelines for a good package
name. In particular, you are not allowed to use a
hyphen (-) in
PORTVERSION. Also, if the package name
has the language- or the
compiled.specifics part, use
PKGNAMEPREFIX and
PKGNAMESUFFIX, respectively. Do not make
them part of PORTNAME.DISTNAMEDISTNAME is the name of the port as
called by the authors of the software.
DISTNAME defaults to
${PORTNAME}-${PORTVERSION}, so override it if necessary.
DISTNAME is only used in two places.
First, the distribution file list
(DISTFILES) defaults to
${DISTNAME}${EXTRACT_SUFX}.
Second, the distribution file is expected to extract into a
subdirectory named WRKSRC, which defaults
to work/${DISTNAME}.Note that PKGNAMEPREFIX and
PKGNAMESUFFIX do not affect
DISTNAME.CATEGORIESWhen a package is created, it is put under
/usr/ports/packages/All and links are made from
one or more subdirectories of
/usr/ports/packages. The names of these
subdirectories are specified by the variable
CATEGORIES. It is intended to make life easier
for the user when he is wading through the pile of packages on the
ftp site or the CD-ROM. Please take a look at the existing categories and pick the ones
that are suitable for your port.This list also determines where in the ports tree the port is
imported. If you put more than one category here, it is assumed
that the port files will be put in the subdirectory with the name in
the first category. See the categories section for more
discussion about how to pick the right categories.If your port truly belongs to something that is different from
all the existing ones, you can even create a new category name. In
that case, please send mail to the &a.ports; to propose a new
category.There is no error checking for category names. make
package will happily create a new directory if you
mistype the category name, so be careful!MASTER_SITESRecord the directory part of the ftp/http-URL pointing at the
original tarball in MASTER_SITES. Do not forget
the trailing slash (/)!The make macros will try to use this
specification for grabbing the distribution file with
FETCH if they cannot find it already on the
system.It is recommended that you put multiple sites on this list,
preferably from different continents. This will safeguard against
wide-area network problems, and we are even planning to add support
for automatically determining the closest master site and fetching
from there!If the original tarball is part of one of the following popular
archives: X-contrib, GNU, Perl CPAN, TeX CTAN, or Linux Sunsite, you
refer to those sites in an easy compact form using
MASTER_SITE_XCONTRIB,
MASTER_SITE_GNU,
MASTER_SITE_PERL_CPAN,
MASTER_SITE_TEX_CTAN, and
MASTER_SITE_SUNSITE. Simply set
MASTER_SITE_SUBDIR to the path within the
archive. Here is an example:
MASTER_SITES= ${MASTER_SITE_XCONTRIB}
MASTER_SITE_SUBDIR= applicationsThe user can also set the MASTER_SITE_*
variables in /etc/make.conf to override our
choices, and use their favorite mirrors of these popular archives
instead.PATCHFILESIf your port requires some additional patches that are available
by ftp or http, set PATCHFILES to the names of
the files and PATCH_SITES to the URL of the
directory that contains them (the format is the same as
MASTER_SITES).If the patch is not relative to the top of the source tree
(i.e., WRKSRC) because it contains some extra
pathnames, set PATCH_DIST_STRIP accordingly. For
instance, if all the pathnames in the patch have an extra
foozolix-1.0/ in front of the filenames, then set
PATCH_DIST_STRIP=-p1.Do not worry if the patches are compressed; they will be
decompressed automatically if the filenames end with
.gz or .Z.If the patch is distributed with some other files, such as
documentation, in a gzip'd tarball, you cannot just use
PATCHFILES. If that is the case, add the name
and the location of the patch tarball to
DISTFILES and MASTER_SITES.
Then, from the pre-patch target, apply the
patch either by running the patch command from there, or copying the
patch file into the PATCHDIR directory and
calling it
patch-xx.Note that the tarball will have been extracted alongside the
regular source by then, so there is no need to explicitly extract
it if it is a regular gzip'd or compress'd tarball. If you do the
latter, take extra care not to overwrite something that already
exists in that directory. Also, do not forget to add a command to
remove the copied patch in the pre-clean
target.MAINTAINERSet your mail-address here. Please. :-)For a detailed description of the responsibilities of maintainers,
refer to the MAINTAINER on
Makefiles section.DependenciesMany ports depend on other ports. There are five variables that
you can use to ensure that all the required bits will be on the
user's machine. There are also some pre-supported dependency
variables for common cases, plus a few more to control the behaviour
of dependencies.LIB_DEPENDSThis variable specifies the shared libraries this port depends
on. It is a list of
lib:dir:target
tuples where lib is the name of the
shared library, dir is the
directory in which to find it in case it is not available, and
target is the target to call in that
directory. For example, LIB_DEPENDS=
jpeg.9:${PORTSDIR}/graphics/jpeg:install
will check for a shared jpeg library with major version 9, and
descend into the graphics/jpeg subdirectory
of your ports tree to build and install it if it is not found.
The target part can be omitted if it is
equal to DEPENDS_TARGET (which defaults to
install).The lib part is an argument given
to ldconfig -r | grep -wF. There shall be no
regular expressions in this variable.The dependency is checked twice, once from within the
extract target and then from within the
install target. Also, the name of the
dependency is put into the package so that
pkg_add will automatically install it if it is
not on the user's system.RUN_DEPENDSThis variable specifies executables or files this port depends
on during run-time. It is a list of
path:dir:target
tuples where path is the name of the
executable or file, dir is the
directory in which to find it in case it is not available, and
target is the target to call in that
directory. If path starts with a slash
(/), it is treated as a file and its existence
is tested with test -e; otherwise, it is
assumed to be an executable, and which -s is
used to determine if the program exists in the user's search
path.For example,
RUN_DEPENDS= ${PREFIX}/etc/innd:${PORTSDIR}/news/inn \
wish8.0:${PORTSDIR}/x11-toolkits/tk80will check if the file or directory
/usr/local/etc/innd exists, and build and
install it from the news/inn subdirectory of
the ports tree if it is not found. It will also see if an
executable called wish8.0 is in your search
path, and descend into the x11-toolkits/tk80
subdirectory of your ports tree to build and install it if it is
not found.In this case, innd is actually an
executable; if an executable is in a place that is not expected
to be in a normal user's search path, you should use the full
pathname.The dependency is checked from within the
install target. Also, the name of the
dependency is put in to the package so that
pkg_add will automatically install it if it is
not on the user's system. The target
part can be omitted if it is the same as
DEPENDS_TARGET.BUILD_DEPENDSThis variable specifies executables or files this port
requires to build. Like RUN_DEPENDS, it is a
list of
path:dir:target
tuples. For example, BUILD_DEPENDS=
unzip:${PORTSDIR}/archivers/unzip will check
for an executable called unzip, and descend
into the archivers/unzip subdirectory of your
ports tree to build and install it if it is not found.“build” here means everything from extraction to
compilation. The dependency is checked from within the
extract target. The
target part can be omitted if it is
the same as DEPENDS_TARGETFETCH_DEPENDSThis variable specifies executables or files this port
requires to fetch. Like the previous two, it is a list of
path:dir:target
tuples. For example, FETCH_DEPENDS=
ncftp2:${PORTSDIR}/net/ncftp2 will check for an
executable called ncftp2, and descend into the
net/ncftp2 subdirectory of your ports tree to
build and install it if it is not found.The dependency is checked from within the
fetch target. The
target part can be omitted if it is the
same as DEPENDS_TARGET.DEPENDSIf there is a dependency that does not fall into either of the
above four categories, or your port requires having the source of
the other port extracted in addition to having it installed,
then use this variable. This is a list of
dir:target,
as there is nothing to check, unlike the previous four. The
target part can be omitted if it is the
same as DEPENDS_TARGET.Common dependency variablesDefine USE_XLIB=yes if your port requires
the X Window System to be installed (it is implied by
USE_IMAKE). Define
USE_GMAKE=yes if your port requires GNU
make instead of BSD make.
Define USE_AUTOCONF=yes if your port requires
GNU autoconf to be run. Define USE_QT=yes if
your port uses the latest qt toolkit. Use
USE_PERL5=yes if your port requires version 5
of the perl language. (The last is especially important since
some versions of FreeBSD have perl5 as part of the base system
while others do not.)Notes on dependenciesAs mentioned above, the default target to call when a
dependency is required is DEPENDS_TARGET.
It defaults to install. This is a user
variable; it is never defined in a port's
Makefile. If your port needs a special way
to handle a dependency, use the :target part of
the *_DEPENDS variables instead of redefining
DEPENDS_TARGET.When you type make clean, its dependencies
are automatically cleaned too. If you do not wish this to happen,
define the variable NOCLEANDEPENDS in your
environment.To depend on another port unconditionally, it is customary to
use the string nonexistent as the first field
of BUILD_DEPENDS or
RUN_DEPENDS. Use this only when you need to
the to get to the source of the other port. You can often save
compilation time by specifying the target too. For
instance
BUILD_DEPENDS= /nonexistent:${PORTSDIR}/graphics/jpeg:extract
will always descend to the JPEG port and extract it.Do not use DEPENDS unless there is no other
way the behaviour you want can be accomplished. It will cause the
other port to always be built (and installed, by default), and the
dependency will go into the packages as well. If this is really
what you need, I recommend you write it as
BUILD_DEPENDS and
RUN_DEPENDS instead—at least the
intention will be clear.Building mechanismsIf your package uses GNU make, set
USE_GMAKE=yes. If your package uses
configure, set
HAS_CONFIGURE=yes. If your package uses GNU
configure, set
GNU_CONFIGURE=yes (this implies
HAS_CONFIGURE). If you want to give some extra
arguments to configure (the default argument list
--prefix=${PREFIX} for GNU
configure and empty for non-GNU
configure), set those extra arguments in
CONFIGURE_ARGS. If your package uses GNU
autoconf, set
USE_AUTOCONF=yes. This implies
GNU_CONFIGURE, and will cause
autoconf to be run before
configure.If your package is an X application that creates
Makefiles from Imakefiles
using imake, then set
USE_IMAKE=yes. This will cause the configure
stage to automatically do an xmkmf -a. If the
flag is a problem for your port, set
XMKMF=xmkmf. If the port uses
imake but does not understand the
install.man target,
NO_INSTALL_MANPAGES=yes should be set. In
addition, the author of the original port should be shot. :->If your port's source Makefile has
something else than all as the main build
target, set ALL_TARGET accordingly. Same goes
for install and
INSTALL_TARGET.Special considerationsThere are some more things you have to take into account when you
create a port. This section explains the most common of those.Shared LibrariesIf your port installs one or more shared libraries, define a
INSTALLS_SHLIB make variable, which will instruct
a bsd.port.mk to run
${LDCONFIG} -m on the directory where the
new library is installed (usually
PREFIX/lib) during
post-install target to register it into the
shared library cache. This variable, when defined, will also
facilitate addition of an appropriate
@exec /sbin/ldconfig -m and
@unexec /sbin/ldconfig -R pair into your
pkg/PLIST file, so that a user who installed
the package can start using the shared library immediately and
deinstallation will not cause the system to still believe the
library is there.If you need, you can override default location where the new
library is installed by defining LDCONFIG_DIRS
make variable, which should contain a list of directories into which
shared libraries are to be installed. For example if your port
installs shared libraries into
PREFIX/lib/foo and
PREFIX/lib/bar directories
you could use the following in your
Makefile:
INSTALLS_SHLIB= yes
LDCONFIG_DIRS= %%PREFIX%%/lib/foo %%PREFIX%%/lib/barNote that content of LDCONFIG_DIRS is passed
through &man.sed.1; just like the rest of pkg/PLIST,
so PLIST_SUB substitutions also apply here. It is
recommended that you use %%PREFIX%% for
PREFIX, %%LOCALBASE%% for
LOCALBASE and %%X11BASE%% for
X11BASE.MASTERDIRIf your port needs to build slightly different versions of
packages by having a variable (for instance, resolution, or paper
size) take different values, create one subdirectory per package to
make it easier for users to see what to do, but try to share as many
files as possible between ports. Typically you only need a very short
Makefile in all but one of the directories if you
use variables cleverly. In the sole Makefiles,
you can use MASTERDIR to specify the directory
where the rest of the files are. Also, use a variable as part of
PKGNAMESUFFIX so
the packages will have different names.This will be best demonstrated by an example. This is part of
japanese/xdvi300/Makefile;
PORTNAME= xdvi
PORTVERSION= 17
PKGNAMEPREFIX= ja-
PKGNAMESUFFIX= ${RESOLUTION}
:
# default
RESOLUTION?= 300
.if ${RESOLUTION} != 118 && ${RESOLUTION} != 240 && \
${RESOLUTION} != 300 && ${RESOLUTION} != 400
@${ECHO} "Error: invalid value for RESOLUTION: \"${RESOLUTION}\""
@${ECHO} "Possible values are: 118, 240, 300 (default) and 400."
@${FALSE}
.endifjapanese/xdvi300 also has all the regular
patches, package files, etc. If you type make
there, it will take the default value for the resolution (300) and
build the port normally.As for other resolutions, this is the entirexdvi118/Makefile:
RESOLUTION= 118
MASTERDIR= ${.CURDIR}/../xdvi300
.include ${MASTERDIR}/Makefile(xdvi240/Makefile and
xdvi400/Makefile are similar). The
MASTERDIR definition tells
bsd.port.mk that the regular set of
subdirectories like PATCHDIR and
PKGDIR are to be found under
xdvi300. The RESOLUTION=118
line will override the RESOLUTION=300 line in
xdvi300/Makefile and the port will be built with
resolution set to 118.Shared library versionsPlease read our policy on
shared library versioning to understand what to do with
shared library versions in general. Do not blindly assume software
authors know what they are doing; many of them do not. It is very
important that these details are carefully considered, as we have
quite a unique situation where we are trying to have dozens of
potentially incompatible software pairs co-exist. Careless port
imports have caused great trouble regarding shared libraries in the
past (ever wondered why the port jpeg-6b has a
shared library version of 9?). If in doubt, send a message to the
&a.ports;. Most of the time, your job ends by determining the right
shared library version and making appropriate patches to implement
it.ManpagesThe MAN[1-9LN] variables will automatically add
any manpages to pkg/PLIST (this means you must
not list manpages in the
PLIST—see generating PLIST for more). It also
makes the install stage automatically compress or uncompress manpages
depending on the setting of NOMANCOMPRESS in
/etc/make.conf.If your port tries to install multiple names for manpages using
symlinks or hardlinks, you must use the MLINKS
variable to identify these. The link installed by your port will
be destroyed and recreated by bsd.port.mk
to make sure it points to the correct file. Any manpages
listed in MLINKS must not be listed in the
PLIST.To specify whether the manpages are compressed upon installation,
use the MANCOMPRESSED variable. This variable can
take three values, yes, no and
maybe. yes means manpages are
already installed compressed, no means they are
not, and maybe means the software already respects
the value of NOMANCOMPRESS so
bsd.port.mk does not have to do anything
special.MANCOMPRESSED is automatically set to
yes if USE_IMAKE is set and
NO_INSTALL_MANPAGES is not set, and to
no otherwise. You do not have to explicitly define
it unless the default is not suitable for your port.If your port anchors its man tree somewhere other than
PREFIX, you can use the
MANPREFIX to set it. Also, if only manpages in
certain sections go in a non-standard place, such as some Perl modules
ports, you can set individual man paths using
MANsectPREFIX (where
sect is one of 1-9,
L or N).If your manpages go to language-specific subdirectories, set the
name of the languages to MANLANG. The value of
this variable defaults to "" (i.e., English
only).Here is an example that puts it all together.
MAN1= foo.1
MAN3= bar.3
MAN4= baz.4
MLINKS= foo.1 alt-name.8
MANLANG= "" ja
MAN3PREFIX= ${PREFIX}/share/foobar
MANCOMPRESSED= yesThis states that six files are installed by this port;
${PREFIX}/man/man1/foo.1.gz
${PREFIX}/man/ja/man1/foo.1.gz
${PREFIX}/share/foobar/man/man3/bar.3.gz
${PREFIX}/share/foobar/man/ja/man3/bar.3.gz
${PREFIX}/man/man4/baz.4.gz
${PREFIX}/man/ja/man4/baz.4.gzAdditionally ${PREFIX}/man/man8/alt-name.8.gz
may or may not be installed by your port. Regardless, a
symlink will be made to join the foo(1) manpage and
alt-name(8) manpage.Ports that require MotifThere are many programs that require a Motif library (available
from several commercial vendors, while there is a free clone reported
to be able to run many applications in
x11-toolkits/lesstif) to compile. Since it is a
popular toolkit and their licenses usually permit redistribution of
statically linked binaries, we have made special provisions for
handling ports that require Motif in a way that we can easily compile
binaries linked either dynamically (for people who are compiling from
the port) or statically (for people who distribute packages).REQUIRES_MOTIFIf your port requires Motif, define this variable in the
Makefile. This will prevent people who do not own a copy of Motif
from even attempting to build it.MOTIFLIBThis variable will be set by bsd.port.mk to
be the appropriate reference to the Motif library. Please patch the
source to use this wherever the Motif library is referenced in the
Makefile or
Imakefile.There are two common cases:If the port refers to the Motif library as
-lXm in its Makefile or
Imakefile, simply substitute
${MOTIFLIB} for it.If the port uses XmClientLibs in its
Imakefile, change it to
${MOTIFLIB} ${XTOOLLIB}
${XLIB}.Note that MOTIFLIB (usually) expands to
-L/usr/X11R6/lib -lXm or
/usr/X11R6/lib/libXm.a, so there is no need to
add -L or -l in front.X11 fontsIf your port installs fonts for the X Window system, put them in
X11BASE/lib/X11/fonts/local.
This directory is new to XFree86 release 3.3.3. If it does not exist,
please create it, and print out a message urging the user to update
their XFree86 to 3.3.3 or newer, or at least add this directory to the
font path in /etc/XF86Config.Info filesThe new version of texinfo (included in 2.2.2-RELEASE and onwards)
contains a utility called install-info to add and
delete entries to the dir file. If your port
installs any info documents, please follow these instructions so your
port/package will correctly update the user's
PREFIX/info/dir file. (Sorry
for the length of this section, but is it imperative to weave all the
info files together. If done correctly, it will produce a
beautiful listing, so please bear with me!First, this is what you (as a porter) need to know&prompt.user; install-info --help
install-info [OPTION]... [INFO-FILE [DIR-FILE]]
Install INFO-FILE in the Info directory file DIR-FILE.
Options:
--delete Delete existing entries in INFO-FILE;
don't insert any new entries.
:
--entry=TEXT Insert TEXT as an Info directory entry.
:
--section=SEC Put this file's entries in section SEC of the directory. :This program will not actually install info
files; it merely inserts or deletes entries in the
dir file.Here's a seven-step procedure to convert ports to use
install-info. I will use
editors/emacs as an example.Look at the texinfo sources and make a patch to insert
@dircategory and @direntry
statements to files that do not have them. This is part of my
patch:
--- ./man/vip.texi.org Fri Jun 16 15:31:11 1995
+++ ./man/vip.texi Tue May 20 01:28:33 1997
@@ -2,6 +2,10 @@
@setfilename ../info/vip
@settitle VIP
+@dircategory The Emacs editor and associated tools
+@direntry
+* VIP: (vip). A VI-emulation for Emacs.
+@end direntry
@iftex
@finalout
:The format should be self-explanatory. Many authors leave a
dir file in the source tree that contains all
the entries you need, so look around before you try to write your
own. Also, make sure you look into related ports and make the
section names and entry indentations consistent (we recommend that
all entry text start at the 4th tab stop).Note that you can put only one info entry per file because
of a bug in install-info --delete that
deletes only the first entry if you specify multiple entries in
the @direntry section.You can give the dir entries to
install-info as arguments
( and ) instead
of patching the texinfo sources. I do not think this is a good
idea for ports because you need to duplicate the same information
in three places
(Makefile and
@exec/@unexec of
PLIST; see below). However, if you have
Japanese (or other multibyte encoding) info files, you will have
to use the extra arguments to install-info
because makeinfo cannot handle those texinfo
sources. (See Makefile and
PLIST of japanese/skk
for examples on how to do this).Go back to the port directory and do a make clean;
make and verify that the info files are regenerated
from the texinfo sources. Since the texinfo sources are newer than
the info files, they should be rebuilt when you type
make; but many Makefiles
do not include correct dependencies for info files. In
emacs' case, I had to patch the main
Makefile.in so it will descend into the
man subdirectory to rebuild the info
pages.
--- ./Makefile.in.org Mon Aug 19 21:12:19 1996
+++ ./Makefile.in Tue Apr 15 00:15:28 1997
@@ -184,7 +184,7 @@
# Subdirectories to make recursively. `lisp' is not included
# because the compiled lisp files are part of the distribution
# and you cannot remake them without installing Emacs first.
-SUBDIR = lib-src src
+SUBDIR = lib-src src man
# The makefiles of the directories in $SUBDIR.
SUBDIR_MAKEFILES = lib-src/Makefile man/Makefile src/Makefile oldXMenu/Makefile
lwlib/Makefile
--- ./man/Makefile.in.org Thu Jun 27 15:27:19 1996
+++ ./man/Makefile.in Tue Apr 15 00:29:52 1997
@@ -66,6 +66,7 @@
${srcdir}/gnu1.texi \
${srcdir}/glossary.texi
+all: info
info: $(INFO_TARGETS)
dvi: $(DVI_TARGETS)The second hunk was necessary because the default target in
the man subdir is called
info, while the main
Makefile wants to call
all. I also deleted the installation of
the info info file because we already have
one with the same name in /usr/share/info
(that patch is not shown here).If there is a place in the Makefile that
is installing the dir file, delete it. Your
port may not be doing it. Also, remove any commands that are
otherwise mucking around with the dir
file.
--- ./Makefile.in.org Mon Aug 19 21:12:19 1996
+++ ./Makefile.in Mon Apr 14 23:38:07 1997
@@ -368,14 +368,8 @@
if [ `(cd ${srcdir}/info && /bin/pwd)` != `(cd ${infodir} && /bin/pwd)` ]; \
then \
(cd ${infodir}; \
- if [ -f dir ]; then \
- if [ ! -f dir.old ]; then mv -f dir dir.old; \
- else mv -f dir dir.bak; fi; \
- fi; \
cd ${srcdir}/info ; \
- (cd $${thisdir}; ${INSTALL_DATA} ${srcdir}/info/dir ${infodir}/dir);
\
- (cd $${thisdir}; chmod a+r ${infodir}/dir); \
for f in ccmode* cl* dired-x* ediff* emacs* forms* gnus* info* message* mh-e* sc* vip*; do \
(cd $${thisdir}; \
${INSTALL_DATA} ${srcdir}/info/$$f ${infodir}/$$f; \
chmod a+r ${infodir}/$$f); \(This step is only necessary if you are modifying an existing
port.) Take a look at pkg/PLIST and delete
anything that is trying to patch up info/dir.
They may be in pkg/INSTALL or some other
file, so search extensively.
Index: pkg/PLIST
===================================================================
RCS file: /usr/cvs/ports/editors/emacs/pkg/PLIST,v
retrieving revision 1.15
diff -u -r1.15 PLIST
--- PLIST 1997/03/04 08:04:00 1.15
+++ PLIST 1997/04/15 06:32:12
@@ -15,9 +15,6 @@
man/man1/emacs.1.gz
man/man1/etags.1.gz
man/man1/ctags.1.gz
-@unexec cp %D/info/dir %D/info/dir.bak
-info/dir
-@unexec cp %D/info/dir.bak %D/info/dir
info/cl
info/cl-1
info/cl-2Add a post-install target to the
Makefile to call
install-info with the installed
info files. (It is no longer necessary to create the
dir file yourself;
install-info automatically creates this
file if it does not exist.)
Index: Makefile
===================================================================
RCS file: /usr/cvs/ports/editors/emacs/Makefile,v
retrieving revision 1.26
diff -u -r1.26 Makefile
--- Makefile 1996/11/19 13:14:40 1.26
+++ Makefile 1997/05/20 10:25:09 1.28
@@ -20,5 +20,8 @@
post-install:
.for file in emacs-19.34 emacsclient etags ctags b2m
strip ${PREFIX}/bin/${file}
.endfor
+.for info in emacs vip viper forms gnus mh-e cl sc dired-x ediff ccmode
+ install-info ${PREFIX}/info/${info} ${PREFIX}/info/dir
+.endfor
.include <bsd.port.mk>Edit PLIST and add equivalent
@exec statements and also
@unexec for
pkg_delete.
Index: pkg/PLIST
===================================================================
RCS file: /usr/cvs/ports/editors/emacs/pkg/PLIST,v
retrieving revision 1.15
diff -u -r1.15 PLIST
--- PLIST 1997/03/04 08:04:00 1.15
+++ PLIST 1997/05/20 10:25:12 1.17
@@ -16,7 +14,14 @@
man/man1/etags.1.gz
man/man1/ctags.1.gz
+@unexec install-info --delete %D/info/emacs %D/info/dir
:
+@unexec install-info --delete %D/info/ccmode %D/info/dir
info/cl
info/cl-1
@@ -87,6 +94,18 @@
info/viper-3
info/viper-4
+@exec install-info %D/info/emacs %D/info/dir
:
+@exec install-info %D/info/ccmode %D/info/dir
libexec/emacs/19.34/i386--freebsd/cvtmail
libexec/emacs/19.34/i386--freebsd/digest-docThe @unexec install-info --delete
commands have to be listed before the info files themselves so
they can read the files. Also, the @exec
install-info commands have to be after the info
files and the @exec command that creates the
the dir file.Test and admire your
work. :-). Check the
dir file before and after each step.The pkg/ subdirectoryThere are some tricks we have not mentioned yet about the
pkg/ subdirectory that come in handy
sometimes.MESSAGEIf you need to display a message to the installer, you may place
the message in pkg/MESSAGE. This capability is
often useful to display additional installation steps to be taken
after a pkg_add or to display licensing
information.The pkg/MESSAGE file does not need to be
added to pkg/PLIST. Also, it will not get
automatically printed if the user is using the port, not the
package, so you should probably display it from the
post-install target yourself.INSTALLIf your port needs to execute commands when the binary package
is installed with pkg_add you can do this via the
pkg/INSTALL script. This script will
automatically be added to the package, and will be run twice by
pkg_add. The first time will as INSTALL
${PKGNAME} PRE-INSTALL and the second time as
INSTALL ${PKGNAME} POST-INSTALL.
$2 can be tested to determine which mode
the script is being run in. The PKG_PREFIX
environmental variable will be set to the package installation
directory. See &man.pkg.add.1; for
additional information.This script is not run automatically if you install the port
with make install. If you are depending on it
being run, you will have to explicitly call it from your port's
Makefile.REQIf your port needs to determine if it should install or not, you
can create a pkg/REQ “requirements”
script. It will be invoked automatically at
installation/deinstallation time to determine whether or not
installation/deinstallation should proceed.Changing PLIST based on make
variablesSome ports, particularly the p5- ports, need to change their
PLIST depending on what options they are
configured with (or version of perl, in the case of p5- ports). To
make this easy, any instances in the PLIST of
%%OSREL%%, %%PERL_VER%%, and
%%PERL_VERSION%% will be substituted for
appropriately. The value of %%OSREL%% is the
numeric revision of the operating system (e.g.,
2.2.7). %%PERL_VERSION%% is
the full version number of perl (e.g., 5.00502)
and %%PERL_VER%% is the perl version number minus
the patchlevel (e.g., 5.005).If you need to make other substitutions, you can set the
PLIST_SUB variable with a list of
VAR=VALUE
pairs and instances of
%%VAR%%' will be
substituted with VALUE in the
PLIST.For instance, if you have a port that installs many files in a
version-specific subdirectory, you can put something like
OCTAVE_VERSION= 2.0.13
PLIST_SUB= OCTAVE_VERSION=${OCTAVE_VERSION}
in the Makefile and use
%%OCTAVE_VERSION%% wherever the version shows up
in PLIST. That way, when you upgrade the port,
you will not have to change dozens (or in some cases, hundreds) of
lines in the PLIST.This substitution (as well as addition of any man pages) will be done between
the do-install and
post-install targets, by reading from
PLIST and writing to TMPPLIST
(default:
WRKDIR/.PLIST.mktmp). So if
your port builds PLIST on the fly, do so in or
before do-install. Also, if your port
needs to edit the resulting file, do so in
post-install to a file named
TMPPLIST.Changing the names of files in the
pkg subdirectoryAll the filenames in the pkg subdirectory
are defined using variables so you can change them in your
Makefile if need be. This is especially useful
when you are sharing the same pkg subdirectory
among several ports or have to write to one of the above files (see
writing to places other than
WRKDIR for why it is a bad idea to write
directly in to the pkg subdirectory).Here is a list of variable names and their default
values.VariableDefault valueCOMMENT${PKGDIR}/COMMENTDESCR${PKGDIR}/DESCRPLIST${PKGDIR}/PLISTPKGINSTALL${PKGDIR}/INSTALLPKGDEINSTALL${PKGDIR}/DEINSTALLPKGREQ${PKGDIR}/REQPKGMESSAGE${PKGDIR}/MESSAGEPlease change these variables rather than overriding
PKG_ARGS. If you change
PKG_ARGS, those files will not correctly be
installed in /var/db/pkg upon install from a
port.Licensing ProblemsSome software packages have restrictive licenses or can be in
- violation of the law (PKP's patent on public key crypto, ITAR (export
- of crypto software) to name just two of them). What we can do with
+ violation of the law in some countries (such as violating a patent).
+ What we can do with
them varies a lot, depending on the exact wordings of the respective
licenses.It is your responsibility as a porter to read the licensing
terms of the software and make sure that the FreeBSD project will
not be held accountable for violating them by redistributing the
source or compiled binaries either via ftp or CD-ROM. If in doubt,
please contact the &a.ports;.There are two variables you can set in the Makefile to handle the
situations that arise frequently:If the port has a “do not sell for profit” type of
license, set the variable NO_CDROM to a string
describing the reason why. We will make sure such ports will not go
into the CD-ROM come release time. The distfile and package will
still be available via ftp.If the resulting package needs to be built uniquely for each
site, or the resulting binary package cannot be distributed due to
licensing; set the variable NO_PACKAGE to a
string describing the reason why. We will make sure such packages
will not go on the ftp site, nor into the CD-ROM come release time.
The distfile will still be included on both however.If the port has legal restrictions on who can use it (e.g.,
- crypto stuff) or has a “no commercial use” license,
+ patented stuff) or has a “no commercial use” license,
set the variable RESTRICTED to be the string
describing the reason why. For such ports, the distfiles/packages
will not be available even from our ftp sites.The GNU General Public License (GPL), both version 1 and 2,
should not be a problem for ports.If you are a committer, make sure you update the
ports/LEGAL file too.UpgradingWhen you notice that a port is out of date compared to the latest
version from the original authors, first make sure you have the latest
port. You can find them in the
ports/ports-current directory of the ftp mirror
sites. You may also use CVSup to keep your whole ports collection
up-to-date, as described in the Handbook.The next step is to send a mail to the maintainer, if one is
listed in the port's Makefile. That person may
already be working on an upgrade, or have a reason to not upgrade the
port right now (because of, for example, stability problems of the new
version).If the maintainer asks you to do the upgrade or there is not any
such person to begin with, please make the upgrade and send the
recursive diff (either unified or context diff is fine, but port
committers appear to prefer unified diff more) of the new and old
ports directories to us (e.g., if your modified port directory is
called superedit and the original as in our tree
is superedit.bak, then send us the result of
diff -ruN superedit.bak superedit). Please examine
the output to make sure all the changes make sense. The best way to
send us the diff is by including it via &man.send-pr.1; (category
ports). Please mention any added or deleted files
in the message, as they have to be explicitly specified to CVS when
doing a commit. If the diff is more than about 20KB, please compress
and uuencode it; otherwise, just include it in the PR as is.Once again, please use &man.diff.1; and not &man.shar.1; to send
updates to existing ports!Dos and Don'tsHere is a list of common dos and don'ts that you encounter during
the porting process.You should check your own port against this list,
but you can also check ports in the PR database that others have
submitted. Submit any comments on ports you check as described in
Bug Reports and General
Commentary. Checking ports in the PR database will both make
it faster for us to commit them, and prove that you know what you are
doing.Strip BinariesDo strip binaries. If the original source already strips the
binaries, fine; otherwise you should add a
post-install rule to to it yourself. Here is an
example:
post-install:
strip ${PREFIX}/bin/xdlUse the &man.file.1; command on the installed executable to
check whether the binary is stripped or not. If it does not say
not stripped, it is stripped.INSTALL_* macrosDo use the macros provided in bsd.port.mk
to ensure correct modes and ownership of files in your own
*-install targets.INSTALL_PROGRAM is a command to install
binary executables.INSTALL_SCRIPT is a command to install
executable scripts.INSTALL_DATA is a command to install
sharable data.INSTALL_MAN is a command to install
manpages and other documentation (it does not compress
anything).These are basically the install command with
all the appropriate flags. See below for an example on how to use
them.WRKDIRDo not write anything to files outside
WRKDIR. WRKDIR is the only
place that is guaranteed to be writable during the port build (see
compiling ports from CDROM for an
example of building ports from a read-only tree). If you need to
modify some file in PKGDIR, do so by redefining a variable, not by
writing over it.WRKDIRPREFIXMake sure your port honors WRKDIRPREFIX.
Most ports do not have to worry about this. In particular, if you
are referring to a WRKDIR of another port, note
that the correct location is
WRKDIRPREFIXPORTSDIR/subdir/name/work not PORTSDIR/subdir/name/work or .CURDIR/../../subdir/name/work or some such.Also, if you are defining WRKDIR yourself,
make sure you prepend
${WRKDIRPREFIX}${.CURDIR} in the
front.Differentiating operating systems and OS versionsYou may come across code that needs modifications or conditional
compilation based upon what version of UNIX it is running under. If
you need to make such changes to the code for conditional
compilation, make sure you make the changes as general as possible
so that we can back-port code to FreeBSD 1.x systems and cross-port
to other BSD systems such as 4.4BSD from CSRG, BSD/386, 386BSD,
NetBSD, and OpenBSD.The preferred way to tell 4.3BSD/Reno (1990) and newer versions
of the BSD code apart is by using the BSD macro
defined in <sys/param.h>. Hopefully that
file is already included; if not, add the code:
#if (defined(__unix__) || defined(unix)) && !defined(USG)
#include <sys/param.h>
#endifto the proper place in the .c file. We
believe that every system that defines these two symbols has
sys/param.h. If you find a system that
does not, we would like to know. Please send mail to the
&a.ports;.Another way is to use the GNU Autoconf style of doing
this:
#ifdef HAVE_SYS_PARAM_H
#include <sys/param.h>
#endifDo not forget to add -DHAVE_SYS_PARAM_H to the
CFLAGS in the Makefile for
this method.Once you have sys/param.h included, you may
use:
#if (defined(BSD) && (BSD >= 199103))to detect if the code is being compiled on a 4.3 Net2 code base
or newer (e.g. FreeBSD 1.x, 4.3/Reno, NetBSD 0.9, 386BSD, BSD/386
1.1 and below).Use:
#if (defined(BSD) && (BSD >= 199306))to detect if the code is being compiled on a 4.4 code base or
newer (e.g. FreeBSD 2.x, 4.4, NetBSD 1.0, BSD/386 2.0 or
above).The value of the BSD macro is
199506 for the 4.4BSD-Lite2 code base. This is
stated for informational purposes only. It should not be used to
distinguish between versions of FreeBSD based only on 4.4-Lite vs.
versions that have merged in changes from 4.4-Lite2. The
__FreeBSD__ macro should be used instead.Use sparingly:__FreeBSD__ is defined in all versions of
FreeBSD. Use it if the change you are making
only affects FreeBSD. Porting gotchas like
the use of sys_errlist[] vs
strerror() are Berkeleyisms, not FreeBSD
changes.In FreeBSD 2.x, __FreeBSD__ is defined to
be 2. In earlier versions, it is
1. Later versions will bump it to match
their major version number.If you need to tell the difference between a FreeBSD 1.x
system and a FreeBSD 2.x or 3.x system, usually the right answer
is to use the BSD macros described above. If
there actually is a FreeBSD specific change (such as special
shared library options when using ld) then it
is OK to use __FreeBSD__ and #if
__FreeBSD__ > 1 to detect a FreeBSD 2.x and later
system. If you need more granularity in detecting FreeBSD
systems since 2.0-RELEASE you can use the following:
#if __FreeBSD__ >= 2
#include <osreldate.h>
# if __FreeBSD_version >= 199504
/* 2.0.5+ release specific code here */
# endif
#endifRelease__FreeBSD_version2.0-RELEASE1194112.1-CURRENT199501, 1995032.0.5-RELEASE1995042.2-CURRENT before 2.11995082.1.0-RELEASE1995112.2-CURRENT before 2.1.51995122.1.5-RELEASE1996072.2-CURRENT before 2.1.61996082.1.6-RELEASE1996122.1.7-RELEASE1996122.2-RELEASE2200002.2.1-RELEASE220000 (no change)2.2-STABLE after 2.2.1-RELEASE220000 (no change)2.2-STABLE after texinfo-3.92210012.2-STABLE after top2210022.2.2-RELEASE2220002.2-STABLE after 2.2.2-RELEASE2220012.2.5-RELEASE2250002.2-STABLE after 2.2.5-RELEASE2250012.2-STABLE after ldconfig -R merge2250022.2.6-RELEASE2260002.2.7-RELEASE2270002.2-STABLE after 2.2.7-RELEASE2270012.2-STABLE after semctl(2) change2270022.2.8-RELEASE2280002.2-STABLE after 2.2.8-RELEASE2280013.0-CURRENT before mount(2) change3000003.0-CURRENT after mount(2) change3000013.0-CURRENT after semctl(2) change3000023.0-CURRENT after ioctl arg changes3000033.0-CURRENT after ELF conversion3000043.0-RELEASE3000053.0-CURRENT after 3.0-RELEASE3000063.0-STABLE after 3/4 branch3000073.1-RELEASE3100003.1-STABLE after 3.1-RELEASE3100013.1-STABLE after C++ constructor/destructor order
change3100023.2-RELEASE3200003.2-STABLE3200013.2-STABLE after binary-incompatible IPFW and
socket changes3200023.3-RELEASE3300003.3-STABLE3300013.3-STABLE after adding mkstemps() to libc3300023.4-RELEASE3400003.4-STABLE3400014.0-CURRENT after 3.4 branch4000004.0-CURRENT after change in dynamic linker
handling4000014.0-CURRENT after C++ constructor/destructor
order change4000024.0-CURRENT after functioning dladdr(3)4000034.0-CURRENT after __deregister_frame_info dynamic
linker bug fix (also 4.0-CURRENT after EGCS 1.1.2
integration)
4000044.0-CURRENT after suser(9) API change
(also 4.0-CURRENT after newbus)4000054.0-CURRENT after cdevsw registration change4000064.0-CURRENT after the addition of so_cred for
socket level credentials4000074.0-CURRENT after the addition of a poll syscall
wrapper to libc_r4000084.0-CURRENT after the change of the kernel's
dev_t type to struct
specinfo pointer4000094.0-CURRENT after fixing a hole in jail(2)4000104.0-CURRENT after the sigset_t
datatype change4000114.0-CURRENT after the cutover to the GCC 2.95.2
compiler4000124.0-CURRENT after adding pluggable linux-mode
ioctl handlers4000134.0-CURRENT after importing OpenSSL4000144.0-CURRENT after the C++ ABI change in GCC 2.95.2
from -fvtable-thunks to -fno-vtable-thunks by
default4000154.0-CURRENT after importing OpenSSH4000164.0-RELEASE4000174.0-STABLE after 4.0-RELEASE4000184.0-STABLE after merging libxpg4 code into
libc.4000204.0-STABLE after upgrading Binutils to 2.10.0, ELF
branding changes, and tcsh in the base system.4000214.1-RELEASE4100004.1-STABLE after 4.1-RELEASE4100014.1-STABLE after setproctitle() moved from
libutil to libc.4100024.1.1-RELEASE4110004.1.1-STABLE after 4.1.1-RELEASE4110015.0-CURRENT5000005.0-CURRENT after adding addition ELF header fields,
and changing our ELF binary branding method.5000015.0-CURRENT after kld metadata changes.5000025.0-CURRENT after buf/bio changes.5000035.0-CURRENT after binutils upgrade.5000045.0-CURRENT after merging libxpg4 code into
libc and after TASKQ interface introduction.5000055.0-CURRENT after the addition of AGP
interfaces.5000065.0-CURRENT after Perl upgrade to 5.6.05000075.0-CURRENT after the update of KAME code to
2000/07 sources.5000085.0-CURRENT after ether_ifattach() and
ether_ifdetach() changes.5000095.0-CURRENT after changing mtree defaults
back to original variant, adding -L to follow
symlinks.5000105.0-CURRENT after kqueue API changed.5000115.0-CURRENT after setproctitle() moved from
libutil to libc.5000125.0-CURRENT after the first SMPng commit.500013Note that 2.2-STABLE sometimes identifies itself as
“2.2.5-STABLE” after the 2.2.5-RELEASE. The pattern
used to be year followed by the month, but we decided to change it
to a more straightforward major/minor system starting from 2.2.
This is because the parallel development on several branches made
it infeasible to classify the releases simply by their real
release dates. If you are making a port now, you do not have to
worry about old -CURRENTs; they are listed here just for your
reference.In the hundreds of ports that have been done, there have only
been one or two cases where __FreeBSD__ should
have been used. Just because an earlier port screwed up and used it
in the wrong place does not mean you should do so too.Writing something after
bsd.port.mkDo not write anything after the .include
<bsd.port.mk> line. It usually can be avoided by
including bsd.port.pre.mk somewhere in the
middle of your Makefile and
bsd.port.post.mk at the end.You need to include either the
pre.mk/post.mk pair or
bsd.port.mk only; do not mix these two.bsd.port.pre.mk only defines a few
variables, which can be used in tests in the
Makefile, bsd.port.post.mk
defines the rest.Here are some important variables defined in
bsd.port.pre.mk (this is not the complete list,
please read bsd.port.mk for the complete
list).VariableDescriptionARCHThe architecture as returned by uname
-m (e.g., i386)OPSYSThe operating system type, as returned by
uname -s (e.g.,
FreeBSD)OSRELThe release version of the operating system (e.g.,
2.1.5 or
2.2.7)OSVERSIONThe numeric version of the operating system, same as
__FreeBSD_version.PORTOBJFORMATThe object format of the system
(aout or elf)LOCALBASEThe base of the “local” tree (e.g.,
/usr/local/)X11BASEThe base of the “X11” tree (e.g.,
/usr/X11R6)PREFIXWhere the port installs itself (see more on
PREFIX).If you have to define the variables
USE_IMAKE, USE_X_PREFIX, or
MASTERDIR, do so before including
bsd.port.pre.mk.Here are some examples of things you can write after
bsd.port.pre.mk:
# no need to compile lang/perl5 if perl5 is already in system
.if ${OSVERSION} > 300003
BROKEN= perl is in system
.endif
# only one shlib version number for ELF
.if ${PORTOBJFORMAT} == "elf"
TCL_LIB_FILE= ${TCL_LIB}.${SHLIB_MAJOR}
.else
TCL_LIB_FILE= ${TCL_LIB}.${SHLIB_MAJOR}.${SHLIB_MINOR}
.endif
# software already makes link for ELF, but not for a.out
post-install:
.if ${PORTOBJFORMAT} == "aout"
${LN} -sf liblinpack.so.1.0 ${PREFIX}/lib/liblinpack.so
.endifInstall additional documentationIf your software has some documentation other than the standard
man and info pages that you think is useful for the user, install it
under PREFIX/share/doc.
This can be done, like the previous item, in the
post-install target.Create a new directory for your port. The directory name should
reflect what the port is. This usually means
PORTNAME. However, if you
think the user might want different versions of the port to be
installed at the same time, you can use the whole
PKGNAME.Make the installation dependent to the variable
NOPORTDOCS so that users can disable it in
/etc/make.conf, like this:
post-install:
.if !defined(NOPORTDOCS)
${MKDIR} ${PREFIX}/share/doc/xv
${INSTALL_MAN} ${WRKSRC}/docs/xvdocs.ps ${PREFIX}/share/doc/xv
.endifDo not forget to add them to pkg/PLIST too!
(Do not worry about NOPORTDOCS here; there is
currently no way for the packages to read variables from
/etc/make.conf.)You can also use the pkg/MESSAGE file to
display messages upon installation. See the using
pkg/MESSAGE section for
details.MESSAGE does not need to be added to
pkg/PLIST.DIST_SUBDIRDo not let your port clutter
/usr/ports/distfiles. If your port requires a
lot of files to be fetched, or contains a file that has a name that
might conflict with other ports (e.g.,
Makefile), set DIST_SUBDIR
to the name of the port (${PORTNAME} or
${PKGNAMEPREFIX}${PORTNAME}
should work fine). This will change
DISTDIR from the default
/usr/ports/distfiles to
/usr/ports/distfiles/DIST_SUBDIR,
and in effect puts everything that is required for your port into
that subdirectory.It will also look at the subdirectory with the same name on the
backup master site at ftp.FreeBSD.org.
(Setting DISTDIR explicitly in your
Makefile will not accomplish this, so please use
DIST_SUBDIR.)This does not affect the MASTER_SITES you
define in your Makefile.Package informationDo include package information, i.e.
COMMENT, DESCR, and
PLIST, in pkg.Note that these files are not used only for packaging anymore,
and are mandatory now, even if
NO_PACKAGE is set.RCS stringsDo not put RCS strings in patches. CVS will mangle them when we
put the files into the ports tree, and when we check them out again,
they will come out different and the patch will fail. RCS strings
are surrounded by dollar ($) signs, and
typically start with $Id or
$RCS.Recursive diffUsing the recurse () option to
diff to generate patches is fine, but please take
a look at the resulting patches to make sure you do not have any
unnecessary junk in there. In particular, diffs between two backup
files, Makefiles when the port uses
Imake or GNU configure, etc.,
are unnecessary and should be deleted. If you had to edit
configure.in and run
autoconf to regenerate
configure, do not take the diffs of
configure (it often grows to a few thousand
lines!); define USE_AUTOCONF=yes and take the
diffs of configure.in.Also, if you had to delete a file, then you can do it in the
post-extract target rather than as part of
the patch. Once you are happy with the resulting diff, please split
it up into one source file per patch file.PREFIXDo try to make your port install relative to
PREFIX. (The value of this variable will be set
to LOCALBASE (default
/usr/local), unless
USE_X_PREFIX or USE_IMAKE is
set, in which case it will be X11BASE (default
/usr/X11R6).)Not hard-coding /usr/local or
/usr/X11R6 anywhere in the source will make the
port much more flexible and able to cater to the needs of other
sites. For X ports that use imake, this is
automatic; otherwise, this can often be done by simply replacing the
occurrences of /usr/local (or
/usr/X11R6 for X ports that do not use imake)
in the various scripts/Makefiles in the port to read
PREFIX, as this variable is automatically passed
down to every stage of the build and install processes.Do not set USE_X_PREFIX unless your port
truly requires it (i.e., it links against X libs or it needs to
reference files in X11BASE).The variable PREFIX can be reassigned in your
Makefile or in the user's environment.
However, it is strongly discouraged for individual ports to set this
variable explicitly in the Makefiles.Also, refer to programs/files from other ports with the
variables mentioned above, not explicit pathnames. For instance, if
your port requires a macro PAGER to be the full
pathname of less, use the compiler flag:
-DPAGER=\"${PREFIX}/bin/less\"
or
-DPAGER=\"${LOCALBASE}/bin/less\"
if this is an X port, instead of
-DPAGER=\"/usr/local/bin/less\". This way it will
have a better chance of working if the system administrator has
moved the whole `/usr/local' tree somewhere else.SubdirectoriesTry to let the port put things in the right subdirectories of
PREFIX. Some ports lump everything and put it in
the subdirectory with the port's name, which is incorrect. Also,
many ports put everything except binaries, header files and manual
pages in the a subdirectory of lib, which does
not bode well with the BSD paradigm. Many of the files should be
moved to one of the following: etc
(setup/configuration files), libexec
(executables started internally), sbin
(executables for superusers/managers), info
(documentation for info browser) or share
(architecture independent files). See man &man.hier.7; for details,
the rules governing
/usr pretty much apply to
/usr/local too. The exception are ports
dealing with USENET “news”. They may use
PREFIX/news as a destination
for their files.Cleaning up empty directoriesDo make your ports clean up after themselves when they are
deinstalled. This is usually accomplished by adding
@dirrm lines for all directories that are
specifically created by the port. You need to delete subdirectories
before you can delete parent directories.
:
lib/X11/oneko/pixmaps/cat.xpm
lib/X11/oneko/sounds/cat.au
:
@dirrm lib/X11/oneko/pixmaps
@dirrm lib/X11/oneko/sounds
@dirrm lib/X11/onekoHowever, sometimes @dirrm will give you
errors because other ports also share the same subdirectory. You
can call rmdir from @unexec to
remove only empty directories without warning.
@unexec rmdir %D/share/doc/gimp 2>/dev/null || trueThis will neither print any error messages nor cause
pkg_delete to exit abnormally even if
PREFIX/share/doc/gimp is not
empty due to other ports installing some files in there.UIDsIf your port requires a certain user to be on the installed
system, let the pkg/INSTALL script call
pw to create it automatically. Look at
net/cvsup-mirror for an example.If your port must use the same user/group ID number when it is
installed as a binary package as when it was compiled, then you must
choose a free UID from 50 to 99 and register it below. Look at
japanese/Wnn for an example.Make sure you do not use a UID already used by the system or
other ports. This is the current list of UIDs between 50 and
99.
majordom:*:54:54:Majordomo Pseudo User:/usr/local/majordomo:/nonexistent
cyrus:*:60:60:the cyrus mail server:/nonexistent:/nonexistent
gnats:*:61:1:GNATS database owner:/usr/local/share/gnats/gnats-db:/bin/sh
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
xten:*:67:67:X-10 daemon:/usr/local/xten:/nonexistent
pop:*:68:6:Post Office Owner (popper):/nonexistent:/nonexistent
wnn:*:69:7:Wnn:/nonexistent:/nonexistent
ifmail:*:70:66:Ifmail user:/nonexistent:/nonexistent
pgsql:*:70:70:PostgreSQL pseudo-user:/usr/local/pgsql:/bin/sh
ircd:*:72:72:IRCd hybrid:/nonexistent:/nonexistent
alias:*:81:81:QMail user:/var/qmail/alias:/nonexistent
qmaill:*:83:81:QMail user:/var/qmail:/nonexistent
qmaild:*:82:81:QMail user:/var/qmail:/nonexistent
qmailq:*:85:82:QMail user:/var/qmail:/nonexistent
qmails:*:87:82:QMail user:/var/qmail:/nonexistent
qmailp:*:84:81:QMail user:/var/qmail:/nonexistent
qmailr:*:86:82:QMail user:/var/qmail:/nonexistent
msql:*:87:87:mSQL-2 pseudo-user:/var/db/msqldb:/bin/sh
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/sbin/nologin
vpopmail:*:89:89::0:0:User &:/usr/local/vpopmail:/nonexistentPlease include a notice when you submit a port (or an upgrade)
that reserves a new UID or GID in this range. This allows us to
keep the list of reserved IDs up to date.Do things rationallyThe Makefile should do things simply and
reasonably. If you can make it a couple of lines shorter or more
readable, then do so. Examples include using a make
.if construct instead of a shell
if construct, not redefining
do-extract if you can redefine
EXTRACT* instead, and using
GNU_CONFIGURE instead of CONFIGURE_ARGS
+= --prefix=${PREFIX}.Respect CFLAGSThe port should respect the CFLAGS variable.
If it does not, please add NO_PACKAGE=ignores
cflags to the Makefile.An example of a Makefile respecting
the CFLAGS variable follows. Note the
+=:CFLAGS += -Wall -WerrorHere is an example which does not respect the
CFLAGS variable:CFLAGS = -Wall -WerrorThe CFLAGS variable is defined on
FreeBSD systems in /etc/make.conf. The
first example appends additional flags to the
CFLAGS variable, preserving any system-wide
definitions. The second example clobbers anything previously
defined.Configuration filesIf your port requires some configuration files in
PREFIX/etc, do
not just install them and list them in
pkg/PLIST. That will cause
pkg_delete to delete files carefully edited by
the user and a new installation to wipe them out.Instead, install sample files with a suffix
(filename.sample
will work well) and print out a message pointing out that the
user has to copy and edit the file before the software can be made
to work.PortlintDo check your work with portlint
before you submit or commit it.FeedbackDo send applicable changes/patches to the original
author/maintainer for inclusion in next release of the code. This
will only make your job that much easier for the next
release.README.htmlDo not include the README.html file. This
file is not part of the cvs collection but is generated using the
make readme command.
MiscellaneaThe files pkg/DESCR,
pkg/COMMENT, and pkg/PLIST
should each be double-checked. If you are reviewing a port and feel
they can be worded better, do so.Do not copy more copies of the GNU General Public License into
our system, please.Please be careful to note any legal issues! Do not let us
illegally distribute software!If you are stuck…Do look at existing examples and the
bsd.port.mk file before asking us questions!
;-)Do ask us questions if you have any trouble! Do not just beat
your head against a wall! :-)A Sample MakefileHere is a sample Makefile that you can use to
create a new port. Make sure you remove all the extra comments (ones
between brackets)!It is recommended that you follow this format (ordering of
variables, empty lines between sections, etc.). This format is
designed so that the most important information is easy to locate. We
recommend that you use portlint to check the
Makefile.
[the header...just to make it easier for us to identify the ports.]
# New ports collection makefile for: xdvi
[the "version required" line is only needed when the PORTVERSION
variable is not specific enough to describe the port.]
# Version required: pl18 + japanization patches 18.1 and 18.2
[this is the date when the first version of this Makefile was created.
Never change this when doing an update of the port.]
# Date created: 26 May 1995
[this is the person who did the original port to FreeBSD, in particular, the
person who wrote the first version of this Makefile. Remember, this should
not be changed when upgrading the port later.]
# Whom: Satoshi Asami <asami@FreeBSD.org>
#
# $FreeBSD$
[ ^^^^^^^^^ This will be automatically replaced with RCS ID string by CVS
when it is committed to our repository. If upgrading a port, do not alter
this line back to "$FreeBSD$". CVS deals with it automatically.]
#
[section to describe the port itself and the master site - PORTNAME
and PORTVERSION are always first, followed by CATEGORIES,
and then MASTER_SITES, which can be followed by MASTER_SITE_SUBDIR.
PKGNAMEPREFIX and PKGNAMESUFFIX, if needed, will be after that.
Then comes DISTNAME, EXTRACT_SUFX and/or DISTFILES, and then
EXTRACT_ONLY, as necessary.]
PORTNAME= xdvi
PORTVERSION= 18.2
CATEGORIES= print
[do not forget the trailing slash ("/")!
if you are not using MASTER_SITE_* macros]
MASTER_SITES= ${MASTER_SITE_XCONTRIB}
MASTER_SITE_SUBDIR= applications
PKGNAMEPREFIX= ja-
DISTNAME= xdvi-pl18
[set this if the source is not in the standard ".tar.gz" form]
EXTRACT_SUFX= .tar.Z
[section for distributed patches -- can be empty]
PATCH_SITES= ftp://ftp.sra.co.jp/pub/X11/japanese/
PATCHFILES= xdvi-18.patch1.gz xdvi-18.patch2.gz
[maintainer; *mandatory*! This is the person (preferably with commit
privileges) whom a user can contact for questions and bug reports - this
person should be the porter or someone who can forward questions to the
original porter reasonably promptly. If you really do not want to have
your address here, set it to "ports@FreeBSD.org".]
MAINTAINER= asami@FreeBSD.org
[dependencies -- can be empty]
RUN_DEPENDS= gs:${PORTSDIR}/print/ghostscript
LIB_DEPENDS= Xpm.5:${PORTSDIR}/graphics/xpm
[this section is for other standard bsd.port.mk variables that do not
belong to any of the above]
[If it asks questions during configure, build, install...]
IS_INTERACTIVE= yes
[If it extracts to a directory other than ${DISTNAME}...]
WRKSRC= ${WRKDIR}/xdvi-new
[If the distributed patches were not made relative to ${WRKSRC}, you
may need to tweak this]
PATCH_DIST_STRIP= -p1
[If it requires a "configure" script generated by GNU autoconf to be run]
GNU_CONFIGURE= yes
[If it requires GNU make, not /usr/bin/make, to build...]
USE_GMAKE= yes
[If it is an X application and requires "xmkmf -a" to be run...]
USE_IMAKE= yes
[et cetera.]
[non-standard variables to be used in the rules below]
MY_FAVORITE_RESPONSE= "yeah, right"
[then the special rules, in the order they are called]
pre-fetch:
i go fetch something, yeah
post-patch:
i need to do something after patch, great
pre-install:
and then some more stuff before installing, wow
[and then the epilogue]
.include <bsd.port.mk>Automated package list creationFirst, make sure your port is almost complete, with only
PLIST missing. Create an empty
PLIST.&prompt.root; touch PLISTNext, create a new set of directories which your port can be
installed, and install any dependencies.&prompt.root; mtree -U -f /etc/mtree/BSD.local.dist -d -e -p /var/tmp/port-name
&prompt.root; make depends PREFIX=/var/tmp/port-nameStore the directory structure in a new file.&prompt.root; (cd /var/tmp/port-name && find * -type d) > OLD-DIRSIf your port honors PREFIX (which it should)
you can then install the port and create the package list.&prompt.root; make install PREFIX=/var/tmp/port-name
&prompt.root; (cd /var/tmp/port-name && find * \! -type d) > pkg/PLISTYou must also add any newly created directories to the packing
list.&prompt.root; (cd /var/tmp/port-name && find * -type d) | comm -13 OLD-DIRS - | sed -e 's#^#@dirrm #' >> pkg/PLISTFinally, you need to tidy up the packing list by hand. I lied
when I said this was all automated. Manual pages should be listed in
the port's Makefile under
MANn, and not in the
package list. User configuration files should be removed, or
installed as
filename.sample.
The info/dir file should not be listed
and appropriate install-info lines should
be added as noted in the info
files section. Any
libraries installed by the port should be listed as specified in the
shared libraries section.Package NamesThe following are the conventions you should follow in naming your
packages. This is to have our package directory easy to scan, as
there are already lots and lots of packages and users are going to
turn away if they hurt their eyes!The package name should look like
language_region-name-compiled.specifics-version.numbers.The package name is defined as
${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}-${PORTVERSION}.
Make sure to set the variables to conform to that format.FreeBSD strives to support the native language of its users.
The language- part should be a two
letter abbreviation of the natural language defined by ISO-639 if
the port is specific to a certain language. Examples are
ja for Japanese, ru for
Russian, vi for Vietnamese,
zh for Chinese, ko for
Korean and de for German.If the port is specific to a certain region within the
language area, add the two letter country code as well.
Examples are en_US for US English and
fr_CH for Swiss French.The language- part should
be set in the PKGNAMEPREFIX variable.The name part should be all lowercase,
except for a really large package (with lots of programs in it).
Things like XFree86 (yes there really is a port of it, check it
out) and ImageMagick fall into this category. Otherwise, convert
the name (or at least the first letter) to lowercase. If the
capital letters are important to the name (for example, with
one-letter names like R or
V) you may use capital letters at your
discretion. There is a tradition of naming Perl 5 modules by
prepending p5- and converting the double-colon
separator to a hyphen; for example, the
Data::Dumper module becomes
p5-Data-Dumper. If the software in question
has numbers, hyphens, or underscores in its name, you may include
them as well (like kinput2).If the port can be built with different hardcoded defaults (usually
part of the directory name in a family of ports), the
-compiled.specifics part should state
the compiled-in defaults (the hyphen is optional). Examples are
papersize and font units.The compiled.specifics part
should be set in the PKGNAMESUFFIX
variable.The version string should follow a dash
(-) and be a period-separated list of
integers and single lowercase alphabetics. In particular,
it is not pormissible to have another dash inside the
version string. The only exception is the string
pl (meaning `patchlevel'), which can be
used only when there are no major and
minor version numbers in the software. If the software
version has strings like "alpha", "beta", or "pre", take
the first letter and put it immediately after a period.
If the version string continues after those names, the
numbers should follow the single alphabet without an extra
period between them.The idea is to make it easier to sort ports by looking
at the version string. In particular, make sure version
number components are always delimited by a period, and
if the date is part of the string, use the
yyyy.mm.dd
format, not
dd.mm.yyyy
or the non-Y2K compliant
yy.mm.dd
format.Here are some (real) examples on how to convert the name
as called by the software authors to a suitable package
name:Distribution NamePKGNAMEPREFIXPORTNAMEPKGNAMESUFFIXPORTVERSIONReasonmule-2.2.2(empty)mule(empty)2.2.2No changes requiredXFree86-3.3.6(empty)XFree86(empty)3.3.6No changes requiredEmiClock-1.0.2(empty)emiclock(empty)1.0.2No uppercase names for single programsrdist-1.3alpha(empty)rdist(empty)1.3.aNo strings like alpha
allowedes-0.9-beta1(empty)es(empty)0.9.b1No strings like beta
allowedv3.3beta021.src(empty)tiff(empty)3.3What the heck was that anyway?tvtwm(empty)tvtwm(empty)pl11Version string always requiredpiewm(empty)piewm(empty)1.0Version string always requiredxvgr-2.10pl1(empty)xvgr(empty)2.10.1pl allowed only when no
major/minor version numbersgawk-2.15.6ja-gawk(empty)2.15.6Japanese language versionpsutils-1.13(empty)psutils-letter1.13Papersize hardcoded at package build timepkfonts(empty)pkfonts3001.0Package for 300dpi fontsIf there is absolutely no trace of version information in the
original source and it is unlikely that the original author will ever
release another version, just set the version string to
1.0 (like the piewm example above). Otherwise, ask
the original author or use the date string
(yyyy.mm.dd)
as the version.CategoriesAs you already know, ports are classified in several categories.
But for this to work, it is important that porters and users understand
what each category is for and how we decide what to put in each
category.Current list of categoriesFirst, this is the current list of port categories. Those
marked with an asterisk (*) are
virtual categories—those that do not have
a corresponding subdirectory in the ports tree.For non-virtual categories, you will find a one-line
description in the pkg/COMMENT file in that
subdirectory (e.g.,
archivers/pkg/COMMENT).CategoryDescriptionafterstep*Ports to support the AfterStep window manager.archiversArchiving tools.astroAstronomical ports.audioSound support.benchmarksBenchmarking utilities.biologyBiology-related software.cadComputer aided design tools.chineseChinese language support.commsCommunication software. Mostly software to talk to
your serial port.convertersCharacter code converters.databasesDatabases.deskutilsThings that used to be on the desktop before
computers were invented.develDevelopment utilities. Do not put libraries here just
because they are libraries—unless they truly do not
belong anywhere else, they should not be in this
category.editorsGeneral editors. Specialized editors go in the section
for those tools (e.g., a mathematical-formula editor will go
in math).elisp*Emacs-lisp ports.emulatorsEmulators for other operating systems. Terminal
emulators do not belong
here—X-based ones should go to
x11 and text-based ones to either
comms or misc,
depending on the exact functionality.frenchFrench language support.ftpFTP client and server utilities. If your
port speaks both FTP and HTTP, put it in
ftp with a secondary
category of www.gamesGames.germanGerman language support.gnome*Ports from the GNU Object Model Environment (GNOME)
Project.graphicsGraphics utilities.hebrewHebrew language support.ircInternet Relay Chat utilities.ipv6*IPv6 related software.japaneseJapanese language support.javaJava language support.kde*Ports from the K Desktop Environment (KDE)
Project.koreanKorean language support.langProgramming languages.linux*Linux applications and support utilities.mailMail software.mathNumerical computation software and other utilities
for mathematics.mboneMBone applications.miscMiscellaneous utilities—basically things that
do not belong anywhere else. This is the only category
that should not appear with any other non-virtual category.
If you have misc with something else in
your CATEGORIES line, that means you can
safely delete misc and just put the port
in that other subdirectory!netMiscellaneous networking software.newsUSENET news software.offix*Ports from the OffiX suite.palmSoftware support for the 3Com Palm(tm) series.perl5*Ports that require perl version 5 to run.plan9*Various programs from Plan9.printPrinting software. Desktop publishing tools
(previewers, etc.) belong here too.python*Software written in python.ruby*Software written in ruby.russianRussian language support.securitySecurity utilities.shellsCommand line shells.sysutilsSystem utilities.tcl76*Ports that use Tcl version 7.6 to run.tcl80*Ports that use Tcl version 8.0 to run.tcl81*Ports that use Tcl version 8.1 to run.tcl82*Ports that use Tcl version 8.2 to run.textprocText processing utilities. It does not include
desktop publishing tools, which go to print/.tk42*Ports that use Tk version 4.2 to run.tk80*Ports that use Tk version 8.0 to run.tk81*Ports that use Tk version 8.1 to run.tk82*Ports that use Tk version 8.2 to run.tkstep80*Ports that use TkSTEP version 8.0 to run.vietnameseVietnamese language support.windowmaker*Ports to support the WindowMaker window
managerwwwSoftware related to the World Wide Web. HTML language
support belongs here too.x11The X window system and friends. This category is only
for software that directly supports the window system. Do not
put regular X applications here. If your port is an X
application, define USE_XLIB (implied by
USE_IMAKE) and put it in the appropriate
categories. Also, many of them go into other
x11-* categories (see below).x11-clocksX11 clocks.x11-fmX11 file managers.x11-fontsX11 fonts and font utilities.x11-serversX11 servers.x11-toolkitsX11 toolkits.x11-wmX11 window managers.zope*Zope support.Choosing the right categoryAs many of the categories overlap, you often have to choose
which of the categories should be the primary category of your port.
There are several rules that govern this issue. Here is the list of
priorities, in decreasing order of precedence.Language specific categories always come first. For
example, if your port installs Japanese X11 fonts, then your
CATEGORIES line would read japanese
x11-fonts.Specific categories win over less-specific ones. For
instance, an HTML editor should be listed as www
editors, not the other way around. Also, you do not
need to list net when the port belongs to
any of irc, mail,
mbone, news,
security, or www.x11 is used as a secondary category only
when the primary category is a natural language. In particular,
you should not put x11 in the category line
for X applications.Emacs modes should be
placed in the same ports category as the application
supported by the mode, not in
editors. For example, an
Emacs mode to edit source
files of some programming language should go into
lang.
If your port truly does not belong anywhere else, put it in
misc.If you are not sure about the category, please put a comment to
that effect in your send-pr submission so we can
discuss it before we import it. If you are a committer, send a note
to the &a.ports; so we can discuss it first—too often new ports are
imported to the wrong category only to be moved right away.Changes to this document and the ports systemIf you maintain a lot of ports, you should consider following the
&a.ports;. Important changes to the way ports work will be announced
there. You can always find more detailed information on the latest
changes by looking at the
bsd.port.mk CVS log.That is It, Folks!Boy, this sure was a long tutorial, wasn't it? Thanks for
following us to here, really. Now that you know how to do a port,
have at it and convert everything in the world into ports! That
is the easiest way to start contributing to the FreeBSD Project!
:-)
diff --git a/en_US.ISO_8859-1/articles/committers-guide/article.sgml b/en_US.ISO_8859-1/articles/committers-guide/article.sgml
index 5816b521c1..99a5884a48 100644
--- a/en_US.ISO_8859-1/articles/committers-guide/article.sgml
+++ b/en_US.ISO_8859-1/articles/committers-guide/article.sgml
@@ -1,2035 +1,2003 @@
%man;
%authors;
]>
Committer GuideThe FreeBSD Documentation Project
- $FreeBSD: doc/en_US.ISO_8859-1/articles/committers-guide/article.sgml,v 1.35 2000/08/16 17:41:40 dannyboy Exp $
+ $FreeBSD: doc/en_US.ISO_8859-1/articles/committers-guide/article.sgml,v 1.36 2000/08/23 20:36:53 ben Exp $19992000The FreeBSD Documentation ProjectThis document provides information for the FreeBSD committer
community. All new committers should read this document before they
start, and existing committers are strongly encouraged to review it
from time to time.Administrative DetailsMain Repository Hostfreefall.FreeBSD.org
-
-
- International Crypto Repository Host
-
- internat.FreeBSD.org
-
-
Login Methods&man.ssh.1;Main CVSROOT/home/ncvs
-
- International Crypto CVSROOT
- /home/cvs.crypt
-
-
Main CVS Repository Meisters&a.jdp; and &a.peter; as well as &a.asami; for
ports/
-
-
- International Crypto CVS Repository Meister
-
- &a.markm;
-
-
Mailing Listcvs-committers@FreeBSD.orgNoteworthy CVS TagsRELENG_3 (3.x-STABLE), RELENG_4 (4.x-STABLE), HEAD (-CURRENT)It is required that you use &man.ssh.1; or &man.telnet.1;
with Kerberos 5 to connect to the repository hosts. These are
generally more secure than plain &man.telnet.1; or
&man.rlogin.1; since credential negotiation will always be
encrypted. All traffic is encrypted by default with &man.ssh.1;.
With utilities like &man.ssh-agent.1; and &man.scp.1; also
available, &man.ssh.1; is also far more convenient. If you do
not know anything about &man.ssh.1;, please see
.CVS OperationsIt is assumed that you are already familiar with the basic operation
of CVS.The CVS Repository Meisters (Peter Wemm and John Polstra)
are the owners of the CVS repository and are
responsible for any and all direct
modification of it for the purposes of cleanup or fixing some
grievous abuse of CVS by a committer. No one else should
attempt to touch the repository directly. Should you cause some
repository accident, say a bad cvs import or tag operation, do
not attempt to fix it yourself!
Mail or call John or Peter immediately and report the problem to
one of them instead. The only ones allowed to directly fiddle
the repository bits are the repomeisters. Satoshi Asami is also a
repomeister for the ports/ portion of the
- tree. Mark Murray is the repomeister for the International
- Crypto Repository in South Africa.
+ tree.
CVS operations are usually done by logging into
freefall, making sure the
CVSROOT environment variable is set to
/home/ncvs, and then doing the appropriate
check-out/check-in operations. If you wish to add
something which is wholly new (like contrib-ified
sources, etc), a script called easy-import is
also provided for making the process easier. It automatically
adds the new module entry, does the appropriate thing with
cvs import, etc. – just run it without
arguments and it will prompt you for everything it needs to
know.Note that when you use CVS on freefall, you
should set your umask to 2,
as well as setting the CVSUMASK environmenet
variable to 2. This ensures that any new
files created by cvs add will have the correct
permissions. If you add a file or directory and discover that the
file in the repository has incorrect permissions (specifically,
all files in the repository should be group writable by group
ncvs), contact one of the repository meisters
as described below.If you are familiar with remote CVS and consider yourself
pretty studly with CVS in general, you can also do CVS
operations directly from your own machine and local working
sources. Just remember to set CVS_RSH to
ssh so that you are using a relatively
secure and reliable transport. If you have no idea what any of
the above even means, on the other hand, then please stick with
logging into freefall and applying your diffs
with &man.patch.1;.If you need to use CVS add and
delete operations in a manner that is
effectively a mv operation, then a repository
copy is in order rather than your CVS add and
delete. In a repository copy, a CVS Meister will copy the file(s)
to their new name and/or location and let you know when it is
done. The purpose of a repository copy is to preserve file
change history, or logs. We in the FreeBSD Project greatly
value the change history CVS gives to the project.CVS reference information, tutorials, and FAQs can also be found at:
http://www.cyclic.com/CVS/support&a.des; also supplied the following mini primer for
CVS.Check out a module with the co or
checkout command.&prompt.user; cvs checkout shazamThis checks out a copy of the shazam module. If
there is no shazam module in the modules file, looks for a
top-level directory named shazam instead.Useful options:Don't create empty directoriesCheck out a single level, no subdirectoriesCheck out revision, branch or tag
revCheck out the sources as they were on date
dataPractical FreeBSD examples:Check out the miscfs module,
which corresponds to src/sys/miscfs:&prompt.user; cvs co miscfsYou now have a directory named miscfs
with subdirectories CVS,
deadfs, devfs, and so
on. One of these (linprocfs) is
empty.Check out the same files, but with full path:&prompt.user; cvs co src/sys/miscfsYou now have a directory named src,
with subdirectories CVS and
sys. src/sys has
subdirectories CVS and
miscfs, etc.Check out the same files, but prunes empty
directories:&prompt.user; cvs co -P miscfsYou now have a directory named
miscfs with subdirectories
CVS, deadfs,
devfs... but note that there is no
linprocfs subdirectory, because there
are no files in it.Check out the directory miscfs, but
none of the subdirectories:&prompt.root; cvs co -l miscfsYou now have a directory named miscfs
with just one subdirectory named
CVS.Check out the miscfs module as
it is in the 4.x branch:&prompt.user; cvs co -rRELENG_4 miscfsYou can modify the sources and commit along this
branch.Check out the miscfs module as
it was in 3.4-RELEASE.&prompt.user; cvs co -rRELENG_3_4_0_RELEASE miscfsYou will not be able to commit modifications, since
RELENG_3_4_0_RELEASE is a point in time, not a branch.Check out the miscfs module as it was
on Jan 15 2000.&prompt.user; cvs co -D'01/15/2000' miscfsYou will not be able to commit modifications.Check out the miscfs module as it was
one week agao.&prompt.user; cvs co -D'last week' miscfsYou will not be able to commit modifications.Note that cvs stores metadata in subdirectories named
CVS.Arguments to and
are sticky, which means cvs will remember them later, e.g.
when you do a cvs update.Check the status of checked-out files with the
status command.&prompt.user; cvs status shazamThis displays the status of the
shazam file or of every file in the
shazam directory. For every file, the
status is given as one of:Up-to-dateFile is up-to-date and unmodified.Needs PatchFile is unmodified, but there's a newer revision in
the repository.Locally ModifiedFile is up-to-date, but modified.Needs MergeFile is modified, and there's a newer revision in the
repository.File had conflicts on mergeThere were conflicts the last time this file was
updated, and they haven't been resolved yet.You'll also see the local revision and date,
the revision number of the newest applicable version
(newest applicable because if you have a
sticky date, tag or branch, it may not be the actual newest
revision), and any sticky tags, dates or options.Once you've checked something out, update it with the
update command.&prompt.user; cvs update shazamThis updates the shazam file or the
contents of the shazam directory to the
latest version along the branch you checked out. If you
checked out a point in time, does nothing
unless the tags have moved in the repo or some other weird
stuff is going on.Useful options, in addition to those listed above for
checkout:Check out any additional missing directories.Update to head of main branch.More magic (see below).If you checked out a module with or
, running cvs update
with a different or
argument or with will select a new branch,
revision or date. The option clears all
sticky tags, dates or revisions whereas
and set new ones.Theoretically, specifying HEAD as
argument to will give you the same result
as , but that's just theory.The option is useful if:somebody has added subdirectories to the module
you've checked out after you checked it out.you checked out with , and later
change your mind and want to check out the subdirectories
as well.you deleted some subdirectories and want to check
them all back out.Watch the output of the cvs
update with care. The letter in front of
each file name indicates what was done with it:UThe file was updated with no trouble.PThe file was updated with no trouble (you'll only see
this when working against a remote repo).MThe file had been modified, and was merged with no
conflicts.CThe file had been modified, and was merged with
conflicts.Merging is what happens if you check out a copy of
some source code, modify it, then someone else commits a
change, and you run cvs update. CVS notices
that you've made local changes, and tries to merge your
changes with the changes between the version you originally
checked out and the one you updated to. If the changed are to
separate portions of the file, it'll almost always work fine
(though the result might not be syntactically or semantically
correct).CVS will print an 'M' in front of every locally modified
file even if there is no newer version in the repository, so
cvs update is handy for getting a summary
of what you've changed locally.If you get a C, then your changes
conflicted with the changes in the repository (the changes
were to the same lines, or neighboring lines, or you changed
the local file so much that cvs can't
figure out how to apply the repository's changes). You'll have
to go through the file manually and resolve the conflicts;
they'll be marked with rows of <,
= and > signs. For
every conflict, there'll be a marker line with seven
< signs and the name of the file,
followed by a chunk of what your local file contained,
followed by a separator line with seven =
signs, followed by the corresponding chunk in the
repository version, followed by a marker line with seven
> signs and the revision number you
updated to.The option is slightly voodoo. It
updates the local file to the specified revision as if you
used , but it does not change the recorded
revision number or branch of the local file. It's not really
useful except when used twice, in which case it will merge the
changes between the two specified versions into the working
copy.For instance, say you commit a change to
shazam/shazam.c in -CURRENT and later
want to MFC it. The change you want to MFC was revision
1.15:Check out the -STABLE version of the
shazam module:&prompt.user; cvs co -rRELENG_4 shazamApply the changes between rev 1.14 and 1.15:&prompt.user; cvs update -j1.14 -j1.15 shazam/shazam.cYou'll almost certainly get a conflict because
- of the $Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $ (or in FreeBSD's case,
+ of the $Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $ (or in FreeBSD's case,
$FreeBSD$) lines, so you'll have to edit
the file to resolve the conflict (remove the marker lines and
- the second $Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $ line, leaving the original
- $Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $ line intact).
+ the second $Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $ line, leaving the original
+ $Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $ line intact).
View differences between the local version and the
repository version with the diff
command.&prompt.user; cvs diff shazamshows you every modification you've made to the
shazam file or module.Useful options:Uses the unified diff format.Shows missing or added files.You always want to use , since
unified diffs are much easier to read than almost any other
diff format (in some circumstances, context diffs may be
better, but they're much bulkier). A unified diff consists of
a series of hunks. Each hunk begins with a line that starts
with two @ signs and specifies where in the
file the differences are and how many lines they span. This
is followed by a number of lines; some (preceded by a blank)
are context; some (preceded by a - sign)
are outtakes and some (preceded by a +) are
additions.You can also diff against a different version
than the one you checked out by specifying a version
with or as in
checkout or update,
or even view the diffs between two arbitrary versions
(with no regard for what you have locally) by specifying
two versions with or
.View log entries with the log
command.&prompt.user; cvs log shazamSee who did what with the annotate command.
This command shows you each line of the specified file or
files, along with which user most recently changed that
line.&prompt.user; cvs annotate shazamAdd new files with the add command.Create the file, cvs add it, then
cvs commit it.Similarly, you can add new directories by creating them
and then cvs adding them. Note that you
don't need to commit directories.Remove obsolete files with the remove command.Remove the file, then cvs rm it, then
cvs commit it.Commit with the commit or
checkin command.Useful options:Force a commit of an unmodified file.Specify a commit message on the command line rather
than invoking an editor.Use the option if you realize that
you left out important information from the commit message.Good commit messages are important. They tell others
why you did the changes you did, not just right here and now,
but months or years from now when someone wonders why some
seemingly illogical or inefficient piece of code snuck into
your source file. It's also an invaluable aid to deciding
which changes to MFC and which not to MFC.Don't waste space in the commit messages explaining
what you did. That's what
cvs diff is for. Instead, tell us
why you did it.Avoid committing several unrelated changes in one go. It
makes merging difficult, and also makes it harder to determine
which change is the culprit if a bug crops up.Avoid committing style or whitespace fixes and
functionality fixes in one go. It makes merging difficult,
and also makes it harder to understand just what functional
changes were made.Avoid committing changes to multiple files in one go
with a generic, vague message. Instead, commit each file (or
small groups of files) with tailored commit messages.Before committing, always:verify which branch you're committing to, using
cvs status.review your diffs, using
cvs diffAlso, ALWAYS specify which files to commit explicitly on
the command line, so you don't accidentally commit other files
than the ones you intended - cvs commit
with no arguments will commit every modification in your
current working directory and every subdirectory.Additional tips and tricks:You can place commonly used options in your
~/.cvsrc, like this:cvs -z3
diff -Nu
update -Pd
checkout -PThis example says:always use compression level 3 when talking to a
remote server. This is a life-saver when working over a
slow connection.always use the (show added or
removed files) and (unified diff
format) options to &man.diff.1;.always use the (prune empty
directories) and (check out new
directories) options when updating.always use the (prune empty
directories) option when checking out.Use Eivind Eklund's cdiff script to
view unidiffs. It's a wrapper for &man.less.1; that adds ANSI
color codes to make hunk headers, outtakes and additions stand
out; context and garbage are unmodified. It also expands tabs
properly (tabs often look wrong in diffs because of the extra
character in front of each line).http://people.freebsd.org/~eivind/cdiffSimply use instead of &man.more.1; or &man.less.1;:&prompt.user; cvs diff -Nu shazam | cdiffAlternatively some editors like &man.vim.1;
(ports/editors/vim5) have color support and when used as
a pager with color syntax highlighting switched on will
highlight many types of file, including diffs, patches,
and cvs/rcs logs. &prompt.user; echo "syn on" >> ~/.vimrc
&prompt.user; cvs diff -Nu shazam | vim -
&prompt.user; cvs log shazam | vim -CVS is old, arcane, crufty and buggy, and sometimes
exhibits non-deterministic behavior which some claim as proof
that it's actually merely the newtonian manifestation of a
sentient transdimensional entity. It's not humanly possible
to know its every quirk inside out, so don't be afraid to ask
the resident AI (cvs@FreeBSD.org) for help when
you screw up.Conventions and TraditionsAs a new committer there are a number of things you should do
first.Add yourself to the Developers section of the
Handbook and remove yourself from the Additional
Contributors section.This is a relatively easy task, but remains a good first test of
your CVS skills.Add an entry for yourself to
www/en/news/newsflash.sgml. Look for the other
entries that look like A new committer and follow the
format.Some people also add an entry for themselves to
ports/astro/xearth/files/freebsd.committers.markers.Introduce yourself to the other committers, otherwise no one
will have any idea who you are or what you are working on. You do
not have to write a comprehensive biography, just write a paragraph
or two about who you are and what you plan to be working on as a
committer in FreeBSD. Email this to
cvs-committers@FreeBSD.org and you will be on your
way!Log into hub.FreeBSD.org and create a
/var/forward/user
(where user is your username) file
containing the e-mail address where you want mail addressed to
yourusername@FreeBSD.org to be forwarded.
This includes all of the commit messages as well as any other mail
addressed to cvs-committers@FreeBSD.org. Really
large mailboxes which have taken up permanent residence on
hub often get accidently truncated
without warning, so forward it or read it and you will not lose
it.All new committers also have a mentor assigned to them for
the first few months. Your mentor is more or less responsible for
explaining anything which is confusing to you and is also
responsible for your actions during this initial period. If you
make a bogus commit, it is only going to embarrass your mentor
and you should probably make it a policy to pass at least your
first few commits by your mentor before committing it to the
repository.All commits should go to -CURRENT first
before being merged to -STABLE. No major new
features or high-risk modifications should be made to the
-STABLE branch.Developer RelationsIf you are working directly on your own code or on code
which is already well established as your responsibility, then
there is probably little need to check with other committers
before jumping in with a commit. If you see a bug in an area of
the system which is clearly orphaned (and there are a few such
areas, to our shame), the same applies. If, however, you are
about to modify something which is clearly being actively
maintained by someone else (and it is only by watching the
cvs-committers mailing list that you can
really get a feel for just what is and is not) then consider
sending the change to them instead, just as you would have
before becoming a committer. For ports, you should contact the
listed MAINTAINER in the
Makefile. For other parts of the
repository, if you are unsure who the active maintainer might
be, it may help to scan the output of cvs log
to see who has committed changes in the past. &a.fenner; has
written a nice shell script that can help determine who the
active maintainer might be. It lists each person who has
committed to a given file along with the number of commits each
person has made. It can be found on freefall
at ~fenner/bin/whodid. If your queries go
unanswered or the committer otherwise indicates a lack of
proprietary interest in the area affected, go ahead and commit
it.If you are unsure about a commit for any reason at
all, have it reviewed by -hackers
before committing. Better to have it flamed then and there
rather than when it is part of the CVS repository. If you do
happen to commit something which results in controversy
erupting, you may also wish to consider backing the change out
again until the matter is settled. Remember – with CVS we
can always change it back.GNATSThe FreeBSD Project utilizes
GNATS for tracking bugs and change
requests. Be sure that if you commit a fix or suggestion found
in a GNATS PR, you use
edit-pr pr-number
on freefall to close it. It is also considered
nice if you take time to close any PRs associated with your
commits, if appropriate. Your can also make use of
&man.send-pr.1; yourself for proposing any change which you feel
should probably be made, pending a more extensive peer-review
first.You can find out more about GNATS
at:http://www.cs.utah.edu/csinfo/texinfo/gnats/gnats.htmlhttp://www.FreeBSD.org/support.htmlhttp://www.FreeBSD.org/send-pr.html&man.send-pr.1;You can run a local copy of GNATS, and then integrate the FreeBSD
GNATS tree in to it using CVSup. Then you can run GNATS commands
locally, or use other interfaces, such as tkgnats.
This lets you query the PR database without needing to be connected to
the Internet.Using a local GNATS treeIf you are not already downloading the GNATS tree, add this line
to your supfile, and re-sup. Note that since
GNATS is not under CVS control it has no tag, so if you are adding
it to your existing supfile it should appear
before any tag= entry as these remain active once set.
gnats release=current prefix=/usrThis will place the FreeBSD GNATS tree in
/usr/gnats. You can use a
refuse file to control which categories to
receive. For example, to only receive docs PRs,
put this line in
/usr/local/etc/cvsup/sup/refuseThe precise path depends on the *default
base setting in your
supfile..gnats/[a-ce-z]*The rest of these examples assume you have only supped the
docs category. Adjust them as necessary,
depending on the categories you are synching.Install the GNATS port from
ports/databases/gnats. This will place the
various GNATS directories under
$PREFIX/share/gnats.Symlink the GNATS directories you are supping under the version
of GNATS you have installed.&prompt.root; cd /usr/local/share/gnats/gnats-db
&prompt.root; ln -s /usr/gnats/docsRepeat as necessary, depending on how many GNATS categories you
are synching.Update the GNATS categories file with these
cageories. The file is
$PREFIX/share/gnats/gnats-db/gnats-adm/categories.# This category is mandatory
pending:Category for faulty PRs:gnats-admin:
#
# FreeBSD categories
#
docs:Documentation Bug:nik:Run $PREFIX/libexec/gnats/gen-index to
recreate the GNATS index. The output has to be redirected to
$PREFIX/share/gnats/gnats-db/gnats-adm/index.
You can do this periodically from &man.cron.8;, or run &man.cvsup.1;
from a shell script that does this as well.&prompt.root; /usr/local/libexec/gnats/gen-index \
> /usr/local/share/gnats/gnats-db/gnats-adm/indexTest the configuration by querying the PR database. This
command shows open docs PRs.&prompt.root; query-pr -c docs -s openOther interfaces, like
ports/databases/tkgnats should also work
nicely.Pick a PR and close it.This procedure only works to allow you to view and query the PRs
locally. To edit or close them you will still have to log in to
freefall and do it from there.Who's WhoBesides Peter Wemm and John Polstra, the repository
meisters, there are other FreeBSD project members whom you will
probably get to know in your role as a committer. Briefly,
and by no means all-inclusively, these are:&a.asami;Satoshi is the Ports Wraith, meaning that he has
ultimate authority over any modifications to the ports
collection or the ports skeleton makefiles. He is also
the one responsible for administering ports freezes before
the releases.&a.bde;Bruce is the Obersturmbahnfuhrer of the Style Police.
When you do a commit that could have been done better,
Bruce will be there to tell you. Be thankful that someone
is.&a.dg;David is our principal architect and overseer of the
VM system. If you have a VM system change in mind,
coordinate it with David. Should you become locked in a
bitter, intractable dispute with some other committer over
a proposed change (which does not happen very often,
thankfully) then an appeal to David to put on his P.A. hat
and make a final decision might be necessary.&a.jkh;Jordan is the release engineer. He is responsible for
setting release deadlines and controlling the release
process. During code freezes, he also has final authority
on all changes to the system for whichever branch is
pending release status. If there is something you want
merged from -CURRENT to
-STABLE (whatever values those may have
at any given time), he is also the one to talk to about
it.
-
- &a.markm;
-
- Mark is the CVS repository meister for the
- international crypto repository kept on
- internat.FreeBSD.org in South Africa.
-
- Mark also oversees most of the crypto code; if you have
- any crypto updates, please ask Mark first.
-
-
-
&a.steve;Steve is the unofficial maintainer of
src/bin. If you have something
significant you'd like to do there, you should probably
coordinate it with Steve first. He is also a Problem
Report-meister, along with &a.phk;.&a.brian;Official maintainer of
/usr/bin/ppp and LPD.&a.wollman;If you need advice on obscure network internals or
aren't sure of some potential change to the networking
subsystem you have in mind, Garrett is someone to talk
to.SSH Quick-Start GuideIf you are using FreeBSD 4.0 or later,
OpenSSH is included in the base system.
If you are using an earlier release,
update and install one of the SSH ports. In general,
you will probably want to get OpenSSH from the port in
/usr/ports/security/openssh. You
may also wish to check out the original ssh1 in
/usr/ports/security/ssh, but make
certain you pay attention to its license. Note that both
of these ports cannot be installed at the same time.If you do not wish to to type your password in every
time you use &man.ssh.1;, and you use RSA keys to
authenticate, &man.ssh-agent.1; is there for your
convenience. If you want to use &man.ssh-agent.1;, make
sure that you run it before running other applications. X
users, for example, usually do this from their
.xsession or
.xinitrc file. See &man.ssh-agent.1;
for details.Generate a key pair using &man.ssh-keygen.1;. The key
pair will wind up in the
$HOME/.ssh
directory.Send your public key
($HOME/.ssh/identity.pub)
to the person setting you up as a committer so it can be put
into your authorized_keys file in your
home directory on freefall
(i.e.
$HOME/.ssh/authorized_keys).
Now you should be able to use &man.ssh-add.1; for
authentication once per session. This will prompt you for
your private key's pass phrase, and then store it in your
authentication agent (&man.ssh-agent.1;). If you no longer
wish to have your key stored in the agent, issuing
ssh-add -d will remove it.Test by doing something such as ssh
freefall.FreeBSD.org ls /usr.For more information, see
/usr/ports/security/openssh, &man.ssh.1;,
&man.ssh-add.1;, &man.ssh-agent.1;, &man.ssh-keygen.1;, and
&man.scp.1;.The FreeBSD Committers' Big List of RulesRespect other committers.Discuss any significant change
before committing.Respect existing maintainers if listed in the
(MAINTAINER field in
Makefile or in the
MAINTAINER file in the top-level
directory).Never touch the repository directly. Ask a
Repomeister.Any disputed change must be backed out pending
resolution of the dispute if requested by a maintainer or
the Principal Architect. Security related changes may
override a maintainer's wishes at the Security Officer's
discretion.Changes go to -CURRENT before
-STABLE unless specifically permitted by
the release engineer or unless they're not applicable to
-CURRENT. Any non-trivial or non-urgent
change which is applicable should also be allowed to sit in
-CURRENT for at least 3 days before
merging so that it can be given sufficient testing. The
release engineer has the same authority over the
-STABLE branch as outlined for the
Principal Architect in rule #5.Don't fight in public with other committers; it looks
bad. If you must strongly disagree about
something, do so only in private.Respect all code freezes and read the
committers mailing list on a timely basis
so you know when a code freeze is in effect.When in doubt on any procedure, ask first!Test your changes before committing them.As noted, breaking some of these rules can be grounds for
suspension or, upon repeated offense, permanent removal of
commit privileges. Three or more members of core, or the
Principal Architect and another member of core acting in unison,
have the power to temporarily suspend commit privileges until
-core as a whole has the chance to review the
issue. In case of an emergency (a committer
doing damage to the repository), a temporary suspension may also
be done by the repository meisters or any other member of core
who may happen to be awake at the time. Only core as a whole
has the authority to suspend commit privileges for any
significant length of time or to remove them permanently, the
latter generally only being done after consultation with
committers. This rule does not exist to set core up as a bunch
of cruel dictators who can dispose of committers as casually as
empty soda cans, but to give the project a kind of safety fuse.
If someone is seriously out of control, it's important to be
able to deal with this immediately rather than be paralyzed by
debate. In all cases, a committer whose privileges are
suspended or revoked is entitled to a hearing,
the total duration of the suspension being determined at that
time. A committer whose privileges are suspended may also
request a review of the decision after 30 days and every 30 days
thereafter (unless the total suspension period is less than 30
days). A committer whose privileges have been revoked entirely
may request a review after a period of 6 months have elapsed.
This review policy is strictly informal
and, in all cases, core reserves the right to either act on or
disregard requests for review if they feel their original
decision to be the right one.In all other aspects of project operation, core is a subset
of committers and is bound by the same
rules. Just because someone is in core doesn't mean
that they have special dispensation to step outside of any of
the lines painted here; core's special powers
only kick in when it acts as a group, not on an individual
basis. As individuals, we are all committers first and core
second.DetailsRespect other committers.This means that you need to treat other committers as
the peer-group developers that they are. Despite our
occasional attempts to prove the contrary, one doesn't get
into committers by being stupid and nothing rankles more
than being treated that way by one of your peers. Whether
we always feel respect for one another or not (and
everyone has off days), we still have to
treat other committers with respect
at all times or the whole team structure rapidly breaks
down.Being able to work together long term is this project's
greatest asset, one far more important than any set of
changes to the code, and turning arguments about code into
issues that affect our long-term ability to work
harmoniously together is just not worth the trade-off by
any conceivable stretch of the imagination.To comply with this rule, don't send email when you're
angry or otherwise behave in a manner which is likely to
strike others as needlessly confrontational. First calm
down, then think about how to communicate in the most
effective fashion for convincing the other person(s) that
your side of the argument is correct, don't just blow off
some steam so you can feel better in the short term at the
cost of a long-term flame war. Not only is this very bad
energy economics, but repeated displays of
public aggression which impair our ability to work well
together will be dealt with severely by the project
leadership and may result in suspension or termination of
your commit privileges. That's never an option which the
project's leadership enjoys in the slightest, but unity
comes first. No amount of code or good advice is worth
trading that away.Discuss any significant change
before committing.The CVS repository is not where changes should be
initially submitted for correctness or argued over, that
should happen first in the mailing lists and then
committed only once something resembling consensus has
been reached. This doesn't mean that you have to ask
permission before correcting every obvious syntax error or
man page misspelling, simply that you should try to
develop a feel for when a proposed change isn't quite such
a no-brainer and requires some feedback first. People
really don't mind sweeping changes if the result is
something clearly better than what they had before, they
just don't like being surprised by
those changes. The very best way of making sure that
you're on the right track is to have your code reviewed by
one or more other committers.When in doubt, ask for review!Respect existing maintainers if listed.Many parts of FreeBSD aren't owned in
the sense that any specific individual will jump up and
yell if you commit a change to their area,
but it still pays to check first. One convention we use
is to put a maintainer line in the
Makefile for any package or subtree
which is being actively maintained by one or more people;
see http://www.FreeBSD.org/handbook/policies.html
for documentation on this. Where sections of code have
several maintainers, commits to affected areas by one
maintainer need to be reviewed by at least one other
maintainer. In cases where the
maintainer-ship of something isn't clear,
you can also look at the CVS logs for the file(s) in
question and see if someone has been working recently or
predominantly in that area.Other areas of FreeBSD fall under the control of
someone who manages an overall category of FreeBSD
evolution, such as internationalization or networking.
See http://www.FreeBSD.org/handbook/staff-who.html
for more information on this.Never touch the repository directly. Ask a
Repomeister.This is pretty clear - you're not allowed to make
direct modifications to the CVS repository, period. In
case of difficulty, ask one of the repository meisters by
sending mail to cvs@FreeBSD.org and simply
wait for them to fix the problem and get back to you. Do
not attempt to fix the problem yourself!If you're thinking about putting down a tag or doing a
new import of code on a vendor branch, you might also find
it useful to ask for advice first. A lot of people get
this wrong the first few times and the consequences are
expensive in terms of files touched and angry CVSup/CTM
folks who are suddenly getting a lot of changes sent over
unnecessarily.Any disputed change must be backed out pending
resolution of the dispute if requested by a maintainer or
the Principal Architect. Security related changes may
override a maintainer's wishes at the Security Officer's
discretion.This may be hard to swallow in times of conflict (when
each side is convinced that they're in the right, of
course) but CVS makes it unnecessary to have an ongoing
dispute raging when it's far easier to simply reverse the
disputed change, get everyone calmed down again and then
try and figure out how best to proceed. If the change
turns out to be the best thing after all, it can be easily
brought back. If it turns out not to be, then the users
didn't have to live with the bogus change in the tree
while everyone was busily debating its merits. People
very very rarely call for back-outs in the repository
since discussion generally exposes bad or controversial
changes before the commit even happens, but on such rare
occasions the back-out should be done without argument so
that we can get immediately on to the topic of figuring
out whether it was bogus or not.Changes go to -CURRENT before
-STABLE unless specifically permitted
by the release engineer or unless they're not applicable
to -CURRENT. Any non-trivial or
non-urgent change which is applicable should also be
allowed to sit in -CURRENT for at least
3 days before merging so that it can be given sufficient
testing. The release engineer has the same authority over
the -STABLE branch as outlined in rule
#5.This is another don't argue about it
issue since it's the release engineer who is ultimately
responsible (and gets beaten up) if a change turns out to
be bad. Please respect this and give the release engineer
your full cooperation when it comes to the
-STABLE branch. The management of
-STABLE may frequently seem to be
overly conservative to the casual observer, but also bear
in mind the fact that conservatism is supposed to be the
hallmark of -STABLE and different rules
apply there than in -CURRENT. There's
also really no point in having -CURRENT
be a testing ground if changes are merged over to
-STABLE immediately. Changes need a
chance to be tested by the -CURRENT
developers, so allow some time to elapse before merging
unless the -STABLE fix is critical,
time sensitive or so obvious as to make further testing
unnecessary (spelling fixes to manpages, obvious bug/typo
fixes, etc.) In other words, apply common sense.Don't fight in public with other committers; it looks
bad. If you must strongly disagree about
something, do so only in private.This project has a public image to uphold and that
image is very important to all of us, especially if we are
to continue to attract new members. There will be
occasions when, despite everyone's very best attempts at
self-control, tempers are lost and angry words are
exchanged, and the best we can do is try and minimize the
effects of this until everyone has cooled back down. That
means that you should not air your angry words in public
and you should not forward private correspondence to
public mailing lists or aliases. What people say
one-to-one is often much less sugar-coated than what they
would say in public, and such communications therefore
have no place there - they only serve to inflame an
already bad situation. If the person sending you a
flame-o-gram at least had the grace to send it privately,
then have the grace to keep it private yourself. If you
feel you are being unfairly treated by another developer,
and it is causing you anguish, bring the matter up with
core rather than taking it public. We will do our best to
play peace makers and get things back to sanity. In cases
where the dispute involves a change to the codebase and
the participants do not appear to be reaching an amicable
agreement, core may appoint a mutually-agreeable 3rd party
to resolve the dispute. All parties involved must then
agree to be bound by the decision reached by this 3rd
party.Respect all code freezes and read the
committers mailing list on a timely
basis so you know when they are.Committing changes during a code freeze is a really
big mistake and committers are expected to keep up-to-date
on what's going on before jumping in after a long absence
and committing 10 megabytes worth of accumulated stuff.
People who abuse this on a regular basis will have their
commit privileges suspended until they get back from the
FreeBSD Happy Reeducation Camp we run in Greenland.When in doubt on any procedure, ask first!Many mistakes are made because someone is in a hurry
and just assumes they know the right way of doing
something. If you have not done it before, chances are
good that you do not actually know the way we do things
and really need to ask first or you are going to
completely embarrass yourself in public. There's no shame
in asking how in the heck do I do this? We
already know you are an intelligent person; otherwise, you
would not be a committer.Test your changes before committing them.This may sound obvious, but if it really were so
obvious then we probably wouldn't see so many cases of
people clearly not doing this. If your changes are to the
kernel, make sure you can still compile both GENERIC and
LINT. If your changes are anywhere else, make sure you
can still make world. If your changes are to a branch,
make sure your testing occurs with a machine which is
running that code. If you have a change which also may
break another architecture, be sure and test on all
supported architectures. Currently, this is only the x86
and the alpha so it's pretty easy to do. If you need to
test on the AXP, your account on beast.FreeBSD.org will let you
compile and test alpha binaries/kernels/etc. As other
architectures are added to the FreeBSD supported platforms
list, the appropriate shared testing resources will be
made available.Other SuggestionsWhen committing documentation changes, use a spell checker
before committing. :) For all SGML docs, you should also
verify that your formatting directives are correct by running
make lint.For all on-line manual pages, run manck
(from ports) over the man page to verify the all of the cross
references and file references are correct and that the man
page has all of the appropriate MLINKs
installed.Do not mix style fixes with new functionality. A style
fix is any change which does not modify the functionality of
the code. Mixing the changes obfuscates the functionality
change when using cvs diff, which can hide
any new bugs. Do not include whitespace changes with content
changes in commits to doc/ or
www/. The extra clutter in the diffs
makes the translators' job much more difficult. Instead, make
any style or whitespace changes in seperate commits that are
clearly labeled as such in the commit message.Ports Specific FAQImporting a New PortHow do I import a new port?First, please read the section about repository
copy.The easiest way to import a new port is to use the
addport script on
freefall. It will import a port from the
directory you specify, determining the category automatically
from the port Makefile.
It will also add an entry to the
CVSROOT/modules file and the port's
category Makefile. It was
written by &a.mharo; and &a.will;, but Will is the current
maintainer so please send questions/patches about
addport to him.Any other things I need to know when I import a new
port?Check the port, preferably to make sure it compiles
and packages correctly. This is the recommended
sequence:&prompt.root; make install
&prompt.root; make package
&prompt.root; make deinstall
&prompt.root; pkg_add package you built above
&prompt.root; make deinstall
&prompt.root; make reinstall
&prompt.root; make packageThe
Porters
Handbook contains more detailed
instructions.Use &man.portlint.1; to check the syntax of the port.
You don't necessarily have to eliminate all warnings but
make sure you have fixed the simple ones.If the port came from a submitter who has not
contributed to the project before, add that person's
name to the Handbook's Additional Contributors
section.Close the PR if the port came in as a PR. To close
a PR, just do
edit-pr PR#
on freefall and change the
state from open
to closed. You will be asked to
enter a log message and then you are done.Repository CopiesWhen do we need a repository copy?When you want to import a port that is related to
any port that is already in the tree in a separate
directory, please send mail to the ports manager asking
about it. Here related means
it is a different version or a slightly modified
version. Examples are
print/ghostscript* (different
versions) and x11-wm/windowmaker*
(English-only and internationalized version).Another example is when a port is moved from one
subdirectory to another, or when you want to change the
name of a directory because the author(s) renamed their
software even though it is a
descendant of a port already in a tree.When do we not need a
repository copy?When there is no history to preserve. If a port is
imported into a wrong category and is moved immediately,
it suffices to simply cvs remove the
old one and cvs import the new
one.What do I need to do?Send mail to the ports manager, who will do a copy
from the old location/name to the new location/name.
You will then get a notice, at which point you are
expected to perform the following:cvs remove the old port (if
necessary)Adjust the parent (category)
MakefileUpdate CVSROOT/modulesIf other ports depend on the updated port,
change their Makefiles'
dependency linesIf the port changed categories, modify the
CATEGORIES line of the port's
Makefile accordinglyPorts FreezeWhat is a ports freeze?Before a release, it is necessary to restrict
commits to the ports tree for a short period of time
while the packages and the release itself are being
built. This is to ensure consistency among the various
parts of the release, and is called the ports
freeze.How long is a ports freeze?Usually two to three days.What does it mean to me?During the ports freeze, you are not allowed to
commit anything to the tree without explicit approval
from the ports manager. Explicit
approval here means either of the
following:You asked the ports manager and got a reply
saying, Go ahead and commit
it.The ports manager sent a mail to you or the
mailing lists during the ports freeze pointing out
that the port is broken and has to be fixed.Note that you do not have implicit permission to fix
a port during the freeze just because it is
broken.How do I know when the ports freeze starts?The ports manager will send out warning messages to
the freebsd-ports@FreeBSD.org and
cvs-committers@FreeBSD.org mailing lists
announcing the start of the impending release, usually
two or three weeks in advance. The exact starting time
will not be determined until a few days before the
actual release. This is because the ports freeze has to
be synchronized with the release, and it is usually not
known until then when exactly the release will be
rolled.When the freeze starts, there will be another
announcement to the
cvs-committers@FreeBSD.org list, of
course.How do I know when the ports freeze ends?A few hours after the release, the ports manager
will send out a mail to the
freebsd-ports@FreeBSD.org and
cvs-committers@FreeBSD.org mailing lists
announcing the end of the ports freeze. Note that the
release being cut does not automatically end the freeze.
We have to make sure there will not be any last minute
snafus that result in an immediate re-rolling of the
release.Miscellaneous QuestionsHow do I know if my port is building correctly or
not?First, go check
http://bento.FreeBSD.org/~asami/errorlogs/.
There you will find error logs from the latest package
building runs on 3-stable and 4-current.However, just because the port doesn't show up there
doesn't mean it's building correctly. (One of the
dependencies may have failed, for instance.) Here are
the relevant directories on bento, so feel free to dig
around. /a/asami/portbuild/3/errors error logs from latest 3-stable run
/logs all logs from latest 3-stable run
/packages packages from latest 3-stable run
/bak/errors error logs from last complete 3-stable run
/bak/logs all logs from last complete 3-stable run
/bak/packages packages from last complete 3-stable run
/4/errors error logs from latest 4-current run
/logs all logs from latest 4-current run
/packages packages from latest 4-current run
/bak/errors error logs from last complete 4-current run
/bak/logs all logs from last complete 4-current run
/bak/packages packages from last complete 4-current run
Basically, if the port shows up in
packages, or it is in
logs but not in
errors, it built fine. (The
errors directories are what you get
from the web page.)I added a new port. Do I need to add it to the
INDEX?No. The ports manager will regenerate the
INDEX and commit it every few
days.Are there any other files I'm not allowed to
touch?Any file directly under ports/, or
any file under a subdirectory that starts with an
uppercase letter (Mk/,
Tools/, etc.). In particular, the
ports manager is very protective of
ports/Mk/bsd.port*.mk so don't
commit changes to those files unless you want to face his
wra(i)th.Miscellaneous QuestionsWhy are trivial or cosmetic changes to files on a vendor
branch a bad idea?The RCS file format is quite braindead and certain
operations to achieve things for CVS are hideously
expensive for the repository. Making changes to files on
a vendor branch, thereby pulling the file off that branch,
is one example of this.Suppose you have a file which was first imported on a
vendor branch, and was then re-imported three times (still
on the vendor branch) as the vendor makes updates to the
file.1.1.1.1vendor import1.1.1.2vendor import, +1000, -500 lines1.1.1.3vendor import, +2000, -500 lines1.1.1.4vendor import, +1000, -1000 linesNow suppose that one of the FreeBSD committers makes a
one line change to this file, causing it to go to version
1.2. This causes it to leave the branch, resulting in
4,001 lines being added to the file's history, and 2,001
lines being deleted.This is because the 1.2 delta is stored relative to
1.1.1.1, not 1.1.1.4, and so the
entire vendor history is duplicated in the 1.2 delta.
Now, repeat this for 2000 files in a large directory, it
adds up a lot.This is why we have such
hands off policies for
src/contrib and other things that
track the vendor releases. This is why typo
fixes in man pages and spelling
corrections are so strongly discouraged for
vendor code.How do I add a new file to a CVS branch?To add a file onto a branch, simply checkout or update
to the branch you want to add to and then add the file using
cvs add as you normally would. For
example, if you wanted to MFC the file
src/sys/alpha/include/smp.h from HEAD
to RELENG_4 and it does not exist in RELENG_4 yet, you would
use the following steps:MFC'ing a New File&prompt.user; cd sys/alpha/include
&prompt.user; cvs update -rRELENG_4
cvs update: Updating .
U clockvar.h
U console.h
...
&prompt.user; cvs update -kk -Ap smp.h > smp.h
===================================================================
Checking out smp.h
RCS: /usr/cvs/src/sys/alpha/include/smp.h,v
VERS: 1.1
***************
&prompt.user; cvs add smp.h
cvs add: scheduling file `smp.h' for addition on branch `RELENG_4'
cvs add: use 'cvs commit' to add this file permanently
&prompt.user; cvs commit
diff --git a/en_US.ISO_8859-1/books/faq/book.sgml b/en_US.ISO_8859-1/books/faq/book.sgml
index ae5bc50a1e..960ecfc0c5 100644
--- a/en_US.ISO_8859-1/books/faq/book.sgml
+++ b/en_US.ISO_8859-1/books/faq/book.sgml
@@ -1,9546 +1,9495 @@
%man;
%authors;
]>
Frequently Asked Questions for FreeBSD 2.X, 3.X and 4.XThe FreeBSD Documentation Project
- $FreeBSD: doc/en_US.ISO_8859-1/books/faq/book.sgml,v 1.94 2000/09/22 18:40:00 marko Exp $
+ $FreeBSD: doc/en_US.ISO_8859-1/books/faq/book.sgml,v 1.95 2000/09/22 23:41:25 ben Exp $This is the FAQ for FreeBSD versions 2.X, 3.X, and 4.X. All entries
are assumed to be relevant to FreeBSD 2.0.5 and later, unless
otherwise noted. Any entries with a <XXX> are under
construction. If you are interested in helping with this project,
send email to the FreeBSD documentation project mailing list
freebsd-doc@FreeBSD.org.
The latest version of this document is always available from the
FreeBSD World Wide Web
server. It may also be downloaded as one large HTML file with HTTP or as plain text,
postscript, or PDF from the FreeBSD FTP
server. You may also want to Search the
FAQ.PrefaceWelcome to the FreeBSD 2.X-4.X FAQ!As is usual with Usenet FAQs, this document aims to cover the
most frequently asked questions concerning the FreeBSD operating
system (and of course answer them!). Although originally intended
to reduce bandwidth and avoid the same old questions being asked
over and over again, FAQs have become recognized as valuable
information resources.Every effort has been made to make this FAQ as informative as
possible; if you have any suggestions as to how it may be improved,
please feel free to mail them to the &a.faq;.What is FreeBSD?Briefly, FreeBSD is a UN*X-like operating system for the
i386 and Alpha/AXP platforms based on U.C. Berkeley's
4.4BSD-lite release.
It is also based indirectly on William Jolitz's port of U.C.
Berkeley's Net/2 to the i386, known as 386BSD, though very
little of the 386BSD code remains. A fuller description of
what FreeBSD is and how it can work for you may be found on
the FreeBSD home
page.FreeBSD is used by companies, Internet Service Providers,
researchers, computer professionals, students and home users
all over the world in their work, education and recreation.
See some of them in the FreeBSD
Gallery.For more detailed information on FreeBSD, please see the
FreeBSD
Handbook.What are the goals of FreeBSD?The goals of the FreeBSD Project are to provide software
that may be used for any purpose and without strings attached.
Many of us have a significant investment in the code (and
project) and would certainly not mind a little financial
compensation now and then, but we're definitely not prepared
to insist on it. We believe that our first and foremost
mission is to provide code to any and all comers, and for
whatever purpose, so that the code gets the widest possible
use and provides the widest possible benefit. This is, we
believe, one of the most fundamental goals of Free Software
and one that we enthusiastically support.That code in our source tree which falls under the GNU
General Public License (GPL) or GNU Library General Public
License (LGPL) comes with slightly more strings attached,
though at least on the side of enforced access rather than the
usual opposite. Due to the additional complexities that can
evolve in the commercial use of GPL software, we do, however,
endeavor to replace such software with submissions under the
more relaxed BSD copyright whenever possible.Why is it called FreeBSD?It may be used free of charge, even by commercial
users.Full source for the operating system is freely
available, and the minimum possible restrictions have
been placed upon its use, distribution and incorporation
into other work (commercial or non-commercial).Anyone who has an improvement and/or bug fix is free
to submit their code and have it added to the source tree
(subject to one or two obvious provisos).For those of our readers whose first language is not
English, it may be worth pointing out that the word free
is being used in two ways here, one meaning at no cost,
the other meaning you can do whatever you like. Apart
from one or two things you
cannot do with the FreeBSD code,
for example pretending you wrote it, you really can do
whatever you like with it.What is the latest version of FreeBSD?Version 4.1
is the latest stable version; it was
released in July, 2000. This is also the latest
release version.Briefly explained, -STABLE is aimed
at the ISP or other corporate user who wants stability and a
low change count over the wizzy new features of the latest
-CURRENT snapshot. Releases can come
from either branch, but you should only use
-CURRENT if you're sure that you're
prepared for its increased volatility (relative to
-STABLE, that is).Releases are only made every
few months. While many people stay more up-to-date with
the FreeBSD sources (see the questions on FreeBSD-CURRENT and FreeBSD-STABLE) than that, doing so
is more of a commitment, as the sources are a moving
target.What is FreeBSD-CURRENT?FreeBSD-CURRENT
is the development version of the operating system, which will
in due course become 5.0-RELEASE. As such, it is really only
of interest to developers working on the system and die-hard
hobbyists. See the relevant
section in the handbook for details on
running -CURRENT.If you are not familiar with the operating system or are
not capable of identifying the difference between a real
problem and a temporary problem, you should not use
FreeBSD-CURRENT. This branch sometimes evolves quite quickly
and can be un-buildable for a number of days at a time.
People that use FreeBSD-CURRENT are expected to be able to
analyze any problems and only report them if they are deemed
to be mistakes rather than glitches. Questions such as
make world produces some error about groups on the
-CURRENT mailing list are sometimes treated with
contempt.Every day, snapshot
releases are made based on the current state of the
-CURRENT and -STABLE branches. Nowadays,
distributions of the occasional snapshot are now being made
available. The goals behind each snapshot release are:To test the latest version of the installation
software.To give people who would like to run -CURRENT or
-STABLE but who
don't have the time and/or bandwidth to follow it on a
day-to-day basis an easy way of bootstrapping it onto
their systems.To preserve a fixed reference point for the code in
question, just in case we break something really badly
later. (Although CVS normally prevents anything horrible
like this happening :)To ensure that any new features in need of testing
have the greatest possible number of potential
testers.No claims are made that any -CURRENT snapshot can be considered
production quality for any purpose.
If you want to run a stable and
fully tested system, you will have to stick to full
releases, or use the -STABLE snaphosts.Snapshot releases are directly available from
ftp://current.FreeBSD.org/pub/FreeBSD/
for 5.0-CURRENT and
releng4.FreeBSD.org for 4-STABLE snapshots.
3-STABLE snapshots are not being produced at the time of
this writing (May 2000).Snapshots are generated, on the average, once a day for
all actively developed branches.What is the FreeBSD-STABLE concept?Back when FreeBSD 2.0.5 was released, we decided to
branch FreeBSD development into two parts. One branch was
named -STABLE,
with the intention that only well-tested bug fixes and small
incremental enhancements would be made to it (for Internet
Service Providers and other commercial enterprises for whom
sudden shifts or experimental features are quite
undesirable). The other branch was -CURRENT,
which essentially has been one unbroken line leading towards
5.0-RELEASE (and beyond) since 2.0 was released. If a little
ASCII art would help, this is how it looks: 2.0
|
|
| [2.1-STABLE]
*BRANCH* 2.0.5 -> 2.1 -> 2.1.5 -> 2.1.6 -> 2.1.7.1 [2.1-STABLE ends]
| (Mar 1997)
|
|
| [2.2-STABLE]
*BRANCH* 2.2.1 -> 2.2.2-RELEASE -> 2.2.5 -> 2.2.6 -> 2.2.7 -> 2.2.8 [end]
| (Mar 1997) (Oct 97) (Apr 98) (Jul 98) (Dec 98)
|
|
3.0-SNAPs (started Q1 1997)
|
|
3.0-RELEASE (Oct 1998)
|
| [3.0-STABLE]
*BRANCH* 3.1-RELEASE (Feb 1999) -> 3.2 -> 3.3 -> 3.4 -> 3.5 -> 3.5.1
| (May 1999) (Sep 1999) (Dec 1999) (June 2000) (July 2000)
|
| [4.0-STABLE]
*BRANCH* 4.0 (Mar 2000) -> 4.1 -> ... future 4.x releases ...
|
| (Jul 2000)
\|/
+
[5.0-CURRENT continues]The -CURRENT branch is slowly progressing towards 5.0 and
beyond, the previous 2.2-STABLE branch having been retired
with the release of 2.2.8. 3-STABLE replaced it,
with 3.5.1 (the final 3.X release) being released in July 2000.
In May 2000 (even though 3.5 came after that), the 3-STABLE branch was more or less replaced
by the 4-STABLE branch.
4.1-RELEASE was released in July 2000. 4-STABLE
is the actively developed -STABLE branch, although some
bugfixes (mostly security-related) are
still being committed to 3-STABLE. It is expected that the
3.X branch will be officially obsoleted some time in
summer 2000.
5.0-CURRENT is now the current
branch, with the no release date planed.When are FreeBSD releases made?As a general principle, the FreeBSD core team only release
a new version of FreeBSD when they believe that there are
sufficient new features and/or bug fixes to justify one, and
are satisfied that the changes made have settled down
sufficiently to avoid compromising the stability of the
release. Many users regard this caution as one of the best
things about FreeBSD, although it can be a little frustrating
when waiting for all the latest goodies to become
available...Releases are made about every 4 months on average.For people needing (or wanting) a little more excitement,
binary snapshots are made every day... see above.Is FreeBSD only available for PCs ?Since 3.x, FreeBSD has run on the DEC Alpha
as well as the x86 architecture. Some interest has also been
expressed in a SPARC port, but details on this project are not yet
clear.If your machine has a different architecture and you need
something right now, we suggest you look at NetBSD or OpenBSD. Who is responsible for FreeBSD?The key decisions concerning the FreeBSD project, such as
the overall direction of the project and who is allowed to add
code to the source tree, are made by a core team of
some 15 people. There is a much larger team of about 200 committers who
are authorized to make changes directly to the FreeBSD source
tree.However, most non-trivial changes are discussed in advance
in the mailing lists, and there
are no restrictions on who may take part in the
discussion.Where can I get FreeBSD?Every significant release of FreeBSD is available via
anonymous ftp from the FreeBSD FTP site:For the current 3.X-STABLE release, 3.4-RELEASE, see
the 3.4-RELEASE directory.The current 4-STABLE release, 4.1-RELEASE can be
found in the 4.1-RELEASE directory.4.X
snapshots are usually made once a day.5.0 Snapshot
releases are made once a day for the -CURRENT branch, these being of
service purely to bleeding-edge testers and
developers.FreeBSD is also available via CDROM, from the following
place(s):
Walnut Creek CDROM
4041 Pike Lane, Suite FConcord, CA94520USAOrders: +1 800 786-9907Questions: +1 925 674-0783FAX: +1 925 674-0821email: WC Orders addressWWW: WC Home pageIn Australia, you may find it at:
Advanced Multimedia Distributors
Factory 1/1 Ovata DriveTullamarine, MelbourneVictoriaAustraliaVoice: +61 3 9338 6777CDROM Support BBS17 Irvine StPeppermint Grove, WA6011Voice: +61 9 385-3793Fax: +61 9 385-2360And in the UK:
The Public Domain & Shareware Library
Winscombe House, Beacon RdCrowboroughSussex. TN6 1ULVoice: +44 1892 663-298Fax: +44 1892 667-473Where do I find info on the FreeBSD mailing lists?You can find full information in the Handbook
entry on mailing-lists.Where do I find the FreeBSD Y2K info?You can find full information in the FreeBSD Y2K
page.What FreeBSD news groups are available?You can find full information in the Handbook entry on
newsgroups.Are there FreeBSD IRC (Internet Relay Chat)
channels?Yes, most major IRC networks host a FreeBSD chat
channel:Channel #FreeBSD on
EFNet is a FreeBSD forum, but don't go there for tech
support or to try and get folks there to help you avoid
the pain of reading man pages or doing your own research.
It is a chat channel, first and foremost, and topics there
are just as likely to involve sex, sports or nuclear
weapons as they are FreeBSD. You Have Been Warned!
Available at server irc.chat.org.Channel #FreeBSDhelp on
EFNet is a channel dedicated to helping FreeBSD users. They
are much more sympathetic to questions then
#FreeBSD is.Channel #FreeBSD on
DALNET is available at irc.dal.net in the
US and irc.eu.dal.net in Europe.Channel #FreeBSD on
UNDERNET is available at us.undernet.org
in the US and eu.undernet.org in Europe.
Since it is a help channel, be prepared to read the
documents you are referred to.Channel #FreeBSD on HybNet is available
at irc.FreeBSD.org. This channel
is a help channel.Each of these channels are distinct and are not connected
to each other. Their chat styles also differ, so you may need
to try each to find one suited to your chat style. As with
*all* types of IRC traffic, if you're easily offended or can't
deal with lots of young people (and more than a few older
ones) doing the verbal equivalent of jello wrestling, don't
even bother with it.Books on FreeBSDThere is a FreeBSD Documentation Project which you may
contact (or even better, join) at the
freebsd-doc mailing list:
freebsd-doc@FreeBSD.org.
This list is for discussion of the FreeBSD documentation. For
actual questions about FreeBSD, there is the
freebsd-questions mailing list:
freebsd-questions@FreeBSD.org.A FreeBSD handbook is available, and can be found as:
the FreeBSD
Handbook. Note that this is a work in progress;
some parts may be incomplete or out-of-date.The definitive printed guide on FreeBSD is The Complete
FreeBSD, written by Greg Lehey and published by Walnut Creek
CDROM Books. Now in its second edition, the book contains
1,750 pages of install & system administration guidance,
program setup help, and manual pages. The book (and current
FreeBSD release) can be ordered from Walnut Creek, CheapBytes, or at your
favorite bookstore. The ISBN is 1-57176-227-2.Since FreeBSD is based upon Berkeley
4.4BSD-Lite2, most of the 4.4BSD manuals are applicable to
FreeBSD. O'Reilly and Associates publishes the following
manuals:4.4BSD System Manager's Manual
By Computer Systems Research Group, UC Berkeley
1st Edition June 1994, 804 pages
ISBN:
1-56592-080-5 4.4BSD User's Reference Manual
By Computer Systems Research Group, UC Berkeley
1st Edition June 1994, 905 pages
ISBN:
1-56592-075-9 4.4BSD User's Supplementary Documents
By Computer Systems Research Group, UC Berkeley
1st Edition July 1994, 712 pages
ISBN:
1-56592-076-7 4.4BSD Programmer's Reference Manual
By Computer Systems Research Group, UC Berkeley
1st Edition June 1994, 886 pages
ISBN:
1-56592-078-3 4.4BSD Programmer's Supplementary Documents
By Computer Systems Research Group, UC Berkeley
1st Edition July 1994, 596 pages
ISBN:
1-56592-079-1 A description of these can be found via WWW as:
4.4BSD
books description. Due to poor sales, however, these
manuals may be hard to get a hold of.For a more in-depth look at the 4.4BSD kernel
organization, you can't go wrong with:McKusick, Marshall Kirk, Keith Bostic, Michael J Karels,
and John Quarterman.The Design and Implementation of the 4.4BSD
Operating System. Reading, Mass. :
Addison-Wesley, 1996.
ISBN
0-201-54979-4A good book on system administration is:Evi Nemeth, Garth Snyder, Scott Seebass & Trent R.
Hein,
Unix System Administration Handbook, Prentice-Hall,
1995
ISBN:
0-13-151051-7Make sure you get the second edition, with a red
cover, instead of the first edition.This book covers the basics, as well as TCP/IP, DNS, NFS,
SLIP/PPP, sendmail, INN/NNTP, printing, etc.. It's expensive
(approx. US$45-$55), but worth it. It also includes
a CDROM with the sources for various tools; most of these,
however, are also on the FreeBSD 2.2.6R CDROM (and the FreeBSD
CDROM often has newer versions).How do I access your Problem Report database?The Problem Report database of all user change requests
may be queried (or submitted to) by using our web-based PR
submission
and
query
interfaces. The send-pr(1) command can
also be used to submit problem reports and change requests via
electronic mail.Is the documentation available in other formats, such as plain
text (ASCII), or Postscript?Yes. The documentation is available in a number of different
formats and compression schemes on the FreeBSD FTP site, in the
/pub/FreeBSD/doc/ directory.The documentation is categorised in a number of different
ways. These include:The document's name, such as faq, or
handbook.The document's language and encoding. These are based on
the locale names you will find under
/usr/share/locale on your FreeBSD
system. The current languages and encodings that we have for
documentation are as follows:NameMeaningen_US.ISO_8859-1US Englishes_ES.ISO_8859-1Spanishfr_FR.ISO_8859-1Frenchja_JP.eucJPJapanese (EUC encoding)ru_RU.KOI8-RRussianzh_TW.Big5Chinese (Big5 encoding)Some documents may not be available in all
languages.The document's format. We produce the documentation in a
number of different output formats to try and make it as
flexible as possible. The current formats are;FormatMeaninghtml-splitA collection of small, linked, HTML
files.htmlOne large HTML file containing the entire
documentpdbPalm Pilot database format, for use with the
iSilo
reader.pdfAdobe's Portable Document FormatpsPostscriptrtfMicrosoft's Rich Text FormatPage numbers are not automatically updated
when loading this format in to Word. Press
CTRL+A,
CTRL+END,
F9 after loading the document, to
update the page numbers.txtPlain textThe compression and packaging scheme. There are three of
these currently in use.Where the format is html-split, the
files are bundled up using &man.tar.1;. The resulting
.tar file is then compressed using
the compression schemes detailed in the next point.All the other formats generate one file, called
book.format
(i.e., book.pdb,
book.html, and so on).These files are then compressed using three
compression schemes.SchemeDescriptionzipThe Zip format. If you want to uncompress
this on FreeBSD you will need to install the
archivers/unzip port
first.gzThe GNU Zip format. Use &man.gunzip.1; to
uncompress these files, which is part of
FreeBSD.bz2The BZip2 format. Less widespread than the
others, but generally gives smaller files.
Install the archivers/bzip2
port to uncompress these files.So the Postscript version of the Handbook, compressed
using BZip2 will be stored in a file called
book.sgml.bz2 in the
handbook/ directory.The formatted documentation is also available as a
FreeBSD package, of which more later.After choosing the format and compression mechanism that you
want to download, you must then decide whether or not you want to
download the document as a FreeBSD
package.The advantage of downloading and installing the package is
that the documentation can then be managed using the normal
FreeBSD package management comments, such as &man.pkg.add.1; and
&man.pkg.delete.1;.If you decide to download and install the package then you
must know the filename to download. The documentation-as-packages
files are stored in a directory called
packages. Each package file looks like
document-name.lang.encoding.format.tgz.For example, the FAQ, in English, formatted as PDF, is in the
package called
faq.en_US.ISO_8859-1.pdf.tgz.Knowing this, you can use the following command to install the
English PDF FAQ package.&prompt.root; pkg_add ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/packages/faq.en_US.ISO_8859-1.pdf.tgzHaving done that, you can use &man.pkg.info.1; to determine
where the file has been installed.&prompt.root; pkg_info -f faq.en_US.ISO_8859-1.pdf
Information for faq.en_US.ISO_8859-1.pdf:
Packing list:
Package name: faq.en_US.ISO_8859-1.pdf
CWD to /usr/share/doc/en_US.ISO_8859-1/books/faq
File: book.pdf
CWD to .
File: +COMMENT (ignored)
File: +DESC (ignored)As you can see, book.pdf will have been
installed in to
/usr/share/doc/en_US.ISO_8859-1/books/faq.If you do not want to use the packages then you will have to
download the compressed files yourself, uncompress them, and then
copy the appropriate documents in to place.For example, the split HTML version of the FAQ, compressed
using &man.gzip.1;, can be found in the
en_US.ISO_8859-1/books/faq/book.html-split.tar.gz
file. To download and uncompress that file you would have to do
this.&prompt.root; fetch ftp://ftp.freebsd.org/pub/FreeBSD/doc/en_US.ISO_8859-1/books/faq/book.html-split.tar.gz
&prompt.root; gzip -d book.html-split.tar.gz
&prompt.root; tar xvf book.html-split.tarYou will be left with a collection of
.html files. The main one is called
index.html, which will contain the table of
contents, introductory material, and links to the other parts of
the document. You can then copy or move these to their final
location as necessary.I'd like to become a FreeBSD Web mirror!Certainly! There are multiple ways to mirror the Web
pages.Using CVSup:
You can retrieve the formatted files
using CVSup, and connecting to
a CVSup server.To retrieve the webpages, please look at the example
supfile, which can be found in
/usr/share/examples/cvsup/www-supfile.Using ftp mirror: You can download the FTP server's
copy of the web site sources using your favorite ftp mirror
tool. Keep in mind that you have to build these sources before
publishing them. Simply start at
ftp://ftp.FreeBSD.org/pub/FreeBSD/FreeBSD-current/www.I'd like to translate the documentation into
Friesian.Well, we can't pay, but we might arrange a free CD or
T-shirt and a Contributor's Handbook entry if you submit a
translation of the documentation. Before you begin translating
please contact the
freebsd-doc mailing list at
freebsd-doc@FreeBSD.org; you may find
somebody to help with the translation effort. You may also
find out there is already
a team translating the docs into your chosen language,
who surely wouldn't turn down your help. Other sources of information.The following newsgroups contain pertinent discussion for
FreeBSD users:comp.unix.bsd.freebsd.announce
(moderated)comp.unix.bsd.freebsd.misccomp.unix.bsd.miscWeb resources:The FreeBSD Home Page.If you have a laptop, be sure and see
Tatsumi
Hosokawa's Mobile Computing page in Japan.For information on SMP (Symmetric
MultiProcessing), please see the SMP support page.For information on FreeBSD
multimedia applications, please see the multimedia
page. If you're interested specifically in the Bt848
video capture chip, then follow that link.The FreeBSD handbook also has a fairly complete bibliography
section which is worth reading if you're looking for actual
books to buy.InstallationWhich file do I download to get FreeBSD?Prior to release 3.1, you only needed one floppy image to install
FreeBSD, namely floppies/boot.flp. However,
since release 3.1 the Project has added base support for a wide
variety of hardware which needed more space, and thus for 3.x and 4.x
we now use two floppy images, namely
floppies/kernel.flp and
floppies/mfsroot.flp. These images need to be
copied onto floppies by tools like fdimage or
&man.dd.1;.If you need to download the distributions yourself (for a DOS
filesystem install, for instance), below are some recommendations
for distributions to grab: bin/ manpages/ compat*/ doc/ src/ssys.* Full instructions on this procedure and a little bit more about
installation issues in general can be found in the Handbook entry on installing FreeBSD.Help! The boot floppy image will not fit on a single floppy!
A 3.5 inch (1.44MB) floppy can accomodate 1474560 bytes of data.
The boot image is exactly 1474560 bytes in size.Common mistakes when preparing the boot floppy are:Not downloading the floppy image in binary mode when
using FTP.Some FTP clients default their transfer mode to ascii
and attempt to change any end-of-line characters received to match
the conventions used by the client's system.
This will almost invariably corrupt the boot image. Check the
size of the downloaded boot image: if it is not exactly
that on the server, then the download process is suspect.To workaround: type binary at the FTP command prompt
after getting connected to the server and before starting the
download of the image.Using the DOS copy command (or equivalent GUI tool) to
transfer the boot image to floppy.
Programs like copy will not work as the boot
image has been created to be booted into directly. The image has
the complete content of the floppy, track for track, and is not
meant to be placed on the floppy as a regular file.
You have to transfer it to the floppy raw, using the
low-level tools (e.g. fdimage or rawrite)
described in the installation guide to FreeBSD.Where are the instructions for installing FreeBSD?Installation instructions can be found in the
Handbook entry on installing FreeBSD.What do I need in order to run FreeBSD?You'll need a 386 or better PC, with 5 MB or more of RAM and at
least 60 MB of hard disk space. It can run with a low end MDA
graphics card but to run X11R6, a VGA or better video card is needed.See also the section on I have only 4 MB of RAM. Can I install FreeBSD?FreeBSD 2.1.7 was the last version of FreeBSD that could be installed
on a 4MB system. Newer versions of FreeBSD, like 2.2, need at least 5MB
to install on a new system.All versions of FreeBSD, including 3.0, will run in 4MB of RAM, they
just can't run the installation program in 4MB. You can add
extra memory for the install process, if you like, and then
after the system is up and running, go back to 4MB. Or you could
always just swap your disk into a system which has >4MB, install onto
it and then swap it back.There are also situations in which FreeBSD 2.1.7 will not install
in 4 MB. To be exact: it does not install with 640 kB base + 3 MB
extended memory. If your motherboard can remap some of the lost
memory out of the 640kB to 1MB region, then you may still be able
to get FreeBSD 2.1.7 up.Try to go into your BIOS setup and look for a remap option.
Enable it. You may also have to disable ROM shadowing.It may be easier to get 4 more MB just for the install. Build a
custom kernel with only the options you need and then get the 4
MB out again.You may also install 2.0.5 and then upgrade your system to 2.1.7
with the upgrade option of the 2.1.7 installation program.After the installation, if you build a custom kernel, it will run
in 4 MB. Someone has even succeeded in booting with 2 MB (the
system was almost unusable though :-)) How can I make my own custom install floppy?
Currently there's no way to just make a custom install floppy.
You have to cut a whole new release, which will include your install
floppy. There's some code in /usr/src/release/floppies/Makefile
that's supposed to let you just make those floppies, but it's not
really gelled yet.To make a custom release, follow the instructions here.Can I have more than one operating system on my PC?Have a look at
The multi-OS page.Can Windows 95/98 co-exist with FreeBSD?Install Windows 95/98 first, after that FreeBSD. FreeBSD's boot
manager will then manage to boot Win95/98 and FreeBSD. If you
install Windows 95/98 second, it will boorishly overwrite your
boot manager without even asking. If that happens, see
the next section. Windows 95/98 killed my boot manager! How do I get it back?
You can reinstall the boot manager FreeBSD comes with in one of
three ways:Running DOS, go into the tools/ directory of your FreeBSD
distribution and look for bootinst.exe. You run it like so:
...\TOOLS>bootinst.exe boot.binand the boot manager will be reinstalled.Boot the FreeBSD boot floppy again and go to the Custom
installation menu item. Choose Partition. Select the drive which
used to contain your boot manager (likely the first one) and when you
come to the partition editor for it, as the very first thing (e.g.
do not make any changes) select (W)rite. This will ask for
confirmation, say yes, and when you get the Boot Manager selection
prompt, be sure to select Boot Manager.
This will re-write the boot manager to disk. Now quit out of the
installation menu and reboot off the hard disk as normal.Boot the FreeBSD boot floppy (or CD-ROM) and choose the
Fixit menu item. Select either the Fixit floppy or
CD-ROM #2 (the live file system option) as appropriate
and enter the fixit shell. Then execute the following command:
Fixit#fdisk -B -b /boot/boot0 bootdevicesubstituting bootdevice for your real
boot device such as ad0 (first IDE disk),
ad4 (first IDE disk on auxiliary controller),
da0 (first SCSI disk), etc.Can I install on a disk with bad blocks?Prior to 3.0, FreeBSD included a utility known as
bad144, which automatically remapped bad
blocks. Because modern IDE drives perform this function themselves,
bad144 has been removed from the FreeBSD source
tree. If you wish to install FreeBSD 3.0 or later, we strongly suggest
you purchase a newer disk drive. If you do not wish to do this, you
must run FreeBSD 2.x.If you are seeing bad block errors with a modern IDE drive,
chances are the drive is going to die very soon (the drive's internal
remapping functions are no longer sufficient to fix the bad blocks,
which means the disk is heavily corrupted); we suggest you by a
new hard drive.If you have a SCSI drive with bad blocks, see this answer.Strange things happen when I boot the install floppy!If you're seeing things like the machine grinding to a halt or
spontaneously rebooting when you try to boot the install floppy,
here are three questions to ask yourself:-Did you use a new, freshly-formatted, error-free floppy
(preferably a brand-new one straight out of the box, as
opposed to the magazine coverdisk that's been lying under
the bed for the last three years)?
Did you download the floppy image in binary (or image) mode?
(don't be embarrassed, even the best of us have accidentally
downloaded a binary file in ASCII mode at least once!)
If you're using
Windows95 or Win98 did you run fdimage or
rawrite in pure DOS mode? These OS's can
interfere with programs that write directly to hardware, which
the disk creation program does; even running it inside a DOS
shell in the GUI can cause this problem.There have also been reports of Netscape causing problems when
downloading the boot floppy, so it's probably best to use a different
FTP client if you can.I booted from my ATAPI CD-ROM, but the install program says no
CD-ROM is found. Where did it go?The usual cause of this problem is a mis-configured CD-ROM
drive. Many PCs now ship with the CD-ROM as the slave device on
the secondary IDE controller, with no master device on that
controller. This is illegal according to the ATAPI specification,
but Windows plays fast and loose with the specification, and the
BIOS ignores it when booting. This is why the BIOS was able to
see the CD-ROM to boot from it, but why FreeBSD can not see it to
complete the install.Reconfigure your system so that the CD-ROM is either the
master device on the IDE controller it is attached to, or make
sure that it is the slave on an IDE controller that also has a
master device.Help! I can't install from tape!If you are installing 2.1.7R from tape, you must create the tape
using a tar blocksize of 10 (5120 bytes). The default tar
blocksize is 20 (10240 bytes), and tapes created using this
default size cannot be used to install 2.1.7R; with these tapes,
you will get an error that complains about the record size being
too big.Connect two FreeBSD boxes over a parallel line (PLIP)
Get a laplink cable. Make sure both computer have a kernel
with lpt driver support.&prompt.root; dmesg | grep lp
lpt0 at 0x378-0x37f irq 7 on isa
lpt0: Interrupt-driven
lp0: TCP/IP capable interfacePlug in the laplink cable into the parallel interface.Configure the network interface parameters for lp0 on both
sites as root. For example, if you want connect the host max
with moritz max <-----> moritz
IP Address 10.0.0.1 10.0.0.2on max start&prompt.root; ifconfig lp0 10.0.0.1 10.0.0.2on moritz start&prompt.root; ifconfig lp0 10.0.0.2 10.0.0.1Thats all! Please read also the manpages
&man.lp.4;
and
&man.lpt.4;
.You should also add the hosts to /etc/hosts.127.0.0.1 localhost.my.domain localhost
10.0.0.1 max.my.domain max
10.0.0.2 moritz.my.domainTo check if it works do:on max:&prompt.root; ifconfig lp0
lp0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.0.1 --> 10.0.0.2 netmask 0xff000000
&prompt.root; netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
moritz max UH 4 127592 lp0
&prompt.root; ping -c 4 moritz
PING moritz (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=255 time=2.774 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=255 time=2.530 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=255 time=2.556 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=255 time=2.714 ms
--- moritz ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.530/2.643/2.774/0.103 ms Can I install on my laptop over PLIP (Parallel Line IP)?
Connect the two computers using a Laplink parallel cable to use
this feature:
See also this note on the Mobile Computing page. Which geometry should I use for a disk drive?
(By the geometry of a disk, we mean the number of cylinders,
heads and sectors/track on a disk - I'll refer to this as
C/H/S for convenience. This is how the PC's BIOS works out
which area on a disk to read/write from).This seems to cause a lot of confusion for some reason. First
of all, the physical geometry of a SCSI drive is totally
irrelevant, as FreeBSD works in term of disk blocks. In fact, there
is no such thing as the physical geometry, as the sector density
varies across the disk - what manufacturers claim is the quote
physical geometry is usually the geometry that they've worked out
results in the least wasted space. For IDE disks, FreeBSD does
work in terms of C/H/S, but all modern drives will convert this
into block references internally as well.All that matters is the logical geometry - the answer that the
BIOS gets when it asks what is your geometry? and then uses to access
the disk. As FreeBSD uses the BIOS when booting, it's very important
to get this right. In particular, if you have more than one operating
system on a disk, they must all agree on the geometry, otherwise you
will have serious problems booting!For SCSI disks, the geometry to use depends on whether extended
translation support is turned on in your controller (this is
often referred to as support for DOS disks >1GB or something
similar). If it's turned off, then use N cylinders, 64 heads
and 32 sectors/track, where N is the capacity of the disk in
MB. For example, a 2GB disk should pretend to have 2048 cylinders,
64 heads and 32 sectors/track.If it is turned on (it's often supplied this way to get around
certain limitations in MSDOS) and the disk capacity is more than 1GB,
use M cylinders, 63 sectors per track (*not* 64), and 255 heads, where
'M' is the disk capacity in MB divided by 7.844238 (!). So our
example 2GB drive would have 261 cylinders, 63 sectors per track and
255 heads.If you are not sure about this, or FreeBSD fails to detect the
geometry correctly during installation, the simplest way around
this is usually to create a small DOS partition on the disk. The
correct geometry should then be detected (and you can always remove
the DOS partition in the partition editor if you don't want to keep
it, or leave it around for programming network cards and the like).Alternatively, there is a freely available utility distributed with
FreeBSD called pfdisk.exe (located in the tools
subdirectory on the FreeBSD CDROM or on the various FreeBSD
ftp sites) which can be used to work out what geometry the other
operating systems on the disk are using. You can then enter this
geometry in the partition editor.Any restrictions on how I divide the disk up?Yes. You must make sure that your root partition is below 1024
cylinders so the BIOS can boot the kernel from it. (Note that this
is a limitation in the PC's BIOS, not FreeBSD).For a SCSI drive, this will normally imply that the root partition
will be in the first 1024MB (or in the first 4096MB if extended
translation is turned on - see previous question). For IDE, the
corresponding figure is 504MB. What about disk managers? Or, I have a large drive!
FreeBSD recognizes the Ontrack Disk Manager and makes allowances
for it. Other disk managers are not supported.If you just want to use the disk with FreeBSD you don't need a
disk manager. Just configure the disk for as much space as the
BIOS can deal with (usually 504 megabytes), and FreeBSD
should figure out how much space you really have. If you're using
an old disk with an MFM controller, you may need to explicitly
tell FreeBSD how many cylinders to use.If you want to use the disk with FreeBSD and another operating
system, you may be able to do without a disk manager: just make sure
the the FreeBSD boot partition and the slice for the other
operating system are in the first 1024 cylinders. If you're
reasonably careful, a 20 megabyte boot partition should be plenty. When I boot FreeBSD I get Missing Operating SystemThis is classically a case of FreeBSD and DOS or some other OS
conflicting over their ideas of disk geometry. You will have to reinstall FreeBSD, but obeying the
instructions given above will almost always get you going.I can't get past the boot manager's F? prompt.This is another symptom of the problem described in the preceding
question. Your BIOS geometry and FreeBSD geometry settings do
not agree! If your controller or BIOS supports cylinder
translation (often marked as >1GB drive support), try
toggling its setting and reinstalling FreeBSD.Do I need to install the complete sources?In general, no. However, we would strongly recommend that you
install, at a minimum, the base source kit, which
includes several of the files mentioned here, and the
sys (kernel) source kit, which includes sources for the
kernel. There is nothing in the system which requires the
presence of the sources to operate, however, except for the
kernel-configuration program
&man.config.8;. With the exception
of the kernel sources, our build structure is set up so that you
can read-only mount the sources from elsewhere via NFS and still
be able to make new binaries. (Because of the kernel-source
restriction, we recommend that you not mount this on
/usr/src directly, but rather in some other location
with appropriate symbolic links to duplicate the top-level
structure of the source tree.)Having the sources on-line and knowing how to build a system with
them will make it much easier for you to upgrade to future
releases of FreeBSD.To actually select a subset of the sources, use the Custom
menu item when you are in the Distributions menu of the
system installation tool.Do I need to build a kernel?Building a new kernel was originally pretty much a required
step in a FreeBSD installation, but more recent releases have
benefited from the introduction of a much friendlier kernel
configuration tool. When at the FreeBSD boot prompt (boot:),
use the flag and you will be dropped into a visual
configuration screen which allows you to configure the kernel's
settings for most common ISA cards.It's still recommended that you eventually build a new
kernel containing just the drivers that you need, just to save a
bit of RAM, but it's no longer a strict requirement for most
systems.
-
-I live outside the US. Can I use DES encryption?
-
-If it is not absolutely imperative that you use DES style
-encryption, you can use FreeBSD's default encryption for even
-better security, and with no export restrictions. FreeBSD
-2.0's password default scrambler is now MD5-based, and is
-more CPU-intensive to crack with an automated password cracker
-than DES, and allows longer passwords as well. The only reason
-for not using the MD5-based crypt today would be to use the
-the same password entries on FreeBSD and non-FreeBSD systems.
-
-Since the DES encryption algorithm cannot legally be exported
-from the US, non-US users should not download this software (as
-part of the secrdist from US FTP sites.
-
-There is however a replacement libcrypt available, based on
-sources written in Australia by David Burren. This code is now
-available on some non-US FreeBSD mirror sites. Sources for the
-unencumbered libcrypt, and binaries of the programs which use it,
-can be obtained from the following FTP sites:
-
-
-
-South Africa
-
-ftp://ftp.internat.FreeBSD.org/pub/FreeBSD/,
-ftp://storm.sea.uct.ac.za/pub/FreeBSD/
-
-
-
-
-
-
-Brazil
-
-
-ftp://ftp.iqm.unicamp.br/pub/FreeBSD/
-
-
-
-
-
-
-Finland
-
-
-ftp://nic.funet.fi/pub/unix/FreeBSD/eurocrypt/
-
-
-
-
-
-
-The non-US securedist can be used as a direct replacement
-for the encumbered US securedist. This securedist
-package is installed the same way as the US package (see
-installation notes for details). If you are going to install DES
-encryption, you should do so as soon as possible, before
-installing other software.
-
-Non-US users should please not download any encryption software
-from the USA. This can get the maintainers of the sites from
-which the software is downloaded into severe legal difficulties.
-
-A non-US distribution of Kerberos is also being developed, and
-current versions can generally be obtained by anonymous FTP from
-braae.ru.ac.za.
-
-There is also a mailing list for the
-discussion of non-US encryption software. For more information, send
-an email message with a single line saying help in the body
-of your message to majordomo@braae.ru.ac.za.
+
+
+ Should I use DES passwords, or MD5, and how do I specify
+ which form my users receive?
+
-
+
+ The default password format on FreeBSD is to use
+ MD5-based passwords. These are believed to
+ be more secure than the traditional UNIX password format, which
+ used a scheme based on the DES algorithm.
+ DES passwords are still available if you need to share your
+ password file with legacy operating systems which still use the
+ less secure password format (they are available if you choose to
+ install the crypto distribution in sysinstall, or
+ by installing the crypto sources if building from source). Which
+ password format to use for new passwords is controlled by the
+ passwd_format login capability in
+ /etc/login.conf, which takes values of either
+ des (if available) or md5. See the
+ login.conf(5) manpage for more information about login
+ capabilities.
+
+
The boot floppy starts but hangs at the Probing Devices...
screen.If you have a IDE Zip or Jaz drive installed, remove it and try again.
The boot floppy can get confused by the drives.
After the system is installed you can reconnect the drive. Hopefully
this will be fixed in a later release.I get a panic: cant mount root
error when rebooting the system after installation.This error comes from confusion between the boot block's and the
kernel's understanding of the disk devices. The error usually
manifests on two-disk IDE systems, with the hard disks arranged as the
master or single device on separate IDE controllers, with FreeBSD
installed on the secondary IDE controller. The boot blocks think
the system is installed on wd1 (the second BIOS disk) while the kernel
assigns the first disk on the secondary controller device wd2. After
the device probing, the kernel tries to mount what the boot blocks
think is the boot disk, wd1, while it is really wd2, and fails.To fix the problem, do one of the following:For FreeBSD 3.3 and later, reboot the system and hit
Enter at the Booting kernel in 10 seconds; hit
[Enter] to interrupt prompt. This will drop you into the boot
loader.Then type set
root_disk_unit="disk_number". disk_number
will be 0 if FreeBSD is installed on the master drive
on the first IDE controller, 1 if it is installed
on the slave on the first IDE controller, 2 if it
is installed on the master of the second IDE controller, and
3 if it is installed on the slave of the second
IDE controller.Then type boot, and your system should boot
correctly.To make this change permanent (ie so you don't have to do this
everytime you reboot or turn on your FreeBSD machine), put the line
root_disk_unit="disk_number" in
/boot/loader.conf.local.If using FreeBSD 3.2 or earlier, at the Boot: prompt, enter
1:wd(2,a)kernel and press Enter. If the system starts, then
run the command
echo "1:wd(2,a)kernel" > /boot.config
to make it the default boot string.Move the FreeBSD disk onto the primary IDE controller, so the
hard disks are consecutive.Rebuild your kernel,
modify the wd configuration lines to read:controller wdc0 at isa? port "IO_WD1" bio irq 14 vector wdintr
disk wd0 at wdc0 drive 0
# disk wd1 at wdc0 drive 1 # comment out this line
controller wdc1 at isa? port "IO_WD2" bio irq 15 vector wdintr
disk wd1 at wdc1 drive 0 # change from wd2 to wd1
disk wd2 at wdc1 drive 1 # change from wd3 to wd2Install the new kernel.
If you moved your disks and wish to restore the previous
configuration, replace the disks in the desired configuration and reboot.
Your system should boot successfully.
What are the limits for memory?For memory, the limit is 4 gigabytes. This configuration has
been tested, see wcarchive's
configuration for more details. If you plan to install this
much memory into a machine, you need to be careful. You'll probably
want to use ECC memory and to reduce capacitive loading use 9 chip
memory modules vice 18 chip memory modules.What are the limits for ffs filesystems?For ffs filesystems, the maximum theoretical limit is 8 terabytes
(2G blocks), or 16TB for the default block size of 8K.
In practice, there is a soft limit of 1 terabyte, but with modifications
filesystems with 4 terabytes are possible (and exist).The maximum size of a single ffs file is approximately 1G blocks
(4TB) if the block size is 4K.
Maximum file sizesfs block size2.2.7-stable3.0-currentworksshould work4K4T-14T-14T-14+t8K32+G8T-132+G32T-116K128+G16T-1128+G32T-132K512+G32T-1512+G64T-164K2048+G64T-12048+G128T-1
When the fs block size is 4K, triple indirect blocks work and
everything should be limited by the maximum fs block number that can
be represented using triple indirect blocks (approx. 1K^3 + 1K^2 +
1K), but everything is limited by a (wrong) limit of 1G-1 on fs block
numbers. The limit on fs block numbers should be 2G-1. There are
some bugs for fs block numbers near 2G-1, but such block numbers are
unreachable when the fs block size is 4K.For block sizes of 8K and larger, everything should be limited
by the 2G-1 limit on fs block numbers, but is actually limited by the
1G-1 limit on fs block numbers, except under -STABLE triple indirect
blocks are unreachable, so the limit is the maxiumum fs block number
that can be represented using double indirect blocks
(approx. (blocksize/4)^2 + (blocksize/4)), and under -CURRENT
exceeding this limit may cause problems. Using the correct limit of
2G-1 blocks does cause problems.How can I put 1TB files on my floppy?I keep several virtual ones on floppies :-). The maxiumum
file size is not closely related to the maximum disk size. The
maximum disk size is 1TB. It is a feature that the file size can be
larger than the disk size.The following example creates a file of size 8T-1 using a
whole 32K of disk space (3 indirect blocks and 1 data block) on a
small root partition. The dd command requires a dd that works with
large files.&prompt.user; cat foo
df .
dd if=/dev/zero of=z bs=1 seek=`echo 2^43 - 2 | bc` count=1
ls -l z
du z
df .
&prompt.user; sh foo
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/da0a 64479 27702 31619 47% /
1+0 records in
1+0 records out
1 bytes transferred in 0.000187 secs (5346 bytes/sec)
-rw-r--r-- 1 bde bin 8796093022207 Sep 7 16:04 z
32 z
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/da0a 64479 27734 31587 47% /Bruce Evans, September 1998I compiled a new kernel and now I get the error message archsw.readin.failed when booting.You can boot by specifying the kernel directly at the second
stage, pressing any key when the | shows up before loader is
started. More specifically, you have upgraded the source for your
kernel, and installed a new kernel builtin from them without making
world. This is not supported. Make world.How do I upgrade from 3.X -> 4.X?We strongly recommend that you use
binary snapshots to do this. 4-STABLE snapshots are available at
releng4.FreeBSD.org.If you wish to upgrade using source, please see the FreeBSD
Handbook for more information.Upgrading via source is never recommended for new
users, and upgading from 3.X -> 4.X is even less so; make sure you
have read the instructions carefully before attempting to upgrade via
source this!Hardware compatibility What kind of hard drives does FreeBSD support?FreeBSD supports EIDE and SCSI drives (with a compatible
controller; see the next section), and all drives using the
original Western Digital interface (MFM, RLL, ESDI, and
of course IDE). A few ESDI controllers that use proprietary
interfaces may not work: stick to WD1002/3/6/7 interfaces
and clones.Which SCSI controllers are supported?See the complete list in the
Handbook.Which CD-ROM drives are supported by FreeBSD?Any SCSI drive connected to a supported controller is supported.The following proprietary CD-ROM interfaces are also supported:Mitsumi LU002 (8bit), LU005 (16bit) and FX001D (16bit 2x Speed).Sony CDU 31/33ASound Blaster Non-SCSI CD-ROMMatsushita/Panasonic CD-ROMATAPI compatible IDE CD-ROMsAll non-SCSI cards are known to be extremely slow compared to
SCSI drives, and some ATAPI CDROMs may not work.As of 2.2 the FreeBSD CDROM from Walnut Creek supports booting
directly from the CD.Does FreeBSD support ZIP drives?FreeBSD supports the SCSI ZIP drive out of the box, of course. The
ZIP drive can only be set to run at SCSI target IDs 5 or 6, but if
your SCSI host adapter's BIOS supports it you can even boot from
it. I don't know which host adapters let you boot from targets
other than 0 or 1... look at your docs (and let me know if it works
out for you).ATAPI (IDE) Zip drives are supported in FreeBSD 2.2.6 and
later releases.FreeBSD has contained support for Parallel Port Zip Drives since
version 3.0. If you are using a sufficiently up to date version, then
you should check that your kernel contains the scbus0,
da0, ppbus0, and
vp0 drivers (the GENERIC kernel
contains everything except vp0). With all these drivers present, the
Parallel Port drive should be available as /dev/da0s4. Disks can
be mounted using mount /dev/da0s4 /mnt OR (for dos disks)
mount_msdos /dev/da0s4 /mnt as appropriate.Also check out this note on removable drives,
and this note on formatting. Does FreeBSD support JAZ, EZ and other removable drives?
Apart from the IDE version of the EZ drive, these are all SCSI
devices, so the should all look like SCSI disks to FreeBSD, and
the IDE EZ should look like an IDE drive.I'm not sure how well FreeBSD supports changing
the media out while running. You will of course need to dismount the
drive before swapping media, and make sure that any external units are
powered on when you boot the system so FreeBSD can see them.See this note on formatting.Which multi-port serial cards are supported by FreeBSD?There is a list of these in the Miscellaneous devices
section of the handbook.Some unnamed clone cards have also been known to work, especially
those that claim to be AST compatible.Check the
sio man page to get more information on configuring such cards.I have a USB keyboard. Does FreeBSD support it?USB device support was added to FreeBSD 3.1. However, it is
still in preliminary state and may not always work as of version
3.2. If you want to experiment with the USB mouse support, follow
the procedure described below.Use FreeBSD 3.2 or later.Add the following lines to your kernel configuration file,
and rebuild the kernel.
device uhci
device ohci
device usb
device ukbd
options KBD_INSTALL_CDEVIn versions of FreeBSD before 4.0, use this instead:
controller uhci0
controller ohci0
controller usb0
controller ukbd0
options KBD_INSTALL_CDEVGo to the /dev directory and create
device nodes as follows:&prompt.root; cd /dev
&prompt.root; ./MAKEDEV kbd0 kbd1Edit /etc/rc.conf and add the following
lines:
usbd_enable="YES"
usbd_flags=""After the system is rebooted, the AT keyboard becomes
/dev/kbd0 and the USB keyboard becomes
/dev/kbd1, if both are connected to the
system. If there is the USB keyboard only, it will be
/dev/ukbd0.If you want to use the USB keyboard in the console, you have to
explicitly tell the console driver to use the existence of the USB
keyboard. This can be done by running the following command as a
part of system initialization.&prompt.root; kbdcontrol -k /dev/kbd1 < /dev/ttyv0 > /dev/nullNote that if the USB keyboard is the only keyboard, it is
accessed as /dev/kbd0, thus, the command
should look like:&prompt.root; kbdcontrol -k /dev/kbd0 < /dev/ttyv0 > /dev/null/etc/rc.i386 is a good place to add the
above command.Once this is done, the USB keyboard should work in the X
environment as well without any special settings.Hot-plugging and unplugging of the USB keyboard may not work
quite right yet. It is a good idea to connect the keyboard before
you start the system and leave it connected until the system is
shutdown to avoid troubles.See the &man.ukbd.4; man page for more information.I have an unusual bus mouse. How do I set it up?FreeBSD supports the bus mouse and the InPort bus mouse from such
manufactures as Microsoft, Logitech and ATI. The bus device driver
is compiled in the GENERIC kernel by default in FreeBSD versions 2.X, but
not included in version 3.0 or later. If you are building
a custom kernel with the bus mouse driver, make sure to add the
following line to the kernel config fileIn FreeBSD 3.0 or before, add:device mse0 at isa? port 0x23c tty irq5 vector mseintrIn FreeBSD 3.X, the line should be:device mse0 at isa? port 0x23c tty irq5And in FreeBSD 4.X and later, the line should read:device mse0 at isa? port 0x23c irq5Bus mice usually comes with dedicated interface cards.
These cards may allow you to set the port address and the IRQ number other
than shown above. Refer to the manual of your mouse and the
&man.mse.4; man page for more information. How do I use my PS/2 (mouse port
or keyboard) mouse?If you're running a post-2.2.5 version of FreeBSD, the necessary
driver, psm, is included and enabled in the kernel. The kernel
should detect your PS/2 mouse at boot time.If you're running a previous but relatively recent version of
FreeBSD (2.1.x or better) then you can simply enable it in the
kernel configuration menu at installation time, otherwise later with
at the boot: prompt. It is disabled by default, so you will need
to enable it explicitly.If you're running an older version of FreeBSD then you'll have to
add the following lines to your kernel configuration file and compile
a new kernel.In FreeBSD 3.0 or earlier, the line should be:device psm0 at isa? port "IO_KBD" conflicts tty irq 12 vector psmintrIn FreeBSD 3.1 or later, the line should be:device psm0 at isa? tty irq 12In FreeBSD 4.0 or later, the line should be:device psm0 at atkbdc? irq 12See the Handbook entry on configuring the kernel if you've no
experience with building kernels.Once you have a kernel detecting psm0 correctly at boot time,
make sure that an entry for psm0 exists in /dev. You can do this
by typing:&prompt.root; cd /dev; sh MAKEDEV psm0when logged in as root.Is it possible to make use of a mouse in any way outside the X Window?If you are using the default console driver, syscons, you can
use a mouse pointer in text consoles to cut & paste text.
Run the mouse daemon, moused, and turn on the mouse pointer
in the virtual console:&prompt.root; moused -p /dev/xxxx -t yyyy
&prompt.root; vidcontrol -m onWhere xxxx is the mouse device name and
yyyy
is a protocol type for the mouse. See the
&man.moused.8; man page for supported protocol types. You may wish to run the mouse daemon automatically when the
system starts. In version 2.2.1, set the following variables in
/etc/sysconfig.mousedtype="yyyy"
mousedport="xxxx"
mousedflags=""In versions 2.2.2 to 3.0, set the following variables in
/etc/rc.conf.moused_type="yyyy"
moused_port="xxxx"
moused_flags=""In 3.1 and later, assuming you have a PS/2 mouse, all you need
to is add moused_enable="YES" to
/etc/rc.conf.In addition, if you would like to be able to use the mouse
daemon on all virtual terminals instead of just console at boot-time,
add the following to /etc/rc.conf.allscreens_flags="-m on"Staring from FreeBSD 2.2.6, the mouse daemon is capable of
determining the correct protocol type automatically unless the mouse
is a relatively old serial mouse model. Specify auto
the protocol to invoke automatic detection.When the mouse daemon is running, access to the mouse needs to be
coordinated between the mouse daemon and other programs such as the
X Window. Refer to another section
on this issue.How do I cut and paste text with mouse in the text console?Once you get the mouse daemon running (see previous section), hold down the button 1 (left button)
and move the mouse to select a region of
text. Then, press the button 2 (middle button) or the button 3 (right
button) to paste it at the text cursor.In versions 2.2.6 and later, pressing the button 2 will paste
the text. Pressing the button 3 will extend the selected region
of text. If your mouse does not have the middle button, you may wish
to emulate it or remap buttons using moused options. See the
moused(8)
man page for details.I have a USB mouse. Does FreeBSD support the USB mouse?USB device support was added to FreeBSD 3.1. However, it is
still in a preliminary state and may not always work as of version
3.2. If you want to experiment with the USB mouse support, follow
the procedure described below.Use FreeBSD 3.2 or later.Add the following lines to your kernel configuration file,
and rebuild the kernel.
device uhci
device ohci
device usb
device umsIn versions of FreeBSD before 4.0, use this instead:
controller uhci0
controller ohci0
controller usb0
device ums0Go to the /dev directory and create a
device node as follows:&prompt.root; cd /dev
&prompt.root; ./MAKEDEV ums0Edit /etc/rc.conf and add the following
lines:
moused_enable="YES"
moused_type="auto"
moused_port="/dev/ums0"
moused_flags=""
usbd_enable="YES"
usbd_flags=""See the previous section for
more detailed discussion on moused.In order to use the USB mouse in the X session, edit
XF86Config. If you are using XFree86 3.3.2
or later, be sure to have the following lines in the
Pointer section:
Device "/dev/sysmouse"
Protocol "Auto"If you are using earlier versions of XFree86, be sure to
have the following lines in the Pointer
section:
Device "/dev/sysmouse"
Protocol "SysMouse"Refer to another section on
the mouse support in the X environment.Hot-plugging and unplugging of the USB mouse may not work quite
right yet. It is a good idea connect the mouse before you start the
system and leave it connected until the system is shutdown to avoid
trouble.My mouse has a fancy wheel and buttons. Can I use them in FreeBSD?The answer is, unfortunately, It depends. These mice with
additional features require specialized driver in most cases.
Unless the mouse device driver or the user program has specific
support for the mouse, it will act just like a standard two, or
three button mouse.For the possible usage of wheels in the X Window environment,
refer to that section.My mouse does not seem working. The mouse cursor jumps around
on the screen. The mouse has a wheel and is connected to the PS/2
mouse port.The PS/2 mouse driver psm in FreeBSD versions 3.2 or earlier has
difficulty with some wheel mice, including Logitech model M-S48 and
its OEM siblings. Apply the following patch to
/sys/i386/isa/psm.c and rebuild the
kernel.
Index: psm.c
===================================================================
RCS file: /src/CVS/src/sys/i386/isa/Attic/psm.c,v
retrieving revision 1.60.2.1
retrieving revision 1.60.2.2
diff -u -r1.60.2.1 -r1.60.2.2
--- psm.c 1999/06/03 12:41:13 1.60.2.1
+++ psm.c 1999/07/12 13:40:52 1.60.2.2
@@ -959,14 +959,28 @@
sc->mode.packetsize = vendortype[i].packetsize;
/* set mouse parameters */
+#if 0
+ /*
+ * A version of Logitech FirstMouse+ won't report wheel movement,
+ * if SET_DEFAULTS is sent... Don't use this command.
+ * This fix was found by Takashi Nishida.
+ */
i = send_aux_command(sc->kbdc, PSMC_SET_DEFAULTS);
if (verbose >= 2)
printf("psm%d: SET_DEFAULTS return code:%04x\n", unit, i);
+#endif
if (sc->config & PSM_CONFIG_RESOLUTION) {
sc->mode.resolution
= set_mouse_resolution(sc->kbdc,
- (sc->config & PSM_CONFIG_RESOLUTION) - 1);
+ (sc->config & PSM_CONFIG_RESOLUTION) - 1);
+ } else if (sc->mode.resolution >= 0) {
+ sc->mode.resolution
+ = set_mouse_resolution(sc->kbdc, sc->dflt_mode.resolution);
+ }
+ if (sc->mode.rate > 0) {
+ sc->mode.rate = set_mouse_sampling_rate(sc->kbdc, sc->dflt_mode.rate);
}
+ set_mouse_scaling(sc->kbdc, 1);
/* request a data packet and extract sync. bits */
if (get_mouse_status(sc->kbdc, stat, 1, 3) < 3) {Versions later than 3.2 should be all right. How do I use the mouse/trackball/touchpad on my laptop?
Please refer to the answer to the previous question. And check out this note on the Mobile
Computing page.What types of tape drives are supported?FreeBSD supports SCSI, QIC-36 (with a QIC-02 interface) and
QIC-40/80 (Floppy based) tape drives. This includes 8-mm (aka Exabyte)
and DAT drives. The QIC-40/80 drives are known to be slow.Some of the early 8-mm drives are not quite compatible with SCSI-2,
and may not work well with FreeBSD.Does FreeBSD support tape changers?FreeBSD 2.2 supports SCSI changers using the ch(4) device and
the chio(1)
command. The details of how you actually control the changer can be
found in the chio(1)
man page.If you're not using AMANDA or
some other product that already understands changers, remember that
they're only know how to move a tape from one point to another, so
you need to keep track of which slot a tape is in, and which slot the
tape currently in the drive needs to go back to.Which sound cards are supported by FreeBSD?FreeBSD supports the SoundBlaster, SoundBlaster Pro, SoundBlaster
16, Pro Audio Spectrum 16, AdLib and Gravis UltraSound sound cards.
There is also limited support for MPU-401 and compatible MIDI cards.
Cards conforming to the Microsoft Sound System specification are also
supported through the pcm driver.This is only for sound! This driver does not support
CD-ROMs, SCSI or joysticks on these cards, except for the
SoundBlaster. The SoundBlaster SCSI interface and some non-SCSI
CDROMS are supported, but you can't boot off this
device.Workarounds for no sound from es1370 with pcm driver?You can run the following command everytime the machine booted up:&prompt.root; mixer pcm 100 vol 100 cd 100Which network cards does FreeBSD support?See the Ethernet cards section of the handbook for a more
complete list. I don't have a math co-processor - is that bad?This will only affect 386/486SX/486SLC owners - other
machines will have one built into the CPU.In general this will not cause any problems, but there are
circumstances where you will take a hit, either in performance or
accuracy of the math emulation code (see the section on FP emulation). In particular, drawing arcs in X will be
VERY slow. It is highly recommended that you buy a math
co-processor; it's well worth it.Some math co-processors are better than others. It pains
us to say it, but nobody ever got fired for buying Intel. Unless
you're sure it works with FreeBSD, beware of clones.What other devices does FreeBSD support?See the Handbook
for the list of other devices supported.Does FreeBSD support power management on my laptop?FreeBSD supports APM on certain machines. Please look in the
LINT kernel config file, searching for the APM keyword.My Micron system hangs at boot timeCertain Micron motherboards have a non-conforming PCI BIOS
implementation that causes grief when FreeBSD boots because
PCI devices don't get configured at their reported addresses.Disable the Plug and Play Operating System flag in the BIOS
to work around this problem. More information can be found at
http://cesdis.gsfc.nasa.gov/linux/drivers/vortex.html#micronI have a newer Adaptec controller and FreeBSD can't find it.
The newer AIC789x series Adaptec chips are supported under the CAM SCSI
framework which made it's debut in 3.0. Patches against 2.2-STABLE
are in ftp://ftp.FreeBSD.org/pub/FreeBSD/development/cam/.
A CAM-enhanced boot floppy is available at http://people.FreeBSD.org/~abial/cam-boot/. In both cases read the README before
beginning. I have an internal Plug & Play modem and FreeBSD can't find it.
You will need to add the modem's PnP ID to the PnP ID list in the serial driver.
To enable Plug & Play support, compile a new kernel with
controller pnp0 in
the configuration file, then reboot the system. The kernel will print the PnP IDs
of all the devices it finds. Copy the PnP ID from the modem to the table in
/sys/i386/isa/sio.c, at about line 2777. Look for the string SUP1310
in the structure siopnp_ids[] to
find the table. Build the kernel again, install, reboot, and your modem should be found.You may have to manually configure the PnP devices using the pnp command in the
boot-time configuration with a command like
pnp 1 0 enable os irq0 3 drq0 0 port0 0x2f8
to make the modem show.How do I get the boot: prompt to show on the serial console?
Build a kernel with options COMCONSOLE.Create /boot.config and place as the only text in the file.Unplug the keyboard from the system.See /usr/src/sys/i386/boot/biosboot/README.serial for information.Why doesn't my 3Com PCI network card work with my Micron computer?Certain Micron motherboards have a non-conforming PCI BIOS
implementation that does not configure PCI devices at
the addresses reported. This causes grief when FreeBSD boots.To work around this problem, disable the Plug and Play Operating
System flag in the BIOS. More information on this problem is available at URL:
http://cesdis.gsfc.nasa.gov/linux/drivers/vortex.html#micronDoes FreeBSD support Symmetric Multiprocessing (SMP)?
SMP is supported in 3.0-STABLE and later releases only. SMP is
not enabled in the GENERIC kernel, so you will
have to recompile your kernel to enable SMP. Take a look at
/sys/i386/conf/LINT to figure out what options to put in
your kernel config file.The boot floppy hangs on a system with an ASUS K7V
motherboard. How do I fix this?Go in to the BIOS setup and disable the boot virus
protection.TroubleshootingI have bad blocks on my hard drive!With SCSI drives, the drive should be capable of re-mapping
these automatically. However, many drives are shipped with
this feature disabled, for some mysterious reason...To enable this, you'll need to edit the first device page mode,
which can be done on FreeBSD by giving the command (as root)&prompt.root; scsi -f /dev/rsd0c -m 1 -e -P 3and changing the values of AWRE and ARRE from 0 to 1:-AWRE (Auto Write Reallocation Enbld): 1
ARRE (Auto Read Reallocation Enbld): 1The following paragraphs were submitted by
Ted Mittelstaedt:For IDE drives, any bad block is usually a sign of potential trouble.
All modern IDE drives come with internal bad-block remapping turned
on. All IDE hard drive manufacturers today offer extensive
warranties and will replace drives with bad blocks on them.If you still want to attempt to rescue an IDE drive with bad blocks,
you can attempt to download the IDE drive manufacturer's IDE diagnostic
program, and run this against the drive. Sometimes these programs can
be set to force the drive electronics to rescan the drive for bad blocks
and lock them out.For ESDI, RLL and MFM drives, bad blocks are a normal part of the
drive and are no sign of trouble, generally. With a PC, the disk drive
controller card and BIOS handle the task of locking out bad sectors.
This is fine for operating systems like DOS that use BIOS code to
access the disk. However, FreeBSD's disk driver does not go through
BIOS, therefore a mechanism, bad144, exists that replaces this
functionality. bad144 only works with the wd driver (which means it
is not supported in FreeBSD 4.0),
it is NOT able to be used with SCSI. bad144 works by entering all bad
sectors found into a special file.One caveat with bad144 - the bad block special file is placed on the
last track of the disk. As this file may possibly contain a listing for
a bad sector that would occur near the beginning of the disk, where the
/kernel file might be located, it therefore must be accessible to the
bootstrap program that uses BIOS calls to read the kernel file. This
means that the disk with bad144 used on it must not exceed 1024
cylinders, 16 heads, and 63 sectors. This places an effective limit
of 500MB on a disk that is mapped with bad144.To use bad144, simply set the Bad Block scanning to ON in the
FreeBSD fdisk screen during the initial install. This works up through
FreeBSD 2.2.7. The disk must have less than 1024 cylinders. It is
generally recommended that the disk drive has been in operation for at
least 4 hours prior to this to allow for thermal expansion and track
wandering.If the disk has more than 1024 cylinders (such as a large ESDI drive)
the ESDI controller uses a special translation mode to make it work
under DOS. The wd driver understands about these translation modes,
IF you enter the translated geometry with the set geometry command
in fdisk. You must also NOT use the dangerously dedicated mode of
creating the FreeBSD partition, as this ignores the geometry. Also,
even though fdisk will use your overridden geometry, it still knows the
true size of the disk, and will attempt to create a too large FreeBSD
partition. If the disk geometry is changed to the translated geometry,
the partition MUST be manually created with the number of blocks.A quick trick to use is to set up the large ESDI disk with the ESDI
controller, boot it with a DOS disk and format it with a DOS partition.
Then, boot the FreeBSD install and in the fdisk screen, read off and
write down the blocksize and block numbers for the DOS partition. Then,
reset the geometry to the same that DOS uses, delete the DOS partition,
and create a cooperative FreeBSD partition using the blocksize you
recorded earlier. Then, set the partition bootable and turn on bad
block scanning. During the actual install, bad144 will run first,
before any filesystems are created. (you can view this with an Alt-F2)
If it has any trouble creating the badsector file, you have set too
large a disk geometry - reboot the system and start all over again
(including repartitioning and reformatting with DOS).If remapping is enabled and you are seeing bad blocks, consider
replacing the drive. The bad blocks will only get worse as time goes on.FreeBSD does not recognize my Bustek 742a EISA SCSI!This info is specific to the 742a but may also cover other
Buslogic cards. (Bustek = Buslogic)There are 2 general versions of the 742a card. They are
hardware revisions A-G, and revisions H - onwards. The revision
letter is located after the Assembly number on the edge of the
card. The 742a has 2 ROM chips on it, one is the BIOS chip and
the other is the Firmware chip. FreeBSD doesn't care what
version of BIOS chip you have but it does care about what version
of firmware chip. Buslogic will send upgrade ROMS out if you
call their tech support dept. The BIOS and Firmware chips are
shipped as a matched pair. You must have the most current
Firmware ROM in your adapter card for your hardware revision.The REV A-G cards can only accept BIOS/Firmware sets up to
2.41/2.21. The REV H- up cards can accept the most current
BIOS/Firmware sets of 4.70/3.37. The difference between the
firmware sets is that the 3.37 firmware supports round robinThe Buslogic cards also have a serial number on them. If you
have a old hardware revision card you can call the Buslogic RMA
department and give them the serial number and attempt to
exchange the card for a newer hardware revision. If the card is
young enough they will do so.FreeBSD 2.1 only supports Firmware revisions 2.21 onward. If you
have a Firmware revision older than this your card will not be
recognized as a Buslogic card. It may be recognized as an
Adaptec 1540, however. The early Buslogic firmware contains an
AHA1540 emulation mode. This is not a good thing for an EISA
card, however.If you have an old hardware revision card and you obtain the 2.21
firmware for it, you will need to check the position of jumper W1
to B-C, the default is A-B. My HP Netserver's SCSI controller is not detected!
This is basically a known problem. The EISA on-board SCSI controller
in the HP Netserver machines occupies EISA slot number 11, so all
the true EISA slots are in front of it. Alas, the address space
for EISA slots >= 10 collides with the address space assigned to PCI,
and FreeBSD's auto-configuration currently cannot handle this
situation very well.So now, the best you can do is to pretend there is no address
range clash :), by bumping the kernel option EISA_SLOTS
to a value of 12.
Configure and compile a kernel, as described in the
Handbook entry on configuring the kernel.Of course, this does present you with a chicken-and-egg problem when
installing on such a machine. In order to work around this
problem, a special hack is available inside UserConfig.
Do not use the visual interface, but the plain command-line
interface there. Simply typeeisa 12
quitat the prompt, and install your system as usual. While it's
recommended you compile and install a custom kernel anyway,Hopefully, future versions will have a proper fix for this problem.You can not use a dangerously dedicated disk with
an HP Netserver. See this note for
more info.What's up with this CMD640 IDE controller?It's broken. It cannot handle commands on both channels
simultaneously.There's a workaround available now and it is enabled automatically
if your system uses this chip. For the details refer to the
manual page of the disk driver (man 4 wd).If you're already running FreeBSD 2.2.1 or 2.2.2 with a
CMD640 IDE controller and you want to use the second channel,
build a new kernel with options "CMD640" enabled. This
is the default for 2.2.5 and later.I keep seeing messages like ed1: timeout.This is usually caused by an interrupt conflict (e.g., two boards
using the same IRQ). FreeBSD prior to 2.0.5R used to be tolerant
of this, and the network driver would still function in the
presence of IRQ conflicts. However, with 2.0.5R and later, IRQ
conflicts are no longer tolerated. Boot with the -c option and
change the ed0/de0/... entry to match your board.If you're using the BNC connector on your network card, you may
also see device timeouts because of bad termination. To check this,
attach a terminator directly to the NIC (with no cable) and see if
the error messages go away. Some NE2000 compatible cards will give this error if there is
no link on the UTP port or if the cable is disconnected.When I mount a CDROM, I get Incorrect super block.You have to tell
mount
the type of the device that you want to mount. By default,
mount(8)
will assume the filesystem is of type ufs. You want to mount
a CDROM filesystem, and you do this by specifying the
option to mount(8)
. This does, of course, assume that the
CDROM contains an ISO 9660 filesystem, which is what most CDROMs
have. As of 1.1R, FreeBSD automatically understands the Rock Ridge
(long filename) extensions as well.As an example, if you want to mount the CDROM device,
/dev/cd0c, under /mnt, you would execute:&prompt.root; mount -t cd9660 /dev/cd0c /mntNote that your device name (/dev/cd0c in this
example) could be different, depending on the CDROM interface.
Note that the option just causes the
mount_cd9660 command to be executed, and so the
above example could be shortened to:&prompt.root; mount_cd9660 /dev/cd0c /mntWhen I mount a CDROM, I get Device not configured.This generally means that there is no CDROM in the CDROM drive,
or the drive is not visible on the bus. Feed the drive
something, and/or check its master/slave status if it is
IDE (ATAPI). It can take a couple of seconds for a CDROM drive
to notice that it's been fed, so be patient.Sometimes a SCSI CD-ROM may be missed because it hadn't enough time
to answer the bus reset. If you have a SCSI CD-ROM please try to
add the following symbol into your kernel configuration file
and recompile.options "SCSI_DELAY=15"My printer is ridiculously slow. What can I do ?If it's parallel, and the only problem is that it's terribly
slow, try setting your printer port into polled mode:&prompt.root; lptcontrol -pSome newer HP printers are claimed not to work correctly in
interrupt mode, apparently due to some (not yet exactly
understood) timing problem.My programs occasionally die with Signal 11 errors.Signal 11 errors are caused when your process has attempted to
access memory which the operating system has not granted it access to.
If something like this is happening at seemingly random intervals then
you need to start investigating things very carefully.These problems can usually be attributed to either:If the problem is occurring only in a specific application
that you are developing yourself it is probably a bug in your code.
If it's a problem with part of the base FreeBSD system, it
may also be buggy code, but more often than not these problems are
found and fixed long before us general FAQ readers get to use
these bits of code (that's what -current is for).In particular, a dead giveaway that this is *not* a FreeBSD bug
is if you see the problem when you're compiling a program, but the
activity that the compiler is carrying out changes each time.
For example, suppose you're running "make buildworld", and the
compile fails while trying to compile ls.c in to ls.o. If you next run
"make buildworld" again, and the compile fails in the same place then
this is a broken build -- try updating your sources and try again. If
the compile fails elsewhere then this is almost certainly hardware.
What you should do:In the first case you can use a debugger e.g. gdb to find the
point in the program which is attempting to access a bogus address and
then fix it.
In the second case you need to verify that it's not your hardware
at fault. Common causes of this include :Your hard disks might be overheating: Check the fans in
your case are still working, as your disk (and perhaps other hardware
might be overheating).The processor running is overheating: This might be because the
processor has been overclocked, or the fan on the processor might
have died. In either case you need to ensure that you have hardware
running at what it's specified to run at, at least while trying to
solve this problem. i.e. Clock it back to the default settings. If you are overclocking then note that it's far cheaper
to have a slow system than a fried system that needs replacing!
Also the wider community is not often sympathetic to problems on
overclocked systems, whether you believe it's safe or not.Dodgy memory: If you have multiple memory SIMMS/DIMMS installed
then pull them all out and try running the machine with each SIMM or
DIMM individually and narrow the problem down to either the problematic
DIMM/SIMM or perhaps even a combination.Over-optimistic Motherboard settings: In your BIOS settings, and
some motherboard jumpers you have options to set various timings, mostly
the defaults will be sufficient, but sometimes, setting the wait
states on RAM too low, or setting the "RAM Speed: Turbo" option,
or similar in the BIOS will cause strange behaviour.
A possible idea is to set to BIOS defaults, but it might be worth
noting down your settings first!Unclean or insufficient power to the motherboard. If you
have any unused I/O boards, hard disks, or CDROMs in your system,
try temporarily removing them or disconnecting the power cable
from them, to see if your power supply can manage a smaller load.
Or try another power supply, preferably one with a little more
power (for instance, if your current power supply is rated at 250
Watts try one rated at 300 Watts).You should also read the SIG11 FAQ (listed below) which has
excellent explanations of all these problems, albeit from a Linux
viewpoint. It also discusses how memory testing software or hardware
can still pass faulty memory.Finally, if none of this has helped it is possible that you've
just found a bug in FreeBSD, and you should follow the instructions to
send a problem report.There's an extensive FAQ on this at
the SIG11 problem FAQWhen I boot, the screen goes black and loses sync!This is a known problem with the ATI Mach 64 video card.
The problem is that this card uses address 2e8, and
the fourth serial port does too. Due to a bug (feature?) in the
sio(4)
driver it will touch this port even if you don't have the
fourth serial port, and even if you disable sio3 (the fourth
port) which normally uses this address.Until the bug has been fixed, you can use this workaround:Enter at the bootprompt. (This will put the kernel
into configuration mode).
Disable sio0, sio1,
sio2 and sio3
(all of them). This way the sio driver doesn't get activated
-> no problems.
Type exit to continue booting.If you want to be able to use your serial ports,
you'll have to build a new kernel with the following
modification: in /usr/src/sys/i386/isa/sio.c find the
one occurrence of the string 0x2e8 and remove that string
and the preceding comma (keep the trailing comma). Now follow
the normal procedure of building a new kernel.Even after applying these workarounds, you may still find that
the X Window System does not work properly. If this is the case, make
sure that the XFree86 version you are using is at least XFree86 3.3.3
or higher. This version and upwards has built-in support for the
Mach64 cards and even a dedicated X server for those cards. I have 128 MB of RAM but the system only uses 64 MB.
Due to the manner in which FreeBSD gets the memory size from the
BIOS, it can only detect 16 bits worth of Kbytes in size (65535
Kbytes = 64MB) (or less... some BIOSes peg the memory size to 16M).
If you have more than 64MB, FreeBSD will attempt to detect it;
however, the attempt may fail.To work around this problem, you need to use the
kernel option specified below. There is a way to get complete
memory information from the BIOS, but we don't have room in the
bootblocks to do it. Someday when lack of room in the bootblocks
is fixed, we'll use the extended BIOS functions to get the full
memory information...but for now we're stuck with the kernel
option.options "MAXMEM=n"Where n is your memory in Kilobytes. For a 128 MB machine,
you'd want to use 131072.FreeBSD 2.0 panics with kmem_map too small!The message may also be
mb_map too small!The panic indicates that the system ran out of virtual memory for
network buffers (specifically, mbuf clusters). You can increase
the amount of VM available for mbuf clusters by adding:options "NMBCLUSTERS=n"to your kernel config file, where n is a number in the
range 512-4096, depending on the number of concurrent TCP
connections you need to support. I'd recommend trying 2048 - this
should get rid of the panic completely. You can monitor the
number of mbuf clusters allocated/in use on the system with
netstat -m. The default value for NMBCLUSTERS is
512 + MAXUSERS * 16.CMAP busy panic when rebooting with a new kernel.The logic that attempts to detect an out of date
/var/db/kvm_*.db files sometimes fails and using a
mismatched file can sometimes lead to panics.If this happens, reboot single-user and do:&prompt.root; rm /var/db/kvm_*.dbahc0: brkadrint, Illegal Host Access at seqaddr 0x0This is a conflict with an Ultrastor SCSI Host Adapter. During the boot process enter the kernel configuration menu and
disable uha0,
which is causing the problem.Sendmail says mail loops back to myselfThis is answered in the sendmail FAQ as follows:- * I'm getting "Local configuration error" messages, such as:
553 relay.domain.net config error: mail loops back to myself
554 <user@domain.net>... Local configuration error
How can I solve this problem?
You have asked mail to the domain (e.g., domain.net) to be
forwarded to a specific host (in this case, relay.domain.net)
by using an MX record, but the relay machine doesn't recognize
itself as domain.net. Add domain.net to /etc/sendmail.cw
(if you are using FEATURE(use_cw_file)) or add "Cw domain.net"
to /etc/sendmail.cf.
The current version of the sendmail FAQ is no longer maintained with the sendmail
release. It is however regularly posted to
comp.mail.sendmail,
comp.mail.misc,
comp.mail.smail,
comp.answers, and
news.answers.
You can also receive a copy via email by sending a message to
mail-server@rtfm.mit.edu
with the command send usenet/news.answers/mail/sendmail-faq as the body of the
message.Full screen applications on remote machines misbehaveThe remote machine may be setting your terminal type
to something other than the cons25 terminal type
required by the FreeBSD console.There are a number of possible work-arounds for this problem:
After logging on to the remote machine, set your TERM shell
variable to ansi or
sco if the remote machine knows
about these terminal types.Use a VT100 emulator like screen
at the FreeBSD console.
screen offers you the ability to run multiple
concurrent sessions from one terminal, and is a neat program in its own right.
Each screen window behaves like a VT100 terminal,
so the TERM variable at the remote end should be set to
vt100.
Install the cons25 terminal database entry on
the remote machine. The way to do this depends on the operating system on the
remote machine. The system administration manuals for the remote system
should be able to help you here.Fire up an X server at the FreeBSD end and login to the remote machine
using an X based terminal emulator such as xterm or
rxvt. The TERM variable at the remote host
should be set to xterm or vt100.My machine prints calcru: negative time...This can be caused by various hardware and/or software ailments
relating to interrupts. It may be due to bugs but can also happen
by nature of certain devices. Running TCP/IP over the parallel
port using a large MTU is one good way to provoke this problem.
Graphics accelerators can also get you here, in which case you
should check the interrupt setting of the card first.A side effect of this problem are dying processes with the
message SIGXCPU exceeded cpu time limit.For FreeBSD 3.0 and later from Nov 29, 1998 forward: If the
problem cannot be fixed otherwise the solution is to set
this sysctl variable:&prompt.root; sysctl -w kern.timecounter.method=1 This means a performance impact, but considering the cause of
this problem, you probably will not notice. If the problem
persists, keep the sysctl set to one and set the NTIMECOUNTER
option in your kernel to increasingly large values. If by the
time you have reached NTIMECOUNTER=20 the problem isn't
solved, interrupts are too hosed on your machine for reliable
timekeeping.Commercial ApplicationsThis section is still very sparse, though we're hoping, of
course, that companies will add to it! :) The FreeBSD group has no
financial interest in any of the companies listed here but simply
lists them as a public service (and feels that commercial interest
in FreeBSD can have very positive effects on FreeBSD's long-term
viability). We encourage commercial software vendors to send their
entries here for inclusion. See
the Vendors
page for a longer list.Where can I get Motif for FreeBSD?Contact Apps2go for the least expensive
ELF Motif 2.1.20 distribution for FreeBSD (either i386 or
Alpha).There are two distributions, the developement edition and the
runtime edition (for much less). These distributions includes:
OSF/Motif manager, xmbind, panner, wsm.
Development kit with uil, mrm, xm, xmcxx, include and Imake
files.
Static and dynamic ELF libraries (for use with FreeBSD 3.0
and above).
Demonstration applets.Be sure to specify that you want the FreeBSD version of Motif when
ordering (don't forget to mention the architecture you want too)! Versions
for NetBSD and OpenBSD are also sold by Apps2go.
This is currently a FTP only download.More infoApps2go WWW pageorSales or
Support email addresses.orphone (817) 431 8775 or +1 817 431-8775Contact Metro Link for an either ELF or
a.out Motif 2.1 distribution for FreeBSD.This distribution includes:
OSF/Motif manager, xmbind, panner, wsm.
Development kit with uil, mrm, xm, xmcxx, include and Imake
files.
Static and dynamic libraries (specify ELF for use with FreeBSD
3.0 and later; or a.out for use with FreeBSD 2.2.8 and eariler).
Demonstration applets.
Preformatted man pages.Be sure to specify that you want the FreeBSD version of Motif
when ordering! Versions for Linux are also sold by
Metro Link. This is available on either a CDROM or for
FTP download.Contact Xi Graphics for an a.out Motif 2.0
distribution for FreeBSD.This distribution includes:
OSF/Motif manager, xmbind, panner, wsm.
Development kit with uil, mrm, xm, xmcxx, include and Imake
files.
Static and dynamic libraries (for use with FreeBSD 2.2.8 and
eariler).
Demonstration applets.
Preformatted man pages.Be sure to specify that you want the FreeBSD version of Motif
when ordering! Versions for BSDI and Linux are also sold by
Xi Graphics. This is currently a 4 diskette set... in the
future this will change to a unified CD distribution like their CDE.Where can I get CDE for FreeBSD?Xi Graphics used to sell CDE for
FreeBSD, but no longer do.KDE is an open source
X11 desktop which is similar to CDE in many respects.
You might also like the look and feel of xfce. KDE and xfce are both
in the ports
system. Are there any commercial high-performance X servers?
Yes, Xi Graphics and
Metro Link sells
Accelerated-X product for FreeBSD and other Intel based systems.
The Metro Link offering is a high performance X Server that offers
easy configuration using the FreeBSD Package suite of tools, support
for multiple concurrent video boards and is distributed in binary
form only, in a convienent FTP download. Not to mention the Metro
Link offering is available at the very reasonable price of $39.
Metro Link also sells both ELF and a.out Motif for FreeBSD (see above).More infoMetro Link WWW pageorSales or
Support email addresses.orphone (954) 938-0283 or +1 954 938-0283The Xi Graphics offering is a high performance X Server that offers
easy configuration, support
for multiple concurrent video boards and is distributed in binary
form only, in a unified diskette distribution for FreeBSD and Linux.
Xi Graphics also offers a high performance X Server taylored for
laptop support.There is a free compatibility demo of version 5.0 available.Xi Graphics also sells Motif and CDE for FreeBSD (see above).More infoXi Graphics WWW pageorSales or
Support email addresses.orphone (800) 946 7433 or +1 303 298-7478.Are there any Database systems for FreeBSD?Yes! See the
Commercial Vendors section of FreeBSD's Web site.Also see the Databases section of the Ports collection.Can I run Oracle on FreeBSD?Yes. The following pages tell you exactly how to setup Linux-Oracle
on FreeBSD:http://www.scc.nl/~marcel/howto-oracle.htmlhttp://www.lf.net/lf/pi/oracle/install-linux-oracle-on-freebsdUser ApplicationsSo, where are all the user applications?Please take a look at the
ports page for info on software packages ported to
FreeBSD. The list currently tops 3400 and is growing daily, so come
back to check often or subscribe to the freebsd-announce
mailing list for periodic updates on new
entries.Most ports should be available for the 2.2, 3.x and 4.x
branches, and many of them should work on 2.1.x systems as
well. Each time a FreeBSD release is made, a snapshot of the
ports tree at the time of release in also included in the
ports/ directory.We also support the concept of a package, essentially no
more than a gzipped binary distribution with a little extra
intelligence embedded in it for doing whatever custom installation
work is required. A package can be installed and uninstalled
again easily without having to know the gory details of which
files it includes.Use the package installation menu in /stand/sysinstall
(under the post-configuration menu item) or invoke the
pkg_add(1) command on the specific package files you're
interested in installing. Package files can usually be identified by
their .tgz suffix and CDROM distribution people will have
a packages/All directory on their CD which contains such
files. They can also be downloaded over the net for various versions
of FreeBSD at the following locations:for 2.2.8-RELEASE/2.2.8-STABLEftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-2.2.8/for 3.X-RELEASE/3.X-STABLEftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/for 4.1-RELEASE/4-STABLEftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/for 5.X-CURRENTftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-currentor your nearest local mirror site.Note that all ports may not be available as packages since
new ones are constantly being added. It is always a good
idea to check back periodically to see which packages are available
at the ftp.FreeBSD.org master site.Why is /bin/sh so minimal? Why doesn't
FreeBSD use bash or another shell?Because POSIX says that there shall be such a shell.The more complicated answer: many people need to write shell
scripts which will be portable across many systems. That's why
POSIX specifies the shell and utility commands in great detail.
Most scripts are written in Bourne shell, and because several
important programming interfaces (&man.make.1;, &man.system.3;,
&man.popen.3;, and analogues in higher-level scripting languages
like Perl and Tcl) are specified to use the Bourne shell to
interpret commands. Because the Bourne shell is so often and
widely used, it is important for it to be quick to start, be
deterministic in its behavior, and have a small memory
footprint.The existing implementation is our best effort at meeting as
many of these requirements simultaneously as we can. In order to
keep /bin/sh small, we have not provided many
of the convenience features that other shells have. That's why the
Ports Collection includes more featureful shells like bash, scsh,
tcsh, and zsh. (You can compare for yourself the memory
utilization of all these shells by looking at the
VSZ and RSS columns in a ps
-u listing.)Where do I find libc.so.3.0?You are trying to run a package built on 2.2 and later on a 2.1.x
system. Please take a look at the previous section and get
the correct port/package for your system.I get a message Error: can't find
libc.so.4.0You accidently downloaded packages meant for 4.X and 5.X
systems and attempted to install them on your 2.X or 3.X FreeBSD system.
Please download the correct version of the
packages. ghostscript gives lots of errors with my 386/486SX.
You don't have a math co-processor, right?
You will need to add the alternative math emulator to your kernel;
you do this by adding the following to your kernel config file
and it will be compiled in.options GPL_MATH_EMULATEYou will need to remove the MATH_EMULATE
option when you do this. When I run a SCO/iBCS2 application, it bombs on
socksys (FreeBSD 3.0 and older only).
You first need to edit the /etc/sysconfig
(or /etc/rc.conf) file in the last section to change the
following variable to YES:# Set to YES if you want ibcs2 (SCO) emulation loaded at startup
ibcs2=NOIt will load the ibcs2
kernel module at startup.You'll then need to set up /compat/ibcs2/dev to look like:lrwxr-xr-x 1 root wheel 9 Oct 15 22:20 X0R@ -> /dev/null
lrwxr-xr-x 1 root wheel 7 Oct 15 22:20 nfsd@ -> socksys
-rw-rw-r-- 1 root wheel 0 Oct 28 12:02 null
lrwxr-xr-x 1 root wheel 9 Oct 15 22:20 socksys@ -> /dev/null
crw-rw-rw- 1 root wheel 41, 1 Oct 15 22:14 spxYou just need socksys to go to /dev/null
to fake the open & close. The code in -CURRENT will handle the
rest. This is much cleaner than the way it was done before. If you
want the spx driver for a local socket X connection, define
SPX_HACK when you compile the system. How do I configure INN (Internet News) for my machine?
After installing the inn package or port, an excellent place to
start is Dave Barr's INN Page where you'll find the INN FAQ.What version of Microsoft FrontPage should I get?Use the Port, Luke! A pre-patched version of Apache is available
in the ports tree.Does FreeBSD support Java?Yes. Please see http://www.FreeBSD.org/java/.Why can't I build this port on my 3.X-STABLE machine?If you're running a FreeBSD version that lags significantly behind
-CURRENT or -STABLE, you may need a ports upgrade kit from
http://www.FreeBSD.org/ports/. If you are up to date, then
someone might have committed a change to the port which works for
-CURRENT but which broke the port for -STABLE. Please submit a bug
report on this with the send-pr(1) command, since the ports
collection is supposed to work for both the -CURRENT and -STABLE
branches.Where do I find ld.so?If you want to run some aout applications like
Netscape Navigator on an Elf'ened machine such as 3.1-R or later,
it would need /usr/libexec/ld.so and some aout libs.
They are included in the compat22 distribution.
Use /stand/sysinstall or
install.sh in the compat22 subdirectory
and install it.
Also read ERRATAs for 3.1-R and 3.2-R.Kernel Configuration I'd like to customize my kernel. Is it difficult?
Not at all! Check out the kernel config section of the Handbook.I recommend making a dated snapshot of your kernel
in kernel.YYMMDD after you get it all working, that way if
you do something dire the next time you play with your configuration
you can boot that kernel instead of having to go all the way back
to kernel.GENERIC. This is particularly important if you're
now booting off a controller that isn't supported in the GENERIC
kernel (yes, personal experience). My kernel compiles fail because _hw_float is missing.
Let me guess. You removed npx0 from your
kernel configuration file because you don't have a math co-processor,
right? Wrong! :-) The npx0 is MANDATORY. Even if you don't
have a mathematic co-processor, you must
include the npx0
device.Why is my kernel so big (over 10MB)?Chances are, you compiled your kernel in
debug mode. Kernels built in debug
mode contain many symbols that are used for debugging, thus
greatly increasing the size of the kernel. Note that if you
running a FreeBSD 3.0 or later system, there will be little
or no performance decrease from running a debug kernel,
and it is useful to keep one around in case of a system
panic.However, if you are running low on disk space, or
you simply don't want to run a debug kernel, make sure
that both of the following are true:You do not have a line in your kernel
configuration file that reads:makeoptions DEBUG=-gYou are not running config with
the option.Both of the above situations will cause your kernel to
be built in debug mode. As long as you make sure you follow
the steps above, you can build your kernel normally, and you
should notice a fairly large size decrease; most kernels
tend to be around 1.5MB to 2MB.Interrupt conflicts with multi-port serial code.Q. When I compile a kernel with multi-port serial code, it
tells me that only the first port is probed and the rest skipped due to
interrupt conflicts. How do I fix this?A. The problem here is that FreeBSD has code built-in to keep
the kernel from getting trashed due to hardware or software
conflicts. The way to fix this is to leave out the IRQ settings
on all but one port. Here is a example:#
# Multiport high-speed serial line - 16550 UARTS
#
device sio2 at isa? port 0x2a0 tty irq 5 flags 0x501 vector siointr
device sio3 at isa? port 0x2a8 tty flags 0x501 vector siointr
device sio4 at isa? port 0x2b0 tty flags 0x501 vector siointr
device sio5 at isa? port 0x2b8 tty flags 0x501 vector siointrHow do I enable support for QIC-40/80 drives?You need to uncomment the following line in the generic config
file (or add it to your config file), add a flags 0x1
on the fdc line and recompile.controller fdc0 at isa? port "IO_FD1" bio irq 6 drq 2 flags 0x1 vector fdintr
disk fd0 at fdc0 drive 0 ^^^^^^^^^
disk fd1 at fdc0 drive 1
#tape ft0 at fdc0 drive 2
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^Next, you create a device called /dev/ft0 by going into
/dev and run the following command:&prompt.root; sh MAKEDEV ft0for the first device. ft1 for a second one and so on.You will have a device called /dev/ft0, which you can
write to through a special program to manage it called
fd - see the man page on ft
for further details.Versions previous to also had some trouble dealing
with bad tape media; if you have trouble where ft seems to
go back and forth over the same spot, try grabbing the latest
version of ft from /usr/src/sbin/ft in
and try that.System AdministrationWhere are the system start-up configuration files?From 2.0.5R to 2.2.1R, the primary configuration file is
/etc/sysconfig. All the options are to be specified in
this file and other files such as /etc/rc and
/etc/netstart just include it.Look in the /etc/sysconfig file and change the value to
match your system. This file is filled with comments to show what
to put in there.In post-2.2.1 and 3.0, /etc/sysconfig was renamed
to a more self-describing rc.conf
file and the syntax cleaned up a bit in the process.
/etc/netstart was also renamed to /etc/rc.network
so that all files could be copied with a cp /usr/src/etc/rc*
/etc command.And, in 3.1 and later, /etc/rc.conf has
been moved to /etc/defaults/rc.conf. Do not edit
this file! Instead, if there is any entry in
/etc/defaults/rc.conf that you want to change,
you should copy the line into /etc/rc.conf and
change it there.For example, if you wish to start named, the DNS server included
with FreeBSD in FreeBSD 3.1 or later, all you need to do is:&prompt.root; echo named_enable="YES" >>
/etc/rc.confTo start up local services in FreeBSD 3.1 or later, place shell
scripts in the /usr/local/etc.rd directory. These
shell scripts should be set executable, and end with a .sh. In FreeBSD
3.0 and earlier releases, you should edit the
/etc/rc.local file.The /etc/rc.serial is for serial port initialization
(e.g. locking the port characteristics, and so on.).The /etc/rc.i386 is for Intel-specifics settings, such
as iBCS2 emulation or the PC system console configuration.How do I add a user easily?Use the adduser command. For more complicated usage, the
pw command.To remove the user again, use the rmuser
command. Once again, pw will work as well.How can I add my new hard disk to my FreeBSD system?See the Disk Formatting Tutorial at
www.FreeBSD.org.I have a new removable drive, how do I use it?Whether it's a removable drive like a ZIP or an EZ drive (or
even a floppy, if you want to use it that way), or a new hard
disk, once it's installed and recognized by the system, and
you have your cartridge/floppy/whatever slotted in, things are
pretty much the same for all devices.(this section is based on Mark Mayo's ZIP FAQ)If it's a ZIP drive or a floppy , you've already got a DOS
filesystem on it, you can use a command like this:&prompt.root; mount -t msdos /dev/fd0c /floppyif it's a floppy, or this:&prompt.root; mount -t msdos /dev/da2s4 /zipfor a ZIP disk with the factory configuration.For other disks, see how they're laid out using fdisk or
/stand/sysinstall.The rest of the examples will be for a ZIP drive on da2, the third
SCSI disk.Unless it's a floppy, or a removable you plan on sharing with
other people, it's probably a better idea to stick a BSD file
system on it. You'll get long filename support, at least a 2X
improvement in performance, and a lot more stability. First, you
need to redo the DOS-level partitions/filesystems. You can either
use fdisk or /stand/sysinstall, or for a small
drive that you don't want to bother with multiple operating system
support on, just blow away the whole FAT partition table (slices)
and just use the BSD partitioning:&prompt.root; dd if=/dev/zero of=/dev/rda2 count=2
&prompt.root; disklabel -Brw da2 autoYou can use disklabel or /stand/sysinstall to create multiple
BSD partitions. You'll certainly want to do this if you're adding
swap space on a fixed disk, but it's probably irrelevant on a
removable drive like a ZIP.Finally, create a new file system, this one's on our ZIP drive
using the whole disk:&prompt.root; newfs /dev/rda2cand mount it:&prompt.root; mount /dev/da2c /zipand it's probably a good idea to add a line like this to
/etc/fstab so you can just type
mount /zip in the
future:/dev/da2c /zip ffs rw,noauto 0 0Why do I keep getting messages like root: not
found after editing my crontab file?This is normally caused by editing the system crontab
(/etc/crontab) and then using
&man.crontab.1; to install it:&prompt.root; crontab /etc/crontabThis is not the correct way to do things. The system
crontab has a different format to the per-user crontabs
which &man.crontab.1; updates (the &man.crontab.5; manual
page explains the differences in more detail).If this is what you did, you should delete the
/var/cron/tabs/root, since it will
simply be a copy of /etc/crontab,
in the wrong format. Next time, when you edit
/etc/crontab, you should not do
anything to inform &man.cron.8; of the changes, since it
will notice them automatically.The actual reason for the error is that the system
crontab has an extra field, specifying which user to run the
command as. In the default system crontab provided with
FreeBSD, this is root for all entries.
When this crontab is used as the root
user's crontab (which is not the
same as the system crontab), &man.cron.8; assumes the string
root is the first word of the command to
execute, but no such command exists.I made a mistake in rc.conf, and
now I can't edit it because the filesystem is read-only.
What should I do?When you get the prompt to enter the shell
pathname, simply press ENTER, and run
mount / to re-mount the root filesystem
in read/write mode. You may also need to run mount
-a -t ufs to mount the filesystem where your
favourite editor is defined. If your favourite editor is on
a network filesystem, you will need to either configure the
network manually before you can mount network filesystems,
or use an editor which resides on a local filesystem, such
as &man.ed.1;.If you intend to use a full screen editor such
as &man.vi.1; or &man.emacs.1;, you may also need to
run export TERM=cons25 so that these
editors can load the correct data from the &man.termcap.5;
database.Once you have performed these steps, you can edit
/etc/rc.conf as you usually would
to fix the syntax error. The error message displayed
immediately after the kernel boot messages should tell you
the number of the line in the file which is at fault.How do I mount a secondary DOS partition?The secondary DOS partitions are found after ALL the primary
partitions. For example, if you have an E partition as the
second DOS partition on the second SCSI drive, you need to create
the special files for slice 5 in /dev, then mount /dev/da1s5:&prompt.root; cd /dev
&prompt.root; sh MAKEDEV da1s5
&prompt.root; mount -t msdos /dev/da1s5 /dos/eCan I mount other foreign filesystems under FreeBSD? Digital UNIX UFS CDROMs can be mounted directly on FreeBSD.
Mounting disk partitions from Digital UNIX and other systems
that support UFS may be more complex, depending on the details
of the disk partitioning for the operating system in question. Linux: 2.2 and later have support for ext2fs partitions.
See mount_ext2fs for more information. NT: A read-only NTFS driver exists for FreeBSD. For more
information, see this tutorial by Mark Ovens at
http://ukug.uk.freebsd.org/~mark/ntfs_install.html.Any other information on this subject would be appreciated.How can I use the NT loader to boot FreeBSD?This procedure is slightly different for 2.2.x and 3.x (with the
3-stage boot) systems.The general idea is that you copy the first sector of your
native root FreeBSD partition into a file in the DOS/NT
partition. Assuming you name that file something like
c:\bootsect.bsd (inspired by c:\bootsect.dos),
you can then edit the c:\boot.ini file to come up with
something like this:[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows NT"
C:\BOOTSECT.BSD="FreeBSD"
C:\="DOS"For 2.2.x systems this procedure assumes that DOS, NT, FreeBSD, or whatever
have been installed into their respective fdisk partitions on the
same disk. In my case DOS & NT are in the first fdisk
partition and FreeBSD is in the second. I also installed FreeBSD
to boot from its native partition, not the disk MBR.Mount a DOS-formatted floppy (if you've converted to NTFS) or the
FAT partition, under, say, /mnt.&prompt.root; dd if=/dev/rda0a of=/mnt/bootsect.bsd bs=512 count=1Reboot into DOS or NT. NTFS users copy the bootsect.bsd
and/or the bootsect.lnx file from the floppy to
C:\. Modify the attributes (permissions) on
boot.ini with:C:\>attrib -s -r c:\boot.iniEdit to add the appropriate entries from the example
boot.ini above, and restore the attributes:C:\>attrib +s +r c:\boot.iniIf FreeBSD is booting from the MBR, restore it with the DOS
fdisk command after you reconfigure them to boot from their
native partitions.For FreeBSD 3.x systems the procedure is somewhat simpler.If FreeBSD is installed on the same disk as the NT boot partition
simply copy /boot/boot1 to
C:\BOOTSECT.BSD However, if FreeBSD is installed
on a different disk /boot/boot1 will not work,
/boot/boot0 is needed.
DO NOT SIMPLY COPY /boot/boot0 INSTEAD OF
/boot/boot1, YOU WILL OVERWRITE YOUR PARTITION
TABLE AND RENDER YOUR COMPUTER UN-BOOTABLE!/boot/boot0 needs to be installed using
sysinstall by selecting the FreeBSD boot manager on the screen which
asks if you wish to use a boot manager. This is because
/boot/boot0 has the partition table area filled
with NULL characters but sysinstall copies the partition table before
copying /boot/boot0 to the MBR.When the FreeBSD boot manager runs it records the last OS booted
by setting the active flag on the partition table entry for that OS
and then writes the whole 512-bytes of itself back to the MBR so if
you just copy /boot/boot0 to
C:\BOOTSECT.BSD then it writes an empty partition
table, with the active flag set on one entry, to the MBR. How do I boot FreeBSD and Linux from LILO?
If you have FreeBSD and Linux on the same disk, just follow
LILO's installation instructions for booting a non-Linux operating
system. Very briefly, these are:Boot Linux, and add the following lines to
/etc/lilo.conf:
other=/dev/hda2
table=/dev/hda
label=FreeBSD
(the above assumes that your FreeBSD slice is known to Linux as
/dev/hda2; tailor to suit your setup). Then,
run lilo as root and you should be done.If FreeBSD resides on another disk, you need to add
loader=/boot/chain.b to the LILO entry.
For example:
other=/dev/dab4
table=/dev/dab
loader=/boot/chain.b
label=FreeBSDIn some cases you may need to specify the BIOS drive number
to the FreeBSD boot loader to successfully boot off the second disk.
For example, if your FreeBSD SCSI disk is probed by BIOS as BIOS
disk 1, at the FreeBSD boot loader prompt you need to specify:Boot: 1:da(0,a)/kernelOn FreeBSD 2.2.5 and later, you can configure boot(8)
to automatically do this for you at boot time.The Linux+FreeBSD mini-HOWTO is a good reference for
FreeBSD and Linux interoperability issues. How do I boot FreeBSD and Linux using BootEasy?
Install LILO at the start of your Linux boot partition instead of
in the Master Boot Record. You can then boot LILO from BootEasy.If you're running Windows-95 and Linux this is recommended anyway,
to make it simpler to get Linux booting again if you should need
to reinstall Windows95 (which is a Jealous Operating System, and
will bear no other Operating Systems in the Master Boot Record). Will a dangerously dedicated disk endanger my health?
The installation procedure allows you to chose
two different methods in partitioning your harddisk(s). The default way
makes it compatible with other operating systems on the same machine,
by using fdisk table entries (called slices in FreeBSD),
with a FreeBSD slice that employs partitions of its own.
Optionally, one can chose to install a boot-selector to switch
between the possible operating systems on the disk(s).
The alternative uses the entire disk for FreeBSD, and makes
no attempt to be compatible with other operating systems.So why it is called dangerous? A disk in this mode
doesn't contain what normal PC utilities would consider a
valid fdisk table. Depending on how well they have been
designed, they might complain at you once they are getting
in contact with such a disk, or even worse, they might
damage the BSD bootstrap without even asking or notifying
you. In addition, the dangerously dedicated disk's layout
is known to confuse many BIOSsen, including those from AWARD
(eg. as found in HP Netserver and Micronics systems as well as
many others) and Symbios/NCR (for the popular 53C8xx range of
SCSI controllers). This isn't a complete list, there are more.
Symptoms of this confusion include the read error message
printed by the FreeBSD bootstrap when it can't find itself,
as well as system lockups when booting.Why have this mode at all then? It only saves a few kbytes
of disk space, and it can cause real problems for a new
installation. Dangerously dedicated mode's origins lie
in a desire to avoid one of the most common problems plaguing
new FreeBSD installers - matching the BIOS geometry numbers
for a disk to the disk itself.Geometry is an outdated concept, but one still at the
heart of the PC's BIOS and its interaction with disks. When
the FreeBSD installer creates slices, it has to record the
location of these slices on the disk in a fashion that
corresponds with the way the BIOS expects to find them. If
it gets it wrong, you won't be able to boot.Dangerously dedicated mode tries to work around this
by making the problem simpler. In some cases, it gets it right.
But it's meant to be used as a last-ditch alternative - there
are better ways to solve the problem 99 times out of 100.So, how do you avoid the need for DD mode when you're
installing? Start by making a note of the geometry that your
BIOS claims to be using for your disks. You can arrange to have
the kernel print this as it boots by specifying at the
boot: prompt, or using boot -v in the loader. Just
before the installer starts, the kernel will print a list of
BIOS geometries. Don't panic - wait for the installer to start
and then use scrollback to read the numbers. Typically the BIOS
disk units will be in the same order that FreeBSD lists your
disks, first IDE, then SCSI.When you're slicing up your disk, check that the disk geometry
displayed in the FDISK screen is correct (ie. it matches the BIOS
numbers); if it's wrong, use the g key to fix it. You may have
to do this if there's absolutely nothing on the disk, or if the
disk has been moved from another system. Note that this is only
an issue with the disk that you're going to boot from; FreeBSD
will sort itself out just fine with any other disks you may have.Once you've got the BIOS and FreeBSD agreeing about the
geometry of the disk, your problems are almost guaranteed to be
over, and with no need for DD mode at all. If, however,
you are still greeted with the dreaded read error message
when you try to boot, it's time to cross your fingers and
go for it - there's nothing left to lose.To return a dangerously dedicated disk for normal PC
use, there are basically two options. The first is, you
write enough NULL bytes over the MBR to make any subsequent
installation believe this to be a blank disk. You can do
this for example with&prompt.root; dd if=/dev/zero of=/dev/rda0 count=15Alternatively, the undocumented DOS featureC:\>fdisk /mbrwill to install a new master boot record as well, thus clobbering the
BSD bootstrap.How can I add more swap space?The best way is to increase the size of your swap partition, or
take advantage of this convenient excuse to add another disk. The
general rule of thumb is to have around 2x the swap space as you have
main memory. However, if you have a very small amount of main memory
you may want to configure swap beyond that. It is also a good idea
to configure sufficient swap relative to anticipated future memory
upgrades so you do not have to futz with your swap configuration later.Adding swap onto a separate disk makes things faster than
simply adding swap onto the same disk. As an example, if you
are compiling source located on one disk, and the swap is on
another disk, this is much faster than both swap and compile
on the same disk. This is true for SCSI disks specifically.When you have several disks, configuring a swap partition on
each one is usually beneficial, even if you wind up putting swap on a
work disk. Typically, each fast disk in your system should have some
swap configured. FreeBSD supports up to 4 interleaved swap devices by
default. When configuring multiple swap partitions you generally
want to make them all about the same size, but people sometimes make
their primary swap parition larger in order to accomodate a kernel
core dump. Your primary swap partition must be at least as large as
main memory in order to be able to accomodate a kernel core.IDE drives are not able to allow access to both drives on
the same channel at the same time (FreeBSD doesn't support mode 4, so
all IDE disk I/O is programmed). I would still suggest putting
your swap on a separate drive however. The drives are so cheap,
it is not worth worrying about.Swapping over NFS is only recommended if you do not have a local
disk to swap to. Swapping over NFS is slow and inefficient in FreeBSD
releases prior to 4.x, but reasonably fast in releases greater or
equal to 4.0. Even so, it will be limited to the network bandwidth
available and puts an additional burden on the NFS server.Here is an example for 64Mb vn-swap (/usr/swap0, though
of course you can use any name that you want).Make sure your kernel was built with the linepseudo-device vn 1 #Vnode driver (turns a file into a device)in your config-file. The GENERIC kernel already contains this.create a vn-device&prompt.root; cd /dev
&prompt.root; sh MAKEDEV vn0create a swapfile (/usr/swap0)&prompt.root; dd if=/dev/zero of=/usr/swap0 bs=1024k count=64set proper permissions on (/usr/swap0)&prompt.root; chmod 0600 /usr/swap0enable the swap file in /etc/rc.confswapfile="/usr/swap0" # Set to name of swapfile if aux swapfile desired.reboot the machineTo enable the swap file immediately, type&prompt.root; vnconfig -ce /dev/vn0c /usr/swap0 swapI'm having problems setting up my printer.Please have a look at the Handbook entry on printing. It
should cover most of your problem. See the
Handbook entry on printing.The keyboard mappings are wrong for my system.The kbdcontrol program has an option to load a keyboard map file.
Under /usr/share/syscons/keymaps are a number of map
files. Choose the one relevant to your system and load it.&prompt.root; kbdcontrol -l uk.isoBoth the /usr/share/syscons/keymaps and the .kbd
extension are assumed by
kbdcontrol.This can be configured in /etc/sysconfig (or rc.conf).
See the appropriate comments in this file.In 2.0.5R and later, everything related to text fonts, keyboard
mapping is in /usr/share/examples/syscons.The following mappings are currently supported:Belgian ISO-8859-1 Brazilian 275 keyboard Codepage 850 Brazilian 275 keyboard ISO-8859-1 Danish Codepage 865 Danish ISO-8859-1 French ISO-8859-1 German Codepage 850 German ISO-8859-1 Italian ISO-8859-1 Japanese 106 Japanese 106x Latin American Norwegian ISO-8859-1 Polish ISO-8859-2 (programmer's) Russian Codepage 866 (alternative) Russian koi8-r (shift) Russian koi8-r Spanish ISO-8859-1 Swedish Codepage 850 Swedish ISO-8859-1 Swiss-German ISO-8859-1 United Kingdom Codepage 850 United Kingdom ISO-8859-1 United States of America ISO-8859-1 United States of America dvorak United States of America dvorakx I can't get user quotas to work properly.Don't turn on quotas on /,
Put the quota file on the file system that the quotas are
to be enforced on. ie:
FS QUOTA FILE
/usr /usr/admin/quotas
/home /home/admin/quotas
...What's inappropriate about my ccd?The symptom of this is:&prompt.root; ccdconfig -C
ccdconfig: ioctl (CCDIOCSET): /dev/ccd0c: Inappropriate file type or formatThis usually happens when you are trying to concatenate the
c partitions, which default to type unused. The ccd
driver requires the underlying partition type to be
FS_BSDFFS. Edit the disklabel of the disks you are trying
to concatenate and change the types of partitions to
4.2BSD.Why can't I edit the disklabel on my ccd?The symptom of this is:&prompt.root; disklabel ccd0
(it prints something sensible here, so let's try to edit it)
&prompt.root; disklabel -e ccd0
(edit, save, quit)
disklabel: ioctl DIOCWDINFO: No disk label on disk;
use "disklabel -r" to install initial labelThis is because the disklabel returned by ccd is actually a
fake one that is not really on the disk. You can solve
this problem by writing it back explicitly, as in:&prompt.root; disklabel ccd0 > /tmp/disklabel.tmp
&prompt.root; disklabel -Rr ccd0 /tmp/disklabel.tmp
&prompt.root; disklabel -e ccd0
(this will work now)Does FreeBSD support System V IPC primitives?Yes, FreeBSD supports System V-style IPC. This includes shared
memory, messages and semaphores. You need to add the following
lines to your kernel config to enable them.options SYSVSHM
options SYSVSHM # enable shared memory
options SYSVSEM # enable for semaphores
options SYSVMSG # enable for messagingIn FreeBSD 3.2 and later, these options are already part
of the GENERIC kernel, which means they should
already be compiled into your system.Recompile and install your kernel. How do I use sendmail for mail delivery with UUCP?
The sendmail configuration that ships with FreeBSD is
suited for sites that connect directly to the Internet.
Sites that wish to exchange their mail via UUCP must install
another sendmail configuration file.Tweaking /etc/sendmail.cf manually is considered
something for purists. Sendmail version 8 comes with a
new approach of generating config files via some
m4 preprocessing, where the actual hand-crafted configuration
is on a higher abstraction level. You should use the
configuration files under
/usr/src/usr.sbin/sendmail/cfIf you didn't install your system with full sources, the sendmail
config stuff has been broken out into a separate source distribution
tarball just for you. Assuming you've got your CD-ROM mounted, do:&prompt.root; cd /cdrom/src
&prompt.root; cat scontrib.?? | tar xzf - -C /usr/src contrib/sendmailDon't panic, this is only a few hundred kilobytes in size.
The file README in the cf directory can
serve as a basic introduction to m4 configuration.For UUCP delivery, you are best advised to use the
mailertable feature. This constitutes a database
that sendmail can use to base its routing decision upon.First, you have to create your .mc file. The
directory /usr/src/usr.sbin/sendmail/cf/cf is the
home of these files. Look around, there are already a few
examples. Assuming you have named your file foo.mc,
all you need to do in order to convert it into a valid
sendmail.cf is:
&prompt.root; cd /usr/src/usr.sbin/sendmail/cf/cf
&prompt.root; make foo.cf
&prompt.root; cp foo.cf /etc/sendmail.cfA typical .mc file might look like:include(`../m4/cf.m4')
VERSIONID(`Your version number')
OSTYPE(bsd4.4)
FEATURE(nodns)
FEATURE(nocanonify)
FEATURE(mailertable)
define(`UUCP_RELAY', your.uucp.relay)
define(`UUCP_MAX_SIZE', 200000)
MAILER(local)
MAILER(smtp)
MAILER(uucp)
Cw your.alias.host.name
Cw youruucpnodename.UUCPThe nodns and nocanonify features will
prevent any usage of the DNS during mail delivery. The
UUCP_RELAY clause is needed for bizarre reasons,
don't ask. Simply put an Internet hostname there that
is able to handle .UUCP pseudo-domain addresses; most likely,
you will enter the mail relay of your ISP there.Once you've got this, you need this file called
/etc/mailertable. A typical example of this
gender again:#
# makemap hash /etc/mailertable.db < /etc/mailertable
#
horus.interface-business.de uucp-dom:horus
.interface-business.de uucp-dom:if-bus
interface-business.de uucp-dom:if-bus
.heep.sax.de smtp8:%1
horus.UUCP uucp-dom:horus
if-bus.UUCP uucp-dom:if-bus
. uucp-dom:As you can see, this is part of a real-life file. The first
three lines handle special cases where domain-addressed mail
should not be sent out to the default route, but instead to
some UUCP neighbor in order to shortcut the delivery
path. The next line handles mail to the local Ethernet
domain that can be delivered using SMTP. Finally, the UUCP
neighbors are mentioned in the .UUCP pseudo-domain notation,
to allow for a
uucp-neighbor!recipient
override of the
default rules. The last line is always a single dot, matching
everything else, with UUCP delivery to a UUCP neighbor that
serves as your universal mail gateway to the world. All of
the node names behind the uucp-dom: keyword must
be valid UUCP neighbors, as you can verify using the
command uuname.As a reminder that this file needs to be converted into a
DBM database file before being usable, the command line to
accomplish this is best placed as a comment at the top of
the mailertable. You always have to execute this command
each time you change your mailertable.Final hint: if you are uncertain whether some particular
mail routing would work, remember the option to
sendmail. It starts sendmail in address test mode;
simply enter 0 , followed by the address you wish to
test for the mail routing. The last line tells you the used
internal mail agent, the destination host this agent will be
called with, and the (possibly translated) address. Leave
this mode by typing Control-D.&prompt.user; sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
>0 foo@interface-business.de
rewrite: ruleset 0 input: foo @ interface-business . de
...
rewrite: ruleset 0 returns: $# uucp-dom $@ if-bus $: foo \
< @ interface-business . de >
>^D How do I set up mail with a dialup connection to the 'net?
If you've got a statically assigned IP number, you should not
need to adjust anything from the default. Set your host name up
as your assigned internet name and sendmail will do the rest.If you've got a dynamically assigned IP number and use a dialup
ppp connection to the internet, you will probably be given a
mailbox on your ISPs mail server. Lets assume your ISPs domain is
myISP.com, and that your user name is user. Lets also
assume you've called your machine bsd.home and that your ISP
has told you that you may use relay.myISP.com as a mail relay.In order to retrieve mail from your mailbox, you'll need to
install a retrieval agent. Fetchmail is a good choice as it
supports many different protocols. Usually, POP3 will be provided
by your ISP. If you've chosen to use user-ppp, you can automatically
fetch your mail when a connection to the 'net is established with the
following entry in /etc/ppp/ppp.linkup:MYADDR:
!bg su user -c fetchmailIf you are using sendmail (as shown below) to deliver mail to
non-local accounts, put the command !bg su user -c "sendmail -q"after the above shown entry. This forces sendmail to process your
mailqueue as soon as the connection to the 'net is established.I'm assuming that you have an account for user on bsd.home.
In the home directory of user on bsd.home, create a
.fetchmailrc file:poll myISP.com protocol pop3 fetchall pass MySecretNeedless to say, this file should not be readable by anyone except
user as it contains the password MySecret.In order to send mail with the correct from: header, you must
tell sendmail to use user@myISP.com rather than
user@bsd.home. You may also wish to tell sendmail to send all
mail via relay.myISP.com, allowing quicker mail transmission.The following .mc file should suffice:VERSIONID(`bsd.home.mc version 1.0')
OSTYPE(bsd4.4)dnl
FEATURE(nouucp)dnl
MAILER(local)dnl
MAILER(smtp)dnl
Cwlocalhost
Cwbsd.home
MASQUERADE_AS(`myISP.com')dnl
FEATURE(allmasquerade)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(nocanonify)dnl
FEATURE(nodns)dnl
define(SMART_HOST, `relay.myISP.com')
Dmbsd.home
define(`confDOMAIN_NAME',`bsd.home')dnl
define(`confDELIVERY_MODE',`deferred')dnlRefer to the previous section for details of how to turn this
.mc file into a sendmail.cf file. Also, don't forget to
restart sendmail after updating sendmail.cf.Eek! I forgot the root password!Don't Panic! Simply restart the system, type boot -s
at the Boot: prompt (just -s for FreeBSD releases before 3.2)
to enter Single User mode. At the question about the shell to use,
hit ENTER. You'll be dropped to a &prompt.root; prompt. Enter mount -u / to
remount your root filesystem read/write, then run mount -a to
remount all the filesystems. Run passwd root to
change the root password then run exit
to continue booting. How do I keep Control-Alt-Delete from rebooting the system?
If you are using syscons (the default console driver)
in FreeBSD 2.2.7-RELEASE or later,
build and install a new kernel with the lineoptions SC_DISABLE_REBOOTin the configuration file.
If you use the PCVT console driver
in FreeBSD 2.2.5-RELEASE or later,
use the following kernel configuration line instead:options PCVT_CTRL_ALT_DELFor older versions of FreeBSD,
edit the keymap you are using for the console and replace the
boot keywords with nop. The default keymap is
/usr/share/syscons/keymaps/us.iso.kbd. You may have to instruct
/etc/rc.conf to load this keymap explicitly for the change to
take effect. Of course if you are using an alternate keymap for your
country, you should edit that one instead.How do I reformat DOS text files to UNIX ones?Simply use this perl command:&prompt.user; perl -i.bak -npe 's/\r\n/\n/g' file ...file is the file(s) to process. The modification is done in-place,
with the original file stored with a .bak extension.Alternatively you can use the tr command:&prompt.user; tr -d '\r' < dos-text-file > unix-filedos-text-file is the file containing DOS text while
unix-file will contain the converted output. This can
be quite a bit faster than using perl.How do I kill processes by name?Use killall.Why is su bugging me about not being in root's ACL?
The error comes from the Kerberos distributed authentication system.
The problem isn't fatal but annoying. You can either run su with the -K
option, or uninstall Kerberos as described in the next question.How do I uninstall Kerberos?To remove Kerberos from the system, reinstall the bin distribution
for the release you are running. If you have the CDROM, you can
mount the cd (we'll assume on /cdrom) and run&prompt.root; cd /cdrom/bin
&prompt.root; ./install.shHow do I add pseudoterminals to the system?If you have lots of telnet, ssh, X, or screen users, you'll probably run
out of pseudoterminals. Here's how to add more:Build and install a new kernel with the linepseudo-device pty 256in the configuration file.Run the commands&prompt.root; cd /dev
&prompt.root; sh MAKEDEV pty{1,2,3,4,5,6,7}to make 256 device nodes for the new terminals.Edit /etc/ttys and add lines for each of the 256
terminals. They should match the form of the existing entries, i.e. they look
likettyqc none networkThe order of the letter designations is tty[pqrsPQRS][0-9a-v],
using a regular expression. Reboot the system with the new kernel and you're ready to go.I can't create the snd0 device!There is no snd device. The name is
used as a shorthand for the various devices that make up the
FreeBSD sound driver, such as mixer,
sequencer, and
dsp.To create these devices you should&prompt.root; cd /dev
&prompt.root; sh MAKEDEV snd0How do I re-read /etc/rc.conf and re-start /etc/rc without
a reboot?Go into single user mode and than back to multi user mode.On the console do:&prompt.root; shutdown now
(Note: without -r or -h)
&prompt.root; return
&prompt.root; exitWhat is a sandbox?Sandbox is a security term. It can mean two things:A process which is placed inside a set of virtual walls
that are designed to prevent someone who breaks into the
process from being able to break into the wider system.The process is said to be able to play inside the
walls. That is, nothing the process does in regards to
executing code is supposed to be able to breech the walls
so you do not have to do a detailed audit of its code to
be able to say certain things about its security.The walls might be a userid, for example. This is the
definition used in the security and named man pages.Take the ntalk service, for example (see
/etc/inetd.conf). This service used to run as userid
root. Now it runs as userid tty. The tty user is a
sandbox designed to make it more difficult for someone
who has successfully hacked into the system via ntalk from
being able to hack beyond that user id.A process which is placed inside a simulation of the
machine. This is more hard-core. Basically it means that
someone who is able to break into the process may believe
that he can break into the wider machine but is, in fact,
only breaking into a simulation of that machine and not
modifying any real data.The most common way to accomplish this is to build a
simulated environment in a subdirectory and then run the
processes in that directory chroot'd (i.e. / for that
process is this directory, not the real / of the
system).Another common use is to mount an underlying filesystem
read-only and then create a filesystem layer on top of it
that gives a process a seemingly writeable view into that
filesystem. The process may believe it is able to write
to those files, but only the process sees the effects
- other processes in the system do not, necessarily.An attempt is made to make this sort of sandbox so
transparent that the user (or hacker) does not realize
that he is sitting in it.UNIX implements two core sanboxes. One is at the process
level, and one is at the userid level.Every UNIX process is completely firewalled off from every
other UNIX process. One process can not modify the address space
of another. This is unlike Windows where a process can easily
overwrite the address space of any other, leading to a crash.A UNIX process is owned by a patricular userid. If the
userid is not the root user, it serves to firewall the process
off from processes owned by other users. The userid is also
used to firewall off on-disk data.How do I let ordinary users mount floppies and other removable
media?Ordinary users can be permitted to mount devices. Here is
how:As root assign the appropriate
permissions to the block device associated with the removable
media.For example, to allow users to mount the first floppy
drive, use:&prompt.root; chmod 777 /dev/fd0As root set the sysctl variable
vfs.usermount to
1.&prompt.root; sysctl -w vfs.usermount=1Users can now mount /dev/fd0 onto a
directory that they own:&prompt.user; mkdir ~/my-mount-point
&prompt.user; mount -t msdos /dev/fd0 ~/my-mount-pointUnmounting the device is simple:&prompt.user; umount ~/my-mount-pointEnabling vfs.usermount, however, has
negative security implications. A better way to access MSDOS
formatted media is to use the
mtools package in the ports collection.How do I move my system over to my huge new disk?The best way is to reinstall the OS on the new
disk, then move the user data over. This is highly
recommended if you've been tracking -stable for more
than one release, or have updated a release instead of
installing a new one. You can install booteasy on both
disks with &man.boot0cfg.8;, and dual boot them until
you are happy with the new configuration. Skip the
next paragraph to find out how to move the data after
doing this.Should you decide not to do a fresh install, you
need to partition and label the new disk with either
/stand/sysinstall, or &man.fdisk.8;
and &man.disklabel.8;. You should also install booteasy
on both disks with &man.boot0cfg.8;, so that you can
dual boot to the old or new system after the copying
is done. See the formatting-media
tutorial for details on this process.Now you've got the new disk set up, and are ready
to move the data. Unfortunately, you can't just blindly
copy the data. Things like device files (in
/dev) and symbolic links tend to
screw that up. You need to use tools that understand
these things, which means &man.dump.8; and &man.tar.1;.
I recommend doing the data moves in single user mode,
but it's not required.You should never use anything but &man.dump.8; and
&man.restore.8; to move the root file system. The
&man.tar.1; command may work - then again, it may not.
You should also use &man.dump.8; and &man.restore.8;
if you are moving a single partition to another empty
partition. The sequence of steps to use dump to move
a partitions data to a new partition is:newfs the new partition.mount it on a temporary mount point.cd to that directory.dump the old partition, piping output to the
new one.For example, if you are going to move root to
/dev/ad1s1a, with
/mnt as the temporary mount point,
it's:&prompt.root; newfs /dev/ad1s1a
&prompt.root; mount /dev/ad1s1a
&prompt.root; cd /mnt
&prompt.root; dump 0uaf - / | restore xf -If you are going to rearrange your partitions -
say, splitting one into two, or combing two into one,
you may find yourself needing to move everything under
a subdirectory to a new location. Since &man.dump.8;
works with file systems, it can't do this. So you use
&man.tar.1;. The general command to move
/old to /new
for &man.tar.1; is:&prompt.root; (cd /old; tar cf - .) | (cd /new; tar xpf -)If /old has file systems
mounted on that, and you
don't want to move that data or unmount them, you just
add the 'l' flag to the first &man.tar.1;:&prompt.root; (cd /old; tar clf - .) | (cd /new; tar xpf -).You might prefer cpio(1), pax(1) or cpdup
(in ports/sysutils/cpdup) to tar.The X Window System and Virtual ConsolesI want to run X, how do I go about it?The easiest way is to simply specify that you want to run X
during the installation process.Then read and follow the documentation on the xf86config tool, which assists you in configuring XFree86(tm)
for your particular graphics card/mouse/etc.You may also wish to investigate the Xaccel server.
See the section on Xi Graphics or
Metro Link for more details.Why doesn't my mouse work with X?If you are using syscons (the default console driver), you can
configure FreeBSD to support a mouse pointer on each virtual
screen. In order to avoid conflicting with X, syscons supports
a virtual device called /dev/sysmouse. All mouse events
received from the real mouse device are written to the sysmouse
device via moused. If you wish to use your
mouse on one or more virtual consoles, and use X,
see and set up moused.Then edit /etc/XF86Config and make sure you
have the following lines.
Section Pointer
Protocol "SysMouse"
Device "/dev/sysmouse"
.....The above example is for XFree86 3.3.2 or later. For earlier
versions, the Protocol should be
MouseSystems.Some people prefer to use /dev/mouse under X. To
make this work, /dev/mouse should be linked to
/dev/sysmouse:&prompt.root; cd /dev
&prompt.root; rm -f mouse
&prompt.root; ln -s sysmouse mouseMy mouse has a fancy wheel. Can I use it in X?Yes. But you need to customize X client programs. See Colas Nahaboo's web page (http://www.inria.fr/koala/colas/mouse-wheel-scroll/).If you want to use the
imwheel program, just follow
these simple steps.Translate the Wheel EventsThe imwheel program
works by translating mouse button 4 and mouse button 5
events into key events. Thus, you have to get the
mouse driver to translate mouse wheel events to button
4 and 5 events. There are two ways of doing this, the
first way is to have &man.moused.8; do the
translation. The second way is for the X server
itself to do the event translation.Using &man.moused.8; to Translate Wheel
EventsTo have &man.moused.8; perform the event
translations, simply add to
the command line used to start &man.moused.8;.
For example, if you normally start &man.moused.8;
via moused -p /dev/psm0 you
would start it by entering moused -p
/dev/psm0 -z 4 instead. If you start
&man.moused.8; automatically during bootup via
/etc/rc.conf, you can simply
add to the
moused_flags variable in
/etc/rc.conf.You now need to tell X that you have a 5
button mouse. To do this, simply add the line
Buttons 5 to the
Pointer section of
/etc/XF86Config. For
example, you might have the following
Pointer section in
/etc/XF86Config.Pointer Section for Wheeled
Mouse in XF86Config with moused
TranslationSection "Pointer"
Protocol "SysMouse"
Device "/dev/sysmouse"
Buttons 5
EndSection
Using Your X Server to Translate the Wheel
EventsIf you aren't running &man.moused.8;, or if
you don't want &man.moused.8; to translate your
wheel events, you can have the X server do the
event translation instead. This requires a couple
of modifications to your
/etc/XF86Config file. First,
you need to choose the proper protocol for your
mouse. Most wheeled mice use the
IntelliMouse protocol. However,
XFree86 does support other protocols, such as
MouseManPlusPS/2 for the Logitech
MouseMan+ mice. Once you have chosen the protocol
you will use, you need to add a
Protocol line to the
Pointer section.Secondly, you need to tell the X server to
remap wheel scroll events to mouse buttons 4 and
5. This is done with the
ZAxisMapping option.For example, if you aren't using
&man.moused.8;, and you have an IntelliMouse
attached to the PS/2 mouse port you would use
the following in
/etc/XF86Config.Pointer Section for Wheeled
Mouse in XF86Config with X
Server TranslationSection "Pointer"
Protocol "IntelliMouse"
Device "/dev/psm0"
ZAxisMapping 4 5
EndSection
Install imwheelNext, install imwheel
from the Ports collection. It can be found in the
x11 category. This program will
map the wheel events from your mouse into keyboard
events. For example, it might send Page
Up to a program when you scroll the wheel
forwards. Imwheel uses a
configuration file to map the wheel events to
keypresses so that it can send different keys to
different applications. The default
imwheel configuration file
is installed in
/usr/X11R6/etc/imwheelrc. You
can copy it to ~/.imwheelrc and
then edit it if you wish to customize
imwheel's configuration.
The format of the configuration file is documented in
&man.imwheel.1;.Configure Emacs to Work
with Imwheel
(optional)If you use emacs or
Xemacs, then you need to
add a small section to your
~/.emacs file. For
emacs, add the
following:Emacs Configuration
for Imwheel;;; For imwheel
(setq imwheel-scroll-interval 3)
(defun imwheel-scroll-down-some-lines ()
(interactive)
(scroll-down imwheel-scroll-interval))
(defun imwheel-scroll-up-some-lines ()
(interactive)
(scroll-up imwheel-scroll-interval))
(global-set-key [?\M-\C-\)] 'imwheel-scroll-up-some-lines)
(global-set-key [?\M-\C-\(] 'imwheel-scroll-down-some-lines)
;;; end imwheel section
For Xemacs, add the
following to your ~/.emacs file
instead:Xemacs Configuration
for Imwheel;;; For imwheel
(setq imwheel-scroll-interval 3)
(defun imwheel-scroll-down-some-lines ()
(interactive)
(scroll-down imwheel-scroll-interval))
(defun imwheel-scroll-up-some-lines ()
(interactive)
(scroll-up imwheel-scroll-interval))
(define-key global-map [(control meta \))] 'imwheel-scroll-up-some-lines)
(define-key global-map [(control meta \()] 'imwheel-scroll-down-some-lines)
;;; end imwheel section
Run ImwheelYou can just type imwheel
in an xterm to start it up once it is installed. It
will background itself and take effect immediately.
If you want to always use
imwheel, simply add it to
your .xinitrc or
.xsession file. You can safely
ignore any warnings imwheel
displays about PID files. Those warnings only apply
to the Linux version of
imwheel.X Window menus and dialog boxes don't work right!Try turning off the Num Lock key.If your Num Lock key is on by default at boot-time, you may add
the following line in the Keyboard section of the
XF86Config file.# Let the server do the NumLock processing. This should only be
# required when using pre-R6 clients
ServerNumLockWhat is a virtual console and how do I make more?Virtual consoles, put simply, enable you to have several
simultaneous sessions on the same machine without doing anything
complicated like setting up a network or running X.When the system starts, it will display a login prompt on
the monitor after displaying all the boot messages. You can
then type in your login name and password and start working (or
playing!) on the first virtual console.At some point, you will probably wish to start another
session, perhaps to look at documentation for a program
you are running or to read your mail while waiting for an
FTP transfer to finish. Just do Alt-F2 (hold down the Alt
key and press the F2 key), and you will find a login prompt
waiting for you on the second virtual console! When you
want to go back to the original session, do Alt-F1.The default FreeBSD installation has three virtual consoles
enabled (8 starting with 3.3-RELEASE), and Alt-F1, Alt-F2, and
Alt-F3 will switch between these virtual consoles.To enable more of them, edit /etc/ttys
and add entries for ttyv4 to ttyvc after the
comment on Virtual terminals:# Edit the existing entry for ttyv3 in /etc/ttys and change
# "off" to "on".
ttyv3 "/usr/libexec/getty Pc" cons25 on secure
ttyv4 "/usr/libexec/getty Pc" cons25 on secure
ttyv5 "/usr/libexec/getty Pc" cons25 on secure
ttyv6 "/usr/libexec/getty Pc" cons25 on secure
ttyv7 "/usr/libexec/getty Pc" cons25 on secure
ttyv8 "/usr/libexec/getty Pc" cons25 on secure
ttyv9 "/usr/libexec/getty Pc" cons25 on secure
ttyva "/usr/libexec/getty Pc" cons25 on secure
ttyvb "/usr/libexec/getty Pc" cons25 on secureUse as many or as few as you want. The more virtual terminals
you have, the more resources that are used; this can be important
if you have 8MB RAM or less. You may also want to change the
secure to insecure.If you want to run an X server you MUST
leave at least one virtual terminal unused (or turned off) for it
to use. That is to say that if you want to have a login
prompt pop up for all twelve of your Alt-function keys,
you're out of luck - you can only do this for eleven of them
if you also want to run an X server on the same
machine.The easiest way to disable a console is by turning it off. For
example, if you had the full 12 terminal allocation mentioned
above and you wanted to run X, you would change settings for
virtual terminal 12 from:ttyvb "/usr/libexec/getty Pc" cons25 on secureto:ttyvb "/usr/libexec/getty Pc" cons25 off secureIf your keyboard has only ten function keys, you would end up with:ttyv9 "/usr/libexec/getty Pc" cons25 off secure
ttyva "/usr/libexec/getty Pc" cons25 off secure
ttyvb "/usr/libexec/getty Pc" cons25 off secure(You could also just delete these lines.)Once you have edited /etc/ttys,
the next step is to make sure that you have enough virtual terminal
devices. The easiest way to do this is:&prompt.root; cd /dev
&prompt.root; sh MAKEDEV vty12Next, the easiest (and cleanest) way to activate the virtual
consoles is to reboot. However, if you really don't want to
reboot, you can just shut down the X Window system and execute (as
root):&prompt.root; kill -HUP 1It's imperative that you completely shut down X Window if it is
running, before running this command. If you don't, your system
will probably appear to hang/lock up after executing the kill
command.How do I access the virtual consoles from X?If the console is currently displaying X Window, you can use
Ctrl-Alt-F1, etc. to switch to a virtual console. Note, however,
that once you've switched away from X Window to a virtual
terminal, you may use only the Alt- function key to switch to another
virtual terminal or back to X Window. You do not need to also press the
Ctrl key. If you use the control key to switch back to X on some
older releases, you can find your text console stuck in control-lock
mode. Tap the control key to wake it up again.How do I start XDM on boot?There are two schools of thought on how to start xdm. One school starts xdm from
/etc/ttys using the supplied example, while the other
simply runs xdm from rc.local or
from a X.sh script in /usr/local/etc/rc.d.
Both are equally valid, and one may work in
situations where the other doesn't. In both cases the result is the
same: X will popup a graphical login: prompt. The ttys method has the advantage
of documenting which vty X will start on and passing the responsibility
of restarting the X server on logout to init. The rc.local method
makes it easy to kill xdm if there is a problem starting the X server. If loaded from rc.local, xdm should be started without any
arguments (i.e., as a daemon). xdm must start AFTER getty runs, or
else getty and xdm will conflict, locking out the console. The best
way around this is to have the script sleep 10 seconds or so then
launch xdm.If you are to start xdm from
/etc/ttys, there still is a chance of conflict
between xdm and getty. One way to
avoid this is to add the vt number in the
/usr/X11R6/lib/X11/xdm/Xservers file.:0 local /usr/X11R6/bin/X vt4The above example will direct the X server to run in
/dev/ttyv3. Note the number is offset by one. The
X server counts the vty from one, whereas the FreeBSD kernel numbers the
vty from zero.When I run xconsole, I get Couldn't open console.If you start X with startx,
the permissions on /dev/console will not get
changed, resulting in things like xterm -C and xconsole not working.This is because of the way console permissions are set by default.
On a multi-user system, one doesn't necessarily want just any user
to be able to write on the system console. For users who are logging
directly onto a machine with a VTY, the
fbtab
file exists to solve such problems.In a nutshell, make sure an uncommented line of the form/dev/ttyv0 0600 /dev/consoleis in /etc/fbtab and it will ensure that whomever logs in on
/dev/ttyv0 will own the console.My PS/2 mouse doesn't behave properly under X.Your mouse and the mouse driver may have somewhat become out of
synchronization.In versions 2.2.5 and earlier, switching away from X to a
virtual terminal and getting back to X again may make them
re-synchronized. If the problem occurs often, you may add the
following option in your kernel configuration file and recompile it.options PSM_CHECKSYNCSee the section on building a kernel
if you've no experience with building kernels.With this option, there should be less chance of synchronization
problem between the mouse and the driver. If, however, you
still see the problem, click any mouse button while holding
the mouse still to re-synchronize the mouse and the driver.Note that unfortunately this option may not work with all the
systems and voids the tap feature of the ALPS GlidePoint
device attached to the PS/2 mouse port.In versions 2.2.6 and later, synchronization check is done
in a slightly better way and is standard in the PS/2 mouse driver.
It should even work with GlidePoint. (As the check code has become
a standard feature, PSM_CHECKSYNC option is not available in these
versions.) However, in rare case the driver may erroneously report
synchronization problem and you may see the kernel message:psmintr: out of sync (xxxx != yyyy)and find your mouse doesn't seem to work properly.If this happens, disable the synchronization check code by
setting the driver flags for the PS/2 mouse driver to 0x100.
Enter UserConfig by giving the option
at the boot prompt:boot: -cThen, in the UserConfig command line, type:UserConfig> flags psm0 0x100
UserConfig> quitMy PS/2 mouse from MouseSystems doesn't seem to work.There have been some reports that certain model of PS/2 mouse
from MouseSystems works only if it is put into the high resolution
mode. Otherwise, the mouse cursor may jump to the upper-left
corner of the screen every so often.Unfortunately there is no workaround for versions 2.0.X and
2.1.X. In versions 2.2 through 2.2.5, apply the following patch
to /sys/i386/isa/psm.c and rebuild the kernel. See the
section on building a kernel
if you've no experience with building kernels.@@ -766,6 +766,8 @@
if (verbose >= 2)
log(LOG_DEBUG, "psm%d: SET_DEFAULTS return code:%04x\n",
unit, i);
+ set_mouse_resolution(sc->kbdc, PSMD_RES_HIGH);
+
#if 0
set_mouse_scaling(sc->kbdc); /* 1:1 scaling */
set_mouse_mode(sc->kbdc); /* stream mode */In versions 2.2.6 or later, specify the flags 0x04 to the PS/2
mouse driver to put the mouse into the high resolution mode.
Enter UserConfig by giving the option
at the boot prompt:boot: -cThen, in the UserConfig command line, type:UserConfig> flags psm0 0x04
UserConfig> quitSee the previous section for another possible cause of mouse
problems.When building an X app, imake can't find Imake.tmpl. Where is it?
Imake.tmpl is part of the Imake package, a standard X application building tool.
Imake.tmpl, as well as several header files that are required to build X apps,
is contained in the X prog distribution. You can install this from sysinstall or
manually from the X distribution files. How do I reverse the mouse buttons?
Run the command xmodmap -e "pointer = 3 2 1" from your .xinitrc or .xsession.How do I install a splash screen and where do I find them?
Just prior to the release of FreeBSD 3.1, a new feature was
added to allow the display of splash screens during
the boot messages. The splash screens currently must be a 256
color bitmap (*.BMP) or ZSoft PCX
(*.PCX) file. In addition, they must have a
resolution of 320x200 or less to work on standard VGA adapters.
If you compile VESA support into your kernel, then you can use
larger bitmaps up to 1024x768. Note that VESA support requires
the VM86 kernel option to be compiled into the
kernel. The actual VESA support can either be compiled directly
into the kernel with the VESA kernel config option
or by loading the VESA kld module during bootup.To use a splash screen, you need to modify the startup files
that control the boot process for FreeBSD. The files for this
changed prior to the release of FreeBSD 3.2, so there are now
two ways of loading a splash screen:FreeBSD 3.1
The first step is to find a bitmap version of your splash
screen. Release 3.1 only supports Windows bitmap splash
screens. Once you've found your splash screen of choice
copy it to /boot/splash.bmp. Next, you need to
have a /boot/loader.rc file that contains the
following lines:load kernel
load -t splash_image_data /boot/splash.bmp
load splash_bmp
autobootFreeBSD 3.2+
In addition to adding support for PCX splash screens,
FreeBSD 3.2 includes a nicer way of configuring the boot
process. If you wish, you can use the method listed above
for FreeBSD 3.1. If you do and you want to use PCX, replace
splash_bmp with splash_pcx. If,
on the other hand, you want to use the newer boot
configuration, you need to create a
/boot/loader.rc file that contains the
following lines:include /boot/loader.4th
startand a /boot/loader.conf that contains the
following:splash_bmp_load="YES"
bitmap_load="YES"This assumes you are using /boot/splash.bmp
for your splash screen. If you'd rather use a PCX file,
copy it to /boot/splash.pcx, create a
/boot/loader.rc as instructed above, and
create a /boot/loader.conf that contains:splash_pcx_load="YES"
bitmap_load="YES"
bitmap_name="/boot/splash.pcx"Now all you need is a splash screen. For that you can surf
on over to the gallery at http://www.cslab.vt.edu/~jobaldwi/splash/.Can I use the Windows(tm) keys on my keyboard in X?Yes. All you need to do is use &man.xmodmap.1; to define what
function you wish them to perform.Assuming all Windows(tm) keyboards are standard
then the keycodes for the 3 keys are115 - Windows(tm) key, between the left-hand Ctrl and
Alt keys116 - Windows(tm) key, to the right of the Alt-Gr
key117 - Menu key, to the left of the right-hand Ctrl
keyTo have the left Windows(tm) key print a comma, try
this.&prompt.root; xmodmap -e "keycode 115 = comma"You will probably have to re-start your window manager
to see the result.To have the Windows(tm) key-mappings enabled automatically
everytime you start X either put the xmodmap
commands in your ~/.xinitrc file or,
preferably, create a file ~/.xmodmaprc and
include the xmodmap options, one per line,
then add the linexmodmap $HOME/.xmodmaprcto your ~/.xinitrc.For example, I have mapped the 3 keys to be F13, F14, and F15
respectively. This makes it easy to map them to useful functions
within applications or your window manager.To do this put the following in
~/.xmodmaprc.keycode 115 = F13
keycode 116 = F14
keycode 117 = F15I use fvwm2 and have mapped the keys so
that F13 iconifies (or de-iconifies) the window the cursor is in,
F14 brings the window the cursor is in to the front or, if it is
already at the front, pushes it to the back, and F15 pops up the
main Workplace (application) menu even if the cursor is not on the
desktop, which is useful if you don't have any part of the desktop
visible (and the logo on the key matches its
functionality).The entries in my ~/.fvwmrc which map the
keys this way are:Key F13 FTIWS A Iconify
Key F14 FTIWS A RaiseLower
Key F15 A A Menu Workplace NopNetworkingWhere can I get information on diskless booting?Diskless booting means that the FreeBSD box is booted over a
network, and reads the necessary files from a server instead of
its hard disk. For full details, please read
the Handbook entry on diskless booting Can a FreeBSD box be used as a dedicated network router?
Internet standards and good engineering practice prohibit us from
providing packet forwarding by default in FreeBSD. You can
however enable this feature by changing the following variable to
YES in rc.conf:gateway_enable=YES # Set to YES if this host will be a gatewayThis option will put the sysctl variable
net.inet.ip.forwarding to 1.In most cases, you will also need to run a routing process to
tell other systems on your network about your router; FreeBSD
comes with the standard BSD routing daemon
routed, or for more complex situations you may want to try
GaTeD (available from http://www.gated.org/ ) which
supports FreeBSD as of 3_5Alpha7.It is our duty to warn you that, even when FreeBSD is configured
in this way, it does not completely comply with the Internet
standard requirements for routers; however, it comes close enough
for ordinary usage.Can I connect my Win95 box to the Internet via FreeBSD?Typically, people who ask this question have two PC's at home, one
with FreeBSD and one with Win95; the idea is to use the FreeBSD
box to connect to the Internet and then be able to access the
Internet from the Windows95 box through the FreeBSD box. This
is really just a special case of the previous question. ... and the answer is yes! In FreeBSD 3.x, user-mode ppp contains a
option. If you run ppp with
the , set gateway_enable to
YES in /etc/rc.conf, and
configure your Windows machine correctly, this should work
fine.More detailed information about setting this up can be found in
the Pedantic PPP
Primer by Steve Sims.If you are using kernel-mode ppp, or have an Ethernet connection
to the Internet, you will have to use natd. Please
look at the natd section of this FAQ. Why does recompiling the latest BIND from ISC fail?
There is a conflict between the cdefs.h file in the
distribution and the one shipped with FreeBSD. Just remove
compat/include/sys/cdefs.h.Does FreeBSD support SLIP and PPP?Yes. See the man pages for
slattach, sliplogin,
pppd and
ppp.
pppd and ppp provide support for both incoming and outgoing
connections. Sliplogin deals exclusively with incoming connections and
slattach deals exclusively with outgoing connections.These programs are described in the following sections of the
handbook:Handbook entry on SLIP (server side)Handbook entry on SLIP (client side)Handbook entry on PPP (kernel version)Handbook entry on PPP (user-mode version)If you only have access to the Internet through a shell
account, you may want to have a look at the slirp
package. It can provide you with (limited) access to services
such as ftp and http direct from your local machine. Does FreeBSD support NAT or Masquerading
If you have a local subnet (one or more local machines), but have
been allocated only a single IP number from your Internet provider
(or even if you receive a dynamic IP number), you may want to look at
the natd
program. natd allows you to connect an entire subnet to the
internet using only a single IP number.The ppp program has similar functionality built in via
the switch. The alias library
is used in both cases.I can't create a /dev/ed0 device!In the Berkeley networking framework, network interfaces are only
directly accessible by kernel code. Please see the
/etc/rc.network file and the manual pages for the various
network programs mentioned there for more information. If this
leaves you totally confused, then you should pick up a book
describing network administration on another BSD-related
operating system; with few significant exceptions, administering
networking on FreeBSD is basically the same as on SunOS 4.0 or
Ultrix.How can I setup Ethernet aliases?Add netmask 0xffffffff to your ifconfig
command-line like the following:&prompt.root; ifconfig ed0 alias 204.141.95.2 netmask 0xffffffffHow do I get my 3C503 to use the other network port?If you want to use the other ports, you'll have to specify an
additional parameter on the
ifconfig command line. The
default port is link0. To use the AUI port instead of
the BNC one, use link2. These flags should be specified
using the ifconfig_* variables in /etc/rc.conf.I'm having problems with NFS to/from FreeBSD.Certain PC network cards are better than others (to put it
mildly) and can sometimes cause problems with network intensive
applications like NFS.See the Handbook entry on NFS
for more information on this topic.Why can't I NFS-mount from a Linux box?Some versions of the Linux NFS code only accept mount requests
from a privileged port; try&prompt.root; mount -o -P linuxbox:/blah /mntWhy can't I NFS-mount from a Sun box?Sun workstations running SunOS 4.X only accept mount requests
from a privileged port; try&prompt.root; mount -o -P sunbox:/blah /mntI'm having problems talking PPP to NeXTStep machines.Try disabling the TCP extensions in /etc/rc.conf by
changing the following variable to NO:tcp_extensions=NOXylogic's Annex boxes are also broken in this regard and you must
use the above change to connect thru them.How do I enable IP multicast support?Multicast host operations are fully supported in FreeBSD 2.0 and
later by default. If you want your box to run as a multicast router,
you will need to recompile your kernel with the MROUTING
option and run mrouted. FreeBSD 2.2 and later will start
mrouted at boot time if the flag mrouted_enable is set
to "YES" in /etc/rc.conf.MBONE tools are available in their own ports category, mbone. If
you are looking for the conference tools vic and
vat,
look there!For more information, see the
Mbone Information Web.Which network cards are based on the DEC PCI chipset?Here is a list compiled by Glen Foster, with some more modern additions:Vendor Model
----------------------------------------------
ASUS PCI-L101-TB
Accton ENI1203
Cogent EM960PCI
Compex ENET32-PCI
D-Link DE-530
Dayna DP1203, DP2100
DEC DE435, DE450
Danpex EN-9400P3
JCIS Condor JC1260
Linksys EtherPCI
Mylex LNP101
SMC EtherPower 10/100 (Model 9332)
SMC EtherPower (Model 8432)
TopWare TE-3500P
Znyx (2.2.x) ZX312, ZX314, ZX342, ZX345, ZX346, ZX348
(3.x) ZX345Q, ZX346Q, ZX348Q, ZX412Q, ZX414, ZX442,
ZX444, ZX474, ZX478, ZX212, ZX214 (10mbps/hd)Why do I have to use the FQDN for hosts on my site?You will probably find that the host is actually in a different
domain; for example, if you are in foo.bar.edu and you wish to reach
a host called mumble in the bar.edu domain, you will have to
refer to it by the fully-qualified domain name, mumble.bar.edu,
instead of just mumble.Traditionally, this was allowed by BSD BIND resolvers. However
the current version of bind that ships
with FreeBSD no longer provides default abbreviations for non-fully
qualified domain names other than the domain you are in.
So an unqualified host mumble must either be found
as mumble.foo.bar.edu, or it will be searched for
in the root domain.This is different from the previous behavior, where the
search continued across mumble.bar.edu, and
mumble.edu. Have a look at RFC 1535 for why this
was considered bad practice, or even a security hole.As a good workaround, you can place the linesearch foo.bar.edu bar.eduinstead of the previousdomain foo.bar.eduinto your /etc/resolv.conf file. However, make sure that the search order
does not go beyond the boundary between local and public
administration, as RFC 1535 calls it.Permission denied for all networking operations.If you have compiled your kernel with the IPFIREWALL
option, you need to be aware that the default policy as of
2.1.7R (this actually changed during 2.1-STABLE development)
is to deny all packets that are not explicitly allowed.If you had unintentionally misconfigured your system for
firewalling, you can restore network operability by typing
the following while logged in as root:&prompt.root; ipfw add 65534 allow all from any to anyYou can also set firewall_type="open" in /etc/rc.conf.For further information on configuring a FreeBSD firewall,
see the Handbook section.How much overhead does IPFW incur?The answer to this depends mostly on your rule set and processor
speed. For most applications dealing with ethernet and small
rule sets, the answer is, negligible. For those of you that need
actual measurements to satisfy your curiosity, read on.The following measurements were made using 2.2.5-STABLE on
a 486-66. IPFW was modified to measure the time spent within
the ip_fw_chk routine, displaying the results to the console
every 1000 packets.Two rule sets, each with 1000 rules were tested. The first set
was designed to demonstrate a worst case scenario by repeating the
rule:&prompt.root; ipfw add deny tcp from any to any 55555This demonstrates worst case by causing most of IPFW's packet
check routine to be executed before finally deciding that the
packet does not match the rule (by virtue of the port number).
Following the 999th iteration of this rule was an allow ip
from any to any.The second set of rules were designed to abort the rule
check quickly:&prompt.root; ipfw add deny ip from 1.2.3.4 to 1.2.3.4The nonmatching source IP address for the above rule causes
these rules to be skipped very quickly. As before, the 1000th
rule was an allow ip from any to any.The per-packet processing overhead in the former case was
approximately 2.703ms/packet, or roughly 2.7 microseconds per
rule. Thus the theoretical packet processing limit with these
rules is around 370 packets per second. Assuming 10Mbps ethernet
and a ~1500 byte packet size, we would only be able to achieve a
55.5% bandwidth utilization.For the latter case each packet was processed in
approximately 1.172ms, or roughly 1.2 microseconds per rule.
The theoretical packet processing limit here would be about
853 packets per second, which could consume 10Mbps ethernet
bandwidth.The excessive number of rules tested and the nature of those
rules do not provide a real-world scenario -- they were used only
to generate the timing information presented here. Here are a
few things to keep in mind when building an efficient rule set:Place an established rule early on to handle the
majority of TCP traffic. Don't put any allow tcp
statements before this rule.
Place heavily triggered rules earlier in the rule
set than those rarely used (without changing the
permissiveness of the firewall, of course). You can see
which rules are used most often by examining the packet counting
statistics with ipfw -a l.
How can I redirect service requests from one machine to another?
You can redirect FTP (and other service) request with the socket
package, available in the ports tree in category sysutils.
Simply replace the service's commandline to call socket instead, like so:ftp stream tcp nowait nobody /usr/local/bin/socket socket ftp.foo.comftpwhere ftp.foo.com and ftp are the host and port to redirect to,
respectively.Where can I get a bandwidth management tool?There are two bandwidth management tools available for FreeBSD.
ALTQ is available for free; Bandwidth Manager from
Emerging Technologies is
a commercial product. Why do I get /dev/bpf0: device not configured?The Berkeley Packet Filter (bpf) driver
needs to be enabled before running programs that utilize it.
Add this to your kernel config file and build a new kernel:pseudo-device bpfilter # Berkeley Packet FilterSecondly, after rebooting you will have to create the device
node. This can be accomplished by a change to the /dev
directory, followed by the execution of:&prompt.root; sh MAKEDEV bpf0Please see the handbook's entry on device nodes for more information
on creating devices.How do I mount a disk from a Windows machine that's on my
network, like smbmount in Linux?Use the sharity
light package in the ports collection.PPP I can't make ppp work. What am I doing wrong ?
You should first read the ppp man page and
the ppp section of the handbook. Enable logging with the commandset log Phase Chat Connect Carrier lcp ipcp ccp commandThis command may be typed at the ppp command prompt or
it may be entered in the /etc/ppp/ppp.conf configuration file
(the start of the default section is the best place to put it).
Make sure that /etc/syslog.conf contains the lines!ppp
*.* /var/log/ppp.logand that the file /var/log/ppp.log exists. You can
now find out a lot about what's going on from the log file.
Don't worry if it doesn't all make sense. If you need to
get help from someone, it may make sense to them.If your version of ppp doesn't understand the set log
command, you should download the
latest version.
It will build on FreeBSD version 2.1.5 and higher.Ppp just hangs when I run itThis is usually because your hostname won't resolve. The best
way to fix this is to make sure that /etc/hosts is
consoluted by your resolver first by editing /etc/host.conf
and putting the hosts line first. Then, simply put an
entry in /etc/hosts for your local machine. If you have
no local network, change your localhost line:127.0.0.1 foo.bar.com foo localhostOtherwise, simply add another entry for your host. Consult the
relevant man pages for more details.You should be able to successfully ping -c1 `hostname`
when you're done.Ppp won't dial in -auto modeFirst, check that you've got a default route. By running
netstat -rn,
you should see two entries like this:Destination Gateway Flags Refs Use Netif Expire
default 10.0.0.2 UGSc 0 0 tun0
10.0.0.2 10.0.0.1 UH 0 0 tun0This is assuming that you've used the addresses from the
handbook, the man page or from the ppp.conf.sample file.
If you haven't got a default route, it may be because you're
running an old version of ppp that doesn't understand the
word HISADDR in the ppp.conf file. If your version of
ppp is from before FreeBSD 2.2.5, change theadd 0 0 HISADDRline to one sayingadd 0 0 10.0.0.2Another reason for the default route line being missing is that
you have mistakenly set up a default router in your
/etc/rc.conf file (this file was called
/etc/sysconfig prior to release 2.2.2), and you have
omitted the line sayingdelete ALLfrom ppp.conf. If this is the case, go back to the
Final system configuration section of the handbook.What does No route to host meanThis error is usually due to a missingMYADDR:
delete ALL
add 0 0 HISADDRsection in your /etc/ppp/ppp.linkup file. This is
only necessary if you have a dynamic IP address or don't know the
address of your gateway. If you're using interactive mode, you can
type the following after entering packet mode (packet mode is
indicated by the capitalized PPP in the prompt):delete ALL
add 0 0 HISADDRRefer to the PPP and Dynamic IP addresses section of the handbook
for further details.My connection drops after about 3 minutesThe default ppp timeout is 3 minutes. This can be adjusted
with the lineset timeout NNNwhere NNN is the number of seconds of inactivity before the
connection is closed. If NNN is zero, the connection is
never closed due to a timeout. It is possible to put this command in
the ppp.conf file, or to type it at the prompt in
interactive mode. It is also possible to adjust it on the fly while
the line is active by connecting to ppps server socket using
telnet
or pppctl. Refer to the
ppp man
page for further details.My connection drops under heavy loadIf you have Link Quality Reporting (LQR) configured, it is
possible that too many LQR packets are lost between your
machine and the peer. Ppp deduces that the line must therefore
be bad, and disconnects. Prior to FreeBSD version 2.2.5,
LQR was enabled by default. It is now disabled by default.
LQR can be disabled with the linedisable lqrMy connection drops after a random amount of timeSometimes, on a noisy phone line or even on a line with
call waiting enabled, your modem may hang up because it
thinks (incorrectly) that it lost carrier.There's a setting on most modems for determining how tolerant
it should be to temporary losses of carrier. On a USR
Sportster for example, this is measured by the S10 register in
tenths of a second. To make your modem more forgiving, you could
add the following send-expect sequence to your dial string:set dial "...... ATS10=10 OK ......"Refer to your modem manual for details.My connection hangs after a random amount of timeMany people experience hung connections with no apparent
explaination. The first thing to establish is which side of the
link is hung.If you are using an external modem, you can simply try using
ping to see if the TD light is flashing when you
transmit data. If it flashes (and the RD light doesn't), the
problem is with the remote end. If TD doesn't flash, the problem
is local. With an internal modem, you'll need to use the set
server command in your ppp.conf file. When the hang occurs,
connect to ppp using pppctl. If your network connection suddenly
revives (ppp was revived due to the activity on the diagnostic socket)
or if you can't connect (assuming the set socket command
succeeded at startup time), the problem is local. If you can connect
and things are still hung, enable local async logging with set log
local async and use ping from another window or terminal to make
use of the link. The async logging will show you the data being
transmitted and received on the link. If data is going out and not
coming back, the problem is remote.Having established whether the problem is local or remote,
you now have two possibilities:The remote end isn't respondingThere's very little you can do about this. Most ISPs will
refuse to help if you're not running a Microsoft OS. You can
enable lqr in your ppp.conf file, allowing ppp to
detect the remote failure and hang up, but this detection is
relatively slow and therefore not that useful. You may want
to avoid telling your ISP that you're running user-ppp....First, try disabling all local compression by adding the
following to your configuration:disable pred1 deflate deflate24 protocomp acfcomp shortseq vj
deny pred1 deflate deflate24 protocomp acfcomp shortseq vjThen reconnect to ensure that this makes no difference.
If things improve or if the problem is solved completely,
determine which setting makes the difference through trial
and error. This will provide good amunition when you contact
your ISP (although it may make it apparent that you're not
running a Microsoft product).Before contacting your ISP, enable async logging locally
and wait until the connection hangs again. This may use up
quite a bit of disk space. The last data read from the port
may be of interest. It is usually ascii data, and may even
describe the problem (Memory fault, core dumped ?).If your ISP is helpful, they should be able to enable logging
on their end, then when the next link drop occurs, they may be
able to tell you why their side is having a problem. Feel free
to send the details to &a.brian;, or even to ask your ISP to
contact me directly.Ppp is hungYour best bet here is to rebuild ppp by adding CFLAGS+=-g
and STRIP= to the end of the Makefile, then doing a
make clean && make && make install. When
ppp hangs, find the ppp process id with ps ajxww | fgrep ppp
and run gdb ppp PID. From the gdb prompt, you can then use
bt to get a stack trace.Send the results to brian@Awfulhak.org.Nothing happens after the Login OK! messagePrior to FreeBSD version 2.2.5, once the link was established,
ppp would wait for the peer to initiate the Line Control
Protocol (LCP). Many ISPs will not initiate negotiations and
expect the client to do so. To force ppp to initiate
the LCP, use the following line:set openmode activeNote: It usually does no harm if both sides initiate
negotiation, so openmode is now active by default. However,
the next section explains when it does do some harm.I keep seeing errors about magic being the sameOccasionally, just after connecting, you may see messages in
the log that say magic is the same. Sometimes, these
messages are harmless, and sometimes one side or the other
exits. Most ppp implementations cannot survive this problem, and
even if the link seems to come up, you'll see repeated configure
requests and configure acknowledgements in the log file until
ppp eventually gives up and closes the connection.This normally happens on server machines with slow disks that
are spawning a getty on the port, and executing ppp from a
login script or program after login. I've also heard reports
of it happening consistently when using slirp. The reason is
that in the time taken between getty exiting and ppp starting, the
client-side ppp starts sending Line Control Protocol (LCP)
packets. Because ECHO is still switched on for the port on
the server, the client ppp sees these packets reflect back.One part of the LCP negotiation is to establish a magic number
for each side of the link so that reflections can be detected.
The protocol says that when the peer tries to negotiate
the same magic number, a NAK should be sent and a new magic
number should be chosen. During the period that the server
port has ECHO turned on, the client ppp sends LCP packets,
sees the same magic in the reflected packet and NAKs it. It
also sees the NAK reflect (which also means ppp must change
its magic). This produces a potentially enormous number of
magic number changes, all of which are happily piling into
the server's tty buffer. As soon as ppp starts on the server,
it's flooded with magic number changes and almost immediately
decides it's tried enough to negotiate LCP and gives up.
Meanwhile, the client, who no longer sees the reflections,
becomes happy just in time to see a hangup from the server.This can be avoided by allowing the peer to start negotiating
with the following line in your ppp.conf file:set openmode passiveThis tells ppp to wait for the server to initiate LCP
negotiations. Some servers however may never initiate negotiations.
If this is the case, you can do something like:set openmode active 3This tells ppp to be passive for 3 seconds, and then to start
sending LCP requests. If the peer starts sending requests during
this period, ppp will immediately respond rather than waiting for
the full 3 second period. LCP negotiations continue 'till the connection is closed
There is currently an implementation mis-feature in ppp
where it doesn't associate LCP, CCP & IPCP responses with
their original requests. As a result, if one ppp
implementation is more than 6 seconds slower than the other side,
the other side will send two additional LCP configuration requests.
This is fatal.Consider two implementations, A and B. A starts
sending LCP requests immediately after connecting and B takes
7 seconds to start. When B starts, A has sent 3 LCP
REQs. We're assuming the line has ECHO switched off, otherwise
we'd see magic number problems as described in the previous section.
B sends a REQ, then an ACK to the first of A's REQs.
This results in A entering the OPENED state and sending
and ACK (the first) back to B. In the meantime, B sends
back two more ACKs in response to the two additional REQs sent by
A before B started up. B then receives the first
ACK from A and enters the OPENED state. A receives
the second ACK from B and goes back to the REQ-SENT state,
sending another (forth) REQ as per the RFC. It then receives the
third ACK and enters the OPENED state. In the meantime,
B receives the forth REQ from A, resulting in it reverting
to the ACK-SENT state and sending another (second) REQ and
(forth) ACK as per the RFC. A gets the REQ, goes into
REQ-SENT and sends another REQ. It immediately receives the
following ACK and enters OPENED.This goes on 'till one side figures out that they're getting
nowhere and gives up.The best way to avoid this is to configure one side to be
passive - that is, make one side wait for the other to start
negotiating. This can be done with theset openmode passivecommand. Care should be taken with this option. You should also
use theset stopped Ncommand to limit the amount of time that ppp waits for the peer
to begin negotiations. Alternatively, theset openmode active Ncommand (where N is the number of seconds to wait before
starting negotiations) can be used. Check the manual page for
details.Ppp locks up shortly after connectingPrior to version 2.2.5 of FreeBSD, it was possible that your
link was disabled shortly after connection due to ppp
mis-handling Predictor1 compression negotiation. This would
only happen if both sides tried to negotiate different
Compression Control Protocols (CCP). This problem is now
corrected, but if you're still running an old version of
ppp, the problem can be circumvented with the linedisable pred1Ppp locks up when I shell out to test itWhen you execute the shell or ! command,
ppp
executes a shell (or if you've passed any arguements, ppp
will execute those arguements). Ppp will wait for the command
to complete before continuing. If you attempt to use the
ppp link while running the command, the link will appear to have
frozen. This is because ppp is waiting for the command
to complete.If you wish to execute commands like this, use the
!bg command instead. This will execute the given command
in the background, and ppp can continue to service the link.Ppp over a null-modem cable never exitsThere is no way for ppp to automatically determine that
a direct connection has been dropped. This is due to the
lines that are used in a null-modem serial cable. When using
this sort of connection, LQR should always be enabled with
the lineenable lqrLQR is accepted by default if negotiated by the peer.Why does ppp dial for no reason in -auto modeIf ppp is dialing unexpectedly, you must determine the
cause, and set up Dial filters (dfilters) to prevent such dialing.To determine the cause, use the following line:set log +tcp/ipThis will log all traffic through the connection. The next
time the line comes up unexpectedly, you will see the reason
logged with a convenient timestamp next to it.You can now disable dialing under these circumstances. Usually,
this sort of problem arises due to DNS lookups. To prevent
DNS lookups from establishing a connection (this will not
prevent ppp from passing the packets through an established
connection), use the following:set dfilter 1 deny udp src eq 53
set dfilter 2 deny udp dst eq 53
set dfilter 3 permit 0/0 0/0This is not always suitable, as it will effectively break your
demand-dial capabilities - most programs will need a DNS lookup
before doing any other network related things.In the DNS case, you should try to determine what is actually
trying to resolve a host name. A lot of the time,
sendmail is the culprit. You should make sure that you tell
sendmail not to do any DNS lookups in its configuration file. See
the section on Mail Configuration for
details on how to create your own configuration file and what should
go into it. You may also want to add the following line to your
.mc file:define(`confDELIVERY_MODE', `d')dnlThis will make sendmail queue everything until the queue is
run (usually, sendmail is invoked with , telling it
to run the queue every 30 minutes) or until a sendmail -q
is done (perhaps from your ppp.linkup file).What do these CCP errors meanI keep seeing the following errors in my log file:CCP: CcpSendConfigReq
CCP: Received Terminate Ack (1) state = Req-Sent (6)This is because ppp is trying to negotiate Predictor1
compression, and the peer does not want to negotiate any
compression at all. The messages are harmless, but if you
wish to remove them, you can disable Predictor1 compression
locally too:disable pred1Ppp locks up during file transfers with IO errorsUnder FreeBSD 2.2.2 and before, there was a bug in the tun
driver that prevents incoming packets of a size larger than
the tun interface's MTU size. Receipt of a packet greater than
the MTU size results in an IO error being logged via syslogd.The ppp specification says that an MRU of 1500 should
always be accepted as a minimum, despite any LCP
negotiations, therefore it is possible that should you decrease
the MTU to less than 1500, your ISP will transmit packets of
1500 regardless, and you will tickle this non-feature - locking
up your link.The problem can be circumvented by never setting an MTU of
less than 1500 under FreeBSD 2.2.2 or before.Why doesn't ppp log my connection speed?In order to log all lines of your modem conversation,
you must enable the following:set log +connectThis will make
ppp
log everything up until the last requested expect string.If you wish to see your connect speed and are using PAP or CHAP
(and therefore don't have anything to chat after the CONNECT
in the dial script - no set login script), you must make sure that
you instruct ppp to expect the whole CONNECT line, something like
this:set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 4 \
\"\" ATZ OK-ATZ-OK ATDT\\T TIMEOUT 60 CONNECT \\c \\n"Here, we get our CONNECT, send nothing, then expect a line-feed,
forcing ppp to read the whole CONNECT response.Ppp ignores the \ character in my chat scriptPpp parses each line in your config files so that it can
interpret strings such as set phone "123 456 789" correctly
(and realize that the number is actually only one argument.
In order to specify a " character, you must escape it using
a backslash (\).When the chat interpreter parses each argument, it re-interprets
the argument in order to find any special escape sequences such
as \P or \T (see the man page). As a result of this
double-parsing, you must remember to use the correct number of
escapes.If you wish to actually send a \ character to (say) your
modem, you'd need something like:set dial "\"\" ATZ OK-ATZ-OK AT\\\\X OK"resulting in the following sequence:ATZ
OK
AT\X
OKorset phone 1234567
set dial "\"\" ATZ OK ATDT\\T"resulting in the following sequence:ATZ
OK
ATDT1234567Ppp gets a seg-fault, but I see no ppp.core filePpp (or any other program for that matter) should never
dump core. Because ppp runs with an effective user id of 0,
the operating system will not write ppps core image to disk
before terminating it. If, however ppp is actually
termating due to a segmentation violation or some other
signal that normally causes core to be dumped, and you're
sure you're using the latest version (see the start of this
section), then you should do the following:&prompt.user; tar xfz ppp-*.src.tar.gz
&prompt.user; cd ppp*/ppp
&prompt.user; echo STRIP= >>Makefile
&prompt.user; echo CFLAGS+=-g >>Makefile
&prompt.user; make clean all
&prompt.user; su
&prompt.root; make install
&prompt.root; chmod 555 /usr/sbin/pppYou will now have a debuggable version of ppp installed. You
will have to be root to run ppp as all of its privileges have
been revoked. When you start ppp, take a careful note of what
your current directory was at the time.Now, if and when ppp receives the segmentation violation, it
will dump a core file called ppp.core. You should then do the
following:&prompt.user; su
&prompt.root; gdb /usr/sbin/ppp ppp.core(gdb)bt
.....
(gdb)f 0
....
(gdb)i args
....
(gdb)l
.....All of this information should be given alongside your
question, making it possible to diagnose the problem.If you're familiar with gdb, you may wish to find out some
other bits and pieces such as what actually caused the dump and
the addresses & values of the relevant variables. The process that forces a dial in auto mode never connects
This was a known problem with ppp set up to negotiate
a dynamic local IP number with the peer in auto mode. It is
fixed in the latest version - search the man page for iface.The problem was that when that initial program calls
connect(2), the IP number of the tun interface is
assigned to the socket endpoint. The kernel creates the first
outgoing packet and writes it to the tun device. Ppp then
reads the packet and establishes a connection. If, as a result
of ppps dynamic IP assignment, the interface address is changed,
the original socket endpoint will be invalid. Any subsequent
packets sent to the peer will usually be dropped. Even if
they aren't, any responses will not route back to the originating
machine as the IP number is no longer owned by that machine.There are several theoretical ways to approach this problem.
It would be nicest if the peer would re-assign the same IP number
if possible :-) The current version of ppp does this,
but most other implementations don't.The easiest method from our side would be to never change the
tun interface IP number, but instead to change all outgoing packets
so that the source IP number is changed from the interface IP to
the negotiated IP on the fly. This is essentially what the
iface-alias option in the latest version of ppp is
doing (with the help of libalias(3)
and ppp's switch) - it's maintaining all previous
interface addresses and NATing them to the last negotiated address.Another alternative (and probably the most reliable) would be
to implement a system call that changes all bound sockets from one
IP to another. Ppp would use this call to modify the
sockets of all existing programs when a new IP number is
negotiated. The same system call could be used by dhcp clients
when they are forced to re-bind() their sockets.Yet another possibility is to allow an interface to be brought
up without an IP number. Outgoing packets would be given
an IP number of 255.255.255.255 up until the first SIOCAIFADDR
ioctl is done. This would result in fully binding the socket. It
would be up to ppp to change the source IP number, but only if
it's set to 255.255.255.255, and only the IP number and IP checksum
would need to change. This, however is a bit of a hack as
the kernel would be sending bad packets to an improperly
configured interface, on the assumption that some other mechanism
is capable of fixing things retrospectively.Why don't most games work with the -nat switchThe reason games and the like don't work when libalias is
in use is that the machine on the outside will try to open a
connection or send (unsolicited) UDP packets to the machine
on the inside. The NAT software doesn't know that
it should send these packets to the interior machine.To make things work, make sure that the only thing running
is the software that you're having problems with, then either
run tcpdump on the tun interface of the gateway or enable ppp
tcp/ip logging (set log +tcp/ip) on the gateway.When you start the offending software, you should see packets
passing through the gateway machine. When something comes back
from the outside, it'll be dropped (that's the problem). Note
the port number of these packets then shut down the offending
software. Do this a few times to see if the port numbers are
consistent. If they are, then the following line in the relevant
section of /etc/ppp/ppp.conf will make the software functional:nat port protointernalmachine:portportwhere proto is either tcp or udp,
internalmachine is the machine that you want the packets
to be sent to and port is the destination port number of
the packets.You won't be able to use the software on other machines
without changing the above command, and running the software
on two internal machines at the same time is out of the question
- after all, the outside world is seeing your entire internal
network as being just a single machine.If the port numbers aren't consistent, there are three more
options:1) Submit support in libalias. Examples of special
cases can be found in /usr/src/lib/libalias/alias_*.c (alias_ftp.c
is a good prototype). This usually involves reading certain
recognised outgoing packets, identifying the instruction that
tells the outside machine to initiate a connection back to the
internal machine on a specific (random) port and setting up a
route in the alias table so that the subsequent packets
know where to go.This is the most difficult solution, but it is the best and
will make the software work with multiple machines.2) Use a proxy. The application may support socks5
for example, or (as in the cvsup case) may have a passive
option that avoids ever requesting that the peer open connections
back to the local machine.3) Redirect everything to the internal machine using
nat addr. This is the sledge-hammer approach.Has anybody made a list of useful port numbers ?Not yet, but this is intended to grow into such a list (if
any interest is shown). In each example, internal should
be replaced with the IP number of the machine playing the game.Asheron's Callnat port udp internal:65000 65000Manually change the port number within the game to 65000.
If you've got a number of machines that you wish to play on assign
a unique port number for each (i.e. 65001, 65002, etc) and add a
nat port line for each one.Half Lifenat port udp internal:27005 27015PCAnywhere 8.0nat port udp internal:5632 5632nat port tcp internal:5631 5631Quakenat port udp internal:6112 6112Alternatively, you may want to take a look at
www.battle.net for Quake proxy support.Quake 2nat port udp internal:27901 27910Red Alertnat port udp internal:8675 8675nat port udp internal:5009 5009What are FCS errors ?FCS stands for Frame Check Sequence. Each
ppp packet has a checksum attached to ensure that the data
being received is the data being sent. If the FCS of an
incoming packet is incorrect, the packet is dropped and the
HDLC FCS count is increased. The HDLC error values can be
displayed using the show hdlc command.If your link is bad (or if your serial driver is dropping
packets), you will see the occasional FCS error. This is not
usually worth worrying about although it does slow down the
compression protocols substantially. If you have an external
modem, make sure your cable is properly shielded from
interference - this may eradicate the problem.If your link freezes as soon as you've connected and you see
a large number of FCS errors, this may be because your link is
not 8 bit clean. Make sure your modem is not using software
flow control (XON/XOFF). If your datalink must use
software flow control, use the command
set accmap 0x000a0000 to tell ppp to escape
the ^Q and ^S characters.Another reason for seeing too many FCS errors may be that
the remote end has stopped talking PPP. You may want to
enable async logging at this point to determine if the
incoming data is actually a login or shell prompt. If you
have a shell prompt at the remote end, it's possible to
terminate ppp without dropping the line by using the
close lcp command (a following term command
will reconnect you to the shell on the remote machine.If nothing in your log file indicates why the link might
have been terminated, you should ask the remote administrator
(your ISP?) why the session was terminated.Why do MacOS and Windows 98 connections freeze when running PPPoE on the gateway
Thanks to Michael Wozniak mwozniak@netcom.ca for figuring
this out and Dan Flemming danflemming@mac.com for the Mac
solution:
This is due to what's called a Black Hole router. MacOS and Windows 98 (and
maybe other Microsoft OSs) send TCP packets with a requested
segment size too big to fit into a PPPoE frame (MTU is 1500 by default
for ethernet) and have the don't fragment
bit set (default of TCP) and the Telco router is not sending ICMP must
fragment back to the www site you are trying to load. When the www
server is sending you frames that don't fit into the PPPoE pipe the Telco
router drops them on the floor and your page doesn't load (some
pages/graphics do as they are smaller than a MSS.) This seems to be the
default of most Telco PPPoE configurations (if only they knew how to
program a router... sigh...)
One fix is to use regedit on your 95/98 boxes to add the following
registry entry...
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\NetTrans\0000\MaxMTU
It should be a string with a value 1450 (more accurately it
should be 1464 to fit TCP packets into a PPPoE frame
perfectly but the 1450 gives you a margin of error for
other IP protocols you may encounter).
Refer to MS KB # Q158474 - Windows TCPIP Registry Entries
and Q120642 - TCPIP & NBT Configuration Parameters for Windows NT
for more information on changing Windoze MTU to work with a
FreeBSD/NAT/PPPoE router.
Unfortunately, MacOS does not provide an interface for changing TCP/IP
settings. However, there is commercial software available, such as
OTAdvancedTuner (OT for OpenTransport, the MacOS TCP/IP stack) by
Sustainable Softworks,
that will allow users to customize TCP/IP settings. MacOS NAT users
should select ip_interface_MTU from the drop-down
menu, enter 1450 instead of 1500
in the box, click the box next to Save as Auto
Configure, and click Make Active.
None of this helps - I'm desperate !If all else fails, send as much information as you can,
including your config files, how you're starting ppp,
the relevant parts of your log file and the output of the
netstat -rn command (before and after connecting) to the
freebsd-questions@FreeBSD.org mailing list or the
comp.unix.bsd.freebsd.misc news group, and someone
should point you in the right direction.Serial CommunicationsThis section answers common questions about serial communications
with FreeBSD. PPP and SLIP are covered in the section.How do I tell if FreeBSD found my serial ports?As the FreeBSD kernel boots, it will probe for the serial ports
in your system for which the kernel was configured. You can
either watch your system closely for the messages it prints or
run the command&prompt.user; dmesg | grep sioafter your system's up and running.Here's some example output from the above command:sio0 at 0x3f8-0x3ff irq 4 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550AThis shows two serial ports. The first is on irq 4, is using
port address 0x3f8, and has a 16550A-type UART chip. The
second uses the same kind of chip but is on irq 3 and is at port
address 0x2f8. Internal modem cards are treated just like
serial ports---except that they always have a modem attached
to the port.The GENERIC kernel includes support for two serial ports
using the same irq and port address settings in the above
example. If these settings aren't right for your system, or if
you've added modem cards or have more serial ports than your
kernel is configured for, just reconfigure your kernel. See
section about building a kernel for
more details.How do I tell if FreeBSD found my modem cards?Refer to the answer to the previous question.I just upgraded to 2.0.5 and my tty0X are missing!Don't worry, they have been merged with the ttydX devices.
You'll have to change any old configuration files you have, though.How do I access the serial ports on FreeBSD?The third serial port, sio2 (known as
COM3 in DOS), is on /dev/cuaa2 for dial-out devices, and on
/dev/ttyd2 for dial-in devices. What's the difference
between these two classes of devices?You use ttydX for dial-ins. When opening /dev/ttydX
in blocking mode, a process will wait for the corresponding
cuaaX device to become inactive, and then wait
for the carrier detect line to go active. When you open the
cuaaX device, it makes sure the serial port isn't already in
use by the ttydX device. If the port's available, it
steals it from the ttydX device. Also,
the cuaXX
device doesn't care about carrier detect. With this scheme and
an auto-answer modem, you can have remote users log in and you
can still dialout with the same modem and the system will take
care of all the conflicts.How do I enable support for a multiport serial card?Again, the section on kernel configuration provides information
about configuring your kernel. For a multiport serial card,
place an sio line for each serial port on the card in the
kernel configuration file. But place the irq and vector
specifiers on only one of the entries. All of the ports on the
card should share one irq. For consistency, use the last serial
port to specify the irq. Also, specify the COM_MULTIPORT
option.The following example is for an AST 4-port serial card on irq 7:options "COM_MULTIPORT"
device sio4 at isa? port 0x2a0 tty flags 0x781
device sio5 at isa? port 0x2a8 tty flags 0x781
device sio6 at isa? port 0x2b0 tty flags 0x781
device sio7 at isa? port 0x2b8 tty flags 0x781 irq 7 vector siointrThe flags indicate that the master port has minor number 7
(0x700), diagnostics enabled during probe (0x080), and
all the ports share an irq (0x001).Can FreeBSD handle multiport serial cards sharing irqs?Not yet. You'll have to use a different irq for each card.Can I set the default serial parameters for a port?The ttydX (or cuaaX) device is the regular device
you'll want to open for your applications. When a process opens
the device, it'll have a default set of terminal I/O settings.
You can see these settings with the command&prompt.root; stty -a -f /dev/ttyd1When you change the settings to this device, the settings are in
effect until the device is closed. When it's reopened, it goes
back to the default set. To make changes to the default set, you
can open and adjust the settings of the initial state device.
For example, to turn on CLOCAL mode, 8 bits, and
XON/XOFF flow control by default for ttyd5, do:&prompt.root; stty -f /dev/ttyid5 clocal cs8 ixon ixoffA good place to do this is in /etc/rc.serial. Now, an
application will have these settings by default when it opens
ttyd5. It can still change these settings to its liking,
though.You can also prevent certain settings from being changed by an
application by making adjustments to the lock state device.
For example, to lock the speed of ttyd5 to 57600 bps, do&prompt.root; stty -f /dev/ttyld5 57600Now, an application that opens ttyd5 and tries to change the
speed of the port will be stuck with 57600 bps.Naturally, you should make the initial state and lock state
devices writable only by root. The
MAKEDEV
script does NOT do this when it creates the
device entries.How can I enable dialup logins on my modem?So you want to become an Internet service provider, eh? First,
you'll need one or more modems that can auto-answer. Your modem
will need to assert carrier-detect when it detects a carrier and
not assert it all the time. It will need to hang up the phone
and reset itself when the data terminal ready (DTR) line
goes from on to off. It should probably use RTS/CTS
flow control or no local flow control at all. Finally, it must
use a constant speed between the computer and itself, but (to be
nice to your callers) it should negotiate a speed between itself
and the remote modem.For many Hayes command-set--compatible modems, this command will
make these settings and store them in nonvolatile memory:AT &C1 &D3 &K3 &Q6 S0=1 &WSee the section on sending AT commands below for information on how to make these settings
without resorting to an MS-DOS terminal program.Next, make an entry in /etc/ttys for the
modem. This file lists all the ports on which the operating system will
await logins. Add a line that looks something like this:ttyd1 "/usr/libexec/getty std.57600" dialup on insecureThis line indicates that the second serial port
(/dev/ttyd1) has a modem connected running at 57600 bps
and no parity (std.57600, which comes from the file
/etc/gettytab). The terminal type for this port is
dialup. The port is on and is insecure---meaning
root logins on the port aren't allowed. For dialin ports like
this one, use the ttydX entry.It's common practice to use dialup as the terminal type.
Many users set up in their .profile or .login files a prompt for
the actual terminal type if the starting type is dialup. The
example shows the port as insecure. To become root on this port,
you have to login as a regular user, then su to become
root. If you use secure then
root can login in directly.After making modifications to /etc/ttys, you
need to send a hangup or HUP signal to the init process:&prompt.root; kill -HUP 1This forces the init process to reread /etc/ttys. The
init process will then start getty processes on all on ports.
You can find out if logins are available for your port by typing&prompt.user; ps -ax | grep '[t]tyd1'You should see something like:747 ?? I 0:00.04 /usr/libexec/getty std.57600 ttyd1How can I connect a dumb terminal to my FreeBSD box?If you're using another computer as a terminal into your FreeBSD
system, get a null modem cable to go between the two serial
ports. If you're using an actual terminal, see its accompanying
instructions.Then, modify /etc/ttys, like above. For example, if you're hooking up a
WYSE-50 terminal to the fifth serial port, use an entry like this:ttyd4 "/usr/libexec/getty std.38400" wyse50 on secureThis example shows that the port on /dev/ttyd4 has a
wyse50 terminal connected at 38400 bps with no parity
(std.38400 from /etc/gettytab) and
root logins are allowed (secure).Why can't I run tip or cu?On your system, the programs tip and cu are probably
executable only by uucp and group
dialer. You can use the group dialer
to control who has access to your modem or remote systems. Just add
yourself to group dialer.Alternatively, you can let everyone on your system run tip
and cu by typing:&prompt.root; chmod 4511 /usr/bin/cu
&prompt.root; chmod 4511 /usr/bin/tipMy stock Hayes modem isn't supported---what can I do?Actually, the man page for tip is out of
date. There is a generic Hayes dialer already built in. Just use
at=hayes in your /etc/remote file.The Hayes driver isn't smart enough to recognize some of the
advanced features of newer modems---messages like BUSY,
NO DIALTONE, or CONNECT 115200 will just confuse it.
You should turn those messages off when you use tip (using
ATX0&W).Also, the dial timeout for tip is 60 seconds. Your modem
should use something less, or else tip will think there's a
communication problem. Try ATS7=45&W.Actually, as shipped tip doesn't yet support it fully. The
solution is to edit the file tipconf.h in the directory
/usr/src/usr.bin/tip/tip. Obviously you need the source
distribution to do this.Edit the line #define HAYES 0 to #define HAYES 1.
Then make and make install. Everything
works nicely after that. How am I expected to enter these AT commands?
Make what's called a direct entry in your
/etc/remote file. For example, if your modem's hooked
up to the first serial port, /dev/cuaa0, then put in the
following line:cuaa0:dv=/dev/cuaa0:br#19200:pa=noneUse the highest bps rate your modem supports in the br
capability. Then, type tip cuaa0 and
you'll be connected to your modem.If there is no /dev/cuaa0 on your system, do this:&prompt.root; cd /dev
&prompt.root; sh MAKEDEV cuaa0Or use cu as root with the following command:&prompt.root; cu -lline -sspeedwith line being the serial port (e.g./dev/cuaa0)
and speed being the speed (e.g.57600). When you are done
entering the AT commands hit ~. to exit.The <@> sign for the pn capability doesn't work!The <@> sign in the phone number capability tells tip to look in
/etc/phones for a phone number. But the <@> sign is
also a special character in capability files like
/etc/remote. Escape it with a backslash:pn=\@How can I dial a phone number on the command line?Put what's called a generic entry in your
/etc/remote file. For example:tip115200|Dial any phone number at 115200 bps:\
:dv=/dev/cuaa0:br#115200:at=hayes:pa=none:du:
tip57600|Dial any phone number at 57600 bps:\
:dv=/dev/cuaa0:br#57600:at=hayes:pa=none:du:Then you can do something like tip -115200 5551234. If you
prefer cu over tip, use a
generic cu entry:cu115200|Use cu to dial any number at 115200bps:\
:dv=/dev/cuaa1:br#57600:at=hayes:pa=none:du:and type cu 5551234 -s 115200.Do I have to type in the bps rate every time I do that?Put in an entry for tip1200 or cu1200, but go ahead and
use whatever bps rate is appropriate with the br capability. tip thinks a good
default is 1200 bps which is why it looks for a tip1200 entry.
You don't have to use 1200 bps, though.I access a number of hosts through a terminal server.Rather than waiting until you're connected and typing
CONNECT host each time, use tip's cm
capability. For example, these entries in
/etc/remote:pain|pain.deep13.com|Forrester's machine:\
:cm=CONNECT pain\n:tc=deep13:
muffin|muffin.deep13.com|Frank's machine:\
:cm=CONNECT muffin\n:tc=deep13:
deep13:Gizmonics Institute terminal server:\
:dv=/dev/cua02:br#38400:at=hayes:du:pa=none:pn=5551234:will let you type tip pain or tip muffin to
connect to the hosts pain or muffin;
and tip deep13 to
get to the terminal server.Can tip try more than one line for each site?This is often a problem where a university has several modem lines
and several thousand students trying to use them...Make an entry for your university in /etc/remote
and use <\@> for the pn capability:big-university:\
:pn=\@:tc=dialout
dialout:\
:dv=/dev/cuaa3:br#9600:at=courier:du:pa=none:Then, list the phone numbers for the university in
/etc/phones:big-university 5551111
big-university 5551112
big-university 5551113
big-university 5551114tip will try each one in the listed order, then give up. If
you want to keep retrying, run tip in a while loop.Why do I have to hit CTRL+P twice to send CTRL+P once?CTRL+P is the default force character, used to tell
tip
that the next character is literal data. You can set the force
character to any other character with the ~s escape, which
means set a variable.Type ~sforce=single-char followed by a newline.
single-char is any single character. If you leave
out single-char, then the force character is the nul
character, which you can get by typing CTRL+2 or CTRL+SPACE. A
pretty good value for single-char is SHIFT+CTRL+6,
which I've seen only used on some terminal servers.You can have the force character be whatever you want by
specifying the following in your $HOME/.tiprc
file:force=single-charSuddenly everything I type is in UPPER CASE??You must've pressed CTRL+A, tipraise
character, specially designed for people with broken caps-lock keys.
Use ~s as above and set the variable raisechar to something
reasonable. In fact, you can set it to the same as the force
character, if you never expect to use either of these features.Here's a sample .tiprc file perfect for Emacs users who need to
type CTRL+2 and CTRL+A a lot:force=^^
raisechar=^^The ^^ is SHIFT+CTRL+6.How can I do file transfers with tip?If you're talking to another UNIX system, you can send and
receive files with ~p (put) and ~t (take). These
commands run cat and echo on the remote system to accept and send files. The syntax
is:~p <local-file> [<remote-file>]
~t <remote-file> [<local-file>]There's no error checking, so you probably should use another
protocol, like zmodem.How can I run zmodem with tip?First, install one of the zmodem programs from the ports
collection (such as one of the two from the comms category,
lrzsz
and rzsz).To receive files, start the sending program on the remote end.
Then, press enter and type ~C rz (or ~C lrz if
you installed lrzsz) to begin receiving them locally.To send files, start the receiving program on the remote end.
Then, press enter and type ~C sz files (or
~C lsz files) to send them to the
remote system.FreeBSD can't seem to find my serial ports, even when the
settings are correct.Motherboards and cards with Acer UARTs do not probe properly under
the FreeBSD sio probe. Obtain a patch from
www.lemis.com to fix your problem.Miscellaneous Questions FreeBSD uses far more swap space than Linux. Why?
FreeBSD only appears to use more swap than Linux. In actual fact,
it does not. The main difference between FreeBSD and Linux in this
regard is that FreeBSD will proactively move entirely idle, unused pages
of main memory into swap in order to make more main memory available
for active use. Linux tends to only move pages to swap as a last resort.
The perceived heavier use of swap is balanced by the more efficient use
of main memory. Note that while FreeBSD is proactive in this regard, it does not
arbitrarily decide to swap pages when the system is truely idle. Thus
you will not find your system all paged out when you get up in the
morning after leaving it idle overnight.Why does &man.top.1; show very little free memory even
when I have very few programs running?The simple answer is that free memory is wasted
memory. Any memory that your programs don't actively
allocate is used within the FreeBSD kernel as disk
cache. The values shown by &man.top.1; labelled as
Inact, Cache, and
Buf are all cached data at different
aging levels. This cached data means the system does
not have to access a slow disk again for data it has
accessed recently, thus increasing overall performance.
In general, a low value shown for Free
memory in &man.top.1; is good, provided it is not
very low. Why use (what are) a.out and ELF executable formats?
To understand why FreeBSD uses the ELF format, you must
first know a little about the 3 currently dominant executable
formats for UNIX:Prior to FreeBSD 3.x, FreeBSD used the a.out format.a.outThe oldest and classic unix object format. It uses a
short and compact header with a magic number at the beginning
that's often used to characterize the format (see
a.out(5) for more details). It contains three loaded
segments: .text, .data, and .bss plus a symbol table and a
string table.COFF
The SVR3 object format. The header now comprises a section
table, so you can have more than just .text, .data, and .bss
sections.ELF
The successor to COFF, featuring Multiple sections
and 32-bit or 64-bit possible values. One major drawback:
ELF was also designed with the assumption that there
would be only one ABI per system architecture. That
assumption is actually quite incorrect, and not even in the
commercial SYSV world (which has at least three ABIs: SVR4,
Solaris, SCO) does it hold true.FreeBSD tries to work around this problem somewhat by
providing a utility for branding a known ELF
executable with information about the ABI it's compliant with.
See the man page for
brandelf for more information.FreeBSD comes from the classic camp and has traditionally used
the a.out format, a technology tried and proven through
many generations of BSD releases. Though it has also been possible
for some time to build and run native ELF binaries (and
kernels) on a FreeBSD system, FreeBSD initially resisted the push
to switch to ELF as the default format. Why? Well,
when the Linux camp made their painful transition to ELF, it
was not so much to flee the a.out executable format
as it was their inflexible jump-table based shared library
mechanism, which made the construction of shared libraries
very difficult for vendors and developers alike. Since the ELF
tools available offered a solution to the shared library
problem and were generally seen as the way forward anyway, the
migration cost was accepted as necessary and the transition
made.In FreeBSD's case, our shared
library mechanism is based more closely on Sun's
SunOS-style shared library mechanism and, as such, is very
easy to use.
However, starting with 3.0, FreeBSD officially supports ELF
binaries as the default format. Even though the a.out
executable format has served us well, the GNU people, who author the
compiler tools we use, have dropped support for the a.out
format. This has forced us to maintain a divergent version of
the compler and linker, and has kept us from reaping the benefits
of the latest GNU development efforts. Also the demands of
ISO-C++, notably contstructors and destructors, has also led to
native ELF support in future FreeBSD releases.Yes, but why are there so many different
formats?Back in the dim, dark past, there was simple hardware. This
simple hardware supported a simple, small system. a.out was
completely adequate for the job of representing binaries on this
simple system (a PDP-11). As people ported unix from this
simple system, they retained the a.out format because it was
sufficient for the early ports of unix to architectures like the
Motorola 68k, VAXen, etc.Then some bright hardware engineer decided that if he could
force software to do some sleazy tricks, then he'd be able to
shave a few gates off the design and allow his CPU core to run
faster. While it was made to work with this new kind of
hardware (known these days as RISC), a.out was ill-suited
for this hardware, so many formats were developed to get to a
better performance from this hardware than the limited, simple
a.out format could offer. Things like COFF,
ECOFF, and a few obscure others were invented and their
limitations explored before things seemed to settle on ELF.In addition, program sizes were getting huge and disks (and
physical memory) were still relatively small so the concept of a
shared library was born. The VM system also became more
sophisticated. While each one of these advancements was done
using the a.out format, its usefulness was stretched more
and more with each new feature. In addition, people wanted to
dynamically load things at run time, or to junk parts of their
program after the init code had run to save in core memory
and/or swap space. Languages became more sophistocated and
people wanted code called before main automatically. Lots of
hacks were done to the a.out format to allow all of these
things to happen, and they basically worked for a time. In
time, a.out wasn't up to handling all these problems
without an ever increasing overhead in code and complexity.
While ELF solved many of these problems, it would be
painful to switch from the system that basically worked. So
ELF had to wait until it was more painful to remain with
a.out than it was to migrate to ELF.However, as time passed, the build tools that FreeBSD derived
their build tools from (the assembler and loader especially)
evolved in two parallel trees. The FreeBSD tree added shared
libraries and fixed some bugs. The GNU folks that originally
write these programs rewrote them and added simpler support for
building cross compilers, plugging in different formats at will,
etc. Since many people wanted to build cross compilers
targeting FreeBSD, they were out of luck since the older sources
that FreeBSD had for as and ld weren't up to the task. The new
gnu tools chain (binutils) does support cross compiling,
ELF, shared libraries, C++ extnensions, etc. In addition,
many vendors are releasing ELF binaries, and it is a good
thing for FreeBSD to run them. And if it is running ELF
binaries, why bother having a.out any more? It is a tired
old horse that has proven useful for a long time, but it is time
to turn him out to pasture for his long, faithful years of
service.ELF is more expressive than a.out and will allow more
extensibility in the base system. The ELF tools are better
maintained, and offer cross compilation support, which is
important to many people. ELF may be a little slower than
a.out, but trying to measure it can be difficult. There are
also numerous details that are different between the two in how
they map pages, handle init code, etc. None of these are very
important, but they are differences. In time support for
a.out will be moved out of the GENERIC kernel, and
eventually removed from the kernel once the need to run legacy
a.out programs is past.Why won't chmod change the permissions on symlinks?Symlinks do not have permissions, and by default,
&man.chmod.1; will not follow symlinks to change the permissions
on the target file. So if you have a file,
foo, and a symlink to that file,
bar, then this command will always
succeed.&prompt.user; chmod g-w barHowever, the permissions on foo will not
have changed.You have to use either or together with
the option to make this work. See the chmod and
symlink
man pages for more info.The option does a RECURSIVE
chmod. Be careful about specifying directories or symlinks
to directories to chmod. If you want to change the
permissions of a directory referenced by a symlink, use
chmod
without any options and follow the symlink with a trailing slash
(/). For example, if foo is a symlink to
directory bar, and you want to change the permissions of
foo (actually bar), you would do something like:&prompt.user; chmod 555 foo/With the trailing slash, chmod will
follow the symlink, foo, to change the permissions of the
directory, bar. Why are login names still restricted to 8 characters?
You'd think it'd be easy enough to change UT_NAMESIZE and rebuild
the whole world, and everything would just work. Unfortunately there
are often scads of applications and utilities (including system tools)
that have hard-coded small numbers (not always 8 or 9, but oddball
ones like 15 and 20) in structures and buffers. Not only will
this get you log files which are trashed (due to variable-length
records getting written when fixed records were expected), but it can
break Sun's NIS clients and potentially cause other problems in
interacting with other UNIX systems.In FreeBSD 3.0 and later, the maximum name length has been
increased to 16 characters and those various utilities with
hard-coded name sizes have been found and fixed. The fact that this
touched so many areas of the system is why, in fact, the change was
not made until 3.0.If you're absolutely confident in your ability to find and fix
these sorts of problems for yourself when and if they pop up, you
can increase the login name length in earlier releases by editing
/usr/include/utmp.h and changing UT_NAMESIZE accordingly. You must
also update MAXLOGNAME in /usr/include/sys/param.h to match
the UT_NAMESIZE change. Finally, if you build from sources, don't
forget that /usr/include is updated each time! Change the appropriate
files in /usr/src/.. instead.Can I run DOS binaries under FreeBSD?Yes, starting with version 3.0 you can using BSDI's doscmd
DOS emulation which has been integrated and enhanced.
Send mail to The FreeBSD emulation discussion list if you're interested in
joining this ongoing effort!For pre-3.0 systems, there is a neat utility called
pcemu
in the ports collection which emulates an 8088 and enough BIOS services
to run DOS text mode applications. It requires the X Window
System (provided as XFree86). What is sup, and how do I use it?
SUP
stands for Software Update Protocol, and was developed by CMU
for keeping their development trees in sync. We used it to keep
remote sites in sync with our central development sources.SUP is not bandwidth friendly, and has been retired. The current
recommended method to keep your sources up to date is
Handbook entry on CVSupHow cool is FreeBSD?Q. Has anyone done any temperature testing while running FreeBSD?
I know Linux runs cooler than dos, but have never seen a mention of
FreeBSD. It seems to run really hot.A. No, but we have done numerous taste tests on blindfolded
volunteers who have also had 250 micrograms of LSD-25
administered beforehand. 35% of the volunteers said that FreeBSD
tasted sort of orange, whereas Linux tasted like purple haze.
Neither group mentioned any particular variances in temperature
that I can remember. We eventually had to throw the results of
this survey out entirely anyway when we found that too many
volunteers were wandering out of the room during the tests, thus
skewing the results. I think most of the volunteers are at Apple
now, working on their new scratch and sniff GUI. It's a
funny old business we're in!Seriously, both FreeBSD and Linux use the HLT (halt)
instruction when the system is idle thus lowering its energy
consumption and therefore the heat it generates. Also if you
have APM (advanced power management) configured, then FreeBSD
can also put the CPU into a low power mode.Who's scratching in my memory banks??Q. Is there anything odd that FreeBSD does when compiling the
kernel which would cause the memory to make a scratchy sound? When
compiling (and for a brief moment after recognizing the floppy drive
upon startup, as well), a strange scratchy sound emanates from what
appears to be the memory banks.A. Yes! You'll see frequent references to daemons in the BSD
documentation, and what most people don't know is that this
refers to genuine, non-corporeal entities that now possess your
computer. The scratchy sound coming from your memory is actually
high-pitched whispering exchanged among the daemons as they best
decide how to deal with various system administration tasks.If the noise gets to you, a good fdisk /mbr from DOS
will get rid of them, but don't be surprised if they react
adversely and try to stop you. In fact, if at any point during
the exercise you hear the satanic voice of Bill Gates coming from
the built-in speaker, take off running and don't ever look back!
Freed from the counterbalancing influence of the BSD daemons, the
twin demons of DOS and Windows are often able to re-assert total
control over your machine to the eternal damnation of your soul.
Given a choice, I think I'd prefer to get used to the scratchy
noises, myself!What does MFC mean?MFC is an acronym for Merged From -CURRENT. It's used in the CVS
logs to denote when a change was migrated from the CURRENT to the STABLE
branches.What does BSD mean?It stands for something in a secret language that only
members can know. It doesn't translate literally but its ok to
tell you that BSD's translation is something between, Formula-1
Racing Team, Penguins are tasty snacks, and We have a better
sense of humor than Linux. :-)Seriously, BSD is an acronym for Berkeley Software
Distribution, which is the name the Berkeley CSRG (Computer
Systems Research Group) chose for their Unix distribution way
back when.What is a repo-copy?A repo-copy (which is a short form of repository
copy) refers to the direct copying of files within the CVS
repository.Without a repo-copy, if a file needed to be copied or moved to
another place in the repository, the committer would run cvs
add to put the file in its new location, and then cvs
rm on the old file if the old copy was being removed.The disadvantage of this method is that the history (i.e. the
entries in the CVS logs) of the file would not be copied to the new
location. As the FreeBSD Project considers this history very useful,
a repository copy is often used instead. This is a process where one
of the repository meisters will copy the files directly within the
repository, rather than using the cvs program.Why should I care what color the bikeshed is?The really, really short answer is that you shouldn't.
The somewhat longer answer is that just because you are
capable of building a bikeshed doesn't mean you should stop
others from building one just because you don't like the
color they plan to paint it. This is a metaphor indicating
that you need not argue about every little feature just
because you know enough to do so. Some people have
commented that the amount of noise generated by a change is
inversely proportional to the complexity of the
change.The longer and more complete answer is that after a very
long argument about whether &man.sleep.1; should take
fractional second arguments, &a.phk; posted a long
message entitled A
bike shed (any colour will do) on greener
grass.... The appropriate portions of that
message are quoted below.
&a.phk; on freebsd-hackers, October
2, 1999What is it about this bike shed? Some
of you have asked me.It's a long story, or rather it's an old story, but
it is quite short actually. C. Northcote Parkinson wrote
a book in the early 1960'ies, called Parkinson's
Law, which contains a lot of insight into the
dynamics of management.[snip a bit of commentary on the book]In the specific example involving the bike shed, the
other vital component is an atomic power-plant, I guess
that illustrates the age of the book.Parkinson shows how you can go in to the board of
directors and get approval for building a multi-million or
even billion dollar atomic power plant, but if you want to
build a bike shed you will be tangled up in endless
discussions.Parkinson explains that this is because an atomic
plant is so vast, so expensive and so complicated that
people cannot grasp it, and rather than try, they fall
back on the assumption that somebody else checked all the
details before it got this far. Richard P. Feynmann
gives a couple of interesting, and very much to the point,
examples relating to Los Alamos in his books.A bike shed on the other hand. Anyone can build one
of those over a weekend, and still have time to watch the
game on TV. So no matter how well prepared, no matter how
reasonable you are with your proposal, somebody will seize
the chance to show that he is doing his job, that he is
paying attention, that he is
here.In Denmark we call it setting your
fingerprint. It is about personal pride and
prestige, it is about being able to point somewhere and
say There! I did that.
It is a strong trait in politicians, but present in most
people given the chance. Just think about footsteps in
wet cement.
How many FreeBSD hackers does it take to change a lightbulb?One thousand, one hundred and seventy-two:Twenty-three to complain to -CURRENT about the lights being
out;Four to claim that it is a configuration problem, and that
such matters really belong on -questions;Three to submit PRs about it, one of which is misfiled under
doc and consists only of "it's dark";One to commit an untested lightbulb which breaks buildworld,
then back it out five minutes later;Eight to flame the PR originators for not including patches
in their PRs;Five to complain about buildworld being broken;Thirty-one to answer that it works for them, and they must
have cvsupped at a bad time;One to post a patch for a new lightbulb to -hackers;One to complain that he had patches for this three years ago,
but when he sent them to -CURRENT they were just ignored, and he
has had bad experiences with the PR system; besides, the
proposed new lightbulb is non-reflexive;Thirty-seven to scream that lightbulbs do not belong in the
base system, that committers have no right to do things like
this without consulting the Community, and WHAT IS -CORE DOING
ABOUT IT!?Two hundred to complain about the color of the bicycle shed;Three to point out that the patch breaks style(9);Seventeen to complain that the proposed new lightbulb is
under GPL;Five hundred and eighty-six to engage in a flame war about
the comparative advantages of the GPL, the BSD license, the MIT
license, the NPL, and the personal hygiene of unnamed FSF
founders;Seven to move various portions of the thread to -chat and
-advocacy;One to commit the suggested lightbulb, even though it shines
dimmer than the old one;Two to back it out with a furious flame of a commit message,
arguing that FreeBSD is better off in the dark than with a dim
lightbulb;Forty-six to argue vociferously about the backing out of the
dim lightbulb and demanding a statement from -core;Eleven to request a smaller lightbulb so it will fit their
Tamagotchi if we ever decide to port FreeBSD to that platform;Seventy-three to complain about the SNR on -hackers and -chat
and unsubscribe in protest;Thirteen to post "unsubscribe", "How do I unsubscribe?", or
"Please remove me from the list", followed by the usual footer;One to commit a working lightbulb while everybody is too busy
flaming everybody else to notice;Thirty-one to point out that the new lightbulb would shine
0.364% brighter if compiled with TenDRA (although it will have
to be reshaped into a cube), and that FreeBSD should therefore
switch to TenDRA instead of EGCS;One to complain that the new lightbulb lacks fairings;Nine (including the PR originators) to ask "what is MFC?";Fifty-seven to complain about the lights being out two weeks
after the bulb has been changed.&a.nik; adds:I was laughing quite hard at this.And then I thought, "Hang on, shouldn't there be '1 to
document it.' in that list somewhere?"And then I was enlightened :-)This entry is Copyright (c) 1999 &a.des;.
Please do not reproduce without attribution.For serious FreeBSD hackers only What are SNAPs and RELEASEs?
There are currently three active/semi-active branches in the FreeBSD
CVS
Repository (the RELENG_2 branch is probably only changed twice
a year, which is why there are only three active branches of development):RELENG_2_2 AKA 2.2-STABLERELENG_3 AKA 3.X-STABLERELENG_4 AKA 4-STABLEHEAD AKA -CURRENT
AKA 5.0-CURRENTHEAD is not an actual branch tag, like the other two; it's
simply a symbolic constant for
the current, non-branched development stream which we simply
refer to as -CURRENT.Right now, -CURRENT is the 5.0 development stream and the
4-STABLE branch, RELENG_4, forked off from
-CURRENT in Mar 2000.The 2.2-STABLE branch, RELENG_2_2, departed -CURRENT in
November 1996, and has pretty much been retired. How do I make my own custom release?
To make a release you need to do three things: First, you need to
be running a kernel with the vn driver configured
in. Add this to your kernel config file and build a new kernel:pseudo-device vn #Vnode driver (turns a file into a device)Second, you have to have the whole CVS repository at hand.
To get this you can use CVSUP
but in your supfile set the release name to cvs and remove any tag or
date fields:*default prefix=/home/ncvs
*default base=/a
*default host=cvsup.FreeBSD.org
*default release=cvs
*default delete compress use-rel-suffix
## Main Source Tree
src-all
src-eBones
src-secure
# Other stuff
ports-all
www
doc-allThen run cvsup -g supfile to suck all the good bits onto your
box...Finally, you need a chunk of empty space to build into. Let's
say it's in /some/big/filesystem, and from the example
above you've got the CVS repository in /home/ncvs:&prompt.root; setenv CVSROOT /home/ncvs # or export CVSROOT=/home/ncvs
&prompt.root; cd /usr/src
&prompt.root; make buildworld
&prompt.root; cd /usr/src/release
&prompt.root; make release BUILDNAME=3.0-MY-SNAP CHROOTDIR=/some/big/filesystem/release
Please note that you do not need to
build world if you already have a populated
/usr/obj.
An entire release will be built in
/some/big/filesystem/release and you will have a full FTP-type
installation in /some/big/filesystem/release/R/ftp when you're
done. If you want to build your SNAP along some other branch than
-CURRENT, you can also add RELEASETAG=SOMETAG to
the make release command line above, e.g. RELEASETAG=RELENG_2_2
would build an up-to-the- minute 2.2-STABLE snapshot.How do I create customized installation disks?The entire process of creating installation disks and source and
binary archives is automated by various targets in
/usr/src/release/Makefile. The information there should
be enough to get you started. However, it should be said that this
involves doing a make world and will therefore take up a lot of
time and disk space.make world clobbers my existing installed binaries.Yes, this is the general idea; as its name might suggest,
make world rebuilds every system binary from scratch, so you can be
certain of having a clean and consistent environment at the end (which
is why it takes so long).If the environment variable DESTDIR is defined while running
make world or make install, the newly-created
binaries will be deposited in a directory tree identical to the
installed one, rooted at ${DESTDIR}.
Some random combination of shared libraries modifications and
program rebuilds can cause this to fail in make world
however. When my system boots, it says (bus speed defaulted).
The Adaptec 1542 SCSI host adapters allow the user to configure
their bus access speed in software. Previous versions of the
1542 driver tried to determine the fastest usable speed and set
the adapter to that. We found that this breaks some users'
systems, so you now have to define the TUNE_1542 kernel
configuration option in order to have this take place. Using it
on those systems where it works may make your disks run faster,
but on those systems where it doesn't, your data could be
corrupted. Can I follow current with limited Internet access?
Yes, you can do this without downloading the whole source tree
by using the CTM facility.How did you split the distribution into 240k files?Newer BSD based systems have a option to split that
allows them to split files on arbitrary byte boundaries.Here is an example from /usr/src/Makefile.bin-tarball:
(cd ${DISTDIR}; \
tar cf - . \
gzip --no-name -9 -c | \
split -b 240640 - \
${RELEASEDIR}/tarballs/bindist/bin_tgz.)I've written a kernel extension, who do I send it to?Please take a look at The Handbook entry on how to submit code.And thanks for the thought!How are Plug N Play ISA cards detected and initialized?By: Frank Durda IVIn a nutshell, there a few I/O ports that all of the PnP boards
respond to when the host asks if anyone is out there. So when
the PnP probe routine starts, he asks if there are any PnP boards
present, and all the PnP boards respond with their model # to
a I/O read of the same port, so the probe routine gets a wired-OR
yes to that question. At least one bit will be on in that
reply. Then the probe code is able to cause boards with board
model IDs (assigned by Microsoft/Intel) lower than X to go
off-line. It then looks to see if any boards are still
responding to the query. If the answer was 0, then
there are no boards with IDs above X. Now probe asks if there
are any boards below X. If so, probe knows there are boards
with a model numbers below X. Probe then asks for boards greater
than X-(limit/4) to go off-line. If repeats the query. By
repeating this semi-binary search of IDs-in-range enough times,
the probing code will eventually identify all PnP boards present
in a given machine with a number of iterations that is much lower
than what 2^64 would take.The IDs are two 32-bit fields (hence 2ˆ64) + 8 bit checksum.
The first 32 bits are a vendor identifier. They never come out
and say it, but it appears to be assumed that different types of
boards from the same vendor could have different 32-bit vendor
ids. The idea of needing 32 bits just for unique manufacturers
is a bit excessive.The lower 32 bits are a serial #, ethernet address, something
that makes this one board unique. The vendor must never produce
a second board that has the same lower 32 bits unless the upper
32 bits are also different. So you can have multiple boards of
the same type in the machine and the full 64 bits will still be
unique.The 32 bit groups can never be all zero. This allows the
wired-OR to show non-zero bits during the initial binary search.Once the system has identified all the board IDs present, it will
reactivate each board, one at a time (via the same I/O ports),
and find out what resources the given board needs, what interrupt
choices are available, etc. A scan is made over all the boards
to collect this information.This info is then combined with info from any ECU files on the
hard disk or wired into the MLB BIOS. The ECU and BIOS PnP
support for hardware on the MLB is usually synthetic, and the
peripherals don't really do genuine PnP. However by examining
the BIOS info plus the ECU info, the probe routines can cause the
devices that are PnP to avoid those devices the probe code cannot
relocate.Then the PnP devices are visited once more and given their I/O,
DMA, IRQ and Memory-map address assignments. The devices will
then appear at those locations and remain there until the next
reboot, although there is nothing that says you can't move them
around whenever you want.There is a lot of oversimplification above, but you should get
the general idea.Microsoft took over some of the primary printer status ports to
do PnP, on the logic that no boards decoded those addresses for
the opposing I/O cycles. I found a genuine IBM printer board
that did decode writes of the status port during the early PnP
proposal review period, but MS said tough. So they do a
write to the printer status port for setting addresses, plus that
use that address + 0x800, and a third I/O port for reading
that can be located anywhere between 0x200 and 0x3ff.Does FreeBSD support architectures other than the x86?Several groups of people have expressed interest in working on
multi-architecture ports for FreeBSD and the FreeBSD/AXP (ALPHA)
port is one such effort which has been quite successful, now
available in 3.0 SNAPshot release form at ftp://ftp.FreeBSD.org/pub/FreeBSD/alpha. The ALPHA
port currently runs on a growing number of ALPHA machine
types, among them the AlphaStation, AXPpci, PC164, Miata and Multia
models. This port is not yet considered a full release and won't be
until a full compliment of system installation tools and a distribution
on CDROM installation media is available, including a reasonable
number of working ports and packages.
FreeBSD/AXP should be considered BETA quality software at this
time. For status information, please join the
freebsd-alpha@FreeBSD.orgmailing list.Interest has also been expressed in a port of FreeBSD to
the SPARC architecture, join the freebsd-sparc@FreeBSD.orgmailing list if you are interested
in joining that project. For general discussion on new architectures,
join the freebsd-platforms@FreeBSD.org
mailing list.I need a major number for a device driver I've written.This depends on whether or not you plan on making the driver
publicly available. If you do, then please send us a copy of the
driver source code, plus the appropriate modifications to
files.i386, a sample configuration file entry, and the
appropriate MAKEDEV code to create any special files your device uses. If
you do not, or are unable to because of licensing restrictions, then
character major number 32 and block major number 8 have been reserved
specifically for this purpose; please use them. In any case, we'd
appreciate hearing about your driver on
freebsd-hackers@FreeBSD.org.Alternative layout policies for directoriesIn answer to the question of alternative layout policies for
directories, the scheme that is currently in use is unchanged
from what I wrote in 1983. I wrote that policy for the original
fast filesystem, and never revisited it. It works well at keeping
cylinder groups from filling up. As several of you have noted,
it works poorly for find. Most filesystems are created from
archives that were created by a depth first search (aka ftw).
These directories end up being striped across the cylinder groups
thus creating a worst possible senario for future depth first
searches. If one knew the total number of directories to be
created, the solution would be to create (total / fs_ncg) per
cylinder group before moving on. Obviously, one would have to
create some heuristic to guess at this number. Even using a
small fixed number like say 10 would make an order of magnitude
improvement. To differentiate restores from normal operation
(when the current algorithm is probably more sensible), you
could use the clustering of up to 10 if they were all done
within a ten second window. Anyway, my conclusion is that this
is an area ripe for experimentation.Kirk McKusick, September 1998Making the most of a kernel panic[This section was extracted from a mail written by &a.wpaul; on the
freebsd-current mailing list by &a.des;, who fixed a few typos and added the bracketed
comments]From: Bill Paul <wpaul@skynet.ctr.columbia.edu>
Subject: Re: the fs fun never stops
To: ben@rosengart.com
Date: Sun, 20 Sep 1998 15:22:50 -0400 (EDT)
Cc: current@FreeBSD.org[<ben@rosengart.com> posted the following panic
message]> Fatal trap 12: page fault while in kernel mode
> fault virtual address = 0x40
> fault code = supervisor read, page not present
> instruction pointer = 0x8:0xf014a7e5
^^^^^^^^^^
> stack pointer = 0x10:0xf4ed6f24
> frame pointer = 0x10:0xf4ed6f28
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 80 (mount)
> interrupt mask =
> trap number = 12
> panic: page fault
[When] you see a message like this, it's not enough to just
reproduce it and send it in. The instruction pointer value that
I highlighted up there is important; unfortunately, it's also
configuration dependent. In other words, the value varies
depending on the exact kernel image that you're using. If you're
using a GENERIC kernel image from one of the snapshots, then
it's possible for somebody else to track down the offending
function, but if you're running a custom kernel then only
you can tell us where the fault occured. What you should do is this:Write down the instruction pointer value. Note that the
0x8: part at the begining is not significant in this case:
it's the 0xf0xxxxxx part that we want.When the system reboots, do the following:
&prompt.user; nm /kernel.that.caused.the.panic | grep f0xxxxxx
where f0xxxxxx is the instruction pointer value. The
odds are you will not get an exact match since the symbols
in the kernel symbol table are for the entry points of
functions and the instruction pointer address will be
somewhere inside a function, not at the start. If you don't
get an exact match, omit the last digit from the instruction
pointer value and try again, i.e.:
&prompt.user; nm /kernel.that.caused.the.panic | grep f0xxxxx
If that doesn't yield any results, chop off another digit.
Repeat until you get some sort of output. The result will be
a possible list of functions which caused the panic. This is
a less than exact mechanism for tracking down the point of
failure, but it's better than nothing. I see people constantly show panic messages like this but
rarely do I see someone take the time to match up the
instruction pointer with a function in the kernel symbol table. The best way to track down the cause of a panic is by
capturing a crash dump, then using gdb(1) to to a stack
trace on the crash dump. Of course, this depends on gdb(1)
in -CURRENT working correctly, which I can't guarantee (I recall
somebody saying that the new ELF-ized gdb(1) didn't handle
kernel crash dumps correctly: somebody should check this before
3.0 goes out of beta or there'll be a lot of red faces after the
CDs ship).In any case, the method I normally use is this:Set up a kernel config file, optionally adding options DDB if you
think you need the kernel debugger for something. (I use this mainly
for setting beakpoints if I suspect an infinite loop condition of
some kind.)Use config -g KERNELCONFIG to set up the build directory.cd /sys/compile/KERNELCONFIG; makeWait for kernel to finish compiling.make installrebootThe &man.make.1; process will have built two kernels.
kernel and
kernel.debug. kernel
was installed as /kernel, while
kernel.debug can be used as the source of
debugging symbols for gdb(1). To make sure you capture a crash dump, you need edit
/etc/rc.conf and set dumpdev to point to your swap
partition. This will cause the rc(8) scripts to use the
dumpon(8) command to enable crash dumps. You can also run
dumpon(8) manually. After a panic, the crash dump can be
recovered using savecore(8); if dumpdev is set in
/etc/rc.conf, the rc(8) scripts will run
savecore(8) automatically and put the crash dump in
/var/crash.FreeBSD crash dumps are usually the same size as the
physical RAM size of your machine. That is, if you have 64MB of
RAM, you will get a 64MB crash dump. Therefore you must make sure
there's enough space in /var/crash to hold the dump.
Alternatively, you run savecore(8) manually and have it
recover the crash dump to another directory where you have more
room. It's possible to limit the size of the crash dump by using
options MAXMEM=(foo) to set the amount of memory the kernel
will use to something a little more sensible. For example, if
you have 128MB of RAM, you can limit the kernel's memory usage
to 16MB so that your crash dump size will be 16MB instead of
128MB. Once you have recovered the crash dump, you can get a stack
trace with gdb(1) as follows:&prompt.user; gdb -k /sys/compile/KERNELCONFIG/kernel.debug /var/crash/vmcore.0(gdb)where Note that there may be several screens worth of information;
ideally you should use script(1) to capture all of them.
Using the unstripped kernel image with all the debug symbols
should show the exact line of kernel source code where the panic
occured. Usually you have to read the stack trace from the
bottom up in order to trace the exact sequence of events that
lead to the crash. You can also use gdb(1) to print out the
contents of various variables or structures in order to examine
the system state at the time of the crash. Now, if you're really insane and have a second computer, you
can also configure gdb(1) to do remote debugging such that
you can use gdb(1) on one system to debug the kernel on
another system, including setting breakpoints, single-stepping
through the kernel code, just like you can do with a normal
user-mode program. I haven't played with this yet as I don't
often have the chance to set up two machines side by side for
debugging purposes.[Bill adds: "I forgot to mention one thing: if you have
DDB enabled and the kernel drops into the debugger, you can
force a panic (and a crash dump) just by typing 'panic' at the
ddb prompt. It may stop in the debugger again during the panic
phase. If it does, type 'continue' and it will finish the crash
dump." -ed]dlsym() stopped working for ELF executables!The ELF toolchain does not, by default, make the symbols
defined in an executable visible to the dynamic linker.
Consequently dlsym() searches on handles obtained
from calls to dlopen(NULL, flags) will fail to find
such symbols.If you want to search, using dlsym(), for symbols
present in the main executable of a process, you need to link
the executable using the option to the
ELF linker.Increasing or reducing the kernel address spaceBy default, the kernel address space is 256 MB on FreeBSD 3.x
and 1 GB on FreeBSD 4.x. If you run a network-intensive server
(e.g. a large FTP or HTTP server), you might find that 256 MB is
not enough.So how do you increase the address space? There are two aspects
to this. First, you need to tell the kernel to reserve a larger
portion of the address space for itself. Second, since the
kernel is loaded at the top of the address space, you need to
lower the load address so it doesn't bump its head against the
ceiling.The first goal is achieved by increasing the value of
NKPDE in src/sys/i386/include/pmap.h. Here's what
it looks like for a 1 GB address space:#ifndef NKPDE
#ifdef SMP
#define NKPDE 254 /* addressable number of page tables/pde's */
#else
#define NKPDE 255 /* addressable number of page tables/pde's */
#endif /* SMP */
#endifTo find the correct value of NKPDE, divide the desired
address space size (in megabytes) by four, then subtract one for
UP and two for SMP.To achieve the second goal, you need to compute the correct load
address: simply subtract the address space size (in bytes) from
0x100100000; the result is 0xc0100000 for a 1 GB address space.
Set LOAD_ADDRESS in src/sys/i386/conf/Makefile.i386
to that value; then set the location counter in the beginning of
the section listing in src/sys/i386/conf/kernel.script
to the same value, as follows:OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
OUTPUT_ARCH(i386)
ENTRY(btext)
SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/obj/elf/home/src/tmp/usr/i386-unknown-freebsdelf/lib);
SECTIONS
{
/* Read-only sections, merged into text segment: */
. = 0xc0100000 + SIZEOF_HEADERS;
.interp : { *(.interp) }Then reconfig and rebuild your kernel. You will probably have
problems with ps(1), top(1) and the like; make
world should take care of it (or a manual rebuild of
libkvm, ps and top after copying the patched
pmap.h to /usr/include/vm/.NOTE: the size of the kernel address space must be a multiple of
four megabytes.[&a.dg;
adds: I think the kernel address space needs to be a power
of two, but I'm not certain about that. The old(er) boot code
used to monkey with the high order address bits and I think
expected at least 256MB granularity.]ACKNOWLEDGMENTS
FreeBSD Core TeamIf you see a problem with this FAQ, or wish to submit an
entry, please mail the &a.faq;. We appreciate your feedback, and
cannot make this a better FAQ without your help!
&a.jkh;Occasional fits of FAQ-reshuffling and updating.&a.dwhite;Services above and beyond the call of duty on freebsd-questions&a.joerg;Services above and beyond the call of duty on Usenet&a.wollman;Networking and formattingJim LoweMulticast information&a.pds;FreeBSD FAQ typing machine slaveyThe FreeBSD TeamKvetching, moaning, submitting dataAnd to any others we've forgotten, apologies and heartfelt thanks!
diff --git a/en_US.ISO_8859-1/books/handbook/introduction/chapter.sgml b/en_US.ISO_8859-1/books/handbook/introduction/chapter.sgml
index 1eccc0d2af..a9dd789058 100644
--- a/en_US.ISO_8859-1/books/handbook/introduction/chapter.sgml
+++ b/en_US.ISO_8859-1/books/handbook/introduction/chapter.sgml
@@ -1,721 +1,704 @@
IntroductionRestructured, reorganized, and parts rewritten by
&a.jim;, 17 January 2000.SynopsisThank you for your interest in FreeBSD! The following chapter
covers various items about the FreeBSD Project, such as its history,
goals, development model, and so on.FreeBSD is a 4.4BSD-Lite2 based operating system for the Intel
architecture (x86) and DEC Alpha based systems. Ports to other
architectures are also underway. For a brief overview of FreeBSD,
see the next section. You can also
read about the history of FreeBSD,
or the current release. If you
are interested in contributing something to the Project (code,
hardware, unmarked bills), see the contributing to FreeBSD section.Welcome to FreeBSD!Since you are still here reading this, you most likely have some
idea as to what FreeBSD is and what it can do for you. If you are
new to FreeBSD, read on for more information.What is FreeBSD?In general, FreeBSD is a state-of-the-art operating system
based on 4.4BSD-Lite2. It runs on computer systems based on the
Intel architecture (x86), and also the DEC Alpha
architecture.FreeBSD is used to power some of the biggest sites on the
Internet, including:Yahoo!HotmailApacheBe, Inc.Blue Mountain
ArtsPair
NetworksWhistle
CommunicationsWalnut Creek
CDROMand many more.What can FreeBSD do?FreeBSD has many noteworthy features. Some of these
are:Preemptive multitasking with
dynamic priority adjustment to ensure smooth and fair
sharing of the computer between applications and users, even
under the heaviest of loads.Multi-user facilities which allow many
people to use a FreeBSD system simultaneously for a variety
of things. This means, for example, that system peripherals
such as printers and tape drives are properly shared between
all users on the system or the network and that individual
resource limits can be placed on users or groups of users,
protecting critical system resources from over-use.Strong TCP/IP networking with
support for industry standards such as SLIP, PPP, NFS, DHCP,
and NIS. This means that your FreeBSD machine can
inter-operate easily with other systems as well as act as an
enterprise server, providing vital functions such as NFS
(remote file access) and e-mail services or putting your
organization on the Internet with WWW, FTP, routing and
firewall (security) services.Memory protection ensures that
applications (or users) cannot interfere with each other. One
application crashing will not affect others in any way.FreeBSD is a 32-bit operating
system (64-bit on the Alpha) and was
designed as such from the ground up.The industry standard X Window System
(X11R6) provides a graphical user interface (GUI) for the cost
of a common VGA card and monitor and comes with full
sources.Binary compatibility with many
programs built for Linux, SCO, SVR4, BSDI and NetBSD.Thousands of ready-to-run
applications are available from the FreeBSD
ports and packages
collection. Why search the net when you can find it all right
here?Thousands of additional and
easy-to-port applications are available
on the Internet. FreeBSD is source code compatible with most
popular commercial Unix systems and thus most applications
require few, if any, changes to compile.Demand paged virtual memory and
merged VM/buffer cache design efficiently
satisfies applications with large appetites for memory while
still maintaining interactive response to other users.SMP support for machines with
multiple CPUs (Intel only).A full complement of C,
C++, Fortran, and
Perl development tools.
Many additional languages for advanced research
and development are also available in the ports and packages
collection.Source code for the entire system
means you have the greatest degree of control over your
environment. Why be locked into a proprietary solution
at the mercy of your vendor when you can have a truly Open
System?Extensive on-line
documentation.And many more!FreeBSD is based on the 4.4BSD-Lite2 release from Computer
Systems Research Group (CSRG) at the University of California at
Berkeley, and carries on the distinguished tradition of BSD
systems development. In addition to the fine work provided by
CSRG, the FreeBSD Project has put in many thousands of hours in
fine tuning the system for maximum performance and reliability in
real-life load situations. As many of the commercial giants
struggle to field PC operating systems with such features,
performance and reliability, FreeBSD can offer them
now!The applications to which FreeBSD can be put are truly
limited only by your own imagination. From software development
to factory automation, inventory control to azimuth correction of
remote satellite antennae; if it can be done with a commercial
UNIX product then it is more than likely that you can do it with
FreeBSD, too! FreeBSD also benefits significantly from the
literally thousands of high quality applications developed by
research centers and universities around the world, often
available at little to no cost. Commercial applications are also
available and appearing in greater numbers every day.Because the source code for FreeBSD itself is generally
available, the system can also be customized to an almost unheard
of degree for special applications or projects, and in ways not
generally possible with operating systems from most major
commercial vendors. Here is just a sampling of some of the
applications in which people are currently using FreeBSD:Internet Services: The robust TCP/IP
networking built into FreeBSD makes it an ideal platform for a
variety of Internet services such as:FTP serversWorld Wide Web servers (standard or secure
[SSL])Firewalls and NAT (IP masquerading)
gateways.Electronic Mail serversUSENET News or Bulletin Board SystemsAnd more...With FreeBSD, you can easily start out small with an
inexpensive 386 class PC and upgrade all the way up to a
quad-processor Xeon with RAID storage as your enterprise
grows.Education: Are you a student of
computer science or a related engineering field? There is no
better way of learning about operating systems, computer
architecture and networking than the hands on, under the hood
experience that FreeBSD can provide. A number of freely
available CAD, mathematical and graphic design packages also
make it highly useful to those whose primary interest in a
computer is to get other work
done!Research: With source code for the
entire system available, FreeBSD is an excellent platform for
research in operating systems as well as other branches of
computer science. FreeBSD's freely available nature also makes
it possible for remote groups to collaborate on ideas or
shared development without having to worry about special
licensing agreements or limitations on what may be discussed
in open forums.Networking: Need a new router? A
name server (DNS)? A firewall to keep people out of your
internal network? FreeBSD can easily turn that unused 386 or
486 PC sitting in the corner into an advanced router with
sophisticated packet-filtering capabilities.X Window workstation: FreeBSD is a
fine choice for an inexpensive X terminal solution, either
using the freely available XFree86 server or one of the
excellent commercial servers provided by X Inside. Unlike an
X terminal, FreeBSD allows many applications to be run
locally, if desired, thus relieving the burden on a central
server. FreeBSD can even boot diskless, making
individual workstations even cheaper and easier to
administer.Software Development: The basic
FreeBSD system comes with a full complement of development
tools including the renowned GNU C/C++ compiler and
debugger.FreeBSD is available in both source and binary form on CDROM
and via anonymous FTP. See Obtaining
FreeBSD for more details.About the FreeBSD ProjectThe following section provides some background information on
the project, including a brief history, project goals, and the
development model of the project.A Brief History of FreeBSDContributed by &a.jkh;.The FreeBSD project had its genesis in the early part of 1993,
partially as an outgrowth of the Unofficial 386BSD
Patchkit by the patchkit's last 3 coordinators: Nate
Williams, Rod Grimes and myself.Our original goal was to produce an intermediate snapshot of
386BSD in order to fix a number of problems with it that the
patchkit mechanism just was not capable of solving. Some of you
may remember the early working title for the project being
386BSD 0.5 or 386BSD Interim in
reference to that fact.386BSD was Bill Jolitz's operating system, which had been up
to that point suffering rather severely from almost a year's worth
of neglect. As the patchkit swelled ever more uncomfortably with
each passing day, we were in unanimous agreement that something
had to be done and decided to try and assist Bill by providing
this interim cleanup snapshot. Those plans came to
a rude halt when Bill Jolitz suddenly decided to withdraw his
sanction from the project without any clear indication of what
would be done instead.It did not take us long to decide that the goal remained
worthwhile, even without Bill's support, and so we adopted the
name FreeBSD, coined by David Greenman. Our initial
objectives were set after consulting with the system's current
users and, once it became clear that the project was on the road
to perhaps even becoming a reality, I contacted Walnut Creek CDROM
with an eye towards improving FreeBSD's distribution channels for
those many unfortunates without easy access to the Internet.
Walnut Creek CDROM not only supported the idea of distributing
FreeBSD on CD but also went so far as to provide the project with a
machine to work on and a fast Internet connection. Without Walnut
Creek CDROM's almost unprecedented degree of faith in what was, at
the time, a completely unknown project, it is quite unlikely that
FreeBSD would have gotten as far, as fast, as it has today.The first CDROM (and general net-wide) distribution was
FreeBSD 1.0, released in December of 1993. This was based on the
4.3BSD-Lite (Net/2) tape from U.C. Berkeley, with
many components also provided by 386BSD and the Free Software
Foundation. It was a fairly reasonable success for a first
offering, and we followed it with the highly successful FreeBSD
1.1 release in May of 1994.Around this time, some rather unexpected storm clouds formed
on the horizon as Novell and U.C. Berkeley settled their
long-running lawsuit over the legal status of the Berkeley Net/2
tape. A condition of that settlement was U.C. Berkeley's
concession that large parts of Net/2 were encumbered
code and the property of Novell, who had in turn acquired it from
AT&T some time previously. What Berkeley got in return was
Novell's blessing that the 4.4BSD-Lite release, when
it was finally released, would be declared unencumbered and all
existing Net/2 users would be strongly encouraged to switch. This
included FreeBSD, and the project was given until the end of July
1994 to stop shipping its own Net/2 based product. Under the
terms of that agreement, the project was allowed one last release
before the deadline, that release being FreeBSD 1.1.5.1.FreeBSD then set about the arduous task of literally
re-inventing itself from a completely new and rather incomplete
set of 4.4BSD-Lite bits. The Lite releases were
light in part because Berkeley's CSRG had removed large chunks of
code required for actually constructing a bootable running system
(due to various legal requirements) and the fact that the Intel
port of 4.4 was highly incomplete. It took the project until
November of 1994 to make this transition, at which point it
released FreeBSD 2.0 to the net and on CDROM (in late December).
Despite being still more than a little rough around the edges,
the release was a significant success and was followed by the
more robust and easier to install FreeBSD 2.0.5 release in June of
1995.We released FreeBSD 2.1.5 in August of 1996, and it appeared
to be popular enough among the ISP and commercial communities that
another release along the 2.1-STABLE branch was merited. This was
FreeBSD 2.1.7.1, released in February 1997 and capping the end of
mainstream development on 2.1-STABLE. Now in maintenance mode,
only security enhancements and other critical bug fixes will be
done on this branch (RELENG_2_1_0).FreeBSD 2.2 was branched from the development mainline
(-CURRENT) in November 1996 as the RELENG_2_2
branch, and the first full release (2.2.1) was released in April
1997. Further releases along the 2.2 branch were done in the
summer and fall of '97, the last of which (2.2.8) appeared in
November 1998. The first official 3.0 release appeared in
October 1998 and spelled the beginning of the end for the 2.2
branch.The tree branched again on Jan 20, 1999, leading to the
4.0-CURRENT and 3.X-STABLE branches. From 3.X-STABLE, 3.1 was
released on February 15, 1999, 3.2 on May 15, 1999, 3.3 on
September 16, 1999, 3.4 on December 20, 1999, and 3.5 on
June 24, 2000, which was followed a few days later by a minor
point release update to 3.5.1, to incorporate some last-minute
security fixes to Kerberos. This will be the final release in the
3.X branch.There was another branch on March 13, 2000, which saw the
emergence of the 5.0-CURRENT and 4.X-STABLE branches. The only
release from this branch so far is &rel.current;-RELEASE.Long-term development projects continue to take place in the
5.0-CURRENT branch, and SNAPshot releases of 5.0 on CDROM (and, of
course, on the net) are continually made available as work
progresses.FreeBSD Project GoalsContributed by &a.jkh;.The goals of the FreeBSD Project are to provide software that
may be used for any purpose and without strings attached. Many of
us have a significant investment in the code (and project) and
would certainly not mind a little financial compensation now and
then, but we are definitely not prepared to insist on it. We
believe that our first and foremost mission is to
provide code to any and all comers, and for whatever purpose, so
that the code gets the widest possible use and provides the widest
possible benefit. This is, I believe, one of the most fundamental
goals of Free Software and one that we enthusiastically
support.That code in our source tree which falls under the GNU General
Public License (GPL) or Library General Public License (LGPL)
comes with slightly more strings attached, though at least on the
side of enforced access rather than the usual opposite. Due to
the additional complexities that can evolve in the commercial use
of GPL software we do, however, prefer software submitted under
the more relaxed BSD copyright when it's a reasonable option to
do so.The FreeBSD Development ModelContributed by &a.asami;.The development of FreeBSD is a very open and flexible
process, FreeBSD being literally built from the contributions of
hundreds of people around the world, as can be seen from our
list of contributors. We are
constantly on the lookout for new developers and ideas, and those
interested in becoming more closely involved with the project
need simply contact us at the &a.hackers;. The &a.announce; is
also available to those wishing to make other FreeBSD users aware
of major areas of work.Useful things to know about the FreeBSD project and its
development process, whether working independently or in close
cooperation:The CVS repositoryThe central source tree for FreeBSD is maintained by
CVS
(Concurrent Version System), a freely available source code
control tool that comes bundled with FreeBSD. The primary
CVS
repository resides on a machine in Concord CA, USA
from where it is replicated to numerous mirror machines
throughout the world. The CVS tree, as well as the -CURRENT and -STABLE trees which are checked out
of it, can be easily replicated to your own machine as well.
Please refer to the Synchronizing
your source tree section for more information on
doing this.The committers listThe committers
are the people who have write access to
the CVS tree, and are thus authorized to make modifications
to the FreeBSD source (the term committer
comes from the &man.cvs.1; commit
command, which is used to bring new changes into the CVS
repository). The best way of making submissions for review
by the committers list is to use the &man.send-pr.1;
command, though if something appears to be jammed in the
system then you may also reach them by sending mail to
cvs-committers@FreeBSD.org.The FreeBSD core teamThe FreeBSD core team
would be equivalent to the board of directors if the FreeBSD
Project were a company. The primary task of the core team
is to make sure the project, as a whole, is in good shape
and is heading in the right directions. Inviting dedicated
and responsible developers to join our group of committers
is one of the functions of the core team, as is the
recruitment of new core team members as others move on. Most
current members of the core team started as committers whose
addiction to the project got the better of them.Some core team members also have specific areas of responsibility, meaning
that they are committed to ensuring that some large portion
of the system works as advertised.Most members of the core team are volunteers when it
comes to FreeBSD development and do not benefit from the
project financially, so commitment should
also not be misconstrued as meaning guaranteed
support. The board of directors
analogy above is not actually very accurate, and it may be
more suitable to say that these are the people who gave up
their lives in favor of FreeBSD against their better
judgment! ;-)Outside contributorsLast, but definitely not least, the largest group of
developers are the users themselves who provide feedback and
bug fixes to us on an almost constant basis. The primary
way of keeping in touch with FreeBSD's more non-centralized
development is to subscribe to the &a.hackers; (see mailing list info) where
such things are discussed.The list of
those who have contributed something, which made its way into
our source tree, is a long and growing one, so why not join
it by contributing something back to FreeBSD today?
:-)Providing code is not the only way of contributing to
the project; for a more complete list of things that need
doing, please refer to the how to
contribute section in this handbook.In summary, our development model is organized as a loose set
of concentric circles. The centralized model is designed for the
convenience of the users of FreeBSD, who are
thereby provided with an easy way of tracking one central code
base, not to keep potential contributors out! Our desire is to
present a stable operating system with a large set of coherent
application programs that the users
can easily install and use, and this model works very well in
accomplishing that.All we ask of those who would join us as FreeBSD developers is
some of the same dedication its current people have to its
continued success!The Current FreeBSD ReleaseFreeBSD is a freely available, full source 4.4BSD-Lite2 based
release for Intel i386, i486, Pentium, Pentium Pro, Celeron,
Pentium II, Pentium III (or compatible) and DEC Alpha based computer
systems. It is based primarily on software from U.C. Berkeley's
CSRG group, with some enhancements from NetBSD, OpenBSD, 386BSD, and
the Free Software Foundation.Since our release of FreeBSD 2.0 in late 94, the performance,
feature set, and stability of FreeBSD has improved dramatically.
The largest change is a revamped virtual memory system with a merged
VM/file buffer cache that not only increases performance, but also
reduces FreeBSD's memory footprint, making a 5MB configuration a
more acceptable minimum. Other enhancements include full NIS client
and server support, transaction TCP support, dial-on-demand PPP,
integrated DHCP support, an improved SCSI subsystem, ISDN support,
support for ATM, FDDI, Fast and Gigabit Ethernet (1000Mbit)
adapters, improved support for the latest Adaptec controllers, and
many hundreds of bug fixes.We have also taken the comments and suggestions of many of our
users to heart and have attempted to provide what we hope is a more
sane and easily understood installation process. Your feedback on
this (constantly evolving) process is especially welcome!In addition to the base distributions, FreeBSD offers a
ported software collection with thousands of commonly sought-after
programs. By mid-January 2000, there were nearly 3000 ports! The
list of ports ranges from http (WWW) servers, to games, languages,
editors, and almost everything in between. The entire ports
collection requires approximately 50MB of storage, all ports being
expressed as deltas to their original sources. This
makes it much easier for us to update ports, and greatly reduces
the disk space demands made by the older 1.0 ports collection. To
compile a port, you simply change to the directory of the program
you wish to install, type make install, and let
the system do the rest. The full original distribution for each
port you build is retrieved dynamically off the CDROM or a local FTP
site, so you need only enough disk space to build the ports you
want. Almost every port is also provided as a pre-compiled
package, which can be installed with a simple command
(pkg_add) by those who do not wish to compile their own ports from
source.A number of additional documents which you may find very helpful
in the process of installing and using FreeBSD may now also be found
in the /usr/share/doc directory on any machine
running FreeBSD 2.1 or later. You may view the locally installed
manuals with any HTML capable browser using the following
URLs:The FreeBSD Handbookfile:/usr/share/doc/handbook/index.htmlThe FreeBSD FAQfile:/usr/share/doc/faq/index.htmlYou can also view the master (and most frequently updated)
copies at http://www.FreeBSD.org/.
-
- The core of FreeBSD does not contain DES code which would
- inhibit its being exported outside the United States. There is an
- add-on package to the core distribution, for use only in the United
- States, which contains the programs that normally use DES. The
- auxiliary packages provided separately can be used by anyone. A
- freely (from outside the U.S.) exportable European distribution of
- DES for our non-U.S. users also exists and is described in the
- FreeBSD FAQ.
-
- If password security for FreeBSD is all you need, and you have
- no requirement for copying encrypted passwords from different hosts
- (Suns, DEC machines, etc) into FreeBSD password entries, then
- FreeBSD's MD5 based security may be all you require! We feel that
- our default security model is more than a match for DES, and avoids
- dealing with any messy export issues. If you are outside (or even
- inside) the U.S., give it a try!
diff --git a/en_US.ISO_8859-1/books/handbook/security/chapter.sgml b/en_US.ISO_8859-1/books/handbook/security/chapter.sgml
index b9f1c86c3e..807870b165 100644
--- a/en_US.ISO_8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO_8859-1/books/handbook/security/chapter.sgml
@@ -1,2762 +1,2683 @@
SecurityMuch of this chapter has been taken from the
&man.security.7; man page, originally written by
&a.dillon;.SynopsisThe following chapter will provide a basic introduction to
system security concepts, some general good rules of thumb, and some
advanced topics such as S/Key, OpenSSL, Kerberos, and others.IntroductionSecurity is a function that begins and ends with the system
administrator. While all BSD UNIX multi-user systems have some
inherent security, the job of building and maintaining additional
security mechanisms to keep those users honest is
probably one of the single largest undertakings of the sysadmin.
Machines are only as secure as you make them, and security concerns
are ever competing with the human necessity for convenience. UNIX
systems, in general, are capable of running a huge number of
simultaneous processes and many of these processes operate as
servers – meaning that external entities can connect and talk
to them. As yesterday's mini-computers and mainframes become
today's desktops, and as computers become networked and
internetworked, security becomes an ever bigger issue.Security is best implemented through a layered
onion approach. In a nutshell, what you want to do is
to create as many layers of security as are convenient and then
carefully monitor the system for intrusions. You do not want to
overbuild your security or you will interfere with the detection
side, and detection is one of the single most important aspects of
any security mechanism. For example, it makes little sense to set
the schg flags (see &man.chflags.1;) on every system binary because
while this may temporarily protect the binaries, it prevents an
attacker who has broken in from making an easily detectable change
that may result in your security mechanisms not detecting the attacker
at all.System security also pertains to dealing with various forms of
attack, including attacks that attempt to crash or otherwise make a
system unusable but do not attempt to break root. Security concerns
can be split up into several categories:Denial of service attacks.User account compromises.Root compromise through accessible servers.Root compromise via user accounts.Backdoor creation.A denial of service attack is an action that deprives the
machine of needed resources. Typically, D.O.S. attacks are
brute-force mechanisms that attempt to crash or otherwise make a
machine unusable by overwhelming its servers or network stack. Some
D.O.S. attacks try to take advantages of bugs in the networking
stack to crash a machine with a single packet. The latter can only
be fixed by applying a bug fix to the kernel. Attacks on servers
can often be fixed by properly specifying options to limit the load
the servers incur on the system under adverse conditions.
Brute-force network attacks are harder to deal with. A
spoofed-packet attack, for example, is nearly impossible to stop
short of cutting your system off from the internet. It may not be
able to take your machine down, but it can fill up internet
pipe.A user account compromise is even more common then a D.O.S.
attack. Many sysadmins still run standard telnetd, rlogind, rshd,
and ftpd servers on their machines. These servers, by default, do
not operate over encrypted connections. The result is that if you
have any moderate-sized user base, one or more of your users logging
into your system from a remote location (which is the most common
and convenient way to login to a system) will have his or her
password sniffed. The attentive system admin will analyze his
remote access logs looking for suspicious source addresses even for
successful logins.One must always assume that once an attacker has access to a
user account, the attacker can break root. However, the reality is
that in a well secured and maintained system, access to a user
account does not necessarily give the attacker access to root. The
distinction is important because without access to root the attacker
cannot generally hide his tracks and may, at best, be able to do
nothing more then mess with the user's files or crash the machine.
User account compromises are very common because users tend not to
take the precautions that sysadmins take.System administrators must keep in mind that there are
potentially many ways to break root on a machine. The attacker
may know the root password, the attacker may find a bug in a
root-run server and be able to break root over a network
connection to that server, or the attacker may know of a bug in
an suid-root program that allows the attacker to break root once
he has broken into a user's account. If an attacker has found a
a way to break root on a machine, the attacker may not have a need
to install a backdoor. Many of the root holes
found and closed to date involve a considerable amount of work
by the attacker to cleanup after himself, so most attackers install
backdoors. Backdoors provide the attacker with a way to easily
regain root access to the system, but it also gives the smart
system administrator a convenient way to detect the intrusion.
Making it impossible for an attacker to install a backdoor may
actually be detrimental to your security because it will not
close off the hole the attacker found to break in the first
place.Security remedies should always be implemented with a
multi-layered onion peel approach and can be
categorized as follows:Securing root and staff accounts.Securing root – root-run servers and suid/sgid
binaries.Securing user accounts.Securing the password file.Securing the kernel core, raw devices, and
filesystems.Quick detection of inappropriate changes made to the
system.Paranoia.The next section of this chapter will cover the above bullet
items in greater depth.Securing FreeBSDThe sections that follow will cover the methods of securing your
FreeBSD system that were mentioned in the last section of this chapter.Securing the root account and staff accountsFirst off, do not bother securing staff accounts if you have
not secured the root account. Most systems have a password
assigned to the root account. The first thing you do is assume
that the password is always compromised.
This does not mean that you should remove the password. The
password is almost always necessary for console access to the
machine. What it does mean is that you should not make it
possible to use the password outside of the console or possibly
even with the &man.su.1; command. For example, make sure that
your pty's are specified as being unsecure in the
/etc/ttys file so that direct root logins
via telnet or rlogin are
disallowed. If using other login services such as
sshd, make sure that direct root logins
are disabled there as well. Consider every access method –
services such as FTP often fall through the cracks. Direct root
logins should only be allowed via the system console.Of course, as a sysadmin you have to be able to get to root,
so we open up a few holes. But we make sure these holes require
additional password verification to operate. One way to make root
accessible is to add appropriate staff accounts to the
wheel group (in
/etc/group). The staff members placed in the
wheel group are allowed to
su to root. You should never give staff
members native wheel access by putting them in the
wheel group in their password entry. Staff
accounts should be placed in a staff group, and
then added to the wheel group via the
/etc/group file. Only those staff members
who actually need to have root access should be placed in the
wheel group. It is also possible, when using
an authentication method such as kerberos, to use kerberos'
.k5login file in the root account to allow a
&man.ksu.1; to root without having to place anyone at all in the
wheel group. This may be the better solution
since the wheel mechanism still allows an
intruder to break root if the intruder has gotten hold of your
password file and can break into a staff account. While having
the wheel mechanism is better then having
nothing at all, it is not necessarily the safest option.An indirect way to secure the root account is to secure your
staff accounts by using an alternative login access method and
*'ing out the crypted password for the staff
accounts. This way an intruder may be able to steal the password
file but will not be able to break into any staff accounts (or,
indirectly, root, even if root has a crypted password associated
with it). Staff members get into their staff accounts through a
secure login mechanism such as &man.kerberos.1; or &man.ssh.1;
using a private/public key pair. When you use something like
kerberos, you generally must secure the machines which run the
kerberos servers and your desktop workstation. When you use a
public/private key pair with ssh, you
must generally secure the machine you are logging in
from (typically your workstation), but you
can also add an additional layer of protection to the key pair by
password protecting the keypair when you create it with
&man.ssh-keygen.1;. Being able to * out the
passwords for staff accounts also guarantees that staff members can
only login through secure access methods that you have setup. You
can thus force all staff members to use secure, encrypted
connections for all of their sessions which closes an important
hole used by many intruders: That of sniffing the network from an
unrelated, less secure machine.The more indirect security mechanisms also assume that you are
logging in from a more restrictive server to a less restrictive
server. For example, if your main box is running all sorts of
servers, your workstation should not be running any. In order for
your workstation to be reasonably secure you should run as few
servers as possible, up to and including no servers at all, and
you should run a password-protected screen blanker. Of course,
given physical access to a workstation an attacker can break any
sort of security you put on it. This is definitely a problem that
you should consider but you should also consider the fact that the
vast majority of break-ins occur remotely, over a network, from
people who do not have physical access to your workstation or
servers.Using something like kerberos also gives you the ability to
disable or change the password for a staff account in one place
and have it immediately effect all the machine the staff member
may have an account on. If a staff member's account gets
compromised, the ability to instantly change his password on all
machines should not be underrated. With discrete passwords,
changing a password on N machines can be a mess. You can also
impose re-passwording restrictions with kerberos: not only can a
kerberos ticket be made to timeout after a while, but the kerberos
system can require that the user choose a new password after a
certain period of time (say, once a month).Securing Root-run Servers and SUID/SGID BinariesThe prudent sysadmin only runs the servers he needs to, no
more, no less. Be aware that third party servers are often the
most bug-prone. For example, running an old version of imapd or
popper is like giving a universal root ticket out to the entire
world. Never run a server that you have not checked out
carefully. Many servers do not need to be run as root. For
example, the ntalk,
comsat, and
finger daemons can be run in special
user sandboxes. A sandbox isn't perfect unless
you go to a large amount of trouble, but the onion approach to
security still stands: If someone is able to break in through
a server running in a sandbox, they still have to break out of the
sandbox. The more layers the attacker must break through, the
lower the likelihood of his success. Root holes have historically
been found in virtually every server ever run as root, including
basic system servers. If you are running a machine through which
people only login via sshd and never
login via telnetd or
rshd or
rlogind, then turn off those
services!FreeBSD now defaults to running
ntalkd,
comsat, and
finger in a sandbox. Another program
which may be a candidate for running in a sandbox is &man.named.8;.
The default rc.conf includes the arguments
necessary to run named in a sandbox in a
commented-out form. Depending on whether you are installing a new
system or upgrading an existing system, the special user accounts
used by these sandboxes may not be installed. The prudent
sysadmin would research and implement sandboxes for servers
whenever possible.There are a number of other servers that typically do not run
in sandboxes: sendmail,
popper,
imapd, ftpd,
and others. There are alternatives to some of these, but
installing them may require more work then you are willing to
perform (the convenience factor strikes again). You may have to
run these servers as root and rely on other mechanisms to detect
break-ins that might occur through them.The other big potential root hole in a system are the
suid-root and sgid binaries installed on the system. Most of
these binaries, such as rlogin, reside
in /bin, /sbin,
/usr/bin, or /usr/sbin.
While nothing is 100% safe, the system-default suid and sgid
binaries can be considered reasonably safe. Still, root holes are
occasionally found in these binaries. A root hole was found in
Xlib in 1998 that made
xterm (which is typically suid)
vulnerable. It is better to be safe then sorry and the prudent
sysadmin will restrict suid binaries that only staff should run to
a special group that only staff can access, and get rid of
(chmod 000) any suid binaries that nobody uses.
A server with no display generally does not need an
xterm binary. Sgid binaries can be
almost as dangerous. If an intruder can break an sgid-kmem binary
the intruder might be able to read /dev/kmem
and thus read the crypted password file, potentially compromising
any passworded account. Alternatively an intruder who breaks
group kmem can monitor keystrokes sent through
pty's, including pty's used by users who login through secure
methods. An intruder that breaks the tty group can write to
almost any user's tty. If a user is running a terminal program or
emulator with a keyboard-simulation feature, the intruder can
potentially generate a data stream that causes the user's terminal
to echo a command, which is then run as that user.Securing User AccountsUser accounts are usually the most difficult to secure. While
you can impose Draconian access restrictions on your staff and
* out their passwords, you may not be able to
do so with any general user accounts you might have. If you do
have sufficient control then you may win out and be able to secure
the user accounts properly. If not, you simply have to be more
vigilant in your monitoring of those accounts. Use of
ssh and kerberos for user accounts is
more problematic due to the extra administration and technical
support required, but still a very good solution compared to a
crypted password file.Securing the Password FileThe only sure fire way is to * out as many
passwords as you can and use ssh or
kerberos for access to those accounts. Even though the crypted
password file (/etc/spwd.db) can only be read
by root, it may be possible for an intruder to obtain read access
to that file even if the attacker cannot obtain root-write
access.Your security scripts should always check for and report
changes to the password file (see Checking file integrity
below).Securing the Kernel Core, Raw Devices, and
FilesystemsIf an attacker breaks root he can do just about anything, but
there are certain conveniences. For example, most modern kernels
have a packet sniffing device driver built in. Under FreeBSD it
is called the bpf device. An intruder
will commonly attempt to run a packet sniffer on a compromised
machine. You do not need to give the intruder the capability and
most systems should not have the bpf device compiled in.But even if you turn off the bpf device, you still have
/dev/mem and /dev/kmem
to worry about. For that matter, the intruder can still write to
raw disk devices. Also, there is another kernel feature called
the module loader, &man.kldload.8;. An enterprising intruder can
use a KLD module to install his own bpf device or other sniffing
device on a running kernel. To avoid these problems you have to
run the kernel at a higher secure level, at least securelevel 1.
The securelevel can be set with a sysctl on
the kern.securelevel variable. Once you have
set the securelevel to 1, write access to raw devices will be
denied and special chflags flags, such as schg,
will be enforced. You must also ensure that the
schg flag is set on critical startup binaries,
directories, and script files – everything that gets run up
to the point where the securelevel is set. This might be overdoing
it, and upgrading the system is much more difficult when you
operate at a higher secure level. You may compromise and run the
system at a higher secure level but not set the
schg flag for every system file and directory
under the sun. Another possibility is to simply mount
/ and /usr read-only.
It should be noted that being too draconian in what you attempt to
protect may prevent the all-important detection of an
intrusion.Checking File Integrity: Binaries, Configuration Files,
Etc.When it comes right down to it, you can only protect your core
system configuration and control files so much before the
convenience factor rears its ugly head. For example, using
chflags to set the schg bit
on most of the files in / and
/usr is probably counterproductive because
while it may protect the files, it also closes a detection window.
The last layer of your security onion is perhaps the most
important – detection. The rest of your security is pretty
much useless (or, worse, presents you with a false sense of
safety) if you cannot detect potential incursions. Half the job
of the onion is to slow down the attacker rather then stop him in
order to give the detection side of the equation a chance to catch
him in the act.The best way to detect an incursion is to look for modified,
missing, or unexpected files. The best way to look for modified
files is from another (often centralized) limited-access system.
Writing your security scripts on the extra-secure limited-access
system makes them mostly invisible to potential attackers, and this
is important. In order to take maximum advantage you generally
have to give the limited-access box significant access to the
other machines in the business, usually either by doing a
read-only NFS export of the other machines to the limited-access
box, or by setting up ssh keypairs to
allow the limit-access box to ssh to
the other machines. Except for its network traffic, NFS is the
least visible method – allowing you to monitor the
filesystems on each client box virtually undetected. If your
limited-access server is connected to the client boxes through a
switch, the NFS method is often the better choice. If your
limited-access server is connected to the client boxes through a
hub or through several layers of routing, the NFS method may be
too insecure (network-wise) and using
ssh may be the better choice even with
the audit-trail tracks that ssh
lays.Once you give a limit-access box at least read access to the
client systems it is supposed to monitor, you must write scripts
to do the actual monitoring. Given an NFS mount, you can write
scripts out of simple system utilities such as &man.find.1; and
&man.md5.1;. It is best to physically md5 the client-box files
boxes at least once a day, and to test control files such as those
found in /etc and
/usr/local/etc even more often. When
mismatches are found relative to the base md5 information the
limited-access machine knows is valid, it should scream at a
sysadmin to go check it out. A good security script will also
check for inappropriate suid binaries and for new or deleted files
on system partitions such as / and
/usr.When using ssh rather then NFS,
writing the security script is much more difficult. You
essentially have to scp the scripts to the client box in order to
run them, making them visible, and for safety you also need to
scp the binaries (such as find) that those
scripts use. The ssh daemon on the
client box may already be compromised. All in all, using
ssh may be necessary when running over
unsecure links, but it's also a lot harder to deal with.A good security script will also check for changes to user and
staff members access configuration files:
.rhosts, .shosts,
.ssh/authorized_keys and so forth…
files that might fall outside the purview of the
MD5 check.If you have a huge amount of user disk space it may take too
long to run through every file on those partitions. In this case,
setting mount flags to disallow suid binaries and devices on those
partitions is a good idea. The nodev and
nosuid options (see &man.mount.8;) are what you
want to look into. I would scan them anyway at least once a week,
since the object of this layer is to detect a break-in whether or
not the break-in is effective.Process accounting (see &man.accton.8;) is a relatively
low-overhead feature of the operating system which I recommend
using as a post-break-in evaluation mechanism. It is especially
useful in tracking down how an intruder has actually broken into
a system, assuming the file is still intact after the break-in
occurs.Finally, security scripts should process the log files and the
logs themselves should be generated in as secure a manner as
possible – remote syslog can be very useful. An intruder
tries to cover his tracks, and log files are critical to the
sysadmin trying to track down the time and method of the initial
break-in. One way to keep a permanent record of the log files is
to run the system console to a serial port and collect the
information on a continuing basis through a secure machine
monitoring the consoles.ParanoiaA little paranoia never hurts. As a rule, a sysadmin can add
any number of security features as long as they do not effect
convenience, and can add security features that do effect
convenience with some added thought. Even more importantly, a
security administrator should mix it up a bit – if you use
recommendations such as those given by this document verbatim, you
give away your methodologies to the prospective attacker who also
has access to this document.Denial of Service AttacksThis section covers Denial of Service attacks. A DOS attack
is typically a packet attack. While there is not much you can do
about modern spoofed packet attacks that saturate your network,
you can generally limit the damage by ensuring that the attacks
cannot take down your servers.Limiting server forks.Limiting springboard attacks (ICMP response attacks, ping
broadcast, etc.).Kernel Route Cache.A common DOS attack is against a forking server that attempts
to cause the server to eat processes, file descriptors, and memory
until the machine dies. Inetd (see &man.inetd.8;) has several
options to limit this sort of attack. It should be noted that
while it is possible to prevent a machine from going down it is
not generally possible to prevent a service from being disrupted
by the attack. Read the inetd manual page carefully and pay
specific attention to the , ,
and options. Note that spoofed-IP attacks
will circumvent the option to inetd, so
typically a combination of options must be used. Some standalone
servers have self-fork-limitation parameters.Sendmail has its
option which tends to work
much better than trying to use sendmail's load limiting options
due to the load lag. You should specify a
MaxDaemonChildren parameter when you start
sendmail high enough to handle your
expected load but no so high that the computer cannot handle that
number of sendmails without falling on
its face. It is also prudent to run sendmail in queued mode
() and to run the daemon
(sendmail -bd) separate from the queue-runs
(sendmail -q15m). If you still want real-time
delivery you can run the queue at a much lower interval, such as
, but be sure to specify a reasonable
MaxDaemonChildren option for that sendmail to
prevent cascade failures.Syslogd can be attacked directly
and it is strongly recommended that you use the
option whenever possible, and the option
otherwise.You should also be fairly careful with connect-back services
such as tcpwrapper's reverse-identd,
which can be attacked directly. You generally do not want to use
the reverse-ident feature of
tcpwrappers for this reason.It is a very good idea to protect internal services from
external access by firewalling them off at your border routers.
The idea here is to prevent saturation attacks from outside your
LAN, not so much to protect internal services from network-based
root compromise. Always configure an exclusive firewall, i.e.,
firewall everything except ports A, B,
C, D, and M-Z. This way you can firewall off all of your
low ports except for certain specific services such as
named (if you are primary for a zone),
ntalkd,
sendmail, and other internet-accessible
services. If you try to configure the firewall the other way
– as an inclusive or permissive firewall, there is a good
chance that you will forget to close a couple of
services or that you will add a new internal service and forget
to update the firewall. You can still open up the high-numbered
port range on the firewall to allow permissive-like operation
without compromising your low ports. Also take note that FreeBSD
allows you to control the range of port numbers used for dynamic
binding via the various net.inet.ip.portrangesysctl's (sysctl -a | fgrep
portrange), which can also ease the complexity of your
firewall's configuration. I usually use a normal first/last range
of 4000 to 5000, and a hiport range of 49152 to 65535, then block
everything under 4000 off in my firewall (except for certain
specific internet-accessible ports, of course).Another common DOS attack is called a springboard attack
– to attack a server in a manner that causes the server to
generate responses which then overload the server, the local
network, or some other machine. The most common attack of this
nature is the ICMP ping broadcast attack.
The attacker spoofs ping packets sent to your LAN's broadcast
address with the source IP address set to the actual machine they
wish to attack. If your border routers are not configured to
stomp on ping's to broadcast addresses, your LAN winds up
generating sufficient responses to the spoofed source address to
saturate the victim, especially when the attacker uses the same
trick on several dozen broadcast addresses over several dozen
different networks at once. Broadcast attacks of over a hundred
and twenty megabits have been measured. A second common
springboard attack is against the ICMP error reporting system.
By constructing packets that generate ICMP error responses, an
attacker can saturate a server's incoming network and cause the
server to saturate its outgoing network with ICMP responses. This
type of attack can also crash the server by running it out of
mbuf's, especially if the server cannot drain the ICMP responses
it generates fast enough. The FreeBSD kernel has a new kernel
compile option called ICMP_BANDLIM which limits the effectiveness
of these sorts of attacks. The last major class of springboard
attacks is related to certain internal inetd services such as the
udp echo service. An attacker simply spoofs a UDP packet with the
source address being server A's echo port, and the destination
address being server B's echo port, where server A and B are both
on your LAN. The two servers then bounce this one packet back and
forth between each other. The attacker can overload both servers
and their LANs simply by injecting a few packets in this manner.
Similar problems exist with the internal chargen port. A
competent sysadmin will turn off all of these inetd-internal test
services.Spoofed packet attacks may also be used to overload the kernel
route cache. Refer to the net.inet.ip.rtexpire,
rtminexpire, and rtmaxcachesysctl parameters. A spoofed packet attack
that uses a random source IP will cause the kernel to generate a
temporary cached route in the route table, viewable with
netstat -rna | fgrep W3. These routes
typically timeout in 1600 seconds or so. If the kernel detects
that the cached route table has gotten too big it will dynamically
reduce the rtexpire but will never decrease it to less then
rtminexpire. There are two problems:The kernel does not react quickly enough when a lightly
loaded server is suddenly attacked.The rtminexpire is not low enough for
the kernel to survive a sustained attack.If your servers are connected to the internet via a T3 or
better it may be prudent to manually override both
rtexpire and rtminexpire
via &man.sysctl.8;. Never set either parameter to zero (unless
you want to crash the machine :-). Setting both
parameters to 2 seconds should be sufficient to protect the route
table from attack.Access Issues with Kerberos and SSHThere are a few issues with both kerberos and
ssh that need to be addressed if
you intend to use them. Kerberos V is an excellent
authentication protocol but there are bugs in the kerberized
telnet and
rlogin applications that make them
unsuitable for dealing with binary streams. Also, by default
kerberos does not encrypt a session unless you use the
option. ssh
encrypts everything by default.ssh works quite well in every
respect except that it forwards encryption keys by default. What
this means is that if you have a secure workstation holding keys
that give you access to the rest of the system, and you
ssh to an unsecure machine, your keys
becomes exposed. The actual keys themselves are not exposed, but
ssh installs a forwarding port for the
duration of your login and if a attacker has broken root on the
unsecure machine he can utilize that port to use your keys to gain
access to any other machine that your keys unlock.We recommend that you use ssh in
combination with kerberos whenever possible for staff logins.
ssh can be compiled with kerberos
support. This reduces your reliance on potentially exposable
ssh keys while at the same time
protecting passwords via kerberos. ssh
keys should only be used for automated tasks from secure machines
(something that kerberos is unsuited to). We also recommend that
you either turn off key-forwarding in the
ssh configuration, or that you make use
of the from=IP/DOMAIN option that
ssh allows in its
authorized_keys file to make the key only
usable to entities logging in from specific machines.DES, MD5, and CryptParts rewritten and updated by &a.unfurl;, 21 March
2000.Every user on a UNIX system has a password associated with
their account. It seems obvious that these passwords need to be
known only to the user and the actual operating system. In
order to keep these passwords secret, they are encrypted with
what is known as a one-way hash, that is, they can
only be easily encrypted but not decrypted. In other words, what
we told you a moment ago was obvious is not even true: the
operating system itself does not really know
the password. It only knows the encrypted
form of the password. The only way to get the
plain-text password is by a brute force search of the
space of possible passwords.Unfortunately the only secure way to encrypt passwords when
UNIX came into being was based on DES, the Data Encryption
Standard. This is not such a problem for users that live in
- the US, but since the source code for DES cannot be exported
+ the US, but since the source code for DES could not be exported
outside the US, FreeBSD had to find a way to both comply with
US law and retain compatibility with all the other UNIX
variants that still use DES.The solution was to divide up the encryption libraries
so that US users could install the DES libraries and use
DES but international users still had an encryption method
that could be exported abroad. This is how FreeBSD came to
use MD5 as its default encryption method. MD5 is believed to
be more secure than DES, so installing DES is offered primarily
for compatibility reasons.Recognizing your crypt mechanismIt is pretty easy to identify which encryption method
FreeBSD is set up to use. Examining the encrypted passwords in
the /etc/master.passwd file is one way.
Passwords encrypted with the MD5 hash are longer than those with
encrypted with the DES hash and also begin with the characters
$1$. DES password strings do not
have any particular identifying characteristics, but they are
shorter than MD5 passwords, and are coded in a 64-character
alphabet which does not include the $
character, so a relatively short string which does not begin with
a dollar sign is very likely a DES password.The libraries can identify the passwords this way as well.
As a result, the DES libraries are able to identify MD5
passwords, and use MD5 to check passwords that were encrypted
that way, and DES for the rest. They are able to do this
because the DES libraries also contain MD5. Unfortunately, the
reverse is not true, so the MD5 libraries cannot authenticate
passwords that were encrypted with DES.Identifying which library is being used by the programs on
your system is easy as well. Any program that uses crypt is linked
against libcrypt which for each type of library is a symbolic link
to the appropriate implementation. For example, on a system using
the DES versions:&prompt.user; ls -l /usr/lib/libcrypt*
lrwxr-xr-x 1 root wheel 13 Mar 19 06:56 libcrypt.a -> libdescrypt.a
lrwxr-xr-x 1 root wheel 18 Mar 19 06:56 libcrypt.so.2.0 -> libdescrypt.so.2.0
lrwxr-xr-x 1 root wheel 15 Mar 19 06:56 libcrypt_p.a -> libdescrypt_p.aOn a system using the MD5-based libraries, the same links will
be present, but the target will be libscrypt
rather than libdescrypt.
+
+ If you have installed the DES-capable crypt library
+ libdescrypt (e.g. by installing the
+ "crypto" distribution), then which password format will be used
+ for new passwords is controlled by the
+ passwd_format login capability in
+ /etc/login.conf, which takes values of
+ either des or md5. See the
+ login.conf(5) manpage for more information about login
+ capabilities.S/KeyS/Key is a one-time password scheme based on a one-way hash
function. FreeBSD uses the MD4 hash for compatibility but other
systems have used MD5 and DES-MAC. S/Key has been part of the
FreeBSD base system since version 1.1.5 and is also used on a
growing number of other operating systems. S/Key is a registered
trademark of Bell Communications Research, Inc.There are three different sorts of passwords which we will talk
about in the discussion below. The first is your usual UNIX-style or
Kerberos password; we will call this a UNIX password.
The second sort is the one-time password which is generated by the
S/Key key program and accepted by the
keyinit program and the login prompt; we will
call this a one-time password. The final sort of
password is the secret password which you give to the
key program (and sometimes the
keyinit program) which it uses to generate
one-time passwords; we will call it a secret password
or just unqualified password.The secret password does not have anything to do with your UNIX
password; they can be the same but this is not recommended. S/Key
secret passwords are not limited to 8 characters like UNIX passwords,
they can be as long as you like. Passwords of six or seven word
long phrases are fairly common. For the most part, the S/Key system
operates completely independently of the UNIX password
system.Besides the password, there are two other pieces of data that
are important to S/Key. One is what is known as the
seed or key and consists of two letters
and five digits. The other is what is called the iteration
count and is a number between 1 and 100. S/Key creates the
one-time password by concatenating the seed and the secret password,
then applying the MD4 hash as many times as specified by the
iteration count and turning the result into six short English words.
These six English words are your one-time password. The
login and su programs keep
track of the last one-time password used, and the user is
authenticated if the hash of the user-provided password is equal to
the previous password. Because a one-way hash is used it is
impossible to generate future one-time passwords if a successfully
used password is captured; the iteration count is decremented after
each successful login to keep the user and the login program in
sync. When the iteration count gets down to 1 S/Key must be
reinitialized.There are four programs involved in the S/Key system which we
will discuss below. The key program accepts an
iteration count, a seed, and a secret password, and generates a
one-time password. The keyinit program is used
to initialized S/Key, and to change passwords, iteration counts, or
seeds; it takes either a secret password, or an iteration count,
seed, and one-time password. The keyinfo program
examines the /etc/skeykeys file and prints out
the invoking user's current iteration count and seed. Finally, the
login and su programs contain
the necessary logic to accept S/Key one-time passwords for
authentication. The login program is also
capable of disallowing the use of UNIX passwords on connections
coming from specified addresses.There are four different sorts of operations we will cover. The
first is using the keyinit program over a secure
connection to set up S/Key for the first time, or to change your
password or seed. The second operation is using the
keyinit program over an insecure connection, in
conjunction with the key program over a secure
connection, to do the same. The third is using the
key program to log in over an insecure
connection. The fourth is using the key program
to generate a number of keys which can be written down or printed
out to carry with you when going to some location without secure
connections to anywhere.Secure connection initializationTo initialize S/Key for the first time, change your password,
or change your seed while logged in over a secure connection
(e.g., on the console of a machine or via ssh), use the
keyinit command without any parameters while
logged in as yourself:&prompt.user; keyinit
Adding unfurl:
Reminder - Only use this method if you are directly connected.
If you are using telnet or rlogin exit with no password and use keyinit -s.
Enter secret password:
Again secret password:
ID unfurl s/key is 99 to17757
DEFY CLUB PRO NASH LACE SOFTAt the Enter secret password: prompt you
should enter a password or phrase. Remember, this is not the
password that you will use to login with, this is used to generate
your one-time login keys. The ID line gives the
parameters of your particular S/Key instance; your login name, the
iteration count, and seed. When logging in with S/Key, the system
will remember these parameters and present them back to you so you
do not have to remember them. The last line gives the particular
one-time password which corresponds to those parameters and your
secret password; if you were to re-login immediately, this
one-time password is the one you would use.Insecure connection initializationTo initialize S/Key or change your secret password over an
insecure connection, you will need to already have a secure
connection to some place where you can run the
key program; this might be in the form of a
desk accessory on a Macintosh, or a shell prompt on a machine you
trust. You will also need to make up an iteration count (100 is
probably a good value), and you may make up your own seed or use a
randomly-generated one. Over on the insecure connection (to the
machine you are initializing), use the keyinit
-s command:&prompt.user; keyinit -s
Updating unfurl:
Old key: to17758
Reminder you need the 6 English words from the key command.
Enter sequence count from 1 to 9999: 100
Enter new key [default to17759]:
s/key 100 to 17759
s/key access password:To accept the default seed (which the
keyinit program confusingly calls a
key), press return. Then before entering an
access password, move over to your secure connection or S/Key desk
accessory, and give it the same parameters:&prompt.user; key 100 to17759
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <secret password>
CURE MIKE BANE HIM RACY GORENow switch back over to the insecure connection, and copy the
one-time password generated by key over to the
keyinit program:s/key access password:CURE MIKE BANE HIM RACY GORE
ID unfurl s/key is 100 to17759
CURE MIKE BANE HIM RACY GOREThe rest of the description from the previous section applies
here as well.Generating a single one-time passwordOnce you've initialized S/Key, when you login you will be
presented with a prompt like this:&prompt.user; telnet example.com
Trying 10.0.0.1...
Connected to example.com
Escape character is '^]'.
FreeBSD/i386 (example.com) (ttypa)
login: <username>
s/key 97 fw13894
Password: As a side note, the S/Key prompt has a useful feature
(not shown here): if you press return at the password prompt, the
login program will turn echo on, so you can see what you are
typing. This can be extremely useful if you are attempting to
type in an S/Key by hand, such as from a printout. Also, if this
machine were configured to disallow UNIX passwords over a
connection from my machine, the prompt would have also included
the annotation (s/key required), indicating
that only S/Key one-time passwords will be accepted.At this point you need to generate your one-time password to
answer this login prompt. This must be done on a trusted system
that you can run the key command on. (There
are versions of the key program from DOS,
Windows and MacOS as well.) The key program
needs both the iteration count and the seed as command line
options. You can cut-and-paste these right from the login prompt
on the machine that you are logging in to.On the trusted system:&prompt.user; key 97 fw13894
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
WELD LIP ACTS ENDS ME HAAGNow that you have your one-time password you can continue
logging in:login: <username>
s/key 97 fw13894
Password: <return to enable echo>
s/key 97 fw13894
Password [echo on]: WELD LIP ACTS ENDS ME HAAG
Last login: Tue Mar 21 11:56:41 from 10.0.0.2 ... This is the easiest mechanism if you have
a trusted machine. There is a Java S/Key key
applet, The Java OTP
Calculator, that you can download and run locally on any
Java supporting browser.Generating multiple one-time passwordsSometimes you have have to go places where you do not have
access to a trusted machine or secure connection. In this case,
it is possible to use the key command to
generate a number of one-time passwords before hand to be printed
out and taken with you. For example:&prompt.user; key -n 5 30 zz99999
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <secret password>
26: SODA RUDE LEA LIND BUDD SILT
27: JILT SPY DUTY GLOW COWL ROT
28: THEM OW COLA RUNT BONG SCOT
29: COT MASH BARR BRIM NAN FLAG
30: CAN KNEE CAST NAME FOLK BILKThe requests five keys in sequence, the
specifies what the last iteration number
should be. Note that these are printed out in
reverse order of eventual use. If you are
really paranoid, you might want to write the results down by hand;
otherwise you can cut-and-paste into lpr. Note
that each line shows both the iteration count and the one-time
password; you may still find it handy to scratch off passwords as
you use them.Restricting use of UNIX passwordsRestrictions can be placed on the use of UNIX passwords based
on the host name, user name, terminal port, or IP address of a
login session. These restrictions can be found in the
configuration file /etc/skey.access. The
&man.skey.access.5; manual page has more info on the complete
format of the file and also details some security cautions to be
aware of before depending on this file for security.If there is no /etc/skey.access file
(this is the FreeBSD default), then all users will be allowed to
use UNIX passwords. If the file exists, however, then all users
will be required to use S/Key unless explicitly permitted to do
otherwise by configuration statements in the
skey.access file. In all cases, UNIX
passwords are permitted on the console.Here is a sample configuration file which illustrates the
three most common sorts of configuration statements:
permit internet 192.168.0.0 255.255.0.0
permit user fnord
permit port ttyd0The first line (permit internet) allows
users whose IP source address (which is vulnerable to spoofing)
matches the specified value and mask, to use UNIX passwords. This
should not be considered a security mechanism, but rather, a means
to remind authorized users that they are using an insecure network
and need to use S/Key for authentication.The second line (permit user) allows the
specified username, in this case fnord, to use
UNIX passwords at any time. Generally speaking, this should only
be used for people who are either unable to use the
key program, like those with dumb terminals, or
those who are uneducable.The third line (permit port) allows all
users logging in on the specified terminal line to use UNIX
passwords; this would be used for dial-ups.KerberosContributed by &a.markm; (based on contribution by
&a.md;).Kerberos is a network add-on system/protocol that allows users to
authenticate themselves through the services of a secure server.
Services such as remote login, remote copy, secure inter-system file
copying and other high-risk tasks are made considerably safer and more
controllable.The following instructions can be used as a guide on how to set up
Kerberos as distributed for FreeBSD. However, you should refer to the
relevant manual pages for a complete description.In FreeBSD, the Kerberos is not that from the original 4.4BSD-Lite,
distribution, but eBones, which had been previously ported to FreeBSD
- 1.1.5.1, and was sourced from outside the USA/Canada, and is thus
- available to system owners outside those countries.
-
- For those needing to get a legal foreign distribution of this
- software, please do not get it from a USA or Canada
- site. You will get that site in big trouble! A
- legal copy of this is available from ftp.internat.FreeBSD.org, which is in South
- Africa and an official FreeBSD mirror site.
+ 1.1.5.1, and was sourced from outside the USA/Canada, and was thus
+ available to system owners outside those countries during the era
+ of restrictive export controls on cryptographic code from the USA.
Creating the initial databaseThis is done on the Kerberos server only. First make sure that
you do not have any old Kerberos databases around. You should change
to the directory /etc/kerberosIV and check that
only the following files are present:&prompt.root; cd /etc/kerberosIV
&prompt.root; ls
README krb.conf krb.realmsIf any additional files (such as principal.*
or master_key) exist, then use the
kdb_destroy command to destroy the old Kerberos
database, of if Kerberos is not running, simply delete the extra
files.You should now edit the krb.conf and
krb.realms files to define your Kerberos realm.
In this case the realm will be GRONDAR.ZA and the
server is grunt.grondar.za. We edit or create
the krb.conf file:&prompt.root; cat krb.conf
GRONDAR.ZA
GRONDAR.ZA grunt.grondar.za admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.govIn this case, the other realms do not need to be there. They are
here as an example of how a machine may be made aware of multiple
realms. You may wish to not include them for simplicity.The first line names the realm in which this system works. The
other lines contain realm/host entries. The first item on a line is a
realm, and the second is a host in that realm that is acting as a
key distribution center. The words admin
server following a hosts name means that host also
provides an administrative database server. For further explanation
of these terms, please consult the Kerberos man pages.Now we have to add grunt.grondar.za
to the GRONDAR.ZA realm and also add an entry to
put all hosts in the .grondar.za
domain in the GRONDAR.ZA realm. The
krb.realms file would be updated as
follows:&prompt.root; cat krb.realms
grunt.grondar.za GRONDAR.ZA
.grondar.za GRONDAR.ZA
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDUAgain, the other realms do not need to be there. They are here as
an example of how a machine may be made aware of multiple realms. You
may wish to remove them to simplify things.The first line puts the specific system into
the named realm. The rest of the lines show how to default systems of
a particular subdomain to a named realm.Now we are ready to create the database. This only needs to run
on the Kerberos server (or Key Distribution Center). Issue the
kdb_init command to do this:&prompt.root; kdb_initRealm name [default ATHENA.MIT.EDU ]:GRONDAR.ZA
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos master key:Now we have to save the key so that servers on the local machine
can pick it up. Use the kstash command to do
this.&prompt.root; kstashEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!This saves the encrypted master password in
/etc/kerberosIV/master_key.Making it all runTwo principals need to be added to the database for
each system that will be secured with Kerberos.
Their names are kpasswd and rcmd
These two principals are made for each system, with the instance being
the name of the individual system.These daemons, kpasswd and
rcmd allow other systems to change Kerberos
passwords and run commands like rcp,
rlogin and rsh.Now let's add these entries:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:passwdInstance:grunt
<Not found>, Create [y] ?y
Principal: passwd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?y
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name:rcmdInstance:grunt
<Not found>, Create [y] ?
Principal: rcmd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitCreating the server fileWe now have to extract all the instances which define the services
on each machine. For this we use the ext_srvtab
command. This will create a file which must be copied or moved
by secure means to each Kerberos client's
/etc/kerberosIV directory. This file must be present on each server
and client, and is crucial to the operation of Kerberos.&prompt.root; ext_srvtab gruntEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Generating 'grunt-new-srvtab'....Now, this command only generates a temporary file which must be
renamed to srvtab so that all the server can pick
it up. Use the mv command to move it into place on
the original system:&prompt.root; mv grunt-new-srvtab srvtabIf the file is for a client system, and the network is not deemed
safe, then copy the
client-new-srvtab to
removable media and transport it by secure physical means. Be sure to
rename it to srvtab in the client's
/etc/kerberosIV directory, and make sure it is
mode 600:&prompt.root; mv grumble-new-srvtab srvtab
&prompt.root; chmod 600 srvtabPopulating the databaseWe now have to add some user entries into the database. First
let's create an entry for the user jane. Use the
kdb_edit command to do this:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:
<Not found>, Create [y] ?y
Principal: jane, Instance: , kdc_key_ver: 1
New Password: <---- enter a secure password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitTesting it all outFirst we have to start the Kerberos daemons. NOTE that if you
have correctly edited your /etc/rc.conf then this
will happen automatically when you reboot. This is only necessary on
the Kerberos server. Kerberos clients will automagically get what
they need from the /etc/kerberosIV
directory.&prompt.root; kerberos &
Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Current Kerberos master key version is 1
Local realm: GRONDAR.ZA
&prompt.root; kadmind -n &
KADM Server KADM0.0A initializing
Please do not use 'kill -9' to kill this job, use a
regular kill instead
Current Kerberos master key version is 1.
Master key entered. BEWARE!Now we can try using the kinit command to get a
ticket for the id jane that we created
above:&prompt.user; kinit jane
MIT Project Athena (grunt.grondar.za)
Kerberos Initialization for "jane"
Password:Try listing the tokens using klist to see if we
really have them:&prompt.user; klist
Ticket file: /tmp/tkt245
Principal: jane@GRONDAR.ZA
Issued Expires Principal
Apr 30 11:23:22 Apr 30 19:23:22 krbtgt.GRONDAR.ZA@GRONDAR.ZANow try changing the password using passwd to
check if the kpasswd daemon can get authorization to the Kerberos
database:&prompt.user; passwd
realm GRONDAR.ZA
Old password for jane:New Password for jane:
Verifying password
New Password for jane:
Password changed.Adding su privilegesKerberos allows us to give each user who
needs root privileges their own separatesupassword. We could now add an id which is
authorized to su to root.
This is controlled by having an instance of root
associated with a principal. Using kdb_edit we can
create the entry jane.root in the Kerberos
database:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:root
<Not found>, Create [y] ? y
Principal: jane, Instance: root, kdc_key_ver: 1
New Password: <---- enter a SECURE password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?12 <--- Keep this short!
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitNow try getting tokens for it to make sure it works:&prompt.root; kinit jane.root
MIT Project Athena (grunt.grondar.za)
Kerberos Initialization for "jane.root"
Password:Now we need to add the user to root's .klogin
file:&prompt.root; cat /root/.klogin
jane.root@GRONDAR.ZANow try doing the su:&prompt.user; suPassword:and take a look at what tokens we have:&prompt.root; klist
Ticket file: /tmp/tkt_root_245
Principal: jane.root@GRONDAR.ZA
Issued Expires Principal
May 2 20:43:12 May 3 04:43:12 krbtgt.GRONDAR.ZA@GRONDAR.ZAUsing other commandsIn an earlier example, we created a principal called
jane with an instance root.
This was based on a user with the same name as the principal, and this
is a Kerberos default; that a
<principal>.<instance> of the form
<username>.root will allow
that <username> to su to
root if the necessary entries are in the .klogin
file in root's home directory:&prompt.root; cat /root/.klogin
jane.root@GRONDAR.ZALikewise, if a user has in their own home directory lines of the
form:&prompt.user; cat ~/.klogin
jane@GRONDAR.ZA
jack@GRONDAR.ZAThis allows anyone in the GRONDAR.ZA realm
who has authenticated themselves to jane or
jack (via kinit, see above)
access to rlogin to jane's
account or files on this system (grunt) via
rlogin, rsh or
rcp.For example, Jane now logs into another system, using
Kerberos:&prompt.user; kinit
MIT Project Athena (grunt.grondar.za)
Password:
%prompt.user; rlogin grunt
Last login: Mon May 1 21:14:47 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995Or Jack logs into Jane's account on the same machine (Jane having
set up the .klogin file as above, and the person
in charge of Kerberos having set up principal
jack with a null instance:&prompt.user; kinit
&prompt.user; rlogin grunt -l jane
MIT Project Athena (grunt.grondar.za)
Password:
Last login: Mon May 1 21:16:55 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995FirewallsContributed by &a.gpalmer; and Alex Nash.Firewalls are an area of increasing interest for people who are
connected to the Internet, and are even finding applications on private
networks to provide enhanced security. This section will hopefully
explain what firewalls are, how to use them, and how to use the
facilities provided in the FreeBSD kernel to implement them.People often think that having a firewall between your
internal network and the Big Bad Internet will solve all
your security problems. It may help, but a poorly setup firewall
system is more of a security risk than not having one at all. A
firewall can add another layer of security to your systems, but it
cannot stop a really determined cracker from penetrating your internal
network. If you let internal security lapse because you believe your
firewall to be impenetrable, you have just made the crackers job that
much easier.What is a firewall?There are currently two distinct types of firewalls in common use
on the Internet today. The first type is more properly called a
packet filtering router, where the kernel on a
multi-homed machine chooses whether to forward or block packets based
on a set of rules. The second type, known as a proxy
server, relies on daemons to provide authentication and to
forward packets, possibly on a multi-homed machine which has kernel
packet forwarding disabled.Sometimes sites combine the two types of firewalls, so that only a
certain machine (known as a bastion host) is
allowed to send packets through a packet filtering router onto an
internal network. Proxy services are run on the bastion host, which
are generally more secure than normal authentication
mechanisms.FreeBSD comes with a kernel packet filter (known as
IPFW), which is what the rest of this
section will concentrate on. Proxy servers can be built on FreeBSD
from third party software, but there is such a variety of proxy
servers available that it would be impossible to cover them in this
document.Packet filtering routersA router is a machine which forwards packets between two or more
networks. A packet filtering router has an extra piece of code in
its kernel which compares each packet to a list of rules before
deciding if it should be forwarded or not. Most modern IP routing
software has packet filtering code within it that defaults to
forwarding all packets. To enable the filters, you need to define a
set of rules for the filtering code so it can decide if the
packet should be allowed to pass or not.To decide whether a packet should be passed on, the code looks
through its set of rules for a rule which matches the contents of
this packets headers. Once a match is found, the rule action is
obeyed. The rule action could be to drop the packet, to forward the
packet, or even to send an ICMP message back to the originator.
Only the first match counts, as the rules are searched in order.
Hence, the list of rules can be referred to as a rule
chain.The packet matching criteria varies depending on the software
used, but typically you can specify rules which depend on the source
IP address of the packet, the destination IP address, the source
port number, the destination port number (for protocols which
support ports), or even the packet type (UDP, TCP, ICMP,
etc).Proxy serversProxy servers are machines which have had the normal system
daemons (telnetd, ftpd, etc) replaced with special servers. These
servers are called proxy servers as they
normally only allow onward connections to be made. This enables you
to run (for example) a proxy telnet server on your firewall host,
and people can telnet in to your firewall from the outside, go
through some authentication mechanism, and then gain access to the
internal network (alternatively, proxy servers can be used for
signals coming from the internal network and heading out).Proxy servers are normally more secure than normal servers, and
often have a wider variety of authentication mechanisms available,
including one-shot password systems so that even if
someone manages to discover what password you used, they will not be
able to use it to gain access to your systems as the password
instantly expires. As they do not actually give users access to the
host machine, it becomes a lot more difficult for someone to install
backdoors around your security system.Proxy servers often have ways of restricting access further, so
that only certain hosts can gain access to the servers, and often
they can be set up so that you can limit which users can talk to
which destination machine. Again, what facilities are available
depends largely on what proxy software you choose.What does IPFW allow me to do?IPFW, the software supplied with
FreeBSD, is a packet filtering and accounting system which resides in
the kernel, and has a user-land control utility,
&man.ipfw.8;. Together, they allow you to define and query the
rules currently used by the kernel in its routing decisions.There are two related parts to IPFW.
The firewall section allows you to perform packet filtering. There is
also an IP accounting section which allows you to track usage of your
router, based on similar rules to the firewall section. This allows
you to see (for example) how much traffic your router is getting from
a certain machine, or how much WWW (World Wide Web) traffic it is
forwarding.As a result of the way that IPFW is
designed, you can use IPFW on non-router
machines to perform packet filtering on incoming and outgoing
connections. This is a special case of the more general use of
IPFW, and the same commands and techniques
should be used in this situation.Enabling IPFW on FreeBSDAs the main part of the IPFW system
lives in the kernel, you will need to add one or more options to your
kernel configuration file, depending on what facilities you want, and
recompile your kernel. See reconfiguring
the kernel for more details on how to recompile your
kernel.There are currently three kernel configuration options relevant to
IPFW:options IPFIREWALLCompiles into the kernel the code for packet
filtering.options IPFIREWALL_VERBOSEEnables code to allow logging of packets through
&man.syslogd.8;. Without this option, even if you specify
that packets should be logged in the filter rules, nothing will
happen.options IPFIREWALL_VERBOSE_LIMIT=10Limits the number of packets logged through
&man.syslogd.8; on a per entry basis. You may wish to use
this option in hostile environments in which you want to log
firewall activity, but do not want to be open to a denial of
service attack via syslog flooding.When a chain entry reaches the packet limit specified,
logging is turned off for that particular entry. To resume
logging, you will need to reset the associated counter using the
&man.ipfw.8; utility:&prompt.root; ipfw zero 4500Where 4500 is the chain entry you wish to continue
logging.Previous versions of FreeBSD contained an
IPFIREWALL_ACCT option. This is now obsolete as
the firewall code automatically includes accounting
facilities.Configuring IPFWThe configuration of the IPFW software
is done through the &man.ipfw.8; utility. The syntax for this
command looks quite complicated, but it is relatively simple once you
understand its structure.There are currently four different command categories used by the
utility: addition/deletion, listing, flushing, and clearing.
Addition/deletion is used to build the rules that control how packets
are accepted, rejected, and logged. Listing is used to examine the
contents of your rule set (otherwise known as the chain) and packet
counters (accounting). Flushing is used to remove all entries from
the chain. Clearing is used to zero out one or more accounting
entries.Altering the IPFW rulesThe syntax for this form of the command is:
ipfw-NcommandindexactionlogprotocoladdressesoptionsThere is one valid flag when using this form of the
command:-NResolve addresses and service names in output.The command given can be shortened to the
shortest unique form. The valid commands
are:addAdd an entry to the firewall/accounting rule listdeleteDelete an entry from the firewall/accounting rule
listPrevious versions of IPFW used
separate firewall and accounting entries. The present version
provides packet accounting with each firewall entry.If an index value is supplied, it used to
place the entry at a specific point in the chain. Otherwise, the
entry is placed at the end of the chain at an index 100 greater than
the last chain entry (this does not include the default policy, rule
65535, deny).The log option causes matching rules to be
output to the system console if the kernel was compiled with
IPFIREWALL_VERBOSE.Valid actions are:rejectDrop the packet, and send an ICMP host or port unreachable
(as appropriate) packet to the source.allowPass the packet on as normal. (aliases:
pass and
accept)denyDrop the packet. The source is not notified via an
ICMP message (thus it appears that the packet never
arrived at the destination).countUpdate packet counters but do not allow/deny the packet
based on this rule. The search continues with the next chain
entry.Each action will be recognized by the
shortest unambiguous prefix.The protocols which can be specified
are:allMatches any IP packeticmpMatches ICMP packetstcpMatches TCP packetsudpMatches UDP packetsThe address specification is:fromaddress/maskporttoaddress/maskportvia interfaceYou can only specify port in
conjunction with protocols which support ports
(UDP and TCP).The is optional and may specify the IP
address or domain name of a local IP interface, or an interface name
(e.g. ed0) to match only packets coming
through this interface. Interface unit numbers can be specified
with an optional wildcard. For example, ppp*
would match all kernel PPP interfaces.The syntax used to specify an
address/mask is:
address
or
address/mask-bits
or
address:mask-patternA valid hostname may be specified in place of the IP address.
is a decimal
number representing how many bits in the address mask should be set.
e.g. specifying 192.216.222.1/24 will create a
mask which will allow any address in a class C subnet (in this case,
192.216.222) to be matched.
is an IP
address which will be logically AND'ed with the address given. The
keyword any may be used to specify any IP
address.The port numbers to be blocked are specified as:
port,port,port…
to specify either a single port or a list of ports, or
port-port
to specify a range of ports. You may also combine a single range
with a list, but the range must always be specified first.The options available are:fragMatches if the packet is not the first fragment of the
datagram.inMatches if the packet is on the way in.outMatches if the packet is on the way out.ipoptions specMatches if the IP header contains the comma separated list
of options specified in spec. The
supported list of IP options are: ssrr
(strict source route), lsrr (loose source
route), rr (record packet route), and
ts (time stamp). The absence of a
particular option may be denoted with a leading
!.establishedMatches if the packet is part of an already established
TCP connection (i.e. it has the RST or ACK bits set). You can
optimize the performance of the firewall by placing
established rules early in the
chain.setupMatches if the packet is an attempt to establish a TCP
connection (the SYN bit set is set but the ACK bit is
not).tcpflags flagsMatches if the TCP header contains the comma separated
list of flags. The supported flags
are fin, syn,
rst, psh,
ack, and urg. The
absence of a particular flag may be indicated by a leading
!.icmptypes typesMatches if the ICMP type is present in the list
types. The list may be specified
as any combination of ranges and/or individual types separated
by commas. Commonly used ICMP types are: 0
echo reply (ping reply), 3 destination
unreachable, 5 redirect,
8 echo request (ping request), and
11 time exceeded (used to indicate TTL
expiration as with &man.traceroute.8;).Listing the IPFW rulesThe syntax for this form of the command is:
ipfw-a-t-NlThere are three valid flags when using this form of the
command:-aWhile listing, show counter values. This option is the
only way to see accounting counters.-tDisplay the last match times for each chain entry. The
time listing is incompatible with the input syntax used by the
&man.ipfw.8; utility.-NAttempt to resolve given addresses and service
names.Flushing the IPFW rulesThe syntax for flushing the chain is:
ipfwflushThis causes all entries in the firewall chain to be removed
except the fixed default policy enforced by the kernel (index
65535). Use caution when flushing rules, the default deny policy
will leave your system cut off from the network until allow entries
are added to the chain.Clearing the IPFW packet countersThe syntax for clearing one or more packet counters is:
ipfwzeroindexWhen used without an index argument,
all packet counters are cleared. If an
index is supplied, the clearing operation
only affects a specific chain entry.Example commands for ipfwThis command will deny all packets from the host evil.crackers.org to the telnet port of the
host nice.people.org:&prompt.root ipfw add deny tcp from evil.crackers.org to nice.people.org 23The next example denies and logs any TCP traffic from the entire
crackers.org network (a class C) to
the nice.people.org machine (any
port).&prompt.root; ipfw add deny log tcp from evil.crackers.org/24 to nice.people.orgIf you do not want people sending X sessions to your internal
network (a subnet of a class C), the following command will do the
necessary filtering:&prompt.root; ipfw add deny tcp from any to my.org/28 6000 setupTo see the accounting records:
&prompt.root; ipfw -a list
or in the short form
&prompt.root; ipfw -a lYou can also see the last time a chain entry was matched
with:&prompt.root; ipfw -at lBuilding a packet filtering firewallThe following suggestions are just that: suggestions. The
requirements of each firewall are different and I cannot tell you
how to build a firewall to meet your particular requirements.When initially setting up your firewall, unless you have a test
bench setup where you can configure your firewall host in a controlled
environment, I strongly recommend you use the logging version of the
commands and enable logging in the kernel. This will allow you to
quickly identify problem areas and cure them without too much
disruption. Even after the initial setup phase is complete, I
recommend using the logging for `deny' as it allows tracing of
possible attacks and also modification of the firewall rules if your
requirements alter.If you use the logging versions of the accept
command, it can generate large amounts of log
data as one log line will be generated for every packet that passes
through the firewall, so large ftp/http transfers, etc, will really
slow the system down. It also increases the latencies on those
packets as it requires more work to be done by the kernel before the
packet can be passed on. syslogd with also start using up a lot
more processor time as it logs all the extra data to disk, and it
could quite easily fill the partition /var/log
is located on.You should enable your firewall from
/etc/rc.conf.local or
/etc/rc.conf. The associated man page explains
which knobs to fiddle and lists some preset firewall configurations.
If you do not use a preset configuration, ipfw list
will output the current ruleset into a file that you can
pass to rc.conf. If you do not use
/etc/rc.conf.local or
/etc/rc.conf to enable your firewall,
it is important to make sure your firewall is enabled before
any IP interfaces are configured.
The next problem is what your firewall should actually
do! This is largely dependent on what access to
your network you want to allow from the outside, and how much access
to the outside world you want to allow from the inside. Some general
rules are:Block all incoming access to ports below 1024 for TCP. This is
where most of the security sensitive services are, like finger,
SMTP (mail) and telnet.Block all incoming UDP traffic. There
are very few useful services that travel over UDP, and what useful
traffic there is is normally a security threat (e.g. Suns RPC and
NFS protocols). This has its disadvantages also, since UDP is a
connectionless protocol, denying incoming UDP traffic also blocks
the replies to outgoing UDP traffic. This can cause a problem for
people (on the inside) using external archie (prospero) servers.
If you want to allow access to archie, you'll have to allow
packets coming from ports 191 and 1525 to any internal UDP port
through the firewall. ntp is another service you may consider
allowing through, which comes from port 123.Block traffic to port 6000 from the outside. Port 6000 is the
port used for access to X11 servers, and can be a security threat
(especially if people are in the habit of doing xhost
+ on their workstations). X11 can actually use a
range of ports starting at 6000, the upper limit being how many X
displays you can run on the machine. The upper limit as defined
by RFC 1700 (Assigned Numbers) is 6063.Check what ports any internal servers use (e.g. SQL servers,
etc). It is probably a good idea to block those as well, as they
normally fall outside the 1-1024 range specified above.Another checklist for firewall configuration is available from
CERT at ftp://ftp.cert.org/pub/tech_tips/packet_filteringAs I said above, these are only guidelines.
You will have to decide what filter rules you want to use on your
firewall yourself. I cannot accept ANY responsibility if someone
breaks into your network, even if you follow the advice given
above.OpenSSLAs of FreeBSD 4.0, the OpenSSL toolkit is a part of the base
system. OpenSSL
provides a general-purpose cryptography library, as well as the
Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer
Security v1 (TLSv1) network security protocols.
- However, some of the algorithms (specifically, RSA and IDEA)
- included in OpenSSL are protected by patents in the USA and
- elsewhere, and are not available for unrestricted use (in
- particular, IDEA is not available at all in FreeBSD's version of
- OpenSSL). As a result, FreeBSD has available two different
- versions of the OpenSSL RSA libraries depending on geographical
- location (USA/non-USA).
+ However, one of the algorithms (specifically IDEA)
+ included in OpenSSL is protected by patents in the USA and
+ elsewhere, and is not available for unrestricted use.
+ IDEA is included in the OpenSSL sources in FreeBSD, but it is not
+ built by default. If you wish to use it, and you comply with the
+ license terms, enable the MAKE_IDEA switch in /etc/make.conf and
+ rebuild your sources using 'make world'.
+
+ Today, the RSA algorithm is free for use in USA and other
+ countries. In the past it was protected by a patent.Source Code InstallationsOpenSSL is part of the src-crypto and
src-secure cvsup collections. See the Obtaining FreeBSD section for more
information about obtaining and updating FreeBSD source
code.
-
-
- International (Non-USA) Users
-
- People who are located outside the USA, and who obtain their
- crypto sources from internat.FreeBSD.org (the International
- Crypto Repository) or an international mirror site, will build a
- version of OpenSSL which includes the native OpenSSL
- implementation of
- RSA, but does not include IDEA, because the latter is restricted
- in certain locations elsewhere in the world. In the future a more
- flexible geographical identification system may allow building of
- IDEA in countries for which it is not restricted.
-
- Please be aware of any local restrictions on the import, use
- and redistribution of cryptography which may exist in your
- country.
-
-
-
- USA Users
-
- As noted above, RSA is patented in the USA, with terms
- preventing general use without an appropriate license. Therefore
- the standard OpenSSL RSA code may not be used in the USA, and has been
- removed from the version of OpenSSL carried on USA mirror sites.
- The RSA patent is due to expire on September 20, 2000, at which
- time it is intended to add the full RSA code back to
- the USA version of OpenSSL.
-
- However (and fortunately), the RSA patent holder (RSA Security, has
- provided a RSA reference implementation toolkit
- (RSAREF) which is available for certain classes of
- use, including non-commercial use
- (see the RSAREF license for their definition of
- non-commercial).
-
- If you meet the conditions of the RSAREF license and wish to
- use it in conjunction with OpenSSL to provide RSA support, you can
- install the rsaref port, which is located in
- /usr/ports/security/rsaref, or the
- rsaref-2.0 package. The OpenSSL library will
- then automatically detect and use the RSAREF libraries. Please obtain
- legal advice if you are unsure of your compliance with the license
- terms.
-
- The RSAREF implementation is inferior to the
- native OpenSSL implementation (it is much slower,
- and cannot be used with keys larger than 1024 bits). If you are not
- located in the USA then you are doing yourself a disadvantage by
- using RSAREF.
-
- Users who have purchased an appropriate RSA source code
- license from RSA Security may use the International version of
- OpenSSL described above to obtain native RSA support.
-
- IDEA code is also removed from the USA version of OpenSSL for
- patent reasons.
-
-
-
- Binary Installations
-
- If your FreeBSD installation was a binary installation (e.g.,
- installed from the Walnut Creek CDROM, or from a snapshot
- downloaded from
- ftp.FreeBSD.org) and you selected to
- install the crypto collection, then the
- sysinstall utility will automatically select
- the correct version to install during the installation
- process. If the international version was selected but could
- not be installed during sysinstall (e.g. you have not
- configured network access, and the version must be downloaded
- from a FTP site) then you can add the international RSA library
- after installation as a package.
-
- The librsaintl package contains the RSA
- code for International (non-USA) users. This is not legal for
- use in the USA, but international users should use this version
- because the RSA implementation is faster and more flexible. It
- is available from ftp.internat.FreeBSD.org and does not
- require RSAREF.
- IPsecContributed by &a.shin;, 5 March
2000.IPsec mechanism provides secure communication either for IP
layer and socket layer communication. This section should
explain how to use them. About IPsec implementation, please
refer section 23.5.4.The current IPsec implementation supports both transport mode
and tunnel mode. However, tunnel mode comes with some restrictions.
http://www.kame.net/newsletter/
has more comprehensive examples.Transport mode example with IPv4Let's setup security association to deploy a secure channel
between HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little
complicated example. From HOST A to HOST B, only old AH is used.
From HOST B to HOST A, new AH and new ESP are combined.Now we should choose algorithm to be used corresponding to
"AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man
page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1
for new AH, and new-DES-expIV with 8 byte IV for new ESP.Key length highly depends on each algorithm. For example, key
length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET",
"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.OK, let's assign SPI (Security Parameter Index) for each protocol.
Please note that we need 3 SPIs for this secure channel since three
security headers are produced (one for from HOST A to HOST B, two for
from HOST B to HOST A). Please also note that SPI MUST be greater
than or equal to 256. We choose, 1000, 2000, and 3000, respectively.
(1)
HOST A ------> HOST B
(1)PROTO=AH
ALG=MD5(RFC1826)
KEY=MYSECRETMYSECRET
SPI=1000
(2.1)
HOST A <------ HOST B
<------
(2.2)
(2.1)
PROTO=AH
ALG=new-HMAC-SHA1(new AH)
KEY=KAMEKAMEKAMEKAMEKAME
SPI=2000
(2.2)
PROTO=ESP
ALG=new-DES-expIV(new ESP)
IV length = 8
KEY=PASSWORD
SPI=3000
Now, let's setup security association. Execute &man.setkey.8;
on both HOST A and B:
&prompt.root; setkey -c
add 10.2.3.4 10.6.7.8 ah-old 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
^D
Actually, IPsec communication doesn't process until security policy
entries will be defined. In this case, you must setup each host.
At A:
&prompt.root; setkey -c
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
ah/transport/10.2.3.4-10.6.7.8/require ;
^D
At B:
&prompt.root; setkey -c
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
ah/transport/10.6.7.8-10.2.3.4/require ;
^D
HOST A --------------------------------------> HOST E
10.2.3.4 10.6.7.8
| |
========== old AH keyed-md5 ==========>
<========= new AH hmac-sha1 ===========
<========= new ESP des-cbc ============
Transport mode example with IPv6Another example using IPv6.ESP transport mode is recommended for TCP port number 110 between
Host-A and Host-B.
============ ESP ============
| |
Host-A Host-B
fec0::10 -------------------- fec0::11
Encryption algorithm is blowfish-cbc whose key is "kamekame", and
authentication algorithm is hmac-sha1 whose key is "this is the test
key". Configuration at Host-A:
&prompt.root; setkey -c <<EOF
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
esp/transport/fec0::10-fec0::11/use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
esp/transport/fec0::11-fec0::10/use ;
add fec0::10 fec0::11 esp 0x10001
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
EOF
and at Host-B:
&prompt.root; setkey -c <<EOF
spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
esp/transport/fec0::11-fec0::10/use ;
spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
esp/transport/fec0::10-fec0::11/use ;
add fec0::10 fec0::11 esp 0x10001 -m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002 -m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
EOF
Note the direction of SP.Tunnel mode example with IPv4Tunnel mode between two security gatewaysSecurity protocol is old AH tunnel mode, i.e. specified by
RFC1826, with keyed-md5 whose key is "this is the test" as
authentication algorithm.
======= AH =======
| |
Network-A Gateway-A Gateway-B Network-B
10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
Configuration at Gateway-A:
&prompt.root; setkey -c <<EOF
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-A keyed-md5 "this is the test" ;
EOF
If port number field is omitted such above then "[any]" is
employed. `-m' specifies the mode of SA to be used. "-m any" means
wild-card of mode of security protocol. You can use this SA for both
tunnel and transport mode.and at Gateway-B:
&prompt.root; setkey -c <<EOF
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-A keyed-md5 "this is the test" ;
EOF
Making SA bundle between two security gatewaysAH transport mode and ESP tunnel mode is required between
Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first,
and AH transport mode is next.
========== AH =========
| ======= ESP ===== |
| | | |
Network-A Gateway-A Gateway-B Network-B
fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
Tunnel mode example with IPv6Encryption algorithm is 3des-cbc, and authentication algorithm
for ESP is hmac-sha1. Authentication algorithm for AH is hmac-md5.
Configuration at Gateway-A:
&prompt.root; setkey -c <<EOF
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
-A hmac-md5 "this is the test" ;
EOF
Making SAs with the different endESP tunnel mode is required between Host-A and Gateway-A. Encryption
algorithm is cast128-cbc, and authentication algorithm for ESP is
hmac-sha1. ESP transport mode is recommended between Host-A and Host-B.
Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is
hmac-md5.
================== ESP =================
| ======= ESP ======= |
| | | |
Host-A Gateway-A Host-B
fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
Configuration at Host-A:
&prompt.root; setkey -c <<EOF
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
EOF
diff --git a/en_US.ISO_8859-1/books/porters-handbook/book.sgml b/en_US.ISO_8859-1/books/porters-handbook/book.sgml
index 632cfc6c50..b8e98b45bb 100644
--- a/en_US.ISO_8859-1/books/porters-handbook/book.sgml
+++ b/en_US.ISO_8859-1/books/porters-handbook/book.sgml
@@ -1,4165 +1,4165 @@
%man;
%bookinfo;
%authors;
%mailing-lists;
]>
FreeBSD Porter's HandbookThe FreeBSD Documentation ProjectApril 20002000The FreeBSD Documentation
Project
&bookinfo.legalnotice;
Making a port yourselfSo, now you are interested in making your own port or
upgrading an existing one? Great!What follows are some guidelines for creating a new port for
FreeBSD. If you want to upgrade an existing port, you should
read this and then read .When this document is not sufficiently detailed, you should
refer to /usr/ports/Mk/bsd.port.mk, which
all port Makefiles include. Even if you do not hack Makefiles
daily, it is well commented, and you will still gain much
knowledge from it. Additionally, you may send specific questions
to the &a.ports;.Only a fraction of the variables
(VAR) that can be
overridden are mentioned in this document. Most (if not all)
are documented at the start of bsd.port.mk.
This file uses a non-standard tab setting.
Emacs and
Vim should recognize the setting on
loading the file. Both vi and
ex can be set to use the correct value by
typing :set tabstop=4 once the file has been
loaded.Quick PortingThis section tells you how to do a quick port. In many cases, it
is not enough, but we will see.First, get the original tarball and put it into
DISTDIR, which defaults to
/usr/ports/distfiles.The following assumes that the software compiled out-of-the-box,
i.e., there was absolutely no change required for the port to work
on your FreeBSD box. If you needed to change something, you will
have to refer to the next section too.Writing the MakefileThe minimal Makefile would look something
like this:
# New ports collection makefile for: oneko
# Date created: 5 December 1994
# Whom: asami
#
# $FreeBSD$
#
PORTNAME= oneko
PORTVERSION= 1.1b
CATEGORIES= games
MASTER_SITES= ftp://ftp.cs.columbia.edu/archives/X11R5/contrib/
MAINTAINER= asami@FreeBSD.org
MAN1= oneko.1
MANCOMPRESSED= yes
USE_IMAKE= yes
.include <bsd.port.mk>See if you can figure it out. Do not worry about the contents
of the $FreeBSD$ line, it will be
filled in automatically by CVS when the port is imported to our main
ports tree. You can find a more detailed example in the sample Makefile section.Writing the description filesThere are three description files that are required for any
port, whether they actually package or not. They are
COMMENT, DESCR, and
PLIST, and reside in the
pkg subdirectory.COMMENTThis is the one-line description of the port.
Please do not include the package name (or
version number of the software) in the comment. The comment
should begin with a capital, and end without a period. Here
is an example:
A cat chasing a mouse all over the screenDESCRThis is a longer description of the port. One to a few
paragraphs concisely explaining what the port does is
sufficient.This is not a manual or an in-depth
description on how to use or compile the port! Please
be careful if you are copying from the
README or manpage; too often
they are not a concise description of the port or are in an
awkward format (e.g., manpages have justified spacing). If the
ported software has an official WWW homepage, you should list it
here. Prefix one of the websites with
WWW: so that automated tools will work
correctly.It is recommended that you sign your name at the end of this
file, as in:
This is a port of oneko, in which a cat chases a poor mouse all over
the screen.
:
(etc.)
WWW: http://www.oneko.org/
- Satoshi
asami@cs.berkeley.eduPLISTThis file lists all the files installed by the port. It is
also called the “packing list” because the package is
generated by packing the files listed here. The pathnames are
relative to the installation prefix (usually
/usr/local or
/usr/X11R6). If you are using the
MANn variables (as
you should be), do not list any manpages here.Here is a small example:
bin/oneko
lib/X11/app-defaults/Oneko
lib/X11/oneko/cat1.xpm
lib/X11/oneko/cat2.xpm
lib/X11/oneko/mouse.xpm
@dirrm lib/X11/onekoRefer to the &man.pkg.create.1; man page for details on the
packing list.You should list all the files, but not the name directories,
in the list. Also, if the port creates directories for itself
during installation, make sure to add @dirrm
lines as necessary to remove them when the port is
deleted.It is recommended that you keep all the filenames in this
file sorted alphabetically. It will make verifying the changes
when you upgrade the port much easier.Creating a packing list manually can be a very tedious
task. If the port installs a large numbers of files, creating the packing list
automatically might save time.Creating the checksum fileJust type make makesum. The ports make rules
will automatically generate the file
files/md5.Testing the portYou should make sure that the port rules do exactly what you
want them to do, including packaging up the port. These are the
important points you need to verify.PLIST does not contain anything not
installed by your portPLIST contains everything that is
installed by your portYour port can be installed multiple times using the
reinstall targetYour port cleans up
after itself upon deinstallRecommended test orderingmake installmake packagemake deinstallpkg_add package-namemake deinstallmake reinstallmake packageMake sure that there are not any warnings issued in any of the
package and
deinstall stages. After step 3, check to
see if all the new directories are correctly deleted. Also, try
using the software after step 4, to ensure that it works correctly
when installed from a package.Checking your port with portlintPlease use portlint to see if your port
conforms to our guidelines. The portlint program
is part of the ports collection. In particular, you may want to
check if the Makefile is in
the right shape and the package is named
appropriately.Submitting the portFirst, make sure you have read the DOs and DON'Ts section.Now that you are happy with your port, the only thing remaining
is to put it in the main FreeBSD ports tree and make everybody else
happy about it too. We do not need your work
directory or the pkgname.tgz package, so delete
them now. Next, simply include the output of shar `find
port_dir` in a bug report and send it with the
&man.send-pr.1; program (see Bug
Reports and General Commentary for more information about
&man.send-pr.1;. If the uncompressed port is larger than 20KB,
you should compress it into a tarfile and use &man.uuencode.1;
before including it in the bug report (uuencoded tarfiles are
acceptable even if the bug report is smaller than 20KB but are not
preferred). Be sure to classify the bug report as category
ports and class
change-request (Do not mark the report
confidential!).
Also add a short description of the program you ported
to the Description field of the PR and
the shar or uuencoded tarfile to the
Fix field. The latter one helps the committers
a lot, who use scripts for the ports-work.One more time, do not include the original source
distfile, the work directory, or the package
you built with make package.In the past, we asked you to upload new port submissions in
our ftp site (ftp.FreeBSD.org). This
is no longer recommended as read access is turned off on the
incoming/ directory of that site due to the
large amount of pirated software showing up there.We will look at your port, get back to you if necessary, and put
it in the tree. Your name will also appear in the list of
“Additional FreeBSD contributors” in the FreeBSD
Handbook and other files. Isn't that great?!? :-)You can make our work a lot easier, if you use a good
description in the synopsis of the problem report.
We prefer something like
“New port: <short description of the port>” for
new ports and
“Update port: <category>/<port> <short description
of the update>” for port updates.
If you stick to this scheme, the chance that one takes a look at
your PR soon is much bigger.Slow PortingOk, so it was not that simple, and the port required some
modifications to get it to work. In this section, we will explain,
step by step, how to modify it to get it to work with the ports
paradigm.How things workFirst, this is the sequence of events which occurs when the user
first types make in your port's directory.
You may find that having bsd.port.mk in another
window while you read this really helps to understand it.But do not worry if you do not really understand what
bsd.port.mk is doing, not many people do...
:->The fetch target is run. The
fetch target is responsible for making
sure that the tarball exists locally in
DISTDIR. If fetch
cannot find the required files in DISTDIR it
will look up the URL MASTER_SITES, which is
set in the Makefile, as well as our main ftp site at ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/,
where we put sanctioned distfiles as backup. It will then
attempt to fetch the named distribution file with
FETCH, assuming that the requesting site has
direct access to the Internet. If that succeeds, it will save
the file in DISTDIR for future use and
proceed.The extract target is run. It
looks for your port's distribution file (typically a gzip'd
tarball) in DISTDIR and unpacks it into a
temporary subdirectory specified by WRKDIR
(defaults to work).The patch target is run. First,
any patches defined in PATCHFILES are
applied. Second, if any patches are found in
PATCHDIR (defaults to the
patches subdirectory), they are applied at
this time in alphabetical order.The configure target is run. This
can do any one of many different things.If it exists, scripts/configure is
run.If HAS_CONFIGURE or
GNU_CONFIGURE is set,
WRKSRC/configure is
run.If USE_IMAKE is set,
XMKMF (default: xmkmf
-a) is run.The build target is run. This is
responsible for descending into the port's private working
directory (WRKSRC) and building it. If
USE_GMAKE is set, GNU make
will be used, otherwise the system make will
be used.The above are the default actions. In addition, you can define
targets
pre-something or
post-something,
or put scripts with those names, in the scripts
subdirectory, and they will be run before or after the default
actions are done.For example, if you have a post-extract
target defined in your Makefile, and a file
pre-build in the scripts
subdirectory, the post-extract target will
be called after the regular extraction actions, and the
pre-build script will be executed before the
default build rules are done. It is recommended that you use
Makefile targets if the actions are simple
enough, because it will be easier for someone to figure out what
kind of non-default action the port requires.The default actions are done by the
bsd.port.mk targets
do-something.
For example, the commands to extract a port are in the target
do-extract. If you are not happy with the
default target, you can fix it by redefining the
do-something
target in your Makefile.The “main” targets (e.g.,
extract,
configure, etc.) do nothing more than
make sure all the stages up to that one are completed and call
the real targets or scripts, and they are not intended to be
changed. If you want to fix the extraction, fix
do-extract, but never ever touch
extract!Now that you understand what goes on when the user types
make, let us go through the recommended steps to
create the perfect port.Getting the original sourcesGet the original sources (normally) as a compressed tarball
(foo.tar.gz or
foo.tar.Z) and copy
it into DISTDIR. Always use
mainstream sources when and where you
can.If you cannot find a ftp/http site that is well-connected to the
net, or can only find sites that have irritatingly non-standard
formats, you might want to put a copy on a reliable ftp or http
server that you control (e.g., your home page). Make sure you set
MASTER_SITES to reflect your choice.If you cannot find somewhere convenient and reliable to put the
distfile
we can “house” it ourselves
on ftp.FreeBSD.org.
The distfile must be placed into
~/public_distfiles/ of someone's
freefall account.
Ask the person who commits your port to do this.
This person will also set MASTER_SITES to
MASTER_SITE_LOCAL and
MASTER_SITE_SUBDIR to their
freefall username.If your port's distfile changes all the time for no good reason,
consider putting the distfile in your home page and listing it as
the first MASTER_SITES. This will prevent users
from getting checksum mismatch errors, and
also reduce the workload of maintainers of our ftp site. Also, if
there is only one master site for the port, it is recommended that
you house a backup at your site and list it as the second
MASTER_SITES.If your port requires some additional `patches' that are
available on the Internet, fetch them too and put them in
DISTDIR. Do not worry if they come from a site
other than where you got the main source tarball, we have a way to
handle these situations (see the description of PATCHFILES below).Modifying the portUnpack a copy of the tarball in a private directory and make
whatever changes are necessary to get the port to compile properly
under the current version of FreeBSD. Keep careful
track of everything you do, as you will be automating
the process shortly. Everything, including the deletion, addition,
or modification of files should be doable using an automated script
or patch file when your port is finished.If your port requires significant user interaction/customization
to compile or install, you should take a look at one of Larry Wall's
classic Configure scripts and perhaps do
something similar yourself. The goal of the new ports collection is
to make each port as “plug-and-play” as possible for the
end-user while using a minimum of disk space.Unless explicitly stated, patch files, scripts, and other
files you have created and contributed to the FreeBSD ports
collection are assumed to be covered by the standard BSD copyright
conditions.PatchingIn the preparation of the port, files that have been added or
changed can be picked up with a recursive diff for later feeding to
patch. Each set of patches you wish to apply should be collected
into a file named
patch-xx where
xx denotes the sequence in which the
patches will be applied — these are done in
alphabetical order, thus aa
first, ab second and so on. These files should
be stored in PATCHDIR, from where they will be
automatically applied. All patches should be relative to
WRKSRC (generally the directory your port's
tarball unpacks itself into, that being where the build is done).
To make fixes and upgrades easier, you should avoid having more than
one patch fix the same file (e.g., patch-aa and
patch-ab both changing
WRKSRC/foobar.c).ConfiguringInclude any additional customization commands in your
configure script and save it in the
scripts subdirectory. As mentioned above, you
can also do this with Makefile targets and/or
scripts with the name pre-configure or
post-configure.Handling user inputIf your port requires user input to build, configure, or install,
then set IS_INTERACTIVE in your Makefile. This
will allow “overnight builds” to skip your port if the
user sets the variable BATCH in his environment (and
if the user sets the variable INTERACTIVE, then
only those ports requiring interaction are
built).It is also recommended that if there are reasonable default
answers to the questions, you check the
PACKAGE_BUILDING variable and turn off the
interactive script when it is set. This will allow us to build the
packages for CD-ROMs and ftp.Configuring the MakefileConfiguring the Makefile is pretty simple, and again we suggest
that you look at existing examples before starting. Also, there is a
sample Makefile in this
handbook, so take a look and please follow the ordering of variables
and sections in that template to make your port easier for others to
read.Now, consider the following problems in sequence as you design
your new Makefile:The original sourceDoes it live in DISTDIR as a standard
gzip'd tarball named something like
foozolix-1.2.tar.gz? If so, you can go on
to the next step. If not, you should look at overriding any of
the DISTNAME, EXTRACT_CMD,
EXTRACT_BEFORE_ARGS,
EXTRACT_AFTER_ARGS,
EXTRACT_SUFX, or DISTFILES
variables, depending on how alien a format your port's
distribution file is. (The most common case is
EXTRACT_SUFX=.tar.Z, when the tarball is
condensed by regular compress, not
gzip.)In the worst case, you can simply create your own
do-extract target to override the
default, though this should be rarely, if ever,
necessary.PORTNAME and PORTVERSIONYou should set PORTNAME to the
base name of your port, and PORTVERSION
to the version number of the port.PKGNAMEPREFIX and PKGNAMESUFFIXTwo optional variables, PKGNAMEPREFIX and
PKGNAMESUFFIX, are combined with
PORTNAME and
PORTVERSION to
form PKGNAME as
${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}-${PORTVERSION}.
Make sure this conforms to our guidelines for a good package
name. In particular, you are not allowed to use a
hyphen (-) in
PORTVERSION. Also, if the package name
has the language- or the
compiled.specifics part, use
PKGNAMEPREFIX and
PKGNAMESUFFIX, respectively. Do not make
them part of PORTNAME.DISTNAMEDISTNAME is the name of the port as
called by the authors of the software.
DISTNAME defaults to
${PORTNAME}-${PORTVERSION}, so override it if necessary.
DISTNAME is only used in two places.
First, the distribution file list
(DISTFILES) defaults to
${DISTNAME}${EXTRACT_SUFX}.
Second, the distribution file is expected to extract into a
subdirectory named WRKSRC, which defaults
to work/${DISTNAME}.Note that PKGNAMEPREFIX and
PKGNAMESUFFIX do not affect
DISTNAME.CATEGORIESWhen a package is created, it is put under
/usr/ports/packages/All and links are made from
one or more subdirectories of
/usr/ports/packages. The names of these
subdirectories are specified by the variable
CATEGORIES. It is intended to make life easier
for the user when he is wading through the pile of packages on the
ftp site or the CD-ROM. Please take a look at the existing categories and pick the ones
that are suitable for your port.This list also determines where in the ports tree the port is
imported. If you put more than one category here, it is assumed
that the port files will be put in the subdirectory with the name in
the first category. See the categories section for more
discussion about how to pick the right categories.If your port truly belongs to something that is different from
all the existing ones, you can even create a new category name. In
that case, please send mail to the &a.ports; to propose a new
category.There is no error checking for category names. make
package will happily create a new directory if you
mistype the category name, so be careful!MASTER_SITESRecord the directory part of the ftp/http-URL pointing at the
original tarball in MASTER_SITES. Do not forget
the trailing slash (/)!The make macros will try to use this
specification for grabbing the distribution file with
FETCH if they cannot find it already on the
system.It is recommended that you put multiple sites on this list,
preferably from different continents. This will safeguard against
wide-area network problems, and we are even planning to add support
for automatically determining the closest master site and fetching
from there!If the original tarball is part of one of the following popular
archives: X-contrib, GNU, Perl CPAN, TeX CTAN, or Linux Sunsite, you
refer to those sites in an easy compact form using
MASTER_SITE_XCONTRIB,
MASTER_SITE_GNU,
MASTER_SITE_PERL_CPAN,
MASTER_SITE_TEX_CTAN, and
MASTER_SITE_SUNSITE. Simply set
MASTER_SITE_SUBDIR to the path within the
archive. Here is an example:
MASTER_SITES= ${MASTER_SITE_XCONTRIB}
MASTER_SITE_SUBDIR= applicationsThe user can also set the MASTER_SITE_*
variables in /etc/make.conf to override our
choices, and use their favorite mirrors of these popular archives
instead.PATCHFILESIf your port requires some additional patches that are available
by ftp or http, set PATCHFILES to the names of
the files and PATCH_SITES to the URL of the
directory that contains them (the format is the same as
MASTER_SITES).If the patch is not relative to the top of the source tree
(i.e., WRKSRC) because it contains some extra
pathnames, set PATCH_DIST_STRIP accordingly. For
instance, if all the pathnames in the patch have an extra
foozolix-1.0/ in front of the filenames, then set
PATCH_DIST_STRIP=-p1.Do not worry if the patches are compressed; they will be
decompressed automatically if the filenames end with
.gz or .Z.If the patch is distributed with some other files, such as
documentation, in a gzip'd tarball, you cannot just use
PATCHFILES. If that is the case, add the name
and the location of the patch tarball to
DISTFILES and MASTER_SITES.
Then, from the pre-patch target, apply the
patch either by running the patch command from there, or copying the
patch file into the PATCHDIR directory and
calling it
patch-xx.Note that the tarball will have been extracted alongside the
regular source by then, so there is no need to explicitly extract
it if it is a regular gzip'd or compress'd tarball. If you do the
latter, take extra care not to overwrite something that already
exists in that directory. Also, do not forget to add a command to
remove the copied patch in the pre-clean
target.MAINTAINERSet your mail-address here. Please. :-)For a detailed description of the responsibilities of maintainers,
refer to the MAINTAINER on
Makefiles section.DependenciesMany ports depend on other ports. There are five variables that
you can use to ensure that all the required bits will be on the
user's machine. There are also some pre-supported dependency
variables for common cases, plus a few more to control the behaviour
of dependencies.LIB_DEPENDSThis variable specifies the shared libraries this port depends
on. It is a list of
lib:dir:target
tuples where lib is the name of the
shared library, dir is the
directory in which to find it in case it is not available, and
target is the target to call in that
directory. For example, LIB_DEPENDS=
jpeg.9:${PORTSDIR}/graphics/jpeg:install
will check for a shared jpeg library with major version 9, and
descend into the graphics/jpeg subdirectory
of your ports tree to build and install it if it is not found.
The target part can be omitted if it is
equal to DEPENDS_TARGET (which defaults to
install).The lib part is an argument given
to ldconfig -r | grep -wF. There shall be no
regular expressions in this variable.The dependency is checked twice, once from within the
extract target and then from within the
install target. Also, the name of the
dependency is put into the package so that
pkg_add will automatically install it if it is
not on the user's system.RUN_DEPENDSThis variable specifies executables or files this port depends
on during run-time. It is a list of
path:dir:target
tuples where path is the name of the
executable or file, dir is the
directory in which to find it in case it is not available, and
target is the target to call in that
directory. If path starts with a slash
(/), it is treated as a file and its existence
is tested with test -e; otherwise, it is
assumed to be an executable, and which -s is
used to determine if the program exists in the user's search
path.For example,
RUN_DEPENDS= ${PREFIX}/etc/innd:${PORTSDIR}/news/inn \
wish8.0:${PORTSDIR}/x11-toolkits/tk80will check if the file or directory
/usr/local/etc/innd exists, and build and
install it from the news/inn subdirectory of
the ports tree if it is not found. It will also see if an
executable called wish8.0 is in your search
path, and descend into the x11-toolkits/tk80
subdirectory of your ports tree to build and install it if it is
not found.In this case, innd is actually an
executable; if an executable is in a place that is not expected
to be in a normal user's search path, you should use the full
pathname.The dependency is checked from within the
install target. Also, the name of the
dependency is put in to the package so that
pkg_add will automatically install it if it is
not on the user's system. The target
part can be omitted if it is the same as
DEPENDS_TARGET.BUILD_DEPENDSThis variable specifies executables or files this port
requires to build. Like RUN_DEPENDS, it is a
list of
path:dir:target
tuples. For example, BUILD_DEPENDS=
unzip:${PORTSDIR}/archivers/unzip will check
for an executable called unzip, and descend
into the archivers/unzip subdirectory of your
ports tree to build and install it if it is not found.“build” here means everything from extraction to
compilation. The dependency is checked from within the
extract target. The
target part can be omitted if it is
the same as DEPENDS_TARGETFETCH_DEPENDSThis variable specifies executables or files this port
requires to fetch. Like the previous two, it is a list of
path:dir:target
tuples. For example, FETCH_DEPENDS=
ncftp2:${PORTSDIR}/net/ncftp2 will check for an
executable called ncftp2, and descend into the
net/ncftp2 subdirectory of your ports tree to
build and install it if it is not found.The dependency is checked from within the
fetch target. The
target part can be omitted if it is the
same as DEPENDS_TARGET.DEPENDSIf there is a dependency that does not fall into either of the
above four categories, or your port requires having the source of
the other port extracted in addition to having it installed,
then use this variable. This is a list of
dir:target,
as there is nothing to check, unlike the previous four. The
target part can be omitted if it is the
same as DEPENDS_TARGET.Common dependency variablesDefine USE_XLIB=yes if your port requires
the X Window System to be installed (it is implied by
USE_IMAKE). Define
USE_GMAKE=yes if your port requires GNU
make instead of BSD make.
Define USE_AUTOCONF=yes if your port requires
GNU autoconf to be run. Define USE_QT=yes if
your port uses the latest qt toolkit. Use
USE_PERL5=yes if your port requires version 5
of the perl language. (The last is especially important since
some versions of FreeBSD have perl5 as part of the base system
while others do not.)Notes on dependenciesAs mentioned above, the default target to call when a
dependency is required is DEPENDS_TARGET.
It defaults to install. This is a user
variable; it is never defined in a port's
Makefile. If your port needs a special way
to handle a dependency, use the :target part of
the *_DEPENDS variables instead of redefining
DEPENDS_TARGET.When you type make clean, its dependencies
are automatically cleaned too. If you do not wish this to happen,
define the variable NOCLEANDEPENDS in your
environment.To depend on another port unconditionally, it is customary to
use the string nonexistent as the first field
of BUILD_DEPENDS or
RUN_DEPENDS. Use this only when you need to
the to get to the source of the other port. You can often save
compilation time by specifying the target too. For
instance
BUILD_DEPENDS= /nonexistent:${PORTSDIR}/graphics/jpeg:extract
will always descend to the JPEG port and extract it.Do not use DEPENDS unless there is no other
way the behaviour you want can be accomplished. It will cause the
other port to always be built (and installed, by default), and the
dependency will go into the packages as well. If this is really
what you need, I recommend you write it as
BUILD_DEPENDS and
RUN_DEPENDS instead—at least the
intention will be clear.Building mechanismsIf your package uses GNU make, set
USE_GMAKE=yes. If your package uses
configure, set
HAS_CONFIGURE=yes. If your package uses GNU
configure, set
GNU_CONFIGURE=yes (this implies
HAS_CONFIGURE). If you want to give some extra
arguments to configure (the default argument list
--prefix=${PREFIX} for GNU
configure and empty for non-GNU
configure), set those extra arguments in
CONFIGURE_ARGS. If your package uses GNU
autoconf, set
USE_AUTOCONF=yes. This implies
GNU_CONFIGURE, and will cause
autoconf to be run before
configure.If your package is an X application that creates
Makefiles from Imakefiles
using imake, then set
USE_IMAKE=yes. This will cause the configure
stage to automatically do an xmkmf -a. If the
flag is a problem for your port, set
XMKMF=xmkmf. If the port uses
imake but does not understand the
install.man target,
NO_INSTALL_MANPAGES=yes should be set. In
addition, the author of the original port should be shot. :->If your port's source Makefile has
something else than all as the main build
target, set ALL_TARGET accordingly. Same goes
for install and
INSTALL_TARGET.Special considerationsThere are some more things you have to take into account when you
create a port. This section explains the most common of those.Shared LibrariesIf your port installs one or more shared libraries, define a
INSTALLS_SHLIB make variable, which will instruct
a bsd.port.mk to run
${LDCONFIG} -m on the directory where the
new library is installed (usually
PREFIX/lib) during
post-install target to register it into the
shared library cache. This variable, when defined, will also
facilitate addition of an appropriate
@exec /sbin/ldconfig -m and
@unexec /sbin/ldconfig -R pair into your
pkg/PLIST file, so that a user who installed
the package can start using the shared library immediately and
deinstallation will not cause the system to still believe the
library is there.If you need, you can override default location where the new
library is installed by defining LDCONFIG_DIRS
make variable, which should contain a list of directories into which
shared libraries are to be installed. For example if your port
installs shared libraries into
PREFIX/lib/foo and
PREFIX/lib/bar directories
you could use the following in your
Makefile:
INSTALLS_SHLIB= yes
LDCONFIG_DIRS= %%PREFIX%%/lib/foo %%PREFIX%%/lib/barNote that content of LDCONFIG_DIRS is passed
through &man.sed.1; just like the rest of pkg/PLIST,
so PLIST_SUB substitutions also apply here. It is
recommended that you use %%PREFIX%% for
PREFIX, %%LOCALBASE%% for
LOCALBASE and %%X11BASE%% for
X11BASE.MASTERDIRIf your port needs to build slightly different versions of
packages by having a variable (for instance, resolution, or paper
size) take different values, create one subdirectory per package to
make it easier for users to see what to do, but try to share as many
files as possible between ports. Typically you only need a very short
Makefile in all but one of the directories if you
use variables cleverly. In the sole Makefiles,
you can use MASTERDIR to specify the directory
where the rest of the files are. Also, use a variable as part of
PKGNAMESUFFIX so
the packages will have different names.This will be best demonstrated by an example. This is part of
japanese/xdvi300/Makefile;
PORTNAME= xdvi
PORTVERSION= 17
PKGNAMEPREFIX= ja-
PKGNAMESUFFIX= ${RESOLUTION}
:
# default
RESOLUTION?= 300
.if ${RESOLUTION} != 118 && ${RESOLUTION} != 240 && \
${RESOLUTION} != 300 && ${RESOLUTION} != 400
@${ECHO} "Error: invalid value for RESOLUTION: \"${RESOLUTION}\""
@${ECHO} "Possible values are: 118, 240, 300 (default) and 400."
@${FALSE}
.endifjapanese/xdvi300 also has all the regular
patches, package files, etc. If you type make
there, it will take the default value for the resolution (300) and
build the port normally.As for other resolutions, this is the entirexdvi118/Makefile:
RESOLUTION= 118
MASTERDIR= ${.CURDIR}/../xdvi300
.include ${MASTERDIR}/Makefile(xdvi240/Makefile and
xdvi400/Makefile are similar). The
MASTERDIR definition tells
bsd.port.mk that the regular set of
subdirectories like PATCHDIR and
PKGDIR are to be found under
xdvi300. The RESOLUTION=118
line will override the RESOLUTION=300 line in
xdvi300/Makefile and the port will be built with
resolution set to 118.Shared library versionsPlease read our policy on
shared library versioning to understand what to do with
shared library versions in general. Do not blindly assume software
authors know what they are doing; many of them do not. It is very
important that these details are carefully considered, as we have
quite a unique situation where we are trying to have dozens of
potentially incompatible software pairs co-exist. Careless port
imports have caused great trouble regarding shared libraries in the
past (ever wondered why the port jpeg-6b has a
shared library version of 9?). If in doubt, send a message to the
&a.ports;. Most of the time, your job ends by determining the right
shared library version and making appropriate patches to implement
it.ManpagesThe MAN[1-9LN] variables will automatically add
any manpages to pkg/PLIST (this means you must
not list manpages in the
PLIST—see generating PLIST for more). It also
makes the install stage automatically compress or uncompress manpages
depending on the setting of NOMANCOMPRESS in
/etc/make.conf.If your port tries to install multiple names for manpages using
symlinks or hardlinks, you must use the MLINKS
variable to identify these. The link installed by your port will
be destroyed and recreated by bsd.port.mk
to make sure it points to the correct file. Any manpages
listed in MLINKS must not be listed in the
PLIST.To specify whether the manpages are compressed upon installation,
use the MANCOMPRESSED variable. This variable can
take three values, yes, no and
maybe. yes means manpages are
already installed compressed, no means they are
not, and maybe means the software already respects
the value of NOMANCOMPRESS so
bsd.port.mk does not have to do anything
special.MANCOMPRESSED is automatically set to
yes if USE_IMAKE is set and
NO_INSTALL_MANPAGES is not set, and to
no otherwise. You do not have to explicitly define
it unless the default is not suitable for your port.If your port anchors its man tree somewhere other than
PREFIX, you can use the
MANPREFIX to set it. Also, if only manpages in
certain sections go in a non-standard place, such as some Perl modules
ports, you can set individual man paths using
MANsectPREFIX (where
sect is one of 1-9,
L or N).If your manpages go to language-specific subdirectories, set the
name of the languages to MANLANG. The value of
this variable defaults to "" (i.e., English
only).Here is an example that puts it all together.
MAN1= foo.1
MAN3= bar.3
MAN4= baz.4
MLINKS= foo.1 alt-name.8
MANLANG= "" ja
MAN3PREFIX= ${PREFIX}/share/foobar
MANCOMPRESSED= yesThis states that six files are installed by this port;
${PREFIX}/man/man1/foo.1.gz
${PREFIX}/man/ja/man1/foo.1.gz
${PREFIX}/share/foobar/man/man3/bar.3.gz
${PREFIX}/share/foobar/man/ja/man3/bar.3.gz
${PREFIX}/man/man4/baz.4.gz
${PREFIX}/man/ja/man4/baz.4.gzAdditionally ${PREFIX}/man/man8/alt-name.8.gz
may or may not be installed by your port. Regardless, a
symlink will be made to join the foo(1) manpage and
alt-name(8) manpage.Ports that require MotifThere are many programs that require a Motif library (available
from several commercial vendors, while there is a free clone reported
to be able to run many applications in
x11-toolkits/lesstif) to compile. Since it is a
popular toolkit and their licenses usually permit redistribution of
statically linked binaries, we have made special provisions for
handling ports that require Motif in a way that we can easily compile
binaries linked either dynamically (for people who are compiling from
the port) or statically (for people who distribute packages).REQUIRES_MOTIFIf your port requires Motif, define this variable in the
Makefile. This will prevent people who do not own a copy of Motif
from even attempting to build it.MOTIFLIBThis variable will be set by bsd.port.mk to
be the appropriate reference to the Motif library. Please patch the
source to use this wherever the Motif library is referenced in the
Makefile or
Imakefile.There are two common cases:If the port refers to the Motif library as
-lXm in its Makefile or
Imakefile, simply substitute
${MOTIFLIB} for it.If the port uses XmClientLibs in its
Imakefile, change it to
${MOTIFLIB} ${XTOOLLIB}
${XLIB}.Note that MOTIFLIB (usually) expands to
-L/usr/X11R6/lib -lXm or
/usr/X11R6/lib/libXm.a, so there is no need to
add -L or -l in front.X11 fontsIf your port installs fonts for the X Window system, put them in
X11BASE/lib/X11/fonts/local.
This directory is new to XFree86 release 3.3.3. If it does not exist,
please create it, and print out a message urging the user to update
their XFree86 to 3.3.3 or newer, or at least add this directory to the
font path in /etc/XF86Config.Info filesThe new version of texinfo (included in 2.2.2-RELEASE and onwards)
contains a utility called install-info to add and
delete entries to the dir file. If your port
installs any info documents, please follow these instructions so your
port/package will correctly update the user's
PREFIX/info/dir file. (Sorry
for the length of this section, but is it imperative to weave all the
info files together. If done correctly, it will produce a
beautiful listing, so please bear with me!First, this is what you (as a porter) need to know&prompt.user; install-info --help
install-info [OPTION]... [INFO-FILE [DIR-FILE]]
Install INFO-FILE in the Info directory file DIR-FILE.
Options:
--delete Delete existing entries in INFO-FILE;
don't insert any new entries.
:
--entry=TEXT Insert TEXT as an Info directory entry.
:
--section=SEC Put this file's entries in section SEC of the directory. :This program will not actually install info
files; it merely inserts or deletes entries in the
dir file.Here's a seven-step procedure to convert ports to use
install-info. I will use
editors/emacs as an example.Look at the texinfo sources and make a patch to insert
@dircategory and @direntry
statements to files that do not have them. This is part of my
patch:
--- ./man/vip.texi.org Fri Jun 16 15:31:11 1995
+++ ./man/vip.texi Tue May 20 01:28:33 1997
@@ -2,6 +2,10 @@
@setfilename ../info/vip
@settitle VIP
+@dircategory The Emacs editor and associated tools
+@direntry
+* VIP: (vip). A VI-emulation for Emacs.
+@end direntry
@iftex
@finalout
:The format should be self-explanatory. Many authors leave a
dir file in the source tree that contains all
the entries you need, so look around before you try to write your
own. Also, make sure you look into related ports and make the
section names and entry indentations consistent (we recommend that
all entry text start at the 4th tab stop).Note that you can put only one info entry per file because
of a bug in install-info --delete that
deletes only the first entry if you specify multiple entries in
the @direntry section.You can give the dir entries to
install-info as arguments
( and ) instead
of patching the texinfo sources. I do not think this is a good
idea for ports because you need to duplicate the same information
in three places
(Makefile and
@exec/@unexec of
PLIST; see below). However, if you have
Japanese (or other multibyte encoding) info files, you will have
to use the extra arguments to install-info
because makeinfo cannot handle those texinfo
sources. (See Makefile and
PLIST of japanese/skk
for examples on how to do this).Go back to the port directory and do a make clean;
make and verify that the info files are regenerated
from the texinfo sources. Since the texinfo sources are newer than
the info files, they should be rebuilt when you type
make; but many Makefiles
do not include correct dependencies for info files. In
emacs' case, I had to patch the main
Makefile.in so it will descend into the
man subdirectory to rebuild the info
pages.
--- ./Makefile.in.org Mon Aug 19 21:12:19 1996
+++ ./Makefile.in Tue Apr 15 00:15:28 1997
@@ -184,7 +184,7 @@
# Subdirectories to make recursively. `lisp' is not included
# because the compiled lisp files are part of the distribution
# and you cannot remake them without installing Emacs first.
-SUBDIR = lib-src src
+SUBDIR = lib-src src man
# The makefiles of the directories in $SUBDIR.
SUBDIR_MAKEFILES = lib-src/Makefile man/Makefile src/Makefile oldXMenu/Makefile
lwlib/Makefile
--- ./man/Makefile.in.org Thu Jun 27 15:27:19 1996
+++ ./man/Makefile.in Tue Apr 15 00:29:52 1997
@@ -66,6 +66,7 @@
${srcdir}/gnu1.texi \
${srcdir}/glossary.texi
+all: info
info: $(INFO_TARGETS)
dvi: $(DVI_TARGETS)The second hunk was necessary because the default target in
the man subdir is called
info, while the main
Makefile wants to call
all. I also deleted the installation of
the info info file because we already have
one with the same name in /usr/share/info
(that patch is not shown here).If there is a place in the Makefile that
is installing the dir file, delete it. Your
port may not be doing it. Also, remove any commands that are
otherwise mucking around with the dir
file.
--- ./Makefile.in.org Mon Aug 19 21:12:19 1996
+++ ./Makefile.in Mon Apr 14 23:38:07 1997
@@ -368,14 +368,8 @@
if [ `(cd ${srcdir}/info && /bin/pwd)` != `(cd ${infodir} && /bin/pwd)` ]; \
then \
(cd ${infodir}; \
- if [ -f dir ]; then \
- if [ ! -f dir.old ]; then mv -f dir dir.old; \
- else mv -f dir dir.bak; fi; \
- fi; \
cd ${srcdir}/info ; \
- (cd $${thisdir}; ${INSTALL_DATA} ${srcdir}/info/dir ${infodir}/dir);
\
- (cd $${thisdir}; chmod a+r ${infodir}/dir); \
for f in ccmode* cl* dired-x* ediff* emacs* forms* gnus* info* message* mh-e* sc* vip*; do \
(cd $${thisdir}; \
${INSTALL_DATA} ${srcdir}/info/$$f ${infodir}/$$f; \
chmod a+r ${infodir}/$$f); \(This step is only necessary if you are modifying an existing
port.) Take a look at pkg/PLIST and delete
anything that is trying to patch up info/dir.
They may be in pkg/INSTALL or some other
file, so search extensively.
Index: pkg/PLIST
===================================================================
RCS file: /usr/cvs/ports/editors/emacs/pkg/PLIST,v
retrieving revision 1.15
diff -u -r1.15 PLIST
--- PLIST 1997/03/04 08:04:00 1.15
+++ PLIST 1997/04/15 06:32:12
@@ -15,9 +15,6 @@
man/man1/emacs.1.gz
man/man1/etags.1.gz
man/man1/ctags.1.gz
-@unexec cp %D/info/dir %D/info/dir.bak
-info/dir
-@unexec cp %D/info/dir.bak %D/info/dir
info/cl
info/cl-1
info/cl-2Add a post-install target to the
Makefile to call
install-info with the installed
info files. (It is no longer necessary to create the
dir file yourself;
install-info automatically creates this
file if it does not exist.)
Index: Makefile
===================================================================
RCS file: /usr/cvs/ports/editors/emacs/Makefile,v
retrieving revision 1.26
diff -u -r1.26 Makefile
--- Makefile 1996/11/19 13:14:40 1.26
+++ Makefile 1997/05/20 10:25:09 1.28
@@ -20,5 +20,8 @@
post-install:
.for file in emacs-19.34 emacsclient etags ctags b2m
strip ${PREFIX}/bin/${file}
.endfor
+.for info in emacs vip viper forms gnus mh-e cl sc dired-x ediff ccmode
+ install-info ${PREFIX}/info/${info} ${PREFIX}/info/dir
+.endfor
.include <bsd.port.mk>Edit PLIST and add equivalent
@exec statements and also
@unexec for
pkg_delete.
Index: pkg/PLIST
===================================================================
RCS file: /usr/cvs/ports/editors/emacs/pkg/PLIST,v
retrieving revision 1.15
diff -u -r1.15 PLIST
--- PLIST 1997/03/04 08:04:00 1.15
+++ PLIST 1997/05/20 10:25:12 1.17
@@ -16,7 +14,14 @@
man/man1/etags.1.gz
man/man1/ctags.1.gz
+@unexec install-info --delete %D/info/emacs %D/info/dir
:
+@unexec install-info --delete %D/info/ccmode %D/info/dir
info/cl
info/cl-1
@@ -87,6 +94,18 @@
info/viper-3
info/viper-4
+@exec install-info %D/info/emacs %D/info/dir
:
+@exec install-info %D/info/ccmode %D/info/dir
libexec/emacs/19.34/i386--freebsd/cvtmail
libexec/emacs/19.34/i386--freebsd/digest-docThe @unexec install-info --delete
commands have to be listed before the info files themselves so
they can read the files. Also, the @exec
install-info commands have to be after the info
files and the @exec command that creates the
the dir file.Test and admire your
work. :-). Check the
dir file before and after each step.The pkg/ subdirectoryThere are some tricks we have not mentioned yet about the
pkg/ subdirectory that come in handy
sometimes.MESSAGEIf you need to display a message to the installer, you may place
the message in pkg/MESSAGE. This capability is
often useful to display additional installation steps to be taken
after a pkg_add or to display licensing
information.The pkg/MESSAGE file does not need to be
added to pkg/PLIST. Also, it will not get
automatically printed if the user is using the port, not the
package, so you should probably display it from the
post-install target yourself.INSTALLIf your port needs to execute commands when the binary package
is installed with pkg_add you can do this via the
pkg/INSTALL script. This script will
automatically be added to the package, and will be run twice by
pkg_add. The first time will as INSTALL
${PKGNAME} PRE-INSTALL and the second time as
INSTALL ${PKGNAME} POST-INSTALL.
$2 can be tested to determine which mode
the script is being run in. The PKG_PREFIX
environmental variable will be set to the package installation
directory. See &man.pkg.add.1; for
additional information.This script is not run automatically if you install the port
with make install. If you are depending on it
being run, you will have to explicitly call it from your port's
Makefile.REQIf your port needs to determine if it should install or not, you
can create a pkg/REQ “requirements”
script. It will be invoked automatically at
installation/deinstallation time to determine whether or not
installation/deinstallation should proceed.Changing PLIST based on make
variablesSome ports, particularly the p5- ports, need to change their
PLIST depending on what options they are
configured with (or version of perl, in the case of p5- ports). To
make this easy, any instances in the PLIST of
%%OSREL%%, %%PERL_VER%%, and
%%PERL_VERSION%% will be substituted for
appropriately. The value of %%OSREL%% is the
numeric revision of the operating system (e.g.,
2.2.7). %%PERL_VERSION%% is
the full version number of perl (e.g., 5.00502)
and %%PERL_VER%% is the perl version number minus
the patchlevel (e.g., 5.005).If you need to make other substitutions, you can set the
PLIST_SUB variable with a list of
VAR=VALUE
pairs and instances of
%%VAR%%' will be
substituted with VALUE in the
PLIST.For instance, if you have a port that installs many files in a
version-specific subdirectory, you can put something like
OCTAVE_VERSION= 2.0.13
PLIST_SUB= OCTAVE_VERSION=${OCTAVE_VERSION}
in the Makefile and use
%%OCTAVE_VERSION%% wherever the version shows up
in PLIST. That way, when you upgrade the port,
you will not have to change dozens (or in some cases, hundreds) of
lines in the PLIST.This substitution (as well as addition of any man pages) will be done between
the do-install and
post-install targets, by reading from
PLIST and writing to TMPPLIST
(default:
WRKDIR/.PLIST.mktmp). So if
your port builds PLIST on the fly, do so in or
before do-install. Also, if your port
needs to edit the resulting file, do so in
post-install to a file named
TMPPLIST.Changing the names of files in the
pkg subdirectoryAll the filenames in the pkg subdirectory
are defined using variables so you can change them in your
Makefile if need be. This is especially useful
when you are sharing the same pkg subdirectory
among several ports or have to write to one of the above files (see
writing to places other than
WRKDIR for why it is a bad idea to write
directly in to the pkg subdirectory).Here is a list of variable names and their default
values.VariableDefault valueCOMMENT${PKGDIR}/COMMENTDESCR${PKGDIR}/DESCRPLIST${PKGDIR}/PLISTPKGINSTALL${PKGDIR}/INSTALLPKGDEINSTALL${PKGDIR}/DEINSTALLPKGREQ${PKGDIR}/REQPKGMESSAGE${PKGDIR}/MESSAGEPlease change these variables rather than overriding
PKG_ARGS. If you change
PKG_ARGS, those files will not correctly be
installed in /var/db/pkg upon install from a
port.Licensing ProblemsSome software packages have restrictive licenses or can be in
- violation of the law (PKP's patent on public key crypto, ITAR (export
- of crypto software) to name just two of them). What we can do with
+ violation of the law in some countries (such as violating a patent).
+ What we can do with
them varies a lot, depending on the exact wordings of the respective
licenses.It is your responsibility as a porter to read the licensing
terms of the software and make sure that the FreeBSD project will
not be held accountable for violating them by redistributing the
source or compiled binaries either via ftp or CD-ROM. If in doubt,
please contact the &a.ports;.There are two variables you can set in the Makefile to handle the
situations that arise frequently:If the port has a “do not sell for profit” type of
license, set the variable NO_CDROM to a string
describing the reason why. We will make sure such ports will not go
into the CD-ROM come release time. The distfile and package will
still be available via ftp.If the resulting package needs to be built uniquely for each
site, or the resulting binary package cannot be distributed due to
licensing; set the variable NO_PACKAGE to a
string describing the reason why. We will make sure such packages
will not go on the ftp site, nor into the CD-ROM come release time.
The distfile will still be included on both however.If the port has legal restrictions on who can use it (e.g.,
- crypto stuff) or has a “no commercial use” license,
+ patented stuff) or has a “no commercial use” license,
set the variable RESTRICTED to be the string
describing the reason why. For such ports, the distfiles/packages
will not be available even from our ftp sites.The GNU General Public License (GPL), both version 1 and 2,
should not be a problem for ports.If you are a committer, make sure you update the
ports/LEGAL file too.UpgradingWhen you notice that a port is out of date compared to the latest
version from the original authors, first make sure you have the latest
port. You can find them in the
ports/ports-current directory of the ftp mirror
sites. You may also use CVSup to keep your whole ports collection
up-to-date, as described in the Handbook.The next step is to send a mail to the maintainer, if one is
listed in the port's Makefile. That person may
already be working on an upgrade, or have a reason to not upgrade the
port right now (because of, for example, stability problems of the new
version).If the maintainer asks you to do the upgrade or there is not any
such person to begin with, please make the upgrade and send the
recursive diff (either unified or context diff is fine, but port
committers appear to prefer unified diff more) of the new and old
ports directories to us (e.g., if your modified port directory is
called superedit and the original as in our tree
is superedit.bak, then send us the result of
diff -ruN superedit.bak superedit). Please examine
the output to make sure all the changes make sense. The best way to
send us the diff is by including it via &man.send-pr.1; (category
ports). Please mention any added or deleted files
in the message, as they have to be explicitly specified to CVS when
doing a commit. If the diff is more than about 20KB, please compress
and uuencode it; otherwise, just include it in the PR as is.Once again, please use &man.diff.1; and not &man.shar.1; to send
updates to existing ports!Dos and Don'tsHere is a list of common dos and don'ts that you encounter during
the porting process.You should check your own port against this list,
but you can also check ports in the PR database that others have
submitted. Submit any comments on ports you check as described in
Bug Reports and General
Commentary. Checking ports in the PR database will both make
it faster for us to commit them, and prove that you know what you are
doing.Strip BinariesDo strip binaries. If the original source already strips the
binaries, fine; otherwise you should add a
post-install rule to to it yourself. Here is an
example:
post-install:
strip ${PREFIX}/bin/xdlUse the &man.file.1; command on the installed executable to
check whether the binary is stripped or not. If it does not say
not stripped, it is stripped.INSTALL_* macrosDo use the macros provided in bsd.port.mk
to ensure correct modes and ownership of files in your own
*-install targets.INSTALL_PROGRAM is a command to install
binary executables.INSTALL_SCRIPT is a command to install
executable scripts.INSTALL_DATA is a command to install
sharable data.INSTALL_MAN is a command to install
manpages and other documentation (it does not compress
anything).These are basically the install command with
all the appropriate flags. See below for an example on how to use
them.WRKDIRDo not write anything to files outside
WRKDIR. WRKDIR is the only
place that is guaranteed to be writable during the port build (see
compiling ports from CDROM for an
example of building ports from a read-only tree). If you need to
modify some file in PKGDIR, do so by redefining a variable, not by
writing over it.WRKDIRPREFIXMake sure your port honors WRKDIRPREFIX.
Most ports do not have to worry about this. In particular, if you
are referring to a WRKDIR of another port, note
that the correct location is
WRKDIRPREFIXPORTSDIR/subdir/name/work not PORTSDIR/subdir/name/work or .CURDIR/../../subdir/name/work or some such.Also, if you are defining WRKDIR yourself,
make sure you prepend
${WRKDIRPREFIX}${.CURDIR} in the
front.Differentiating operating systems and OS versionsYou may come across code that needs modifications or conditional
compilation based upon what version of UNIX it is running under. If
you need to make such changes to the code for conditional
compilation, make sure you make the changes as general as possible
so that we can back-port code to FreeBSD 1.x systems and cross-port
to other BSD systems such as 4.4BSD from CSRG, BSD/386, 386BSD,
NetBSD, and OpenBSD.The preferred way to tell 4.3BSD/Reno (1990) and newer versions
of the BSD code apart is by using the BSD macro
defined in <sys/param.h>. Hopefully that
file is already included; if not, add the code:
#if (defined(__unix__) || defined(unix)) && !defined(USG)
#include <sys/param.h>
#endifto the proper place in the .c file. We
believe that every system that defines these two symbols has
sys/param.h. If you find a system that
does not, we would like to know. Please send mail to the
&a.ports;.Another way is to use the GNU Autoconf style of doing
this:
#ifdef HAVE_SYS_PARAM_H
#include <sys/param.h>
#endifDo not forget to add -DHAVE_SYS_PARAM_H to the
CFLAGS in the Makefile for
this method.Once you have sys/param.h included, you may
use:
#if (defined(BSD) && (BSD >= 199103))to detect if the code is being compiled on a 4.3 Net2 code base
or newer (e.g. FreeBSD 1.x, 4.3/Reno, NetBSD 0.9, 386BSD, BSD/386
1.1 and below).Use:
#if (defined(BSD) && (BSD >= 199306))to detect if the code is being compiled on a 4.4 code base or
newer (e.g. FreeBSD 2.x, 4.4, NetBSD 1.0, BSD/386 2.0 or
above).The value of the BSD macro is
199506 for the 4.4BSD-Lite2 code base. This is
stated for informational purposes only. It should not be used to
distinguish between versions of FreeBSD based only on 4.4-Lite vs.
versions that have merged in changes from 4.4-Lite2. The
__FreeBSD__ macro should be used instead.Use sparingly:__FreeBSD__ is defined in all versions of
FreeBSD. Use it if the change you are making
only affects FreeBSD. Porting gotchas like
the use of sys_errlist[] vs
strerror() are Berkeleyisms, not FreeBSD
changes.In FreeBSD 2.x, __FreeBSD__ is defined to
be 2. In earlier versions, it is
1. Later versions will bump it to match
their major version number.If you need to tell the difference between a FreeBSD 1.x
system and a FreeBSD 2.x or 3.x system, usually the right answer
is to use the BSD macros described above. If
there actually is a FreeBSD specific change (such as special
shared library options when using ld) then it
is OK to use __FreeBSD__ and #if
__FreeBSD__ > 1 to detect a FreeBSD 2.x and later
system. If you need more granularity in detecting FreeBSD
systems since 2.0-RELEASE you can use the following:
#if __FreeBSD__ >= 2
#include <osreldate.h>
# if __FreeBSD_version >= 199504
/* 2.0.5+ release specific code here */
# endif
#endifRelease__FreeBSD_version2.0-RELEASE1194112.1-CURRENT199501, 1995032.0.5-RELEASE1995042.2-CURRENT before 2.11995082.1.0-RELEASE1995112.2-CURRENT before 2.1.51995122.1.5-RELEASE1996072.2-CURRENT before 2.1.61996082.1.6-RELEASE1996122.1.7-RELEASE1996122.2-RELEASE2200002.2.1-RELEASE220000 (no change)2.2-STABLE after 2.2.1-RELEASE220000 (no change)2.2-STABLE after texinfo-3.92210012.2-STABLE after top2210022.2.2-RELEASE2220002.2-STABLE after 2.2.2-RELEASE2220012.2.5-RELEASE2250002.2-STABLE after 2.2.5-RELEASE2250012.2-STABLE after ldconfig -R merge2250022.2.6-RELEASE2260002.2.7-RELEASE2270002.2-STABLE after 2.2.7-RELEASE2270012.2-STABLE after semctl(2) change2270022.2.8-RELEASE2280002.2-STABLE after 2.2.8-RELEASE2280013.0-CURRENT before mount(2) change3000003.0-CURRENT after mount(2) change3000013.0-CURRENT after semctl(2) change3000023.0-CURRENT after ioctl arg changes3000033.0-CURRENT after ELF conversion3000043.0-RELEASE3000053.0-CURRENT after 3.0-RELEASE3000063.0-STABLE after 3/4 branch3000073.1-RELEASE3100003.1-STABLE after 3.1-RELEASE3100013.1-STABLE after C++ constructor/destructor order
change3100023.2-RELEASE3200003.2-STABLE3200013.2-STABLE after binary-incompatible IPFW and
socket changes3200023.3-RELEASE3300003.3-STABLE3300013.3-STABLE after adding mkstemps() to libc3300023.4-RELEASE3400003.4-STABLE3400014.0-CURRENT after 3.4 branch4000004.0-CURRENT after change in dynamic linker
handling4000014.0-CURRENT after C++ constructor/destructor
order change4000024.0-CURRENT after functioning dladdr(3)4000034.0-CURRENT after __deregister_frame_info dynamic
linker bug fix (also 4.0-CURRENT after EGCS 1.1.2
integration)
4000044.0-CURRENT after suser(9) API change
(also 4.0-CURRENT after newbus)4000054.0-CURRENT after cdevsw registration change4000064.0-CURRENT after the addition of so_cred for
socket level credentials4000074.0-CURRENT after the addition of a poll syscall
wrapper to libc_r4000084.0-CURRENT after the change of the kernel's
dev_t type to struct
specinfo pointer4000094.0-CURRENT after fixing a hole in jail(2)4000104.0-CURRENT after the sigset_t
datatype change4000114.0-CURRENT after the cutover to the GCC 2.95.2
compiler4000124.0-CURRENT after adding pluggable linux-mode
ioctl handlers4000134.0-CURRENT after importing OpenSSL4000144.0-CURRENT after the C++ ABI change in GCC 2.95.2
from -fvtable-thunks to -fno-vtable-thunks by
default4000154.0-CURRENT after importing OpenSSH4000164.0-RELEASE4000174.0-STABLE after 4.0-RELEASE4000184.0-STABLE after merging libxpg4 code into
libc.4000204.0-STABLE after upgrading Binutils to 2.10.0, ELF
branding changes, and tcsh in the base system.4000214.1-RELEASE4100004.1-STABLE after 4.1-RELEASE4100014.1-STABLE after setproctitle() moved from
libutil to libc.4100024.1.1-RELEASE4110004.1.1-STABLE after 4.1.1-RELEASE4110015.0-CURRENT5000005.0-CURRENT after adding addition ELF header fields,
and changing our ELF binary branding method.5000015.0-CURRENT after kld metadata changes.5000025.0-CURRENT after buf/bio changes.5000035.0-CURRENT after binutils upgrade.5000045.0-CURRENT after merging libxpg4 code into
libc and after TASKQ interface introduction.5000055.0-CURRENT after the addition of AGP
interfaces.5000065.0-CURRENT after Perl upgrade to 5.6.05000075.0-CURRENT after the update of KAME code to
2000/07 sources.5000085.0-CURRENT after ether_ifattach() and
ether_ifdetach() changes.5000095.0-CURRENT after changing mtree defaults
back to original variant, adding -L to follow
symlinks.5000105.0-CURRENT after kqueue API changed.5000115.0-CURRENT after setproctitle() moved from
libutil to libc.5000125.0-CURRENT after the first SMPng commit.500013Note that 2.2-STABLE sometimes identifies itself as
“2.2.5-STABLE” after the 2.2.5-RELEASE. The pattern
used to be year followed by the month, but we decided to change it
to a more straightforward major/minor system starting from 2.2.
This is because the parallel development on several branches made
it infeasible to classify the releases simply by their real
release dates. If you are making a port now, you do not have to
worry about old -CURRENTs; they are listed here just for your
reference.In the hundreds of ports that have been done, there have only
been one or two cases where __FreeBSD__ should
have been used. Just because an earlier port screwed up and used it
in the wrong place does not mean you should do so too.Writing something after
bsd.port.mkDo not write anything after the .include
<bsd.port.mk> line. It usually can be avoided by
including bsd.port.pre.mk somewhere in the
middle of your Makefile and
bsd.port.post.mk at the end.You need to include either the
pre.mk/post.mk pair or
bsd.port.mk only; do not mix these two.bsd.port.pre.mk only defines a few
variables, which can be used in tests in the
Makefile, bsd.port.post.mk
defines the rest.Here are some important variables defined in
bsd.port.pre.mk (this is not the complete list,
please read bsd.port.mk for the complete
list).VariableDescriptionARCHThe architecture as returned by uname
-m (e.g., i386)OPSYSThe operating system type, as returned by
uname -s (e.g.,
FreeBSD)OSRELThe release version of the operating system (e.g.,
2.1.5 or
2.2.7)OSVERSIONThe numeric version of the operating system, same as
__FreeBSD_version.PORTOBJFORMATThe object format of the system
(aout or elf)LOCALBASEThe base of the “local” tree (e.g.,
/usr/local/)X11BASEThe base of the “X11” tree (e.g.,
/usr/X11R6)PREFIXWhere the port installs itself (see more on
PREFIX).If you have to define the variables
USE_IMAKE, USE_X_PREFIX, or
MASTERDIR, do so before including
bsd.port.pre.mk.Here are some examples of things you can write after
bsd.port.pre.mk:
# no need to compile lang/perl5 if perl5 is already in system
.if ${OSVERSION} > 300003
BROKEN= perl is in system
.endif
# only one shlib version number for ELF
.if ${PORTOBJFORMAT} == "elf"
TCL_LIB_FILE= ${TCL_LIB}.${SHLIB_MAJOR}
.else
TCL_LIB_FILE= ${TCL_LIB}.${SHLIB_MAJOR}.${SHLIB_MINOR}
.endif
# software already makes link for ELF, but not for a.out
post-install:
.if ${PORTOBJFORMAT} == "aout"
${LN} -sf liblinpack.so.1.0 ${PREFIX}/lib/liblinpack.so
.endifInstall additional documentationIf your software has some documentation other than the standard
man and info pages that you think is useful for the user, install it
under PREFIX/share/doc.
This can be done, like the previous item, in the
post-install target.Create a new directory for your port. The directory name should
reflect what the port is. This usually means
PORTNAME. However, if you
think the user might want different versions of the port to be
installed at the same time, you can use the whole
PKGNAME.Make the installation dependent to the variable
NOPORTDOCS so that users can disable it in
/etc/make.conf, like this:
post-install:
.if !defined(NOPORTDOCS)
${MKDIR} ${PREFIX}/share/doc/xv
${INSTALL_MAN} ${WRKSRC}/docs/xvdocs.ps ${PREFIX}/share/doc/xv
.endifDo not forget to add them to pkg/PLIST too!
(Do not worry about NOPORTDOCS here; there is
currently no way for the packages to read variables from
/etc/make.conf.)You can also use the pkg/MESSAGE file to
display messages upon installation. See the using
pkg/MESSAGE section for
details.MESSAGE does not need to be added to
pkg/PLIST.DIST_SUBDIRDo not let your port clutter
/usr/ports/distfiles. If your port requires a
lot of files to be fetched, or contains a file that has a name that
might conflict with other ports (e.g.,
Makefile), set DIST_SUBDIR
to the name of the port (${PORTNAME} or
${PKGNAMEPREFIX}${PORTNAME}
should work fine). This will change
DISTDIR from the default
/usr/ports/distfiles to
/usr/ports/distfiles/DIST_SUBDIR,
and in effect puts everything that is required for your port into
that subdirectory.It will also look at the subdirectory with the same name on the
backup master site at ftp.FreeBSD.org.
(Setting DISTDIR explicitly in your
Makefile will not accomplish this, so please use
DIST_SUBDIR.)This does not affect the MASTER_SITES you
define in your Makefile.Package informationDo include package information, i.e.
COMMENT, DESCR, and
PLIST, in pkg.Note that these files are not used only for packaging anymore,
and are mandatory now, even if
NO_PACKAGE is set.RCS stringsDo not put RCS strings in patches. CVS will mangle them when we
put the files into the ports tree, and when we check them out again,
they will come out different and the patch will fail. RCS strings
are surrounded by dollar ($) signs, and
typically start with $Id or
$RCS.Recursive diffUsing the recurse () option to
diff to generate patches is fine, but please take
a look at the resulting patches to make sure you do not have any
unnecessary junk in there. In particular, diffs between two backup
files, Makefiles when the port uses
Imake or GNU configure, etc.,
are unnecessary and should be deleted. If you had to edit
configure.in and run
autoconf to regenerate
configure, do not take the diffs of
configure (it often grows to a few thousand
lines!); define USE_AUTOCONF=yes and take the
diffs of configure.in.Also, if you had to delete a file, then you can do it in the
post-extract target rather than as part of
the patch. Once you are happy with the resulting diff, please split
it up into one source file per patch file.PREFIXDo try to make your port install relative to
PREFIX. (The value of this variable will be set
to LOCALBASE (default
/usr/local), unless
USE_X_PREFIX or USE_IMAKE is
set, in which case it will be X11BASE (default
/usr/X11R6).)Not hard-coding /usr/local or
/usr/X11R6 anywhere in the source will make the
port much more flexible and able to cater to the needs of other
sites. For X ports that use imake, this is
automatic; otherwise, this can often be done by simply replacing the
occurrences of /usr/local (or
/usr/X11R6 for X ports that do not use imake)
in the various scripts/Makefiles in the port to read
PREFIX, as this variable is automatically passed
down to every stage of the build and install processes.Do not set USE_X_PREFIX unless your port
truly requires it (i.e., it links against X libs or it needs to
reference files in X11BASE).The variable PREFIX can be reassigned in your
Makefile or in the user's environment.
However, it is strongly discouraged for individual ports to set this
variable explicitly in the Makefiles.Also, refer to programs/files from other ports with the
variables mentioned above, not explicit pathnames. For instance, if
your port requires a macro PAGER to be the full
pathname of less, use the compiler flag:
-DPAGER=\"${PREFIX}/bin/less\"
or
-DPAGER=\"${LOCALBASE}/bin/less\"
if this is an X port, instead of
-DPAGER=\"/usr/local/bin/less\". This way it will
have a better chance of working if the system administrator has
moved the whole `/usr/local' tree somewhere else.SubdirectoriesTry to let the port put things in the right subdirectories of
PREFIX. Some ports lump everything and put it in
the subdirectory with the port's name, which is incorrect. Also,
many ports put everything except binaries, header files and manual
pages in the a subdirectory of lib, which does
not bode well with the BSD paradigm. Many of the files should be
moved to one of the following: etc
(setup/configuration files), libexec
(executables started internally), sbin
(executables for superusers/managers), info
(documentation for info browser) or share
(architecture independent files). See man &man.hier.7; for details,
the rules governing
/usr pretty much apply to
/usr/local too. The exception are ports
dealing with USENET “news”. They may use
PREFIX/news as a destination
for their files.Cleaning up empty directoriesDo make your ports clean up after themselves when they are
deinstalled. This is usually accomplished by adding
@dirrm lines for all directories that are
specifically created by the port. You need to delete subdirectories
before you can delete parent directories.
:
lib/X11/oneko/pixmaps/cat.xpm
lib/X11/oneko/sounds/cat.au
:
@dirrm lib/X11/oneko/pixmaps
@dirrm lib/X11/oneko/sounds
@dirrm lib/X11/onekoHowever, sometimes @dirrm will give you
errors because other ports also share the same subdirectory. You
can call rmdir from @unexec to
remove only empty directories without warning.
@unexec rmdir %D/share/doc/gimp 2>/dev/null || trueThis will neither print any error messages nor cause
pkg_delete to exit abnormally even if
PREFIX/share/doc/gimp is not
empty due to other ports installing some files in there.UIDsIf your port requires a certain user to be on the installed
system, let the pkg/INSTALL script call
pw to create it automatically. Look at
net/cvsup-mirror for an example.If your port must use the same user/group ID number when it is
installed as a binary package as when it was compiled, then you must
choose a free UID from 50 to 99 and register it below. Look at
japanese/Wnn for an example.Make sure you do not use a UID already used by the system or
other ports. This is the current list of UIDs between 50 and
99.
majordom:*:54:54:Majordomo Pseudo User:/usr/local/majordomo:/nonexistent
cyrus:*:60:60:the cyrus mail server:/nonexistent:/nonexistent
gnats:*:61:1:GNATS database owner:/usr/local/share/gnats/gnats-db:/bin/sh
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
xten:*:67:67:X-10 daemon:/usr/local/xten:/nonexistent
pop:*:68:6:Post Office Owner (popper):/nonexistent:/nonexistent
wnn:*:69:7:Wnn:/nonexistent:/nonexistent
ifmail:*:70:66:Ifmail user:/nonexistent:/nonexistent
pgsql:*:70:70:PostgreSQL pseudo-user:/usr/local/pgsql:/bin/sh
ircd:*:72:72:IRCd hybrid:/nonexistent:/nonexistent
alias:*:81:81:QMail user:/var/qmail/alias:/nonexistent
qmaill:*:83:81:QMail user:/var/qmail:/nonexistent
qmaild:*:82:81:QMail user:/var/qmail:/nonexistent
qmailq:*:85:82:QMail user:/var/qmail:/nonexistent
qmails:*:87:82:QMail user:/var/qmail:/nonexistent
qmailp:*:84:81:QMail user:/var/qmail:/nonexistent
qmailr:*:86:82:QMail user:/var/qmail:/nonexistent
msql:*:87:87:mSQL-2 pseudo-user:/var/db/msqldb:/bin/sh
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/sbin/nologin
vpopmail:*:89:89::0:0:User &:/usr/local/vpopmail:/nonexistentPlease include a notice when you submit a port (or an upgrade)
that reserves a new UID or GID in this range. This allows us to
keep the list of reserved IDs up to date.Do things rationallyThe Makefile should do things simply and
reasonably. If you can make it a couple of lines shorter or more
readable, then do so. Examples include using a make
.if construct instead of a shell
if construct, not redefining
do-extract if you can redefine
EXTRACT* instead, and using
GNU_CONFIGURE instead of CONFIGURE_ARGS
+= --prefix=${PREFIX}.Respect CFLAGSThe port should respect the CFLAGS variable.
If it does not, please add NO_PACKAGE=ignores
cflags to the Makefile.An example of a Makefile respecting
the CFLAGS variable follows. Note the
+=:CFLAGS += -Wall -WerrorHere is an example which does not respect the
CFLAGS variable:CFLAGS = -Wall -WerrorThe CFLAGS variable is defined on
FreeBSD systems in /etc/make.conf. The
first example appends additional flags to the
CFLAGS variable, preserving any system-wide
definitions. The second example clobbers anything previously
defined.Configuration filesIf your port requires some configuration files in
PREFIX/etc, do
not just install them and list them in
pkg/PLIST. That will cause
pkg_delete to delete files carefully edited by
the user and a new installation to wipe them out.Instead, install sample files with a suffix
(filename.sample
will work well) and print out a message pointing out that the
user has to copy and edit the file before the software can be made
to work.PortlintDo check your work with portlint
before you submit or commit it.FeedbackDo send applicable changes/patches to the original
author/maintainer for inclusion in next release of the code. This
will only make your job that much easier for the next
release.README.htmlDo not include the README.html file. This
file is not part of the cvs collection but is generated using the
make readme command.
MiscellaneaThe files pkg/DESCR,
pkg/COMMENT, and pkg/PLIST
should each be double-checked. If you are reviewing a port and feel
they can be worded better, do so.Do not copy more copies of the GNU General Public License into
our system, please.Please be careful to note any legal issues! Do not let us
illegally distribute software!If you are stuck…Do look at existing examples and the
bsd.port.mk file before asking us questions!
;-)Do ask us questions if you have any trouble! Do not just beat
your head against a wall! :-)A Sample MakefileHere is a sample Makefile that you can use to
create a new port. Make sure you remove all the extra comments (ones
between brackets)!It is recommended that you follow this format (ordering of
variables, empty lines between sections, etc.). This format is
designed so that the most important information is easy to locate. We
recommend that you use portlint to check the
Makefile.
[the header...just to make it easier for us to identify the ports.]
# New ports collection makefile for: xdvi
[the "version required" line is only needed when the PORTVERSION
variable is not specific enough to describe the port.]
# Version required: pl18 + japanization patches 18.1 and 18.2
[this is the date when the first version of this Makefile was created.
Never change this when doing an update of the port.]
# Date created: 26 May 1995
[this is the person who did the original port to FreeBSD, in particular, the
person who wrote the first version of this Makefile. Remember, this should
not be changed when upgrading the port later.]
# Whom: Satoshi Asami <asami@FreeBSD.org>
#
# $FreeBSD$
[ ^^^^^^^^^ This will be automatically replaced with RCS ID string by CVS
when it is committed to our repository. If upgrading a port, do not alter
this line back to "$FreeBSD$". CVS deals with it automatically.]
#
[section to describe the port itself and the master site - PORTNAME
and PORTVERSION are always first, followed by CATEGORIES,
and then MASTER_SITES, which can be followed by MASTER_SITE_SUBDIR.
PKGNAMEPREFIX and PKGNAMESUFFIX, if needed, will be after that.
Then comes DISTNAME, EXTRACT_SUFX and/or DISTFILES, and then
EXTRACT_ONLY, as necessary.]
PORTNAME= xdvi
PORTVERSION= 18.2
CATEGORIES= print
[do not forget the trailing slash ("/")!
if you are not using MASTER_SITE_* macros]
MASTER_SITES= ${MASTER_SITE_XCONTRIB}
MASTER_SITE_SUBDIR= applications
PKGNAMEPREFIX= ja-
DISTNAME= xdvi-pl18
[set this if the source is not in the standard ".tar.gz" form]
EXTRACT_SUFX= .tar.Z
[section for distributed patches -- can be empty]
PATCH_SITES= ftp://ftp.sra.co.jp/pub/X11/japanese/
PATCHFILES= xdvi-18.patch1.gz xdvi-18.patch2.gz
[maintainer; *mandatory*! This is the person (preferably with commit
privileges) whom a user can contact for questions and bug reports - this
person should be the porter or someone who can forward questions to the
original porter reasonably promptly. If you really do not want to have
your address here, set it to "ports@FreeBSD.org".]
MAINTAINER= asami@FreeBSD.org
[dependencies -- can be empty]
RUN_DEPENDS= gs:${PORTSDIR}/print/ghostscript
LIB_DEPENDS= Xpm.5:${PORTSDIR}/graphics/xpm
[this section is for other standard bsd.port.mk variables that do not
belong to any of the above]
[If it asks questions during configure, build, install...]
IS_INTERACTIVE= yes
[If it extracts to a directory other than ${DISTNAME}...]
WRKSRC= ${WRKDIR}/xdvi-new
[If the distributed patches were not made relative to ${WRKSRC}, you
may need to tweak this]
PATCH_DIST_STRIP= -p1
[If it requires a "configure" script generated by GNU autoconf to be run]
GNU_CONFIGURE= yes
[If it requires GNU make, not /usr/bin/make, to build...]
USE_GMAKE= yes
[If it is an X application and requires "xmkmf -a" to be run...]
USE_IMAKE= yes
[et cetera.]
[non-standard variables to be used in the rules below]
MY_FAVORITE_RESPONSE= "yeah, right"
[then the special rules, in the order they are called]
pre-fetch:
i go fetch something, yeah
post-patch:
i need to do something after patch, great
pre-install:
and then some more stuff before installing, wow
[and then the epilogue]
.include <bsd.port.mk>Automated package list creationFirst, make sure your port is almost complete, with only
PLIST missing. Create an empty
PLIST.&prompt.root; touch PLISTNext, create a new set of directories which your port can be
installed, and install any dependencies.&prompt.root; mtree -U -f /etc/mtree/BSD.local.dist -d -e -p /var/tmp/port-name
&prompt.root; make depends PREFIX=/var/tmp/port-nameStore the directory structure in a new file.&prompt.root; (cd /var/tmp/port-name && find * -type d) > OLD-DIRSIf your port honors PREFIX (which it should)
you can then install the port and create the package list.&prompt.root; make install PREFIX=/var/tmp/port-name
&prompt.root; (cd /var/tmp/port-name && find * \! -type d) > pkg/PLISTYou must also add any newly created directories to the packing
list.&prompt.root; (cd /var/tmp/port-name && find * -type d) | comm -13 OLD-DIRS - | sed -e 's#^#@dirrm #' >> pkg/PLISTFinally, you need to tidy up the packing list by hand. I lied
when I said this was all automated. Manual pages should be listed in
the port's Makefile under
MANn, and not in the
package list. User configuration files should be removed, or
installed as
filename.sample.
The info/dir file should not be listed
and appropriate install-info lines should
be added as noted in the info
files section. Any
libraries installed by the port should be listed as specified in the
shared libraries section.Package NamesThe following are the conventions you should follow in naming your
packages. This is to have our package directory easy to scan, as
there are already lots and lots of packages and users are going to
turn away if they hurt their eyes!The package name should look like
language_region-name-compiled.specifics-version.numbers.The package name is defined as
${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}-${PORTVERSION}.
Make sure to set the variables to conform to that format.FreeBSD strives to support the native language of its users.
The language- part should be a two
letter abbreviation of the natural language defined by ISO-639 if
the port is specific to a certain language. Examples are
ja for Japanese, ru for
Russian, vi for Vietnamese,
zh for Chinese, ko for
Korean and de for German.If the port is specific to a certain region within the
language area, add the two letter country code as well.
Examples are en_US for US English and
fr_CH for Swiss French.The language- part should
be set in the PKGNAMEPREFIX variable.The name part should be all lowercase,
except for a really large package (with lots of programs in it).
Things like XFree86 (yes there really is a port of it, check it
out) and ImageMagick fall into this category. Otherwise, convert
the name (or at least the first letter) to lowercase. If the
capital letters are important to the name (for example, with
one-letter names like R or
V) you may use capital letters at your
discretion. There is a tradition of naming Perl 5 modules by
prepending p5- and converting the double-colon
separator to a hyphen; for example, the
Data::Dumper module becomes
p5-Data-Dumper. If the software in question
has numbers, hyphens, or underscores in its name, you may include
them as well (like kinput2).If the port can be built with different hardcoded defaults (usually
part of the directory name in a family of ports), the
-compiled.specifics part should state
the compiled-in defaults (the hyphen is optional). Examples are
papersize and font units.The compiled.specifics part
should be set in the PKGNAMESUFFIX
variable.The version string should follow a dash
(-) and be a period-separated list of
integers and single lowercase alphabetics. In particular,
it is not pormissible to have another dash inside the
version string. The only exception is the string
pl (meaning `patchlevel'), which can be
used only when there are no major and
minor version numbers in the software. If the software
version has strings like "alpha", "beta", or "pre", take
the first letter and put it immediately after a period.
If the version string continues after those names, the
numbers should follow the single alphabet without an extra
period between them.The idea is to make it easier to sort ports by looking
at the version string. In particular, make sure version
number components are always delimited by a period, and
if the date is part of the string, use the
yyyy.mm.dd
format, not
dd.mm.yyyy
or the non-Y2K compliant
yy.mm.dd
format.Here are some (real) examples on how to convert the name
as called by the software authors to a suitable package
name:Distribution NamePKGNAMEPREFIXPORTNAMEPKGNAMESUFFIXPORTVERSIONReasonmule-2.2.2(empty)mule(empty)2.2.2No changes requiredXFree86-3.3.6(empty)XFree86(empty)3.3.6No changes requiredEmiClock-1.0.2(empty)emiclock(empty)1.0.2No uppercase names for single programsrdist-1.3alpha(empty)rdist(empty)1.3.aNo strings like alpha
allowedes-0.9-beta1(empty)es(empty)0.9.b1No strings like beta
allowedv3.3beta021.src(empty)tiff(empty)3.3What the heck was that anyway?tvtwm(empty)tvtwm(empty)pl11Version string always requiredpiewm(empty)piewm(empty)1.0Version string always requiredxvgr-2.10pl1(empty)xvgr(empty)2.10.1pl allowed only when no
major/minor version numbersgawk-2.15.6ja-gawk(empty)2.15.6Japanese language versionpsutils-1.13(empty)psutils-letter1.13Papersize hardcoded at package build timepkfonts(empty)pkfonts3001.0Package for 300dpi fontsIf there is absolutely no trace of version information in the
original source and it is unlikely that the original author will ever
release another version, just set the version string to
1.0 (like the piewm example above). Otherwise, ask
the original author or use the date string
(yyyy.mm.dd)
as the version.CategoriesAs you already know, ports are classified in several categories.
But for this to work, it is important that porters and users understand
what each category is for and how we decide what to put in each
category.Current list of categoriesFirst, this is the current list of port categories. Those
marked with an asterisk (*) are
virtual categories—those that do not have
a corresponding subdirectory in the ports tree.For non-virtual categories, you will find a one-line
description in the pkg/COMMENT file in that
subdirectory (e.g.,
archivers/pkg/COMMENT).CategoryDescriptionafterstep*Ports to support the AfterStep window manager.archiversArchiving tools.astroAstronomical ports.audioSound support.benchmarksBenchmarking utilities.biologyBiology-related software.cadComputer aided design tools.chineseChinese language support.commsCommunication software. Mostly software to talk to
your serial port.convertersCharacter code converters.databasesDatabases.deskutilsThings that used to be on the desktop before
computers were invented.develDevelopment utilities. Do not put libraries here just
because they are libraries—unless they truly do not
belong anywhere else, they should not be in this
category.editorsGeneral editors. Specialized editors go in the section
for those tools (e.g., a mathematical-formula editor will go
in math).elisp*Emacs-lisp ports.emulatorsEmulators for other operating systems. Terminal
emulators do not belong
here—X-based ones should go to
x11 and text-based ones to either
comms or misc,
depending on the exact functionality.frenchFrench language support.ftpFTP client and server utilities. If your
port speaks both FTP and HTTP, put it in
ftp with a secondary
category of www.gamesGames.germanGerman language support.gnome*Ports from the GNU Object Model Environment (GNOME)
Project.graphicsGraphics utilities.hebrewHebrew language support.ircInternet Relay Chat utilities.ipv6*IPv6 related software.japaneseJapanese language support.javaJava language support.kde*Ports from the K Desktop Environment (KDE)
Project.koreanKorean language support.langProgramming languages.linux*Linux applications and support utilities.mailMail software.mathNumerical computation software and other utilities
for mathematics.mboneMBone applications.miscMiscellaneous utilities—basically things that
do not belong anywhere else. This is the only category
that should not appear with any other non-virtual category.
If you have misc with something else in
your CATEGORIES line, that means you can
safely delete misc and just put the port
in that other subdirectory!netMiscellaneous networking software.newsUSENET news software.offix*Ports from the OffiX suite.palmSoftware support for the 3Com Palm(tm) series.perl5*Ports that require perl version 5 to run.plan9*Various programs from Plan9.printPrinting software. Desktop publishing tools
(previewers, etc.) belong here too.python*Software written in python.ruby*Software written in ruby.russianRussian language support.securitySecurity utilities.shellsCommand line shells.sysutilsSystem utilities.tcl76*Ports that use Tcl version 7.6 to run.tcl80*Ports that use Tcl version 8.0 to run.tcl81*Ports that use Tcl version 8.1 to run.tcl82*Ports that use Tcl version 8.2 to run.textprocText processing utilities. It does not include
desktop publishing tools, which go to print/.tk42*Ports that use Tk version 4.2 to run.tk80*Ports that use Tk version 8.0 to run.tk81*Ports that use Tk version 8.1 to run.tk82*Ports that use Tk version 8.2 to run.tkstep80*Ports that use TkSTEP version 8.0 to run.vietnameseVietnamese language support.windowmaker*Ports to support the WindowMaker window
managerwwwSoftware related to the World Wide Web. HTML language
support belongs here too.x11The X window system and friends. This category is only
for software that directly supports the window system. Do not
put regular X applications here. If your port is an X
application, define USE_XLIB (implied by
USE_IMAKE) and put it in the appropriate
categories. Also, many of them go into other
x11-* categories (see below).x11-clocksX11 clocks.x11-fmX11 file managers.x11-fontsX11 fonts and font utilities.x11-serversX11 servers.x11-toolkitsX11 toolkits.x11-wmX11 window managers.zope*Zope support.Choosing the right categoryAs many of the categories overlap, you often have to choose
which of the categories should be the primary category of your port.
There are several rules that govern this issue. Here is the list of
priorities, in decreasing order of precedence.Language specific categories always come first. For
example, if your port installs Japanese X11 fonts, then your
CATEGORIES line would read japanese
x11-fonts.Specific categories win over less-specific ones. For
instance, an HTML editor should be listed as www
editors, not the other way around. Also, you do not
need to list net when the port belongs to
any of irc, mail,
mbone, news,
security, or www.x11 is used as a secondary category only
when the primary category is a natural language. In particular,
you should not put x11 in the category line
for X applications.Emacs modes should be
placed in the same ports category as the application
supported by the mode, not in
editors. For example, an
Emacs mode to edit source
files of some programming language should go into
lang.
If your port truly does not belong anywhere else, put it in
misc.If you are not sure about the category, please put a comment to
that effect in your send-pr submission so we can
discuss it before we import it. If you are a committer, send a note
to the &a.ports; so we can discuss it first—too often new ports are
imported to the wrong category only to be moved right away.Changes to this document and the ports systemIf you maintain a lot of ports, you should consider following the
&a.ports;. Important changes to the way ports work will be announced
there. You can always find more detailed information on the latest
changes by looking at the
bsd.port.mk CVS log.That is It, Folks!Boy, this sure was a long tutorial, wasn't it? Thanks for
following us to here, really. Now that you know how to do a port,
have at it and convert everything in the world into ports! That
is the easiest way to start contributing to the FreeBSD Project!
:-)