This is the NetBSD System Manager's Manual, derived from the bsdwiki book.

Contents

  1. Installing and Upgrading NetBSD
    1. Recognize the installation program used by NetBSD
    2. Recognize which commands are available for upgrading
    3. Understand the difference between a pre-compiled binary and compiling from source
    4. Understand when it is preferable to install a pre-compiled binary and how to do so
    5. Recognize the available methods for compiling a customized binary
    6. Determine what software is installed on a system
    7. Determine which software requires upgrading
    8. Upgrade installed software
    9. Determine which software have outstanding security advisories
    10. Follow the instructions in a security advisory to apply a security patch
  2. Securing the NetBSD Operating System
    1. Determine the system's security level
    2. Recognize basic recommended access methods
    3. Configure an SSH server according to a set of requirements
    4. Configure an SSH server to use a key pair for authentication
    5. Preserve existing SSH host keys during a system upgrade
    6. Recognize alternate authentication mechanisms
    7. Recognize alternate authorization schemes
    8. Recognize firewalls and rulesets
    9. Recognize utilities that shape traffic or control bandwidth
    10. Recognize mechanisms for encrypting devices
    11. Recognize methods for verifying the validity of binaries
    12. Enable exploit mitigation
    13. Recognize methods for restraining a service
    14. Modify the system banner
  3. Files, Filesystems and Disks
    1. Mount or unmount local filesystems
    2. Configure data to be available through NFS
    3. Determine which filesystems are currently mounted and which will be mounted at system boot
    4. Determine disk capacity and which files are consuming the most disk space
    5. Create and view symbolic or hard links
    6. View file permissions and modify them using either symbolic or octal mode
    7. Modify a file's owner or group
    8. Backup and restore a specified set of files and directories to local disk or tape
    9. Backup and restore a file system
    10. Backup using ffs snapshots
    11. Determine the directory structure of a system
    12. Manually run the file system checker and repair tool
    13. View and modify file flags
    14. Monitor the virtual memory system
  4. Users and Accounts Management
    1. Protect authentication data
    2. Create, modify and remove user accounts
    3. Create a system account
    4. Control which files are copied to a new user's home directory during account creation
    5. Change a password
    6. Force the user to change their password upon next login
    7. Change the encryption algorithm used to encrypt the password database
    8. Change a user's default shell
    9. Lock a user account or reset a locked user account
    10. Determine identity and group membership
    11. Determine who is currently on the system or the last time a user was on the system
    12. Enable accounting and view system usage statistics
  5. Basic System Administration
    1. Determine which process are consuming the most CPU
    2. View and send signals to active processes
    3. Use an rc(8) script to determine if a service is running and start, restart or stop it as required
    4. Configure a service to start at boot time
    5. View and configure system hardware
    6. View, load, or unload a kernel module
    7. Modify a kernel parameter on the fly
    8. View the status of a software RAID mirror or stripe
    9. Configure system logging
    10. Review log files to troubleshoot and monitor system behavior
    11. Determine which MTA is being used on the system
    12. Create or modify email aliases for Sendmail or Postfix
    13. View the Sendmail or Postfix mail queue
    14. Read mail on the local system
    15. Understand basic printer troubleshooting
    16. Halt, reboot, or bring the system to single-user mode
    17. Recognize the difference between hard and soft limits and modify existing resource limits
    18. Recognize common, possibly third-party, server configuration files
    19. Configure the scripts that run periodically to perform various system maintenance tasks
    20. Determine the last system boot time and the workload on the system
    21. Monitor disk input/output
    22. Deal with busy devices
    23. Determine information regarding the operating system
    24. Understand the advantages of using a BSD license
  6. Network Administration
    1. Determine the current TCP/IP settings on a system
    2. Set a system's TCP/IP settings
    3. Determine which TCP or UDP ports are open on a system
    4. Verify the availability of a TCP/IP service
    5. Query a DNS server
    6. Determine who is responsible for a DNS zone
    7. Change the order of name resolution
    8. Convert a subnet mask between dotted decimal, hexadecimal or CIDR notation
    9. Gather information using an IP address and subnet mask
    10. Understand IPv6 address theory
    11. Demonstrate basic tcpdump(1) skills
    12. Manipulate ARP and neighbor discovery caches
    13. Configure a system to use NTP
    14. View and renew a DHCP lease
    15. Recognize when and how to set or remove an interface alias
  7. Basic Unix Skills
    1. Demonstrate proficiency in using redirection, pipes and tees
      1. Output redirection
      2. Pipes
    2. Recognize, view and modify environmental variables
      1. Viewing environmental variables
      2. Modifying environmental variables
    3. Be familiar with the vi(1) editor
    4. Determine if a file is a binary, text, or data file
    5. Locate files and binaries on a system
    6. Overcome command line length limitations
    7. Find a file with a given set of attributes
    8. Create a simple Bourne shell script
    9. Find appropriate documentation
    10. Recognize the different sections of the manual
    11. Verify a file's message digest fingerprint (checksum)
    12. Demonstrate familiarity with the default shell
    13. Use job control
    14. Demonstrate proficiency with regular expressions
    15. Understand various "domain" contexts
    16. Configure an action to be scheduled by cron(8)

Installing and Upgrading NetBSD

Recognize the installation program used by NetBSD

Recognize which commands are available for upgrading

Understand the difference between a pre-compiled binary and compiling from source

Understand when it is preferable to install a pre-compiled binary and how to do so

Installing a pre-compiled binary is preferable if CPU power is low and/or disk space is limited.

Recognize the available methods for compiling a customized binary

Determine what software is installed on a system

To obtain a list of all third-party software installed on a NetBSD system using the pkgsrc package management system, execute the pkg_info(1) command with no arguments.

$ pkg_info

Determine which software requires upgrading

To determine which software requires upgrading, you first have to install pkg_chk, which is available in pkgtools/pkg_chk from pkgsrc. When done, ensure that your pkgsrc tree is up to date and enter:

# pkg_chk -q -u

to see which packages need to be upgraded.

Upgrade installed software

There are many ways to upgrade installed software. Use one of the following:

or use make update in the pkgsrc directory of the package that needs to be updated.

Determine which software have outstanding security advisories

You can use pkgsrc's auditing feature to (periodically) check for package vulnerabilities.

Install security/audit-packages first.

If you don't know how to install a package, read the section about installing packages, or the pkgsrc user guide.

To audit the packages, you have to download the vulnerability list:

# download-vulnerability-list

You can put the following to your crontab to automate this:

0 3 * * * /usr/pkg/sbin/download-vulnerability-list >/dev/null 2>&1

This will update the vulnerability list every day at 3AM. You may wish to do this more often than once a day.

You can also ask NetBSD to include the vulnerability check in the security report:

Put this into /etc/security.local:

if [ -x /usr/pkg/sbin/audit-packages ]; then
        /usr/pkg/sbin/audit-packages
fi

Follow the instructions in a security advisory to apply a security patch

Securing the NetBSD Operating System

Determine the system's security level

Check the value of kern.securelevel (see sysctl(8)):

$ sysctl kern.securelevel
kern.securelevel = 1

Recognize basic recommended access methods

Configure an SSH server according to a set of requirements

Edit /etc/ssh/sshd_config. When all seems fine, restart the sshd(8) daemon with:

# /etc/rc.d/sshd restart

If you are working remotely over an SSH connection, don't worry: with privilege separation (the default), your working connection won't be closed.

Configure an SSH server to use a key pair for authentication

In /etc/ssh/sshd_config, uncomment the lines:

PasswordAuthentication no
PermitEmptyPasswords no

If you want to connect as root (don't do this), at least use keys with:

PermitRootLogin without-password

Don't forget to restart the daemon.
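One way to check that the settings above are really in effect, as an added example that is not part of the original manual. The function names sshd_value and audit_sshd and the two sample files are constructed for this illustration; the script reads a configuration file only and does not touch the running daemon.

```shell
#!/bin/sh
# Added example (not from the manual): audit an sshd_config for key-only logins.
# sshd keeps the FIRST value it reads for a keyword, keyword names are
# case-insensitive, and a line that still starts with '#' has no effect.

# sshd_value FILE KEYWORD
# Prints the first uncommented global value (lowercased), or "unset".
# Assumes the common "Keyword value" form separated by whitespace.
sshd_value() (
    awk -v want="$2" '
        BEGIN { want = tolower(want); found = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        tolower($1) == "match"   { exit }     # Match blocks are conditional
        tolower($1) == want      { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
)

# audit_sshd FILE
# Prints one line per finding; exit status 0 only if password logins are
# disabled, empty passwords are refused and root cannot log in by password.
audit_sshd() (
    file=$1 rc=0
    pa=$(sshd_value "$file" PasswordAuthentication)
    pe=$(sshd_value "$file" PermitEmptyPasswords)
    pr=$(sshd_value "$file" PermitRootLogin)
    # An unset PasswordAuthentication falls back to the sshd default, "yes".
    [ "$pa" = no ] || { echo "FAIL PasswordAuthentication=$pa"; rc=1; }
    [ "$pe" != yes ] || { echo "FAIL PermitEmptyPasswords=$pe"; rc=1; }
    # "unset" is reported too: the default differs between OpenSSH versions.
    case $pr in
        no|without-password|prohibit-password) ;;
        *) echo "FAIL PermitRootLogin=$pr"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK   key-only authentication is enforced"
    exit "$rc"
)

# Constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# "before": the lines are still commented out, so they change nothing.
cat > "$demo_dir/before" <<'EOF'
#PasswordAuthentication no
#PermitEmptyPasswords no
PermitRootLogin yes
EOF

# "after": the settings from this section; the later duplicate is ignored
# because the first value wins.
cat > "$demo_dir/after" <<'EOF'
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin without-password
passwordauthentication yes
EOF

audit_sshd "$demo_dir/before" || echo "-> fix the findings, then restart sshd"
audit_sshd "$demo_dir/after"
```

Run audit_sshd against /etc/ssh/sshd_config before restarting the daemon; sshd -t additionally checks the file for syntax errors.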

Preserve existing SSH host keys during a system upgrade

The SSH keys live under /etc/ssh. Just tar(1) up all key files and extract the archive on the new system.

Recognize alternate authentication mechanisms

Recognize alternate authorization schemes

Recognize firewalls and rulesets

To see input rules:

# ipfstat -hin

The -o option (instead of -i) shows the output rules. The -6 option operates on IPv6 rules. The -n option displays group and rule numbers, which is useful when matching rules against log entries.

IPNAT rules can be listed with:

# ipnat -l

Recognize utilities that shape traffic or control bandwidth

Recognize mechanisms for encrypting devices

$ man cgd

Recognize methods for verifying the validity of binaries

By default, /etc/daily launches /etc/security, which uses mtree(8).

To check if veriexec(4) is up:

$ sysctl kern.veriexec.strict
kern.veriexec.strict=1

Read the veriexec chapter of the NetBSD Guide for more information.

Enable exploit mitigation

Follow the advice in the security(7) man page.

Recognize methods for restraining a service

Modify the system banner

Edit /etc/motd.

You can also display a banner before the SSH connection is authenticated; to do that, add:

Banner /etc/ssh/issue

to /etc/ssh/sshd_config and put the text you want displayed before SSH authentication in the file /etc/ssh/issue.

Files, Filesystems and Disks

Mount or unmount local filesystems

To mount a file system, use the mount(8) command. The general syntax is:

# mount [options] device_node mount_point

The available options may be found in the man page. Typically, it will be necessary to at least use the -t option to specify the type of filesystem to be mounted. For example, to mount a CD-ROM device, specify the ISO 9660 format with a command like the following:

# mount -t cd9660 /dev/cd0d /mnt/cdrom

To unmount a mounted filesystem, use the umount(8) command. To unmount the mounted filesystem /mnt/cdrom, simply execute:

# umount /mnt/cdrom

Note that unmounting a filesystem will fail if any running process has a directory in that filesystem as its present working directory. For example:

# mount -t cd9660 /dev/cd0d /mnt/cdrom
# cd /mnt/cdrom
# umount /mnt/cdrom
umount: /mnt/cdrom: Device busy
# cd
# umount /mnt/cdrom
#

Configure data to be available through NFS

Let's share /export/data. Create the file /etc/exports as:

$ cat /etc/exports
/export/data -maproot=nobody -ro -network 192.168.1.0 -mask 255.255.255.0

Here, the file system is read-only (option -ro) and available only to clients in 192.168.1.0/24; root access from clients is mapped to the user nobody on the server (we do not trust our clients). The syntax and options are documented in exports(5).

We have to start rpcbind(8), mountd(8), rpc.lockd(8), nfsd(8) and rpc.statd(8). In order to do that, edit /etc/rc.conf and set:

rpcbind=YES
rpcbind_flags="-l"
mountd=YES
nfs_server=YES
statd=YES
lockd=YES

The flag -l tells rpcbind(8) to use libwrap (hosts_options(5)). Edit /etc/hosts.access and set:

rpcbind: 192.168.1.0/255.255.255.0 ALLOW

to allow clients to connect to the server.

On the clients, we have to start rpcbind(8), rpc.statd(8) and rpc.lockd(8); edit /etc/rc.conf and set:

rpcbind=YES
rpcbind_flags="-l"
nfs_client=YES
statd=YES
lockd=YES

Now, let's mount the file system on the client:

# mount -o ro server:/export/data /data
$ mount | grep data
server:/export/data on /data type nfs (read-only)

Don't forget to add a line in /etc/fstab (fstab(5)):

server:/export/data /data nfs ro 0 0

to mount the file system at boot time. That's all.

See the NetBSD Guide (http://www.netbsd.org/docs/guide/en/chap-net-misc.html#chap-net-misc-nfs) for more details.

Determine which filesystems are currently mounted and which will be mounted at system boot

A list of currently mounted filesystems can be obtained by running the mount(8) command without any arguments.

The file fstab(5) in /etc contains information about which filesystems are mounted at system boot and what options they are mounted with, whether they should be fsck(8)ed and if so in what order, etc.

Determine disk capacity and which files are consuming the most disk space

Disk capacity:

$ df -h

Find the size of files in a directory:

$ du -sk

Report by file size:

$ du -k | sort -n

Create and view symbolic or hard links

Symbolic link:

$ ln -s sourcefile targetfile

Hard link:

$ ln sourcefile targetfile

View file permissions and modify them using either symbolic or octal mode

View file permissions:

$ ls -l filename

Change file permissions:

$ chmod 644 filename

Modify a file's owner or group

The chown(8) command can be used to modify a file's owner or group.

To change the owner of the file somefile to the user someuser, execute:

chown someuser somefile

Similarly, to change the group of the file somefile to the group somegroup, execute:

chown :somegroup somefile

If you like, you can change both the group and owner of a file with a single command. To make both of the modifications made by the two commands above, execute:

chown someuser:somegroup somefile

Note that there is also a chgrp(1) command to change the group of a file.

To change the group of the file somefile to the group somegroup, execute:

chgrp somegroup somefile

Backup and restore a specified set of files and directories to local disk or tape

Create your (compressed) archive with:

$ tar cvfz backup.tgz somedirectory/

To restore, use:

$ tar xzpf backup.tgz

See also pax(1) and cpio(1).

Backup and restore a file system

# dump 0f - | (cd /altroot; restore rf -)

See dump(8) and restore(8).

Backup using ffs snapshots

Snapshots allow you to work with an atomic copy of a file system, taken at the time of the snapshot. This is very useful, for instance, to back up a file system on which database applications such as PostgreSQL may be running, without the need to stop and restart the database application.

See fssconfig(8) and fss(4) for more details. For the sake of an example, suppose that we want to back up a live / file system to a /backup file system using rsync.

Let's first create the "atomic" snapshot of the / file system:

# fssconfig -cx fss0 / /tmp/back

We now have configured the device /dev/fss0 to be a snapshot mirror of the / file system, using a temporary log of /tmp/back to which new writes will be added for as long as the snapshot device is configured. This file will be automatically deleted at device unconfiguration because of the optional -x switch. You may now use that device with the dump command or mount it and use other backup commands such as pax, tar or rsync as you wish.

# mount -o ro /dev/fss0 /mnt

We have now mounted the atomic copy of the file system to /mnt. Let's update our /backup file system from it:

# rsync -vaHx --delete /mnt/ /backup/

So our "atomic" live backup is done and we now no longer need our snapshot:

# umount /mnt
# fssconfig -u fss0

Determine the directory structure of a system

Manually run the file system checker and repair tool

For FFS filesystems (in this example, the first slice on your first IDE hard disk):

# fsck /dev/rwd0a

The -y option should be used with caution: with it, fsck(8) assumes yes as the answer to all its questions. Use it at your own risk.

View and modify file flags

Use chflags(1) to modify file flags, for example:

$ chflags uchange pkgsrc.tar.gz
$ ls -lo pkgsrc.tar.gz
-rw-r--r--  1 zafer  users  uchg 32072480 May 19 09:12 pkgsrc.tar.gz

Monitor the virtual memory system

Users and Accounts Management

Protect authentication data

Create, modify and remove user accounts

create

# useradd -m johndoe 

delete

# userdel johndoe

modify

# usermod -m -d /home/foo johndoe

Create a system account

Control which files are copied to a new user's home directory during account creation

The -k option of the useradd(8) command can be used to specify a "skeleton directory". The contents of the specified skeleton directory will be copied to the new user's home directory. If no skeleton directory is specified with -k, the default of /etc/skel/ is used.

Change a password

The passwd(1) command can be used to change a password.

Executing passwd with no arguments will change the password of the executing user. The existing password must be supplied before changes can be made. The new password must be entered identically twice, to ensure the password is not set to a misspelling of the intended password. The process looks something like this - note that passwords do not echo:

$ passwd
Changing local password for user.
Old password:
New password:
Retype new password:

The superuser may change the password of an arbitrary user by supplying that user's name as the only argument to passwd. Root does not need to supply the user's existing password, and may simply supply a new one. The process looks something like this:

# passwd user
Changing local password for user.
New password:
Retype new password

Force the user to change their password upon next login

# usermod -F johndoe

Change the encryption algorithm used to encrypt the password database

The encryption algorithm or algorithms used to encrypt the password database are specified in the passwd.conf(5) file in /etc.

The syntax of the file is straightforward and is made clear by the following example, taken from the man page:

Use MD5 as the local cipher and old-style DES as the YP cipher. Use blowfish with 2^5 rounds for root:

      default:
           localcipher = md5
           ypcipher = old


      root:
           localcipher = blowfish,5

The algorithm choices are: "old", "newsalt,<rounds>", "md5", "sha1,<rounds>" and "blowfish,<rounds>". Consult the man page for details on allowable round parameters.

Change a user's default shell

Choose one of the shells listed in the /etc/shells file. For example, we want to change the shell of johndoe to /bin/ksh:

# chsh -s /bin/ksh johndoe

or

# chpass -s /bin/ksh johndoe

See chsh(1) for more details.

Lock a user account or reset a locked user account

Lock

# usermod -C yes johndoe

Unlock

# usermod -C no johndoe

Determine identity and group membership

$ id

Determine who is currently on the system or the last time a user was on the system

Enter

$ w

to determine who is currently on the system.

Enter

$ last

to determine the last time a user was on the system.

Enable accounting and view system usage statistics

Basic System Administration

Determine which process are consuming the most CPU

The top(1) command displays and regularly updates a list of top CPU consuming processes. The list includes details such as the command used to create the process, the user who ran that command, the process' PID, what state the process is currently in and how much memory and CPU time the process is consuming.

View and send signals to active processes

The ps(1) command can be used to view a list of the names and details (such as PID) of currently active processes. Exactly which processes and what details about them are displayed can be customised using the options described in the man page. To get the default details of all processes, execute:

$ ps ax

Sending signals to processes is done using the kill(1) command. The signal to be sent may be specified either by name (e.g. HUP, INT, QUIT, ABRT, KILL, ALRM, TERM; see also kill -l output) or by an integer code, as specified in the man page.

The simplest syntax for kill(1) is:

$ kill {signal name or code} pid

where pid is the PID of the process to be killed. Note that if no signal name or code is specified (i.e. just kill pid is used) then a TERM signal is sent by default.

Note that one does not typically know the PID of a process one wants to signal. One can either use the ps(1) command as described above to find the PID (perhaps with the assistance of grep(1)), or one can use the pkill(1) command, which works like kill(1) except that it accepts a process name rather than a PID.

Use an rc(8) script to determine if a service is running and start, restart or stop it as required

To see if a service is running, execute that service's rc(8) script with an argument of status. The output will indicate if that service is running. Not all rc scripts have a status option. For example:

# /etc/rc.d/sshd status                                                      
sshd is not running.
# /etc/rc.d/sshd start
# /etc/rc.d/sshd status                                                    
sshd is running as pid 383.
# /etc/rc.d/sshd stop

Note that while every script in /etc/rc.d is supposed to accept the status argument, many do not.

If a service is not running, it can be started by executing its rc(8) script with an argument of start. Once a service is running, it can be restarted or stopped in a similar manner, using the arguments restart and stop.

Note that an rc script cannot launch a service if this service is not marked as runnable in /etc/rc.conf (via a service=YES entry).

Configure a service to start at boot time

Add or copy the rc script to /etc/rc.d/ and then add the service to your /etc/rc.conf.

View and configure system hardware

View the PCI bus (use pci0 to pci2):

$ pcictl /dev/pci0 list

View, load, or unload a kernel module

View

$ modstat

Load

# modload file

Unload

# modunload -i id

See the manual page for lkm.conf(5) for information on how to automatically load modules at boot time. Please note that for this to work, lkm=YES must be set in /etc/rc.conf. Also note the critical_filesystems_local setting in rc.conf(5), which may be required for boot-loaded modules located under /usr if /usr is on a different partition from /.

Modify a kernel parameter on the fly

# sysctl -w <variable>=<value>

View the status of a software RAID mirror or stripe

Verify parity:

# raidctl -p raid0
/dev/rraid0c: Parity status: clean

View configuration and state:

# raidctl -s raid0

raidctl(8) man page is very useful, don't miss it.

Configure system logging

Verify that syslogd(8) is running. If not, enable it in /etc/rc.conf and launch it:

# /etc/rc.d/syslogd start

The logging daemon is configured with /etc/syslog.conf (see syslog.conf(5)). After modifying this file, you have to tell the daemon to reread it:

# pkill -HUP syslogd 

by sending a SIGHUP.

If you add files in /etc/syslog.conf, don't forget to configure rotation in /etc/newsyslog.conf (newsyslog.conf(5)).

If the filtering features of the original daemon are too limited for you, try the sysutils/syslog-ng package.

To log signals sent to processes:

# sysctl -w kern.logsigexit=1

Review log files to troubleshoot and monitor system behavior

$ tail -f /var/log/messages |grep daemon

Try also these packages:

Determine which MTA is being used on the system

$ less /etc/mailer.conf

Create or modify email aliases for Sendmail or Postfix

View the Sendmail or Postfix mail queue

$ mailq

Read mail on the local system

$ mail

Understand basic printer troubleshooting

Halt, reboot, or bring the system to single-user mode

to halt enter:

# shutdown -h now

to reboot enter either:

# reboot

or

# shutdown -r now

to bring the system to single-user mode press any key during boot countdown and then enter:

boot -s

From multi-user mode, you should:

# kill -TERM 1

to return to single-user mode.

Recognize the difference between hard and soft limits and modify existing resource limits

Recognize common, possibly third-party, server configuration files

Configure the scripts that run periodically to perform various system maintenance tasks

Determine the last system boot time and the workload on the system

$ uptime

or

$ w

Monitor disk input/output

$ iostat -w 1

Deal with busy devices

Determine information regarding the operating system

$ uname -a

Understand the advantages of using a BSD license

Network Administration

Determine the current TCP/IP settings on a system

First, see the interfaces which are connected:

$ ifconfig -ls
wm0 wm1 wm2 wm3 wm4 lo0 pflog0 vlan0 vlan1 vlan2 vlan3

To see the IP address of an interface:

$ ifconfig vlan3
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       vlan: 847 parent: wm4
       address: 00:04:23:af:f1:e4
       inet 172.17.13.254 netmask 0xfffffe00 broadcast 172.17.13.255

We have the MAC (hardware address, here 00:04:23:af:f1:e4) and the IP address with netmask (here 172.17.13.254 with 255.255.254.0).

Now, we want to know IPv4 routing settings:

$ netstat -rn -f inet | head -5
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            172.16.200.130     UG1         0  9607369      -  wm0

The default route is tagged default; here it is 172.16.200.130 on the wm0 interface.

See ifconfig(8) and netstat(8) for more details.

Set a system's TCP/IP settings

# ifconfig fxp0 192.168.0.1 netmask 255.255.255.0 up

Determine which TCP or UDP ports are open on a system

$ sockstat -cl

Verify the availability of a TCP/IP service

$ sockstat -l

Query a DNS server

Find responsible nameservers for a given domain

$ dig ns netbsd.org

Query a DNS server

$ dig @adns1.berkeley.edu A www.netbsd.org

Determine who is responsible for a DNS zone

Use dig(1) to check the SOA section:

$ dig www.netbsd.org soa
; <<>> DiG 9.3.2 <<>> www.netbsd.org soa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22618
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.netbsd.org.                        IN      SOA

;; AUTHORITY SECTION:
netbsd.org.             10800   IN      SOA     ns.netbsd.org. hostmaster.netbsd.org.  2007032701 21600 10800 2419200 86400

;; Query time: 163 msec
;; SERVER: 191.168.1.1#53(191.168.1.1)
;; WHEN: Sun Jul  1 11:56:27 2007
;; MSG SIZE  rcvd: 92

The master server is ns.netbsd.org and the responsible party is hostmaster [at] netbsd [dot] org.

Change the order of name resolution

You live in home.org but you often work on hosts in work.com. To avoid typing FQDN all the time, put this in /etc/resolv.conf:

nameserver 1.2.3.4
nameserver 5.6.7.8
domain home.org
search home.org work.com

The first two lines say which DNS servers to use. The third says that the resolver has to search for the host in home.org first. The last tells it to search in work.com as well. After that, you should have:

$ host www
www.work.com has address 192.168.1.2

Convert a subnet mask between dotted decimal, hexadecimal or CIDR notation

Use either:

Gather information using an IP address and subnet mask

Understand IPv6 address theory

Demonstrate basic tcpdump(1) skills

# tcpdump -i fxp0 not port 22

Manipulate ARP and neighbor discovery caches

View ARP cache

$ arp -a

Configure a system to use NTP

View and renew a DHCP lease

Renew a DHCP lease

# dhcpcd -k
# dhcpcd

Recognize when and how to set or remove an interface alias

set alias

# ifconfig fxp0 inet 192.168.0.2 netmask 255.255.255.0 alias

remove alias

# ifconfig fxp0 inet 192.168.0.2 netmask 255.255.255.0 -alias

Basic Unix Skills

Demonstrate proficiency in using redirection, pipes and tees

Output redirection

$ ls > myfiles.txt

runs ls and redirects the output in the file myfiles.txt

$ ls >> myfiles.txt

runs ls and appends the output to the file myfiles.txt

Pipes

$ ls -l | wc -l

runs ls -l and uses its output as the input for the command wc -l

Recognize, view and modify environmental variables

Viewing environmental variables

On sh based shells like sh, ksh, bash this is done with the command export

$ export

On csh, tcsh with env

$ env

Modifying environmental variables

On sh based shells, put the variable on the left side of an equal sign and the value on the right side.

$ export MYVAR="hello kitty"

On csh and tcsh, use a single space instead of an equal sign.

$ setenv MYVAR "hello kitty"

Be familiar with the vi(1) editor

hjkl movement

i insert

0 beginning of line

$ end of line

o/O insert new line

x/X delete char

w/W Word

e/E End of word

b/B begin of word

dd delete a line

yy yank a line

Determine if a file is a binary, text, or data file

The file(1) command is capable of discerning between executable (binary) files, text files and data files. In many cases it is able to determine further information about data files, e.g. it can recognise image files as being GIFs or JPGs.

$ file /bin/sh
/bin/sh: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for NetBSD 4.99.72, dynamically linked (uses shared libs), not stripped

$ file /etc/wscons.conf
/etc/wscons.conf: ASCII English text


$ file AnsweringMachine.ogg
AnsweringMachine.ogg: Ogg data, Vorbis audio, stereo, 44100 Hz, ~256000 bps, created by: Xiph.Org libVorbis I (1.1.0 RC1)


$ file photo.jpg
photo.jpg: JPEG image data, JFIF standard 1.01

Locate files and binaries on a system

Binaries

$ whereis netstat

Overcome command line length limitations

Find a file with a given set of attributes

Create a simple Bourne shell script

vi myshellscript.sh

Find appropriate documentation

$ apropos keyword
$ man command

Recognize the different sections of the manual

Sections are from 1 to 9

Verify a file's message digest fingerprint (checksum)

Depending on which kind of digest was published for the file, enter either:

$ md5 filename

or

$ sha1 filename

and compare the output with the published digest.
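The comparison described above can be scripted, as in this added example that is not part of the original manual. It parses a digest line in the "ALGO (file) = hex" form that md5(1) and sha1(1) print and rejects truncated digests; the function names digest_of and verify_line and the sample file are constructed for this illustration, and the fallback to md5sum/sha1sum is an assumption for systems without the BSD tools.

```shell
#!/bin/sh
# Added example (not from the manual): check a file against a published
# digest line in the "ALGO (file) = hex" form that md5(1) and sha1(1) print.

# digest_of ALGO FILE -> lowercase hex digest on stdout.
# Uses the BSD md5/sha1 tools when present, otherwise md5sum/sha1sum
# (assumption: one of the two families is installed).
digest_of() (
    algo=$1 file=$2
    case $algo in
        md5|sha1) ;;
        *) echo "unsupported algorithm: $algo" >&2; exit 2 ;;
    esac
    [ -r "$file" ] || { echo "cannot read: $file" >&2; exit 2; }
    if command -v "$algo" >/dev/null 2>&1; then tool=$algo; else tool=${algo}sum; fi
    # Reading from stdin makes both families print the digest as the first field.
    "$tool" < "$file" | awk '{ print tolower($1) }'
)

# verify_line 'ALGO (FILE) = HEX'
# Exit status: 0 digest matches, 1 mismatch, 2 malformed line or unreadable file.
verify_line() (
    pat='^\([A-Za-z0-9]*\) (\(.*\)) = \([0-9A-Fa-f]*\)$'
    algo=$(printf '%s\n' "$1" | sed -n "s/$pat/\1/p" | tr '[:upper:]' '[:lower:]')
    file=$(printf '%s\n' "$1" | sed -n "s/$pat/\2/p")
    want=$(printf '%s\n' "$1" | sed -n "s/$pat/\3/p" | tr '[:upper:]' '[:lower:]')
    case $algo in
        md5)  len=32 ;;
        sha1) len=40 ;;
        *) echo "malformed or unsupported line: $1" >&2; exit 2 ;;
    esac
    # A truncated digest must never be accepted as a prefix match.
    [ "${#want}" -eq "$len" ] || { echo "bad $algo digest length" >&2; exit 2; }
    got=$(digest_of "$algo" "$file") || exit 2
    if [ "$got" = "$want" ]; then
        echo "OK       $file"
    else
        echo "MISMATCH $file"
        exit 1
    fi
)

# Constructed sample: a file holding the three bytes "abc", whose SHA-1 is
# the well-known test vector used in the published line below.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'abc' > "$demo/sample.txt"
published="SHA1 ($demo/sample.txt) = a9993e364706816aba3e25717850c26c9cd0d89d"

verify_line "$published"

# Change one byte: the same published line no longer verifies.
printf 'abd' > "$demo/sample.txt"
verify_line "$published" || echo "-> do not use this file"
```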

Demonstrate familiarity with the default shell

Use job control

List jobs

$ jobs -l

Put job into background

# /usr/libexec/locate.updatedb &

Put job into foreground

# fg pid

Put job into background

# bg pid

Demonstrate proficiency with regular expressions

Understand various "domain" contexts

Configure an action to be scheduled by cron(8)

There are two ways to accomplish this task. You either put the cronjob in the global crontab file /etc/crontab or you edit your own crontab with crontab -e.

$ crontab -e

(This command invokes your favorite text editor, as specified by the $EDITOR or VISUAL environment variable; the default is /usr/bin/vi.)

Add a cronjob:

0 23 * * *     sh /my/home/shellskript

Here, the script will be run every day at 23:00. The field order is minute, hour, day of month, month and day of week; the last field is the command to run. See crontab(5) for details. List your current crontab:

$ crontab -l

As root you can see and edit any user's crontab by supplying -u username:

# crontab -l -u john

or edit it

# crontab -e -u john

When using the global /etc/crontab you have to supply the user who is executing the cronjob:

# vi /etc/crontab
0 22 * * *    john    sh /johns/work/shellskript