rhoekman
Verified User
FreeBSD 5.3 Release (Beta) test report
Ok, it's not officially released (it will be tomorrow) but it's already on the mirrors and I couldn't resist. Right at the moment I'm upgrading my secondary DNS without DA to see if there's anything you should look out for. If that is going well I'll take the plunge when they officially announce it and upgrade the DA machine. I'll keep you posted if there's anything that you should be aware of when upgrading.
---- REPORT BELOW ----
1. Biggest change is from Bind 8 to 9 and its location and that it runs in a chrooted environment. This could break DA installations.
2. Minor: Firewall (PF) is enabled in the kernel by default. It got me a little alarmed because the upgrade exits with an error when the 'Proxy' user does not exist. It needs this to run the firewall in userland I guess.
The release notes have more information on it:
20040928:
If enabled, the default is now to run named in a chroot
"sandbox." For users with existing configurations in
/etc/namedb the migration should be simple. Upgrade your
world as usual, then after installworld but before
mergemaster do the following:
If named is running: /etc/rc.d/named stop
cd /etc
mv namedb namedb.bak
mkdir -p /var/named/etc/namedb
cp -Rp namedb.bak/* /var/named/etc/namedb/
mergemaster (with your usual options)
If using the generated localhost* files:
cd /var/named/etc/namedb
/bin/sh make-localhost
rm -f localhost-v6.rev localhost.rev
/etc/rc.d/syslogd restart
/etc/rc.d/named start
If you are using a custom configuration, or if you have
customised the named_* variables in /etc/rc.conf[.local]
then you may have to adjust the instructions accordingly.
It is suggested that you carefully examine the new named
variables in /etc/defaults/rc.conf and the options in
/var/named/etc/namedb/named.conf to see if they might
now be more suitable.
20040308:
The packet filter (pf) is now installed with the base system. Make
sure to run mergemaster -p before installworld to create required
user account ("proxy"). If you do not want to build pf with your
system you can use the NO_PF knob in make.conf.
Also note that pf requires "options PFIL_HOOKS" in the kernel. The
pf system consists of the following three devices:
device pf # required
device pflog # optional
device pfsync # optional
--- Damage report ---
I'm glad I did this on a server on location and not remote. There is also a change in OpenSSH and the protocol. I've had only SSH2 access and they changed it to default now (was SSH1 and SSH2) but I encountered problems with the key and the protocol and had to dive in on the console.
Some of the damage I need to fix:
- OpenSSH is not accepting SSH2 but SSH1 and only if you use TIS authentication and this even if config is set on SSH2. This part is a riddle at the moment.
fixed: This was probably due to a certificate error/corruption.
note: Dag-Erling Smorgrav has updated OpenSSH 3.8p1 to change some configuration defaults: the server no longer accepts protocol version 1 nor password authentication by default.
- Nameserver (BIND 9) is not running (and configured)
fixed: I have it up and running after running mergemaster and pointing to the old /etc/named
--- Unaffected ---
Also useful is to report stuff that still worked after the upgrade. Note that it was not a DA box I upgraded so I post what DA uses:
mysql-server-4.0.18_1
apache+mod_ssl-1.3.31+2.8.17_3
php4-4.3.8_2
vm-pop3d-1.1.6_1
--- Affected Libraries and Programs ---
I ran NMAP and it started to yell at me saying that something was wrong with:
libpcre
Now I believe that Exim uses this lib with perl to use regular expressions (filtering etc)
So my guess is we have a broken Exim after the upgrade. Major issue.
NMAP worked after recompile so I hope we just have to recompile Exim and use the new libs. This needs proper testing.
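A pre-upgrade check for the three changes in this report (sshd defaults, the pf "proxy" user, the named chroot), added here as an example and not part of the original post. The function names and the root-prefix argument are assumptions of this example, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: pre-upgrade audit for the three changes reported in the post.
# Takes a root prefix so it can run on a copy of /etc; pass "" for the live system.

# Effective value of an sshd_config keyword (first match wins), or "unset".
sshd_setting() {  # $1=config file  $2=keyword
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        /^[ \t]*#/ { next }
        tolower($1) == k { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Succeeds if the account exists in a passwd-format file.
has_user() {  # $1=passwd file  $2=user
    awk -F: -v u="$2" '$1 == u { ok = 1 } END { exit !ok }' "$1"
}

# "migrated" if the chroot copy exists, "legacy" if only /etc/namedb does.
namedb_state() {  # $1=root prefix
    if [ -d "$1/var/named/etc/namedb" ]; then echo migrated
    elif [ -d "$1/etc/namedb" ]; then echo legacy
    else echo missing; fi
}

audit() {  # $1=root prefix; prints one finding per line
    for kw in Protocol PasswordAuthentication; do
        if [ "$(sshd_setting "$1/etc/ssh/sshd_config" "$kw")" = unset ]; then
            echo "sshd: $kw not set explicitly, the new default will apply"
        fi
    done
    has_user "$1/etc/passwd" proxy ||
        echo "pf: user 'proxy' missing, run mergemaster -p before installworld"
    if [ "$(namedb_state "$1")" = legacy ]; then
        echo "named: config only in /etc/namedb, copy it to /var/named/etc/namedb"
    fi
    return 0
}

# Constructed sample tree standing in for a pre-upgrade host.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/ssh" "$demo_root/etc/namedb"
printf '#Protocol 2,1\nPasswordAuthentication yes\n' > "$demo_root/etc/ssh/sshd_config"
printf 'root:*:0:0::/root:/bin/csh\nbind:*:53:53::/:/usr/sbin/nologin\n' > "$demo_root/etc/passwd"
audit "$demo_root"
```

On the constructed tree it reports three findings: `Protocol` is only present as a comment, the `proxy` account is absent, and the named configuration has not been copied into the chroot.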