FreeBSD 14.0 にアップグレードする事が出来たのでメモ書きする事にしました。
作業時間
筆者の環境では、約4時間ほどで作業が完了する事が出来ました。
旧カーネルアップデートの確認
uname -aFreeBSD FreeBSD 13.2-RELEASE-p8 FreeBSD 13.2-RELEASE-p8 GENERIC amd64アップグレード実施
①.現時点の最新のパッチを適用します。
freebsd-update fetch
freebsd-update install②.アップグレードのコマンドを実行する。
freebsd-update upgrade -r 14.0-RELEASE③.Does this look reasonable は Y にする。
[root@FreeBSD ~]# freebsd-update upgrade -r 14.0-RELEASE
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 13.2-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Inspecting system... done.
The following components of FreeBSD seem to be installed:
kernel/generic kernel/generic-dbg src/src world/base world/lib32
The following components of FreeBSD do not seem to be installed:
world/base-dbg world/lib32-dbg
oes this look reasonable (y/n)? y④.アップグレードに必要なソフト類をダウンロードするので時間が掛かります。
Fetching metadata signature for 14.0-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.
Fetching files from 13.2-RELEASE for merging... done.
Preparing to download files... done.
Fetching 55717 patches.....10....20....30....省略....55700....55710... done.
Fetching 12988 files... ....10....20....30....省略....12970....12980.... done.
Attempting to automatically merge changes in files... done.
⑤.手動による修正が必要なコメントが表示する。
The following file could not be merged automatically: /etc/group
Press Enter to edit this file in /usr/bin/vi and resolve the conflicts
manually...
<<<<<<< current version
# $FreeBSD$
#
wheel:*:0:root,yoxxxx
=======
wheel:*:0:root
>>>>>>> 14.0-RELEASE
daemon:*:1:
kmem:*:2:
sys:*:3:
tty:*:4:
operator:*:5:root
mail:*:6:clamav,postfix
bin:*:7:
news:*:8:
man:*:9:
games:*:13:
ftp:*:14:
staff:*:20:
sshd:*:22:
smmsp:*:25:
mailnull:*:26:
guest:*:31:
video:*:44:
realtime:*:47:
idletime:*:48:
bind:*:53:
unbound:*:59:
proxy:*:62:
authpf:*:63:
_pflogd:*:64:
_dhcp:*:65:
uucp:*:66:
dialer:*:68:
network:*:69:
audit:*:77:
www:*:80:
u2f:*:116:
ntpd:*:123:
_ypldap:*:160:
hast:*:845:
tests:*:977:
nogroup:*:65533:
nobody:*:65534:
hamanaka:*:1001:
_tss:*:601:
messagebus:*:556:
avahi:*:558:
cups:*:193:
polkitd:*:565:
colord:*:970:
mysql:*:88:
clamav:*:106:
cyrus:*:60:
maildrop:*:126:
postfix:*:125:
dovecot:*:143:
dovenull:*:144:
spamd:*:58:
munin:*:842:
⑥.手動による修正が必要なコメントが表示する。
The following file could not be merged automatically: /etc/hosts.allow
Press Enter to edit this file in /usr/bin/vi and resolve the conflicts
manually...
<<<<<<< current version
ALL : localhost 127.0.0.1 192.168.0. : allow
sshd : .ne.jp : allow
ALL : ALL : deny
=======
#
# hosts.allow access control file for "tcp wrapped" applications.
#
# NOTE: The hosts.deny file is deprecated.
# Place both 'allow' and 'deny' rules in the hosts.allow file.
# See hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.
#
# _____ _ _
# | ____| __ __ __ _ _ __ ___ _ __ | | ___ | |
# | _| \ \/ / / _` | | '_ ` _ \ | '_ \ | | / _ \ | |
# | |___ > < | (_| | | | | | | | | |_) | | | | __/ |_|
# |_____| /_/\_\ \__,_| |_| |_| |_| | .__/ |_| \___| (_)
# |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow
# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny
# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny
# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 : allow
# Comment out next line if you build libwrap without IPv6 support.
ALL : [::1] : allow
#ALL : my.machine.example.com 192.0.2.35 : allow
# To use IPv6 addresses you must enclose them in []'s
#ALL : [fe80::%fxp0]/10 : allow
#ALL : [fe80::]/10 : deny
#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
#ALL : [2001:db8:2:1::]/64 : allow
# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
#sendmail : .nice.guy.example.com : allow
#sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow
# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
#exim : .nice.guy.example.com : allow
#exim : .evil.cracker.example.com : deny
exim : ALL : allow
# Rpcbind is used for all RPC services; protect your NFS!
# Rpcbind should be running with -W option to support this.
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny
# NIS master server. Only local nets should have access
# (Since this is an RPC service, rpcbind needs to be considered)
ypserv : localhost : allow
#ypserv : .unsafe.my.net.example.com : deny
#ypserv : .my.net.example.com : allow
ypserv : ALL : deny
# Provide a small amount of protection for ftpd
ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow
# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
: spawn (echo Finger. | \
/usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
: deny
# The rest of the daemons are protected.
ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."
>>>>>>> 14.0-RELEASE
⑦.手動による修正が必要なコメントが表示する。
The following file could not be merged automatically: /etc/master.passwd
Press Enter to edit this file in /usr/bin/vi and resolve the conflicts
manually...
<<<<<<< current version
# $FreeBSD$
#
root:$6$f667jkxZL.fe8uP.$vv.KaVHMGyzFMkY/cEIHQBNrn6FGwYJk9kFUnwmyrNEYK9eVO9vfdUi55us02aw/l
QmlzimV01dbPUe.WvJzx.:0:0::0:0:Charlie &:/root:/usr/local/bin/bash
=======
root::0:0::0:0:Charlie &:/root:/bin/sh
>>>>>>> 14.0-RELEASE
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59::0:0:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
⑧.手動による修正が必要なコメントが表示する。
The following file could not be merged automatically: /etc/ntp.conf
Press Enter to edit this file in /usr/bin/vi and resolve the conflicts
manually...
<<<<<<< current version
pool ntp.nict.jp iburst
pool ntp.jst.mfeed.ad.jp iburst
pool time.google.com iburst
=======
#
#
# Default NTP servers for the FreeBSD operating system.
#
# Don't forget to enable ntpd in /etc/rc.conf with:
# ntpd_enable="YES"
#
# The driftfile is by default /var/db/ntpd.drift, check
# /etc/defaults/rc.conf on how to change the location.
#
>>>>>>> 14.0-RELEASE
logfile /var/log/ntpd.log
logconfig =syncstatus +sysevents +clockall
<<<<<<< current version
restrict default noquery nomodify notrap
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
=======
#
# The following pool statements will give you a random set of IPv4 and IPv6
# NTP servers geographically close to you. A single pool statement adds
# multiple servers from the pool, according to the tos minclock/maxclock
# targets.
# See http://www.pool.ntp.org/ for details. Note, pool.ntp.org encourages
# users with a static IP and good upstream NTP servers to add a server
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
#
# The option `iburst' is used for faster initial synchronization.
#
pool 0.freebsd.pool.ntp.org iburst
pool 2.freebsd.pool.ntp.org iburst
#
# If you want to pick yourself which country's public NTP server
# you want to sync against, comment out the above pool statements,
# uncomment the next ones, and replace CC with the country's abbreviation.
# Make sure that the hostnames resolves to a proper IP address!
#
# pool 0.CC.pool.ntp.org iburst
# pool 2.CC.pool.ntp.org iburst
#
# To configure a specific server, such as an organization-wide local
# server, add lines similar to the following. One or more specific
# servers can be configured in addition to, or instead of, any server
# pools specified above. When both are configured, ntpd first adds all
# the specific servers, then adds servers from the pool until the tos
# minclock/maxclock targets are met.
#
#server time.my-internal.org iburst
#
# Security:
#
# By default, only allow time queries and block all other requests
# from unauthenticated clients.
#
# The "restrict source" line allows peers to be mobilized when added by
# ntpd from a pool, but does not enable mobilizing a new peer association
# by other dynamic means (broadcast, manycast, ntpq commands, etc).
#
# See http://support.ntp.org/bin/view/Support/AccessRestrictions
# for more information.
#
restrict default limited kod nomodify notrap noquery nopeer
restrict source limited kod nomodify notrap noquery
#
# Alternatively, the following rules would block all unauthorized access.
#
#restrict default ignore
#
# In this case, all remote NTP time servers also need to be explicitly
# allowed or they would not be able to exchange time information with
# this server.
#
# Please note that this example doesn't work for the servers in
# the pool.ntp.org domain since they return multiple A records.
#
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
#
# The following settings allow unrestricted access from the localhost
restrict 127.0.0.1
restrict ::1
#
# If a server loses sync with all upstream servers, NTP clients
# no longer follow that server. The local clock can be configured
# to provide a time source when this happens, but it should usually
# be configured on just one server on a network. For more details see
# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
# The use of Orphan Mode may be preferable.
#
#server 127.127.1.0
#fudge 127.127.1.0 stratum 10
# See http://support.ntp.org/bin/view/Support/ConfiguringNTP#Section_6.14.
# for documentation regarding leapfile. Updates to the file can be obtained
# from ftp://time.nist.gov/pub/ or ftp://tycho.usno.navy.mil/pub/ntp/.
# Use either leapfile in /etc/ntp or periodically updated leapfile in /var/db.
#leapfile "/etc/ntp/leap-seconds"
leapfile "/var/db/ntpd.leap-seconds.list"
# Specify the number of megabytes of memory that should be allocated and
# locked. -1 (default) means "do not lock the process into memory".
# 0 means "lock whatever memory the process wants into memory". Any other
# number means to lock up to that number of megabytes into memory.
# 0 may result in a segfault when ASLR with stack gap randomization
# is enabled.
#rlimit memlock 32
>>>>>>> 14.0-RELEASE
⑨.手動による修正が必要なコメントが表示する。
The following file could not be merged automatically: /etc/passwd
Press Enter to edit this file in /usr/bin/vi and resolve the conflicts
manually...
<<<<<<< current version
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
=======
root:*:0:0:Charlie &:/root:/bin/sh
>>>>>>> 14.0-RELEASE
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
ntpd:*:123:123:NTP Daemon:/var/db/ntp:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
tests:*:977:977:Unprivileged user for tests:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TCG Software Stack user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
polkitd:*:565:565:Polkit Daemon User:/var/empty:/usr/sbin/nologin
colord:*:970:970:colord color management daemon:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
clamav:*:106:106:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
cyrus:*:60:60:the cyrus mail server:/nonexistent:/usr/sbin/nologin
postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
dovecot:*:143:143:Dovecot User:/var/empty:/usr/sbin/nologin
dovenull:*:144:144:Dovecot login User:/var/empty:/usr/sbin/nologin
⑩.手動による修正が必要なコメントが表示する。
The following file could not be merged automatically: /etc/ssh/sshd_config
Press Enter to edit this file in /usr/bin/vi and resolve the conflicts
manually...
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# Change to yes to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
#KbdInteractiveAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
<<<<<<< current version
#VersionAddendum FreeBSD-20230316
=======
#VersionAddendum FreeBSD-20231004
>>>>>>> 14.0-RELEASE
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
⑪.手動による修正が必要なコメントが表示する。
The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/blacklistd.conf:
--- current version
+++ new version
@@ -1,6 +1,5 @@
-# $FreeBSD$
#
# Blacklist rule
# adr/mask:port type proto owner name nfail disable
[local]
ssh stream * * * 3 24h
Does this look reasonable (y/n)?⑫.手動による修正が必要なコメントが表示する。
The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/crontab:
--- current version
+++ new version
@@ -1,8 +1,7 @@
# /etc/crontab - root's crontab for FreeBSD
#
-# $FreeBSD$
#
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
#
#minute hour mday month wday who command
Does this look reasonable (y/n)?⑬.手動による修正が必要なコメントが表示する。
The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/group:
--- current version
+++ new version
@@ -29,10 +29,11 @@
uucp:*:66:
dialer:*:68:
network:*:69:
audit:*:77:
www:*:80:
+u2f:*:116:
ntpd:*:123:
_ypldap:*:160:
hast:*:845:
tests:*:977:
nogroup:*:65533:
Does this look reasonable (y/n)?⑭.手動による修正が必要なコメントが表示する。
The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/hosts:
--- current version
+++ new version
@@ -1,6 +1,5 @@
-# $FreeBSD$
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file. Replace 'my.domain' below with the domainname of your
@@ -18,17 +17,17 @@
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
-# According to RFC 1918, you can use the following IP networks for
-# private nets which will never be connected to the Internet:
+# According to RFC 1918, you can use the following IP blocks for
+# private internets:
#
-# 10.0.0.0 - 10.255.255.255
-# 172.16.0.0 - 172.31.255.255
-# 192.168.0.0 - 192.168.255.255
+# 10.0.0.0 - 10.255.255.255 (10/8 prefix)
+# 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
+# 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
#
-# In case you want to be able to connect to the Internet, you need
+# In case you want to make addresses available on the Internet, you need
# real official assigned numbers. Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#
Does this look reasonable (y/n)?
⑮.手動による修正が必要なコメントが表示する。
The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/mail/aliases:
--- current version
+++ new version
@@ -1,6 +1,5 @@
-# $FreeBSD$
# @(#)aliases 5.3 (Berkeley) 5/24/90
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks.
#
Does this look reasonable (y/n)?⑯.手動による修正が必要なコメントが表示する。
The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/newsyslog.conf:
--- current version
+++ new version
@@ -1,7 +1,6 @@
# configuration file for newsyslog
-# $FreeBSD$
#
# Entries which do not specify the '/pid_file' field will cause the
# syslogd process to be signalled when that log file is rotated. This
# action is only appropriate for log files which are written to by the
# syslogd process (ie, files listed in /etc/syslog.conf). If there
@@ -14,25 +13,25 @@
# contents of maillog, messages, and lpd-errs to be confidential. In the
# future, these defaults may change to more conservative ones.
#
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/var/log/all.log 600 7 * @T00 J
-/var/log/auth.log 600 7 1000 @0101T JC
+/var/log/auth.log 600 7 1000 @0101T JC
/var/log/console.log 600 5 1000 * J
/var/log/cron 600 3 1000 * JC
+/var/log/daemon.log 644 5 1000 @0101T JC
/var/log/daily.log 640 7 * @T00 JN
-/var/log/debug.log 600 7 1000 * JC
+/var/log/debug.log 600 7 1000 * JC
+/var/log/devd.log 644 3 1000 * JC
/var/log/init.log 644 3 1000 * J
/var/log/kerberos.log 600 7 1000 * J
/var/log/maillog 640 7 * @T00 JC
/var/log/messages 644 5 1000 @0101T JC
/var/log/monthly.log 640 12 * $M1D0 JN
-/var/log/devd.log 644 3 1000 * JC
/var/log/security 600 10 1000 * JC
/var/log/utx.log 644 3 * @01T05 B
/var/log/weekly.log 640 5 * $W6D0 JN
-/var/log/daemon.log 644 5 1000 @0101T JC
# 設定追加
/var/log/ntpd.log 644 5 * $W6D0 B
/var/log/charon.log 644 5 * $W6D0 B
/var/log/backup/backup.log 644 5 * $W6D0 B
Does this look reasonable (y/n)?⑰.手動による修正が必要なコメントが表示する。
The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/ntp.conf:
--- current version
+++ new version
@@ -6,5 +6,6 @@
logconfig =syncstatus +sysevents +clockall
restrict default noquery nomodify notrap
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
+
Does this look reasonable (y/n)?⑱.手動による修正が必要なコメントが表示する。
The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/profile:
--- current version
+++ new version
@@ -1,6 +1,5 @@
-# $FreeBSD$
#
# System-wide .profile file for sh(1).
#
# For the setting of languages and character sets please see
# login.conf(5) and in particular the charset and lang options.
Does this look reasonable (y/n)?⑲.手動による修正が必要なコメントが表示する。
The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/shells:
--- current version
+++ new version
@@ -1,9 +1,7 @@
-# $FreeBSD$
-#
# List of acceptable shells for chpass(1).
-# Ftpd will not allow users to connect who are not using
+# ftpd(8) will not allow users to connect who are not using
# one of these shells.
/bin/sh
/bin/csh
/bin/tcsh
Does this look reasonable (y/n)?⑳.手動による修正が必要なコメントが表示する。
The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/ssh/sshd_config:
--- current version
+++ new version
@@ -86,11 +86,11 @@
#UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding yes
+#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
@@ -103,11 +103,11 @@
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
-#VersionAddendum FreeBSD-20230316
+#VersionAddendum FreeBSD-20231004
# no default banner path
#Banner none
# override default of no subsystems
Does this look reasonable (y/n)?㉑.手動による修正が必要なコメントが表示する。
The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/ttys:
--- current version
+++ new version
@@ -1,7 +1,6 @@
#
-# $FreeBSD$
# @(#)ttys 5.1 (Berkeley) 4/17/89
#
# This file specifies various information about terminals on the system.
# It is used by several different programs. Common entries for the
# various columns include:
@@ -44,10 +43,10 @@
ttyu0 "/usr/libexec/getty 3wire" vt100 onifconsole secure
ttyu1 "/usr/libexec/getty 3wire" vt100 onifconsole secure
ttyu2 "/usr/libexec/getty 3wire" vt100 onifconsole secure
ttyu3 "/usr/libexec/getty 3wire" vt100 onifconsole secure
# Dumb console
-dcons "/usr/libexec/getty std.9600" vt100 off secure
+dcons "/usr/libexec/getty std.115200" vt100 off secure
# Xen Virtual console
xc0 "/usr/libexec/getty Pc" xterm onifconsole secure
# RISC-V HTIF console
-rcons "/usr/libexec/getty std.9600" vt100 onifconsole secure
+rcons "/usr/libexec/getty std.115200" vt100 onifconsole secure
Does this look reasonable (y/n)?㉒.何度も「Does this look reasonable」が表示する部分は、Y を選択しました。
㉓.「/usr/sbin/freebsd-update install」が表示する事を確認する。
The following files will be removed as part of updating to
14.0-RELEASE-p4:
/boot/kernel/amr.ko
/boot/kernel/amr_cam.ko
/boot/kernel/amr_linux.ko
/boot/kernel/cloudabi.ko
/boot/kernel/cloudabi32.ko
/boot/kernel/cloudabi64.ko
/boot/kernel/esp.ko
/boot/kernel/geom_part_vtoc8.ko
省略
/bin/hostname
/bin/kenv
/bin/kill
/bin/link
/bin/ln
/bin/ls
/bin/mkdir
/bin/mv
To install the downloaded upgrades, run "/usr/sbin/freebsd-update install".
㉔.アップデートのコマンドを実行する。
/usr/sbin/freebsd-update installInstalling updates...
Kernel updates have been installed. Please reboot and run
"/usr/sbin/freebsd-update install" again to finish installing updates.前回、ファイヤーウォールを無効化しないと、正常にアップグレード出来なかった事あったため
同じように、ファイヤーウォール(ipfw)を無効化する事にしました。
㉕.ipfw(ファイヤーウォール)を無効にする。
vim /etc/rc.conf#firewall_enable="YES"
#firewall_script="/shell/ipfw/ipfw.rules"
#firewall_logging="YES"㉖.再起動する。
reboot㉗.カーネルバージョンを確認する
uname -aFreeBSD FreeBSD 14.0-RELEASE-p3 FreeBSD 14.0-RELEASE-p3 #0: Mon Dec 11 04:56:01 UTC 2023 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
FreeBSD 14.0 と表示されている事を確認する。
㉘.再度、freebsd-update install を実行する。
/usr/sbin/freebsd-update install
Installing updates...rm: ///usr/src/contrib/llvm-project/libcxx/include/__string: is a directory
rm: ///usr/include/c++/v1/__string: is a directory
Restarting sshd after upgrade
Performing sanity check on sshd configuration.
Stopping sshd.
Waiting for PIDS: 1431, 1431.
Performing sanity check on sshd configuration.
Starting sshd.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
Completing this upgrade requires removing old shared object files.
Please rebuild all installed 3rd party software (e.g., programs
installed from the ports tree) and then run "/usr/sbin/freebsd-update install"
again to finish installing updates.
㉙.アップグレード時に使用したデータを削除する。
rm -rf /var/db/freebsd-update/files㉚.ipfw(ファイヤーウォール)を有効にする。
vim /etc/rc.conffirewall_enable="YES"
firewall_script="/shell/ipfw/ipfw.rules"
firewall_logging="YES"㉛.再起動する。
正常に動作している事を確認する。
注意点①
SSHでのログインが出来なくなり、ログを確認すると以下のログが出力されてました。
userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms回避方法としては、「ssh-rsa」が使用できなくなっているため、以下のファイルを修正しました。
vim /etc/ssh/sshd_config下記のコマンドを追加することで回避することができました。
PubkeyAcceptedAlgorithms = +ssh-rsa注意点②
Mail が使用できないので、Dovecot のログを確認すると以下のメッセージが表示されてました。
Jan 12 16:32:23 FreeBSD dovecot[15316]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:25066067:DSO support routines:dlfcn_load:could not load the shared library: filename(libproviders.so): Shared object "libproviders.so" not found, required by "imap-login", error:25070067:DSO support routines:DSO_load:could not load the shared library, error:0E07506E:configuration file routines:module_load_dso:error loading dso: module=providers, path=providers, error:0E076071:configuration file routines:mo
Jan 12 16:32:23 FreeBSD dovecot[15316]: imap-login: Error: dule_run:unknown module name: module=providers: user=<>, rip=192.168.0.30, lip=192.168.0.10, session=<ly5CqroO2vDAqAAe>
回避方法としては、以下の設定ファイルを修正する必要がありました。
vim /etc/ssl/openssl.cnf「providers = provider_sect」をコメントアウトします。
[openssl_init]
#providers = provider_sectDovecot を再起動します。
/usr/local/etc/rc.d/dovecot restart再起動後、Mailが正常に使用できれば大丈夫です。
