I was able to upgrade to FreeBSD 14.0, so I decided to write up these notes.

Time required

In my environment, the work took about 4 hours to complete.

Checking the kernel version before the upgrade

uname -a
FreeBSD FreeBSD 13.2-RELEASE-p8 FreeBSD 13.2-RELEASE-p8 GENERIC amd64

Performing the upgrade

①. Apply the latest patches available at this point.

freebsd-update fetch
freebsd-update install

②. Run the upgrade command.

freebsd-update upgrade -r 14.0-RELEASE

③. Answer Y to "Does this look reasonable".

[root@FreeBSD ~]# freebsd-update upgrade -r 14.0-RELEASE
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 13.2-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Inspecting system... done.

The following components of FreeBSD seem to be installed:
kernel/generic kernel/generic-dbg src/src world/base world/lib32

The following components of FreeBSD do not seem to be installed:
world/base-dbg world/lib32-dbg

Does this look reasonable (y/n)? y

④. The software needed for the upgrade is downloaded, so this step takes time.

Fetching metadata signature for 14.0-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.
Fetching files from 13.2-RELEASE for merging... done.
Preparing to download files... done.
Fetching 55717 patches.....10....20....30....(omitted)....55700....55710... done.
Fetching 12988 files... ....10....20....30....(omitted)....12970....12980.... done.
Attempting to automatically merge changes in files... done.

⑤. A message saying that manual correction is required is displayed.

The following file could not be merged automatically: /etc/group
Press Enter to edit this file in /usr/bin/vi and resolve the conflicts
manually...


<<<<<<< current version
# $FreeBSD$
#
wheel:*:0:root,yoxxxx
=======
wheel:*:0:root
>>>>>>> 14.0-RELEASE
daemon:*:1:
kmem:*:2:
sys:*:3:
tty:*:4:
operator:*:5:root
mail:*:6:clamav,postfix
bin:*:7:
news:*:8:
man:*:9:
games:*:13:
ftp:*:14:
staff:*:20:
sshd:*:22:
smmsp:*:25:
mailnull:*:26:
guest:*:31:
video:*:44:
realtime:*:47:
idletime:*:48:
bind:*:53:
unbound:*:59:
proxy:*:62:
authpf:*:63:
_pflogd:*:64:
_dhcp:*:65:
uucp:*:66:
dialer:*:68:
network:*:69:
audit:*:77:
www:*:80:
u2f:*:116:
ntpd:*:123:
_ypldap:*:160:
hast:*:845:
tests:*:977:
nogroup:*:65533:
nobody:*:65534:
hamanaka:*:1001:
_tss:*:601:
messagebus:*:556:
avahi:*:558:
cups:*:193:
polkitd:*:565:
colord:*:970:
mysql:*:88:
clamav:*:106:
cyrus:*:60:
maildrop:*:126:
postfix:*:125:
dovecot:*:143:
dovenull:*:144:
spamd:*:58:
munin:*:842:

⑥. A message saying that manual correction is required is displayed.

The following file could not be merged automatically: /etc/hosts.allow
Press Enter to edit this file in /usr/bin/vi and resolve the conflicts
manually...



<<<<<<< current version
ALL : localhost 127.0.0.1 192.168.0. : allow
sshd : .ne.jp : allow
ALL : ALL : deny
=======
#
# hosts.allow access control file for "tcp wrapped" applications.
#
# NOTE: The hosts.deny file is deprecated.
#       Place both 'allow' and 'deny' rules in the hosts.allow file.
#       See hosts_options(5) for the format of this file.
#       hosts_access(5) no longer fully applies.
#
#   _____                                      _          _
#  | ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
#  |  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
#  | |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
#  |_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
#                                     |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost.  Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 : allow
# Comment out next line if you build libwrap without IPv6 support.
ALL : [::1] : allow
#ALL : my.machine.example.com 192.0.2.35 : allow

# To use IPv6 addresses you must enclose them in []'s
#ALL : [fe80::%fxp0]/10 : allow
#ALL : [fe80::]/10 : deny
#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
#ALL : [2001:db8:2:1::]/64 : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
#sendmail : .nice.guy.example.com : allow
#sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
#exim : .nice.guy.example.com : allow
#exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Rpcbind is used for all RPC services; protect your NFS!
# Rpcbind should be running with -W option to support this.
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny

# NIS master server. Only local nets should have access
# (Since this is an RPC service, rpcbind needs to be considered)
ypserv : localhost : allow
#ypserv : .unsafe.my.net.example.com : deny
#ypserv : .my.net.example.com : allow
ypserv : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
        : spawn (echo Finger. | \
         /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
        : deny

# The rest of the daemons are protected.
ALL : ALL \
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %h."
>>>>>>> 14.0-RELEASE

⑦. A message saying that manual correction is required is displayed.

The following file could not be merged automatically: /etc/master.passwd
Press Enter to edit this file in /usr/bin/vi and resolve the conflicts
manually...

<<<<<<< current version
# $FreeBSD$
#
root:$6$f667jkxZL.fe8uP.$vv.KaVHMGyzFMkY/cEIHQBNrn6FGwYJk9kFUnwmyrNEYK9eVO9vfdUi55us02aw/l
QmlzimV01dbPUe.WvJzx.:0:0::0:0:Charlie &:/root:/usr/local/bin/bash
=======
root::0:0::0:0:Charlie &:/root:/bin/sh
>>>>>>> 14.0-RELEASE
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59::0:0:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin

⑧. A message saying that manual correction is required is displayed.

The following file could not be merged automatically: /etc/ntp.conf
Press Enter to edit this file in /usr/bin/vi and resolve the conflicts
manually...



<<<<<<< current version
pool            ntp.nict.jp iburst
pool            ntp.jst.mfeed.ad.jp iburst
pool            time.google.com iburst
=======
#
#
# Default NTP servers for the FreeBSD operating system.
#
# Don't forget to enable ntpd in /etc/rc.conf with:
# ntpd_enable="YES"
#
# The driftfile is by default /var/db/ntpd.drift, check
# /etc/defaults/rc.conf on how to change the location.
#
>>>>>>> 14.0-RELEASE

logfile         /var/log/ntpd.log
logconfig       =syncstatus +sysevents +clockall

<<<<<<< current version
restrict        default noquery nomodify notrap
restrict        192.168.0.0 mask 255.255.255.0 nomodify notrap
restrict        127.0.0.1
=======
#
# The following pool statements will give you a random set of IPv4 and IPv6
# NTP servers geographically close to you.  A single pool statement adds
# multiple servers from the pool, according to the tos minclock/maxclock
# targets.
# See http://www.pool.ntp.org/ for details.  Note, pool.ntp.org encourages
# users with a static IP and good upstream NTP servers to add a server
# to the pool.  See http://www.pool.ntp.org/join.html if you are interested.
#
# The option `iburst' is used for faster initial synchronization.
#
pool 0.freebsd.pool.ntp.org iburst
pool 2.freebsd.pool.ntp.org iburst

#
# If you want to pick yourself which country's public NTP server
# you want to sync against, comment out the above pool statements,
# uncomment the next ones, and replace CC with the country's abbreviation.
# Make sure that the hostnames resolves to a proper IP address!
#
# pool 0.CC.pool.ntp.org iburst
# pool 2.CC.pool.ntp.org iburst

#
# To configure a specific server, such as an organization-wide local
# server, add lines similar to the following.  One or more specific
# servers can be configured in addition to, or instead of, any server
# pools specified above.  When both are configured, ntpd first adds all
# the specific servers, then adds servers from the pool until the tos
# minclock/maxclock targets are met.
#
#server time.my-internal.org iburst

#
# Security:
#
# By default, only allow time queries and block all other requests
# from unauthenticated clients.
#
# The "restrict source" line allows peers to be mobilized when added by
# ntpd from a pool, but does not enable mobilizing a new peer association
# by other dynamic means (broadcast, manycast, ntpq commands, etc).
#
# See http://support.ntp.org/bin/view/Support/AccessRestrictions
# for more information.
#
restrict default limited kod nomodify notrap noquery nopeer
restrict source  limited kod nomodify notrap noquery

#
# Alternatively, the following rules would block all unauthorized access.
#
#restrict default ignore
#
# In this case, all remote NTP time servers also need to be explicitly
# allowed or they would not be able to exchange time information with
# this server.
#
# Please note that this example doesn't work for the servers in
# the pool.ntp.org domain since they return multiple A records.
#
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
#
# The following settings allow unrestricted access from the localhost
restrict 127.0.0.1
restrict ::1

#
# If a server loses sync with all upstream servers, NTP clients
# no longer follow that server. The local clock can be configured
# to provide a time source when this happens, but it should usually
# be configured on just one server on a network. For more details see
# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
# The use of Orphan Mode may be preferable.
#
#server 127.127.1.0
#fudge 127.127.1.0 stratum 10

# See http://support.ntp.org/bin/view/Support/ConfiguringNTP#Section_6.14.
# for documentation regarding leapfile. Updates to the file can be obtained
# from ftp://time.nist.gov/pub/ or ftp://tycho.usno.navy.mil/pub/ntp/.
# Use either leapfile in /etc/ntp or periodically updated leapfile in /var/db.
#leapfile "/etc/ntp/leap-seconds"
leapfile "/var/db/ntpd.leap-seconds.list"

# Specify the number of megabytes of memory that should be allocated and
# locked. -1 (default) means "do not lock the process into memory".
# 0 means "lock whatever memory the process wants into memory". Any other
# number means to lock up to that number of megabytes into memory.
# 0 may result in a segfault when ASLR with stack gap randomization
# is enabled.
#rlimit memlock 32
>>>>>>> 14.0-RELEASE

⑨. A message saying that manual correction is required is displayed.

The following file could not be merged automatically: /etc/passwd
Press Enter to edit this file in /usr/bin/vi and resolve the conflicts
manually...


<<<<<<< current version
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
=======
root:*:0:0:Charlie &:/root:/bin/sh
>>>>>>> 14.0-RELEASE
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
ntpd:*:123:123:NTP Daemon:/var/db/ntp:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
tests:*:977:977:Unprivileged user for tests:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TCG Software Stack user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
polkitd:*:565:565:Polkit Daemon User:/var/empty:/usr/sbin/nologin
colord:*:970:970:colord color management daemon:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
clamav:*:106:106:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
cyrus:*:60:60:the cyrus mail server:/nonexistent:/usr/sbin/nologin
postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
dovecot:*:143:143:Dovecot User:/var/empty:/usr/sbin/nologin
dovenull:*:144:144:Dovecot login User:/var/empty:/usr/sbin/nologin

⑩. A message saying that manual correction is required is displayed.

The following file could not be merged automatically: /etc/ssh/sshd_config
Press Enter to edit this file in /usr/bin/vi and resolve the conflicts
manually...


#       $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
<<<<<<< current version
#VersionAddendum FreeBSD-20230316
=======
#VersionAddendum FreeBSD-20231004
>>>>>>> 14.0-RELEASE

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server


Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

⑪. A message saying that manual correction is required is displayed.

The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/blacklistd.conf:
--- current version
+++ new version
@@ -1,6 +1,5 @@
-# $FreeBSD$
 #
 # Blacklist rule
 # adr/mask:port        type    proto   owner           name    nfail   disable
 [local]
 ssh            stream  *       *               *       3       24h
Does this look reasonable (y/n)?

⑫. A message saying that manual correction is required is displayed.

The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/crontab:
--- current version
+++ new version
@@ -1,8 +1,7 @@
 # /etc/crontab - root's crontab for FreeBSD
 #
-# $FreeBSD$
 #
 SHELL=/bin/sh
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
 #
 #minute        hour    mday    month   wday    who     command
Does this look reasonable (y/n)?

⑬. A message saying that manual correction is required is displayed.

The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/group:
--- current version
+++ new version
@@ -29,10 +29,11 @@
 uucp:*:66:
 dialer:*:68:
 network:*:69:
 audit:*:77:
 www:*:80:
+u2f:*:116:
 ntpd:*:123:
 _ypldap:*:160:
 hast:*:845:
 tests:*:977:
 nogroup:*:65533:
Does this look reasonable (y/n)?

⑭. A message saying that manual correction is required is displayed.

The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/hosts:
--- current version
+++ new version
@@ -1,6 +1,5 @@
-# $FreeBSD$
 #
 # Host Database
 #
 # This file should contain the addresses and aliases for local hosts that
 # share this file.  Replace 'my.domain' below with the domainname of your
@@ -18,17 +17,17 @@
 #
 # Imaginary network.
 #10.0.0.2              myname.my.domain myname
 #10.0.0.3              myfriend.my.domain myfriend
 #
-# According to RFC 1918, you can use the following IP networks for
-# private nets which will never be connected to the Internet:
+# According to RFC 1918, you can use the following IP blocks for
+# private internets:
 #
-#      10.0.0.0        -   10.255.255.255
-#      172.16.0.0      -   172.31.255.255
-#      192.168.0.0     -   192.168.255.255
+#      10.0.0.0        -   10.255.255.255      (10/8 prefix)
+#      172.16.0.0      -   172.31.255.255      (172.16/12 prefix)
+#      192.168.0.0     -   192.168.255.255     (192.168/16 prefix)
 #
-# In case you want to be able to connect to the Internet, you need
+# In case you want to make addresses available on the Internet, you need
 # real official assigned numbers.  Do not try to invent your own network
 # numbers but instead get one from your network provider (if any) or
 # from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
 #
Does this look reasonable (y/n)?

⑮. A message saying that manual correction is required is displayed.

The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/mail/aliases:
--- current version
+++ new version
@@ -1,6 +1,5 @@
-# $FreeBSD$
 #      @(#)aliases     5.3 (Berkeley) 5/24/90
 #
 #  Aliases in this file will NOT be expanded in the header from
 #  Mail, but WILL be visible over networks.
 #
Does this look reasonable (y/n)?

⑯. A message saying that manual correction is required is displayed.

The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/newsyslog.conf:
--- current version
+++ new version
@@ -1,7 +1,6 @@
 # configuration file for newsyslog
-# $FreeBSD$
 #
 # Entries which do not specify the '/pid_file' field will cause the
 # syslogd process to be signalled when that log file is rotated.  This
 # action is only appropriate for log files which are written to by the
 # syslogd process (ie, files listed in /etc/syslog.conf).  If there
@@ -14,25 +13,25 @@
 # contents of maillog, messages, and lpd-errs to be confidential.  In the
 # future, these defaults may change to more conservative ones.
 #
 # logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
 /var/log/all.log                       600  7     *    @T00  J
-/var/log/auth.log                      600  7     1000 @0101T JC
+/var/log/auth.log                      600  7     1000 @0101T JC
 /var/log/console.log                   600  5     1000 *     J
 /var/log/cron                          600  3     1000 *     JC
+/var/log/daemon.log                    644  5     1000 @0101T JC
 /var/log/daily.log                     640  7     *    @T00  JN
-/var/log/debug.log                     600  7     1000 *     JC
+/var/log/debug.log                     600  7     1000 *     JC
+/var/log/devd.log                      644  3     1000 *     JC
 /var/log/init.log                      644  3     1000 *     J
 /var/log/kerberos.log                  600  7     1000 *     J
 /var/log/maillog                       640  7     *    @T00  JC
 /var/log/messages                      644  5     1000 @0101T JC
 /var/log/monthly.log                   640  12    *    $M1D0 JN
-/var/log/devd.log                      644  3     1000 *     JC
 /var/log/security                      600  10    1000 *     JC
 /var/log/utx.log                       644  3     *    @01T05 B
 /var/log/weekly.log                    640  5     *    $W6D0 JN
-/var/log/daemon.log                    644  5     1000 @0101T JC

 # 設定追加
 /var/log/ntpd.log                       644  5     *    $W6D0 B
 /var/log/charon.log                     644  5     *    $W6D0 B
 /var/log/backup/backup.log              644  5     *    $W6D0 B
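Review bot: The locally added entries at the end of this hunk (/var/log/ntpd.log, /var/log/charon.log, /var/log/backup/backup.log) rotate with mode 644, while auth.log and security in the same file use 600. If charon.log or backup.log can carry connection or path details that should not be world-readable, tighten them to 600 or 640 in the same edit. The rest of the hunk only moves daemon.log and devd.log into alphabetical position, and the auth.log and debug.log -/+ pairs show no visible difference other than whitespace.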
Does this look reasonable (y/n)?

⑰. A message saying that manual correction is required is displayed.

The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/ntp.conf:
--- current version
+++ new version
@@ -6,5 +6,6 @@
 logconfig       =syncstatus +sysevents +clockall

 restrict        default noquery nomodify notrap
 restrict        192.168.0.0 mask 255.255.255.0 nomodify notrap
 restrict        127.0.0.1
+
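Review bot: The merged /etc/ntp.conf still ends with the old restrict lines ("restrict default noquery nomodify notrap", and no "restrict ::1"); the only change this hunk brings is a trailing blank line. The 14.0-RELEASE side of the conflict shown earlier on this page uses "restrict default limited kod nomodify notrap noquery nopeer", adds "restrict source limited kod nomodify notrap noquery" and includes "restrict ::1". Decide deliberately whether to carry those over instead of treating this merge as complete.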
Does this look reasonable (y/n)?

⑱. A message saying that manual correction is required is displayed.

The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/profile:
--- current version
+++ new version
@@ -1,6 +1,5 @@
-# $FreeBSD$
 #
 # System-wide .profile file for sh(1).
 #
 # For the setting of languages and character sets please see
 # login.conf(5) and in particular the charset and lang options.
Does this look reasonable (y/n)?

⑲. A message saying that manual correction is required is displayed.

The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/shells:
--- current version
+++ new version
@@ -1,9 +1,7 @@
-# $FreeBSD$
-#
 # List of acceptable shells for chpass(1).
-# Ftpd will not allow users to connect who are not using
+# ftpd(8) will not allow users to connect who are not using
 # one of these shells.

 /bin/sh
 /bin/csh
 /bin/tcsh
Does this look reasonable (y/n)?

⑳. A message saying that manual correction is required is displayed.

The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/ssh/sshd_config:
--- current version
+++ new version
@@ -86,11 +86,11 @@
 #UsePAM yes

 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding yes
+#X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
 #PrintMotd yes
 #PrintLastLog yes
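Review bot: The X11Forwarding line changed in this hunk is commented out, so the merge alters only the documented default and this file sets no explicit value. If X11 forwarding is meant to stay off regardless of the built-in default, add an explicit "X11Forwarding no" next to the other local overrides at the end of the file (PermitRootLogin no, PasswordAuthentication no).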
@@ -103,11 +103,11 @@
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #UseBlacklist no
-#VersionAddendum FreeBSD-20230316
+#VersionAddendum FreeBSD-20231004

 # no default banner path
 #Banner none

 # override default of no subsystems
Does this look reasonable (y/n)?

㉑. A message saying that manual correction is required is displayed.

The following changes, which occurred between FreeBSD 13.2-RELEASE and
FreeBSD 14.0-RELEASE have been merged into /etc/ttys:
--- current version
+++ new version
@@ -1,7 +1,6 @@
 #
-# $FreeBSD$
 #      @(#)ttys        5.1 (Berkeley) 4/17/89
 #
 # This file specifies various information about terminals on the system.
 # It is used by several different programs.  Common entries for the
 # various columns include:
@@ -44,10 +43,10 @@
 ttyu0  "/usr/libexec/getty 3wire"      vt100   onifconsole secure
 ttyu1  "/usr/libexec/getty 3wire"      vt100   onifconsole secure
 ttyu2  "/usr/libexec/getty 3wire"      vt100   onifconsole secure
 ttyu3  "/usr/libexec/getty 3wire"      vt100   onifconsole secure
 # Dumb console
-dcons  "/usr/libexec/getty std.9600"   vt100   off secure
+dcons  "/usr/libexec/getty std.115200" vt100   off secure
 # Xen Virtual console
 xc0    "/usr/libexec/getty Pc"         xterm   onifconsole secure
 # RISC-V HTIF console
-rcons  "/usr/libexec/getty std.9600"   vt100   onifconsole secure
+rcons  "/usr/libexec/getty std.115200" vt100   onifconsole secure
Does this look reasonable (y/n)?

㉒. For each of the repeated "Does this look reasonable" prompts, I selected Y.

㉓. Confirm that "/usr/sbin/freebsd-update install" is displayed.

The following files will be removed as part of updating to
14.0-RELEASE-p4:
/boot/kernel/amr.ko
/boot/kernel/amr_cam.ko
/boot/kernel/amr_linux.ko
/boot/kernel/cloudabi.ko
/boot/kernel/cloudabi32.ko
/boot/kernel/cloudabi64.ko
/boot/kernel/esp.ko
/boot/kernel/geom_part_vtoc8.ko


(omitted)


/bin/hostname
/bin/kenv
/bin/kill
/bin/link
/bin/ln
/bin/ls
/bin/mkdir
/bin/mv
To install the downloaded upgrades, run "/usr/sbin/freebsd-update install".

㉔. Run the update command.

/usr/sbin/freebsd-update install
Installing updates...
Kernel updates have been installed.  Please reboot and run
"/usr/sbin/freebsd-update install" again to finish installing updates.

On a previous occasion the upgrade could not complete normally unless the firewall was disabled, so I decided to disable the firewall (ipfw) in the same way this time.

㉕. Disable ipfw (the firewall).

vim /etc/rc.conf
#firewall_enable="YES"
#firewall_script="/shell/ipfw/ipfw.rules"
#firewall_logging="YES"

㉖. Reboot.

reboot

㉗. Check the kernel version.

uname -a
FreeBSD FreeBSD 14.0-RELEASE-p3 FreeBSD 14.0-RELEASE-p3 #0: Mon Dec 11 04:56:01 UTC 2023     root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

Confirm that FreeBSD 14.0 is displayed.

㉘. Run freebsd-update install again.

/usr/sbin/freebsd-update install

Installing updates...rm: ///usr/src/contrib/llvm-project/libcxx/include/__string: is a directory
rm: ///usr/include/c++/v1/__string: is a directory

Restarting sshd after upgrade
Performing sanity check on sshd configuration.
Stopping sshd.
Waiting for PIDS: 1431, 1431.
Performing sanity check on sshd configuration.
Starting sshd.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...

Completing this upgrade requires removing old shared object files.
Please rebuild all installed 3rd party software (e.g., programs
installed from the ports tree) and then run "/usr/sbin/freebsd-update install"
again to finish installing updates.

㉙. Delete the data used during the upgrade.

rm -rf /var/db/freebsd-update/files

㉚. Enable ipfw (the firewall).

vim /etc/rc.conf
firewall_enable="YES"
firewall_script="/shell/ipfw/ipfw.rules"
firewall_logging="YES"

㉛. Reboot.

Confirm that everything is working normally.
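
The conflict displays in steps ⑤ to ⑩ show why the hand merge matters: the 14.0-RELEASE side of /etc/master.passwd has an empty root password field, and the 14.0-RELEASE side of /etc/hosts.allow begins with "ALL : ALL : allow". The script below is an added example, not part of the original post; it checks a merged /etc for leftover conflict markers and for those two outcomes. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: sanity checks for the files freebsd-update asked to merge by hand.
# The layout under ROOT mirrors /etc; all names here are illustrative.

# Succeeds if FILE still contains merge conflict markers.
has_conflict_markers() {
    grep -Eq '^(<<<<<<< |=======$|>>>>>>> )' "$1"
}

# Prints accounts in a master.passwd-format FILE whose password field is empty.
empty_password_accounts() {
    awk -F: '!/^#/ && NF == 10 && $2 == "" { print $1 }' "$1"
}

# Prints the first non-comment rule of a hosts.allow FILE with whitespace removed.
# Rules are "first match wins", so this rule decides everything if it is ALL:ALL.
first_hosts_allow_rule() {
    awk '!/^[ \t]*(#|$)/ { gsub(/[ \t]+/, ""); print; exit }' "$1"
}

# audit_merged ROOT: prints one finding per line; returns non-zero on any finding.
audit_merged() {
    root=$1
    findings=0
    for f in group hosts.allow master.passwd ntp.conf passwd ssh/sshd_config; do
        path="$root/etc/$f"
        [ -f "$path" ] || continue
        if has_conflict_markers "$path"; then
            echo "MARKERS $path"
            findings=$((findings + 1))
        fi
    done
    if [ -f "$root/etc/master.passwd" ]; then
        for u in $(empty_password_accounts "$root/etc/master.passwd"); do
            echo "EMPTY-PASSWORD $u"
            findings=$((findings + 1))
        done
    fi
    if [ -f "$root/etc/hosts.allow" ] &&
       [ "$(first_hosts_allow_rule "$root/etc/hosts.allow")" = "ALL:ALL:allow" ]; then
        echo "ALLOW-ALL $root/etc/hosts.allow"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: /etc as it would look if the "14.0-RELEASE" side of the
# master.passwd and hosts.allow conflicts were kept and ntp.conf left unresolved.
make_sample_tree() {
    mkdir -p "$1/etc"
    printf '%s\n' '# constructed sample' \
        'root::0:0::0:0:Charlie &:/root:/bin/sh' \
        'toor:*:0:0::0:0:Bourne-again Superuser:/root:' > "$1/etc/master.passwd"
    printf '%s\n' '# constructed sample' '' 'ALL : ALL : allow' \
        'ALL : localhost 127.0.0.1 : allow' > "$1/etc/hosts.allow"
    printf '%s\n' '<<<<<<< current version' 'pool ntp.nict.jp iburst' \
        '=======' '>>>>>>> 14.0-RELEASE' > "$1/etc/ntp.conf"
}

# Demo run on the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
audit_merged "$demo_root" || echo "review the findings above before rebooting"
rm -rf "$demo_root"
```

On a real host, run audit_merged / as root, since /etc/master.passwd is not world-readable.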

Note ①

I could no longer log in over SSH, and when I checked the logs, the following message had been logged.

userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms

As a workaround, since "ssh-rsa" can no longer be used, I modified the following file.

vim /etc/ssh/sshd_config

Adding the following line worked around the problem.

PubkeyAcceptedAlgorithms = +ssh-rsa
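
The log message above is produced when a client signs with ssh-rsa (RSA with SHA-1), which OpenSSH has disabled by default since 8.8; the RSA key itself remains usable with rsa-sha2-256/512 signatures. The script below is an added example, not part of the original post: it correlates the rejection message with the disconnect line logged by the same sshd process to list which users and addresses still depend on the setting. The sample log lines are constructed, and the "authenticating user" disconnect line format is an assumption about the host's sshd logging.

```sh
#!/bin/sh
# Added example: find clients that still sign with ssh-rsa (SHA-1), so they can
# be migrated and "+ssh-rsa" removed again. Function names are illustrative.

# legacy_rsa_clients LOGFILE: prints "user address count", one line per client
# whose sshd process logged the ssh-rsa rejection. Lines are joined by sshd PID.
legacy_rsa_clients() {
    awk '
    match($0, /sshd\[[0-9]+\]:/) {
        # "sshd[" is 5 characters and "]:" is 2, the PID sits between them
        pid = substr($0, RSTART + 5, RLENGTH - 7)
        if (index($0, "signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms")) {
            rejected[pid] = 1
        } else if (rejected[pid] && match($0, /authenticating user [^ ]+ [^ ]+ port/)) {
            split(substr($0, RSTART, RLENGTH), w, " ")
            seen[w[3] " " w[4]]++
            delete rejected[pid]      # PIDs are reused, forget this session
        }
    }
    END { for (k in seen) print k, seen[k] }
    ' "$1" | sort
}

# Constructed sample log (user names, addresses and PIDs are made up).
sample_auth_log() {
    cat <<'EOF'
Jan 12 16:40:01 FreeBSD sshd[2101]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jan 12 16:40:01 FreeBSD sshd[2101]: Connection closed by authenticating user alice 192.168.0.30 port 50412 [preauth]
Jan 12 16:41:10 FreeBSD sshd[2117]: Accepted publickey for bob from 192.168.0.31 port 50500 ssh2: ED25519 SHA256:CONSTRUCTED
Jan 12 16:42:00 FreeBSD sshd[2130]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jan 12 16:42:00 FreeBSD sshd[2130]: Connection closed by authenticating user alice 192.168.0.30 port 50420 [preauth]
Jan 12 16:43:00 FreeBSD sshd[2140]: Connection closed by authenticating user carol 192.168.0.40 port 50001 [preauth]
EOF
}

# Demo run on the constructed log.
demo_log=$(mktemp)
sample_auth_log > "$demo_log"
legacy_rsa_clients "$demo_log"
rm -f "$demo_log"
```

Clients that appear in the output need either a newer SSH client or a new key type such as Ed25519; once the list is empty, the "+ssh-rsa" line can be removed from sshd_config.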

Note ②

Mail was unusable, and when I checked the Dovecot log, the following messages were displayed.

Jan 12 16:32:23 FreeBSD dovecot[15316]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:25066067:DSO support routines:dlfcn_load:could not load the shared library: filename(libproviders.so): Shared object "libproviders.so" not found, required by "imap-login", error:25070067:DSO support routines:DSO_load:could not load the shared library, error:0E07506E:configuration file routines:module_load_dso:error loading dso: module=providers, path=providers, error:0E076071:configuration file routines:mo
Jan 12 16:32:23 FreeBSD dovecot[15316]: imap-login: Error: dule_run:unknown module name: module=providers: user=<>, rip=192.168.0.30, lip=192.168.0.10, session=<ly5CqroO2vDAqAAe>

As a workaround, the following configuration file needed to be modified.

vim /etc/ssl/openssl.cnf

Comment out "providers = provider_sect".

[openssl_init]
#providers = provider_sect

Restart Dovecot.

/usr/local/etc/rc.d/dovecot restart

After the restart, if mail works normally, you are done.