Keeping FreeBSD Up-to-Date - Part 2

This is the second article in a multi-part series on keeping FreeBSD up-to-date. The first article in this series is Keeping The OS Up-to-Date.

Keeping Ports Up-to-Date

This article will attempt to explain how to keep your FreeBSD ports tree up-to-date and how to install ports and upgrade any already installed ports. I will also show you how to check any of your installed ports for any security vulnerabilities. The tools we will use in this tutorial are portsnap, portupgrade, pkg_add, portversion, and portaudit. This tutorial will be based on FreeBSD 6.0.

First things first: What is the FreeBSD ports tree? The FreeBSD ports tree is a set of 14,000+ applications, utilities, daemons, etc. that are preconfigured to work on the FreeBSD operating system. You can install from a package if a binary package is available, or compile from source using the port. The two terms are almost interchangeable, except that a package refers to a binary and a port refers to source code. Either way, you get the application installed. It’s just a matter of how long it will take and whether you need any customization for the install.

Installing Ports

The first thing you will want to do is update your ports tree. First set an environment variable to fetch the latest and greatest ports that are deemed “stable”. From the command line run:

# setenv PACKAGESITE ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/

You can also add the above environment variable to your default shell’s “rc” file so that it will be set each time you log on to the system. In my case, that is .cshrc. You can also change “ftp2” in the above URL to point to your FreeBSD FTP server of choice.

Now we will use an application that is a part of the base system called portsnap to fetch any updated ports and prepare them for installation on the system. To run portsnap for the first time, simply run:

# portsnap fetch && portsnap extract

This will fetch the ports tree from the Internet and extract the necessary files to their proper location within /usr/ports/. Each subsequent time you run portsnap, run it as follows:

# portsnap fetch && portsnap update

Run portsnap as often as you would like to keep your ports tree up-to-date. Now that your ports tree is up-to-date you can begin installing your third-party applications knowing that you are installing the latest and greatest version of the application you’re interested in. To install an application (nmap in these examples) you can attempt to install from a package or install from the port. To install nmap via package, run the following command:

# pkg_add -r nmap

To install nmap from the port and compile it from source, first locate where the port is by running:

# whereis nmap
nmap: /usr/ports/security/nmap

You can see from the output returned that nmap is located in /usr/ports/security/nmap. To install the application from source, run the following:

# cd /usr/ports/security/nmap && make install clean

If any configure options are available you will be prompted and will have to answer them before the compilation will continue. If you installed from a package or port, run rehash (this may be specific to csh, I’m not sure) and you will be ready to run the installed application from the command line.

Upgrading Ports

Now that you have installed all of your favorite applications using the above methods, you’ll want to make sure they are the most current versions, so that you aren’t running vulnerable software and can take advantage of bug fixes in subsequent releases. So, as in the Installing Ports section, update your ports tree by running:

# portsnap fetch && portsnap update

Once the tree is up-to-date, install portupgrade by running:

# pkg_add -r portupgrade

Once portupgrade is installed, you have a number of useful utilities to assist you in maintaining your ports tree and keeping your applications up-to-date. The two we will focus on here are portupgrade and portversion.

When your ports tree is finished updating and you have completed the portupgrade install (don’t forget to run rehash to make the newly installed applications available to you in the current shell) you will need to determine what installed ports are older than the updated ports tree. To do this, simply run:

# portversion -v -l "<"

This will return a list of installed ports that are older versions than the ones available in the ports tree. The output should look something like the below depending on what installed applications you have and if they are out of sync with the ports tree or not. I have truncated the below list for space constraints but this will give you an idea of what to expect when running the above command.

atk-1.10.3 < needs updating (port has 1.10.3_1)
bash-3.0.16_1 < needs updating (port has 3.1.10_1)
cairo-1.0.2_1 < needs updating (port has 1.0.4)
ethereal-0.10.14 < needs updating (port has 0.10.14_1)

To upgrade the applications that portversion has determined are out of sync, try upgrading from packages first. This will save you a lot of time if the packages are available. To do this, run:

# portupgrade -varRPP

This will upgrade any out of sync ports and any dependencies via binary packages. Once this is completed, you will be shown the number of ports that failed during the upgrade. This means these will have to be installed via the ports and compiled from source. To do this, run:

# portupgrade -varR

Keep your eye on this process as some ports may require you to answer some configure options before they can be compiled. This process can take quite a while depending on the number of ports you have to upgrade in this manner.

You should run portsnap, portversion, and portupgrade as often as possible to keep your ports up-to-date as well as your installed applications. I run these steps on my machine almost daily. Obviously there are a number of other options you could use when running these applications but these are the ones I use most often. Normally, if I add anything to the portupgrade process it is --exclude <package/port name> so I don’t upgrade the specified package or port. The only time I have done this is when I don’t feel like sitting through a 12-36 hour compiling of OpenOffice.org.

Checking Installed Ports for Vulnerabilities

You will need to check your installed ports for any vulnerabilities from time to time. This is extremely easy to do with a tool called portaudit. To install portaudit, run the following at the command line:

# pkg_add -r portaudit

Once the application is finished installing it gives you the command for checking your ports for vulnerabilities. The output is listed below:

===> To check your installed ports for known vulnerabilities now, do: /usr/local/sbin/portaudit -Fda

So, run the above command and it will list any ports that require attention. Don’t forget to run rehash before running the command so it will be available from the command line. Depending on the installed ports on your system, the output should look similar to the below:

# portaudit -Fda
auditfile.tbz 100% of 33 kB 108 kBps
New database installed.
Database created: Tue Mar 28 14:10:15 CST 2006
Affected package: xorg-server-6.9.0
Type of problem: xorg-server -- privilege escalation.
Reference: http://www.FreeBSD.org/ports/portaudit/61534682-b8f4-11da-8e62-000e0c33c2dc.html
1 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s) immediately.

The FreeBSD ports maintainers are very prompt in responding to vulnerable packages. To correct the issue, update your ports tree and use the upgrading procedures defined above in the Upgrading Ports section.
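
The portaudit and portversion outputs shown above can be combined to see which affected packages already have a newer version waiting in the ports tree. The sh script below is an added example, not part of the original article; the function names audit_summary and demo are hypothetical, and the ethereal finding in the sample data is constructed for illustration.

```sh
#!/bin/sh
# audit_summary AUDIT_FILE VERSION_FILE  (added example, not the article's code)
# Prints one line per affected package: package|problem|reference|status
# status is "newer-port:<version>" when portversion lists the package as
# outdated (a portupgrade candidate), otherwise "no-newer-port".
audit_summary() {
    awk '
        # First file: portversion -v -l "<" lines, e.g.
        #   bash-3.0.16_1 < needs updating (port has 3.1.10_1)
        FILENAME == ARGV[1] {
            if ($2 == "<" && match($0, /\(port has [^)]*\)/))
                newer[$1] = substr($0, RSTART + 10, RLENGTH - 11)
            next
        }
        # Second file: portaudit -Fda output, three lines per finding
        /^Affected package: / { pkg = substr($0, 19); next }
        /^Type of problem: /  { prob = substr($0, 18); next }
        /^Reference: / {
            status = (pkg in newer) ? "newer-port:" newer[pkg] : "no-newer-port"
            printf "%s|%s|%s|%s\n", pkg, prob, substr($0, 12), status
            pkg = prob = ""
        }
    ' "$2" "$1"
}

# demo: sample captures. The xorg-server finding and the version lines are
# copied from this article; the ethereal finding is constructed, not a real advisory.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/audit.txt" <<'EOF'
Affected package: xorg-server-6.9.0
Type of problem: xorg-server -- privilege escalation.
Reference: http://www.FreeBSD.org/ports/portaudit/61534682-b8f4-11da-8e62-000e0c33c2dc.html
Affected package: ethereal-0.10.14
Type of problem: ethereal -- constructed sample finding.
Reference: http://example.org/constructed-sample.html
EOF
    cat > "$dir/versions.txt" <<'EOF'
bash-3.0.16_1 < needs updating (port has 3.1.10_1)
ethereal-0.10.14 < needs updating (port has 0.10.14_1)
EOF
    audit_summary "$dir/audit.txt" "$dir/versions.txt"
    rm -rf "$dir"
}

demo
```

On a live system, save the output of portaudit -Fda and of portversion -v -l "<" to two files and pass them to audit_summary in that order. A newer port is only a candidate fix, so run portaudit again after upgrading to confirm the finding is gone.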

The next, and possibly final article in this series will be on upgrading your system using the cvsup method. The cvsup method allows you to update a system with custom kernels but requires you to compile from source. I am still fairly new to this method of updating and am doing some further testing before documenting this procedure. When I feel more confident in doing this, I will document it here on average admins for everyone’s enjoyment. Until next time…
