Home Man
Today's Posts

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:
Select Section of Man Page:
Select Man Page Repository:

NetBSD 6.1.5 - man page for afterboot (netbsd section 8)

AFTERBOOT(8)			   BSD System Manager's Manual			     AFTERBOOT(8)

     afterboot -- things to check after the first complete boot

   Starting Out
     This document attempts to list items for the system administrator to check and set up after
     the installation and first complete boot of the system.  The idea is to create a list of
     items that can be checked off so that you have a warm fuzzy feeling that something obvious
     has not been missed.  A basic knowledge of UNIX is assumed.

     Complete instructions for correcting and fixing items is not provided.  There are manual
     pages and other methodologies available for doing that.  For example, to view the man page
     for the ls(1) command, type:

	   man 1 ls

     Administrators will rapidly become more familiar with NetBSD if they get used to using the
     manual pages.

   Security alerts
     By the time that you have installed your system, it is quite likely that bugs in the release
     have been found.  All significant and easily fixed problems will be reported at
     http://www.NetBSD.org/support/security/.  It is recommended that you check this page regu-

     Additionally, you should set ``fetch_pkg_vulnerabilities=YES'' in /etc/daily.conf to allow
     your system to automatically update the local database of known vulnerable packages to the
     latest version available on-line.	The system will later check, on a daily basis, if any of
     your installed packages are vulnerable based on the contents of this database.  See
     daily.conf(5) and security.conf(5) for more details.

     Login as ``root''.  You can do so on the console, or over the network using ssh(1).  If you
     have enabled the SSH daemon (see sshd(8)) and wish to allow root logins over the network,
     edit the /etc/ssh/sshd_config file and set ``PermitRootLogin'' to ``yes'' (see
     sshd_config(5)).  The default is to not permit root logins over the network after fresh
     install in NetBSD.

     Upon successful login on the console, you may see the message ``We recommend creating a
     non-root account...''.  For security reasons, it is bad practice to login as root during
     regular use and maintenance of the system.  In fact, the system will only let you login as
     root on a secure terminal.  By default, only the console is considered to be a secure termi-
     nal.  Instead, administrators are encouraged to add a ``regular'' user, add said user to the
     ``wheel'' group, then use the su(1) command when root privileges are required.  This process
     is described in more detail later.

   Root password
     Change the password for the root user.  (Note that throughout the documentation, the term
     ``superuser'' is a synonym for the root user.)  Choose a password that has numbers, digits,
     and special characters (not space) as well as from the upper and lower case alphabet.  Do
     not choose any word in any language.  It is common for an intruder to use dictionary
     attacks.  Type the command /usr/bin/passwd to change it.

     It is a good idea to always specify the full path name for both the passwd(1) and su(1) com-
     mands as this inhibits the possibility of files placed in your execution PATH for most
     shells.  Furthermore, the superuser's PATH should never contain the current directory

   System date
     Check the system date with the date(1) command.  If needed, change the date, and/or change
     the symbolic link of /etc/localtime to the correct time zone in the /usr/share/zoneinfo


     date 200205101820
	   Set the current date to May 10th, 2002 6:20pm.

     ln -fs /usr/share/zoneinfo/Europe/Helsinki /etc/localtime
	   Set the time zone to Eastern Europe Summer Time.

   Console settings
     One of the first things you will likely need to do is to set up your keyboard map (and maybe
     some other aspects about the system console).  To change your keyboard encoding, edit the
     ``encoding'' variable found in /etc/wscons.conf.

     wscons.conf(5) contains more information about this file.

   Check hostname
     Use the hostname command to verify that the name of your machine is correct.  See the man
     page for hostname(1) if it needs to be changed.  You will also need to change the contents
     of the ``hostname'' variable in /etc/rc.conf or edit the /etc/myname file to have it stick
     around for the next reboot.  Note that ``hostname'' is supposed include a domainname, and
     that this should not be confused with YP (NIS) domainname(1).  If you are using dhclient(8)
     to configure network interfaces, it might override these local hostname settings if your
     DHCP server specifies client's hostname with other network configurations.

   Verify network interface configuration
     The first thing to do is an ifconfig -a to see if the network interfaces are properly con-
     figured.  Correct by editing /etc/ifconfig.interface or the corresponding
     ``ifconfig_interface'' variable in rc.conf(5) (where interface is the interface name, e.g.,
     ``le0'') and then using ifconfig(8) to manually configure it if you do not wish to reboot.

     Alternatively, you can configure interfaces automatically via DHCP with dhclient(8) if you
     have a DHCP server running somewhere on your network.  To get dhclient(8) to start automati-
     cally on boot, you will need to have this line in /etc/rc.conf:


     See dhclient(8) and dhclient.conf(5) for more information on setting up a DHCP client.

     You can add new ``virtual interfaces'' by adding the required entries to
     /etc/ifconfig.interface.  Read the ifconfig.if(5) man page for more information on the for-
     mat of /etc/ifconfig.interface files.  The loopback interface will look something like:

	   lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
		   inet netmask 0xff000000
		   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
		   inet6 ::1 prefixlen 128

     an Ethernet interface something like:

		   inet netmask 0xffffff00 broadcast
		   inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1

     and a PPP interface something like:

		   inet --> netmask 0xffff0000

     See mrouted(8) for instructions on configuring multicast routing.

   Check routing tables
     Issue a netstat -rn command.  The output will look something like:

	   Routing tables

	   Destination	  Gateway	    Flags  Refs     Use  Mtu  Interface
	   default     UGS      0 11098028    -  le0
	   127	    UGRS     0	      0    -  lo0	    UH	     3	     24    -  lo0
	   192.168.4	  link#1	    UC	     0	      0    -  le0   8:0:20:73:b8:4a   UHL      1	   6707    -  le0  0:60:3e:99:67:ea  UHL      1	      0    -  le0

	   Destination	      Gateway	    Flags  Refs  Use	 Mtu  Interface
	   ::/96	      ::1	    UGRS     0	   0   32972  lo0 =>
	   ::1		      ::1	    UH	     4	   0   32972  lo0
	   ::ffff:  ::1	    UGRS     0	   0   32972  lo0
	   fc80::/10	      ::1	    UGRS     0	   0   32972  lo0
	   fe80::/10	      ::1	    UGRS     0	   0   32972  lo0
	   fe80::%le0/64      link#1	    UC	     0	   0	1500  le0
	   fe80::%lo0/64      fe80::1%lo0   U	     0	   0   32972  lo0
	   ff01::/32	      ::1	    U	     0	   0   32972  lo0
	   ff02::%le0/32      link#1	    UC	     0	   0	1500  le0
	   ff02::%lo0/32      fe80::1%lo0   UC	     0	   0   32972  lo0

     The default gateway address is stored in the ``defaultroute'' variable in /etc/rc.conf, or
     in the file /etc/mygate.  If you need to edit this file, a painless way to reconfigure the
     network afterwards is to issue

	   /etc/rc.d/network restart

     Or, you may prefer to manually configure using a series of route add and route delete com-
     mands (see route(8)).  If you run dhclient(8) you will have to kill it by running

	   /etc/rc.d/dhclient stop

     after you flush the routes.

     If you wish to route packets between interfaces, add one or both of the following directives
     (depending on whether IPv4 or IPv6 routing is required) to /etc/sysctl.conf:


     As an alternative, compile a new kernel with the ``GATEWAY'' option.  Packets are not for-
     warded by default, due to RFC requirements.

   Secure Shell (SSH)
     By default, all services are disabled in a fresh NetBSD installation, and SSH is no excep-
     tion.  You may wish to enable it so you can remotely control your system.	Set ``sshd=YES''
     in /etc/rc.conf and then starting the server with the command

	   /etc/rc.d/sshd start

     The first time the server is started, it will generate a new keypair, which will be stored
     inside the directory /etc/ssh.

   BIND Name Server (DNS)
     If you are using the BIND Name Server, check the /etc/resolv.conf file.  It may look some-
     thing like:

	   domain some.thing.dom
	   search some.thing.dom. thing.dom.

     For further details, see resolv.conf(5).  Note the name service lookup order is set via
     nsswitch.conf(5) mechanism.

     If using a caching name server add the line "nameserver" first.	To get a local
     caching name server to run you will need to set ``named=YES'' in /etc/rc.conf and create the
     named.conf file in the appropriate place for named(8), usually in /etc/namedb.  The same
     holds true if the machine is going to be a name server for your domain.  In both these
     cases, make sure that named(8) is running (otherwise there are long waits for resolver time-

   RPC-based network services
     Several services depend on the RPC portmapper rpcbind(8) - formerly known as portmap - being
     running for proper operation.  This includes YP (NIS) and NFS exports, among other services.
     To get the RPC portmapper to start automatically on boot, you will need to have this line in


   YP (NIS) Setup
     Check the YP domain name with the domainname(1) command.  If necessary, correct it by edit-
     ing the /etc/defaultdomain file or by setting the ``domainname'' variable in /etc/rc.conf.
     The /etc/rc.d/network script reads this file on bootup to determine and set the domain name.
     You may also set the running system's domain name with the domainname(1) command.	To start
     YP client services, simply run ypbind, then perform the remaining YP activation as described
     in passwd(5) and group(5).

     In particular, to enable YP passwd support, you'll need to update /etc/nsswitch.conf to
     include ``nis'' for the ``passwd'' and ``group'' entries.	A traditional way to accomplish
     the same thing is to add following entry to local passwd database via vipw(8):


     Note this entry has to be the very last one.  This traditional way works with the default
     nsswitch.conf(5) setting of ``passwd'', which is ``compat''.

     There are many more YP man pages available to help you.  You can find more information by
     starting with nis(8).

   Check disk mounts
     Check that the disks are mounted correctly by comparing the /etc/fstab file against the out-
     put of the mount(8) and df(1) commands.  Example:

	   # cat /etc/fstab
	   /dev/sd0a / ffs     rw	       1 1
	   /dev/sd0b none swap sw
	   /dev/sd0e /usr ffs  rw	       1 2
	   /dev/sd0f /var ffs  rw	       1 3
	   /dev/sd0g /tmp ffs  rw	       1 4
	   /dev/sd0h /home ffs rw	       1 5

	   # mount
	   /dev/sd0a on / type ffs (local)
	   /dev/sd0e on /usr type ffs (local)
	   /dev/sd0f on /var type ffs (local)
	   /dev/sd0g on /tmp type ffs (local)
	   /dev/sd0h on /home type ffs (local)

	   # df
	   Filesystem  1024-blocks     Used    Avail Capacity  Mounted on
	   /dev/sd0a	     22311    14589	6606	69%    /
	   /dev/sd0e	    203399   150221    43008	78%    /usr
	   /dev/sd0f	     10447	682	9242	 7%    /var
	   /dev/sd0g	     18823	  2    17879	 0%    /tmp
	   /dev/sd0h	      7519     5255	1888	74%    /home

	   # pstat -s
	   Device      512-blocks     Used    Avail Capacity  Priority
	   /dev/sd0b	   131072    84656    46416    65%    0

     Edit /etc/fstab and use the mount(8) and umount(8) commands as appropriate.  Refer to the
     above example and fstab(5) for information on the format of this file.

     You may wish to do NFS mounts now too, or you can do them later.

   Concatenated disks (ccd)
     If you are using ccd(4) concatenated disks, edit /etc/ccd.conf.  You may wish to take a look
     to ccdconfig(8) for more information about this file.  Use the ccdconfig -U command to
     unload and the ccdconfig -C command to create tables internal to the kernel for the concate-
     nated disks.  You then mount(8), umount(8), and edit /etc/fstab as needed.

   Automounter daemon (AMD)
     To use the amd(8) automounter, create the /etc/amd directory, copy example config files from
     /usr/share/examples/amd to /etc/amd and customize them as needed.	Alternatively, you can
     get your maps with YP.

   Clock synchronization
     In order to make sure the system clock is synchronized to that of a publicly accessible NTP
     server, make sure that /etc/rc.conf contains the following:


     See date(1), ntpdate(8), ntpd(8), rdate(8), and timed(8) for more information on setting the
     system's date.

     The system should be usable now, but you may wish to do more customizing, such as adding
     users, etc.  Many of the following sections may be skipped if you are not using that package
     (for example, skip the Kerberos section if you won't be using Kerberos).  We suggest that
     you cd /etc and edit most of the files in that directory.

     Note that the /etc/motd file is modified by /etc/rc.d/motd whenever the system is booted.
     To keep any custom message intact, ensure that you leave two blank lines at the top, or your
     message will be overwritten.

   Add new users
     To add new users and groups, there are useradd(8) and groupadd(8); see also user(8) for fur-
     ther programs for user and group manipulation.  You may use vipw(8) to add users to the
     /etc/passwd file and edit /etc/group by hand to add new groups.  The manual page for su(1),
     tells you to make sure to put people in the 'wheel' group if they need root access (non-Ker-
     beros).  For example:


     Follow instructions for kerberos(8) if using Kerberos for authentication.

   System boot scripts and /etc/rc.local
     /etc/rc and the /etc/rc.d/* scripts are invoked at boot time after single user mode has
     exited, and at shutdown.  The whole process is controlled by the master script /etc/rc.
     This script should not be changed by administrators.

     The directory /etc/rc.d contains a series of scripts used at startup/shutdown, called by
     /etc/rc.  /etc/rc is in turn influenced by the configuration variables present in

     The script /etc/rc.local is run as the last thing during multiuser boot, and is provided to
     allow any other local hooks necessary for the system.

     To enable or disable various services on system startup, corresponding entries can be made
     in /etc/rc.conf.  You can take a look at /etc/defaults/rc.conf to see a list of default sys-
     tem variables, which you can override in /etc/rc.conf.  Note you are not supposed to change
     /etc/defaults/rc.conf directly, edit only /etc/rc.conf.  See rc.conf(5) for further informa-

   X Display Manager
     If you've installed X, you may want to turn on xdm(1), the X Display Manager.  To do this,
     set ``xdm=YES'' in /etc/rc.conf.

     Edit /etc/printcap and /etc/hosts.lpd to get any printers set up.	Consult lpd(8) and
     printcap(5) if needed.

   Tighten up security
     In /etc/inetd.conf comment out any extra entries you do not need, and only add things that
     are really needed.  Note that by default all services are disabled for security reasons.

     If you are going to use Kerberos for authentication, see kerberos(8) and ``info heimdal''
     for more information.  If you already have a Kerberos master, change directory to
     /etc/kerberosV and configure.  Remember to get a srvtab from the master so that the remote
     commands work.

   Mail Aliases
     Check /etc/mail/aliases and update appropriately if you want e-mail to be routed to non-
     local addresses or to different users.

     Run newaliases(1) after changes.

     NetBSD uses Postfix as its MTA.  Postfix is started by default, but its initial configura-
     tion does not cause it to listen on the network for incoming connections.	To configure
     Postfix, see /etc/postfix/main.cf and /etc/postfix/master.cf.  If you wish to use a differ-
     ent MTA (e.g., sendmail), install your MTA of choice and edit /etc/mailer.conf to point to
     the proper binaries.

   DHCP server
     If this is a DHCP server, edit /etc/dhcpd.conf and /etc/dhcpd.interfaces as needed.  You
     will have to make sure /etc/rc.conf has ``dhcpd=YES'' or run dhcpd(8) manually.

   Bootparam server
     If this is a Bootparam server, edit /etc/bootparams as needed.  You will have to turn it on
     in /etc/rc.conf by adding ``bootparamd=YES''.

   NFS server
     If this is an NFS server, make sure /etc/rc.conf has:


     Edit /etc/exports and get it correct.  After this, you can start the server by issuing:

	   /etc/rc.d/rpcbind start
	   /etc/rc.d/mountd start
	   /etc/rc.d/nfsd start
     which will also start dependencies.

   HP remote boot server
     Edit /etc/rbootd.conf if needed for remote booting.  If you do not have HP computers doing
     remote booting, do not enable this.

   Daily, weekly, monthly scripts
     Look at and possibly edit the /etc/daily.conf, /etc/weekly.conf, and /etc/monthly.conf con-
     figuration files.	You can check which values you can set by looking to their matching files
     in /etc/defaults.	Your site specific things should go into /etc/daily.local,
     /etc/weekly.local, and /etc/monthly.local.

     These scripts have been limited so as to keep the system running without filling up disk
     space from normal running processes and database updates.	(You probably do not need to
     understand them.)

   Other files in /etc
     Look at the other files in /etc and edit them as needed.  (Do not edit files ending in .db
     -- like pwd.db, spwd.db, nor localtime, nor rmt, nor any directories.)

   Crontab (background running processes)
     Check what is running by typing crontab -l as root and see if anything unexpected is
     present.  Do you need anything else?  Do you wish to change things?  For example, if you do
     not like root getting standard output of the daily scripts, and want only the security
     scripts that are mailed internally, you can type crontab -e and change some of the lines to

	   30  1  *  *	*   /bin/sh /etc/daily 2>&1 > /var/log/daily.out
	   30  3  *  *	6   /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
	   30  5  1  *	*   /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out

     See crontab(5).

   Next day cleanup
     After the first night's security run, change ownerships and permissions on files, directo-
     ries, and devices; root should have received mail with subject: "<hostname> daily insecurity
     output.".	This mail contains a set of security recommendations, presented as a list looking
     like this:

		   permissions (0755, 0775)
		   user (0, 3)

     The best bet is to follow the advice in that list.  The recommended setting is the first
     item in parentheses, while the current setting is the second one.	This list is generated by
     mtree(8) using /etc/mtree/special.  Use chmod(1), chgrp(1), and chown(8) as needed.

     Install your own packages.  The NetBSD packages collection, pkgsrc, includes a large set of
     third-party software.  A lot of it is available as binary packages that you can download
     from ftp://ftp.NetBSD.org/pub/NetBSD/packages/ or a mirror, and install using pkg_add(1).
     See http://www.NetBSD.org/docs/pkgsrc/ and pkgsrc/doc/pkgsrc.txt for more details.

     Copy vendor binaries and install them.  You will need to install any shared libraries, etc.
     (Hint: man -k compat to find out how to install and use compatibility mode.)

     There is also other third-party software that is available in source form only, either
     because it has not been ported to NetBSD yet, because licensing restrictions make binary
     redistribution impossible, or simply because you want to build your own binaries.	Sometimes
     checking the mailing lists for past problems that people have encountered will result in a
     fix posted.

   Check the running system
     You can use ps(1), netstat(1), and fstat(1) to check on running processes, network connec-
     tions, and opened files, respectively.  Other tools you may find useful are systat(1) and

     Note: The standard NetBSD kernel configuration (GENERIC) is suitable for most purposes.

     First, review the system message buffer in /var/run/dmesg.boot and by using the dmesg(8)
     command to find out information on your system's devices as probed by the kernel at boot.
     In particular, note which devices were not configured.  This information will prove useful
     when editing kernel configuration files.

     To compile a kernel inside a writable source tree, do the following:

	   $ cd /usr/src/sys/arch/SOMEARCH/conf
	   $ cp GENERIC SOMEFILE (only the first time)
	   $ vi SOMEFILE (adapt to your needs)
	   $ config SOMEFILE
	   $ cd ../compile/SOMEFILE
	   $ make depend
	   $ make

     where SOMEARCH is the architecture (e.g., i386), and SOMEFILE should be a name indicative of
     a particular configuration (often that of the hostname).

     If you are building your kernel again, before you do a make you should do a make clean after
     making changes to your kernel options.

     After either of these two methods, you can place the new kernel (called netbsd) in / (i.e.,
     /netbsd) by issuing make install and the system will boot it next time.  The old kernel is
     stored as /onetbsd so you can boot it in case of failure.

     If you are using toolchain to build your kernel, you will also need to build a new set of
     toolchain binaries.  You can do it by changing into /usr/src and issuing:

	   $ cd /usr/src
	   $ K=sys/arch/`uname -m`/conf
	   $ vi $K/SOMEFILE (adapt to your needs)
	   $ ./build.sh tools
	   $ ./build.sh kernel=SOMEFILE

     At this point, the system should be fully configured to your liking.  It is now a good time
     to ensure that the system behaves according to its specifications and that it is stable on
     your hardware.  Please refer to tests(7) for details on how to do so.

     chgrp(1), chmod(1), config(1), crontab(1), date(1), df(1), domainname(1), fstat(1),
     hostname(1), make(1), man(1), netstat(1), newaliases(1), passwd(1), pkg_add(1), ps(1),
     ssh(1), su(1), systat(1), top(1), xdm(1), ccd(4), aliases(5), crontab(5), dhclient.conf(5),
     exports(5), fstab(5), group(5), ifconfig.if(5), mailer.conf(5), nsswitch.conf(5), passwd(5),
     printcap(5), rc.conf(5), resolv.conf(5), sshd_config(5), wscons.conf(5), hier(7),
     hostname(7), pkgsrc(7), tests(7), amd(8), ccdconfig(8), chown(8), dhclient(8), dhcpd(8),
     dmesg(8), groupadd(8), ifconfig(8), inetd(8), kerberos(8), lpd(8), mount(8), mrouted(8),
     mtree(8), named(8), nis(8), ntpd(8), ntpdate(8), rbootd(8), rc(8), rdate(8), rmt(8),
     route(8), rpc.bootparamd(8), rpcbind(8), sshd(8), timed(8), umount(8), useradd(8), vipw(8),
     yp(8), ypbind(8)

     This document first appeared in OpenBSD 2.2.  It has been adapted to NetBSD and first
     appeared in NetBSD 2.0.

BSD					  June 26, 2010 				      BSD

All times are GMT -4. The time now is 01:44 PM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
Show Password

Not a Forum Member?
Forgot Password?