Date: Sat, 6 Jun 2009 01:39:04 +0200 From: FLEURIOT Damien <ml@my.gd> To: freebsd-stable@freebsd.org Subject: Re: make installworld and securelevel Message-ID: <20090605233903.GA8984@sd-13813.dedibox.fr> In-Reply-To: <44prdimhh2.fsf@lowell-desk.lan> References: <20090605154544.GA1855@sd-13813.dedibox.fr> <20090605233507.42ee1c96@gluon.draftnet> <44prdimhh2.fsf@lowell-desk.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jun 05, 2009 at 06:41:13PM -0400 or thereabouts, Lowell Gilbert wrote: > Bruce Cran <bruce@cran.org.uk> writes: > > > On Fri, 5 Jun 2009 17:45:50 +0200 > > FLEURIOT Damien <ml@my.gd> wrote: > > > >> > >> Hello list, > >> > >> > >> I apologize if this issue has been raised already but I couldn't > >> find it anywhere. > >> > >> > >> Find below a snip from my installworld: > >> > >> -------------------------------------------------------------- > >> >>> Installing everything > >> -------------------------------------------------------------- > >> cd /usr/src; make -f Makefile.inc1 install > >> ===> share/info (install) > >> ===> lib (install) > >> ===> lib/csu/i386-elf (install) > >> install -o root -g wheel -m 444 crt1.o crti.o crtn.o gcrt1.o > >> /usr/lib > >> ===> lib/libc (install) > >> install -C -o root -g wheel -m 444 libc.a /usr/lib > >> install -C -o root -g wheel -m 444 libc_p.a /usr/lib > >> install -s -o root -g wheel -m 444 -fschg -S libc.so.7 /lib > >> ^C > >> > >> > >> My concern is with the last line which installs libc.so.7 and > >> chflags it. > >> > >> I was running with securelevel 1 and got denied. > >> I had to revert to the old kernel, change my securelevel, reinstall > >> the new 7.2 kernel, then run my installworld. > >> > >> This hasn't caused me any other issue, but what will happen the day > >> the libc.a or libc_p.a which are installed in the early steps of > >> installworld become incompatible with the old kernel (if this is at > >> all possible) ? > >> > >> I wouldn't have been able to boot anymore (this is a remote host). > >> The server has a rescue system, but I think a lot of trouble could > >> be saved by interrupting "make installworld" if we're running above > >> securelevel 0. > > > > Although it's often safe to run installworld in multi user mode, it's > > recommended to run it in single user mode to avoid issues like this. > > From /usr/src/UPDATING: > > > > <make sure you have good level 0 dumps> > > make buildworld > > make kernel KERNCONF=YOUR_KERNEL_HERE > > [1] > > <reboot in single user> [3] > > mergemaster -p [5] > > make installworld > > make delete-old > > mergemaster [4] > > <reboot> > > Still, I don't really see any obvious downsides to the suggestion. > Maybe it could cause problems with jail updates? That's the only > issue I've been able to think of... Well, I'm afraid running single user isn't an option for me, hosted server. I've always skipped the single user boot, I just go multi-user and follow the other steps. Never done "make delete-old" though, it's not in the Handbook. Is it really important ? It might be worth adding to the Handbook. Regarding jails, seeing the securelevel can't be lowered, just disable chflag'ing during installworld within one ? -- Damien
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090605233903.GA8984>