From: FLEURIOT Damien
Date: Sat, 6 Jun 2009 01:39:04 +0200
To: freebsd-stable@freebsd.org
Subject: Re: make installworld and securelevel

On Fri, Jun 05, 2009 at 06:41:13PM -0400 or thereabouts, Lowell Gilbert wrote:
> Bruce Cran writes:
>
> > On Fri, 5 Jun 2009 17:45:50 +0200
> > FLEURIOT Damien wrote:
> >
> >>
> >> Hello list,
> >>
> >>
> >> I apologize if this issue has been raised already but I couldn't
> >> find it anywhere.
> >>
> >>
> >> Find below a snip from my installworld:
> >>
> >> --------------------------------------------------------------
> >> >>> Installing everything
> >> --------------------------------------------------------------
> >> cd /usr/src; make -f Makefile.inc1 install
> >> ===> share/info (install)
> >> ===> lib (install)
> >> ===> lib/csu/i386-elf (install)
> >> install -o root -g wheel -m 444 crt1.o crti.o crtn.o gcrt1.o
> >> /usr/lib
> >> ===> lib/libc (install)
> >> install -C -o root -g wheel -m 444 libc.a /usr/lib
> >> install -C -o root -g wheel -m 444 libc_p.a /usr/lib
> >> install -s -o root -g wheel -m 444 -fschg -S libc.so.7 /lib
> >> ^C
> >>
> >>
> >> My concern is with the last line which installs libc.so.7 and
> >> chflags it.
> >>
> >> I was running with securelevel 1 and got denied.
> >> I had to revert to the old kernel, change my securelevel, reinstall
> >> the new 7.2 kernel, then run my installworld.
> >>
> >> This hasn't caused me any other issue, but what will happen the day
> >> the libc.a or libc_p.a which are installed in the early steps of
> >> installworld become incompatible with the old kernel (if this is at
> >> all possible) ?
> >>
> >> I wouldn't have been able to boot anymore (this is a remote host).
> >> The server has a rescue system, but I think a lot of trouble could
> >> be saved by interrupting "make installworld" if we're running above
> >> securelevel 0.
> >
> > Although it's often safe to run installworld in multi user mode, it's
> > recommended to run it in single user mode to avoid issues like this.
> > From /usr/src/UPDATING:
> >
> >
> > make buildworld
> > make kernel KERNCONF=YOUR_KERNEL_HERE
> > [1]
> > [3]
> > mergemaster -p [5]
> > make installworld
> > make delete-old
> > mergemaster [4]
> >
>
> Still, I don't really see any obvious downsides to the suggestion.
> Maybe it could cause problems with jail updates? That's the only
> issue I've been able to think of...

Well, I'm afraid running single user isn't an option for me, hosted
server. I've always skipped the single user boot, I just go multi-user
and follow the other steps.

Never done "make delete-old" though, it's not in the Handbook. Is it
really important ? It might be worth adding to the Handbook.

Regarding jails, seeing the securelevel can't be lowered, just disable
chflag'ing during installworld within one ?

-- 
Damien
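
Added example (not part of the original message, and not FreeBSD's own code): a preflight check along the lines of the suggestion in this thread, refusing to start installworld when the securelevel is above 0 and the run would install schg-flagged files such as libc.so.7. The function names, the saved file of install commands and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight for "make installworld" under a raised securelevel.

# Constructed sample: install lines modelled on the quoted installworld output.
sample_log() {
    cat <<'EOF'
===> lib/libc (install)
install -C -o root -g wheel -m 444 libc.a /usr/lib
install -C -o root -g wheel -m 444 libc_p.a /usr/lib
install -s -o root -g wheel -m 444 -fschg -S libc.so.7 /lib
EOF
}

# Read install(1) command lines on stdin and print "dir/file" for each one
# that sets the schg flag ("-fschg" or "-f schg").
# Assumption: a flagged line installs a single file, as in the snip.
schg_targets() {
    awk '$1 == "install" {
        schg = 0
        for (i = 2; i < NF - 1; i++)
            if ($i == "-fschg" || ($i == "-f" && $(i + 1) == "schg")) schg = 1
        if (schg) print $NF "/" $(NF - 1)
    }'
}

# $1: securelevel as printed by `sysctl -n kern.securelevel` (-1..3)
# $2: file of install command lines (assumption: saved from an earlier run)
# Returns 0 = go, 1 = the chflags step would be denied, 2 = bad securelevel.
preflight() {
    case $1 in
        -1|[0-3]) ;;
        *) echo "preflight: unexpected securelevel '$1'" >&2; return 2 ;;
    esac
    [ "$1" -gt 0 ] || return 0
    targets=$(schg_targets < "$2")
    [ -n "$targets" ] || return 0
    echo "securelevel $1: installworld must replace schg files:" >&2
    echo "$targets" >&2
    return 1
}

# Demo on the constructed sample with securelevel 1, the case reported above.
demo_log=$(mktemp)
sample_log > "$demo_log"
preflight 1 "$demo_log" || echo "installworld not started"
rm -f "$demo_log"
```

On a real host the first argument would come from `sysctl -n kern.securelevel`, and the check would run before anything is written to /usr/lib or /lib.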