My cheap dedicated server is running FreeBSD 5.1. I would like to go to 4.9, since that's the stable version. Has anyone else done this with only network access, no console? Much googling shows that it may be possible, but not supported by the FreeBSD people.
As a side note, doesn't it seem bizarre to put 5.1 on a machine? Seems to me 4.9 or 5.2.1 should be the choices.
Downgrading is certainly possible, but it is not recommended (especially using remote access). 5.x systems use the UFS2 filesystem by default, where 4.x uses UFS - going backwards will run you into some issues there, since 4.x can't read UFS2 without some hackery if at all.
I'd recommend going to 5.2.1-RELEASE, it may not be -STABLE or 'production', but it is rock solid - set the tag to RELENG_5_2 in your world supfile, and fire away. Don't follow -CURRENT unless you have a real need to - e.g. you are developing and need to track OS changes. I upgraded a batch of 5.1 machines to 5.2.1 using remote access, and all went without issue - don't forget to read the docs, read /usr/src/UPDATING, etc.
IMHO, 5.1 wasn't as bad as its reputation, I still have a couple lying around here serving their purpose, providing they are patched, they will be reasonably stable and secure - trouble is, 5.1 is no longer supported by FreeBSD, so you'll need to backport the patches for 5.2. I'd make world them, but the machines are so old, it would take days!
There are known vulnerabilities in the non-current OpenSSL, which means OpenSSH and HTTPS are potentially vulnerable.
Using the latest released ports directory on 5.1, some packages don't build because the kernel doesn't match.
In the past, to give me a little peace of mind, I've firewalled my ssh port to only receive packets from a couple of machines I normally work from. For FreeBSD, this involves rebuilding the kernel, etc. This seems wasted effort if I find I need to upgrade/downgrade.
I would feel better if I were on a platform that's mentioned on freebsd.org, which has an active ports directory.
When I asked for a 5.2.1 reinstall, I was told they'd do 5.2 for $75. I would be in basically the same situation, with another non-current, vulnerable OS.
Originally posted by Chrysalis:
yeah stay with 5.x for now I think 5.3 is only weeks away now and it is quite possible that will be the new -STABLE.
As far as I know, we're heading for 4.10-RELEASE in the stable branch some time early May. That means any hopes of making 5.x stable will be pushed back even further (notice how the release date for 5.3 - March 29th, has already been and gone, and it is now TBD). There still seems to be a lot to do - just check out the TODO list
yes I noticed the 4.10 as well, 5.3 may not be -STABLE but it's possible.
sailorFred you should be able to get to 5.2.1 without any hiccups by using cvsup to grab the new src files and recompiling the world files and the kernel. About openssh etc. it is perfectly possible to update these using the ports, on my 4.9 box which is even older I just updated openssh and killed the other process and ran the other one instead, also remember to set in rc.conf, you can do the same thing with openssl and perl etc.
5.2.1p5-Release resolves all known SA issues with OpenSSL and OpenSSH. As for the 5.1 to 5.2.1 upgrade be careful as there are some extra steps you must follow. Be sure to read /usr/src/UPDATING around the time 5.2-Release was cut.
You don't need to update the problems with ports since OpenSSL and OpenSSH are both part of the FreeBSD base.
If you track 4.9-Stable or use the patchsets like above with 5.2.1p5 you will also fix any SAs that are released. Both OpenSSL and OpenSSH are part of the FreeBSD base in 4.x and 5.x.
4.10 is also in beta right now and will be cut as a release soon which also fixes all outstanding SAs. FreeBSD has an excellent history of always backporting patches and fixes and still does to this day all the way back to the 2.x and 3.x trees.
Don't get me wrong you can use ports and packages to fix most of the problems but I prefer to update the base OS and fix it all in one swoop and not have any future problems with keeping the port versions up to date and not conflicting with the base versions.
The FreeBSD handbook indicates that one should boot single user between installing the kernel and installing the world. Obviously that's not in the cards for a remote upgrade. Is this them just being conservative?
Originally posted by Chrysalis:
hmm I hope freebsd 4.10 has the newest openssh in the base because freebsd 4.9-p5 has openssh 3.5p1 in the base which is old that's why I used the port for that. the base perl is also very old.
Please note that both OpenSSH and Perl are "FreeBSD" versions of the applications and have been patched and ported into the base of the OS and are tracked with patches and security that way. So it may appear to be an older version compared to the port or whatever the openssh.org site lists but it is the most current patched set of code for those services.
The FreeBSD development tree has its own version of everything that is in the base and it's all tracked and secured whenever any sort of exploit is released. Same goes for Sendmail and BIND or any other base application.
Every time an SA is released they tell you exactly how to check which version you have installed and give you detailed instructions on how to fix it.
nice site but it doesn't actually state what you just told me, I have never known freebsd to patch something without changing the version number e.g. when they patched the base openssl recently the version number was changed from 0.9.7c to 0.9.7c-p1, and if you look in the release notes for the 5.x releases you see they are using upgraded releases of things like gcc and openssh reflected in the version numbers, same on the ports the version number will always be changed when they make a change.
If you look at the date and time which you last ran cvsup to get the latest source and compare it with the information above you can tell if you have the latest versions or latest source code to build the new versions that have the code fixes to solve any bugs.
And that other link was just a rant site.
Last edited by Cirrostratus; 04-20-2004 at 05:08 PM.
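Added example, not part of any post in this thread: a sketch of the comparison described above, matching the time of the last cvsup run against the "Corrected:" lines of a FreeBSD security advisory for the branch tag set in the supfile. The advisory text is a constructed sample, and `sa_status` and its output words are hypothetical names.

```sh
#!/bin/sh
# Constructed sample of an advisory's "Corrected:" block. Timestamps and patch
# levels are illustrative, not copied from a real advisory.
ADVISORY='Corrected:      2004-03-17 12:23:51 UTC (RELENG_4, 4.9-STABLE)
                2004-03-17 12:24:10 UTC (RELENG_5_2, 5.2.1-RELEASE-p3)
                2004-03-17 12:25:02 UTC (RELENG_4_9, 4.9-RELEASE-p4)'

# sa_status BRANCH "YYYY-MM-DD HH:MM:SS"   (hypothetical helper)
#   BRANCH is the tag= value from the supfile; the timestamp is the UTC time
#   of the last cvsup run. Prints one of:
#     has-fix       source was fetched after the fix was committed to BRANCH
#     needs-update  source predates the fix: cvsup and rebuild
#     unlisted      the advisory has no fix for BRANCH (unsupported branch)
sa_status() {
    printf '%s\n' "$ADVISORY" | awk -v branch="$1" -v synced="$2" '
        # Drop the label so every line starts with the date and time fields.
        { sub(/^Corrected:/, "") }
        # The parenthesised part holds "BRANCH_TAG, release-name".
        match($0, /\(.*\)/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), tag, /, */)
            if (tag[1] != branch) next
            found = 1
            stamp = $1 " " $2
            # ISO-style timestamps order correctly as plain strings.
            result = (synced >= stamp) ? "has-fix" : "needs-update"
            print result
            exit
        }
        END { if (!found) print "unlisted" }'
}

# Source synced three days after the fix landed on RELENG_5_2.
sa_status RELENG_5_2 "2004-03-20 10:00:00"
# A 5.1 branch tag is not in the advisory at all.
sa_status RELENG_5_1 "2004-03-20 10:00:00"
```

A `has-fix` result only says the fetched source contains the correction; the world and kernel still have to be rebuilt and installed from it.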
Do not do this, the possibility of breaking your system is very strong. We have had many customers try this, and many ended up needing reinstalls. Stay at 5.1-RELEASE until 5.3-STABLE comes out, and do not follow -CURRENT unless your box is non-production.