NetBSD Notes/Gotchas

A hodge podge of notes on some of the things that were not so obvious to me in getting a Xen instance of NetBSD up and running. And latterly bits and pieces with NetBSD on a ye-olde laptop and then a Dell Optiplex after the laptop died.


In following the instructions need to do mount /dev/xvdb /mnt/xvdb in one line; I edited the wiki to suit.


Upgrading is pretty much exactly as per the installation. Boot the Finnix rescue image, download the new Xen kernel and install packages, reboot into the NetBSD profile, but select the "install NetBSD" option at the grub menu (that was set-up in the first installation) and follow the sysint upgrade instructions.

When upgrading it's xvdb1 as per the wiki notes.

When upgrading with an encrypted partition (I have /home) it'll fail to mount that partition. Have to force it to "try" in order to continue with the upgrade.

See man afterboot and man 7? tests (<-- Cool, these are Julio Merino's)

Also if you miss the messages the first time round you can run sudo postinstall check to see what "failed", assuming you have up to date sources in /usr/src, etc; Alternatively in /var/cache/sysupgrade/; If you download source sets need to get etc.tgz from relevant port, e.g:

Switching from 32-bit to 64-bit1

I did this on Linode to take advantage of their new infrastructure. I was fortunate that I had /home on a separate partition so I basically did a new install, keeping the existing partitions and then copied back /etc files I'd backed-up.

System Configuration


I couldn't get npf or pf firewalls to work. I just got "/dev/pf device not configured". Tried rebuilding MAKEDEV, because of something I read after searching, but it didn't really work and so then I wished I hadn't. Managed to put things back the way they were and then found that it's because npf and pf are not enabled in the Xen Kernels.

So that left ipf, as I really didn't want to get into building my own kernel so soon.

  • To enable ipf need ipfilter=YES in rc.conf.
  • To reload firewall rules: ipf -Fa -f /etc/ipf.conf
  • Actually, a better way is to do sudo /etc/rc.d/ipfilter restart
  • Also handy is restarting the network: sudo /etc/rc.d/network restart (I initially thought this and a ipfilter restart were good ways of fixing things when the firewall had gone "screwy" and I'd lost ipv6 connectivity, but they aren't really fixes. For instance restarting the network can get back ipv6 connectivity temporarily, but the firewall rules can then kill it again; I think the true issue was icmp packets, see below)
  • If you get ioctl(add/insert rule): File exists when reloading rules it is because there is a duplicate (redundant) rule
  • The quick keyword can be added to any rule that makes the rule take action at that match.
  • The key to getting ipv6 to work whilst still having a ipf6.conf is to leave icmp completely alone. Whether it's due to bugs in ipfilter or my incompetence on networking (it is confusing) a default block on tcp/udf/icmp will seemingly always take precedence over any allows on icmp. I even got to a point where I was logging blocks and I'd made sure no icmp packets were being blocked in the logs, but ipv6 still wasn't working. As soon as I changed my default blocks to target only tcp/udp it worked.

Domain name / Hostname

Might need to set this in a few places:

  • In .muttrc set hostname if don't want to use the domain in resolv.conf (for local message-ids)
  • In /etc/postfix/
  • In /etc/myname and /etc/defaultdomain

Restart network, etc to pick up changes

For setting hostname see afterboot manpage. Put in a file called /etc/myname.


For now I have just gone with bash as I am used to it and have it configured how I want. But I am interested in switching to mksh at some point.

  • To change shells: chsh -s /bin/mksh
  • Setting bash as default and sourcing bashrc means default paths get screwed. I "solved" this by loging in via lish and seeing what it gave me as a default.


Don't try to set $MANPATH instead do something like:

alias man="man -m /usr/local/share/man/"

SSL Certs

There is no /etc/ssl/cacerts, etc on NetBSD. There is an openssl package to install, but you still won't end up with any certs. You have to install certs from curl. See this answer on Stackoverflow.

For Ruby and open-uri just export SSL_CERT_FILE.

[Update: 2016-05-13] Install the Mozilla certs and just set environment variables pointing at those.


It took me a bit to get IPV6 working, but mainly because somehow I kept missing the correct bit of the documentation and instead went off tidbits from mailing lists, etc that got me into a muddle. At one point I'd unnecessarily tried to manually add a route, which left me IPV6 that wouldn't resolve routes. As a result I came across this utterly shit ipv6 issue in Python; By having an incorrectly configured IPV6 route it just hung when I was using snose.


NetBSD comes with its own Curses implementation, which is both good and bad. I like having it in the base install, but because it is it's own implementation I've noticed a few glitches to do with screen refreshing/re-painting - i.e bits of text from previous screens can stick around. My main bug-bear is snownews which has loads of these display glitches. I've tried building against ncurses (and ncursew, both available via PKGSRC), but I seem to then get a different bunch of display issues (which really confuses me as I had no issues on OSX 10.5 and that wasn't an exactly with-the-times OS).

  • I though ELinks was a bit screwy because of Curses, but it was just because I had not set it to 256 colours.
  • PWMan is a bit iffy built with NetBSD curses, but not too bad. Not tried with ncurses yet.
  • To check which curses it is linked to: ldd /path/to/binary
  • Mutt with ncurses doesn't highlight properly in list mode. I wonder if this is because Mutt is patched via PKGSRC to suit the NetBSD curses?

Ah ha! Figured it out. It's a Tmux thing. Outside of Tmux, then ncurses built stuff works fine, inside Tmux it's a bit screwy. So this should be fixable, somehow (worst come to the worst I could stop usinf Tmux and use something else). Ok, for now it's as simple as ensuring I have export TERM=xterm-color as opposed to just xterm (not that I'm using xterm, but that's another issue).



On patching the mutt-notmuch thing like I had to do on OSX, as in this bit:

" | xargs -J % ln -s % $maildir/cur/");

This is tidier than the GNU one I ended up with on OSX. NetBSD's xargs does not run on empty by default. And then I just needed to place the % args in correct place.


For the bits and bobs I needed for Perl I mostly used the p5- packages. Failing that cpanminus again - It's awesome (I think the only thing I needed to install via cpanminus was TTYtter's readline)

To avoid the locale messages I just set LC_CTYPE and LC_MESSAGES.

[Note: 2015-01-04] I don't know if related to switching to 64-bit, but cpanm won't install Term::ReadLine::Gnu@1.24 (needed for Notmuch mutt integration) or the most recent version at the time of trying which was 1.25. Instead I installed via pkgin (p5-Term-ReadLine, version 1.24 at the time). It could have also been the case for 32-bit, I can't remember how I installed it then.


Similar issues to Perl with LC_CTYPE and encoding, etc when building some gems.


For installing packages to match required version (say if have Python2.7 and 3.3 installed) need to do:


Of course, not all packages seem to support this.

Elinks (Added 2014-03-09)

I forgot that when I first installed this in order to get Lua support there was a bit of fiddling around required. And at the time of writing the pkgsrc version still won't work correctly by default, especially since it now incorrectly says it requires Lua 5.2 (won't work, even in elinks master/head it is still only 5.1).

  • First set LUA_VERSION_DEFAULT=51 in mk.conf

Then you need to do the pkgsrc bits in stages, i.e:

  • make fetch
  • make extract
  • make patch

Then manually "patch" the configure file (because there is an existing pkgsrc patch for the configure file so I don't think it is possible to include a local one as well) and the line for suffix in "" 50; do and change to for suffix in "" 51 5.1; do and carry on:

  • make configure
  • make build
  • make install

Dillo 3.04 (Added 2014-07-27)

Had to do make install from the actual work directory to get the dpid bits and thus ssl to work. Also from pkgsrc rather than binary.

nzbget / hellanzb (Added 2014-08-01)

The only package available for nzbget is in "wip" and doesn't build, but it is for a really old version, 0.7.0. hellanzb is available in pkgsrc "news" which means there is also a binary available for install. So although I was used to nzbget I decided hellanzb might be a quicker option.

This patch/fix is needed for hellanzb. I couldn't get it working though - although the server bit of it would start I couldn't get anything to queue or download (but in hindsight I think the nzb file I was supplying was corrupt).

So I went back to nzbget and decided to build from source (which I should have done first of all, also in hindsight). Required libpar2 headers to be identified like so (older version of libpar2 in pkgsrc hence the "disable bugfixes check" bit):

./configure  --with-libpar2-includes=/usr/pkg/include --disable-libpar2-bugfixes-check

But otherwise builds fine.

Taskwarrior (Added 2015-08-24)

Need to specify the compiler version as default is too old

cmake -DCMAKE_CXX_COMPILER=/usr/pkg/gcc49/bin/g++ -DCMAKE_C_COMPILER=/usr/pkg/gcc49/bin/gcc

mpv (Added 2017-05-31)

Which I mainly use for the radio. Adding this now because I recently updated mpv and somehow could only play audio as root. Couldn't figure it out. But it was a pulseaudio thing. Pulse audio needs dbus to be running, then mpv plays as non-root; There's a possibility I'd built mpv previously not to use pulseaudio (because it's crap) and I just used OSS instead, but if so I can't recall for sure. Anyway, works again now. See:


Binary Packages

For binary package installs you need to export a path like so:

export PKG_PATH=""

Although it might make more sense to use a local mirror:

export PKG_PATH=""

To avoid doing this every single time you wish to use pkg_add then you need to set a default shell for Root and you can then use one of the default profiles provided to permanently set PKG_PATH. E.g. for csh edit .cshrc and uncomment the path bits.

Note these paths are in some of the root account dotfiles for various shells. Just nee uncommenting.

More on PKG_PATH here.

Basically use pkgin. Install that via pkg_add then go from there.

Source Packages

  • Ignore the csup stuff for pkgsrc cvs. I think that is out of date; In fact is the wiki trustworthy at all? Probably best stick to the FAQ, Guide and Man pages. Anyway, just do it by hand.
  • Getting the WIP directory is a bit more fiddly. This doesn't come with the normal CVS checkout. Do cd /usr/pkgsrc && cvs -q -z2 -d checkout -P wip
  • make show-options is like variants under macports, but then have to manually edit a /etc/mk.conf file to add them in. Which seemed a little weird at first, but I like it now as then it's configuration file like any other that you can back up and move around between systems.
  • Local patches are fairly easy to do so I did this with snownews. The only thing is that you might need a patch file in slightly different format. mkpatches works well (install pkgdiff).


NetBSD 7 on a Dell Optiplex 745

I got a i915drmkms panic/crash. Need to go to boot prompt, option 4, type userconf disable i915drmkms and then boot. I have just set this as a boot option as I have no need to get the newer graphics drivers working:

menu=Disable i915drmkms:rndseed /var/db/entropy-file;userconf disable i915drmkms;boot netbsd


Using wlanctl <interface> to find wireless signal strength (rssi). E.g: wlanctl urtwn0 might have an rssi of 20. 0 is no signal. 20 is a bit pants, but for some reason it insists on connecting to the furthest away access point.</interface>

Shutting down / powering off

Don't use poweroff as the shutdown scripts don't get run. This means the entropy-file doesn't get created. Use shutdown instead. Probably same deal goes for reboot as well.



Can get a long way with these:

  • dejavu-ttf
  • inconsolata-ttf (still my fav monospace)
  • twemoji-color-font-ttf (for today's needs)