Upgrading All FreeBSD Ports via portupgrade

portupgrade is a tool that allows you to upgrade ports on your FreeBSD system. It has its faults, and it doesn't always work (see below), but its about as close as you can get on FreeBSD to a 'one-click' upgrade.

There are other tools for doing upgrades, and several (including portupgrade are outlined in the FreeBSD handbook.

Think about updating the base system. See the FreeBSD - Stable Upgrade page, or do a binary update.

First, make sure the ports tree and index file are up-to-date. You can do this either via portsnap, or via cvsup.

• cd /usr/ports
• cvsup ports-supfile (if you're doing this for the first time, you'll need to copy the ports-supfile from /usr/share/examples/cvsup/ports-supfile to /usr/ports/ports-supfile, and change the settings in the file as appropriate).
• portsdb -Uu to sync up the ports index file with the ports tree you just updated

• portsnap fetch
• portsnap extract (only needed the first time you run portsnap)
• portsnap update

Once the ports are up to do, you should backup the package database:

• tar cvfz ~/pkg_db_backup.tar.gz /var/db/pkg

Run an audit:

• portaudit -Fda

Then, update the package database:

• pkgdb -F

If the database is corrupted, fix it:

• pkgdb -fu

Look at the packages that need to be updated (note that portversion uses the ports index file, so you need to make sure you ran portsdb -Fu earlier to get the latest file):

• portversion -v | grep -v up-to-date

To see the full list, do:

• portversion -v

If you would prefer to check your ports against an actual can of the ports tree, you can use pkg_version instead of portsversion:

• pkg_version -v

Doing it this way is a lot slower than using portversion

First, figure out if any packages need to be upgraded manually. There isn't really any good way of doing this that I've figured out, but I've made a list of packages I've had problems with below. Feel free to add to it.

Next, do the actual update. You can do this one of two ways: either do a fully automatic upgrade, or do the upgrade bit-by-bit. The latter is STRONGLY recommended, as it allows you to go slowly and test things. The fully automatic upgrade will break things, and may take a lot of time to fix.

• Do it all at once: portupgrade -aRv If you do decide to do this, you will want to use the -x option to exclude packages that shouldn't be upgraded automatically (see below), or upgrade those packages manually first.

• Do it one package at a time: portupgrade -Rv <pkgname> The -R is optional; it will upgrade all the packages that <pkgname> depends on.

Run portsclean -PCDL to clean up old ports, libraries, distfiles and packages.

Then, reboot and then check /var/log/messages for any errors. Also check that all expected services are working on the box.

On the first server you do the upgrade on, do:

• Create the /usr/ports/packages directory if it doesn't exist already
• portupgrade -p -aRv This will build packages for each port in /usr/ports/packages
• tar up the contents of the packages directory, and copy it to another server: cd /usr/ports/packages; tar cvfz ~/packages_030309.tar.gz *
• Once logged into the other server, use portupgrade -P -aRv to install the ports using the packages you've made.

Some software doesn't behave well with the portupgrade process. Sometimes it's because you need to run a certain command after the upgrade and portupgrade doesn't know about it, or because you've installed the software with custom configuration options (although there are ways to mitigate that).

• Perl If perl needs to be upgraded, you should do that FIRST (manually), then run perl-after-upgrade -f to tell the system about the new version and update all packages necessary. See man perl-after-upgrade for full details.

• DSpam If DSpam is part of the upgrade process, you'll have to upgrade the CGI part of it by hand. Once its installed, you'll probably have to reset perms on /var/db/dspam to that the dspam user can write to its database.

* WARNING: If you have a lot of ports installed (who doesn't?), start this process EARLY in the day, because the whole thing takes several hours to run, and there are usually a few things that have to be fixed manually at the end.

• If some ports will not compile because of security problems, make them manually and use

make -DDISABLE_VULNERABILITIES Of course, make sure you actually know what you're getting yourself into when you're installing a port with known vulnerabilities.