# 10.3->11.0 (after upgrade cannot use sudo and pkg)



## IPTRACE (Oct 19, 2016)

Hello!

After upgrade I cannot use sudo nad even pkg.
Is it a bug?


```
sudo: error in /usr/local/etc/sudo.conf, line 0 while loading plugin `sudoers_policy'
sudo: unable to load /usr/local/libexec/sudo/sudoers.so: Shared object "libpam.so.5" not found, required by "sudoers.so"
sudo: fatal error, unable to load plugins
```


```
Shared object "libssl.so.7" not found, required by "pkg"
```

I cannot log in as root. I always use sudo(8).


----------



## Remington (Oct 19, 2016)

Try logging in as single user during boot-up.


----------



## IPTRACE (Oct 19, 2016)

I can't. This system is on bhyve and I use console to get boot screen but ESC and others keys do not stop booting.
Boot delay is set to 0.
Is there any other option key to get single user mode?


----------



## IPTRACE (Oct 19, 2016)

I have it (key 2 -digit). Headache to get single user mode.


----------



## Remington (Oct 19, 2016)

If you cannot login as sudo. What about `su`?


----------



## IPTRACE (Oct 19, 2016)

su does not work. I disabled to use root.
Ok, I'm in single user mode. What should I do to run properly pkg, sudo etc.?


----------



## Remington (Oct 19, 2016)

Have you done proper mount and are you using ZFS?

After major upgrades, you will need to upgrade pkg to use FreeBSD 11 by issuing this command:
`pkg-static install -f pkg`

And then reinstall all packages for FreeBSD 11 by doing this: `pkg upgrade -f`

Hopefully the required libraries will be installed for sudo to work.

You should enable root login for now until you get things running properly.


----------



## IPTRACE (Oct 19, 2016)

I'm using UFS. I'm in writable mode and can run/modify files as root etc.
I've run `pkg-static install -f pkg` and got:

```
[1/1] Reinstalling pkg-1.8.7_3...
[1/1] Extracting pkg-1.8.7_3: 100%
ldconfig: Cannot mmap "/var/run/ld-elf.so.hints": Invalid argument
pkg-static: POST-INSTALL script failed
```


----------



## _martin (Oct 19, 2016)

It happened because sudo is not in FreeBSD base. It's built from ports against the library which has been updated in 11.0. 

You need to rebuild it and/or download a new one. pkg-static(8) is your friend here. Assuming you have the internet connection you can do: 

`# pkg-static delete -f pkg`
`# pkg`

First one deletes pkg from the system. It requires -f as it tries to delete itself. The 2nd one fetches then the pkg from the internet. Then you can use it to delete/install the sudo and other packages if needed. Today I used the portupgrade(1) to rebuild all my packages in jails. 

As a side note you should not rely on sudo only. You should have user that could su to root (i.e. have him in wheel group).


----------



## IPTRACE (Oct 19, 2016)

Anyway, it was helpful. After that
`pkg upgrade -f`
and reboot - done all.

Thank you for your help.


----------



## cbrace (Oct 21, 2016)

Hi all,

I have encountered a similar problem that the instructions above haven't solved.

After rebooting, dovecot2' s auth won't run properly because it can't find libpam.so.5

In /usr/lib, I see the current version of that shared library is libpam.so.6

How do I get dovecot to find the new version?

Thanks


----------



## IPTRACE (Oct 21, 2016)

Hello!

Try to delete dovecot package and install it again.

I'm going to upgrade other several servers with dovecot, so I can encounter the same problem.
I'll check it of course.


----------



## cbrace (Oct 21, 2016)

Thanks, I tried that -- deleting and reinstalling -- but dovecot is still looking for libpam.s.05. I hope someone here has a suggestion as I've run out of ideas.


----------



## IPTRACE (Oct 21, 2016)

Is there libpam.s file in the system?


----------



## cbrace (Oct 21, 2016)

Fixed it. I forgot to do a *make clean *first.


----------



## IPTRACE (Oct 21, 2016)

Did you use port instead pkg to install dovecot?


----------



## Remington (Oct 21, 2016)

cbrace said:


> Fixed it. I forgot to do a *make clean *first.



Sometimes I run into something like this so the quickest fix is to make a softlink to a newer library.


----------



## kpa (Oct 21, 2016)

Remington said:


> Sometimes I run into something like this so the quickest fix is to make a softlink to a newer library.



No, don't. There is nothing in FreeBSD ports that requires that the newer version of the same shared library has to implement the API/ABI of the previous version, it's left completely to the upstream vendor and the maintainer of the FreeBSD port to decide if they want to maintain such backward compatibility. Doing this will bite you eventually.


----------



## Remington (Oct 21, 2016)

kpa said:


> No, don't. There is nothing in FreeBSD ports that requires that the newer version of the same shared library has to implement the API/ABI of the previous version, it's left completely to the upstream vendor and the maintainer of the FreeBSD port to decide if they want to maintain such backward compatibility. Doing this will bite you eventually.



It usually rare in these cases when I don't have time to fetch and build customized ports and I would resort to making softlink as a temporary fix.  It's never a permanent solution because something will break eventually.


----------



## cbrace (Oct 21, 2016)

Once again hi all,

I have two question about this process which I hope some people here can answer.

First, I have been using `freebsd-upgrade` for some years now to perform OS upgrades (major and minor) and this is the first time I have encountered problems with obsolete libraries. Previously I never rebuilt the installed ports; I first made sure all ports were up to date with `portmaster`, and I then ran `freebsd-upgrade`. Reboot, done. Has something change? Or did I just have dumb luck previously?

Second, `pkg upgrade -f` seems to work well for most of the ports installed. But what about ports for which you need a non-default configuration? For example, my setup requires postfix with the mysql interface, which I believe is not a default option. To get my server back to normal today, I found I needed to run `pkg upgrade -f`  and then also rebuild both dovecot2 and postfix from source. That finally solved the library issues. 

Your thoughts? I would like to be prepared for the next major upgrade


----------



## marino (Oct 21, 2016)

nothing changed and you had dumb luck before.
You have to remove all the old packages and reinstall / rebuild them all again.  You can't "use portmaster to make sure they are up to date".  portmaster can't detect wrong library linkages.


----------



## Remington (Oct 21, 2016)

It's a lot easier to use port-mgmt/synth or port-mgmt/poudriere to build your own clean packages.  That way you'll know if something breaks and it won't mess up your running system.  Also it keeps your installed packages and dependencies to minimum without cluttering up with bunch of orphaned built dependencies from ports.  You can build your own packages with your custom options.  I have mail server with many customized packages and I can simply delete all packages, reinstall all of them and its all up running without changing anything.


----------



## cbrace (Oct 21, 2016)

marino@ said:


> nothing changed and you had dumb luck before.
> You have to remove all the old packages and reinstall / rebuild them all again.  You can't "use portmaster to make sure they are up to date".  portmaster can't detect wrong library linkages.



You may be right about dumb luck  But the Handbook does recommend portmaster to manage the transition:

After a major version upgrade, all installed packages and ports need to be upgraded. Packages can be upgraded using pkg upgrade. To upgrade installed ports, use a utility such as ports-mgmt/portmaster.

A forced upgrade of all installed packages will replace the packages with fresh versions from the repository even if the version number has not increased. This is required because of the ABI version change when upgrading between major versions of FreeBSD. The forced upgrade can be accomplished by performing:

# *pkg-static upgrade -f*
A rebuild of all installed applications can be accomplished with this command:

# *portmaster -af*​
https://www.freebsd.org/doc/en_US.I...freebsdupdate.html#freebsdupdate-portsrebuild


----------



## marino (Oct 21, 2016)

for one, I have already tried getting references to portmaster removed from the handbook.  Secondly, it's a badly written paragraph.  "upgrading" is not needed, what's needed is a complete replacement of all packages, whether that be through binary packages or rebuilding from source.  They have to be built on the same release.  If you upgrade, all the packages where the version didn't change won't get rebuilt, right?

when compared to modern building options, portmaster is *awful*.  Some die-hards won't admit it though so you'll people defend it despite it effectively not receiving updates for years.


----------



## cbrace (Oct 21, 2016)

Is `pkg upgrade` the preferred method? If not, what do you recommend?


----------



## marino (Oct 21, 2016)

somebody mentioned `pkg upgrade -f` earlier but that only works if all options are default.  If not, you need poudriere or synth, as also previously mentioned.  (synth can mix custom option ports + packages, but poudriere requires all to be built)


----------



## ced (Oct 22, 2016)

I'm having the exact same problem upgrading from 10.2 -> 11.0


First did a `'freebsd-update fetch install'` which allowed me to do `'freebsd-update upgrade -r 11.0-RELEASE'` and `'freebsd-update install'`
All went fine without issues, after reboot, did the second `'freebsd-update install'`, and got a warning I need to rebuild all contrib software - which I wouldn't know how to do since I'm _ONLY_ using pkg and never even cloned the ports tree.
After a subsequent - and useless - `'freebsd-update install'` I was unable to run pkg anymore: 
	
	



```
Shared object "libssl.so.7" not found, required by "pkg"
```
. The same was true for sudo: 
	
	



```

```



```
sudo: error in /usr/local/etc/sudo.conf, line 0 while loading plugin `sudoers_policy'
sudo: unable to load /usr/local/libexec/sudo/sudoers.so: Shared object "libpam.so.5" not found, required by "sudoers.so"
sudo: fatal error, unable to load plugins
```

So the documented upgrade process is broken. I actually was under the impression that 11.0 would have the base system under pkg, so this would not have been a problem. In fact, I started my BSD experience with 10.2, and have only used 'pkg'. 

Should we raise a PR for this? Apparently upgrading today from a 10.x pkg-based system to 11.0 leads to a broken system?


----------



## ced (Oct 22, 2016)

Resolved thanks to previous comments by doing:


su - (become root)
pkg-static delete -f pkg
pkg
pkg upgrade -f
Should be documented maybe in the release notes for those like me upgrading from a pkg-only system.


----------



## marino (Oct 22, 2016)

ced said:


> All went fine without issues, after reboot, did the second `'freebsd-update install'`, and got a warning I need to rebuild all contrib software - which I wouldn't know how to do since I'm _ONLY_ using pkg and never even cloned the ports tree.



You don't need to "rebuild" them, you only need to reinstall the packages using versions for the new release.

Here's a step-by-step guide on how to quickly replace all packages only using pkg(8):
https://www.dragonflybsd.org/docs/howtos/HowToDPorts/#index4h1



> Should we raise a PR for this? Apparently upgrading today from a 10.x pkg-based system to 11.0 leads to a broken system?



I would say "no", this is a user error.  pkg(8) is itself a package and you didn't replace it, nor did you run the pkg-bootstrap program that would replace it.


----------



## IPTRACE (Oct 22, 2016)

I've encoutered the problem twice in several dozen upgrades.
Yes, pkg-static install -f pkg resolves the issue.


----------



## ced (Oct 22, 2016)

marino@ said:


> I would say "no", this is a user error.  pkg(8) is itself a package and you didn't replace it, nor did you run the pkg-bootstrap program that would replace it.



I agree it's a user error. But it's a user error caused by unclear documentation. The fact you have to recite DragonFly BSD documentation shows that as well. I don't know if it requires a PR - I'm too new to BSD in general - but I feel the release notes depicting the how to upgrade from 10.3 or older, can benefit from these few steps.


----------



## Remington (Oct 22, 2016)

You should avoid using `sudo` as it's not part of the base system.  FreeBSD is not Linux so login as root or use `su` command when doing maintenance or upgrades.


----------



## marino (Oct 22, 2016)

ced said:


> The fact you have to recite DragonFly BSD documentation shows that as well.



I didn't "have" to.  There are 100 ways to skin a cat.  I prefer to start from scratch so I wrote a HowTo and I felt that HowTo could help you.  It could be considered "overkill" but it's also bullet-proof; it always works.


----------



## ced (Oct 22, 2016)

marino@ said:


> I didn't "have" to.  There are 100 ways to skin a cat.  I prefer to start from scratch so I wrote a HowTo and I felt that HowTo could help you.  It could be considered "overkill" but it's also bullet-proof; it always works.


Don't get me wrong.. I like it. Just saying that release notes and the handbook could have that explanation as well. Apparently it's common knowledge, but for me - never having had to upgrade between major versions - it's undocumented. Maybe it'll be my first patch I submit against doc.. ;-)


----------



## chrbr (Oct 22, 2016)

There is something in the handbook. At the end of the section

```
23.2.3. Performing Major and Minor Version Upgrades
```
 is

```
The upgrade is now complete. If this was a major version upgrade, reinstall all ports and packages as described in Section 23.2.3.2, “Upgrading Packages After a Major Version Upgrade”.
```
where the procedure is documented.


----------



## cbrace (Oct 25, 2016)

Until reading this thread, I was unaware of ports-mgmt/synth. I've now installed it and used it to rebuild my ports, and will continue to use it to maintain my system. Many thanks to Marino@ for this wonderful utility!


----------



## listentoreason (Jan 8, 2017)

I appear to have a similar problem, but the suggested solutions are not working for me. At the moment, both `pkg` and `sudo` are broken. The problems began during a "routine" `pkg upgrade`. I had updated from 9.1 to 10.0-RELEASE in August 2014, and have been running the system (and updating) without incident since then. I don't remember all the steps I took when switched over to `pkg`, or when I did so, but I believe it was after the update to 10.0.

Now, when I run either sudo or pkg I get the following error:

```
sudo su
/lib/libc.so.7: version FBSD_1.4 required by /usr/local/bin/sudo not found
pkg
/lib/libc.so.7: version FBSD_1.4 required by /usr/local/lib/libpkg.so.3 not found
```
Per suggestions above I've used `pkg-static` to upgrade `pkg`:


```
pkg-static install -f pkg
# Probably identical, but I also tried:
pkg-static delete -f pkg
pkg
```

Both appear to run without issue, but `pkg` is still non-functional afterwards (same complaint about libc.so). I've also run:


```
pkg-static upgrade -f
```

... which ran without apparent incident (once I realized that I should answer "no" to questions about "no direct installation candidate" for a ruby package). I had hoped that it would somehow resolve the issues with libc, but no luck so far.

Any advice would be much appreciated!


```
uname -a
FreeBSD citadel 10.0-RELEASE-p7 FreeBSD 10.0-RELEASE-p7 #0: Tue Jul  8 06:37:44 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
```


----------



## SirDice (Jan 9, 2017)

FreeBSD 10.0 has been EoL since February 2015 (almost 2 years ago). 

https://www.freebsd.org/security/unsupported.html


----------



## japoc (Feb 2, 2017)

Hi, I cannot do anything anymore on my server because of this, as my only access is by ssh-ing to the account of a sudoer, and sudo doesn't work anymore.
How can I avoid this problem next time I upgrade my server to a new release?


----------



## ASX (Feb 2, 2017)

japoc said:


> Hi, I cannot do anything anymore on my server because of this, as my only access is by ssh-ing to the account of a sudoer, and sudo doesn't work anymore.



This should still work:

```
su -
```


----------



## SirDice (Feb 2, 2017)

Only if the account is a member of the wheel group.


----------



## ASX (Feb 2, 2017)

SirDice said:


> Only if the account is a member of the wheel group.


As far as I know this is also true for sudo, so I assumed it is the case.


----------



## SirDice (Feb 2, 2017)

ASX said:


> As far as I know this is also true for sudo,


It's not. Not by default at least. But it can definitely be configured that way, if I recall correctly it's even mentioned as an example in the sudoers file.


----------



## japoc (Feb 2, 2017)

ASX said:


> This should still work:
> 
> ```
> su -
> ```


No this doesn't work. I get:
`$ su -
su: Sorry.`
I don't have a root password anyway. If I remember well, I had disabled it in order to make sure only my passwordless ssh-ing sudoer can do any administrative work (using sudo) and no user can use "su". I think the only thing I can do now is reinstall the server.
My question is rather how to avoid this problem in the future.
I'd like to make sure that `sudo` always work even after running  `sudo freebsd-update install`.


----------



## ASX (Feb 2, 2017)

japoc said:


> I think the only thing I can do now is reinstall the server.


I would think you can still access it in single user mode ...


japoc said:


> My question is rather how to avoid this problem in the future.


I guess you need to rely on what is available in system, and not on what is in ports/pkgs (like sudo)


----------



## japoc (Feb 2, 2017)

ASX said:


> I guess you need to rely on what is available in system, and not on what is in ports/pkgs (like sudo)



You mean the best way to manage a FreeBSD server would be to ssh into the root account ? (I don't have physical access to the machine). This is what people do?


----------



## ASX (Feb 2, 2017)

japoc said:


> You mean the best way to manage a FreeBSD server would be to ssh into the root account ? (I don't have physical access to the machine). This is what people do?


May be not ssh to root directly, but setting the user in the wheel group would do. (and using `su`).
And yes, that's what I do.


----------



## SirDice (Feb 2, 2017)

Yep, me too. I have one user account (mine) in the wheel group and I have the root password. Normally I use sudo(8) as does everybody else. But my account could also be used in a pinch. We also have various KVM/IPMI solutions, so we always have remote access to the console.


----------

