# cannot upgrade - securelevel greater than zero



## junialter (Apr 14, 2021)

Hi,

I'm running a virtualized (qemu) FreeBSD 12.2 which I would lik to upgrade to 13-RELEASE.
The system had been modified for the use of iocage jails, meaning I recompiled the kernel in order to support vnet devices, like this:

```
pkg install subversion
svn checkout https://svn.freebsd.org/base/releng/`uname -r | cut -d'-' -f1,1` /usr/src
cp -v /usr/src/share/examples/jails/VIMAGE /usr/src/sys/amd64/conf/VIMAGE
cd /usr/src
make KERNCONF=VIMAGE kernel
```

When I try to upgrade I run:

```
freebsd-update -r 13.0-RELEASE upgrade
```
and then

```
freebsd-update install
```
After the last command it fails with:

```
Updates cannot be installed when the system securelevel
is greater than zero.
```

Is it possible that I cannot update to to my manual modifications?
What can I do to upgrade successfully?
Thank you


----------



## SirDice (Apr 14, 2021)

You've set the `kern.securelevel`, you will need to lower that first.


```
-1    Permanently insecure mode - always run the system in insecure mode.
           This is the default initial value.

     0     Insecure mode - immutable and append-only flags may be turned off.
           All devices may be read or written subject to their permissions.

     1     Secure mode - the system immutable and system append-only flags may
           not be turned off; disks for mounted file systems, /dev/mem and
           /dev/kmem may not be opened for writing; /dev/io (if your platform
           has it) may not be opened at all; kernel modules (see kld(4)) may
           not be loaded or unloaded.  The kernel debugger may not be entered
           using the debug.kdb.enter sysctl.  A panic or trap cannot be forced
           using the debug.kdb.panic, debug.kdb.panic_str and other sysctl's.

     2     Highly secure mode - same as secure mode, plus disks may not be
           opened for writing (except by mount(2)) whether mounted or not.
           This level precludes tampering with file systems by unmounting
           them, but also inhibits running newfs(8) while the system is multi-
           user.

           In addition, kernel time changes are restricted to less than or
           equal to one second.  Attempts to change the time by more than this
           will log the message “Time adjustment clamped to +1 second”.

     3     Network secure mode - same as highly secure mode, plus IP packet
           filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
           changed and dummynet(4) or pf(4) configuration cannot be adjusted.

     The security level can be configured with variables documented in
     rc.conf(5).
```


----------



## zirias@ (Apr 14, 2021)

Seems you have `kern.securelevel` set in /etc/rc.conf (or /etc/sysctl.conf). Comment it out and reboot. It can't be lowered in the running system, that's the point of it.


----------



## junialter (Apr 14, 2021)

Well that's weird. In rc.conf there is no such config but in sysctl.conf there is this:

```
kern.securelevel = 0
```
Yet, when I run

```
sysctl -a
```
I get this:

```
kern.securelevel: 1
```


----------



## MarcoB (Apr 14, 2021)

Just remove the line from your sysctl.conf. The default securelevel is -1 in FreeBSD. If you set it to 0 it will change to 1 during booting.


----------



## junialter (Apr 14, 2021)

That worked, thank you.


----------

