The most recent version of bsdinstall does not seem to respect any of
the checkboxes in the "Choose the services you would like to be started
at boot" dialog. None of the chosen services end up in the rc.conf file
that is installed onto the target system.
This is caused by the bsdinstall/scripts/hardening script, which
implements the new hardening options dialog. The script starts by
overwriting the previously written rc.conf.services file:
echo -n > $BSDINSTALL_TMPETC/rc.conf.services
which is obviously incorrect. It should clear out rc.conf.hardening
instead.
Reviewed by: allanjude
PR: 211506
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D7387
If an encrypted install is attempted and fails for any reason, the disk
cannot be erased by the installer because the partition is in use by GELI
At the start of the installation process, all ZFS pools are exported and
all GELI instances are detached, to allow a restarted install to proceed
PR: 210814
Reported by: jonathan
MFC after: 10 days
The pools are exported and reimported in order to write the bootcode
This causes an error when the bootpool is later mounted by common code
The bootpool is now imported with the -N flag to prevent mounting
Reported by: Michael Dexter
MFC after: 5 days
This patch add new 'hardening' file responsible for new bsdinstall
'System Hardening' menu allowing users to set some sane and carefully
picked system security options (like random process id's, hiding
other users/groups processes and others).
All options are OFF by default in this patch due to POLA principle
with intention to turn change some of them to ON by default in future.
Reviewed by: adrian, allanjude, bdrewery, nwhitehorn
Approved by: adrian, allanjude
MFC after: 7 days
Not having the correct date and time makes many PKI based things not work
In 10 and 11, it can mean that Unbound, ntpd, and sshd won't start
Submitted by: des (original patch)
MFC after: 7 days
Apply the LenovoFix (fake partition in pMBR is 2nd rather than 1st)
and GPT Active fix (mark the fake pMBR partition active) to respective
hardware that is confirmed to require such to boot correct.
Submitted by: Sam Fourman Jr. <sfourman@gmail.com> (ThinkPad W520)
Submitted by: Matthias Apitz <guru@unixarea.de> (Latitude E6330)
Approved by: re (gjb)
Sponsored by: ScaleEngine Inc.
A separate bootpool is used when the selected partition type is MBR
or when the disk is GELI encrypted and a UEFI loader is selected.
BIOS avoids the bootpool by using bootcode and loader that support GELI.
bsdinstall did not remount the bootpool after creating the main pool,
which caused an error when mkdir tried to create /boot/zfs
PR: 210717
Approved by: re (gjb)
Sponsored by: ScaleEngine Inc.
Fix an error where vfs.root.mountfrom was not always set as required
when creating a bootpool. After the recent geliboot changes, it was only
set if the main pool was encrypted.
Also resolve an error where the bootpool was unmounted twice causing
bsdinstall to stop with an error message about the failed command.
Approved by: re (gjb)
Sponsored by: BSDCan Hacker Lounge
Allow to setup country and/or regulatory domain before scanning
(since channel list is affected by regulatory restrictions this may
impact scan results).
PR: 182600 (originally)
Differential Revision: https://reviews.freebsd.org/D6325
Do not set canmount=noauto on the boot environment at create time, because
this causes / to not be mounted, and since the chroot is read only, new
mountpoints cannot be created.
The property is set later, when other properties are adjusted
Reported by: HardenedBSD
Sponsored by: ScaleEngine Inc.
In this configuration, a separate bootpool is not required.
This allows ZFS Boot Environments to be used with GELI encrypted ZFS pools.
Support for GPT+EFI+GELI is planned for the future.
Tested by: Joseph Mingrone, HardenedBSD
Relnotes: yes
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D5869
The root file system is mounted early via vfs.root.mountfrom.
The canmount=noauto property only affects the zfs rc.d script.
This ensures that the 'default' BE is not mounted overtop of another BE when
one is selected from the beastie menu
Sponsored by: ScaleEngine Inc.
Installs both pmbr+gptzfsboot as well as boot1.efifat in separate partitions
The resulting system can be booted with either UEFI or BIOS/CSM.
Preference is controlled by the user's firmware boot settings.
This is now the default for zfsboot installs
PR: 208629
Submitted by: Galael LAPLANCHE <ganael.laplanche@corp.ovh.com> (original version)
If a user requested encrypted swap, but 0 sized, it would still be added to fstab
PR: 208630
Submitted by: Ganael LAPLANCHE <ganael.laplanche@corp.ovh.com>
MFC after: 2 weeks
Sponsored by: ScaleEngine Inc.
If the bootpool does not start at the first sector of the BSD partition
then zfsldr seeks to the wrong offset inside the ZFS vdev label, and is
unable to find zfsboot, so the system does not boot
If 4k alignment is requested, align the BSD partition in the MBR table,
and align the swap and data pool, but the bootpool must start at sector 1
While here, if 4k alignment is requested, disable MBR CHS alignment, as
this results in not-4k aligned partitions.
Reported by: Alex Wilkinson
MFC after: 5 days
Sponsored by: ScaleEngine Inc.
The Dell Precision Tower 5810 fails to boot from GPT in Legacy/BIOS mode
without the Active flag in the Protective MBR. Suggest the workaround
during installation.
Since an increasing number of Dell systems exhibit this behavior,
I imagine all Dells past a certain date will do so. I would like
to suggest the workaround for all Dells with a BIOS date of, say,
2014 or later, but I would need to test a variety of systems before
committing such a change.
Reviewed by: allanjude, dteske
MFC after: 5 days
Relnotes: We should probably suggest using GPT+Active on "recent" Dells.
Sponsored by: Dell Inc.
Differential Revision: https://reviews.freebsd.org/D4075
- Rework MANIFEST generation and parsing via bsdinstall(8).
- Allow selecting debugging distribution sets during install.
- Rework bsdinstall(8) to fetch remote debug distribution sets
when they are not available on the local install medium.
- Allow selecting additional non-GENERIC kernels during install.
At present, GENERIC is still required, and installed by default.
Tested with: head@r293203
Sponsored by: The FreeBSD Foundation
For Lenovo laptops with buggy bios (x220, t420, t520):
Write the 0xee entry into the second slot in the pmbr instead of the first
For some Dell and HP models:
The BIOS gives a warning message when booting in legacy mode from a GPT partitioned disk where the 0xee partition in the pmbr is not flagged active
For models known to have this problem, mark the pmbr active during installation
Use smbios data to identify machines known to be affected by any of the above, and offer the user the option to apply the workaround
In bsdinstall's ufs auto mode (autopart partition wizard):
Allow users to select which type of partition table to use
Keep current defaults: MBR for BIOS, GPT for UEFI
This allows users to choose GPT for legacy boot if they wish
PR: 184910
PR: 194359
Reviewed by: Michael Dexter
Approved by: marcel
MFC after: 3 days
X-MFC-With: r285594
Relnotes: yes
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D3091
A variable was misspelled resulting in chmod executing on the installer instead of on the target chroot
PR: 191402
Submitted by: Martin Simmons <martin@lispworks.com>
Approved by: brueffer
MFC after: 3 days
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D3061
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.
Still need to add real targets under targets/ to build packages.
Differential Revision: D2796
Reviewed by: brooks imp
A new loader.conf(5) option of geom_eli_passphrase_prompt="YES" will now
allow you to enter your geli(8) root-mount credentials prior to invoking
the kernel.
See check-password.4th(8) for details.
Differential Revision: https://reviews.freebsd.org/D2105
Reviewed by: imp, kmoore
Discussed on: -current
MFC after: 3 days
X-MFC-to: stable/10
Relnotes: yes
Summary:
Add "GELI Passphrase:" prompt to boot loader.
A new loader.conf(5) option of geom_eli_passphrase_prompt="YES" will now
allow you to enter your geli(8) root-mount credentials prior to invoking
the kernel.
See check-password.4th(8) for details.
Differential Revision: https://reviews.freebsd.org/D2105
Reviewed by: (your name[s] here)
MFC after: 3 days
X-MFC-to: stable/10
Relnotes: yes
Test Plan:
Drop a head copy of check-password.4th into /boot and then apply the patch
(only the patch to /boot/check-password.4th is required; no other changes are
required but you do have to have a HEAD copy of check-password.4th to
apply the patch).
NB: The rest of your /boot files can be up to 2 years old but no older.
NB: The test won't work unless your kernel has the following change
https://svnweb.freebsd.org/base?view=revision&revision=273489
Now, put into /boot/loader.conf:
geom_eli_passphrase_prompt="YES"
and reboot.
You should be prompted for a GELI passphrase before the menu (if enabled),
just after loading loader.conf(5).
NB: It doesn't matter if you're using GELI or not. However if you are using
GELI and a sufficiently new enough release (has SVN r273489) and you entered
the proper passphrase to mount your GELI encrypted root device(s), you should
notice that the boot process did not stop (you went from loader all the way to login).
Reviewers: cperciva, allanjude, scottl, kmoore
Subscribers: jkh, imp
Differential Revision: https://reviews.freebsd.org/D2105
bsdconfig's f_package_add doesn't seem to support using the pkg repo from /etc/pkg/FreeBSD.conf, it also tries to run the commands on the installer image, not in the destination chroot
Instead, manually bootstrap pkg in the chroot, and then install the requested packages (in the chroot)
Doesn't use pkg -c, because pkg is not installed on the installer image
PR: 196250
Differential Revision: https://reviews.freebsd.org/D2026
Approved by: bapt
Sponsored by: ScaleEngine Inc.
Previously we used gnop(8) to fake 4K sector size disks but ZFS now has a
sysctl to control this when creating new top level vdev's so use that
instead.
Differential Revision: D566
MFC after: 1 month
Sponsored by: Multiplay
ZFS property canmount=off so that /var/db/pkg and other such directories
are part of the / dataset, and only /var/mail, /var/log, and /var/crash
are excluded from the ZFS boot environment (beadm).
PR: 193971
Approved by: jmg
MFC after: ASAP
Relnotes: yes
Sponsored by: ScaleEngine Inc.
reality. In particular, draw a connection between the auto ZFS script and
the auto UFS one, since they fulfill similar functions. I'm not sure the
auto ZFS code is actually experimental anymore, so it might be worth
changing that label still.
an embedded newline appearing within the options string surrounded by
double-quotes. Rework the logic that goes into setting dataset options on
the root pool dataset while we're here -- added two new variables (which
can be altered via scripting) ZFSBOOT_POOL_CREATE_OPTIONS and also
ZFSBOOT_BOOT_POOL_CREATE_OPTIONS for setting pool/dataset attributes at
the time of pool creation. The former is for setting options on the root
pool (zroot) and the latter is for setting options on the optional separate
boot pool (bootpool) implicitly enabled when using either GELI or MBR. The
default value for the root pool variable (ZFSBOOT_POOL_CREATE_OPTIONS) is
"-O compress=lz4 -O atime=off" and the default value for separate boot pool
variable (ZFSBOOT_BOOT_POOL_CREATE_OPTIONS) is NULL (no additional options
for the separate boot pool dataset).
Reviewed by: allanjude
MFC after: 7 days
X-MFC-with: r266107-266109
It starts off being used to track the grammar for the number of disks
(singular vs plural) and then it is reused as the list of available disks.
Replace the variable with disks_grammar and move 'disk' and 'disks' to
msg_ vars so they can be translated in the future.
Submitted by: Allan Jude <freebsd@allanjude.com>
Reviewed by: roberto
MFC after: 2 weeks
Sponsored by: ScaleEngine Inc.
Set compress=lz4 for the entire pool, removing it from the individual
datasets
Remove exec=no from /usr/src, breaks the test suite.
Submitted by: Allan Jude <freebsd@allanjude.com>
Reviewed by: roberto
MFC after: 2 weeks
Sponsored by: ScaleEngine Inc.
encryption for swap, and optional gmirror for swap (which can be combined)
Submitted by: Allan Jude <freebsd@allanjude.com>
Requested By: roberto
Sponsored By: ScaleEngine Inc.
MFC after: 2 weeks
GEOM support (thereby adding GEOM support to the disk selection
menu of bsdinstall(8)'s `zfsboot' module updated herein).
MFC after: 1 week
X-MFC-with: 264840
that the slightly older dialog(1) requires --separate-output when using the
--checklist widget to force response to produce unquoted values (whereas in
stable/10 --checklist widget without --separate-output will only quote the
checklist labels in the response if the label is multi-word (contains any
whitespace).
Since these enhancements (see revisions 263956 and 264437) were developed
originally on 10, the --separate-output option was omitted. When merged to
stable/9, we (Allan Jude) and I found during testing that the "always-
quoting" of the response was causing things like struct interpolation to
fail (`f_struct device_$dev' would produce `f_struct device_\"da0\"' for
example -- literal quotes inherited from dialog(1) --checklist response).
To see the behavior, execute the following on stable/9 versus stable/10:
dialog --checklist disks: 0 0 0 da0 "" off da1 "" off
Check both items and hit enter. On stable/10, the response is:
da0 da1
On stable/9 the response is:
"da0" "da1"
If you use the --separate-output option, the response is the same for both:
da0
da1
So applying --separate-output on every platform until either one of two
things occurs 1) dialog(1,3) gets synchronized between stable/9, higher or
2) we drop support for stable/9.
MFC after: 3 days
Reviewed by: Allan Jude
and finish the job. ncurses is now the only Makefile in the tree that
uses it since it wasn't a simple mechanical change, and will be
addressed in a future commit.
NB: If the zfsboot variables ($ZFSBOOT_*) are set, a script is
assumed to want zfsboot module instead of scriptedpart module.
Submitted by: Loïc Brarda <loic.brarda@cern.ch>
Reviewed by: nwhitehorn@
MFC after: 3 days
in the one-line comment associated with the dumpdev setting was not present
for the case where the user deselects the dumpdev service (restoring pre-
r256348 behaviour.
MFC After: 3 days
only allows basic username/password config, and does not provide the
ability to set any of the other WPA options. Regardless, this is
generally sufficient to associate.
Perhaps in the future this could allow full configuring (e.g. being able
to set "anonymous identity", and perhaps some of the more obscure WPA
options), though perhaps that will better belong in bsdconfig when that
grows wlan config ability.
MFC after: 1 week
location of /etc/rc.local on the install media is more appropriate as it
knows serial vs. non-serial and can also do the change earlier (so that
even the initial Install dialog can benefit from the change).
MFC after: 3 days
installation to 3-4+ (depending on vdev type) vdevs would result in odd
error messages where the zpool `create' command appeared to repeat itself
(an artifact of printf when you supply too many arguments -- caused by
neglecting to properly quote the multi-word expansion of $*vdevs when
creating the pool(s)). Example error below (taken from bsdinstall_log):
DEBUG: zfs_create_boot: Creating root pool...
DEBUG: zfs_create_boot: zpool create -o altroot=/mnt -m none -f "zroot" \
ada0p3.nop ada1p3.nopzpool create ada2p3.nop "ada3p3.nop"
DEBUG: zfs_create_boot: retval=1 <output below>
cannot open 'ada1p3.nopzpool': no such GEOM provider
DEBUG: Running installation step: hostname
rm: /tmp/bsdinstall_etc/fstab: No such file or directory
The two lines are unrelated, and the rm is spurious. Let's add `-f' to
that rm(1) so it doesn't confuse us when debugging an install.
MFC after: 3 days
should not have used DIALOG_CANCEL because dialog.subr wasn't included to
define it. The effect of the error was that you could not cancel the
partition dialog. Discovered by checking bsdinstall_log for something else.
MFC after: 3 days
required in such a case). But don't prevent the user from pointing the
gun at his/her foot -- you can disable 4k alignment after enabling geli).
MFC after: 3 days
and subsequent headaches caused by multiple pools with the same name.
Specifically, blast away any labels on the designated swap partition.
Problem was when you install to a given layout *with* swap and then turn
around and re-install the same layout *without* swap (we weren't doing a
labelclear for the swap device, so would end up with an "UNAVAIL" status
zroot pool that may only exist in the pool cache).
MFC after: 3 days
+ For GPT, always provision zfs# partition after swap [for resizability]
+ For MBR, always use a boot pool to relialy place root vdevs at EOD
NB: Fixes edge-cases where MBR combination failed boot (e.g. swap-less)
+ Generalize boot pool logic so it can be used for any scheme (namely MBR)
+ Update existing comments and some whitespace fixes
+ Change some variable names to make reading/debugging the code easier
in zfs_create_boot() (namely prepend zroot_ or bootpool_ to property)
+ Because zroot vdevs are at EOD, no longer need to calculate partsize
(vdev consumes remaining space after allocating swap)
+ Optimize processing of disks -- no reason to loop over the disks 3-4
separate times when we can logically use a single loop to do everything
Discussed on: -stable
MFC after: 3 days
+ De-obfuscate debugging to show actual values
+ Change graid(8) syntax; s/destroy/delete/ [destroy is not invalid syntax]
+ Log commands that were previously quiet
+ Added some new comemnts and updated some existing ones
+ Add missing local for `disk' used in zfs_create_boot()
+ Use $disks instead of multiply-expanding $* in zfs_create_boot()
+ Pedantically unset variable holding geli(8) passphrase after use
+ Pedantically add double-quotes around zpool names and zfs datasets
+ Fix quotation expansion for zpool_cache entries of loader.conf(5)
+ Some limited whitespace changes
MFC after: 3 days
https://communities.vmware.com/thread/107230https://communities.vmware.com/docs/DOC-11677
Basically, ignore the ``function 62'' and ``function 63'' interpretations
of the left/right command key when we're in the lengthiest portion of the
installation (initiated by the `auto' module).
The net effect is that you can now (once you've started the installer from
the media) escape the VM without prematurely terminating the current action
due to spurious escape sequence.
MFC after: 3 days
===
DEBUG: Running installation step: services
local: Not in a function
/usr/libexec/bsdinstall/services: cannot create : Read-only file system
/usr/libexec/bsdinstall/services: /tmp/bsdinstall/etc/rc.conf.services: \
Permission denied
===
The `local: Not in a function' is obvious, and was introduced by myself in
SVN revision 256348.
The latter two are caused by the attempt to use "\" to continue the line
after using the ">>" redirect. This appears to attempt to write a file with
the name " " in the current directory and subsequently attempts to execute
the file that was originally intended for writing (which is not executable;
hence the `Permission denied'). That was introduced in SVN r228192 about
2 years ago, apparently unnoticed until I started going over the debug
outputs very carefully.
MFC after: 3 days
after attempting to install to encrypted ZFS root (caused by a typo in a
variable name -- ZFSBOOT_BOOT_FSNAME -> ZFSBOOT_BOOTFS_NAME).
MFC after: 3 days
The effects of this patch would only be noticeable if you were purposefully
setting a bad value and trying to see what happens; and leaving the disks
intact if a bad value has been set seems fair.
+ Add a `-D FILE" command-line option for overriding the path to the
bsdinstall log file (BSDINSTALL_LOG env var).
+ Document new `-D FILE' in the man page for bsdinstall.
+ If FILE in `-D FILE' begins with a +, debug output goes to stdout
(interleaved between dialog(1) invocations/output) as well as to FILE
(minus the leading + of course).
+ If BSDINSTALL_LOG cannot be written, then debugging is disabled (except in
the case of a leading + in the pathname, wherein debug will still be
printed to stdout).
+ Update source code formatting style.
+ Fix a dangling participle ("Begun ..." -> "Began ...")
+ Rewrite the docsinstall script (was necessary to abate direct dependency
on BSDINSTALL_LOG (instead, use fault-tolerant bsdconfig framework which
displays appropriate errors for package management).
NB: docsinstall is still using pkg(8) after this change.
+ Add additional debug output for dhclient/rtsol/wpa_cliscan
+ Display script errors in a textbox rather than just on stdout
+ Update many coments.
+ Add new f_show_err() API call (like f_show_msg but changes the dialog
title to "Error")(see bsdconfig's `common.subr').
+ Add new f_eval_catch() API call for executing a command via eval but not
before logging the command to debug. Several example cases documented in
API header for function in bsdconfig's `common.subr'.
+ Fix dialog auto-sizing when launched as an rvalue to a pipe for indirected
scripts (previously would default to 24x80 sizing in this case, now it can
autosize to full size even when in a pipe chain).
+ Fix bug in f_snprintf if $format argument began with "-"; printf would
misinterpret as a flag. (this is in bsdcofig's `strings.subr').
+ Add accompanying f_sprintf() and f_vsprintf() to go along with already
existing f_snprintf() and f_vsnprintf() (see bsdconfig's `strings.subr').
+ Remove some unnecessary default ZFS datasets from the automatic "zfsboot"
script. Such as: /usr/ports/distfiles /usr/ports/packages /usr/obj /var/db
/var/empty /var/mail and /var/run (these can all be created as-needed once
the system is installed).
+ Remove setuid=off for /usr/home (as discussed from last round of CFT).
+ Fix some i18n string violations in "zfsboot".
+ Bolster debugging output in "zfsboot".
+ Fix some string quoting issues in "zfsboot".
+ Fix some variable scope issues in "zfsboot".
+ Change "Create" to "Install" in "zfsboot" main menu.
+ Increase error checking in "zfsboot" (type-check arguments and such).
+ Add call to "graid destroy" killing automatic metadata (part of the series
of pedantic destructions we do when bootstrapping a new/naked disk).
+ Make judicious use of new f_eval_catch() in "zfsboot".
+ Fixup some variable names for consistency (zfsboot).
+ Fix an underride syntax parameter expansion folly (zfsboot).
+ Confirm layout if not explicitly chosen when blindly proceeding (no
longer have to touch anything on the ZFS menu if it scares you, just
choose the omnibus "Install" option at the top and you'll be prompted to
select vdev type and disks in the layout confirmation dialog).
+ Change numbered menu items to alphabetic for more efficient navigation.
+ Consolidate vdev selection and disk selection into a single stateful
menu which performs validation and allows backing out to each previous
menu as you go deeper.
+ Redesign the ``Last Chance'' dialog (still using the same colors, but
make it conform to a tolerable width and make disks appear in a block-
quote style indented region).
+ Fix a bug wherein we used the a lowercase variable name by accident
(actual variable name declared as all-uppercase) at the time of
initializing fstab(5) (not believed to cause any issues though).
+ Update the geli setup infobox for each provider being initialized
(not just at the onset -- since each ``geli init'' causes kernel messages
to push our infobox off-screen).
Reviewed by: Allan Jude <freebsd@allanjude.com>
Discussed on: -current
MFC after: 3 days
and OpenSolaris/Illumos beadm use.
Remove /usr/local and /var/db/pkg datasets. Andriy Gapon writes:
I want to note that a good implementation of BEs should support a dependent
datasets feature. Unfortunately, it seems that we do not have any good BE
implementation for FreeBSD right now. If we had, personally I'd prefer to
have /usr/local in separate filesystem.
NOTE: Until then, remove these datasets.
Discussed on: src-committers
Submitted by: Bryan Drewery <bryan@shatow.net>
Reviewed by: Allan Jude <freebsd@allanjude.com>
MFC after: 3 days
so bootpool is imported after boot:
zpool_cache_load="YES"
zpool_cache_type="/boot/zfs/zpool.cache"
zpool_cache_name="/boot/zfs/zpool.cache"
otherwise /boot is a broken symlink after the system is up.
http://lists.freebsd.org/pipermail/freebsd-fs/2013-July/017891.html
NOTE: Fix a comment while here.
Reviewed by: gjb
services configuration and enable it by default. Committed with
slight change to menu text for length and content.
Submitted by: Allan Jude <freebsd@allanjude.com>
Approved by: re (glebius)
Patch from PR modified slightly for whitespace and style.
PR: bin/161547
Submitted by: Warren Block <wblock@wonkity.com>
Reviewed by: Allan Jude <freebsd@allanjude.com>
Approved by: re (glebius)
keymaps *and* provide a mechanism for testing the selection. With
this commit, bsdinstall is no longer dependent on kbdmap(1). The
keymap test menu was originally submitted by Warren Block but was
modified).
Submitted by: Warren Block <wblock@wonkity.com>
Reviewed by: Allan Jude <freebsd@allanjude.com>
Approved by: re (glebius)
to run interactively but it can be scripted too (optinally completely
non-interactive). Currently supports GELI and all ZFS vdev types. Also
performs validation on selections/settings providing error messages if
necessary, explaining (in plain language) what the issue is. Currently
the auto partitioning of naked disks only supports GPT and MBR (VTOC8
pending for sparc64), so is only available for i386/amd64 install.
Submitted by: Allan Jude <freebsd@allanjude.com>, myself
Reviewed by: Allan Jude <freebsd@allanjude.com>
Approved by: re (glebius)
newly installed system. This should greatly increase the amount of
entropy available when SSH host keys are generated during first boot.
Reviewed by: markm, nathanw
Approved by: re (gjb)
