OpenBSD Upgrade Guide: 6.0 to 6.1

[FAQ Index] | [5.9 -> 6.0] [6.1 -> 6.2]

Upgrades are only supported from one release to the release immediately following it. Read through and understand this process before attempting it. For critical or physically remote machines, test it on an identical, local system first.

Alternatively, you can use the manual upgrade process.

You may wish to check the errata page or upgrade to the stable branch to get any post-release fixes.

Before rebooting into the install kernel

• clean out /usr/share/man. To remove all outdated manuals, issue rm -rf /usr/share/man.

• cwm(1) bind function changes. The configuration syntax for binding functions to keys and mouse buttons has changed, replacing the bind and mousebind keywords with bind-key, bind-mouse, unbind-key and unbind-mouse. See the cwmrc(5) man page for new bind function names.

• installer changes. On amd64, armv7, i386, hppa and macppc, the bsd.rd installer defaults to fetching sets over https. Your autoinstall(8) response file may need the additional line:

    Unable to connect using https. Use http instead = yes	# "no" is default

  between the HTTP Server and Set name(s) responses. Moreover, the xdm question was changed to

    Do you want the X Window System to be started by xenodm(1) 

After upgrading

• build system changes. If you intend to build the system from source in the future, you need to fix some permissions:

    # rm -rf /usr/obj/* /usr/xobj/*
    # chown build:wobj /usr/{,x}obj
    # chmod 770 /usr/{,x}obj

  It is recommended that you add users who need to work with the src trees to the group wobj, so that they can still write to /usr/obj.

  It is best to check out a fresh source tree from an AnonCVS server. If you need to update on top of a pre-existing source tree, you need to do some cleanup first.

• new mandoc.db(5) format. To update all mandoc.db(5) files to the new format, run:

    makewhatis

• softraid crypto switched to bcrypt PBKDF. New volumes will be created with bcrypt PBKDF, however existing volumes will continue to use PKCS5 PBKDF2 until a passphrase change is made.

  If you're booting from softraid crypto, ensure that your boot loader has been upgraded to a version that supports bcrypt prior to changing your passphrase. The boot(8) version should be at least 3.33 on amd64 and 3.31 on i386. Also be aware that once the passphrase has been changed, an older version of bioctl(8) (one that does not support bcrypt PBKDF) will not be able to "unlock" the volume.

• sqlite3 moved back to ports. SQLite has moved from base back to ports. Remove the following files after upgrading the OS and updating the packages, but before building any ports:

    rm /usr/bin/sqlite3
    rm /usr/include/sqlite3*.h
    rm /usr/lib/pkgconfig/sqlite3.pc
    rm /usr/libdata/perl5/site_perl/*-openbsd/sqlite3*.ph
    rm /usr/lib/libsqlite3*

  uucp and news users removed. The uucp user and the news group have been removed from base. If you use the net/uucp port, please follow these instructions first. Issue

    userdel uucp
    groupdel news
    rm -rf /var/spool/uucp*	# unless you use the net/uucp port

• uxterm and koi8xterm removed. The uxterm and koi8rxterm shell scripts have been removed, as xterm(1) on OpenBSD is already set up to support UTF-8:

    cd /usr/X11R6
    rm bin/koi8rxterm bin/uxterm
    rm share/X11/app-defaults/KOI8RXTerm share/X11/app-defaults/UXTerm
    rm man/man1/koi8rxterm.1 man/man1/uxterm.1

  If you edited any configuration files to call uxterm, do not forget to change these to call xterm directly. If you defined X resources for UXTerm, consider moving them to XTerm.

• xdm(1) replaced with xenodm(1). The X Display Manager has been switched to xenodm(1). If you enabled xdm in /etc/rc.conf.local, you need to update your configuration:

    rcctl disable xdm
    rcctl enable xenodm

  If any local configuration change was made to /etc/X11/xdm/, it should be migrated to the corresponding /etc/X11/xenodm file. After that the xdm files can be removed:

    rm -rf /etc/X11/xdm
    rm /usr/X11R6/bin/xdm /usr/X11R6/man/man1/xdm.1 /etc/rc.d/xdm

Configuration and syntax changes

• iked(8): RFC5114 MODP groups removed. Support for the additional modular exponential groups specified in RFC5114 was removed from iked(8). As a result, iked(8) will no longer accept proposals with the MODP2048-256 group (grp24) and thus will not be able to act as a responder for clients running OpenBSD 6.0 or earlier. Therefore the configuration on older installations needs to be changed: select a specific MODP group by adding a line such as ikesa group modp2048 childsa group modp2048 to be able to talk to endpoints running newer versions.

  For example, if the old configuration in iked.conf(5) looked like this:

    ikev2 active esp from 10.3.0.0/24 to 10.1.0.0/24 \
            local 192.168.1.1 peer 192.168.2.1 \
            childsa enc aes-128-gcm \
            psk "secret"

  it needs to be amended to look like this:

    ikev2 active esp from 10.3.0.0/24 to 10.1.0.0/24 \
            local 192.168.1.1 peer 192.168.2.1 \
    	ikesa group modp2048 \
            childsa enc aes-128-gcm group modp2048 \
            psk "secret"

• one lo(4) interface per rdomain. A loopback interface is now created by default for every rdomain(4). Much like lo0 for rdomain 0, it can be used to see and filter local traffic via bpf(4) and pf(4).

  If you were previously using an loX in an rdomain other than X, it won't be possible to create rdomain X anymore. You need to either use a different lo(4) unit or rdomain(4) number.

• pkg.conf(5) no longer supported. The pkg_* tools now use the installurl(5) file to find the main package repository. If you install or upgrade from a mirror, this file is created automatically. Verify that /etc/installurl points to your preferred mirror and that the URI does not end in /6.1 (which may happen due to a bug in the installer).

  If necessary, please create the /etc/installurl file manually with your preferred mirror:

    echo 'https://your.mirror/pub/OpenBSD' > /etc/installurl

  Since the pkg.conf(5) file will no longer be used by tools, you may remove it:

    rm /etc{,/examples}/pkg.conf

  Use the PKG_PATH environment variable in case you need to specify more than one repository.

• sysctl machdep.lidsuspend renamed to machdep.lidaction. The machdep.lidsuspend sysctl variable has been renamed to machdep.lidaction. Setting it to 2 hibernates the machine when the lid is closed. Update sysctl.conf(5) to use the new name.

Files to remove

rm -rf /usr/libdata/perl5/site_perl \
/usr/bin/perl5* \
/usr/lib/libperl.so.17.* \
/usr/libdata/perl5/*-openbsd/5.*/ \
/usr/bin/a2p \
/usr/bin/config_data \
/usr/bin/find2perl \
/usr/bin/psed \
/usr/bin/s2p \
/usr/libdata/perl5/CGI* \
/usr/libdata/perl5/Locale/Codes/Constants.pod \
/usr/libdata/perl5/Module/Build* \
/usr/libdata/perl5/Package \
/usr/libdata/perl5/inc \
/usr/libdata/perl5/pod/a2p.pod \
/usr/libdata/perl5/unicore/lib/Gc/Lt.pl \
/usr/libdata/perl5/unicore/lib/Hyphen/Y.pl \
/usr/libdata/perl5/unicore/lib/LOE \
/usr/libdata/perl5/unicore/lib/NChar \
/usr/libdata/perl5/unicore/lib/PatWS \
/usr/libdata/perl5/unicore/lib/Perl/_XExtend.pl \
/usr/libdata/perl5/unicore/lib/Perl/_XRegula.pl \
/usr/libdata/perl5/unicore/lib/Perl/_XSpecia.pl \
/usr/libdata/perl5/unicore/lib/Space \
/usr/libdata/perl5/version/vpp.pm

rm -f /dev/sound*

Special packages

• ansible. The copy module of Ansible added a newline to the value of the content attribute in case it was not present. This behavior is non-standard and was not documented. It has been reverted in the ansible-2.1.2.0p0 package. If you previously relied on this behavior you will need to explicitly add \n to your playbooks.

• awesome. Awesome 4.0 comes with a major API break. Existing configuration and extensions need to be ported. Please read the official tips for upgrading your configuration.

• courier-authlib. A configuration change is needed to be able to use latest version of mail/courier-authlib. If MySQL or Postgresql is used as authentication source, the following lines should be appended to the appropriate config files (/etc/courier/authmysqlrc or /etc/courier/authpgsqlrc).

    ##NAME: MARKER:0
    #
    # Do not remove this section from this configuration file. This section
    # must be present at the end of this file.

  In addition, if MySQL is used, the option MYSQL_OPT 0 should also be set.

• leafnode. The _news account used to run leafnode switched from the news group to the _news group. After upgrading to leafnode-1.11.11p0, make sure that no leafnode process is running, then run

    usermod -g _news _news
    chgrp -R _news /var/spool/news/

• letskencrypt. The security/letskencrypt port was moved to base as the acme-client(1) utility. Configuration is done via the acme-client.conf(5) file. Adjust scripts/cronjobs as necessary.

• nginx. The www/nginx port has been converted to use subpackages with dynamic modules, instead of using flavors. If you previously were using a flavored version of nginx, or the mail or stream modules, you need to install the appropriate subpackage(s). You also need to modify your nginx configuration to use load_module for each dynamic module you want to load.

• postgresql. There was a major update to PostgreSQL 9.6.2. Use pg_upgrade as described in the postgresql-server pkg-readme or do a dump/restore.

• py-elasticsearch-curator. With the update of Elasticsearch Curator to the 4.x version, the CLI interface changed. Instead of parameters, yaml configuration files are used. Configuration file documentation can be found on the curator reference pages.

• railo. Railo has been replaced with Lucee (a fork). Make notes on your existing Railo configuration before updating. You will need to adjust Tomcat configuration, and configure Lucee according to your previous Railo configuration.

• sympa. The mail/sympa mailing list server port was updated to a new version. The upgrade notes explain how to migrate your setup.

• tomcat. www/tomcat/v8 has been updated to 8.5, which now enforces a default umask of 027 (previously, unless other changes were made, 022 would be used). This behavior can be controlled by setting the UMASK environment variable. If using the rc.d script and the previous behaviour is required, the following can be added to /etc/login.conf:

    tomcat:\
          :setenv=UMASK=022:\
          :tc=daemon:

  All branches of www/tomcat now have stricter requirements on URL encoding to avoid a range of invalid characters (see CVE-2016-6816). This includes several characters which are quite often used in unencoded form: { } and |. For these three characters only, if callers cannot be fixed, the restriction can be relaxed by listing the ones you need in this setting in /etc/rc.conf.local:

    tomcat_flags=-server -Dtomcat.util.http.parser.HttpParser.requestTargetAllow='|'

• uucp. Starting with uucp-1.07p4, the uucp suite now runs under the _uucp account. Ensure that you have no uucp process running, then adjust the ownership of some files:

    find /etc/ /var/spool/ -user uucp -exec chown _uucp {} ';'

Upgrade without the install kernel

Sometimes, you need to do an upgrade of a machine for which the normal upgrade process is not possible. The most common case is a machine in a remote location and there is no easy access to the system console.

Preparation

• Place install files in a good location. Make sure you have sufficient space! Running out of space on a remote upgrade could be...unfortunate. Note that using softdeps can exaggerate the situation as deleted and overwritten files do not release their space immediately. Consider disabling the softdep mount option in /etc/fstab and rebooting before undertaking a manual upgrade. Having at least 200MB free on /usr would be recommended.

• Become root. While using doas(1) before each command is generally a good practice, the command will likely be broken by the last steps, so you should become root before starting this process. It might be good to verify your access to root using a method other than doas at this point, i.e., direct login or using su(1).

• Stop and/or disable any appropriate applications. During this process, all the userland applications will be replaced but may not be runnable, and strange things may happen as a result. You may also have issues with DNS resolution during the first reboot, so PF rules and NFS mounts dependent upon DNS may cause boot-up problems. There may be other applications which you wish to keep from running immediately after the upgrade, stop and disable them as well.

• Install new boot blocks. This should actually be done at the end of any upgrade. If this has been neglected, then failure to do this now may break serial console or other things, depending on your platform. Use installboot(8), assuming sd0 is your boot disk:

      installboot sd0

Upgrading manually

• Install new kernels. The extra steps for copying over the primary kernel are done to ensure that there is always a valid kernel on the disk.

  If using the multiprocessor kernel:

      cd /usr/rel    # where you put the release files
      ln -f /bsd /obsd && cp bsd.mp /nbsd && mv /nbsd /bsd
      cp bsd.rd /
      cp bsd /bsd.sp

  If using the single processor kernel:

      cd /usr/rel    # where you put the release files
      ln -f /bsd /obsd && cp bsd /nbsd && mv /nbsd /bsd
      cp bsd.rd bsd.mp /    # may give a harmless warning

• Install new userland. Save a copy of reboot(8), extract and install the release tarballs, reboot. Install base61.tgz last, because the new base system, in particular tar(1), gzip(1) and reboot(8), will not work with the old kernel. Either untar the needed filesets manually

      cp /sbin/reboot /sbin/oreboot
      tar -C / -xzphf xshare61.tgz
      tar -C / -xzphf xserv61.tgz
      tar -C / -xzphf xfont61.tgz
      tar -C / -xzphf xbase61.tgz
      tar -C / -xzphf man61.tgz
      tar -C / -xzphf game61.tgz
      tar -C / -xzphf comp61.tgz
      tar -C / -xzphf base61.tgz    # Install last!
      /sbin/oreboot

  or, if you use ksh(1), you can do

      cp /sbin/reboot /sbin/oreboot
      for _f in [!b]*61.tgz base61.tgz; do tar -C / -xzphf "$_f" || break; done
      /sbin/oreboot

  Note that tar(1) can expand only one archive per invocation, so a simple glob won't work.

• After reboot, update /dev. Run MAKEDEV(8):

      cd /dev
      ./MAKEDEV all

• Update boot loader. Still assuming sd0 is your boot disk:

      installboot sd0

• Update system configuration files. Run sysmerge(8):

      sysmerge

• Update firmware. There may be new firmware for your system. Update it with fw_update(1):

      fw_update

• Finish up. Review the console output from boot (using dmesg -s) and correct any failures as necessary. All the steps following after upgrading above also apply to manual upgrades. Finally, remove /sbin/oreboot and update packages: pkg_add -u.

[FAQ Index] | [5.9 -> 6.0] [6.1 -> 6.2]