OpenBSD Upgrade Guide: 3.8 to 3.9

[FAQ Index] | [3.7 -> 3.8] | [3.9 -> 4.0]

Note: Upgrades are only supported from one release to the release immediately following it. Do not skip releases.

It is highly recommended that you read through and fully understand this process before attempting it. If you are doing it on a critical or physically remote machine, it is recommended that you test this process on an identical, local system to verify its success before attempting on a critical or remote computer.

Upgrading is a convenient way to bring your OpenBSD system up to the most recent version. However, the results are not intended to precisely match the results of a wipe-and-reload installation. Old library files in particular are not removed in the upgrade process, as they may be required by older applications that may or may not be upgraded at this time. If you REALLY wish to get rid of all these old files, you are probably better off reinstalling from scratch.

Table of Contents:

Before upgrading
The upgrade process
Final steps

Before upgrading

If your machine has a PCI NIC using the le(4) driver, it has probably been replaced by the pcn(4) driver. BEFORE doing the upgrade, copy your /etc/hostname.le* file(s) to corresponding /etc/hostname.pcn* files, otherwise you will not have functioning network during and after the upgrade process.

Due to the addition of debugging symbols, the size of library files has increased very significantly. For instance, on the i386 platform, the size taken up by the /usr/lib directory went up from 47.7MB in 3.8 to 209MB in 3.9. Make sure you have sufficient space available before starting the upgrade.

Check whether you have made any modifications to your kernel. For example, you might have modified your network device to use a non-default setting using config(8). Note your changes, so you can repeat them for the new 3.9 kernel.

pfsync(4) has changed format, so it can not keep state between a 3.8 and a 3.9 box. Mismatched systems will lose all connections when you switch which box is master, as states will not be transferred between systems. You can minimize the impact of this by upgrading your backup boxes first, so there is only one loss of active states.

carp(4) users with more than one address on a single carp(4) interface may experience another bump when upgrading: interfaces are sorted by address now, so having aliases in exactly the same order is not as critical as it was in the past. It does mean, however, there may be problems between old and new systems. You can sort aliases manually on the old systems to work around this problem if necessary.

ftp-proxy(8) has changed, as detailed below, so your pf.conf(5) file may need to be updated.

ancontrol(8) has been replaced by additional functionality in ifconfig(8). This may impact how you configure your wireless interfaces.

The upgrade process

Upgrading by install media

The easiest and safest way to upgrade is to boot from install media and follow the upgrade steps, which are very similar to the install process. Afterwards, complete the upgrade by following the final steps as detailed below.

Upgrading without install media

This is NOT the recommended process. Use the install media method if at all possible!

Sometimes, one needs to do an upgrade of a machine when one can't easily use the normal upgrade process. One can usually do this by carefully following a process similar to building the system from source:

Place install files in a "good" location. Make sure you have sufficient space!
Stop any "insecure" applications from starting at boot: There will be a time when PF will be unlikely to be running during this upgrade process, but your applications may still start and run properly. Any application dependent upon PF for security should be disabled before this happens, and should not be re-enabled until proper PF operation is verified after upgrade. There may be other applications which you wish to keep from running during the upgrade, stop and disable them as well.
Check the kernel: Although most people can skip this step, if you had a modified kernel in 3.8, it is likely you will need to modify the stock kernel of 3.9. Especially when you are performing the upgrade process remotely, now is the time to make sure the new kernel will work upon rebooting the machine. If any changes must be made to the kernel, the safest thing to do is to make those changes on a local 3.9 system. This can be as simple as modifying a specific device using config(8), or it can involve a recompilation if the option you need is not included in the GENERIC kernel. Please consult FAQ 5 - Building the system from source before considering to recompile your kernel.
Install new kernel(s)
```
export RELEASEPATH=/yourpath
cd ${RELEASEPATH}
rm /obsd ; ln /bsd /obsd && cp bsd /nbsd && mv /nbsd /bsd
cp bsd.rd bsd.mp /
```
Note the extra steps for copying over the primary kernel: those are done to ensure that there is always a valid copy of the kernel on the disk that the system can boot from should there be a really badly timed power outage or system crash.
Install new /etc/firmware files: Due to the fact that some uploaded "firmware" blobs were relocated from the kernel to files in the /etc/firmware directory, there are a few drivers which will break if there is no uploadable firmware file available when the new kernel boots. This will impact users of only a few devices, though all users can use this step without harm. To extract the firmware files from base39.tgz, use the following as root:
```
cd /
tar xzpf ${RELEASEPATH}/base39.tgz "*etc/firmware/*"
```
Reboot on the new kernel: This might be a tempting step to skip, but it should be done now, as usually, the new kernel will run old userland apps (such as the soon to be important reboot!), but often a new userland will NOT work on the old kernel.
Install new userland applications. Do NOT install etc39.tgz and xetc39.tgz now, because that will overwrite your current configuration files!
```
export RELEASEPATH=/yourpath
cd /
tar xzpf ${RELEASEPATH}/base39.tgz
tar xzpf ${RELEASEPATH}/comp39.tgz
tar xzpf ${RELEASEPATH}/game39.tgz
tar xzpf ${RELEASEPATH}/man39.tgz
tar xzpf ${RELEASEPATH}/misc39.tgz
tar xzpf ${RELEASEPATH}/xbase39.tgz
tar xzpf ${RELEASEPATH}/xfont39.tgz
tar xzpf ${RELEASEPATH}/xserv39.tgz
tar xzpf ${RELEASEPATH}/xshare39.tgz
```
Note: not all file sets will need to be installed for all applications, however if you installed a file set originally, you should certainly upgrade it with the new file set now.
Note: the files in /etc are handled separately below, so etc39.tgz and xetc39.tgz are NOT unpacked here.
Upgrade /dev. The new MAKEDEV file will be copied to /dev by the installation of base39.tgz, so you simply need to do the following:
```
cd /dev
./MAKEDEV all
```
Upgrade /etc as below.
Reboot

During this process, sendmail(8) may produce some error messages like the following:

    Nov 1 12:47:05 puffy sm-mta[16733]: filesys_update failed: No such file or directory, fs=., avail=-1, blocksize=380204

These messages can be safely ignored, or you may wish to halt sendmail(8) during the upgrade process.

Final steps

1. Upgrading `/etc`

Whether you upgrade by using an install media and doing a formal "upgrade" process, or do a "in-place" binary upgrade, there are certain manual steps that have to be performed.

1.1. New users and groups

no new users or groups

1.2. Operational changes

ftp-proxy ftp-proxy(8) was replaced by what was previously called pftpx. The new ftp-proxy runs stand-alone and not from inetd.conf(5) as it used to. You will have to update /etc/inetd.conf to no longer invoke ftp-proxy(8), and update /etc/rc.conf and /etc/rc to run the new one. Edit rc.conf or rc.conf.local to invoke the new program, for example:
```
echo 'ftpproxy_flags=""' >> /etc/rc.conf.local
```
The new proxy uses anchors to allow data connections, which means that your existing /etc/pf.conf must be adapted. In the NAT section you need:
```
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
```
They are mandatory, even if you don't use NAT otherwise. The following rule, that is probably already there for the old ftp-proxy, must stay:
```
rdr pass on $int_if proto tcp from $lan to any port 21 -> \
    127.0.0.1 port 8021
```
In the rules section, this is needed:
```
anchor "ftp-proxy/*"
```
Rules that allow the proxy to make FTP control connections (destination port 21/tcp) must stay. Rules that allow FTP data connections are no longer needed. Those rules may contain "user proxy" or "to port > 49151". Care has been taken to keep the command line switches similar, but some differ. See the ftp-proxy(8) man page.
One case warrants special mention: if you have old clients that rely on active mode data connections which use 20/tcp as a source port, you need the '-r' switch (for this you had to run the old proxy with "-u root").
Run ftp-proxy with "-d -D7" if you run into trouble and want to diagnose what's happening.

1.3. `/etc` file changes

You will want to extract the etc39.tgz files to a temporary location:

cd /tmp
tar xzpf ${RELEASEPATH}/etc39.tgz

Files that can probably be copied from etc39.tgz "as is":

daily
ipsec.conf
magic
monthly
netstart
rc
security
services
weekly
mtree/*

Note that it IS possible to locally modify these files, if this has been done, manual merging will be needed. Here are copy/paste lines for copying these files, assuming you unpacked etc39.tgz in the above recommended place:

cd /tmp/etc
cp daily ipsec.conf magic monthly netstart rc security services weekly /etc
cp mtree/* /etc/mtree/

Files that must be manually merged, respecting any local changes made to them, if they were modified from the default, otherwise, just copy them over, too:

changelist
inetd.conf
lynx.cfg
rc.conf
ssh/ssh_config
ssh/sshd_config
sysctl.conf

The changes to these files are in this patch file. You can attempt to use this by executing the following as root:

cd /
patch -C -p0 < upgrade39.patch

This will test the patch to see how well it will apply to YOUR system, to actually apply it, leave off the "-C" option. Note that it is likely that if you have customized files or not kept them closely updated, or are upgrading from a snapshot of 3.8, they may not accept the patch cleanly. In those cases, you will need to manually apply the changes. Please test this process before relying on it for a machine you can not easily get to.

The following files have had changes which should be looked at, but it is unlikely they should be directly copied or merged (i.e., if you are using pf.conf, look at the suggested change of strategy, and decide if it is appropriate for your use).

hostapd.conf
pf.conf
spamd.conf

Delete the libresolv files, which are no longer used:

rm /usr/lib/libresolv*

Finally, use mtree(8) to create any new directories:

mtree -qdef /etc/mtree/4.4BSD.dist -p / -u

2. Checking the kernel

Note: most people can skip this step!

If you followed the instructions for the upgrade process without install media, you have already completed this step. However, if you used the install media, and if you had a modified kernel in 3.8, it is likely you will need to modify the stock kernel of 3.9. This can be as simple as modifying a specific device using config(8), or it can involve a recompilation if the option you need is not included in the GENERIC kernel. Please consult FAQ 5 - Building the system from source before considering to recompile your kernel.

3. Upgrading packages

If you installed any packages on your system, you may want to upgrade them after completing the upgrade of the base system. In OpenBSD 3.9, the pkg tools now support in-place updating using pkg_add -u. This has been checked to work with most packages, in particular with the CD packages available in 3.8. For instance, to update all your packages, make sure PKG_PATH is pointing to the 3.9 packages directory on your CD or nearest FTP mirror, and use something like

# pkg_add -ui -F update -F updatedepends

where the -u indicates update mode, and -i specifies interactive mode, so pkg_add will prompt you for input when it encounters some ambiguity. Read the pkg_add(1) manual page and the package management chapter of the FAQ for more information.

[FAQ Index] | [3.7 -> 3.8] | [3.9 -> 4.0]

$OpenBSD: upgrade39.html,v 1.26 2019/10/04 10:15:36 fcambus Exp $