OpenBSD Upgrade Guide: 4.9 to 5.0

[FAQ Index] | [4.8 -> 4.9] | [5.0 -> 5.1]

Note: Upgrades are only supported from one release to the release immediately following it. Do not skip releases.

It is highly recommended that you read through and fully understand this process before attempting it. If you are doing it on a critical or physically remote machine, it is recommended that you test this process on an identical, local system to verify its success before attempting on a critical or remote computer.

Upgrading is a convenient way to bring your OpenBSD system up to the most recent version. However, the results are not intended to precisely match the results of a wipe-and-reload installation. Old library files in particular are not removed in the upgrade process, as they may be required by older applications that may or may not be upgraded at this time. If you REALLY wish to get rid of all these old files, you are probably better off reinstalling from scratch.

Table of Contents:

• Before upgrading
  • System daemons start through rc.d
  • Special upgrade details for ypserv(8)
  • PF changes requiring changes to your pf.conf rules
  • New security(8) script
  • vnd(4) removed, svnd(4) renamed to vnd(4)
  • Xenocara switched to xkeyboard-config
  • timed(8) removed
  • Modified kernel
• The upgrade process
• Final steps
  • Merging locally changed files via sysmerge(8)
  • Merging locally changed files via patch file
  • Files to delete
  • Checking the kernel
  • Upgrading packages

Before upgrading: things to think about and be aware of

• System daemons now started through /etc/rc.d:
  Daemons are only started, though, if they are enabled in rc.conf.local. For the most part, this won't create an issue; before you update /etc, the system will come up the "old" way, after you update /etc, the system will start the new way. The files /etc/rc.local and /etc/rc.shutdown had some important changes for this (and likely your local customization), so they need to be handled carefully (and manually) during the upgrade.

  rc.conf 'rc_scripts' variable renamed to 'pkg_scripts': This change was introduced to make it clear that pkg_scripts should only be used to store packages(7) rc.d(8) scripts names.

• ypserv(8) must be explicitly invoked in rc.conf.local
  ypserv(8) is one exception to the above, if your machine is a YP server, before the update, add the line:

  ypserv_flags=""
  

  to your /etc/rc.conf.local.

• PF changes requiring changes to your pf.conf rules
  ftp-proxy(8) and tftp-proxy(8) have changed: They now use divert-to instead of rdr-to, which improves performance. Old rules like these:

  pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
  pass in quick on internal proto udp to port tftp rdr-to 127.0.0.1 port 6969
  

  should be replaced with:

  pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
  pass in quick on internal inet proto udp to port tftp divert-to 127.0.0.1 port 6969
  

  Note that with divert-to, the address family (in this example inet) must be specified explicitly.

  pf.conf 'set skip' now handles groups: In pf.conf, 'set skip on <...>' now works with interface groups. Previously if an interface type (without number) was used, e.g. 'set skip on vlan' or 'set skip on em' was used, it would have the undocumented behaviour of matching any interface of that type. Now it will only match an interface which is a member of the named group.

  This results in changed behaviour for some users: If you currently use "set skip" with a physical interface type (e.g. "set skip on ix") you will need to add the interface to a group of that name: 'ifconfig ix0 group ix' or add 'group ix' to hostname.ix0.

  Interfaces cloned at runtime (e.g. lo, trunk, vlan, pppoe, carp, gif, mpe and others) default to being in a group named after the interface type, so for these interfaces there will be no change in behaviour unless you have deliberately changed groups, e.g. with 'ifconfig carp456 -group carp'.

  The pf.conf(5) set require-order option has been removed: You must remove it from any ruleset which uses it or the ruleset will not load. This option was used to relax requirements on ruleset ordering; these have not been enforced by default for some time.

• New security(8) script If you have added code to the file /etc/security, move that code to /etc/daily.local. The file /etc/security will be deleted, it has been replaced by the file /usr/libexec/security now contained in the base file set.

• vnd(4) removed, svnd(4) renamed to vnd(4):
  The traditional vnd(4) that bypasses the buffer cache has been removed, and svnd(4) has been renamed to vnd(4). It is also no longer possible to swap to vnds. Users running current will notice that the kernel will treat svndX and vndX as the same device from now, so older svnd device nodes will continue to function.

• Xenocara switched to xkeyboard-config Keyboard definition files from the old xkb-data package in /etc/X11/xkb have been replaced by files from xkeyboard-config, which are now installed in /usr/X11R6/share/X11/xkb. If you have an /etc/X11/xorg.conf file that exists mainly to set keyboard type and nationality that file should be removed, otherwise you may find yourself without keyboard functionality in X.

• timed(8) removed timed has been removed. Switch your timekeeping over to ntpd(8). Also, rdate(8) as an rc startup option has been removed, you can use ntpd(8) with appropriate flags if desired.

• Modified kernel:
  Check whether you have made any modifications to your kernel. For example, you might have modified your network device to use a non-default setting using config(8). Note your changes, so you can repeat them for the new 5.0 kernel.

The upgrade process

Upgrading by install kernel

Afterwards, complete the upgrade by following the final steps as detailed below.

One easy way to boot from the install kernel is to place the 5.0 version of bsd.rd in the root of your boot drive, then instruct the boot loader to boot using this new bsd.rd file. On amd64 and i386, you do this by entering "boot bsd.rd" at the initial boot> prompt.

Upgrading without install kernel

Sometimes, one needs to do an upgrade of a machine when one can't easily use the normal upgrade process. The most common case is when the machine is in a remote location and you don't have easy access to the system console. One can usually do this by carefully following this process:

• Place install files in a "good" location. Make sure you have sufficient space!

• Become root with ksh(1): While using sudo(8) before each command is generally a good practice, the sudo(8) command will be broken by the last steps, so you should be root before starting this process. Also, the use of the OpenBSD ksh(1) shell is assumed.

• Stop any appropriate applications: During this process, all the userland applications will be replaced but may not be runnable, and strange things may happen as a result. If this is a concern to you, shut down any applications that may be impacted. There may be other applications which you wish to keep from running immediately after the upgrade, stop and disable them as well.

• Check the kernel: Although most people can skip this step, if you had a modified kernel in 4.9, it is likely you will need to modify the stock kernel of 5.0. Especially when you are performing the upgrade process remotely, now is the time to make sure the new kernel will work upon rebooting the machine. If any changes must be made to the kernel, the safest thing to do is to make those changes on a local 4.9 system. This can be as simple as modifying a specific device using config(8), or it can involve a recompilation if the option you need is not included in the GENERIC kernel. Please consult FAQ 5 - Building the system from source before deciding to recompile your kernel.

• Install new kernel(s):
  • If using a single processor kernel:

    export RELEASEPATH=/usr/rel   # where you put the files
    cd ${RELEASEPATH}
    rm /obsd ; ln /bsd /obsd && cp bsd /nbsd && mv /nbsd /bsd
    cp bsd.rd bsd.mp /
    

    (note: you will get a harmless error message if your platform doesn't have a bsd.mp):

  • If you are using the multiprocessor kernel:

    export RELEASEPATH=/usr/rel   # where you put the files
    cd ${RELEASEPATH}
    rm /obsd ; ln /bsd /obsd && cp bsd.mp /nbsd && mv /nbsd /bsd
    cp bsd.rd /
    cp bsd /bsd.sp
    

  Note the extra steps for copying over the primary kernel: those are done to ensure that there is always a valid copy of the kernel on the disk that the system can boot from should there be a really badly timed power outage or system crash.

• Save yourself a copy of the old reboot(1) command: You are still running the old kernel, it is possible the new reboot command will not run on the old kernel.

  cp /sbin/reboot /sbin/oreboot
  

• Install new userland applications. Do NOT install etc50.tgz and xetc50.tgz now, because that will overwrite your current configuration files! Note that we are installing base50.tgz LAST, because it will include a new tar(1) utility, which may or may not run on the old kernel. We reboot immediately, as the system is probably barely runnable now.

  tar -C / -xzphf xserv50.tgz
  tar -C / -xzphf xfont50.tgz
  tar -C / -xzphf xshare50.tgz
  tar -C / -xzphf xbase50.tgz
  tar -C / -xzphf game50.tgz
  tar -C / -xzphf comp50.tgz
  tar -C / -xzphf man50.tgz
  tar -C / -xzphf base50.tgz # Install last!
  /sbin/oreboot
  

  Not all file sets will need to be installed for all applications, however if you installed a file set originally, you should certainly upgrade it with the new file set now.

  Again, the files in /etc are handled separately below, so etc50.tgz and xetc50.tgz are NOT unpacked here.

• After reboot completes, upgrade /dev. The new MAKEDEV file was copied to /dev by the installation of base50.tgz, so you simply need to do the following:

  cd /dev
  ./MAKEDEV all
  

Final steps

1a. Merging locally changed files via sysmerge(8)

Who should use sysmerge(8):
People running highly modified systems or systems that didn't start out at the previous release (for example, a snapshot part way between releases), who are upgrading to a snapshot or who have not carefully upgraded their system in the past will find sysmerge vastly superior to using the patches, as it works with what is actually on your system, instead of what we expected was on your system. It will also give you much greater control over your upgrade process, and will involve you in it more closely.

Who may wish to NOT use sysmerge(8):
With recent improvements in sysmerge, we hope that relatively few people have reason not to use sysmerge(8)! However, people with a large quantity of similar machines to upgrade may find the "patchfile" process faster, and perhaps the basis of a customized upgrade script.

Using sysmerge(8) for the first time:
If you have a system that's been upgraded in the past via the patchfile process you will probably find the FIRST time you upgrade by sysmerge, you have a LOT of manual file changes to make. This is because the patch file process only attempted to achieve functional compatibility on the upgraded system, and did not respect the version control information sysmerge(8) uses to identify "unchanged" files. Rest assured, later runs of sysmerge will be far less painful, and often completely effortless.

The sysmerge(8) utility will compare the files that are actually on your system with those that would be installed in a fresh install, and assist you in merging the changes into your system. Note that unlike the patch file, there are no assumptions made about what is actually on your system, so you can use sysmerge(8) to move between more arbitrary points in the development process, such as from an earlier 4.9-current to 5.0-release or from one -current to a later one. Sysmerge(8) compares the current files on your system with the files that would have been installed with a new install, and what would have been there from the last run of sysmerge. Usually, it can figure out what to do to update your files, but if it has difficulty, it will give you the option of keeping the old file, installing the new file, or assisting you in the manual merging of the old and new files, using sdiff.

Please read the sysmerge(8) manual page before using it on your system. You are also advised to read the diff(1), sdiff(1) and even review more(1) manual pages before continuing.

Assuming the etc50.tgz and xetc50.tgz files exists in your $RELEASEPATH, run it with:

sysmerge -s $RELEASEPATH/etc50.tgz -x $RELEASEPATH/xetc50.tgz

For the files sysmerge(8) can't resolve on its own, it will show you a unified diff(1), run through your favorite $PAGER (i.e., more(1)) and ask you if you wish to:

  Use 'd' to delete the temporary ./var/www/htdocs/index.html
  Use 'i' to install the temporary ./var/www/htdocs/index.html
  Use 'm' to merge the temporary and installed versions
  Use 'v' to view the diff results again

  Default is to leave the temporary file to deal with by hand

If you wish to retain your existing file, delete the temporary file, if you wish to replace your existing file with the new version, install the temporary file. If you wish to merge the two together, choosing 'm' will put you into sdiff(1), where you can manually merge the file. The default is to come back and deal with the file later, manually.

Sysmerge(8) saves all your replaced files into a temporary directory, similar to /var/tmp/sysmerge.24959/backups, so if you accidentally clobber something that was probably not such a good idea, you have a chance to recover it. Note that daily(8) cleans old files from this directory.

Sysmerge notes for 4.9 -> 5.0:

• /etc/dhclient.conf: Due to changes in the default, you will be presented with dhclient.conf as a file to deal with in sysmerge. Most users will want to simply delete the proposed replacement file and stick with your current dhclient.conf file.
• /etc/rc.d/rc.subr: You will almost certainly want to install the new rc.subr file.
• /etc/sysctl.conf: The changes to sysctl.conf are all commented out items, so installing the changed file will not directly change your system behavior. Blindly installing the new default over your old, customized file will often cause significant annoyance. However, the new file shows the defaults and common options that are available, so you may wish to manually merge the changes into your file, or install the new file and put your changes back into the new file.

1b. Merging locally changed files via a patch file

This process makes a lot of assumptions about what files you have and have not modified, and that you are upgrading from 4.9-release to 5.0-release. Before following this, make sure your system matches the assumptions, and alter the process accordingly if needed -- or just use the above sysmerge process.

No new users and groups need to be created for 5.0.

You will want to extract the etc50.tgz files to a temporary location:

export RELEASEPATH=/usr/rel
tar -C /tmp -xzphf ${RELEASEPATH}/etc50.tgz

Files that can probably be copied from etc50.tgz "as is":

etc/daily
etc/lynx.cfg
etc/ksh.kshrc
etc/netstart
etc/rc
etc/rc.conf
etc/weekly
etc/ypldap.conf
etc/rc.d/*
etc/mail/localhost.cf
etc/mail/sendmail.cf
etc/mail/submit.cf
var/named/etc/root.hint

Note that it IS possible to locally modify these files; if this has been done, do NOT simply copy over those files, and consider using the sysmerge(8) process instead. Pay special attention to mail/* if you are using something other than the default Sendmail(8) configuration.

These two files should be reworked to use the rc.d startup and shutdown process, but the details will vary considerably. We suggest you save a copy of your old files, copy over the new ones, and manually verify that all things that were being started and stopped in these files:

etc/rc.local
etc/rc.shutdown

Here are copy/paste lines for copying these files, assuming you unpacked etc50.tgz in the above recommended place:

cd /tmp/etc
mv /etc/rc.local /etc/rc.local.o
mv /etc/rc.shutdown /etc/rc.shutdown.o
cp daily lynx.cfg ksh.kshrc netstart rc rc.conf rc.local rc.shutdown weekly ypldap.conf /etc/
cp rc.d/* /etc/rc.d/
cp ../var/named/etc/root.hint /var/named/etc/
cp mail/*.cf /etc/mail/ # Use with care!

These files likely have local changes, but should be updated for 5.0. IF you have not altered these files, you can copy over the new version, otherwise the changes should be merged with your files:

etc/changelist
etc/login.conf
etc/man.conf
etc/newsyslog.conf
etc/sysctl.conf

The changes to these files are in this patch file. Please test this process before relying on it for a machine you can not easily get to. You can attempt to use this by executing the following as root:

cd /
patch -C -p0 < upgrade50.patch

This will test the patch to see how well it will apply to YOUR system; to actually apply it, leave off the "-C" option. Note that it is likely that if you have customized files or not kept them closely updated, or are upgrading from a snapshot of 4.9, they may not accept the patch cleanly. Make sure all file changes are attempted; patch(1) may quit prematurely if it gets too confused in one file, which may happen if your machine was originally installed from a snapshot or otherwise has some interim changes. The last file to be changed here should be sysctl.conf. Deleting the file sections that fail from the patch file may permit the rest to be applied. You will need to manually apply the changes that are skipped.

The following files have had changes which should be looked at, but it is unlikely they should be directly copied or merged (i.e., if you are using pf.conf, look at the suggested change of strategy, and decide if it is appropriate for your use).

etc/pf.conf
etc/relayd.conf
etc/remote
etc/ssh/sshd_config

Finally, use newaliases(8) to update the aliases database, mtree(8) create any new directories:

newaliases
mtree -qdef /etc/mtree/4.4BSD.dist -p / -u

All upgraders, whether merging via sysmerge(8) or patch file should continue the upgrade process with these steps:

2. Files to delete

rm /etc/security
rm -rf /etc/X11/xkb
rm -rf /usr/lib/gcc-lib/$(arch -s)-unknown-openbsd4.?
rm -rf /usr/bin/perl5.10.1
rm -rf /usr/libdata/perl5/$(arch -s)-openbsd/5.10.1

3. Checking the kernel

If you followed the instructions for the upgrade process without install kernel, you have already completed this step. However, if you used the install kernel, and if you had a modified kernel in 4.9, it is likely you will need to modify the stock kernel of 5.0. This can be as simple as modifying a specific device using config(8), or it can involve a recompilation if the option you need is not included in the GENERIC kernel. Please consult FAQ 5 - Building the system from source before considering to recompile your kernel.

4. Upgrading packages

The following packages are known to have significant upgrade issues that will impact a large number of users. The fact that a package is not on this list doesn't mean it will have a trivial upgrade. You must do some homework on the applications YOU use.

• kqemu: Must be kept in sync with the kernel. pkg_delete prior to the upgrade, then pkg_add the new package once the upgrade has been completed.

• SOGo update: SOGo has been updated to 1.3.6. The new session handling requires a new configuration default named OCSSessionsFolderURL. For more information consult the package README file or the general SOGo Installation Guide installed with the package.

• www/opera-flashplugin removed: www/opera-flashplugin has been removed. You can install GNU Gnash as a replacement.

• Dovecot update: Dovecot has had a major update, needing some changes in configuration files. The dovecot.conf configuration file has moved from /etc to /etc/dovecot. See the notes on upgrading from 1.1 to 2.0 on Dovecot's wiki for more information about how to handle this.

  The database support has been moved from flavoured versions of Dovecot (dovecot-1.2.16p5-ldap, -mysql, -postgresql, -sqlite, etc) to plugins in subpackages (dovecot-ldap-2.0.13, etc). All older versions will be upgraded to the new main package; if you're using a flavoured version for database support, you will need to add the relevant subpackage/s yourself. Berkeley DB is no longer supported, if you're using this you will need to switch to a SQL database instead.

• pstoraster moved to its own package: The pstoraster print filter has moved out of ghostscript into the gstoraster package. If you use a CUPS print filter that requires pstoraster to run, you need to install the new package manually:

  # pkg_add gstoraster
  

• PHP: support for multiple versions: Multiple PHP versions are now supported in packages.
  php.ini moved
  The directory layout of the PHP port has been adjusted. /var/www/conf/php.ini has been replaced by /etc/php-$VERSION.ini. If you have made changes to /var/www/conf/php.ini file, make sure they are carried across to the relevant file for whichever version you will be running (/etc/php-5.2.ini or /etc/php-5.3.ini).
  
  php5.conf renamed to php-5.2.conf
  If you are currently using PHP with the web server in base, you will need to adjust your configuration:

  cd /var/www/conf/modules
  rm php5.conf
  ln -s /var/www/conf/modules.sample/php-5.2.conf /var/www/conf/modules/php.conf
  

  php module changes
  The various PHP modules (for example gd, mysql, postgresql, xcache, and various other modules which are part of PHP or from PECL) had their configuration files in /var/www/conf/php5.sample; symbolic links for active modules were placed in /var/www/conf/php5. These have moved to /etc/php-5.2.sample and /etc/php-5.2 respectively. You will need to check for existing links in /var/www/conf/php5 and create equivalent links in /etc/php-5.2. Note that mbstring is now part of the main php-5.2 package so an existing mbstring.ini symbolic link can be ignored.

• Change in startup procedure for Postfix and exim: The base OS has moved to using scripts in /etc/rc.d to start all daemons. The script for sendmail does not function fully for alternative MTAs (in particular it will display "failed" at startup, although the daemon will still be started, and "/etc/rc.d/sendmail reload" or "...stop" will not work as expected). If you were using Postfix or exim and starting it using the standard method of setting sendmail_flags in rc.conf.local, you should set sendmail_flags=NO and start the relevant daemon via pkg_scripts, e.g.

  pkg_scripts="${pkg_scripts} postfix"
  

• Amavisd-new update: Amavisd-new has had a major update, needing some changes in sql schema. See the notes on upgrading from 2.6 to 2.7 on Amavisd-new's web site for more information about how to handle this.

• pecl-imagick needs pthread ImageMagick has been updated to a version which now requires threads support.

  Due to the current userland threading mechanism in OpenBSD it is necessary that programs calling libraries needing threads do themselves load the thread library to ensure that i/o wrapper functions are used.

  This can be done by linking the programs with the -pthread compiler flag, which is commonly done in ports, but can't always be done so sometimes extra configuration is needed - common examples are Perl and httpd in the base OS.

  The typical symptom is a failure of the program to start, with complaints about missing pthread-related library functions. In those cases you can run the program with LD_PRELOAD=libpthread.so set in the environment which has the desired effect. For pecl-imagick (notably required by Horde/IMP), the simplest way is to create a login(1) class under /etc/login.conf(5) named after the Apache rc.d(8) script, i.e. "httpd":

   httpd:\
  	:setenv=LD_PRELOAD=/usr/lib/libpthread.so:\
  	:tc=daemon:
  

  and ensure that /etc/rc.d/httpd is used to start/restart the server (N.B. log rotation scripts might need to be adjusted).

The package tools support in-place updating using pkg_add -u. For instance, to update all your packages, make sure PKG_PATH is pointing to the 50 packages directory on your CD or nearest FTP mirror, and use something like

pkg_add -ui

[FAQ Index] | [4.8 -> 4.9] | [5.0 -> 5.1]