OpenBSD Upgrade Guide: 5.5 to 5.6

[FAQ Index] | [5.4 -> 5.5] | [5.6 -> 5.7]

Note: Upgrades are only supported from one release to the release immediately following it. Do not skip releases. If you got lucky skipping releases in the past, you may not this time.

It is highly recommended that you read through and fully understand this process before attempting it. If you are doing it on a critical or physically remote machine, it is recommended that you test this process on an identical, local system to verify its success before attempting on a critical or remote computer.

Table of Contents:

Before upgrading
The upgrade process
Final steps

Before upgrading: things to think about and be aware of

This is not a complete list of the changes that took place between 5.5 and 5.6, but rather some of the important things that will impact users in the upgrade process. For a more complete list of changes, see plus56.html and the CVS change logs.

Releases signed
OpenBSD releases are now cryptographically signed using the new signify(1) utility. However, the install media with all file sets (install56.fs, install56.iso) cannot self-check, nor should they. After all, if someone has delivered a compromised install set to you, they would probably have set it to say "all is well."
Instead, you should verify your install media file separately, then install without further concern.
FTP is no longer an install option
The installer will now use HTTP as its file transfer protocol. All public mirrors will support this, of course, but if you have a local mirror, make sure it can serve files via HTTP.
Kerberos, Apache httpd, lynx, rmail, uucpd have been removed from base
Though these applications are all available as a packages if their use is required.
Other changes
- rc.conf.local is no longer a shell script. Variables (notably pkg_scripts) must now be on single lines.
- pf.conf: altq backwards compatibility has been removed. Remove "oldqueue" entries from pf.conf(5) if present, otherwise PF rules will not be loaded.
- MACs, modes and ciphers permitted by sshd have been tightened. Some clients (notably Paramiko and old versions of PuTTY) may not be able connect after upgrade without sshd_config changes.
- IPv6 autoconfiguration overhaul. Link-local addresses are no longer configured on every network interface by default - an explicit step to enable an IPv6 address must be taken in order to enable this. Configuring a static IPv6 address or using "rtsol" automatically adds the necessary link-local address so in many cases no changes are needed, but IPv6 pppoe(4) users must add "inet6 eui64" to their /etc/hostname.pppoe* files.
- /etc/rc and /etc/rc.conf have moved from etc*.tgz to base56.tgz so will be replaced at upgrade time. If you have made local changes to these files, save a copy before upgrading.
Advanced notice: Big changes coming for future releases!
There are some big changes coming up in OpenBSD 5.7 (NOT 5.6!) that you may wish to think about and plan for.
- OpenBSD's version of nginx will be removed from base in favor of an internally developed httpd server in 5.7. nginx will be available as a package for those with applications dependent upon it.
- BIND (named) will be removed from base in 5.7 in favor of nsd(8) (authoritative DNS) and unbound(8) (recursive resolver). Packages will exist for BIND.

The upgrade process

Upgrading by install kernel

If you have access to the system's console, the easiest and safest way to upgrade is to boot from the install kernel by boot media or bsd.rd and follow the upgrade steps, which are very similar to the install process.

Afterwards, complete the upgrade by following the final steps as detailed below.

One easy way to boot from the install kernel is to place the 5.6 version of bsd.rd in the root of your boot drive, then instruct the boot loader to boot using this new bsd.rd file. On amd64 and i386, you do this by entering "boot bsd.rd" at the initial boot> prompt.

Upgrading without install kernel

This is NOT the recommended process. Use the install kernel method if at all possible!

Sometimes, one needs to do an upgrade of a machine when one can't easily use the normal upgrade process. The most common case is when the machine is in a remote location and you don't have easy access to the system console. One can usually do this by carefully following this process:

Place install files in a "good" location. Make sure you have sufficient space! Running out of space on a remote upgrade could be...unfortunate. Note that using softdeps can exaggerate the situation as deleted and overwritten files do not release their space immediately. Having at least 200MB free on /usr would be recommended.
Become root with ksh(1): While using sudo(8) before each command is generally a good practice, the sudo(8) command will be broken by the last steps, so you should be root before starting this process. Also, the use of the OpenBSD ksh(1) shell is assumed.
Stop and/or disable any appropriate applications: During this process, all the userland applications will be replaced but may not be runnable, and strange things may happen as a result. You may also have issues with DNS resolution during the first reboot, so PF rules and NFS mounts dependent upon DNS may cause boot-up problems. There may be other applications which you wish to keep from running immediately after the upgrade, stop and disable them as well.
Install new boot blocks: This should actually be done at the end of any upgrade, but we will assume this has been neglected. Failure to do this may break serial console or other things, depending on platform.
```
installboot -v sd0
```
Install new kernel(s):
- If you are using the multiprocessor kernel:
```
export RELEASEPATH=/usr/rel   # where you put the files
cd ${RELEASEPATH}
rm /obsd ; ln /bsd /obsd && cp bsd.mp /nbsd && mv /nbsd /bsd
cp bsd.rd /
cp bsd /bsd.sp
```
- If using a single processor kernel:
```
export RELEASEPATH=/usr/rel   # where you put the files
cd ${RELEASEPATH}
rm /obsd ; ln /bsd /obsd && cp bsd /nbsd && mv /nbsd /bsd
cp bsd.rd bsd.mp /
```
  (note: you will get a harmless error message if your platform doesn't have a bsd.mp):
Note the extra steps for copying over the primary kernel: those are done to ensure that there is always a valid copy of the kernel on the disk that the system can boot from should there be a really badly timed power outage or system crash.
Save a copy of reboot(8), install new userland applications. You are still running the old kernel, it is possible the new reboot command will not run on the old kernel, so we will start by saving a copy of the old reboot command. Do NOT install etc56.tgz and xetc56.tgz now, because that will overwrite your current configuration files! Note that we are installing base56.tgz LAST, because it will include a new tar(1) utility, which may or may not run on the old kernel. We reboot immediately, as the system is probably barely runnable after the unpacking of all the new files.
```
cp /sbin/reboot /sbin/oreboot
tar -C / -xzphf xserv56.tgz
tar -C / -xzphf xfont56.tgz
tar -C / -xzphf xshare56.tgz
tar -C / -xzphf xbase56.tgz
tar -C / -xzphf game56.tgz
tar -C / -xzphf comp56.tgz
tar -C / -xzphf man56.tgz
tar -C / -xzphf base56.tgz # Install last!
/sbin/oreboot
```
Not all file sets will need to be installed for all applications, however if you installed a file set originally, you should certainly upgrade it with the new file set now.
Again, the files in /etc are handled separately below, so etc56.tgz and xetc56.tgz are NOT unpacked here.
After reboot completes, upgrade /dev. The new MAKEDEV file was copied to /dev by the installation of base56.tgz, so you simply need to do the following:
```
cd /dev
./MAKEDEV all
```
Install the upgraded boot loader: installboot(8) has been "unified" across platforms, so a common (and simplified!) syntax can be used:
```
installboot -v sd0
```
assuming "sd0" is your boot disk.

Final steps

Whether you upgrade by using an install kernel and doing a formal "upgrade" process, or do a "in-place" binary upgrade, you need to do a few final steps to complete the upgrade.

1. Merging changed files via sysmerge(8)

The sysmerge(8) utility will compare the files that are actually on your system with those that would be installed in a fresh install, and assist you in merging the changes into your system. There are no assumptions made about what is actually on your system, so you can use sysmerge(8) to move between more arbitrary points in the development process, such as from an earlier 5.5-current to 5.6-release or from one -current to a later one. Sysmerge(8) compares the current files on your system with the files that would have been installed with a new install, and what would have been there from the last run of sysmerge. Usually, it can figure out what to do to update your files. If it has difficulty, it will give you the option of keeping the old file, installing the new file, or assisting you in the manual merging of the old and new files, using sdiff.

Please read the sysmerge(8) manual page before using it on your system. You are also advised to read the diff(1), sdiff(1) and even review more(1) manual pages before continuing. A wide terminal window (i.e., significantly more than 80 characters), if available, will make sdiff(1) easier to use.

Assuming the SHA256.sig, etc56.tgz and xetc56.tgz files exists in your ${RELEASEPATH} (which can be an http:// URL!), run it with:

sysmerge -s ${RELEASEPATH}/etc56.tgz -x ${RELEASEPATH}/xetc56.tgz

(if you don't have SHA256.sig available, use the -S option to skip the signature check) For the files sysmerge(8) can't resolve on its own, it will show you a unified diff(1), run through your favorite $PAGER (i.e., more(1)) and ask you if you wish to:

  Use 'd' to delete the temporary ./var/www/htdocs/index.html
  Use 'i' to install the temporary ./var/www/htdocs/index.html
  Use 'm' to merge the temporary and installed versions
  Use 'v' to view the diff results again

  Default is to leave the temporary file to deal with by hand

If you wish to retain your existing file, delete the temporary file. If you wish to replace your existing file with the new version, install the temporary file. If you wish to merge the two together, choosing 'm' will put you into sdiff(1), where you can manually merge the file. The default is to come back and deal with the file later, manually.

Sysmerge(8) saves all your replaced files into a temporary directory, similar to /var/tmp/sysmerge.24959/backups, so if you accidentally clobber something that was probably not such a good idea, you have a chance to recover it. Note that daily(8) cleans old files from this directory, but it will survive a reboot.

2. Files to delete and move

Some files should be deleted from your system, and others must be moved or updated. Note that some of these may not exist on all systems; that's ok. The list of commands to run is broken up into modest size blocks; some slower hardware will have trouble keeping up with one large copy/paste.


rm -f /usr/sbin/spray
rm -f /usr/libexec/rpc.sprayd
rm -f /usr/share/man/man8/{,rpc.}spray{,d}.8
rm -rf /usr/lib/apache
rm -rf /usr/share/doc/html/httpd
rm -f /usr/bin/{dbmmanage,htdigest}
rm -f /usr/sbin/{apachectl,apxs,logresolve,rotatelogs,suexec}
rm -f /usr/share/man/man1/{dbmmanage.1,htdigest.1}
rm -f /usr/share/man/man8/{apachectl.8,apxs.8,logresolve.8}
rm -f /usr/share/man/man8/{rotatelogs.8,suexec.8}
rm -f /usr/include/sys/agpio.h
rm -f /etc/ppp/ppp.{conf,linkdown,linkup,secret}.sample
rm -f /usr/sbin/ppp /usr/share/man/man8/ppp.8
rm -f /usr/sbin/pppctl /usr/share/man/man8/pppctl.8
rm -f /usr/sbin/pppoe /usr/share/man/man8/pppoe.8

rm -f /bin/rcp /usr/share/man/man1/rcp.1
rm -f /usr/lib/librt{,_p}.a
rm -f /usr/include/bm.h
rm -f /usr/include/md4.h
rm -f /usr/lib/libwrap{,_p}.*
rm -f /usr/libexec/tcpd
rm -f /usr/include/tcpd.h
rm -f /usr/sbin/tcpd{chk,match}
rm -f /usr/share/man/man3/hosts_access.3
rm -f /usr/share/man/man5/hosts.{allow,deny}.5
rm -f /usr/share/man/man5/hosts_{access,options}.5
rm -f /usr/share/man/man8/tcpd{,chk,match}.8
rm -f /etc/hosts.{allow,deny}
rm -f /bin/rmail
rm -f /usr/share/man/man8/rmail.8

rm -f /usr/libexec/uucpd
rm -f /usr/share/man/man8/uucpd.8
rm -rf /usr/include/altq
rm -rf /etc/kerberosV/
rm -f /etc/rc.d/{kadmind,kdc,kpasswdd,ipropd_master,ipropd_slave}
rm -f /usr/bin/asn1_compile
rm -f /usr/bin/compile_et
rm -f /usr/bin/kcc
rm -f /usr/bin/kdestroy
rm -f /usr/bin/kf
rm -f /usr/bin/kgetcred
rm -f /usr/bin/kinit
rm -f /usr/bin/klist
rm -f /usr/bin/krb5-config
rm -f /usr/bin/slc

rm -f /usr/bin/string2key
rm -f /usr/bin/verify_krb5_conf
rm -rf /usr/include/kerberosV/
rm -f /usr/lib/libasn1{,_p}.*
rm -f /usr/lib/libcom_err{,_p}.*
rm -f /usr/lib/libgssapi{,_p}.*
rm -f /usr/lib/libhdb{,_p}.*
rm -f /usr/lib/libheimbase{,_p}.*
rm -f /usr/lib/libkadm5clnt{,_p}.*
rm -f /usr/lib/libkadm5srv{,_p}.*
rm -f /usr/lib/libkafs{,_p}.*
rm -f /usr/lib/libkdc{,_p}.*
rm -f /usr/lib/libkrb5{,_p}.*
rm -f /usr/lib/libroken{,_p}.*
rm -f /usr/lib/libwind{,_p}.*

rm -rf /usr/libdata/perl5/site_perl/*-openbsd/kerberosV/
rm -f /usr/libexec/auth/login_krb5{,-or-pwd}
rm -f /usr/libexec/hprop{,d}
rm -f /usr/libexec/ipropd-{master,slave}
rm -f /usr/libexec/kadmind
rm -f /usr/libexec/kdc
rm -f /usr/libexec/kfd
rm -f /usr/libexec/kpasswdd
rm -f /usr/sbin/iprop-log
rm -f /usr/sbin/kadmin
rm -f /usr/sbin/kimpersonate
rm -f /usr/sbin/kstash
rm -f /usr/sbin/ktutil
rm -f /usr/share/info/heimdal.info
rm -f /usr/share/man/man1/kdestroy.1

rm -f /usr/share/man/man1/kf.1
rm -f /usr/share/man/man1/kgetcred.1
rm -f /usr/share/man/man1/kinit.1
rm -f /usr/share/man/man1/klist.1
rm -f /usr/share/man/man1/krb5-config.1
rm -f /usr/share/man/man1/kswitch.1
rm -f /usr/share/man/man3/ecalloc.3
rm -f /usr/share/man/man3/getarg.3
rm -f /usr/share/man/man3/{gss,krb5,krb}_*.3
rm -f /usr/share/man/man3/gssapi.3
rm -f /usr/share/man/man3/gsskrb5_extract_authz_data_from_sec_context.3
rm -f /usr/share/man/man3/gsskrb5_register_acceptor_identity.3
rm -f /usr/share/man/man3/k_afs_cell_of_file.3
rm -f /usr/share/man/man3/k_hasafs.3
rm -f /usr/share/man/man3/k_hasafs_recheck.3

rm -f /usr/share/man/man3/k_pioctl.3
rm -f /usr/share/man/man3/k_setpag.3
rm -f /usr/share/man/man3/k_unlog.3
rm -f /usr/share/man/man3/kadm5_pwcheck.3
rm -f /usr/share/man/man3/kafs*.3
rm -f /usr/share/man/man3/krb524_*.3
rm -f /usr/share/man/man3/parse_time.3
rm -f /usr/share/man/man3/rtbl.3
rm -f /usr/share/man/man5/krb5.conf.5
rm -f /usr/share/man/man5/mech.5
rm -f /usr/share/man/man8/hprop{,d}.8
rm -f /usr/share/man/man8/iprop{,-log}.8
rm -f /usr/share/man/man8/ipropd-{master,slave}.8
rm -f /usr/share/man/man8/kadmin{,d}.8
rm -f /usr/share/man/man8/kdc.8

rm -f /usr/share/man/man8/kerberos.8
rm -f /usr/share/man/man8/kfd.8
rm -f /usr/share/man/man8/kimpersonate.8
rm -f /usr/share/man/man8/kpasswdd.8
rm -f /usr/share/man/man8/kstash.8
rm -f /usr/share/man/man8/ktutil.8
rm -f /usr/share/man/man8/login_krb5{,-or-pwd}.8
rm -f /usr/share/man/man8/string2key.8
rm -f /usr/share/man/man8/verify_krb5_conf.8
rm -f /usr/bin/lynx
rm -f /usr/share/man/man1/lynx.1
rm -rf /usr/share/doc/html/lynx_help
rm -f /etc/lynx.cfg

rm -f /usr/bin/{rsh,ruptime,rwho}
rm -f /usr/sbin/rwhod
rm -f /etc/rc.d/rwhod
rm -f /usr/libexec/rshd
rm -f /usr/share/man/man1/{rwho,ruptime,rsh}.1
rm -f /usr/share/man/man8/{rwhod,rshd}.8
rm -rf /var/rwho

chown -R _smtpq /var/spool/smtpd/{corrupt,incoming,purge,queue,temporary}

The following files are associated with httpd(8) and can be deleted in some cases, but may have been replaced with user content or configuration. Warning: On systems which currently or have previously used any http daemon, care must be taken and files analyzed case by case to avoid accidental deletion of user content or important configuration files. In particular, users moving to package apache-httpd-openbsd will want to keep many of these files.

rm -rf /var/www/icons
rmdir /var/www/conf/{modules,modules.sample}
rmdir /var/www/users
rm -f /var/www/cgi-bin/{printenv,test-cgi}
rm -f /var/www/conf/{httpd.conf,magic,mime.types}
rm -f /var/www/htdocs/{apache_pb.gif,blowfish.jpg,bsd_small.gif,index.html}
rm -f /var/www/htdocs/{lock.gif,logo23.jpg,logo24.jpg,mod_ssl_sb.gif}
rm -f /var/www/htdocs/{openbsd_pb.gif,openbsdpower.gif,openssl_ics.gif}
rm -f /var/www/htdocs/smalltitle.gif

Sendmail is now deprecated in the base OS, and will move to packages in 5.7. The standard MTA is now smtpd(8). To switch to smtpd, make sure that no important mail is waiting in Sendmail's queue, remove the sendmail crontab entry from root's crontab, edit /etc/mailer.conf to make sure only smtpd is run, and run newaliases.

3. Upgrading packages

If you installed any packages on your system, you should upgrade them after completing the upgrade of the base system. Be aware, however, many packages will require further setup before and/or after upgrading the package. Check with the application's upgrade guide for details.

The following packages are known to have significant upgrade issues that will impact users. The fact that a package is not on this list doesn't mean it will have a trivial upgrade. You must do some homework on the applications YOU use.

unbound(8) moved to the base OS.
If the package is installed, remove it before upgrading to avoid a conflict in /etc/rc.d/unbound, and edit rc.conf.local to remove "unbound" from "pkg_scripts=..." lines, and add "unbound_flags=" instead.
```
pkg_delete unbound
vi /etc/rc.conf.local
```
Roundcube configuration files have been rearranged.
If upgrading an existing system you will need to migrate your settings from old config files (db.inc.php and main.inc.php) to the new file (config.inc.php).
Bacula has been split into subpackages for different database backends.
Users of the recommended PostgreSQL backend won't need to make any changes; users of other backends should run uninstall Bacula and then add it again with pkg_add, selecting the preferred database backend from the list offered.
Increased file descriptor use in KDE4
Some KDE4 components (kded4, Akonadi, Digikam database and others) now monitor directories for changes via kqueue(2). This saves CPU time, but kqueue requires one file descriptor per monitored file. Thus limits for system (kern.maxfiles sysctl) and/or process (openfiles in login.conf(5)) need to be adjusted:
- about 3500 descriptors will be always eaten by kded4;
- one file descriptor per message in each local maildir used by Akonadi;
- one file descriptor per picture in Digikam database;
- one file descriptor per file in each folder view window;
- one file descriptor per each folder being monitored itself;
- and so on.
apache-httpd-openbsd and apache-httpd rc scripts renamed
The rc scripts of the apache-httpd-openbsd and apache-httpd packages have been renamed. In rc.conf.local, replace "httpd" with "apache" in pkg_scripts, and replace "httpd_flags" with "apache_flags" (likewise for httpd2 and apache2). You may also need to adapt cronjobs or scripts if they use the rc script to restart Apache (e.g. for log rotation).
Upgrading the apache-httpd-openbsd package will cause a conflict. To fix, reinstate the rc script of base httpd, and remove the partial package:
```
        mv -i /etc/rc.d/httpd.* /etc/rc.d/httpd
        pkg_delete partial-apache-httpd-openbsd
```
nagios-plugins replaced with monitoring-plugins
The various nagios-plugins packages have been renamed to monitoring-plugins. Updates from a previous version with "pkg_add -u" will pick up the replacements, but if making a clean installation you will need to use the new names.

The package tools support in-place updating using pkg_add -u. For instance, to update all your packages, make sure PKG_PATH is pointing to the 5.6 packages directory on your CD or nearest FTP mirror, and use something like

pkg_add -u

where the -u indicates update mode; pkg_add will prompt you for input when it encounters some ambiguity. Read the pkg_add(1) manual page and the package management chapter of the FAQ for more information.

[FAQ Index] | [5.4 -> 5.5] | [5.6 -> 5.7]

$OpenBSD: upgrade56.html,v 1.28 2019/05/28 01:53:11 bentley Exp $