OpenBSD Upgrade Guide: 5.7 to 5.8

[FAQ Index] | [5.6 -> 5.7] | [5.8 -> 5.9]

Note: Upgrades are only supported from one release to the release immediately following it. Do not skip releases. If you got lucky skipping releases in the past, you may not be lucky this time.

It is highly recommended that you read through and fully understand this process before attempting it. If you are doing it on a critical or physically remote machine, it is recommended that you test this process on an identical, local system to verify its success before attempting on a critical or remote computer.

Before upgrading: things to think about and be aware of

• sudo replaced with doas
  sudo has been replaced by the doas(1) command. Usage is similar, but the program itself is much simpler (thus, hopefully more secure) and the configuration file is also much simpler. However, you should make sure you have direct access to the root account when doing the upgrade, as the old sudo may not work and the new doas won't be configured. For example, some people completely disable the root account and relied on sudo to provide root-level access; this would be bad after this upgrade! Sudo, if desired, is available in ports.

• tip removed
  tip(1) has been removed. cu(1) (in the base install) has the functionality of tip.

• pf_rules and ipsec_rules variables
  rc.conf no longer uses the pf_rules and ipsec_rules variables. If you relied on those to have a different path to those files, you must either move your rules to the standard locations, or create a file in the standard location which "include"s your file.

• spamd rule change
  spamd(8) now uses "divert-to" rules rather than "rdr-to". Simple replacement of "rdr-to" with "divert-to" should work for you.

The upgrade process

Afterwards, complete the upgrade by following the final steps as detailed below. Pick one of the following install processes:

** Upgrade using Install Kernel (RECOMMENDED)

This involves booting from the install kernel, bsd.rd. This can be done by booting from an install floppy, CD, or file system image, or you can place the 5.8 version of bsd.rd in the root of your File system, and instructing the boot loader to boot this kernel instead of your usual kernel (bsd). On amd64 and i386, you do this by entering "boot bsd.rd" at the initial boot> prompt.

Once this kernel is booted, choose the "Upgrade" option, and follow the prompts. The upgrade process is very much like the installation process, though it retains all your configuration info.

This is NOT the recommended process. Use the install kernel method if at all possible!

Sometimes, one needs to do an upgrade of a machine when one can't easily use the normal upgrade process. The most common case is when the machine is in a remote location and you don't have easy access to the system console. One can usually do this by carefully following this process:

• Place install files in a "good" location. Make sure you have sufficient space! Running out of space on a remote upgrade could be...unfortunate. Note that using softdeps can exaggerate the situation as deleted and overwritten files do not release their space immediately. Having at least 200MB free on /usr would be recommended.

• Become root with ksh(1): While using doas(1) or sudo before each command is generally a good practice, the command will likely be broken by the last steps, so you should become root before starting this process. Note that since sudo is replaced by doas(1) in this release, and doas will not be configured, it might be good to verify your access to root using a method OTHER than sudo at this point (i.e., direct login or using su(1). Also, the use of the OpenBSD ksh(1) shell is assumed.

• Stop and/or disable any appropriate applications: During this process, all the userland applications will be replaced but may not be runnable, and strange things may happen as a result. You may also have issues with DNS resolution during the first reboot, so PF rules and NFS mounts dependent upon DNS may cause boot-up problems. There may be other applications which you wish to keep from running immediately after the upgrade, stop and disable them as well.

• Install new boot blocks: This should actually be done at the end of any upgrade, but we will assume this has been neglected. Failure to do this may break serial console or other things, depending on your platform.

  installboot -v sd0
  

• Install new kernel(s):
  • If you are using the multiprocessor kernel:

    export RELEASEPATH=/usr/rel   # where you put the files
    cd ${RELEASEPATH}
    rm /obsd ; ln /bsd /obsd && cp bsd.mp /nbsd && mv /nbsd /bsd
    cp bsd.rd /
    cp bsd /bsd.sp
    

  • If using a single processor kernel:

    export RELEASEPATH=/usr/rel   # where you put the files
    cd ${RELEASEPATH}
    rm /obsd ; ln /bsd /obsd && cp bsd /nbsd && mv /nbsd /bsd
    cp bsd.rd bsd.mp /
    

    (note: you will get a harmless error message if your platform doesn't have a bsd.mp):

  Note the extra steps for copying over the primary kernel: those are done to ensure that there is always a valid copy of the kernel on the disk that the system can boot from should there be a really badly timed power outage or system crash.

• Save a copy of reboot(8), install new userland applications. You are still running the old kernel, it is possible the new reboot command will not run on the old kernel, so we will start by saving a copy of the old reboot command. Note that we are installing base58.tgz LAST, because it will include a new tar(1) utility, which may or may not run on the old kernel. We reboot immediately, as the system is probably barely runnable after the unpacking of all the new files.

  cp /sbin/reboot /sbin/oreboot
  tar -C / -xzphf xserv58.tgz
  tar -C / -xzphf xfont58.tgz
  tar -C / -xzphf xshare58.tgz
  tar -C / -xzphf xbase58.tgz
  tar -C / -xzphf game58.tgz
  tar -C / -xzphf comp58.tgz
  tar -C / -xzphf man58.tgz
  tar -C / -xzphf base58.tgz # Install last!
  /sbin/oreboot
  

  Not all file sets will need to be installed for all applications, however if you installed a file set originally, you should certainly upgrade it with the new file set now.

• After reboot completes, upgrade /dev. The new MAKEDEV file was copied to /dev by the installation of base58.tgz, so you simply need to do the following:

  cd /dev
  ./MAKEDEV all
  

• Install the upgraded boot loader: installboot(8) has been "unified" across platforms, so a common (and simplified!) syntax can be used:

  installboot -v sd0
  

  assuming "sd0" is your boot disk.

• Upgrading firmware: There may be new firmware for your system. Update it with fw_update(1):

  fw_update
  

Final steps

1. ** Run sysmerge(8)

The sysmerge(8) utility will compare the files that are actually on your system with those that would be installed in a fresh install, and assist you in merging the changes into your system. There are no assumptions made about what is actually on your system, so you can use sysmerge(8) to move between more arbitrary points in the development process, such as from an earlier 5.7-current to 5.8-release or from one -current to a later one. Sysmerge(8) compares the current files on your system with the files that would have been installed with a new install, and what would have been there from the last run of sysmerge. Usually, it can figure out what to do to update your files. If it has difficulty, it will give you the option of keeping the old file, installing the new file, or assisting you in the manual merging of the old and new files, using sdiff.

Please read the sysmerge(8) manual page before using it on your system. You are also advised to read the diff(1), sdiff(1) and even review more(1) manual pages before continuing. A wide terminal window (i.e., significantly more than 80 characters), if available, will make sdiff(1) easier to use.

Sysmerge(8) is run simply by invoking it as root:

# sysmerge

For the files sysmerge(8) can't resolve on its own, it will show you a unified diff(1), run through your favorite $PAGER (i.e., more(1)) and ask you if you wish to:

  Use 'd' to delete the temporary ./var/www/htdocs/index.html
  Use 'i' to install the temporary ./var/www/htdocs/index.html
  Use 'm' to merge the temporary and installed versions
  Use 'v' to view the diff results again

  Default is to leave the temporary file to deal with by hand

If you wish to retain your existing file, delete the temporary file. If you wish to replace your existing file with the new version, install the temporary file. If you wish to merge the two together, choosing 'm' will put you into sdiff(1), where you can manually merge the file. The default is to come back and deal with the file later, manually.

Sysmerge(8) saves all your replaced files into a temporary directory, similar to /var/tmp/sysmerge.24959/backups, so if you accidentally clobber something that was probably not such a good idea, you have a chance to recover it. Note that daily(8) cleans old files from this directory, but it will survive a reboot.

2. Files to delete and move

rm -f /usr/bin/sudo /usr/bin/sudoedit /usr/sbin/visudo
rm -f /usr/share/man/man8/sudo.8 /usr/share/man/man8/sudoedit.8
rm -f /usr/share/man/man8/visudo.8 /usr/share/man/man5/sudoers.5
rm -f /usr/libexec/sudo_noexec.so

3. Upgrading packages

** Package Upgrade Tips

The following packages are known to have significant upgrade issues that will impact users. The fact that a package is not on this list doesn't mean it will have a trivial upgrade. You must do some homework on the applications YOU use.

• rc script name changes.
  The rc scripts for some ports have changed their name to better match the original upstream names and/or binary name:
  • dbus_daemon -> messagebus
  • puppetmasterd -> puppetmaster
  • puppetd -> puppet
  • radiusd -> freeradius
  Modify /etc/rc.conf.local accordingly:

  perl -pi -e 's/dbus_daemon/messagebus/;' -e 's/puppetmasterd/puppetmaster/;' \
     -e 's/puppetd/puppet/;' -e 's/radiusd/freeradius/;' /etc/rc.conf.local
  

• www/apache-httpd updated to 2.4.12.
  Apache HTTPD is now at 2.4.12. When upgrading from 2.2.x releases manual configuration changes may be required. See the Apache HTTPD 2.4 upgrade guide for details.
  The ap2-mod_fastcgi and ap2-mod_fcgid ports have been superseded by mod_proxy_fcgi which ships with Apache HTTPD 2.4 out of the box.

• CUPS GTK+2 plugin is now in a separate package
  The plugin to allow printer selection from GTK+2 applications, previously in the main GTK+2 package, has now been separated. To be able to use CUPS printers from these applications (including GIMP, Firefox, etc), install the gtk+2-cups package.

• default PHP version switched to 5.6
  The default version of PHP has been switched to 5.6. After updating to new packages, you will need to move the configuration across from 5.5. Check for local changes in /etc/php-5.5.ini and apply them to php-5.6.ini, and create new symbolic links for any required extensions in /etc/php-5.6. For the common case where you would like to keep existing extensions you can do this:

  # cd /etc/php-5.5
  # for i in *; do ln -s ../php-5.6.sample/$i ../php-5.6/; done
  

  Note that pkg_add -u will not move to the newer php-fpm release version; most users will need to manually pkg_delete php-fpm and then pkg_add the new version.

  Additionally note that there have been changes to PHP 5.6's SSL/TLS support. When a PHP script makes an SSL/TLS client connection, peer certificates are now verified by default, which was not the case previously. Since the standard CA certificate bundle is outside the chroot jail frequently used with PHP on OpenBSD, you may need to copy this across to allow client connections to function.

  # mkdir -p /var/www/etc/ssl
  # cp /etc/ssl/cert.pem /var/www/etc/ssl/
  

The package tools support in-place updating using pkg_add -u. For instance, to update all your packages, make sure PKG_PATH is pointing to the 5.8 packages directory on your CD or nearest FTP mirror, and use something like

pkg_add -u

[FAQ Index] | [5.6 -> 5.7] | [5.8 -> 5.9]