OpenBSD Upgrade Guide: 6.4 to 6.5

Upgrades are only supported from one release to the release immediately following it. Read through and understand this process before attempting it. For critical or physically remote machines, test it on an identical, local system first.

Start by performing the pre-upgrade steps. Next, boot from the install kernel, bsd.rd: use bootable install media, or place the 6.5 version of bsd.rd in the root of your filesystem and instruct the boot loader to boot this kernel. Once this kernel is booted, choose the (U)pgrade option and follow the prompts. Apply the configuration changes and remove the old files. Finish up by upgrading the packages: pkg_add -u.

Alternatively, you can use the manual upgrade process.

You may wish to check the errata page or upgrade to the stable branch to get any post-release fixes.

Before rebooting into the install kernel

Get and verify bsd.rd. Download the ramdisk kernel and the cryptographically signed checksum file for your architecture.

bsd.rd

[alpha] [amd64] [arm64] [armv7] [i386] [hppa] [landisk] [loongson] [luna88k] [macppc] [octeon] [sparc64]

SHA256.sig

[alpha] [amd64] [arm64] [armv7] [i386] [hppa] [landisk] [loongson] [luna88k] [macppc] [octeon] [sparc64]

Verify them using signify(1):
```
  $ signify -C -p /etc/signify/openbsd-65-base.pub -x SHA256.sig bsd.rd
  Signature Verified
  bsd.rd: OK
```
Read configuration and syntax changes and the package upgrade instructions. There were several configuration changes and changes in packages that may require planning before starting the upgrade.

Configuration and syntax changes

bgpd.conf(5). In OpenBSD 6.4, the announce keyword was deprecated in bgpd.conf(5). It has now been removed and must be replaced with export.
bgpd.conf(5). The MPLS VPN (L3VPN) configuration syntax in bgpd.conf(5) has changed. The rdomain sections in bgpd.conf need to be replaced with vpn "description" on mpeX sections. Both descr and depend on mpeX need to be removed from the VPN configuration. A possible configuration is now:
```
  vpn "description" on mpe1 {
	rd 65002:1
	import-target rt 65002:42
	export-target rt 65002:42
	network 192.168.1/24
  }
```
iked.conf(5). When curve25519 was added to iked, it was based on the internet-draft with a private-use group number. This has now changed to the group number assigned in RFC8031 as used in other implementations. If you have configured curve25519 in iked.conf(5) (it is not the default), switch to another group before updating. Configure the responder to allow both curve25519 and another PFS group, e.g.
```
  ...
    ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group curve25519 \
    ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group brainpool512 \
  ...
```
Then switch the initiators to the other group, then upgrade and switch back as wanted.
malloc.conf(5). The malloc(3) family of functions no longer read options from the /etc/malloc.conf symbolic link. Instead, the new sysctl(8) variable vm.malloc_conf is used. This makes processes no longer dependent on the file system for their malloc options. Set it at boot time by adding a line such as:
```
  vm.malloc_conf=CF
```
to your /etc/sysctl.conf, or at runtime with sysctl(8).
sysctl(8). The kern.witnesswatch sysctl variable has been renamed to kern.witness.watch.
tmux(1). A syntax change was introduced in the tmux(1) configuration file. In case a tmux.conf file contains style lines, it should be updated.
An old configuration might look like this:
```
  set-window-option -g window-status-fg color244
  set-window-option -g window-status-bg color222
  set-window-option -g window-status-attr bold
```
The new format uses a standard variable name ending with -style and takes a list of attributes and values. The updated version of the previous example would look like this:
```
  set-window-option -g window-status-style "fg=color244 bg=color222 bold"
```
vlan(4). Replace use of the link0 flag with txprio. Forcing the priority field in the vlan(4) and svlan(4) protocol headers is now configured with the ifconfig(8) txprio configuration option. This replaces the use of the link0 flag which used the llprio in the packet priority field instead.
Xorg(1). The Xorg binary is no longer installed setuid, so startx(1) can no longer be used by non-root users. The xenodm(1) display manager has to be used instead.
To set it up:
```
  # rcctl enable xenodm
  # rcctl start xenodm
```
If you wish to customize X you need to create an executable .xsession file.

Files to remove

Remove /usr/include/openssl/asn1_mac.h.
```
  rm /usr/include/openssl/asn1_mac.h
```

Remove files no longer included in the current release of perl(1):

  rm /usr/bin/c2ph \
	/usr/bin/pstruct \
	/usr/libdata/perl5/Locale/Codes/API.pod \
	/usr/libdata/perl5/Module/CoreList/TieHashDelta.pm \
	/usr/libdata/perl5/Unicode/Collate/Locale/bg.pl \
	/usr/libdata/perl5/Unicode/Collate/Locale/fr.pl \
	/usr/libdata/perl5/Unicode/Collate/Locale/ru.pl \
	/usr/libdata/perl5/unicore/lib/Sc/Cham.pl \
	/usr/libdata/perl5/unicore/lib/Sc/Ethi.pl \
	/usr/libdata/perl5/unicore/lib/Sc/Hebr.pl \
	/usr/libdata/perl5/unicore/lib/Sc/Hmng.pl \
	/usr/libdata/perl5/unicore/lib/Sc/Khar.pl \
	/usr/libdata/perl5/unicore/lib/Sc/Khmr.pl \
	/usr/libdata/perl5/unicore/lib/Sc/Lana.pl \
	/usr/libdata/perl5/unicore/lib/Sc/Lao.pl \
	/usr/libdata/perl5/unicore/lib/Sc/Talu.pl \
	/usr/libdata/perl5/unicore/lib/Sc/Tibt.pl \
	/usr/libdata/perl5/unicore/lib/Sc/Xsux.pl \
	/usr/libdata/perl5/unicore/lib/Sc/Zzzz.pl \
	/usr/share/man/man1/c2ph.1 \
	/usr/share/man/man1/pstruct.1 \
	/usr/share/man/man3p/Locale::Codes::API.3p

Special packages

databases/postgresql. There was a major update to PostgreSQL 11.2. Use pg_upgrade as described in the postgresql-server pkg-readme or do a dump/restore.
editors/libreoffice. A bug was fixed that affects LibreOffice password-protected .od* files. If you use this feature, before updating, open all such files and save a copy with the password removed. After updating to the new package, you can open them and save again with the password re-enabled.
lang/chicken. The chicken binaries csi and csc have been renamed to chicken-csi and chicken-csc to avoid conflicts with lang/mono.
net/dnscrypt-proxy. dnscrypt-proxy received a major update. One of the changes is the configuration. Users are advised to check that /etc/dnscrypt-proxy.toml fits their needs.
net/samba. The AD DC server functionality implemented by the samba(8) daemon is broken at runtime on amd64, arm64, armv7 and i386. The SMB file server (smbd(8)) is not affected.
security/opendnssec. OpenDNSSEC received a major update. Users are advised to read the MIGRATION instructions, also available under /usr/local/share/doc/opendnssec/MIGRATION after the update.
sysutils/ansible. Ansible now uses python3 by default. It might be necessary to install the corresponding FLAVOR of the optional dependencies used by some modules (for example py3-netaddr for the ipaddr filter) and to review the potential uses of ansible_python_interpreter.
www/gitea. The gitea configuration file location changed from /etc/gitea/conf/app.ini to /etc/gitea/app.ini and the GITEA_CUSTOM directory location has changed from /etc/gitea to /var/gitea/custom. Gitea's ROOT_PATH for logs has changed from /var/gitea/log to /var/log/gitea. When upgrading, move /etc/gitea to the new location:
```
  # mv /etc/gitea/conf/app.ini /etc/gitea/app.ini
```
change the ROOT_PATH location in [log] section of /etc/gitea/conf/app.ini:
```
  [log]
  ROOT_PATH  = /var/log/gitea
```
and move custom files from /etc/gitea to /var/gitea/custom, if any.
www/goaccess. Since the previous GeoIP library is end-of-life and databases are no longer updated, goaccess now uses libmaxminddb for geographical lookups of IP addresses. If you are currently using this feature, update your configuration files (~/.goaccessrc or /etc/goaccess.conf) to include one or the other of the following two lines:
```
  geoip-database /var/db/GeoIP/GeoLite2-Country.mmdb # installed by default
  geoip-database /var/db/GeoIP/GeoLite2-City.mmdb    # requires "geolite2-city"
```

Upgrade without the install kernel

This is NOT the recommended process. Use the install kernel method if at all possible!

Sometimes, you need to do an upgrade of a machine for which the normal upgrade process is not possible. The most common case is a machine in a remote location and there is no easy access to the system console.

Preparation

Place install files in a good location. Make sure you have sufficient space! Running out of space on a remote upgrade could be...unfortunate. Note that using softdeps can exaggerate the situation as deleted and overwritten files do not release their space immediately. Consider disabling the softdep mount option in /etc/fstab and rebooting before undertaking a manual upgrade. Having at least 500MB free on /usr would be recommended.
Become root. While using doas(1) before each command is generally a good practice, the command will likely be broken by the last steps, so you should become root before starting this process. It might be good to verify your access to root using a method other than doas at this point, i.e., direct login or using su(1).
Stop and/or disable any appropriate applications. During this process, all the userland applications will be replaced but may not be runnable, and strange things may happen as a result. You may also have issues with DNS resolution during the first reboot, so PF rules and NFS mounts dependent upon DNS may cause boot-up problems. There may be other applications which you wish to keep from running immediately after the upgrade, stop and disable them as well.
Install new boot blocks. This should actually be done at the end of any upgrade. If this has been neglected, then failure to do this now may break serial console or other things, depending on your platform. Use installboot(8), assuming sd0 is your boot disk:
```
    installboot sd0
```

Upgrading manually

Install new kernels. The extra steps for copying over the primary kernel are done to ensure that there is always a valid kernel on the disk.

If using the multiprocessor kernel:

    cd /usr/rel    # where you put the release files
    ln -f /bsd /obsd && cp bsd.mp /nbsd && mv /nbsd /bsd
    cp bsd.rd /
    cp bsd /bsd.sp

If using the single processor kernel:

    cd /usr/rel    # where you put the release files
    ln -f /bsd /obsd && cp bsd /nbsd && mv /nbsd /bsd
    cp bsd.rd bsd.mp /    # may give a harmless warning

Enable KARL. Store the kernel's checksum:

    sha256 -h /var/db/kernel.SHA256 /bsd

Install new userland. Save a copy of reboot(8), extract and install the release tarballs, reboot. Install base65.tgz last, because the new base system, in particular tar(1), gzip(1) and reboot(8), will not work with the old kernel. Either untar the needed filesets manually

    cp /sbin/reboot /sbin/oreboot
    tar -C / -xzphf xshare65.tgz
    tar -C / -xzphf xserv65.tgz
    tar -C / -xzphf xfont65.tgz
    tar -C / -xzphf xbase65.tgz
    tar -C / -xzphf man65.tgz
    tar -C / -xzphf game65.tgz
    tar -C / -xzphf comp65.tgz
    tar -C / -xzphf base65.tgz    # Install last!
    /sbin/oreboot

or, if you use ksh(1), you can do

    cp /sbin/reboot /sbin/oreboot
    for _f in [!b]*65.tgz base65.tgz; do tar -C / -xzphf "$_f" || break; done
    /sbin/oreboot

Note that tar(1) can expand only one archive per invocation, so a simple glob won't work.

After reboot, update /dev. Run MAKEDEV(8):
```
    cd /dev
    ./MAKEDEV all
```
Update boot loader. Still assuming sd0 is your boot disk:
```
    installboot sd0
```
Update system configuration files. Run sysmerge(8):
```
    sysmerge
```
Update firmware. There may be new firmware for your system. Update it with fw_update(1):
```
    fw_update
```
Finish up. Review the console output from boot (using dmesg -s) and correct any failures as necessary. All the steps following configuration changes above also apply to manual upgrades. Finally, remove /sbin/oreboot and update packages: pkg_add -u. Reboot once more to make sure you run on your own kernel generated by KARL.

[FAQ Index] | [6.3 -> 6.4] [6.5 -> 6.6]

$OpenBSD: upgrade65.html,v 1.14 2019/10/17 02:27:39 tj Exp $