OpenBSD Upgrade Guide: 3.8 to 3.9

[FAQ Index] | [3.7 -> 3.8] | [3.9 -> 4.0]

Note: Upgrades are only supported from one release to the release immediately following it. Do not skip releases.

It is highly recommended that you read through and fully understand this process before attempting it. If you are doing it on a critical or physically remote machine, it is recommended that you test this process on an identical, local system to verify its success before attempting on a critical or remote computer.

Upgrading is a convenient way to bring your OpenBSD system up to the most recent version. However, the results are not intended to precisely match the results of a wipe-and-reload installation. Old library files in particular are not removed in the upgrade process, as they may be required by older applications that may or may not be upgraded at this time. If you REALLY wish to get rid of all these old files, you are probably better off reinstalling from scratch.

Table of Contents:

• Before upgrading
• The upgrade process
• Final steps

Before upgrading

Due to the addition of debugging symbols, the size of library files has increased very significantly. For instance, on the i386 platform, the size taken up by the /usr/lib directory went up from 47.7MB in 3.8 to 209MB in 3.9. Make sure you have sufficient space available before starting the upgrade.

Check whether you have made any modifications to your kernel. For example, you might have modified your network device to use a non-default setting using config(8). Note your changes, so you can repeat them for the new 3.9 kernel.

pfsync(4) has changed format, so it can not keep state between a 3.8 and a 3.9 box. Mismatched systems will lose all connections when you switch which box is master, as states will not be transferred between systems. You can minimize the impact of this by upgrading your backup boxes first, so there is only one loss of active states.

carp(4) users with more than one address on a single carp(4) interface may experience another bump when upgrading: interfaces are sorted by address now, so having aliases in exactly the same order is not as critical as it was in the past. It does mean, however, there may be problems between old and new systems. You can sort aliases manually on the old systems to work around this problem if necessary.

ftp-proxy(8) has changed, as detailed below, so your pf.conf(5) file may need to be updated.

ancontrol(8) has been replaced by additional functionality in ifconfig(8). This may impact how you configure your wireless interfaces.

The upgrade process

Upgrading by install media

Upgrading without install media

Sometimes, one needs to do an upgrade of a machine when one can't easily use the normal upgrade process. One can usually do this by carefully following a process similar to building the system from source:

• Place install files in a "good" location. Make sure you have sufficient space!
• Stop any "insecure" applications from starting at boot: There will be a time when PF will be unlikely to be running during this upgrade process, but your applications may still start and run properly. Any application dependent upon PF for security should be disabled before this happens, and should not be re-enabled until proper PF operation is verified after upgrade. There may be other applications which you wish to keep from running during the upgrade, stop and disable them as well.
• Check the kernel: Although most people can skip this step, if you had a modified kernel in 3.8, it is likely you will need to modify the stock kernel of 3.9. Especially when you are performing the upgrade process remotely, now is the time to make sure the new kernel will work upon rebooting the machine. If any changes must be made to the kernel, the safest thing to do is to make those changes on a local 3.9 system. This can be as simple as modifying a specific device using config(8), or it can involve a recompilation if the option you need is not included in the GENERIC kernel. Please consult FAQ 5 - Building the system from source before considering to recompile your kernel.
• Install new kernel(s)

  export RELEASEPATH=/yourpath
  cd ${RELEASEPATH}
  rm /obsd ; ln /bsd /obsd && cp bsd /nbsd && mv /nbsd /bsd
  cp bsd.rd bsd.mp /
  

  Note the extra steps for copying over the primary kernel: those are done to ensure that there is always a valid copy of the kernel on the disk that the system can boot from should there be a really badly timed power outage or system crash.
• Install new /etc/firmware files: Due to the fact that some uploaded "firmware" blobs were relocated from the kernel to files in the /etc/firmware directory, there are a few drivers which will break if there is no uploadable firmware file available when the new kernel boots. This will impact users of only a few devices, though all users can use this step without harm. To extract the firmware files from base39.tgz, use the following as root:

  cd /
  tar xzpf ${RELEASEPATH}/base39.tgz "*etc/firmware/*"
  

• Reboot on the new kernel: This might be a tempting step to skip, but it should be done now, as usually, the new kernel will run old userland apps (such as the soon to be important reboot!), but often a new userland will NOT work on the old kernel.
• Install new userland applications. Do NOT install etc39.tgz and xetc39.tgz now, because that will overwrite your current configuration files!

  export RELEASEPATH=/yourpath
  cd /
  tar xzpf ${RELEASEPATH}/base39.tgz
  tar xzpf ${RELEASEPATH}/comp39.tgz
  tar xzpf ${RELEASEPATH}/game39.tgz
  tar xzpf ${RELEASEPATH}/man39.tgz
  tar xzpf ${RELEASEPATH}/misc39.tgz
  tar xzpf ${RELEASEPATH}/xbase39.tgz
  tar xzpf ${RELEASEPATH}/xfont39.tgz
  tar xzpf ${RELEASEPATH}/xserv39.tgz
  tar xzpf ${RELEASEPATH}/xshare39.tgz
  

  Note: not all file sets will need to be installed for all applications, however if you installed a file set originally, you should certainly upgrade it with the new file set now.

  Note: the files in /etc are handled separately below, so etc39.tgz and xetc39.tgz are NOT unpacked here.

• Upgrade /dev. The new MAKEDEV file will be copied to /dev by the installation of base39.tgz, so you simply need to do the following:

  cd /dev
  ./MAKEDEV all
  

• Upgrade /etc as below.
• Reboot

    Nov 1 12:47:05 puffy sm-mta[16733]: filesys_update failed: No such file or directory, fs=., avail=-1, blocksize=380204

Final steps

1. Upgrading /etc

1.1. New users and groups

• no new users or groups

1.2. Operational changes

• ftp-proxy ftp-proxy(8) was replaced by what was previously called pftpx. The new ftp-proxy runs stand-alone and not from inetd.conf(5) as it used to. You will have to update /etc/inetd.conf to no longer invoke ftp-proxy(8), and update /etc/rc.conf and /etc/rc to run the new one. Edit rc.conf or rc.conf.local to invoke the new program, for example:

  echo 'ftpproxy_flags=""' >> /etc/rc.conf.local
  

  The new proxy uses anchors to allow data connections, which means that your existing /etc/pf.conf must be adapted. In the NAT section you need:

  nat-anchor "ftp-proxy/*"
  rdr-anchor "ftp-proxy/*"
  

  They are mandatory, even if you don't use NAT otherwise. The following rule, that is probably already there for the old ftp-proxy, must stay:

  rdr pass on $int_if proto tcp from $lan to any port 21 -> \
      127.0.0.1 port 8021
  

  In the rules section, this is needed:

  anchor "ftp-proxy/*"
  

  Rules that allow the proxy to make FTP control connections (destination port 21/tcp) must stay. Rules that allow FTP data connections are no longer needed. Those rules may contain "user proxy" or "to port > 49151". Care has been taken to keep the command line switches similar, but some differ. See the ftp-proxy(8) man page.

  One case warrants special mention: if you have old clients that rely on active mode data connections which use 20/tcp as a source port, you need the '-r' switch (for this you had to run the old proxy with "-u root").

  Run ftp-proxy with "-d -D7" if you run into trouble and want to diagnose what's happening.

1.3. /etc file changes

cd /tmp
tar xzpf ${RELEASEPATH}/etc39.tgz

daily
ipsec.conf
magic
monthly
netstart
rc
security
services
weekly
mtree/*

cd /tmp/etc
cp daily ipsec.conf magic monthly netstart rc security services weekly /etc
cp mtree/* /etc/mtree/

Files that must be manually merged, respecting any local changes made to them, if they were modified from the default, otherwise, just copy them over, too:

changelist
inetd.conf
lynx.cfg
rc.conf
ssh/ssh_config
ssh/sshd_config
sysctl.conf

cd /
patch -C -p0 < upgrade39.patch

The following files have had changes which should be looked at, but it is unlikely they should be directly copied or merged (i.e., if you are using pf.conf, look at the suggested change of strategy, and decide if it is appropriate for your use).

hostapd.conf
pf.conf
spamd.conf

rm /usr/lib/libresolv*

mtree -qdef /etc/mtree/4.4BSD.dist -p / -u

2. Checking the kernel

If you followed the instructions for the upgrade process without install media, you have already completed this step. However, if you used the install media, and if you had a modified kernel in 3.8, it is likely you will need to modify the stock kernel of 3.9. This can be as simple as modifying a specific device using config(8), or it can involve a recompilation if the option you need is not included in the GENERIC kernel. Please consult FAQ 5 - Building the system from source before considering to recompile your kernel.

3. Upgrading packages

# pkg_add -ui -F update -F updatedepends

[FAQ Index] | [3.7 -> 3.8] | [3.9 -> 4.0]