Kjell Wooding
<kjell@openbsd.org>
Updated:
$OpenBSD: upgrade-minifaq.html,v 1.180 2003/11/11 00:01:31 margarida Exp $
This Mini-FAQ is an attempt to address the most common issues encountered when upgrading between OpenBSD releases, or from the releases to -current. Though hardly Mini anymore, this document retains the Mini-FAQ moniker for historical and/or consistency reasons. Information on older versions can be found in a separate document.
The Upgrade-MiniFAQ is intended for Advanced Users. If you are a beginner, or are not completely confident with your compiler and toolchain, then upgrading via source is not for you. Install a binary release or snapshot instead, then apply any relevant instructions below for upgrading /etc.
1.1: Terminology. What is -current? What are Snapshots? What is -stable?
1.2: What is the easiest way to upgrade to -current?
1.3: I looked, but didn't see any snapshots on the FTP site. Where did they go?
1.4: How do I get the latest source?
1.5: Okay, I have the tree. How do I build it?
1.6: My make build stopped halfway. Do I have to redo the whole thing?
1.7: I'm getting errors during the build. What do I do?
1.8: Is there a standard way of upgrading the compiler, gcc?
1.9: What is the best way to upgrade /etc, /var, and /dev?
1.10: How do I clean all the cruft out of my existing source tree?
1.11: Do I have to be root to do a make build?
1.12: Why am I not seeing any new devices?
1.13: Is there an easy way to make all the file hierarchy changes?
1.14: After an upgrade, ps now reports "proc size mismatch."
1.15: How can I upgrade to the latest snapshot?
3.4.1: svnd device minor numbers changed
3.4.2: New user and group _pflogd
3.3.1: i386 W^X support
3.3.2: mquery syscall change
3.3.3: i386 flag day, exe addr/MAXDSIZ change
3.3.4: Removal of KerberosIV authentication
3.3.5: config change
3.3.6: Use __attribute__((bounded)) on certain functions
3.3.7: New user and group _syslogd
3.3.8: New format attribute __kprintf__ in kernel headers
3.2.1: New Perl
3.2.2: New groups _radius, _token and _shadow
3.2.3: Important compiler changes
3.2.4: New user and group _spamd
3.2.5: Alias for ipv6-icmp
3.2.6: New group _lkm
3.2.7: New libpthread
3.2.8: Linker changes for ELF architectures
3.2.9: Removal of /var/at and crontab changes
3.1.1: New users/groups
3.1.2: New group for crontab(1) and at(1)
3.1.3: New Binutils
3.1.4: New S/Key configuration
3.1.5: New permissions for lp*
3.1.6: atrun(8) no longer needed
3.1.7: nat.conf merged into pf.conf
3.1.8: New fbtab entry needed for xdm
3.1.9: Use __attribute__((sentinel)) on certain functions
3.0.1: New keyword supported by mtree(8)
3.0.2: Removal of libdl on ELF platforms
3.0.3: New regression framework
3.0.4: ssh config files moved to /etc/ssh/
2.9.1: New users/groups - proxy, smmsp and popa3d
2.9.2: New packet filter: pf
2.9.3: Changes to make
2.9.4: Build fails because of KerberosV errors
2.9.5: New sendmail version
2.9.6: /etc/primes Moved
Information on upgrading from OpenBSD 2.3 to 2.8 has been moved to a separate document. This document was getting just too darn big.
Prior to OpenBSD 2.7, OpenBSD development happened from a single, unbranched source tree. As of 2.7, a patch branch was introduced.
At approximately six-month intervals, OpenBSD releases are produced. These are numbered in the conventional (2.x, 3.x) manner. The current OpenBSD release is indicated at the top of this document.
-current, short for openbsd-current, refers to the up-to-the-minute version of the source tree contained in the CVS repository. This is the tree most commonly used by OpenBSD developers. The -current tree contains all the code that is planned for the next release. From time to time, brave souls will abandon the formal releases and run openbsd-current, usually to take advantage of features that have not yet made it into the formal releases. Because of its uncertain nature, however, upgrading to -current is not recommended for non-technical users.
Between formal releases, a series of snapshot releases are made available. Snapshots are test releases of the -current source tree. Because they reflect the current state of development, there is no guarantee that snapshot releases will work correctly (or even at all). Snapshots are quite useful when moving from a formal release (or older version of -current) to the current tree. If you happen to run -current it is strongly recommended to follow the source-changes mailing list. The commit messages often contain valuable information about the latest and greatest features added.
As of OpenBSD 2.7, a patch branch (called -stable) was introduced. This branch contains the base release, and any important patches or fixes (important being the errata patches, plus others that are obvious and simple, but do not deserve an errata entry).
The ports tree is an integral part of the system. You should upgrade the ports tree at the same time as the rest of the system, following the same rules as for upgrading everything else; i.e., you should run -stable ports on a -stable system, and -current ports only on a -current system.
Due to changes in the underlying libraries, moving directly from a release to -current is not always easy. The most painless way to move up to -current is to first upgrade to the latest snapshot. Once the snapshot is installed, the latest source can be fetched and built. This procedure should eliminate most toolchain and library problems.
Snapshots may be removed as they become old (or no longer relevant). If no snapshot is available, you should upgrade to the most recent release and build the remainder of the way from source.
Short answer: http://www.openbsd.org/anoncvs.html
For example, to retrieve the entire tree via CVS (using the ksh shell; others substitute setenv for export):
# export CVSROOT=anoncvs@anoncvs.ca.openbsd.org:/cvs
# export CVS_RSH=/usr/bin/ssh
# cd /usr
# cvs -q get -P src
Note that this gets you -current. You probably don't want that. For example, to retrieve 3.2-stable, use
# cvs -q get -rOPENBSD_3_2 -P src
Basic instructions are in /usr/src/Makefile. This is a slightly expanded version.
Clean out the old object files.
If you created a separate /usr/obj directory, clean that, and rebuild the symbolic links:
# rm -rf /usr/obj/*
# cd /usr/src
# make obj
If you find yourself performing this step a lot, you may find it faster to place /usr/obj onto its own partition, and use newfs instead of rm. For example, I do a:
# umount /usr/obj
# newfs wd0h
# mount /usr/obj
# make obj
If you're worried there are object files in your source tree, do this:
# cd /usr/src
# find . -type l -name obj | xargs rm
# make cleandir
# rm -rf /usr/obj/*
# make obj
Perform any version-specific configuration changes. For example, 2.3 users must add the named user and group before moving to 2.4 or later. See the specific Mini-FAQ section for your version.
Make sure all the appropriate directories are created. This is especially important when upgrading from older versions, but is sometimes necessary in other cases. The easiest way to do this is:
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
Compile a new kernel.
# cd /usr/src/sys/arch/`machine`/conf
Most users will want to use GENERIC:
# config GENERIC
# cd ../compile/GENERIC
NOTE: The truly masochistic in the crowd may want to compile a custom kernel instead. In these cases, it's usually best to start with GENERIC and trim from there. Do the following procedure instead:
# cp GENERIC MYKERNEL
# vi MYKERNEL    (edit MYKERNEL to your liking)
# config MYKERNEL
# cd ../compile/MYKERNEL
In either case,
# make clean && make depend && make
(arc architecture only) copy bsd.ecoff to your FAT partition
# cp /bsd /bsd.old && cp bsd /bsd
# chown root:wheel /bsd    (if you compiled as someone else)
(reboot)
Compile the system.
# cd /usr/src
# make build
Update /etc and /dev by hand. These are not updated automatically. Choose a directory with enough space to hold /, /dev, /var, and /etc. Here I'll use /home/newroot.
# mkdir /home/newroot
# export DESTDIR=/home/newroot
# cd /usr/src/etc && make distribution-etc-root-var
Now compare the files in /home/newroot with their installed counterparts. Replace or update the files as necessary.
# rm -rf /home/newroot (when done)
Reboot to make sure the new /etc files are correct.
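An added example, not part of the original Mini-FAQ: one way to do the comparison step above without changing anything on disk. The function names etc_compare and etc_compare_demo and the demo files are assumptions made for illustration; the function lists staged files that are new, or whose contents differ from the installed copy.

```shell
#!/bin/sh
# Added example: report how a staged distribution tree differs from the
# live tree. Read-only; nothing under either tree is modified.
#
# Usage: etc_compare STAGED LIVE      e.g.  etc_compare /home/newroot /
# Output, one line per file found in STAGED:
#   NEW <path>       file exists only in the staged tree
#   CHANGED <path>   file exists in both trees but contents differ
# Identical files are not listed.
etc_compare() {
    staged=${1%/} live=${2%/}          # strip a trailing slash ("/" becomes "")
    ( cd "${staged:-/}" && find . -type f | sort ) |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -e "$live/$rel" ]; then
            printf 'NEW %s\n' "$rel"
        elif ! cmp -s "$staged/$rel" "$live/$rel"; then
            printf 'CHANGED %s\n' "$rel"
        fi
    done
}

# Constructed sample trees (not real system files) to show the output.
etc_compare_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/new/etc/ssh" "$d/live/etc"
    echo 'crontab:*:66:'  > "$d/new/etc/group"       # staged copy gained a line
    echo 'wheel:*:0:root' > "$d/live/etc/group"      # installed copy differs
    echo same > "$d/new/etc/shells"                  # identical in both trees
    echo same > "$d/live/etc/shells"
    echo cfg  > "$d/new/etc/ssh/sshd_config"         # not installed yet
    etc_compare "$d/new" "$d/live"
    rm -rf "$d"
}
```

For each CHANGED path, diff -u of the installed file against the staged one shows what to merge by hand.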
I would, but if you really want to pick up where you left off, do a:
# cd /usr/src
# make -n build
This will show you what make build is doing. For example, mine tells me:
(cd /usr/src/share/mk && make install)
(cd /usr/src/include; make prereq; make includes)
make cleandir
(cd /usr/src/lib && make depend && make && make install)
(cd /usr/src/gnu/lib && make depend && make && make install)
(cd /usr/src/kerberosIV/lib && make depend && make && make install)
(cd /usr/src/gnu/usr.bin/perl && make -f Makefile.bsd-wrapper config.sh && make -f Makefile.bsd-wrapper depend && make -f Makefile.bsd-wrapper perl.lib && make -f Makefile.bsd-wrapper install.lib)
make depend && make && make install
To pick up where you left off, just reissue the commands from the point where the compile died.
If you do this procedure a lot, you may want to create a new target in your makefile. Simply copy the entry for build (to build-noclean, for example), and remove the make cleandir reference.
If your make build ends with an error, chances are it is because you failed to delete your old objects before rebuilding. See 1.5 for details on cleaning out these objects.
If you are sure your tree is clean of old object cruft, and you are still receiving a build error, one of three things has probably happened:
If you have tried all of the alternatives above, and your problem persists for more than a couple of days, post your problem to misc@openbsd.org. Make sure to include the relevant error messages, and any peculiarities of your setup.
Because upgrading a compiler is a bit of a chicken-and-egg problem, changes to the in-tree compiler require a little extra attention. In general, you'll want to perform the following procedure:
(and yes, you are building it twice)
# rm -r /usr/obj/gnu/egcs/gcc/*
# cd /usr/src/gnu/egcs/gcc
# make -f Makefile.bsd-wrapper clean
# make -f Makefile.bsd-wrapper obj
# make -f Makefile.bsd-wrapper depend
# make -f Makefile.bsd-wrapper
# make -f Makefile.bsd-wrapper install
# make -f Makefile.bsd-wrapper clean
# make -f Makefile.bsd-wrapper depend
# make -f Makefile.bsd-wrapper
# make -f Makefile.bsd-wrapper install
And then run a normal make build.
You may be able to speed this process up by using the BOOTSTRAP procedure:
# cd /usr/src/gnu/egcs/gcc
# make -f Makefile.bsd-wrapper clean
# make -f Makefile.bsd-wrapper obj
# make -f Makefile.bsd-wrapper -DBOOTSTRAP
# make -f Makefile.bsd-wrapper -DBOOTSTRAP install
# make -f Makefile.bsd-wrapper clean
# make -f Makefile.bsd-wrapper
# make -f Makefile.bsd-wrapper install
Short Answer: By Hand.
Long answer:
As a policy, software in the OpenBSD tree does not modify files in /etc automatically. This means it is always up to the administrator to make the necessary modifications there. Upgrades are no exception. To update files in these directories, first determine what changes have occurred to the base (distribution) files, and then manually reapply these changes.
For example, to see the files in the tree that have changed most recently, do a:
# cd /usr/src/etc
# ls -lt | more
To see all the changes in /etc between arbitrary versions of OpenBSD, you can use CVS. For example, to see the changes between 3.1 and 3.2, do a:
# cd /usr/src/etc
# cvs diff -u -rOPENBSD_3_1 -rOPENBSD_3_2
Once you have identified the changes, reapply them to your local tree, preserving any local configuration you may have done.
Typical /etc changes to watch out for between releases include:
The most important thing you can do is to clean out your obj directories. Here's a procedure to update source and kill any leftover objects:
# cd /usr/src
# cvs -q -d anoncvs@some.anon.server:/cvs up -Pd
# find . -type l -name obj | xargs rm
# make -k cleandir
# rm -rf /usr/obj/*
# make obj
If you're still having trouble, you may want to try adding -I ! -I CVS -I obj to your CVS updates. This will identify any extra cruft in your source tree.
Though certain steps of the make build process require root privileges, the build process includes hooks to the sudo(8) command that make this process relatively painless.
If your /etc/sudoers file is configured correctly, you can use the sudo hooks in the following manner:
The /dev/MAKEDEV script is not updated automatically as part of the make build process. As a general rule, it is a good idea to copy and run this script from your source tree when performing an upgrade:
# cd /dev
# cp /usr/src/etc/etc.`machine`/MAKEDEV ./
# ./MAKEDEV all
From time to time, files or directories are added to, or removed from the file hierarchy. Also, ownership information for portions of the filesystem may change. An easy way to ensure that your file hierarchy is up-to-date is to use the mtree(8) utility.
First, fetch the latest source, then do the following:
# cd /usr/src/etc/mtree
# install -c -o root -g wheel -m 600 special /etc/mtree
# install -c -o root -g wheel -m 444 4.4BSD.dist /etc/mtree
# mtree -qdef /etc/mtree/4.4BSD.dist -p / -u
Your file hierarchy should now be up to date.
Your userland and kernel are out of sync. They must both be compiled from the same sources, as certain dependencies exist between them. Rebuild your kernel and userland from the same sources to correct the problem.
Since you've already made one mistake, now is an ideal time to reread this document in its entirety, to catch any other things you may have missed.
Installing a snapshot is a good way to keep up to date. We want you to test snapshots, especially at beta-time, to make sure the next release is of superior quality. And it is much less difficult than building the whole tree.
The easiest way to get -current is to grab a boot image and prepare as described in the FAQ. Once booted, you choose "(U)pgrade" and follow the instructions.
There are several opportunities to start the upgrade program. Usually, the easiest methods are booting from floppy or CD-ROM, or placing a -current bsd.rd on your / and booting that instead of /bsd. Other options include booting over the network and booting from tape. Not all methods are available for all architectures; refer to the installation instructions for more information.
While in-place upgrades sometimes work, this is not recommended. The only safe way to upgrade is booting from a new install/upgrade media as described above.
In all cases, you must upgrade /etc, /var and /dev by hand.
The device minor numbers of svnd devices have changed, so you will need to run the updated /dev/MAKEDEV after installing the new kernel:
# cp /usr/src/etc/etc.`machine`/MAKEDEV /dev
# cd /dev
# rm svnd* rsvnd*
# ./MAKEDEV vnd
The pflogd(8) daemon now runs in privilege separated mode, and requires a new user and group _pflogd. Add the group by running
# groupadd -g 74 _pflogd
as root, and add the user entry using vipw(8):
_pflogd:*:74:74::0:0:pflogd privsep:/var/empty:/sbin/nologin
To enable i386 Writable xor eXecute support, OpenBSD/i386 has changed from a.out executable format to ELF. The flexibility of ELF allows better control over the executable layout which allows for W^X support. a.out compatibility is only available in a limited form. Static a.out binaries will work as before, dynamic a.out binaries ARE NOT SUPPORTED.
SOURCE UPGRADES FROM a.out -> ELF WILL NOT BE SUPPORTED. INSTALL A SNAPSHOT and then you can rebuild from source. This is i386-only, other architectures are NOT affected by this change.
The parameters to the mquery system call were changed to match mmap(). This requires the system to be upgraded in the correct order:
1. Build and boot new kernel.
2. (cd /usr/src && sudo make includes)
3. (cd /usr/src/libexec/ld.so && make && sudo make install)
4. 'make build'
Only i386 uses mquery, so other architectures do not need to
follow this strict build order.
To allow MAXDSIZ to be changed back to 1G, the base address of all executables changes from 0 to 0x1c000000. The combination of these changes requires updating from snapshot. Updating from source is not supported. This only affects i386.
KerberosIV-based authentication has been removed. As a result, you will need to remove all references to krb4 in /etc/login.conf.
Moving swapgeneric.c required a change to config(8). Before building a new kernel, you must first build and install the updated config(8):
# cd /usr/src/usr.sbin/config
# make clean
# make obj
# make
# make install
Now, config your kernel configuration and run "make depend" in your kernel compile directory as detailed above.
__attribute__((bounded)) is now used to detect incorrect arguments for functions which take buffer lengths as one of their parameters. You will need to rebuild gcc according to section 1.8 of the Mini-FAQ before proceeding with make build.
The syslogd(8) daemon now runs in privilege separated mode, and requires a new user and group _syslogd. Add the group by running
# groupadd -g 73 _syslogd
as root, and add the user entry using vipw(8):
_syslogd:*:73:73::0:0:Syslog Daemon:/var/empty:/sbin/nologin
A new format attribute __kprintf__ is now used in kernel header files to make gcc aware of the format extensions in the kernel printf(9). You will need to rebuild gcc according to section 1.8 of the Mini-FAQ before proceeding with make build. You only need to rebuild gcc once from current sources to also support the __bounded__ attribute described in section 3.3.5.
Perl has been updated to version 5.8.0.
In Perl 5.8.0, the XS module API has changed due to a switch
from stdio to PerlIO (see the perldelta manual page for more information).
This means that any XS modules (perl .so files) you have installed
must be rebuilt. If you encounter an error such as
Undefined symbol "perl_get_sv" this is your problem. If the
only modules you have installed were installed as packages or via the
ports system, you can check your system for XS modules by running:
# grep '\.so' /var/db/pkg/p5-*/+CONTENTS | cut -d: -f1 | sort -u
You can then remove the offending modules with pkg_delete -f
and rebuild/install them from the ports tree.
Several new groups have been added:
# groupadd -g 63 _radius
# chgrp _radius /etc/raddb /etc/raddb/servers
# chmod g+x /etc/raddb
# chmod g+r /etc/raddb/servers
# groupadd -g 64 _token
# chgrp _token /etc/activ.db /etc/crypto.db /etc/snk.db
# chmod 0640 /etc/activ.db /etc/crypto.db /etc/snk.db
# groupadd -g 65 _shadow
# chgrp _shadow /etc/spwd.db
# chmod 0640 /etc/spwd.db
Don't worry about error messages indicating that a file was not found. That just means you haven't set up token or radius authentication.
The propolice stack protection extension has been merged into gcc. This requires a slightly different upgrade scenario:
# cd /usr/src
# make obj
For ELF platforms (alpha, macppc, sparc, sparc64):
# cd /usr/src/libexec/ld.so
# make depend && make && make install
For a.out platforms (amiga, hp300, i386, mac68k, mvme68k):
# cd /usr/src/gnu/usr.bin/ld/rtld
# make depend && make && make install
# cd /usr/src/include
# make prereq && make includes
# cd /usr/src/lib/libc
# make depend && make NOMAN=1 && make NOMAN=1 install
Note that, if your compiler is too old, it will not be able to build
libc. In this case, you'll have to do a binary upgrade from a snapshot.
A new user and a new group _spamd for the spamd(8) daemon have been added. Add the group by running
# groupadd -g 62 _spamd
as root, and add the user entry using vipw(8):
_spamd:*:62:62::0:0:Spam daemon:/var/empty:/sbin/nologin
A new alias for ipv6-icmp, icmp6, has been added to /etc/protocols. If you wish to use the icmp6 alias (used in the pfctl(8) regression tests) you must modify the ipv6-icmp line in /etc/protocols, adding the icmp6 keyword before the #. The line should read as follows:
ipv6-icmp 58 IPv6-ICMP icmp6 # ICMP for IPv6
The _lkm group controls access to /dev/lkm. modstat(8) is now setgid _lkm.
You will need to add this group and adjust the permissions on /dev/lkm before running a "make build". The following commands, run as root, will do this:
# groupadd -g 61 _lkm
# chgrp _lkm /dev/lkm
libc_r and libnpthread have been removed and replaced by libpthread. Threaded programs should still be compiled using the -pthread option; the compiler does the right thing.
Before removing libc_r and libnpthread, threaded applications must be re-compiled using libpthread. The recommended build sequence is:
build gcc according to section 1.8.
re-build the system according to section 1.5.
re-build all threaded ports.
remove the now unused libraries:
# rm /usr/lib/libc_r* /usr/lib/libnpthread*
Binutils/ld have been changed to introduce a new security feature to ELF executables. Instead of allowing the data section of executables and shared libraries to be marked executable by the linker, the layout has been changed to only mark the appropriate sections of the program image as executable. This change only affects ELF based architectures: alpha, sparc, sparc64, macppc.
It is recommended that binutils be rebuilt before the rest of the system.
# cd /usr/src/gnu/usr.bin/binutils
# make -f Makefile.bsd-wrapper cleandir
# make -f Makefile.bsd-wrapper obj
# make -f Makefile.bsd-wrapper depend
# make -f Makefile.bsd-wrapper
# make -f Makefile.bsd-wrapper install
Then re-build the system according to section 1.5.
The contents of /var/at have been merged into /var/cron now that at has been integrated into cron. Furthermore, the cron allow and deny files have been renamed cron.allow and cron.deny for POSIX compliance and consistency with at.allow and at.deny.
First re-build the system according to section 1.5. Then move the existing files and restart cron as follows:
# mv /var/at/* /var/cron
# mv /var/cron/jobs /var/cron/atjobs
# mv /var/cron/allow /var/cron/cron.allow
# mv /var/cron/deny /var/cron/cron.deny
# rm -rf /var/at
# kill `cat /var/run/cron.pid`
# /usr/sbin/cron
Disregard any warnings about missing allow or deny files. Not all of them are part of the default installation.
If you do not already have a cron.deny file (it was not installed prior to OpenBSD 3.3) you will need one to run crontab as a user other than the superuser.
# install -c -o root -g crontab -m 660 /dev/null /var/cron/cron.deny
Several new users/groups have been added. In support of authpf(8), a new group is required. Also, to support sshd(8)'s privilege separation feature, a new user and group named sshd have been added to the system. More new users for system services have been added; they are prefixed with "_". Add the following user entries using vipw(8):
sshd:*:27:27::0:0:sshd privsep:/var/empty:/sbin/nologin
_portmap:*:28:28::0:0:portmap:/var/empty:/sbin/nologin
_identd:*:29:29::0:0:identd:/var/empty:/sbin/nologin
_rstatd:*:30:30::0:0:rpc.rstatd:/var/empty:/sbin/nologin
_rusersd:*:32:32::0:0:rpc.rusersd:/var/empty:/sbin/nologin
_fingerd:*:33:33::0:0:fingerd:/var/empty:/sbin/nologin
_x11:*:35:35::0:0:X server:/var/empty:/sbin/nologin
Add the following to /etc/group:
sshd:*:27:
_portmap:*:28:
_identd:*:29:
_rstatd:*:30:
_rusersd:*:32:
_fingerd:*:33:
_sshagnt:*:34:
_x11:*:35:
authpf:*:72:
The crontab(1) and at(1) commands are no longer setuid root; they are now setgid crontab.
Before you run "make build", you will need to add the crontab group. Add a line like the following to your /etc/group file:
crontab:*:66:
The "make build" will update some, but not all, permissions for you. After "make build" finishes, you must run the following by hand (assumes /bin/csh):
# chgrp crontab /var/at/at.{allow,deny} /var/cron/{allow,deny}
# chmod 0640 /var/at/at.{allow,deny} /var/cron/{allow,deny}
# foreach f ( /var/cron/tabs/* )
set u=`basename $f`
chown $u:crontab $f
end
Note that you probably will not have all of the allow/deny files; this is not a problem.
A new binutils (2.11.2) has gone into the tree, requiring an updated libiberty. To build this library, follow these steps:
# cd /usr/src/gnu/egcs/libiberty
# make -f Makefile.bsd-wrapper cleandir
# make -f Makefile.bsd-wrapper obj
# make -f Makefile.bsd-wrapper depend
# make -f Makefile.bsd-wrapper
# make -f Makefile.bsd-wrapper install
The old S/Key database file, /etc/skeykeys, has been replaced by a directory, /etc/skey, where each record is an individual file owned by the user it describes. You can convert /etc/skeykeys to the new format by running (as root):
# skeyinit -C
# mv /etc/skeykeys /etc/skeykeys.OLD
Note that any third-party programs that utilize S/Key directly will need to be recompiled.
The spool directories used by lpd must now be writable by group daemon in order for lpr to be able to spool files. Additionally, the files within the spool directories must be owned by user and group daemon. This can be accomplished as follows:
# find /var/spool/output /var/spool/lpd -type d \
-execdir chgrp daemon {} \; -execdir chmod g+rwx {} \;
# find /var/spool/output /var/spool/lpd -type f \
-execdir chown daemon:daemon {} \;
The atrun(8) command is no longer needed. Its functionality has been incorporated into cron(8). You should remove the /usr/libexec/atrun job from root's crontab by running the following as root:
# crontab -e
You may also wish to remove /usr/libexec/atrun, /usr/share/man/cat8/atrun.0 and the /var/at/spool directory.
/etc/nat.conf is now merged into /etc/pf.conf. You need to insert your NAT rules in pf.conf after scrub rules and before filter rules.
pfctl(8) has a new option to load the ruleset, -f, and the -R and -N options have new meanings now. Make sure to check the manpage and to update your /etc/rc.
login(1) needs to chown /dev/wsmouse to the new _x11 user that is used by xdm for privilege revocation purposes on many architectures. The change to /etc/fbtab needed is architecture dependent. The file is created via this process (assuming sources in /usr/src):
# cat /usr/src/etc/fbtab.head > /etc/fbtab
# cat /usr/src/etc/etc.`uname -m`/fbtab >> /etc/fbtab
# cat /usr/src/etc/fbtab.tail >> /etc/fbtab
If you had custom changes to /etc/fbtab, you will have to merge them back into the new file manually.
__attribute__((sentinel)) is now employed to warn when certain exec(3) functions are used without a terminating NULL pointer. You will need to rebuild gcc according to section 1.8 of the Mini-FAQ before proceeding with make build.
You must build and install a new version of the mtree(8) utility before "make build" will succeed.
# cd /usr/src/usr.sbin/mtree
# make cleandir
# make obj
# make depend
# make
# make install
ELF-based platforms (alpha, macppc and sparc64) do not use libdl anymore. The upgrade from a libdl system to a non-libdl is best done following these steps:
Recompile your system:
# cd /usr/src
# make build
If your "make build" completed successfully, you can step ahead and remove libdl. Note that packages that have been linked against it should be reinstalled after that. If you are not ready for this, you can skip this step for now. Snapshots with correct packages will be made available.
# rm -f /usr/lib/libdl.* /usr/lib/libdl_pic.a
With libdl removed, regenerate your shared libraries cache:
# ldconfig -R
A new infrastructure for regression tests has been introduced and bsd.regress.mk has been added. You will need to install this file before running make obj.
# cd /usr/src/share/mk
# make install
You need to create /etc/ssh/ first; see section 1.13.
Recompile your system:
# cd /usr/src
# make build
Move your /etc/ssh*_* files into the newly created /etc/ssh/ directory:
# cd /etc
# mv ssh*_* ssh/
You will need to change your rc scripts to reflect these changes as well.
Update any HostKey lines in your sshd_config to reflect the new location. For example:
HostKey /etc/ssh_host_key
should be changed to:
HostKey /etc/ssh/ssh_host_key
After this, you can restart the sshd daemon.
First, with the addition of the pf(4) firewalling package, and its ftp-proxy(8) suite, a new user and group named proxy were added to the system. To support this addition, add the following user entry using vipw(8):
proxy:*:71:71::0:0:Proxy Services:/nonexistent:/sbin/nologin
Also add the proxy group to /etc/group:
proxy:*:71:
Second, as part of the Sendmail 8.12 upgrade, sendmail no longer runs setuid root. Both a new user and a new group, named smmsp, have been added to the system. Add a line like the following to your /etc/group:
smmsp:*:25:
Then, run vipw(8) and add the following line for the smmsp user:
smmsp:*:25:25::0:0:Sendmail Message Submission Program:/nonexistent:/sbin/nologin
Make sure this line appears before any yp(8) settings line.
Finally, a new user and group were added for Solar Designer's popa3d server, now part of the core system. Add the following to /etc/group:
popa3d:*:26:
And using vipw(8), add
popa3d:*:26:26::0:0:POP3 server:/var/empty:/sbin/nologin
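An added example, not part of the original Mini-FAQ: a read-only audit of the user and group entries that sections 3.4.2, 3.3.7, 3.2.2, 3.2.4, 3.2.6, 3.1.1, 3.1.2 and 2.9.1 ask you to add, so a missed entry is caught before a privilege-separated daemon fails to start. The names and numeric ids are the ones given on this page; the function names, the finding labels and the demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the accounts this page adds. Tables are name:id pairs
# taken from the page; uid and gid are equal for every user it lists, so each
# user is also checked as a group.
PAGE_USERS='_pflogd:74 _syslogd:73 _spamd:62 sshd:27 _portmap:28 _identd:29'
PAGE_USERS="$PAGE_USERS _rstatd:30 _rusersd:32 _fingerd:33 _x11:35"
PAGE_USERS="$PAGE_USERS proxy:71 smmsp:25 popa3d:26"
PAGE_GROUPS='_radius:63 _token:64 _shadow:65 _lkm:61 crontab:66 authpf:72'
PAGE_GROUPS="$PAGE_GROUPS _sshagnt:34"

# check_accounts MASTER_PASSWD GROUP [USERS [GROUPS]]
# MASTER_PASSWD uses the 10-field vipw(8) format shown on the page.
# Prints one finding per line and nothing when every entry matches.
check_accounts() {
    awk -F: -v users="${3:-$PAGE_USERS}" -v groups="${4:-$PAGE_GROUPS}" '
    BEGIN {
        nu = split(users, ul, " ")
        for (i = 1; i <= nu; i++) { split(ul[i], kv, ":"); un[i] = kv[1]; id[kv[1]] = kv[2] }
        ng = split(groups, gl, " ")
        for (i = 1; i <= ng; i++) { split(gl[i], kv, ":"); gn[i] = kv[1]; id[kv[1]] = kv[2] }
    }
    # First file: name:pass:uid:gid:class:change:expire:gecos:home:shell
    FILENAME == ARGV[1] && NF == 10 { uid[$1] = $3; pgid[$1] = $4; pass[$1] = $2; shell[$1] = $10 }
    # Second file: name:pass:gid:members
    FILENAME == ARGV[2] && NF >= 3  { gid[$1] = $3 }
    function group_check(n) {
        if (!(n in gid)) print "MISSING group " n " (gid " id[n] ")"
        else if (gid[n] != id[n]) print "GID group " n ": have " gid[n] ", page says " id[n]
    }
    END {
        for (i = 1; i <= nu; i++) {
            n = un[i]
            if (!(n in uid)) print "MISSING user " n " (uid " id[n] ")"
            else {
                if (uid[n] != id[n] || pgid[n] != id[n])
                    print "ID user " n ": have " uid[n] ":" pgid[n] ", page says " id[n] ":" id[n]
                # Service accounts must not be usable for login.
                if (pass[n] != "*") print "PASSWORD user " n ": field is not \"*\""
                if (shell[n] != "/sbin/nologin") print "SHELL user " n ": " shell[n]
            }
            group_check(n)
        }
        for (i = 1; i <= ng; i++) group_check(gn[i])
    }' "$1" "$2"
}

# Constructed sample files (not real system data): _syslogd has a login shell
# and the wrong gid in the group file, and _spamd was never added.
check_accounts_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/master.passwd" <<'EOF'
root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
_pflogd:*:74:74::0:0:pflogd privsep:/var/empty:/sbin/nologin
_syslogd:*:73:73::0:0:Syslog Daemon:/var/empty:/bin/sh
EOF
    cat > "$d/group" <<'EOF'
wheel:*:0:root
_pflogd:*:74:
_syslogd:*:37:
_lkm:*:61:
EOF
    check_accounts "$d/master.passwd" "$d/group" \
        '_pflogd:74 _syslogd:73 _spamd:62' '_lkm:61'
    rm -rf "$d"
}
```

On a live system, run check_accounts /etc/master.passwd /etc/group as root; entries for releases you have not reached yet will be reported as MISSING.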
The IPF firewalling package that has been part of previous OpenBSD releases has been replaced with an all-new firewalling suite called pf(4). As a result, a number of changes need to be made.
First, pf depends on a new device file. To ensure that this special device is created, do the following:
# cd /dev
# cp /usr/src/etc/etc.`machine`/MAKEDEV ./
# ./MAKEDEV all
Second, a number of filesystem changes have occurred. For your reference, the following binaries have been replaced:
OLD: /sbin/ipf /sbin/ipfstat /sbin/ipnat /usr/sbin/ipfs /usr/sbin/ipftest /usr/sbin/ipmon /usr/sbin/ipresend /usr/sbin/ipsend /usr/sbin/iptest
NEW: /sbin/pfctl /usr/libexec/ftp-proxy
Similarly, for the devices:
OLD: /dev/ipl /dev/ipnat /dev/ipstate /dev/ipauth
NEW: /dev/pf
And finally, the filter configuration files:
OLD: /etc/ipf.rules /etc/ipnat.rules
NEW: /etc/pf.conf /etc/nat.conf
The old ipfilter sample configuration files may be removed:
# rm -rf /usr/share/ipf
A mechanism for safely enabling pf has been added to the /etc/rc and /etc/rc.conf files. You will need to update these files to include the new hooking mechanism. If you wish to enable pf, set PF=YES in /etc/rc.conf.
There have been changes to make(1) and its data files which may cause difficulties in the build process. This usually manifests as errors from bsd.own.mk during the build. To avoid these issues, first update the data files:
# cd /usr/src/share/mk
# make install
Then build and install the new make.
# cd /usr/src/usr.bin/make
# make clean && make obj && make depend && make
# make install
Now proceed with your upgrade.
Before you try building the whole system, you need to first build KerberosV.
First, there is a new KerberosV configuration directory in /etc. If you have not already done so, use the mtree(8) procedure described in section 1.13 to create it:
Now, build KerberosV:
# cd /usr/src/kerberosV
# make obj
# cd lib/roken
# make
# cd ../../usr.bin/asn1_compile
# make
# make install
You may also need to update your /etc/login.conf, to reflect that the file /usr/libexec/auth/login_krb-or-pwd has been renamed to login_krb4-or-pwd.
sendmail(8) has been upgraded to version 8.12. As this version of sendmail no longer runs setuid root, significant changes have resulted.
Add the following to root's crontab(1). This is necessary since sendmail is no longer setuid root, and relies on this entry to do parts of its job:
# sendmail clientmqueue runner
*/30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q
Upgrade sendmail:
# cd /usr/src/gnu/usr.sbin/sendmail
# make clean && make obj && make depend && make && make install
Note: The files submit.cf and localhost.cf have been installed to your /etc/mail directory. The first of these, submit.cf (referred to as the "client" configuration file in current sendmail documentation) is used by mail user agents that want to submit mail locally for delivery via sendmail. Due to the permissions changes described above, this does not require root privileges; the sendmail binary is set-groupid to group smmsp. The second file, localhost.cf, is an OpenBSD-ism that runs sendmail only listening on the localhost interface to accept mail from the local host but not accept connections from the network (you almost certainly want this if you also use e.g., smtpd(8) listening on the SMTP port on your outside interface). For more details, see the file SECURITY in /usr/src/gnu/usr.sbin/sendmail/sendmail.
It is highly recommended that you regenerate and update your sendmail configuration files in /etc/mail. You can find some working configuration files in /usr/share/sendmail/cf. Note that localhost.cf is generated from openbsd-localhost.mc.
If you were running sendmail without the -bd option in /etc/rc.conf, as the default installation settings do, you will need to use localhost.cf. Edit rc.conf to use the following:
# For normal use: "-L sm-mta -bd -q30m"
sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"
Once your configuration file is ready, kill(1) the existing sendmail:
kill `sed 1q /var/run/sendmail.pid`
Restart the new sendmail with the appropriate options, for example:
/usr/sbin/sendmail -L sm-mta -bd -q30m
for a configuration accepting mail from outside, or
/usr/sbin/sendmail -L sm-mta -C/etc/mail/localhost.cf -bd -q30m
for a local mail-only configuration.
Note: the -bd flag is now needed in both cases.
The new sendmail should now be running.
/etc/primes has been renamed to /etc/moduli. Simply copy this file from its old location or from /usr/src/etc.
Copyright © 1998-2003, Kjell Wooding.
Please send any comments, questions, or suggestions to kjell@openbsd.org