[OpenBSD]

[FAQ Index]

Following -current

Table of Contents

Introduction

This document is for people who wish to follow -current. It contains information about changes from 5.5-release to -current, and should NOT be used by anyone upgrading from 5.4 or earlier, or people wishing to follow -stable.

If you wish to upgrade to 5.5-release or 5.5-stable from previous versions, see the upgrade guide.

Make sure you have read and understood FAQ 5 - Building the System from Source before using -current and the instructions below.

You should ALWAYS use a snapshot as the starting point for running -current. Upgrading by compiling your own source code is not supported.

Most of these changes will have to be performed as root.

2014/03/12 - smtpd becomes default MTA

The default system MTA is now smtpd. If you are running sendmail with anything other than the default configuration, please exercise caution and care when upgrading. The sendmail cronjob should be disabled, /etc/mailer.conf and /etc/rc.conf{,local} should be checked to verify one and only one MTA is enabled, and newaliases run. 
    crontab -e
    vi /etc/mailer.conf
    vi /etc/rc.conf
    vi /etc/rc.conf.local
    newaliases

2014/03/12 - spray removed

/usr/sbin/spray and the associated rpc daemon have been removed. 
    rm -f /usr/sbin/spray
    rm -f /usr/libexec/rpc.sprayd
    rm -f /usr/share/man/man8/{,rpc.}spray{,d}.8
    vi /etc/inetd.conf

2014/03/13 - _smtpq user added

A new _smtpq user and group have been added to support privilege separation in smtpd. Add the following passwd line using vipw. 
    _smtpq:*:103:103::0:0:SMTP Daemon:/var/empty:/sbin/nologin
Add the following line to /etc/group. 
    _smtpq:*:103:
If you have previously started smtpd, you will need to change the owner of the queue subdirectories. 
    cd /var/spool/smtpd
    chown -R _smtpq corrupt incoming purge queue temporary

2014/03/13 - httpd(8) removed

/usr/sbin/httpd and the associated tools and files have been removed. Consider using nginx(8) for your http serving needs, but note that nginx is not a drop-in replacement. If you need the old httpd(8) or tools (e.g. logresolve, htdigest, etc) and cannot switch at this time, see the port www/apache-httpd-openbsd (if using modules, note that LoadModule configuration lines will need to be adjusted). All users need to remove the following files and directories: 
    rm -rf /usr/lib/apache
    rm -rf /usr/share/doc/html/httpd
    rm -f /usr/bin/{dbmmanage,htdigest}
    rm -f /usr/sbin/{apachectl,apxs,httpd,logresolve,rotatelogs,suexec}
    rm -f /usr/share/man/man1/{dbmmanage.1,htdigest.1}
    rm -f /usr/share/man/man8/{apachectl.8,apxs.8,httpd.8,logresolve.8}
    rm -f /usr/share/man/man8/{rotatelogs.8,suexec.8}
    rm -f /etc/rc.d/httpd
The following files are associated with httpd(8) and can be deleted in some cases, but may have been replaced with user content or configuration. Warning: On systems which currently or have previously used any http daemon, care must be taken and files analyzed case by case to avoid accidental deletion of user content or important configuration files. In particular, users moving to apache-httpd-openbsd will want to keep many of these files. 
    rm -rf /var/www/icons
    rmdir /var/www/conf/{modules,modules.sample}
    rmdir /var/www/users
    rm -f /var/www/cgi-bin/{printenv,test-cgi}
    rm -f /var/www/conf/{httpd.conf,magic,mime.types}
    rm -f /var/www/htdocs/{apache_pb.gif,blowfish.jpg,bsd_small.gif,index.html}
    rm -f /var/www/htdocs/{lock.gif,logo23.jpg,logo24.jpg,mod_ssl_sb.gif}
    rm -f /var/www/htdocs/{openbsd_pb.gif,openbsdpower.gif,openssl_ics.gif}
    rm -f /var/www/htdocs/smalltitle.gif
Many PHP applications will work under nginx with few or minimal changes; in most cases php-fpm is the preferred method of running PHP under nginx.

2014/03/16 - [ports] unbound(8) moved to base

Unbound has moved to the base OS.

If the package is installed, remove it before upgrading to avoid a conflict in /etc/rc.d/unbound, and edit rc.conf.local to remove "unbound" from "pkg_scripts=..." lines, and add "unbound_flags=" instead. 

    pkg_delete unbound
    vi /etc/rc.conf.local
The following applies only to those updating from source, or updating from a snapshot without using sysmerge: The _unbound user should be added using vipw (or the UID should be modified if you were previously using Unbound from ports). 
    _unbound:*:53:53::0:0:Unbound Daemon:/var/unbound:/sbin/nologin
And _unbound group. 
    _unbound:*:53:
On or before March 19, sysmerge(8) was unable to do the /etc/group crossing automatically if updating from source. Manual intervention will be required in those situations.

2014/03/17 - ftpd(8) disallows uid < 1000 by default

ftpd(8) now defaults to denying access to user accounts with uid below 1000. See the -m option if you need to change this.

2014/03/17 - userland agp(4) interfaces removed

With the introduction of KMS, userland access to agp(4) is no longer needed. Since these interfaces provided low-level access to the hardware, they have been removed. You should remove the associated header file: 
    rm -f /usr/include/sys/agpio.h

2014/03/17 - userland ppp(8) and pppoe(8) implementations removed

The userland ppp(8) daemon and its associated PPPoE helper, pppoe(8), have been removed. As a result, the old binaries and manual pages should be removed: 
    rm -f /etc/ppp/ppp.{conf,linkdown,linkup,secret}.sample
    rm -f /usr/sbin/ppp /usr/share/man/man8/ppp.8
    rm -f /usr/sbin/pppctl /usr/share/man/man8/pppctl.8
    rm -f /usr/sbin/pppoe /usr/share/man/man8/pppoe.8
Many users will be able to migrate to the kernel implementations: pppoe(4) (for PPPoE), ppp(4) and its associated control program pppd(8) (for modems, mobile data, and some use with userland programs via a pipe).

Another option for some users is npppd(8) which supports L2TP, PPTP and PPPoE (currently server-side, IPv4 only).

2014/03/19 - rcp(1) removed

rcp(1) has been removed. As a result, the binary and manual page should be removed: 
    rm -f /bin/rcp /usr/share/man/man1/rcp.1

2014/03/23 - powerpc is now PIE

The powerpc platform has been switched to PIE (position-independent executables) by default. Everyone is encouraged to update via snapshots (dated after 2014/03/23); if you want to upgrade via sources, follow these instructions:

First, make sure you are running an up-to-date kernel. Second, install the new system Makefiles with the change to PIE_ARCH in bsd.own.mk: 

    cd /usr/src/share/mk && make install
Then, recompile and install gcc and binutils. 
    cd /usr/src/gnu/usr.bin/binutils
    make -f Makefile.bsd-wrapper clean && make -f Makefile.bsd-wrapper obj && \
        make -f Makefile.bsd-wrapper depend && make -f Makefile.bsd-wrapper
    cd /usr/src/gnu/usr.bin/cc
    make clean && make obj && make depend && make && make install
    cd /usr/src/gnu/usr.bin/binutils && make -f Makefile.bsd-wrapper install
Finally, recompile your system by following the procedure outlined in release(8).

2014/03/23 - librt removed

The librt static stub library has been removed. The leftover files must be deleted. 
    rm -f /usr/lib/librt{,_p}.a

2014/03/23 - Miscellaneous functions removed

Miscellaneous functions have been removed from libc. The corresponding header files must be deleted. 
    rm -f /usr/include/bm.h
    rm -f /usr/include/md4.h

2014/03/23 - mount(2) changes for NFS, mfs, msdosfs, and ntfs

Changes to the mount(2) API/ABI means that NFS servers must rebuild mountd(8) against the updated headers and restart it after rebooting to the new kernel.
Similarly, the mount_mfs(8), mount_msdos(8), and mount_ntfs(8) must be recompiled and reinstalled. Installing a new snapshot is—as always—recommended.

2014/03/24 - tcpwrappers removed

libwrap and tcpd have been removed. The leftover remnants must be purged. The entries in /etc/host.{allow,deny} can be converted into filtering rules in /etc/pf.conf. 
    rm -f /usr/lib/libwrap{,_p}.*
    rm -f /usr/libexec/tcpd
    rm -f /usr/include/tcpd.h
    rm -f /usr/sbin/tcpd{chk,match}
    rm -f /usr/share/man/man3/hosts_access.3
    rm -f /usr/share/man/man5/hosts.{allow,deny}.5
    rm -f /usr/share/man/man5/hosts_{access,options}.5
    rm -f /usr/share/man/man8/tcpd{,chk,match}.8
    rm -f /etc/hosts.{allow,deny}

2014/03/26 - rmail(8) and uucpd(8) moved to ports

/bin/rmail and uucpd(8) have been removed from the base system and added to the ports tree. As a result, the old binaries and manual pages should be removed: 
    rm -f /bin/rmail
    rm -f /usr/share/man/man8/rmail.8
    rm -f /usr/libexec/uucpd
    rm -f /usr/share/man/man8/uucpd.8
Users of these programs should install the rmail and uucpd packages instead.

2014/03/29 - pflow(4) pflowproto 9 removed

pflow(4)'s pflowproto 9 has been removed. Consider using pflowproto 10.

2014/04/14 - snmpd(8), snmpctl(8), and relayd(8) now communicate via AgentX protocol

The communications channel over which snmpd(8) accepts trap requests has been converted to the AgentX protocol. Users who have configured relayd(8) to send traps on host status changes will have to modify their configurations for both snmpd(8) and relayd(8):
snmpd.conf(5):
    # listen for AgentX connections
    socket "/var/run/agentx.sock" agentx
relayd.conf(5) syntax has changed, from "send trap" to "snmp trap": 
    # used to be "send trap"
    snmp trap "/var/run/agentx.sock"

2014/04/19 - altq removed

The old queueing subsystem, altq, has been removed. If any pf.conf(5) rules mentioning "altq" or "oldqueue" are still present, loading the ruleset will now fail, so must be removed or migrated to the new queue configuration. Old headers should also be removed: 
    rm -rf /usr/include/altq

2014/04/20 - [ports] roundcubemail update needs config changes

Roundcube configuration files have been rearranged, if upgrading an existing system you will need to migrate your settings from old config files (db.inc.php and main.inc.php) to the new file (config.inc.php).

2014/04/21 - lpd(8): hosts.equiv removed

hosts.equiv usage has been deprecated and lpd(8) does not use it anymore for access control. Users of this file should migrate to use /etc/hosts.lpd.

2014/04/22 - kerberosV removed

kerberosV has been removed. The login methods "krb5" and "krb5-or-pwd" are not supported anymore and should be removed from login.conf(5). Many dependencies and packages have to be updated. The libraries, headers and other related files should be removed from the system. 
	rm -rf /etc/kerberosV/
	rm -f /etc/rc.d/{kadmind,kdc,kpasswdd,ipropd_master,ipropd_slave}
	rm -f /usr/bin/asn1_compile
	rm -f /usr/bin/compile_et
	rm -f /usr/bin/kcc
	rm -f /usr/bin/kdestroy
	rm -f /usr/bin/kf
	rm -f /usr/bin/kgetcred
	rm -f /usr/bin/kinit
	rm -f /usr/bin/klist
	rm -f /usr/bin/krb5-config
	rm -f /usr/bin/slc
	rm -f /usr/bin/string2key
	rm -f /usr/bin/verify_krb5_conf
	rm -rf /usr/include/kerberosV/
	rm -f /usr/lib/libasn1{,_p}.*
	rm -f /usr/lib/libcom_err{,_p}.*
	rm -f /usr/lib/libgssapi{,_p}.*
	rm -f /usr/lib/libhdb{,_p}.*
	rm -f /usr/lib/libheimbase{,_p}.*
	rm -f /usr/lib/libkadm5clnt{,_p}.*
	rm -f /usr/lib/libkadm5srv{,_p}.*
	rm -f /usr/lib/libkafs{,_p}.*
	rm -f /usr/lib/libkdc{,_p}.*
	rm -f /usr/lib/libkrb5{,_p}.*
	rm -f /usr/lib/libroken{,_p}.*
	rm -f /usr/lib/libwind{,_p}.*
	rm -rf /usr/libdata/perl5/site_perl/*-openbsd/kerberosV/
	rm -f /usr/libexec/auth/login_krb5{,-or-pwd}
	rm -f /usr/libexec/hprop{,d}
	rm -f /usr/libexec/ipropd-{master,slave}
	rm -f /usr/libexec/kadmind
	rm -f /usr/libexec/kdc
	rm -f /usr/libexec/kfd
	rm -f /usr/libexec/kpasswdd
	rm -f /usr/sbin/iprop-log
	rm -f /usr/sbin/kadmin
	rm -f /usr/sbin/kimpersonate
	rm -f /usr/sbin/kstash
	rm -f /usr/sbin/ktutil
	rm -f /usr/share/info/heimdal.info
	rm -f /usr/share/man/man1/kdestroy.1
	rm -f /usr/share/man/man1/kf.1
	rm -f /usr/share/man/man1/kgetcred.1
	rm -f /usr/share/man/man1/kinit.1
	rm -f /usr/share/man/man1/klist.1
	rm -f /usr/share/man/man1/krb5-config.1
	rm -f /usr/share/man/man1/kswitch.1
	rm -f /usr/share/man/man3/ecalloc.3
	rm -f /usr/share/man/man3/getarg.3
	rm -f /usr/share/man/man3/{gss,krb5,krb}_*.3
	rm -f /usr/share/man/man3/gssapi.3
	rm -f /usr/share/man/man3/gsskrb5_extract_authz_data_from_sec_context.3
	rm -f /usr/share/man/man3/gsskrb5_register_acceptor_identity.3
	rm -f /usr/share/man/man3/k_afs_cell_of_file.3
	rm -f /usr/share/man/man3/k_hasafs.3
	rm -f /usr/share/man/man3/k_hasafs_recheck.3
	rm -f /usr/share/man/man3/k_pioctl.3
	rm -f /usr/share/man/man3/k_setpag.3
	rm -f /usr/share/man/man3/k_unlog.3
	rm -f /usr/share/man/man3/kadm5_pwcheck.3
	rm -f /usr/share/man/man3/kafs*.3
	rm -f /usr/share/man/man3/krb524_*.3
	rm -f /usr/share/man/man3/parse_time.3
	rm -f /usr/share/man/man3/rtbl.3
	rm -f /usr/share/man/man5/krb5.conf.5
	rm -f /usr/share/man/man5/mech.5
	rm -f /usr/share/man/man8/hprop{,d}.8
	rm -f /usr/share/man/man8/iprop{,-log}.8
	rm -f /usr/share/man/man8/ipropd-{master,slave}.8
	rm -f /usr/share/man/man8/kadmin{,d}.8
	rm -f /usr/share/man/man8/kdc.8
	rm -f /usr/share/man/man8/kerberos.8
	rm -f /usr/share/man/man8/kfd.8
	rm -f /usr/share/man/man8/kimpersonate.8
	rm -f /usr/share/man/man8/kpasswdd.8
	rm -f /usr/share/man/man8/kstash.8
	rm -f /usr/share/man/man8/ktutil.8
	rm -f /usr/share/man/man8/login_krb5{,-or-pwd}.8
	rm -f /usr/share/man/man8/string2key.8
	rm -f /usr/share/man/man8/verify_krb5_conf.8
Remaining users of kerberosV should download and install the software manually or use the kerberos packages when they become available.

2014/05/03 - bcrypt hash advanced to $2b$ mode

The bcrypt(3) hash has been advanced to the new $2b$ mode. Newly created hashes will follow this form. Older systems may not understand this format.

2014/05/27 - route(8) -priority 1 reserved for the kernel

The route(8) priority 1 has been reserved for the kernel and it is no longer possible to set it from userland.

2014/06/03 - sshd(8) change of default MACs, modes, ciphers

This refers to a change made on 2014/03/25. Weak or broken hashes, ciphers and modes were removed from the default sshd(8) configuration. Some clients do not support any of the methods which are now available by default, so will not be able to connect without changes. In those cases, the client should be updated or replaced. If this is impossible, the weak methods can be enabled via sshd_config(5). See /var/log/authlog after a failed connection for information that will help track down these issues.

2014/06/12 - nginx(8) syslog logging config change

The configuration options for logging to syslog in nginx(8) have changed (external patch now replaced by a backported patch from newer nginx). If you have enabled these options in /etc/nginx/nginx.conf (not used by default), you will need to update them; e.g. 
	error_log  syslog:server=unix:/dev/log,severity=notice;
	access_log syslog:server=unix:/dev/log,severity=notice main;

2014/06/13 - changes to minherit(2) and new getentropy(2)

Some upcoming changes are being pushed into the kernel over a few days. Update a new kernel and userland now, to avoid failure.

2014/06/23 - [ports] Bacula packaging changes

Bacula has been split into subpackages for different database backends. Users of the recommended PostgreSQL backend won't need to make any changes; users of other backends should run uninstall Bacula and then add it again with pkg_add, selecting the preferred database backend from the list offered.

2014/06/30 - strict nat-to/rdr-to translation pool checks

pfctl(8) will now raise an error for a range of ambiguous nat-to and rdr-to specifications. In particular, when a translation pool contains entries with different address families such as { 127.0.0.1 ::1 } or entries that when expanded result in similar specifications: for example nat-to em0 may expand to an IPv4 and an IPv6 addresses.

2014/07/09 - relayd(8) filter grammar changed

The ability to filter HTTP connections in relayd(8) has been reimplemented. relayd.conf(5) syntax has changed; the "tag" keyword in the redirect section has been renamed to "pftag" and various HTTP-specific configuration directives in the protocol section have been replaced with new generic filter rules.

The port sysutils/relayd-updateconf is provided to convert the old configuration directives to the new filter grammar. It is provided as a convenience, but the resulting file must be inspected for correctness.

2014/07/10 - ifconfig(8) ABI break

ifconfig(8) now shows whether an encrypted wifi network is using WEP or WPA. Old ifconfig binaries running on a new kernel will not be able to scan for wireless networks: 
	ifconfig: SIOCG80211ALLNODES: Inappropriate ioctl for device
Upgrading from snapshots is recommended. When upgrading from source, ifconfig should be recompiled with new net80211 headers after upgrading the kernel: 
	cd /usr/src
	make includes
	cd /usr/src/sbin/ifconfig
	make clean
	make obj
	make depend
	make
	make install

2014/07/11 - IPv6 autoconf changes

The sysctl to globally accept IPv6 router advertisements has been replaced with a per-interface "AUTOCONF6" flag, set by "ifconfig <if> inet6 autoconf".

This is set automatically on a given interface where rtsol/rtsold is used, so for typical use cases no changes will be needed, however rare configurations which do not use rtsol but just rely on the periodic announcements will need to manually set this flag.

If you upgrade from source and depend on rtsol for network access to work after rebooting the new kernel, then install new headers, rebuild rtsol/rtsold/ifconfig and apply revision 1.141 to /etc/netstart before the reboot.

2014/07/13 - Addition of sendsyslog(2) system call

The syslog_r(3) function has been switched over to rely on the sendsyslog(2) system call introduced around 2014/07/10.

A kernel containing the system call is required perhaps even for getting single user; so use of upgrades is recommended.

2014/07/16 - lynx(1) moved to ports

Lynx has been removed from the base system and has been moved to ports. The following files and directories should be deleted (the latter is optional; if you plan to install Lynx from packages you may prefer to keep it). 
	rm -f /usr/bin/lynx
	rm -f /usr/share/man/man1/lynx.1
	rm -rf /usr/share/doc/html/lynx_help
	rm -f /etc/lynx.cfg
To install Lynx from packages: 
	pkg_add lynx

2014/07/22 - [ports] Increased file descriptor use in KDE4

Some KDE4 components (kded4, Akonadi, Digikam database and others) now monitor directories for changes via kqueue(2). This saves CPU time, but kqueue requires one file descriptor per monitored file. Thus limits for system (kern.maxfiles sysctl) and/or process (openfiles in login.conf(5)) need to be adjusted:

2014/07/23 - Changes to /etc infrastructure

Many sample configuration files have moved from /etc to /etc/examples; if wishing to configure the relevant software on a new system, you could copy the file (use -p to preserve permissions), or create a new file from scratch with correct ownership and permissions. sysmerge will warn when an example file has changed and a matching file under /etc exists, so that the admin can check if the modifications apply to his setup.

Some files which may have local modifications, notably /etc/rc and /etc/netstart, have been moved from the etc*.tgz file set to the base*.tgz file set. If you are reliant on services started from modified versions of these files to login, you will need to take action before upgrading.

The installation instructions with many ports have suggested using the following method to add to the "pkg_scripts" or "syslogd_flags" variables: 

	pkg_scripts="${pkg_scripts} somescript"
This is no longer supported. You must replace these with one long pkg_scripts line - continuation lines are not possible. Recent changes to the syslog(3) function calls have removed the need for additional log sockets in most cases, so in general lines like this can be removed: 
	syslogd_flags="${syslogd_flags} -a /path/to/dev/log"

2014/07/27 - [ports] rc scripts of both apache webservers renamed

The rc scripts of the apache-httpd-openbsd and apache-httpd packages had been renamed from httpd to apache resp. httpd2 to apache2, to avoid conflicts with the base httpd. If you're running one or both of them, you have to replace "httpd" by "apache" in your pkg_scripts and httpd?_flags entries.

After upgrading the apache-httpd-openbsd package, you'll also have to bring the rc script of the base http, which pkg_add(1) has moved out of the way, and you should remove partial package probably left around: 

	mv -i /etc/rc.d/httpd.* /etc/rc.d/httpd
	pkg_delete partial-apache-httpd-openbsd

$OpenBSD: current.html,v 1.533 2014/07/27 10:54:07 kili Exp $