OpenBSD Following -current and using snapshots [FAQ Index]


Active OpenBSD development is known as the -current branch. These sources are frequently compiled into releases known as snapshots. Active development sometimes pushes aggressive changes, and complications can arise when building the latest code from a previous point in time. Some of the shortcuts for getting over these hurdles are explained on this page. In general, it's far better to use the OpenBSD upgrade procedure with a newer snapshot, as developers will have gone through the trouble for you already.

Make sure you've read and understand how to build the system from source before using -current and the instructions below.

You should always use a snapshot as the starting point for running -current.

In particular, upgrading by compiling from source from OpenBSD 6.0 -release to -current is not supported.

Most of these changes will have to be performed as root.

2016/08/01 - new mandoc.db(5) format

To update all mandoc.db(5) files to the new format, run:
makewhatis

2016/08/08 - mandatory W^X enforcement

W^X violations are now only permitted for binaries marked wxneeded executed from filesystems marked wxallowed.

2016/08/12 - [ports] py-elasticsearch-curator update

With the update of Elasticsearch Curator to the 4.x version, the CLI interface changed. Instead of parameters, yaml configuration files are used to steer actions of curator. Configuration file documentation can be found on the curator reference pages.

2016/08/14 - qabs(3) and qdiv(3) manpages removed

Their content was merged into the labs(3) and lldiv(3) manpages, so the separate files should be removed and and the database updated.
rm -f /usr/share/man/man3/qabs.3 /usr/share/man/man3/qdiv.3
makewhatis

2016/09/01 - [ports] letskencrypt renamed/moved to base

letskencrypt, previously in ports/security, has been imported to base under its new name acme-client. Adjust scripts/cronjobs as necessary.

2016/09/09 - /dev/sound removed

Remove unused device nodes:
rm -f /dev/sound*

2016/09/13 - [ports] Railo replaced with Lucee

Railo has been replaced with Lucee (a fork). Make notes on your existing Railo configuration before updating. You will need to adjust Tomcat configuration, and configure Lucee according to your previous Railo configuration.

2016/09/19 - softraid crypto switched to bcrypt PBKDF

New volumes will be created with bcrypt PBKDF, however existing volumes will continue to use PKCS5 PBKDF2 until a passphrase change is made.

If you're booting from softraid crypto, ensure that your boot loader has been upgraded to a version that supports bcrypt prior to changing your passphrase. That is to say, it should be from a snapshot dated after 2016/09/19. The boot(8) version should be at least 3.33 on amd64 and 3.31 on i386. Also be aware that once the passphrase has been changed, an older version of bioctl(8) (one that does not support bcrypt PBKDF) will not be able to "unlock" the volume.

2016/09/23 - sqlite3 moved back to ports

SQLite has moved from base back to ports. Remove the following files after upgrading the OS and updating the packages, but before building any ports:
rm /usr/bin/sqlite3
rm /usr/include/sqlite3*.h
rm /usr/lib/pkgconfig/sqlite3.pc
rm /usr/libdata/perl5/site_perl/*-openbsd/sqlite3*.ph
rm /usr/share/man/man1/sqlite3.1
rm /usr/lib/libsqlite3*

2016/09/27 - more secure package and firmware signatures

Packages and firmware are now signed with a more secure scheme. If pkg_add(1) and fw_update(1) complain about unsigned packages/firmware, you must upgrade to a more recent snapshot or rebuild the system—involves pieces in libc, signify(1) and pkg_add(1), so following release(8) is the best way.

2016/10/06 - new build infrastructure, noperm release process

The infrastructure to build the base system from source and to make a release has changed. The SUDO variable was removed from the base system makefiles and the make build command now must be issued by root. Whenever possible, the makefiles will de-escalate privileges to BUILDUSER (as specified in mk.conf(5); defaults to USER). Make sure that /usr/obj or /usr/xobj is empty and owned by BUILDUSER before starting a build.

Start the build as follows:

# cd /usr/src/share/mk && make install	# only needed the first time
# cd /usr/src && make obj && make build
To make a release(8), further setup is required: To build a base release, set DESTDIR=/dest/base and to build a xenocara release, set DESTDIR=/dest/xbase.

2016/10/14 - [ports] Ansible copy module change

The copy module of Ansible added a newline to the value of the content attribute in case it was not present. This behaviour is non-standard and was not documented. It has been reverted in the ansible-2.1.2.0p0 package.
If you previously relied on this behaviour you will need to explicitly add \n to your playbooks.

2016/10/14 - kernel builds now need make obj

Kernels now build in an obj directory just like the rest of the source tree. This helps ensuring that the src tree can be read-only during builds. Some cleanup needs to be done before updating your source trees via cvs:
$ cd /sys
$ rm -r arch/*/compile/[GR]*
$ rm arch/*/compile/.cvsignore
$ cvs -q up -Pd
The new way of configuring, building and installing a kernel is:
$ cd /sys/arch/$(machine)/compile/GENERIC.MP
$ doas make obj
$ make config
$ make
$ doas make install

2016/10/24 - uxterm and koi8xterm removed

The uxterm and koi8rxterm shell scripts have been removed, as xterm(1) on OpenBSD is already set up to support UTF-8. Some cleanup needs to be done after upgrading to -current:
cd /usr/X11R6
rm bin/koi8rxterm bin/uxterm
rm share/X11/app-defaults/KOI8RXTerm share/X11/app-defaults/UXTerm
rm man/man1/koi8rxterm.1 man/man1/uxterm.1
If you edited any configuration files to call uxterm, do not forget to change these to call xterm directly. If you defined X resources for UXTerm, consider moving them to XTerm.

2016/11/04 - [ports] sympa update

The mail/sympa mailing list server port was updated to a new version. The upgrade notes explain how to migrate your setup.

2016/11/04 - [ports] nginx dynamic modules

The www/nginx port has been converted to use subpackages with dynamic modules, instead of using FLAVORs. If you previously were using a FLAVORed version of nginx, or the mail or stream modules, you need to install the apropriate subpackage(s). You also need to modify your nginx configuration to use load_module for each dynamic module you want to load.

2016/11/09 - perl headers removed

The perl headers are no longer generated and should be removed:
rm -rf /usr/libdata/perl5/site_perl

2016/11/14 - default lo(4) interface per rdomain

A loopback interface is now created by default for every rdomain(4). Much like lo0 for rdomain 0, it can be used to see and filter local traffic via bpf(4) and pf(4).

If you previously were using an loX in an rdomain other than X, it won't be possible to create rdomain X anymore. You need to either use a different lo(4) unit or rdomain(4) number.

2016/11/19 - new dedicated build user

A dedicated user now does the heavy lifting of make build.

It is recommended that you start from a very recent -current (dated after Nov 15), so you already have a user build and a group wobj, otherwise add them manually.

Clean out the object directories and set correct owners and permissions:

# rm -rf /usr/obj/* /usr/xobj/*
# chown build:wobj /usr/{,x}obj
# chmod 770 /usr/{,x}obj
Developers must add their users to the group wobj, so that they can still write to /usr/{,x}obj. Be sure to remove any custom BUILDUSER from mk.conf(5).

Install the new systemwide makefiles:

# cd /usr/src/share/mk && make install
You can now proceed by making and installing a kernel, rebooting and building the system from source as described in the release(8) man page.

Before making a release, ensure that build can write to DESTDIR and RELEASEDIR: chown the root of the noperm filesystem containing DESTDIR

# chown build /dest
and set ownership and permissions for RELEASEDIR
# chown build $RELEASEDIR 
# chmod u=rwx $RELEASEDIR
To avoid permission issues, it is recommended to start the first release with an empty RELEASEDIR.

Making xenocara needs no extra steps beyond the ones described in the release(8) man page.

2016/12/01 - cwm(1) bind function changes

The configuration syntax for binding functions to keys and mouse buttons has changed, replacing the bind and mousebind keywords with bind-key, bind-mouse, unbind-key and unbind-mouse. See the cwmrc(5) man page for new bind function names.

2016/12/18 - [ports] news/leafnode group change

The _news account used to run leafnode switched from the news group to the _news group. Ensure that you have at least leafnode-1.11.11p0 installed and that no leafnode process is running, then run
usermod -g _news _news
chgrp -R _news /var/spool/news/

2016/12/18 - [ports] net/uucp user change

Starting with uucp-1.07p4, the uucp suite now runs under the _uucp account. Ensure that you have no uucp process running, then adjust the ownership of some files:
find /etc/ /var/spool/ -user uucp -exec chown _uucp {} ';'

2016/12/27 - removal of uucp and news

The uucp user and the news group have been removed from base. Issue
userdel uucp
groupdel news
rm -rf /var/spool/uucp*		# unless you use the net/uucp port

2017/01/03 - https support added to the installer

On amd64, armv7, i386, hppa and macppc, the bsd.rd installer defaults to https. Your autoinstall(8) response file may need the additional line
Unable to connect using https. Use http instead = yes	# "no" is default
between the HTTP Server and Set name(s) responses.

2017/01/04 - RFC5114 MODP groups removed from iked(8)

Support for the additional modular exponential groups specified in RFC5114 was removed from iked(8). As a result, iked(8) will no longer accept proposals with the MODP2048-256 group (grp24) and thus will not be able to act as a responder for clients running OpenBSD 6.0 or earlier. Therefore the configuration on older installations needs to be changed: select a specific MODP group by adding a line such as ikesa group modp2048 childsa group modp2048 to be able to talk to endpoints running newer versions.

For example, if the old configuration in iked.conf(5) looked like this:

ikev2 active esp from 10.3.0.0/24 to 10.1.0.0/24 \
        local 192.168.1.1 peer 192.168.2.1 \
        childsa enc aes-128-gcm \
        psk "secret"
it needs to be amended to look like this:
ikev2 active esp from 10.3.0.0/24 to 10.1.0.0/24 \
        local 192.168.1.1 peer 192.168.2.1 \
	ikesa group modp2048 \
        childsa enc aes-128-gcm group modp2048 \
        psk "secret"

2017/01/21 - acme-client(1) uses config file

The acme-client(1) program now uses acme-client.conf(5).

Copy your account keys to the new location:

cp -p /etc/acme/privkey.pem /etc/acme/letsencrypt-privkey.pem
cp -p /etc/acme/privkey.pem /etc/acme/letsencrypt-staging-privkey.pem
It is recommended that you leave all current content of the new /etc/acme-client.conf untouched and append your domain { } sections. This will make future upgrades easier.

For example, for the domain www.openbsd.org, append this to the file:

domain www.openbsd.org {
        alternative names { openbsd.org ftp.openbsd.org }
        domain key "/etc/ssl/acme/private/privkey.pem"
        domain certificate "/etc/ssl/acme/cert.pem"
        domain chain certificate "/etc/ssl/acme/chain.pem"
        domain full chain certificate "/etc/ssl/acme/fullchain.pem"
        #challengedir "/var/www/acme"
        sign with letsencrypt
}
What was previously achieved with the command acme-client www.openbsd.org openbsd.org ftp.openbsd.org can now be simplified to:
acme-client www.openbsd.org

2017/02/05 - upgrade to perl 5.24.1

The perl distribution in the base system was upgraded to version 5.24.1. A number of files and directories should be removed. On slower architectures, check with perl -v that you do have the new version before removing these files.
# rm -rf \
  /usr/bin/perl5* \
  /usr/libdata/perl5/*-openbsd/5.*/ \
  /usr/bin/a2p \
  /usr/bin/config_data \
  /usr/bin/find2perl \
  /usr/bin/psed \
  /usr/bin/s2p \
  /usr/libdata/perl5/CGI* \
  /usr/libdata/perl5/Locale/Codes/Constants.pod \
  /usr/libdata/perl5/Module/Build* \
  /usr/libdata/perl5/Package \
  /usr/libdata/perl5/inc \
  /usr/libdata/perl5/pod/a2p.pod \
  /usr/libdata/perl5/unicore/lib/Gc/Lt.pl \
  /usr/libdata/perl5/unicore/lib/Hyphen/Y.pl \
  /usr/libdata/perl5/unicore/lib/LOE \
  /usr/libdata/perl5/unicore/lib/NChar \
  /usr/libdata/perl5/unicore/lib/PatWS \
  /usr/libdata/perl5/unicore/lib/Perl/_XExtend.pl \
  /usr/libdata/perl5/unicore/lib/Perl/_XRegula.pl \
  /usr/libdata/perl5/unicore/lib/Perl/_XSpecia.pl \
  /usr/libdata/perl5/unicore/lib/Space \
  /usr/libdata/perl5/version/vpp.pm
To remove any stale manpages, issue rm -rf /usr/share/man before upgrading.
$OpenBSD: current.html,v 1.786 2017/02/11 11:35:51 tb Exp $