Quick and Dirty OpenBSD Version Upgrade on a Running System

I probably should have checked the mailing lists before writing my last two blog posts on how I install and “beautify” an OpenBSD bare-metal install on a laptop because, sure as I was done with the second one and had shared it with my friends on Reddit, I saw the announcement that 6.8 was available. Well, probably a good time to show how I do an in-place upgrade of a running system. I heavily leverage this post from the main site, so I thought I should give it a shout-out for its helpfulness!

First things first, I make sure I have patched up to the latest and greatest kernel of what I’ll now be calling the “old version” of OpenBSD:

# syspatch

I then make sure my firmware is fully upgraded:

# fw_update

Then, just for double-dog-sure’edness (I just made that compound word up on the spot), I reboot:

# reboot

By the way, I always have my laptop set to boot into Windows by default so that if it is “checked” at a border crossing (I always approach security with all of my devices powered down) it boots into a benign and mostly unused install of Windows. I know, it’s a bit “security through obscurity” but what the heck, right?

If this is the first upgrade for the system, I create a directory called /root/upgrade and then within it create subdirectories for the versions where I copy the files. I generally clean out the old one when I’m setting up a new one just to preserve a little disk space:

# mkdir /root/upgrade
# cd /root/upgrade
# mkdir 6.8
# cd 6.8

I now download all of the install files from the CDN using the built-in ftp client (I used to use wget but why install another port if you don’t need it <grin>):

# ftp https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/base68.tgz
# ftp https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/comp68.tgz
# ftp https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/game68.tgz
# ftp https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/man68.tgz
# ftp https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/xbase68.tgz
# ftp https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/xfont68.tgz
# ftp https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/xserv68.tgz
# ftp https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/xshare68.tgz
# ftp https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/bsd
# ftp https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/bsd.mp
# ftp https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/bsd.rd

For those who are extra paranoid like me, I always make sure I have a total of 11 files in this directory. Remember the name of the blog after all… <grin>
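
The 11-file check above, extended with a signature check, as an added example that is not part of the original post. It assumes SHA256.sig has also been fetched from the same CDN directory and that the running release ships /etc/signify/openbsd-68-base.pub; the function names are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight check of the
# downloaded 6.8 files before anything is copied over the running system.
# Usage: preflight /root/upgrade/6.8

REL=68                                   # release digits used in the set names
SETS="base comp game man xbase xfont xserv xshare"
KERNELS="bsd bsd.mp bsd.rd"

# Print the 11 file names the post downloads, one per line.
expected_files() {
    for s in $SETS; do echo "${s}${REL}.tgz"; done
    for k in $KERNELS; do echo "$k"; done
}

# Print every expected file that is missing or empty in directory $1.
# Prints nothing when all 11 are present.
missing_files() {
    expected_files | while read -r f; do
        [ -s "$1/$f" ] || echo "$f"
    done
}

# Verify the files against the signed checksum list with signify(1).
# Assumption: SHA256.sig sits next to the sets and the public key for the
# new release is already installed under /etc/signify.
verify_files() {
    # $(expected_files) is left unquoted on purpose so each name is one argument.
    ( cd "$1" && signify -C -p "/etc/signify/openbsd-${REL}-base.pub" \
        -x SHA256.sig $(expected_files) )
}

# Full check: succeeds only if nothing is missing and signify accepts every file.
preflight() {
    m=$(missing_files "$1")
    if [ -n "$m" ]; then
        echo "missing or empty:" $m >&2
        return 1
    fi
    verify_files "$1"
}
```

A truncated download shows up as a checksum failure from signify rather than as a half-extracted set on a live system.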

Now, you are about TO DO SOMETHING DANGEROUS to your system so don’t blame me if it goes awry. The sequence is critical because you need to preserve an “old kernel” reboot command and only update the “base” install last. Otherwise you will get into a situation where you have the wrong userland files for the kernel you are running and things will get messy. So, here goes everything in the correct sequence:

# ln -f /bsd /obsd && cp bsd.mp /nbsd && mv /nbsd /bsd
# cp bsd.rd /
# cp bsd /bsd.sp
# sha256 -h /var/db/kernel.SHA256 /bsd
# cp /sbin/reboot /sbin/oreboot
# tar -C / -zxphf xshare68.tgz
# tar -C / -zxphf xserv68.tgz
# tar -C / -zxphf xfont68.tgz
# tar -C / -zxphf xbase68.tgz
# tar -C / -zxphf man68.tgz
# tar -C / -zxphf game68.tgz
# tar -C / -zxphf comp68.tgz
# tar -C / -zxphf base68.tgz

I then comment out all of my cool stuff in /etc/rc.conf.local and reboot using the old reboot command:

# /sbin/oreboot

You then need to update some other things as root:

# cd /dev
# ./MAKEDEV all
# installboot sd1
# sysmerge
# fw_update

I typically reboot (just to be safe) and then log in as root and update my packages:

# pkg_add -u

Finally, remove the old reboot command:

# rm /sbin/oreboot

Uncomment all of the cool stuff in your /etc/rc.conf.local and reboot. At this point you should be AOK and running the new kernel, userland and packages from the release version!

If you get stuck somewhere along the way, remember you can boot into single-user mode with:

boot> boot -s

You can then manually mount your filesystem and poke around to see what you need to fix. This should serve to reinforce why having physical possession of a machine trumps most of your security preparations and also reinforce the need to run full-disk encryption (if you aren’t already).

I hope you found this post helpful!

6 thoughts on “Quick and Dirty OpenBSD Version Upgrade on a Running System”

  1. Did you know that OpenBSD has a wonderful tool for this, called sysupgrade? First run syspatch, then sysupgrade and you are good to go!

    Updating the packages is of course still required.
