Saga of an OpenBSD Upgrade - 2.7 to 3.0
Because with Remote Upgrades, slip o' the finger means Road Trip!
This document chronicles the remote upgrade of an OpenBSD firewall box from 2.7 to 3.0.
Major changes from 2.7 to 3.0
This list was compiled by reviewing the upgrade minifaq and my list of detailed /etc changes.
If you're reading this, you'll realize it's quite a bit out of date. You might want to go check out Paul Pruett's upgrade tips.
- New users: proxy, smmsp, popa3d
- New groups: auth, proxy, smmsp, popa3d
- root now part of group daemon
- Console changes to wscons
- ipf replaced with pf, meaning firewall rules must be rewritten
- sendmail is no longer suid root. Its initialization mechanism is now quite different
- uucp removed
- New login.conf mechanism, largely replaces passwd.conf
- Long (31-character) user and group names now permitted
- KerberosV added
- Audio Device naming has changed in some cases
- Additions to /etc/services and /etc/protocols
General Upgrade Steps
- Using some of the unallocated space on the drive, configure an /upgrade partition to hold the backups and upgrade files. (The rest of this document assumes that /upgrade exists.) This is a good reason to always leave unallocated space when partitioning. For reference, here's my disk layout:
Filesystem  512-blocks     Used    Avail Capacity  Mounted on
/dev/wd0a       126334    37840    82178      32%  /
/dev/wd0d       253342        2   240674       0%  /tmp
/dev/wd0e       594878     8802   556334       2%  /var
/dev/wd0f      2974554   945728  1880100      33%  /usr
/dev/wd0h       395902    17372   358736       5%  /home
/dev/wd0i      3965416        0  3965416       0%  /upgrade
- Back up the entire system:
# tar Xcvzf /upgrade/backup-YYMMDD.tgz / /usr /var
This leaves /home and /tmp untouched, assuming they are on separate mount points.
In hindsight, /usr/src and /usr/obj should be on separate mount points too, as there's little need to back them up.
- Archive the old ipf rules and switch to a permissive ruleset (pass all in, pass all out), just in case.
# cp /etc/ipf.rules /etc/ipf.backup
# cp /etc/ipnat.rules /etc/ipnat.backup
(create permissive ipf.rules, empty ipnat.rules)
# ipf -Fa -f /etc/ipf.rules
- FTP the latest distfiles:
$ ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.0/i386/base30.tgz
$ ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.0/i386/comp30.tgz
$ ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.0/i386/man30.tgz
$ ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.0/i386/bsd
- Fetch the reference (2.7) and latest (3.0) /etc files:
$ ftp ftp://ftp.openbsd.org/pub/OpenBSD/2.7/i386/etc27.tgz
$ ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.0/i386/etc31.tgz
- Fetch the latest mtree and MAKEDEV files:
$ export CVS_RSH=/usr/bin/ssh
$ cvs -d anoncvs@anoncvs.ca.openbsd.org:/cvs get -d dev src/etc/etc.i386/MAKEDEV
$ cvs -d anoncvs@anoncvs.ca.openbsd.org:/cvs get -d mtree src/etc/mtree
- Unpack the reference 2.7 /etc to a temporary location (say, /tmp/etc27). Compare your /etc files with the reference ones and save the differences to a file. Note: make sure you are root for the comparison.
# cd /tmp
# tar xvzf etc27.tgz ./etc
# mv etc etc27
# diff -r -u etc27 /etc >etc-changes.diff
To make upgrades easier next time, move all rc.conf changes to rc.conf.local as you go.
Unpack the 3.1 /etc files to a third location (/tmp/etc31) and reapply all the local changes.
Make sure the files are all root owned (or have the correct permissions, at least).
- Copy the new kernel into place:
# cp /bsd /bsd.old
# cp bsd /bsd
- Un-tar the new files:
# cd /
# tar xvzpf wherever/base31.tgz
# tar xvzpf wherever/comp31.tgz
# tar xvzpf wherever/man31.tgz
- Create the new devices:
# cp upgrade/dev/MAKEDEV /dev
# cd /dev
# ./MAKEDEV all
- Drop this new /etc directory into place.
Note: This can be tricky, as there is a chance you will make a mistake, and be stuck without a password file. Keep a root shell open during this step to head off potential disaster.
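Before doing the swap, it is worth checking that the staged tree will actually let you log back in. The script below is an added example, not part of the original page; it also covers the earlier "make sure the files are all root owned" step. The list of must-have files is a minimum I chose, not the full contents of the etc tarball, and the optional OWNER argument (default root) is there so the check can be run on a tree unpacked by an ordinary user.

```sh
#!/bin/sh
# Preflight check for a staged /etc tree before it replaces the live /etc.
# Added example, not from the original page. Assumptions: the staged tree
# is a complete /etc as unpacked from the etc tarball plus local changes,
# and the list of must-have files below is a minimum, not the full set.

# etc_preflight DIR [OWNER]
#   DIR    staged /etc, e.g. /tmp/etc31
#   OWNER  user every entry must belong to (default: root)
# Prints one line per problem and returns the number of problems found,
# so a zero exit status means "safe to move into place".
etc_preflight() {
    dir=$1
    owner=${2:-root}
    problems=0

    # 1. Files without which the box cannot boot or let you log in again.
    for f in master.passwd group login.conf rc rc.conf; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            problems=$((problems + 1))
        fi
    done

    if [ -f "$dir/master.passwd" ]; then
        # 2. A root entry with uid 0 and all ten fields, or su/login after
        #    the reboot will fail and the road trip begins.
        if ! awk -F: '$1 == "root" && $3 == 0 && NF == 10 { ok = 1 }
                      END { exit !ok }' "$dir/master.passwd"; then
            echo "BAD: no usable root entry in $dir/master.passwd"
            problems=$((problems + 1))
        fi
        # 3. master.passwd carries the password hashes: no group/other read.
        if [ -n "$(find "$dir/master.passwd" \( -perm -040 -o -perm -004 \))" ]; then
            echo "BAD: $dir/master.passwd is readable by group or others"
            problems=$((problems + 1))
        fi
    fi

    # 4. su(1) needs group wheel with gid 0.
    if [ -f "$dir/group" ] && \
       ! awk -F: '$1 == "wheel" && $3 == 0 { ok = 1 } END { exit !ok }' "$dir/group"; then
        echo "BAD: no wheel group with gid 0 in $dir/group"
        problems=$((problems + 1))
    fi

    # 5. Everything must belong to OWNER (files edited as an ordinary user
    #    while reapplying local changes are the usual culprit) ...
    n=$(find "$dir" ! -user "$owner" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "OWNER: $n entries under $dir not owned by $owner"
        problems=$((problems + n))
    fi
    # 6. ... and nothing may be world-writable.
    n=$(find "$dir" -type f -perm -002 | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "PERM: $n world-writable files under $dir"
        problems=$((problems + n))
    fi

    # Exit statuses wrap at 256; keep a large count from wrapping to 0.
    [ "$problems" -gt 255 ] && problems=255
    return "$problems"
}

# Run directly as:  sh etc_preflight.sh /tmp/etc31
if [ $# -gt 0 ]; then
    etc_preflight "$@"
fi
```

Run it as root against the staged directory and only proceed to the mv when it prints nothing and exits 0; a non-zero status tells you how many problems it found, and each one is listed with the file it concerns.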
# cd /
# cp -rp /etc /etc.27
# mv /tmp/etc31 /etc.new
(staging the new tree on the root filesystem first means the swap itself is two quick renames; moving onto the existing /etc would only create /etc/etc31)
# mv /etc /etc.old && mv /etc.new /etc
- Verify your file layout is correct:
# cd /upgrade/mtree
# install -c -o root -g wheel -m 444 4.4BSD.dist /etc/mtree
# mtree -qdef /etc/mtree/4.4BSD.dist -p /
- Reboot, and cross your fingers.
If all goes well, the remote machine will now be happily running 3.1. Of course, if you're using the box as a firewall, you'll have to drop in your new firewall ruleset at this point. Migrating IPF rules to PF, thankfully, is a subject for another day.