From Segfault
Jump to: navigation, search





The FQDN is set in /etc/myname:

$ cat /etc/myname


A dynamic network configuration[1] may look as simple as:

$ cat /etc/hostname.gem0                                                                                                                                                 


For wireless connections[2], the setup is similar:

$ cat /etc/hostname.bwi0
nwid "Guest WLAN"
wpakey "s3cr3t"
# down                                                         # Don't automatically start this interface.

Because the network key is stored in this file, we should adjust the permissions accordingly:

$ ls -l /etc/hostname.bwi0                                                                                                                                               
-rw-r-----  1 root  wheel  61 Jun 28 16:26 /etc/hostname.bwi0

Start the interface:

$ sh /etc/netstart bwi0
WARNING: /etc/hostname.bwi0 is insecure, fixing permissions
DHCPDISCOVER on bwi0 - interval 1
DHCPDISCOVER on bwi0 - interval 2
DHCPDISCOVER on bwi0 - interval 4
DHCPOFFER from (aa:bb:cc:dd:ee:22)
DHCPREQUEST on bwi0 to
DHCPACK from (aa:bb:cc:dd:ee:22)
bound to -- renewal in 21600 seconds.

This is how it may look like once connectd:

$ ifconfig bwi0 media    
       lladdr 00:11:22:33:44:55
       index 1 priority 4 llprio 3
       groups: wlan
       media: IEEE802.11 autoselect (OFDM36 mode 11g)
       status: active
       ieee80211: nwid Guest WLAN chan 11 bssid aa:bb:cc:dd:ee:22 -44dBm wpakey 0xc7a428d85... \
                           wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp
       supported media:
               media autoselect
               media autoselect mediaopt monitor
               media autoselect mode 11b
               media autoselect mode 11b mediaopt monitor
               media autoselect mode 11g
               media autoselect mode 11g mediaopt monitor
       inet netmask 0xffffff00 broadcast


For a static network configuration[1], use something like this:

$ cat /etc/hostname.em0
!/sbin/route add default

$ grep ^name /etc/resolv.conf


OpenBSD ships with pdksh[3][4], which is already pretty neat (tab completion, history, incremental search-history), let's use all that:

$ tail -1 .profile                                                                                                                                                       
export ENV=$HOME/.kshrc

$ grep -v ^\# .kshrc
export PS1="$USER@$(hostname -s)# "
export HISTFILE=$HOME/.history
export HISTSIZE=10000


We're using a virtual filesystem[5] for /tmp:

$ cat /etc/fstab
/dev/sd0a  /      ffs    rw,softdep,noatime           1 1
swap       /tmp   mfs    rw,nosuid,nodev,-s=262144    0 0
# swap     /tmp   tmpfs  rw,-s128M,-m1777             0 0
# proc     /proc  procfs rw,nosuid,nodev,noexec,linux 0 0
nfs0:/home /home  nfs    rw,nosuid,nodev              0 0


  • tmpfs has been disabled with OpenBSD 6.0[6][7] because it is no longer maintained.
  • procfs has been removed with OpenBSD 5.7[8]
  • Encrypted swap is enabled by default since OpenBSD 3.8[9] and vm.swapencrypt.enable is set to 1 by default.


Instead of sudo, OpenBSD uses doas now[10][11] to elevate user privileges.

Example doas.conf:

$ cat /etc/doas.conf
permit keepenv persist dummy as root
permit keepenv persist :wheel
$ id; doas id
uid=1000(dummy) gid=1000(dummy) groups=1000(dummy), 9(wsrc), 21(wobj)
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)


The ports system[12] holds packages that are not included in the base installation. Both binary and source packages are available.


With installurl set during installation, we will be able to install packages right away, w/o setting PKG_PATH[13] explicitly:

pkg_add bash bzip2 cvsync git iftop pv rsync vim vnstat xz

Enable and start vnstat:

rcctl enable vnstatd && rcctl start vnstatd

Adjust vnstat.conf to point to the correct network interface when called interactively:

$ grep ^Int /etc/vnstat.conf
Interface "gem0"

If the ports tree[12] is installed, we can install packages too:

$ cd /usr/ports/games/cowsay
$ make build
Fatal: building ports requires correctly installed X11 (in games/cowsay)
Fatal: /usr/local/lib/X11/app-defaults should exist and be a symlink
*** Error 1 in /usr/ports/games/cowsay (/usr/ports/infrastructure/mk/ '.BEGIN': @exit 1)

Uh, oh - for some reason we need X11 installed to build (command line) packages?[14] Let's fix that:

doas mkdir -p /usr/X11R6/man && doas touch /usr/X11R6/man/mandoc.db
doas mkdir -p /usr/local/lib/X11 && doas ln -s /tmp /usr/local/lib/X11/app-defaults

And try again:

$ make build
$ doas make install
$ sha256 $(which cowsay) | cowsay 
/ SHA256 (/usr/local/bin/cowsay) =        \
| 75aee1ca97b479fa1afb3b9f9d90c1f70ef9f0f |
\ 0402a7e2d91b90629a49d758b               /
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||



Binary updates can be applied via syspatch on some architectures:

$ doas syspatch
Get/Verify syspatch63-011_perl.tgz 100% |*************************************|  4922 KB    00:03
Installing patch 011_perl
Relinking to create unique kernel... done.
   1m31.20s real     0m22.25s user     0m09.33s system
$ ls -hgo /var/syspatch/63-011_perl
total 52
-r--r--r--  1 bin    -  1.9K Jun 21 02:01 011_perl.patch.sig
-rw-r--r--  1 wheel  - 22.8K Jul 18 15:00 rollback.tgz



Before updating, we'll need the source sets:

Tarball CVS CVS size Git Git size
src.tar.gz userland ~1000 MB src.git 2000 MB
sys.tar.gz kernel ~100 MB included in the src Git tree -
ports.tar.gz ports ~450 MB ports.git ~650 MB
xenocara.tar.gz X11 ? MB xenocara.git 950 MB

Retrieving the source packages from one of the mirror servers[15] can be done as a mere user[16], given that all permissions are set correctly:

$ ls -ld /usr/{obj,ports,src{,/sys}}
drwxrwx---   2 build  wobj   512 Jun 28 02:22 /usr/obj
drwxrwxr-x  47 root   wsrc  1024 Jun 28 03:27 /usr/ports
drwxrwxr-x  17 root   wsrc   512 Jun 28 03:42 /usr/src
drwxr-xr-x  26 dummy  wsrc  1024 Jun 28 03:41 /usr/src/sys

$ id
uid=1000(dummy) gid=1000(dummy) groups=1000(dummy), 9(wsrc), 21(wobj)


Fetch the source packages from a mirror server:

MIRROR=$(uname -r)/
ftp $MIRROR/{ports,src,sys,xenocara}.tar.gz 
ftp $MIRROR/SHA256{,.sig}


signify -C -p /etc/signify/openbsd-$(uname -r | tr -d .) -x SHA256.sig *tar.gz
sha256 -C SHA256 *tar.gz


cd /usr/src
tar -xzf ~/src.tar.gz
tar -xzf ~/sys.tar.gz

cd ../                                                                       # We should be in /usr now.
tar -xzf ~/ports.tar.gz
tar -xzf ~/xenocara.tar.gz                                                   # If X11 is needed.


Use CVS to checkout the sources from a nearby mirror[17]

REL=$(uname -r | tr . _)                                                                          # Make the release name match the CVS tag                                                     # Use a nearby mirror!

cd /usr
cvs -qd $CVSROOT get -rOPENBSD_${REL} -P src                           # ~?? minutes
cvs -qd $CVSROOT get -rOPENBSD_${REL} -P ports                         # ~?? minutes
cvs -qd $CVSROOT get -rOPENBSD_${REL} -P xenocara                      # ~?? minutes

If the tree has already been checked out (via CVS or via tarball), use the following to update the local copy (of both src and src/sys):

cd /usr/src
cvs -qd $CVSROOT up  -rOPENBSD_${REL}                                  #  ~7 minutes

The same for the ports tree:

cd /usr/ports
cvs -qd $CVSROOT up  -rOPENBSD_${REL}                                  # ~15 minutes

And X11:

cd /usr/xenocara
cvs -qd $CVSROOT up  -rOPENBSD_${REL}                                  # ~15 minutes


Apparently, CVS trees can be synchronized with CVSync. Let's look at the available repositories first:

$ cvsync cvsync://
Connecting to port 7777
Connected to port 7777
Name: openbsd, Release: rcs
 Comment: OpenBSD CVS Repository
Name: openbsd-cvsroot, Release: rcs
Name: openbsd-ports, Release: rcs
Name: openbsd-src, Release: rcs
Name: openbsd-www, Release: rcs
Name: openbsd-xenocara, Release: rcs
Finished successfully

We're just interested in openbsd-src for now:

$ cat /etc/cvsync_openbsd.conf
config {
       base-prefix /cvs

       collection {
               name openbsd-src release rcs
               umask 002

The initial sync took well over 3 hours to complete, but successive runs tend to complete in a few minutes, much less than updating with plain cvs.

TODO: the result is unusable though, as important files are NOT fetched:

$ find /cvs/src/sys/arch/$(machine)/compile/             


There's also a Git repository, mirroring OpenBSD's official CVS trees:

git clone     src-git                     # ~30 minutes
git clone ports-git                     #  ~8 minutes


Now that our sources have been updated, let's start by rebuilding the kernel:[18]

cd /sys/arch/$(machine)/compile/GENERIC.MP                                   # Use GENERIC for uniprocessor systems
make obj && make config
make                                                                         # ~40 minutes

We can also build a custom[19] kernel:

cd /sys/arch/$(machine)/conf

Edit CUSTOM, then:

config CUSTOM
cd ../compile/CUSTOM

Let's see what we have built:

$ ls -lhtr /usr/obj/sys/arch/$(machine)/compile/*/bsd /bsd*
-rw-r--r--  1 root   wheel   7.6M Jun 28 02:21 /bsd
-rw-r--r--  1 root   wheel   8.2M Jun 28 02:21 /bsd.rd
-rwxr-xr-x  1 dummy  wobj    7.6M Jun 28 18:47 /usr/obj/sys/arch/macppc/compile/GENERIC/bsd

$ sysctl -n kern.version                    
OpenBSD 6.1 (GENERIC) #4: Sat Apr  1 16:06:17 MDT 2017

$ echo exit | config -o /dev/null -e /usr/obj/sys/arch/$(machine)/compile/GENERIC/bsd 
OpenBSD 6.1-stable (GENERIC) #0: Wed Jun 28 18:47:32 PDT 2017
Enter 'help' for information
ukc> exit

Install the new kernel:

doas make install                                                            # The current kernel will copied to /obsd
doas reboot


With the new kernel running, we'll rebuild the userland:[20]

rm -rf /usr/obj/*                                                            # Only needed on the first build
cd /usr/src 
make obj
doas make -j$(sysctl -n hw.ncpu) build                                       # ~4 hours
                                                                             # FIXME - is there a way to build as a normal user?

Update /etc, /var and /dev:

doas sysmerge 
cd /dev && doas ./MAKEDEV all

Now that everything has been rebuilt, we can reboot:

doas shutdown -r now


Technically, xenocara is userland too, but we shall build it independently:

cd /usr/xenocara 
doas make bootstrap 
make obj
doas make -j$(sysctl -n hw.ncpu) build



With installurl set during installation, setting setting PKG_PATH[21] to a nearby mirror[15] may be omitted:

export PKG_PATH=$(uname -r)/packages/$(machine)/

Install a package:

doas pkg_add -r rsync                                                        # -r Replace existing packages

Update all installed packages:

doas pkg_add -Uuv                                                            # -U Update dependencies
                                                                             # -u Update all installed packages
                                                                             # -v Verbose


According to the FAQ[22], binary packages for -release and -stable are not updated and we have to manually pull for updates. Either update the whole tree or update only specific packages and reinstall the package:

cd /usr/ports/games/cowsay
cvs -d up  -rOPENBSD_6_1

doas make reinstall


Upgrading from one release to another is described in OpenBSD Upgrade Guide (pick your correct upgrade path!) and is only supported from one release to the release immediately following it - skipping releases is not supported.

Install media

This is the recommended method for system upgrades. Boot from the install media, then choose Upgrade, not Install. You can also fetch the distributions sets and upgrade as described in the Installation Guide

One could also boot the new installation kernel from disk:

$ uname -r

$ ftp$(machine)/{bsd.rd,SHA256.sig}
$ signify -C -p /etc/signify/ -x SHA256.sig bsd.rd              # Verify[23] the signature
Signature Verified
bsd.rd: OK

$ sha256 -C SHA256.sig bsd.rd
(SHA256) bsd.rd: OK

Install to the root disk:

doas mv bsd.rd /bsd.rd

Reboot, then boot with:

> boot /bsd.rd

...and choose Upgrade. Select http to upgrade over the network, be sure to choose a nearby mirror server[15] that holds the desired target release.

After the sets have been selected and installed, the machine should be rebooted and sysmerge(8) should be run to update the configuration:

$ doas sysmerge
===> Output log available at /var/tmp/sysmerge.tmp/sysmerge.log

$ doas cat /var/tmp/sysmerge.tmp/sysmerge.log  
===> Automatically installed file(s)

===> Manually merged/installed file(s)

===> Backup of replaced file(s) can be found under

Reboot once again and see if the system comes up again :-)

In-place upgrade

While not recommended, the system can also be upgraded w/o installing a newer kernel first.

$ uname -r

$ ftp$(machine)/ 
ftp> mget SHA256.sig bsd.rd base58.tgz comp58.tgz man58.tgz

Note: choose a nearby mirror[15]!

Verify[23] the packages:

$ signify -C -p /etc/signify/ -x SHA256.sig bsd* *.tgz
Signature Verified
base58.tgz: OK OK
bsd.rd: OK
comp58.tgz: OK
man58.tgz: OK

Install the kernel (as root):

doas mv /bsd /obsd && doas mv /bsd && doas mv bsd.rd /

Save the reboot binary:

doas cp /sbin/reboot /sbin/oreboot

Install the distribution sets (as root):

tar -C / -vxzphf comp58.tgz                   # -h follow symbolic links
                                              # -p preserve ownership & permissions
tar -C / -vxzphf man58.tgz
tar -C / -vxzphf base58.tgz                   # Extract last!

Reboot the system, possibly engaging /sbin/oreboot at that point. After the reboot, finish the installation with:

cd /dev && doas ./MAKEDEV all
doas installboot -v wd0                   # Or sd0 or whatever the boot disk is called.

We still have to run sysmerge(8) to update the system's configuration:

script ~/upgrade.log
doas sysmerge

Reboot once again and see if the system comes up again :-)