Difference between revisions of "Update"

From securityrouter.org, an OpenBSD-based firewall
Jump to: navigation, search
Line 1: Line 1:
Software update is an important part of maintaining high security in your network. Updates are released on regular basis with no strict schedule to allow fast updates when possible threats arise. Updates are complete system images that are downloaded by the "recovery firmware" directly to the (normally read-only) system disk (CF, USB, etc) from our update servers (account for an estimate download size of 100MB). The advantage of "complete system image" updates (that overwrites the entire system disk) is that every appliance is known to be exactly identical.
+
Software update is an important part of maintaining high security in your network. Update packages are released some time after a OpenBSD major release (X.X) and are complete system images that are downloaded by the "recovery firmware" directly to the (normally read-only) system disk (CF, USB, etc). The advantage of "complete system image" updates (that overwrites the entire system disk) is that every system is known to be exactly identical after an update, and the drawback is that any modifications such as installed packages, need to be re-installed.
 
 
All that is necessary to update is a working Internet connection, and the process typically takes 5-10 minutes depending on internet connection speed and update method.
 
 
 
== Before you update ==
 
I practice, performing an update is no more complicated than pressing a button in the web administration, and waiting. However, in order to be prepared for the unexpected, following the guidelines below are recommended (in case something breaks).
 
 
 
* Make an external backup (export; copy-paste for example) of your configuration before updating
 
* Dedicate a possible maintenance window of at least an hour, even though the process typically takes 5 minutes
 
* If you're running in a virtualised environment, take a snapshot of the machine, and merge the snapshot after verifying that it works
 
* Be prepared to access the video/[[serial console]] in case of failure
 
  
 
== OpenBSD updates ==
 
== OpenBSD updates ==
Line 44: Line 34:
 
=== Streaming update ===
 
=== Streaming update ===
 
If you're unable to use the normal (cached) update method, you can perform a ''streaming'' update. The system will reboot to the "recovery firmware" partition, erase the system partition (leaving the configuration partition intact), downloading and writing the image to the system partition while verifying its SHA256 checksum, and finally rebooting back to the newly created system partition when done, resuming normal operations.
 
If you're unable to use the normal (cached) update method, you can perform a ''streaming'' update. The system will reboot to the "recovery firmware" partition, erase the system partition (leaving the configuration partition intact), downloading and writing the image to the system partition while verifying its SHA256 checksum, and finally rebooting back to the newly created system partition when done, resuming normal operations.
 +
 +
== General recommendations ==
 +
In order to be prepared for the unexpected, following the guidelines below are recommended (in case something breaks).
 +
 +
* Make an external backup (export; copy-paste for example) of your configuration before updating
 +
* Dedicate a possible maintenance window of at least an hour, even though the process typically takes 5 minutes
 +
* If you're running in a virtualised environment, take a snapshot of the machine, and merge the snapshot after verifying that it works
 +
* Be prepared to access the video/[[serial console]] in case of failure

Revision as of 14:45, 29 March 2018

Software update is an important part of maintaining high security in your network. Update packages are released some time after a OpenBSD major release (X.X) and are complete system images that are downloaded by the "recovery firmware" directly to the (normally read-only) system disk (CF, USB, etc). The advantage of "complete system image" updates (that overwrites the entire system disk) is that every system is known to be exactly identical after an update, and the drawback is that any modifications such as installed packages, need to be re-installed.

OpenBSD updates

To update the OpenBSD system, use syspatch:

  1. Login as root (by enabling root access)
  2. If the root partition is less than 1 GB, grow the system partition
  3. If the /tmp partition is less than 400 MB, run mkdir -p /tmp2 && export TMPDIR=/tmp2
  4. Run
    • /usr/libexec/reorder_kernel && syspatch
    • reboot

SR package updates

There are two types of software update methods for the SR (securityrouter.org) distribution; cached and streaming. There are three ways of initialising an update.

  • From the web administration's System > Software update page
  • On boot, by pressing "f" (generally any key) when prompted, and then in the recovery OS console type "update" and follow the instructions
  • From the CLI using the syntax:
Syntax Example
software-update storage software-update storage
software-update stream interface dhcp-client software-update em0 dhcp-client
software-update stream interface address gateway dns software-update em0 1.2.3.4/24 1.2.3.1 8.8.8.8

Standard (cached) update

If your system disk (CompactFlash, USB stick or virtual disk) is at least 1 GB, or you've attached a storage (USB or virtual) disk, it's possible to pre-download the system image before booting into the recovery OS. This is the recommended update method, especially for setups that use eg. PPPoE or other connection methods which are not available in the recovery OS.

Streaming update

If you're unable to use the normal (cached) update method, you can perform a streaming update. The system will reboot to the "recovery firmware" partition, erase the system partition (leaving the configuration partition intact), downloading and writing the image to the system partition while verifying its SHA256 checksum, and finally rebooting back to the newly created system partition when done, resuming normal operations.

General recommendations

In order to be prepared for the unexpected, following the guidelines below are recommended (in case something breaks).

  • Make an external backup (export; copy-paste for example) of your configuration before updating
  • Dedicate a possible maintenance window of at least an hour, even though the process typically takes 5 minutes
  • If you're running in a virtualised environment, take a snapshot of the machine, and merge the snapshot after verifying that it works
  • Be prepared to access the video/serial console in case of failure