From securityrouter.org, an OpenBSD-based firewall
Revision as of 14:45, 29 March 2018 by Anders (talk | contribs)
Jump to: navigation, search

Software update is an important part of maintaining high security in your network. Update packages are released some time after a OpenBSD major release (X.X) and are complete system images that are downloaded by the "recovery firmware" directly to the (normally read-only) system disk (CF, USB, etc). The advantage of "complete system image" updates (that overwrites the entire system disk) is that every system is known to be exactly identical after an update, and the drawback is that any modifications such as installed packages, need to be re-installed.

OpenBSD updates

To update the OpenBSD system, use syspatch:

  1. Login as root (by enabling root access)
  2. If the root partition is less than 1 GB, grow the system partition
  3. If the /tmp partition is less than 400 MB, run mkdir -p /tmp2 && export TMPDIR=/tmp2
  4. Run
    • /usr/libexec/reorder_kernel && syspatch
    • reboot

SR package updates

There are two types of software update methods for the SR (securityrouter.org) distribution; cached and streaming. There are three ways of initialising an update.

  • From the web administration's System > Software update page
  • On boot, by pressing "f" (generally any key) when prompted, and then in the recovery OS console type "update" and follow the instructions
  • From the CLI using the syntax:
Syntax Example
software-update storage software-update storage
software-update stream interface dhcp-client software-update em0 dhcp-client
software-update stream interface address gateway dns software-update em0

Standard (cached) update

If your system disk (CompactFlash, USB stick or virtual disk) is at least 1 GB, or you've attached a storage (USB or virtual) disk, it's possible to pre-download the system image before booting into the recovery OS. This is the recommended update method, especially for setups that use eg. PPPoE or other connection methods which are not available in the recovery OS.

Streaming update

If you're unable to use the normal (cached) update method, you can perform a streaming update. The system will reboot to the "recovery firmware" partition, erase the system partition (leaving the configuration partition intact), downloading and writing the image to the system partition while verifying its SHA256 checksum, and finally rebooting back to the newly created system partition when done, resuming normal operations.

General recommendations

In order to be prepared for the unexpected, following the guidelines below are recommended (in case something breaks).

  • Make an external backup (export; copy-paste for example) of your configuration before updating
  • Dedicate a possible maintenance window of at least an hour, even though the process typically takes 5 minutes
  • If you're running in a virtualised environment, take a snapshot of the machine, and merge the snapshot after verifying that it works
  • Be prepared to access the video/serial console in case of failure