Software updates are an important part of maintaining high security in your network. Update packages are released some time after each major OpenBSD release (X.X). They are complete system images that the "recovery firmware" downloads directly to the (normally read-only) system disk (CF, USB, etc.). The advantage of "complete system image" updates, which overwrite the entire system disk, is that every system is known to be exactly identical after an update. The drawback is that any modifications, such as installed packages, need to be re-installed.
To update the OpenBSD system, use syspatch:
- Log in as root (by enabling root access)
- If the root partition is less than 1 GB, grow the system partition
- If the /tmp partition is less than 400 MB, run mkdir -p /tmp2 && export TMPDIR=/tmp2
- mount -uw /
- /usr/libexec/reorder_kernel && echo success (only needed once)
Security router package updates
There are two software update methods for the "security router" distribution: cached and streaming. There are three ways of initialising an update:
- From the web administration's System > Software update page
- On boot, by pressing "f" (generally any key) when prompted, and then in the recovery OS console type "update" and follow the instructions
- From the CLI using the syntax:
| Syntax | Example |
|---|---|
| software-update storage | software-update storage |
| software-update stream interface dhcp-client | software-update em0 dhcp-client |
| software-update stream interface address gateway dns | software-update em0 188.8.131.52/24 184.108.40.206 220.127.116.11 |
Standard (cached) update
If your system disk (CompactFlash, USB stick or virtual disk) is at least 1 GB, or you've attached a storage disk (USB or virtual), it's possible to pre-download the system image before booting into the recovery OS. This is the recommended update method, especially for setups that use e.g. PPPoE or other connection methods which are not available in the recovery OS.
If you're unable to use the normal (cached) update method, you can perform a streaming update. The system will reboot to the "recovery firmware" partition, erase the system partition (leaving the configuration partition intact), download and write the image to the system partition while verifying its SHA256 checksum, and finally reboot back to the newly created system partition when done, resuming normal operations.
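The two methods differ in when the SHA256 result becomes available relative to the write. The sketch below is an added example, not the distribution's updater: the function names, the in-memory buffers standing in for the system partition, and the sample image are all constructed for illustration.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # read size; an arbitrary choice for this sketch


def streaming_update(source, target, expected_sha256):
    """Write source to target chunk by chunk while hashing; True if it matches."""
    # The digest is complete only after the last chunk is written, so a
    # mismatch is detected after the target has already been overwritten.
    digest = hashlib.sha256()
    target.seek(0)
    target.truncate()  # stands in for erasing the system partition
    for chunk in iter(lambda: source.read(CHUNK), b""):
        digest.update(chunk)
        target.write(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_sha256.lower())


def cached_update(cached_image, target, expected_sha256):
    """Verify a pre-downloaded image first, and write it only if it matches."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: cached_image.read(CHUNK), b""):
        digest.update(chunk)
    if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
        return False  # target is left untouched
    cached_image.seek(0)
    return streaming_update(cached_image, target, expected_sha256)


def demo():
    """Run both methods against a constructed image and a corrupted copy."""
    good = b"constructed system image " * 10000   # sample data, not a real image
    bad = good[:-1] + b"X"                         # one byte damaged in transit
    expected = hashlib.sha256(good).hexdigest()
    old = b"previous system"
    results = {}
    for name, update in (("streaming", streaming_update), ("cached", cached_update)):
        for label, image in (("good", good), ("bad", bad)):
            target = io.BytesIO(old)
            ok = update(io.BytesIO(image), target, expected)
            results[name, label] = (ok, target.getvalue() == old)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Each result is a pair (checksum matched, old system still intact). Only the cached path with a damaged image reports the old contents intact, because the streaming pattern cannot know the digest until it has already written the data.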
To be prepared for the unexpected (in case something breaks), following the guidelines below is recommended.
- Make an external backup (export; copy-paste for example) of your configuration before updating
- Dedicate a possible maintenance window of at least an hour, even though the process typically takes 5 minutes
- If you're running in a virtualised environment, take a snapshot of the machine, and merge the snapshot after verifying that it works
- Be prepared to access the video/serial console in case of failure