DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 8th September 2015
Peter_APIIT Peter_APIIT is offline
Shell Scout
 
Join Date: Jun 2008
Posts: 121
Default OpenBSD 5.7 Update Process

Hello to all,

I had been urged by jggmi to update my OpenBSD 5.7 release to OpenBSD 5.7 stable.

Thus, I'm open up this thread to discuss the how-to on update process. I'm hope some experience users can share their experiences.

Update Steps:

1. Get Source Code from AnonCVS Server
Code:
cd /usr
cvs -qd anoncvs@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_7 -p src
Answer yes to accept the SSL certificates

Update source tree:
Code:
cd /usr/src
cvs -q up -rOPENBSD_5_7 -Pd
2. Rebuild Kernel
Code:
cd /usr/src/sys/arch/i386/conf
/usr/sbin/config GENERIC
cd /usr/src/sys/arch/i386/compile/GENERIC
make clean && make
3. Reboot the new kernel
Code:
cd /usr/src/sys/arch/i386/compile/GENERIC
make install 
reboot
4. Rebuild System binaries
Code:
rm -rf /usr/obj/*
cd /usr/src
make obj
cd /usr/src/etc && env DESTDIR =/ make distrib-dirs
cd /usr/src/
make build
Questions:
1. What is the System binary and when need to build system binaries?
2. AFAIK, kernel, packages and system binary must be in sync. After update to stable, is it fine to continue install from packages?
3. In which steps, I can backup my old kernel?
4. Is it mandatory to get the source code for Ports?

Please share some thought. Thanks.
Reply With Quote
  #2   (View Single Post)  
Old 8th September 2015
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 628
Default

My understanding, but I am not OpenBSD expert. Read my comments, but wait for others to comment.

1.
It is not cvs over SSL/TLS used in fetching source code. It is cvs over SSH.

I don't know if this cvs server is mirror or master cvs server. If it is master, try using mirror.

2. It depends on arch you are using. If you are using amd64, change accordingly yours commands.

Questions:
2. If it is from release to stable (the same version) : Yes.
3. At the beginning before any other commands.
Code:
cp /bsd /bsd.originalBackup
cp /bsd.mp /bsd.mp.originalBackup
4. No.
Reply With Quote
  #3   (View Single Post)  
Old 8th September 2015
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by Peter_APIIT View Post
I had been urged by jggmi to update my OpenBSD 5.7 release to OpenBSD 5.7 stable.
While I am not jggimi, this is not what was said in the following thread:

http://daemonforums.org/showthread.p...hlight=patches

What he advocated was simply to patch OpenBSD-release. This can be done in two ways:
  • Apply relevant patches found on the project's errata page to 5.7-release, or...
  • optionally, upgrade from 5.7-release to 5.7-stable.
The differences are as follows:
  • Selectively patching -release simply means that only those patches which are important to your particular environment are applied to a -release installation.
  • If all publicly released patches are applied to -release, this will approximate -stable, but the two are not equal.
The relationship between a fully patched version of -release & -stable is:
-release + applying all patches < -stable
The additional content of -stable over a fully patched version of -release consists of changes which have no security implications. Frequently, these changes are merely cosmetic.

Stating that patching requires moving from -release to -stable is not correct, & it is important to future readers that this is clarified.

Last edited by ocicat; 8th September 2015 at 03:58 PM. Reason: clarity
Reply With Quote
  #4   (View Single Post)  
Old 8th September 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by Peter_APIIT View Post
I had been urged by jggmi to update my OpenBSD 5.7 release to OpenBSD 5.7 stable.
Not quite. I recommended either a) applying the published errata patches, or b) updating to -stable. For the latter, I recommended M:Tier's service as a simple, easy solution.
Quote:
1. Get Source Code from AnonCVS Server...
I'd use a server much closer to you than Canada. Based on your IP address you've posted previously in netstat(8) logs, I expect the closest server will either be in Australia or Japan. You may wish to ping(1) these two servers to see which is more responsive for you.
Quote:
1. What is the System binary and when need to build system binaries?
"Binary" executable files contain CPU instructions, which have been assembled or compiled, and then link-edited, so that the file can be correctly loaded into memory and a CPU can be directed to execute the instructions within.

For the Following -stable FAQ, the "binaries" referred to are the hundreds of executable programs stored in /bin, /sbin, /usr/bin, /usr/sbin, and /usr/libexec, as well as the thousands of functions stored in libraries under /usr/lib.

Building a -stable system recreates and replaces these binaries. Every one.
Quote:
2. AFAIK, kernel, packages and system binary must be in sync. After update to stable, is it fine to continue install from packages?
Good question! For -stable, there are NEVER any architectural changes (such as to /usr/lib), so -release and -stable packages are safe to intermix on -release and -stable systems.
Quote:
4. Is it mandatory to get the source code for Ports?
Only if you need to build -stable packages. As I stated here, the Project makes security updates to -stable ports, but does not build -stable packages. M:Tier does build them, and many people use their services. You can build them yourself, if you have sufficient skills. Doing so can be complicated, due to dependency management.

I have developed a "keeping -stable HOWTO," because I do this myself for my -stable systems. It's not quite ready to publish; hanzer tested a first draft and found some gaps I will need to address. When it's ready, I'll post it at this forum.
Quote:
Originally Posted by e1-531g View Post
It is not cvs over SSL/TLS....It is cvs over SSH.
Correct.
Quote:
Originally Posted by ocicat View Post
...If all publicly released patches are applied to -release, this will approximate -stable, but the two are not equal.
Correct. Sometimes they are equivalent. Though this time, I recall one -stable patch which did not get published as errata -- a fix to pty management for SSH that was not deemed to be critical.

Last edited by jggimi; 8th September 2015 at 05:25 PM. Reason: clarity
Reply With Quote
  #5   (View Single Post)  
Old 8th September 2015
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by Peter_APIIT View Post
Thus, I'm open up this thread to discuss the how-to on update process.
As I attempted to point out above, the update process is not limited to compilation of -stable. Unfortunately, much of the outline later stated in your initial post is incorrect & needs further explanation.
  • The ultimate build how-to for OpenBSD can be found in Section 5.3 of the official FAQ. If building is too daunting, users have the choice of using https://stable.mtier.org which has several OpenBSD developers involved in the creation of that third-party service.
  • In addtion, users interested in building the OpenBSD system should read through and understand the information found on the release(8) manpage.
What follows is some explanatory remarks detailing errors in Peter_APIIT's posted instructions.
  • Quote:
    1. Get Source Code from AnonCVS Server
    Code:
    cd /usr
    cvs -qd anoncvs@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_7 -p src
    Going to the project's primary AnonCVS server is not advocated. For one reason, it is slow. I actually downloaded the repository from this site a few times, & it took hours to download the entire tree. The project recommends using a mirror site. The list of available mirrors can be found at the following:

    www.openbsd.org/ftp.html

    Choosing a closer mirror can improve the time needed to download the repository to an hour or less -- depending upon where your mirror is located relative to you. How can one find what close through the Internet? Use traceroute(8).
  • Quote:
    Answer yes to accept the SSL certificates
    e1-531g already covered this point.
  • Quote:
    Update source tree:
    Code:
    cd /usr/src
    cvs -q up -rOPENBSD_5_7 -Pd
    Recognize that this only updates the src repository. If the ports & xenocara trees are desired, these trees will need to be downloaded as well. Further, if ports are ever compiled locally, the ports & xenocara trees are required.

    Also, if the trees are checked out for the first time, there is no need to update immediately afterwards. This tree doesn't get updated that often. Doing an update within half an hour of doing the initial checkout is wasted effort.
  • Quote:
    Rebuild Kernel
    ...
    Rebuild System binaries
    Note that your instructions do not specify when commands need to be issued as root. This is done in FAQ 5.3, & users are highly recommended to refer to that source for what is considered correct.
  • Quote:
    Code:
    cd /usr/src/etc && env DESTDIR =/ make distrib-dirs
    The spacing quoted here is wrong. Please refer to FAQ 5.3 for what is correct.
Now for your follow-up questions:
  • Quote:
    What is the System binary and when need to build system binaries?
    Please clarify.
  • Quote:
    After update to stable, is it fine to continue install from packages?
    Ports from -release & -stable are binary compatible. Updates checked into the -stable tree may or may not be built & made available on the mirror sites. If you use a port which has been updated in CVS, but not updated on the mirror sites, you may need to build locally.
  • Quote:
    In which steps, I can backup my old kernel?
    The old kernel will be copied to /obsd when the following command is executed:

    # make install
  • Quote:
    Is it mandatory to get the source code for Ports?
    If ports are built locally, the /usr/ports tree will be required & the /usr/xenocara tree will need to be already built & installed. Some ports require Xenocara libraries to be in place.
Again, FAQ 5.3 details all of these steps & has already been vetted. Creating yet another how-to serves little purpose & will need to be continually updated to stay correct. Why not simply go to the source which is known to be correct & updated as changes are made in the process?

Last edited by ocicat; 8th September 2015 at 06:45 PM. Reason: clarity
Reply With Quote
  #6   (View Single Post)  
Old 8th September 2015
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by jggimi View Post
Sometimes they are equivalent.
One of the cosmetic differences can be seen in the output of:

$ sysctl kern.version

Even a fully patched OpenBSD 5.7-release system will still display "OpenBSD 5.7" while OpenBSD 5.7-stable will display "OpenBSD 5.7-stable".

...but -release with all patches applied will be equivalent to a current -stable build with respect to security implications. I suspect this is how you mean "equivalent".

Reply With Quote
  #7   (View Single Post)  
Old 8th September 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by ocicat View Post
I suspect this is how you mean "equivalent".

Yes, Sir.

Just to be clear, my planned HOWTO is specific to managing the complexities of dependency chains for -stable package building. The Following -stable FAQ and FAQ 5.3 together with release(8) cover how to maintain a -stable OS.
Reply With Quote
  #8   (View Single Post)  
Old 9th September 2015
roggy roggy is offline
Port Guard
 
Join Date: Nov 2013
Posts: 41
Default

jggimi,

the M:Tier's service is reliable in a production environment?
Also use it.
Reply With Quote
  #9   (View Single Post)  
Old 9th September 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Christian,

I maintain my own -stable systems, and do not use M:Tier. However, I have a degree of trust in the company's services. The company has a long and very public history of providing commercial OpenBSD services and their senior staff includes several active OpenBSD developers.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Installed OpenBSD 5.7.Need update help Itproman OpenBSD Installation and Upgrading 18 19th August 2015 02:57 PM
PhotoRec process bug LeFrettchen General software and network 4 1st July 2014 11:15 PM
OpenBSD/pf without compiler HOWTO update? zazen OpenBSD Installation and Upgrading 6 26th June 2011 06:47 AM
Apache HTTP Server update fixes remote DoS issue - Update J65nko News 0 12th May 2011 07:21 PM
how update openbsd 4.8 craze OpenBSD Installation and Upgrading 6 6th March 2011 03:20 PM


All times are GMT. The time now is 07:27 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick