DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Installation and Upgrading

OpenBSD Installation and Upgrading Installing and upgrading OpenBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 26th November 2022
Entropic Entropic is offline
Fdisk Soldier
 
Join Date: Nov 2022
Posts: 60
Default Sysupdate command not working

Hi All,

Having freshly installed OpenBSD 7.2 from a .img file about a week ago I understand its good practice to check for system updates in case there's been any security patches since the release. I also understand from the manual that its just a case of typing syspatch from the command line.

However when I do that nothing obvious seems to happen. There's no error in the xterm console window but then theres no progress indicators for the various patch downloads like I see in the youtube demonstrations of this command in practice. Am I missing something?

FWIW I've got a second user account setup per the installation. I use
Code:
 su
and then
Code:
 dhclient em0
to connect to my router for internet access. This seems to work because if I use the
Code:
 ping
command for 1.1.1.1 I'm getting return packets.

But when I type syspatch and even syspatch -C to get the list of available updates I get nothing.

Similarly, pkg_add -Q or the listing command doesn't do anything other than list some intel drivers etc. that I suspect are already on the system from the base installation..

Thanks in advance for help getting this working!
Reply With Quote
  #2   (View Single Post)  
Old 26th November 2022
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,847
Default

Be sure you aren't conflating or confusing syspatch(8) with sysupgrade(8). The syspatch utility applies binary versions of any errata patches to -release systems for three architectures: amd64, arm64, and i386. The sysupgrade utility automates upgrading from one release to the next, or to a -current snapshot.

Where did you get the recommendation to use dhclient(8)? It wasn't the OpenBSD Project, as the OpenBSD FAQ no longer mentions this legacy tool. Please use the guidance in the FAQ to provision your network. You'll have much less trouble.

As of today, there are 8 errata patches available for OpenBSD/amd64 at 7.2-release:
Code:
$ syspatch -l
001_x509
002_asn1
003_ukbd
004_expat
005_pixman
006_vmm
007_unwind
008_pfsync
Reply With Quote
  #3   (View Single Post)  
Old 26th November 2022
Entropic Entropic is offline
Fdisk Soldier
 
Join Date: Nov 2022
Posts: 60
Default

Quote:
Originally Posted by jggimi View Post
Be sure you aren't conflating or confusing syspatch(8) with sysupgrade(8). The syspatch utility applies binary versions of any errata patches to -release systems for three architectures: amd64, arm64, and i386. The sysupgrade utility automates upgrading from one release to the next, or to a -current snapshot.

Where did you get the recommendation to use dhclient(8)? It wasn't the OpenBSD Project, as the OpenBSD FAQ no longer mentions this legacy tool. Please use the guidance in the FAQ to provision your network. You'll have much less trouble.
I've checked the FAQ on networking config and it looks like I can use:
Code:
 # ifconfig xl0 inet autoconf
to connect to the internet after connecting the laptop to the router, so I'll give that a try when I'm back on my OpenBSD system and see if it makes any difference. I suspect it won't as the ping command is yielding me returned packets thus confirming my internet is running.

Quote:
As of today, there are 8 errata patches available for OpenBSD/amd64 at 7.2-release:
Code:
$ syspatch -l
001_x509
002_asn1
003_ukbd
004_expat
005_pixman
006_vmm
007_unwind
008_pfsync
Yes, I knew from checking the errata page that there must be a few updates, but as you can see from what I entered in the command line I can't get them to display. So syspatch updates the existing OS with security patches right? So I've got the right command. Why isn't it working noting that regardless of what internet connection command I've used I've clearly got internet access (as demonstrated by the ping results)...
Reply With Quote
  #4   (View Single Post)  
Old 26th November 2022
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,847
Default

You can ping a known IP address. Great! That's _half_ the battle for Internet connectivity. The other half is domain name resolution, which, from what you've posted so far, has not yet been tested or confirmed to be provisioned correctly.
Reply With Quote
  #5   (View Single Post)  
Old 26th November 2022
Entropic Entropic is offline
Fdisk Soldier
 
Join Date: Nov 2022
Posts: 60
Default

Quote:
Originally Posted by jggimi View Post
You can ping a known IP address. Great! That's _half_ the battle for Internet connectivity. The other half is domain name resolution, which, from what you've posted so far, has not yet been tested or confirmed to be provisioned correctly.
Ah ok, so if I use
Code:
inet autoconf
followed by
Code:
#ifconfig em0 inet autoconf
I'll get internet via my DHCP enabled router? (as a client). Do I need to use vi to edit any config files for internet beforehand?? If so, which one?

PS: So I'm interpreting these command line (code) instructions correctly: If a given command line is listed without the # at the start, does that mean it doesnt need to be run in root whereas anything starting with # does require root?

Also: does typing
Code:
SU
followed by the secondary username that I setup at the installation (wheel?) get me out of root and back into the non root user? I'd like to do most activities as non root for security purposes you see..
Reply With Quote
  #6   (View Single Post)  
Old 26th November 2022
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,847
Default

1. Domain Name Resolution: provisioning guidance is in the networking chapter of the FAQ at this link: http://www.openbsd.org/faq/faq6.html#Setup.resolver

2. su(1): exit the root shell to return to your normal user. You may find the doas(1) command and its configuration file doas.conf(5) to be an easier or more convenient way to become the superuser temporarily. The doas(1) command is mentioned in the afterboot(8) man page.
Reply With Quote
  #7   (View Single Post)  
Old 26th November 2022
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,847
Default

My last comment was incomplete. If domain name resolution is not provided by an external source, such as a local DHCP server, and learned through dhcpleased(8) / resolvd(8), then the admin must manually provision nameservers in resolv.conf(5).
Reply With Quote
  #8   (View Single Post)  
Old 27th November 2022
Entropic Entropic is offline
Fdisk Soldier
 
Join Date: Nov 2022
Posts: 60
Default

Quote:
Originally Posted by jggimi View Post
1. Domain Name Resolution: provisioning guidance is in the networking chapter of the FAQ at this link: http://www.openbsd.org/faq/faq6.html#Setup.resolver
2. su(1): exit the root shell to return to your normal user. You may find the doas(1) command and its configuration file doas.conf(5) to be an easier or more convenient way to become the superuser temporarily. The doas(1) command is mentioned in the afterboot(8) man page.[/QUOTE]
Thanks. I'll bear the doas command in mind when I'm just wanting temporary root powers. PS: I just typed
Code:
SU
and it does something but its unclear whether I've exited root.... Has it?
It has the $ sign instead of # at the command line starting prompt so I'm guessing this is proof that I'm out of root now?

Now, regarding internet access. I entered
Code:
 ifconfig em0 inet autoconf
to connect my OpenBSD laptop to the router for it to get auto assigned an IP from the routers DHCP. I then tried syspatch which did something, but then after a few mins nothing appeared so it seems thats still kaput?

I then went ahead and downloaded a package (Firefox) using
Code:
pkg_add firefox
and it spat out this verbose list of things it was downloading and then extracting, but I noticed a few errors. Finally in the tail it shows
"Can't install firefox-107.0. Can't resolve icu4c-71.1v0". I'd like to scroll back up through the verbose output but I can't (in xterm window). How do I scroll back up through the output as FFox was dloaded and installed? There's a up/down bar toggle on the left of the screen but clickign it and then moving it up and down does nothing... Neither does PGUP or PGDWN, or the direction keys! URGGH!

Also, why didn't it install properly given my use of
Code:
 pkg_add firefox
?
Reply With Quote
  #9   (View Single Post)  
Old 27th November 2022
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,847
Default

Let's start with your network, because that's your most important issue. From what you've posted, I still believe your network is incorrectly provisioned, because the package for icu4c071.1v0 is available for the amd64 architecture 7.2-release in the Project's mirrors.
Issue the ping(1) command with a well known Internet site, such as $ ping -c 1 daemonforums.org. If your resolver is working properly, it should resolve the domain name to an IP address, reach out to the IP address and receive an echo, such as:
Code:
$ ping -c 1 daemonforums.org
PING daemonforums.org (65.109.3.37): 56 data bytes
64 bytes from 65.109.3.37: icmp_seq=0 ttl=236 time=138.874 ms

--- daemonforums.org ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 138.874/138.874/138.874/0.000 ms
If it doesn't resolve, you know your domain name resolution is not provisioned properly. If it resolves but fails to reach the server you'll know you have some sort of network connectivity issue. If resolution is not functioning properly, you should inspect the contents of /etc/resolv.conf for its nameserver entries, if any.
Next, reviewing your console output:
The easiest tool to review prior console output is with Shift-PgUp. Additionally, you can "log" your console session (including all keyboard entries, including backspaces and carriage returns) with the script(1) utility, and the terminal multiplexor tmux(1) can also pipe virtual terminal "pane" output to files. You can also use most shells to pipe standard output and/or standard error output to files. There are many ways to capture this information.
Lastly, exiting root's ksh(1) shell from su(1).
You have it right. When you are in a superuser shell your default prompt includes the pound-sign "#" to warn you of your administrative status. When you then use the "exit" command or CTRL-D to exit from that shell, your default prompt will then show the dollar-sign "$" to inform you that you are functioning as a normal user.
Reply With Quote
Old 29th November 2022
Entropic Entropic is offline
Fdisk Soldier
 
Join Date: Nov 2022
Posts: 60
Default

Hi jggimi,

Well, here we are a couple days later and I've got FireFox successfully installed (107) after finding out the following silly little error that I needed to fix beforehand. I used this to figure it out:

https://obsd.solutions/en/blog/2022/...led/index.html

After using vi to make it point at ftp.*.* instead of cd.*.* it started drawing down FFox without issue.
As for Syspatch, I'm not sure how it definitely resolved, but I think it just needed more time to connect and do its checking/downloading. I use inet autoconf now instead of dhcclient or whatever it was, but for both I'd still get full ping results for 1.1.1.1.

Now, my new issue is getting ExpressVPN client connected to my OpenBSD system using the .ovpn files I've manually downloaded in readiness. The problem now is that I can't copy (CP) the .ovpn files across to the /etc/openvpn directory that I've created. I'll make a new thread about it since its such a different topic. I'd appreciate any help!
Reply With Quote
Old 29th November 2022
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,847
Default

Incorrect system time may cause HTTPS failures when connecting to web servers that validate security certificates via OSCP. I'm glad you discovered your root cause and were able to resolve it.
Reply With Quote
Old 29th November 2022
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,847
Default

I can't spell. It's OCSP: https://en.wikipedia.org/wiki/Online...tatus_Protocol.

OpenBSD's built-in web server httpd(8) supports OCSP stapling. Here's an example httpd.conf(5) fragment from one of my servers:
Code:
server "<redacted>" {
        alias "<www.redacted>"
        listen on * tls port https
        hsts
        tls certificate "/etc/ssl/acme/fullchain.pem"
        tls key "/etc/ssl/acme/private/privkey.pem"
        tls ocsp "/etc/ssl/acme/cert.der"
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
This server runs OpenBSD's ocspcheck(8) utility daily for certificate validation against the certificate authority's responder.

OSCP stapling is time-dependent and (nearly) correct time is required, which is why incorrect clocks cause failures. https://en.wikipedia.org/wiki/OCSP_stapling

Last edited by jggimi; 29th November 2022 at 03:08 PM. Reason: added time-dependent comment and stapling link
Reply With Quote
Old 30th November 2022
Entropic Entropic is offline
Fdisk Soldier
 
Join Date: Nov 2022
Posts: 60
Default

Quote:
Originally Posted by jggimi View Post
Incorrect system time may cause HTTPS failures when connecting to web servers that validate security certificates via OSCP. I'm glad you discovered your root cause and were able to resolve it.
I'll make a note of that. Do I just run
Code:
ntpd
in root to get the appropriate time/date?
Reply With Quote
Old 30th November 2022
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,847
Default

In a default installation, ntpd(8) should already be running. But it does not adjust time rapidly, it corrects clock drift, as discussed in the ntpd(8) man page. At the bottom of the man page under SEE ALSO, you will find the rdate(8) utility referenced. It is the rdate(8) utility that can be used to make an immediate correction.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
DD command on OpenBsd PapaParrot OpenBSD General 20 9th November 2018 02:56 PM
How to expand who command? guitarscn FreeBSD General 1 27th August 2010 11:53 PM
Mouse:X (not-working) and tty-Console (working), in 8.0 ykt FreeBSD General 1 22nd December 2009 12:26 PM
pkg-get command not found whispersGhost Solaris 2 11th June 2008 01:06 PM
crypt command whispersGhost Solaris 3 9th June 2008 05:37 AM


All times are GMT. The time now is 10:24 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2023, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick