OpenBSD Following -current and using snapshots [FAQ Index]

Active OpenBSD development is known as the -current branch. These sources are frequently compiled into releases known as snapshots.

Aggressive changes are sometimes pushed in this branch, and complications can arise when building the latest code or upgrading from a previous point in time. Some of the steps for getting over these hurdles are explained on this page. Make sure you've read and understand how to build the system from source before using -current and the instructions below.

In general, it's far easier to use snapshots, as developers will have gone through much of the trouble for you already.

You should always use a snapshot as the starting point for running -current. This process typically consists of downloading (and verifying) the appropriate bsd.rd file from the /snapshots/ directory of your preferred mirror, booting from it, and choosing (U)pgrade at the prompt. Any installed packages should then be upgraded after booting into the new system.

Upgrading to -current by compiling your own source code is not supported.

Most of these changes will have to be performed as root.

2018/04/04 - PF_TRANS_ALTQ removed

The obsolete PF_TRANS_ALTQ has been removed from net/pfvar.h. Several userland programs will need to be recompiled together with the kernel. Using a snapshot is highly recommended. To update from source, the following steps are needed:
  1. Build and install the kernel but do NOT reboot.
  2. Rebuild the affected programs:
    # cd /usr/src && make includes
    # cd /usr/src/sbin/pfctl && make clean && make && make install
    # cd /usr/src/usr.sbin/authpf && make clean && make && make install
    # cd /usr/src/usr.sbin/ftp-proxy && make clean && make && make install
    # cd /usr/src/usr.sbin/relayd && make clean && make && make install
    # cd /usr/src/usr.sbin/tftp-proxy && make clean && make && make install
  3. Reboot.

2018/04/11 - meaning of listen on * port 80 changed in httpd(8)

The meaning of listen on * port 80 changed from "listen on all IPv4 addresses" to "listen on all IPv4 and all IPv6 addresses". If listen on * port 80 is present, listen on :: port 80 needs to be removed. For example,
listen on * port 80
listen on :: port 80
must be changed to:
listen on * port 80

2018/04/20 - [packages] security/kc storage format change

The storage format of keychains has changed in a backward incompatible way. Dump all your keychains to xml before updating:
$ kc -k ~/.kc/default.kcd
<example_chain% > dump kcdump
Dump OK
<example_chain% > quit
After updating follow the instructions in /usr/local/share/doc/kc/Changelog.

2018/05/03 - [packages] sysutils/apcupsd has SMTP client removed

The ${PREFIX}/sbin/smtp was removed from apcupsd package in favor of smtp(1). The programs are not option-compatible, so any scripts using "smtp" command require adjustment.

2018/05/22 - [packages] PHP default version changed

With a few exceptions, most packages using PHP have switched to using PHP 7.0 dependencies by default. Because extension modules (now including PECL modules) are packaged for multiple PHP versions, most existing PHP programs will work as-is, but to avoid confusion and benefit from improvements to PHP you should switch your system across:
  1. Merge local configuration changes from /etc/php-5.6.ini to /etc/php-7.0.ini. It may be useful to diff(1) against the original file in /usr/local/share/examples/php-5.6/php.ini-production.
  2. Create new symlinks for extension modules as described in the "extension modules" section of /usr/local/share/doc/pkg-readmes/php-7.0*.
  3. Switch to running the new version. If using php-fpm:
      # rcctl disable php56_fpm; rcctl enable php70_fpm
      # rcctl stop php56_fpm; rcctl start php70_fpm
    If using the module for Apache httpd, update the symlink for /var/www/conf/modules/php.conf as shown in the pkg-readme.

2018/05/24 - smtpd.conf(5) grammar has changed in smtpd(8)

The smtpd.conf(5) file needs to be adapted to use the new grammar.

The change is mostly mechanical and requires splitting current rules into actions and matching patterns, examples are available in the man page.

Authenticated users are no longer considered as local users, if your configuration file allows remote users to authenticate and send mail, an explicit rule must be written to match these.

smtpd(8) supported LMTP both as a relaying protocol and as a local delivery method. The local delivery method was implemented within the daemon and not as an MDA, it no longer does and must be used through the 'mda' action:

action lmtp-local mda "/usr/libexec/mail.lmtp [...]"
The mail.lmtp(8) MDA provides all the features that used to be supported interally by smtpd(8).

2018/05/27 - [packages] PHP packaging changes

The PHP module for Apache HTTPD has moved from the main PHP package into a separate "php-apache" package. If you use this module, install the relevant version (pkg_add php-apache%7.0 or pkg_add php-apache%5.6). FPM and CLI remain in the main PHP package.

2018/05/30 - smtpd.conf(5) LMTP action introduced

With the recent grammar change, LMTP support was re-implemented as an external mail delivery agent and required being configured using the 'mda' action:
action lmtp-local mda "/usr/libexec/mail.lmtp [...]"
The grammar has been extended to provide an LMTP action hiding the details behind the mail.lmtp(8) MDA. The LMTP action is documented in smtpd.conf(5) and looks as follow:
action lmtp-local lmtp localhost:25
In addition, the unix: and inet: prefixes which were used in LMTP destinations to distinguish between a UNIX socket or a network socket have been removed.

2018/06/01 - smtpd.conf(5) 'set' and 'limit' removed as main keywords

The grammar allowed setting options of components with the 'set' keyword:
set queue compression
set mta max-deferred 100
The keyword brought no value and was dropped in favor of component namespaces:
queue compression
mta max-deferred 100
In addition, the 'limit' option which could be used with mta:
limit mta session-transaction-delay 0
is now an option within the 'mta' namespace:
mta limit session-transaction-delay 0

2018/06/04 - New sysctl/mixerctl settings to control audio recording

Due to privacy concerns from some, audio recording has been disabled by default. It may be reenabled system-wide like this:
# sysctl # enable at runtime
# echo >> /etc/sysctl.conf # set at boot
Finer-grained controls are available using mixerctl(1) which allows setting record.enable for each mixer device to off (always off), on (always on), or sysctl (default: follow state of the sysctl).

2018/06/06 - [amd64] New clang compiler feature

The retguard compiler feature has been implemented on the amd64 platform. Using a snapshot is highly recommended. To update from source, first verify if your clang is recent enough to understand the -fno-ret-protector flag:
$ echo 'int main() {return 0;}' | cc -fno-ret-protector -x c -
If there is no error in the output, then proceed with a normal source upgrade as usual. If the output includes the error cc: error: unknown argument: '-fno-ret-protector' then follow the procedure below.
  1. Build and install the kernel. Reboot.
  2. Edit /usr/src/gnu/usr.bin/clang/ and comment out the -fno-ret-protector option:
    # cd /usr/src/gnu/usr.bin/clang
    # sed -i.head s/-fno-ret-protector/'#-fno-ret-protector'/
  3. Build and install clang:
    # cd /usr/src/gnu/usr.bin/clang
    # make
    # make install
  4. Restore the original clang
    # cd /usr/src/gnu/usr.bin/clang
    # mv
  5. Build the system as usual.

2018/06/13 - bgpd configuration change

By default bgpd(8), without explicit policy configuration, will deny both incoming and outgoing UPDATES. See RFC 8212 for more information.

The following configuration directives have been deprecated (but will be accepted for backwards compatibility) announce all, announce none, and announce default-route. Furthermore the announce self directive has been removed. Explicit use of announce self will result in a syntax error preventing bgpd(8) from starting. Users are advised to review and update /etc/bgpd.conf before upgrading.

It is possible to write configuration files that are valid and functionally the same both before and after the update.

Before updating:

  1. Mimic the new behavior of the updated bgpd(8) by adding deny from any and deny to any to the top of the filter ruleset. (After the update these rules are implicitly added to the filter)
  2. Replace all instances of announce self with announce all.
  3. Ensure that the filter ruleset only allows correct announcements to and from EBGP neighbors by explicitly specifying the prefixes to be imported from and exported to EBGP neighbors using prefix-set and large-community (or community).
  4. Add announce all to all neighbors for which neither announce none nor announce default-route is specified (the implicit default for EBGP peers was announce self). You can confirm that you haven't missed any:
    # bgpd -nvf /etc/bgpd.conf | grep -B4 'announce self'
The resulting config should now be ready for the upgrade. It is recommended to review /etc/examples/bgpd.conf for an example how BGP communities and prefix-set can be used in simple network designs.


  1. Remove all announce all directives from the configuration
  2. The deny from all and deny to any rules at the top of the ruleset filter are redundant after the update (and as such could be removed), but leaving those may improve readability of the configuration.

2018/06/13 - httpd.conf(5) 'root strip' option renamed

To be semantically correct, the 'root strip' option has been renamed to 'request strip'. For example, the following configuration block is needed for acme-client(1):
location "/.well-known/acme-challenge/*" {
	root "/acme"
	request strip 2

2018/06/18 - slaacd(8) fully pledged

slaacd(8)'s main process is now pledged and uses the new "wroute;" promise. Make sure to have a current kernel or update via snapshots.

2018/06/23 - [packages] buildbot/buildslave switch to python3 & buildslave rc script renaming

Both, buildbot and buildbot-worker are now using python3.

Upstream renamed buildslave to buildbot-worker a while ago. Accordingly, the buildslave rc script was renamed to buildbot_worker. You need to adjust the list of daemons:

# rcctl disable buildslave
# rcctl enable buildbot_worker
Make sure to stop any running buildslave instances before upgrading, otherwise rc.d(8) will lose track of the process.

2018/07/10 - error on bad '-netmask'/'-prefixlen' usage with route(8)

If you have specified these options before the address string in hostname.if(5) or some script, route(8) will now print an error message and exit. Make sure to change
route add -inet6 -prefixlen 56 2001:db8:: ::1 -blackhole
route add -inet6 2001:db8:: -prefixlen 56 ::1 -blackhole
Otherwise, a route for 2001:db8::/64 would be installed as the address string comes last for which a default prefix length of 64 is currently implied. It is best to use proper CIDR notation.
route add -inet6 2001:db8::/56 ::1 -blackhole

2018/07/12 - _rad user and group added; reuses _btd uid/gid

The new _rad user recycles user and group ids of the "Bluetooth Daemon" user (_btd) removed in 2013. If you upgraded your system from all the way back then and never deleted the user and group, sysmerge(8) will complain:
running rc.sysmerge
**** Not adding group _rad, GID 94 already exists
**** Not adding user _rad, UID 94 already exists 
Delete the _btd user and group and run sysmerge again:
# userdel _btd
# groupdel _btd
# sysmerge

2018/07/15 - wpakey and hostname.if(5)

The ifconfig(8) utility encourages users of the wpakey keyword to use it on the same line as any join or nwid keywords. In particular, hostname.if(5) file should be adjusted:
nwid mynwid wpakey mywpakey

2018/07/17 - implicit prefix length removed from route(8)

Unless -prefixlen or CIDR notation is used, route(8) no longer interprets an IPv6 host address as /64 subnet.

Despite the manual page already stating correct behaviour, a route different from the specified destination string would be installed:

# route add 2001:db8:: ::1
add net 2001:db8::: gateway ::1
# route show -inet6 | grep 2001:db8
2001:db8::/64      localhost          UGS        0        0 32768     8 lo0
This behaviour was deprecated in 2003 by RFC 3587 and has now been fixed to take an host address as is:
2001:db8::         localhost          UGHS       0        0 32768     8 lo0

2018/07/20 - resolver renamed to nameserver in rad.conf(5)

The resolver configuration option has been renamed to nameserver in rad.conf(5) to be more in line with resolv.conf(5) and dhclient.conf(5).

2018/07/23 - rtadvd(8) removed; replaced by rad(8)

rtadvd(8) has been removed from the base system. To clean up, execute the following commands:
# userdel _rtadvd
# groupdel _rtadvd
# rm /etc/rc.d/rtadvd /usr/sbin/rtadvd /usr/share/man/man5/rtadvd.conf.5 /usr/share/man/man8/rtadvd.8
If you are running rtadvd(8) for IPv6 router advertisements, please switch to rad(8). First create a /etc/rad.conf configuration file. For example, when you had rtadvd_flags=em0 in /etc/rc.conf.local, /etc/rad.conf would be:
interface em0
For more advanced configurations consult rad.conf(5). With the /etc/rad.conf file in place you can stop rtadvd(8) and start rad(8):
# rcctl stop rtadvd
# rcctl disable rtadvd
# rcctl enable rad
# rcctl start rad

2018/07/26 - build infrastructure for lld as default linker

Build infrastructure was added to make it possible to install ld.lld(1) as the default linker. Before building the system from source, you will need to run the following commands:
# cd /usr/src/share/mk
# make install
The armv7 platform was switched to install lld as the default linker. To complete the switch on that platform, build the system from source twice.

2018/07/28 - sndio session cookie path changed

The new sndio(7) session cookie path is ~/.sndio/cookie. If you allow access to your audio/MIDI hardware to other users or to remote systems, you may want to move your authorization cookie to the new location:
$ mkdir -p ~/.sndio
$ mv ~/.aucat_cookie ~/.sndio/cookie
This is probably simpler than deleting the old cookie, generating a new one and installing it to all appropriate locations.

2018/07/29 - Remove /dev/audio and /dev/audioctl

The /dev/audio and /dev/audioctl symbolic links are not used anymore and can be removed:
# rm /dev/audio /dev/audioctl

2018/08/02 - Error on invalid queue definitions in pf.conf(5)

PF queues can only refer to a single interface, not an interface group. Previously, the pf.conf(5) parser accepted invalid queue definitions (either for an interface group, or for a non-existent interface) and mostly ignored them, though gave an error when displaying queues. These are now rejected and result in the entire ruleset failing to load.

Before updating, use "pfctl -s queue". If you have no output or a list of queues, you should not be affected by this. If you see the following error, adjust your pf.conf(5) accordingly:

# pfctl -s queue
pfctl: DIOCGETQSTATS: Bad file descriptor
Normally you can just specify the relevant interface name, but if you are trying to use interface groups to allow use of the same pf.conf file on multiple systems which have different interface types, you might like to define macros in a separate file that can be different on each system (sharing a common pf.conf):
$ cat /etc/pf.conf.local
egress_if = ix0

$ cat /etc/pf.conf
include "/etc/pf.conf.local"
queue rootq on $egress_if bandwidth 1G default


2018/08/06 - New log options in relayd.conf(5)

The log options log updates and log all in relayd.conf(5) have been superseded by three new options:
log state changes
log host checks
log connection [errors]
The first two set the logging of host checks to either changes in host state only or all check results, and replace log updates and log all. The third option controls connection logging in relays which, until now, was a side effect of log updates. The optional errors will cause only failed connections to be logged.

Use of the old options will result in a warning message and they will be removed in OpenBSD 6.5.

2018/08/09 - Stricter route(8) network syntax

Support for guessing an old-style class A, B, or C netmask from a bare dot-notation IPv4 address by counting trailing zero octets was dropped from route(8), and related option parsing is now stricter. To specify a destination network, use any of the following syntaxes:
route add [-net] ...
route add [-net] -netmask ...
route add -inet [-net] -prefixlen 24 ...
When neither -net nor -netmask nor -prefixlen is given, -host is now assumed.

2018/08/16 - nsd(8) control socket moved from TCP/IP to unix domain socket

If nsd(8) is started with the old config file and then the config file is changed to use the unix domain socket, rc(8) and rcctl(8) cannot restart nsd since they try to communicate over the unix domain socket while nsd(8) still uses TCP/IP. In that case kill nsd(8) and start it again. One way to end up in this situation is when sysmerge needs to be run by hand.

2018/09/03 - smtpd.conf(5) relay host syntax changed

The syntax for the smarthost string in relay rules has been updated. It is documented in smtpd.conf(5). The changes are as follows: Running smtpd(8) without updating the configuration will result in mails being stuck in the queue if the smarthost string is not recognized, or mails being relayed with TLS instead of plain text, for non-updated smtp:// and smtp+tls:// relays.

2018/09/11 - Old xcb libraries removed

As part of the update to xcb 1.13, two obsolete libxcb components (xevie and xprint) have been removed. The corresponding files can be removed:
# rm /usr/X11R6/lib/libxcb-xevie.*
# rm /usr/X11R6/lib/libxcb-xprint.*
# rm /usr/X11R6/lib/pkgconfig/xcb-xevie.pc
# rm /usr/X11R6/lib/pkgconfig/xcb-xprint.pc

$OpenBSD: current.html,v 1.946 2018/09/18 08:04:03 bentley Exp $