OpenBSD Following -current and using snapshots

Active OpenBSD development is known as the -current branch. These sources are frequently compiled into releases known as snapshots.

Aggressive changes are sometimes pushed in this branch, and complications can arise when building the latest code or upgrading from a previous point in time. Some of the steps for getting over these hurdles are explained on this page. Make sure you've read and understand how to build the system from source before using -current and the instructions below.

In general, it's far easier to use snapshots, as developers will have gone through much of the trouble for you already.

You should always use a snapshot as the starting point for running -current. This process typically consists of downloading (and verifying) the appropriate bsd.rd file from the /snapshots/ directory of your preferred mirror, booting from it, and choosing (U)pgrade at the prompt. Any installed packages should then be upgraded after booting into the new system.

Upgrading to -current by compiling your own source code is not supported.

Most of these changes will have to be performed as root.

2018/04/04 - PF_TRANS_ALTQ removed

The obsolete PF_TRANS_ALTQ has been removed from net/pfvar.h. Several userland programs will need to be recompiled together with the kernel. Using a snapshot is highly recommended. To update from source, the following steps are needed:
  1. Build and install the kernel but do NOT reboot.
  2. Rebuild the affected programs:
    # cd /usr/src && make includes
    # cd /usr/src/sbin/pfctl && make clean && make && make install
    # cd /usr/src/usr.sbin/authpf && make clean && make && make install
    # cd /usr/src/usr.sbin/ftp-proxy && make clean && make && make install
    # cd /usr/src/usr.sbin/relayd && make clean && make && make install
    # cd /usr/src/usr.sbin/tftp-proxy && make clean && make && make install
  3. Reboot.

2018/04/11 - meaning of listen on * port 80 changed in httpd(8)

The meaning of listen on * port 80 changed from "listen on all IPv4 addresses" to "listen on all IPv4 and all IPv6 addresses". If listen on * port 80 is present, listen on :: port 80 needs to be removed. For example,
listen on * port 80
listen on :: port 80
must be changed to:
listen on * port 80
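
The check described above can be run against a whole configuration file. The following is an added example, not part of the original FAQ or of httpd(8); it generalizes the rule to any port and to tls listeners. The function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the OpenBSD FAQ): list "listen on :: ..." lines that a
# "listen on * ..." line in the same server block makes redundant.
# Assumption: braces never appear inside quoted strings in the config.

redundant_listens() {	# reads httpd.conf(5) text on stdin
	awk '
	function flush(   k) {
		# End of a server block: report v6 listeners also covered by "*".
		for (k in v6)
			if (k in star)
				printf "line %d: remove \"listen on :: %s\" (covered by line %d)\n", v6[k], k, star[k]
		split("", star); split("", v6)	# portable way to empty arrays
	}
	{
		sub(/#.*/, "")			# drop comments; re-splits the fields
		if ($1 == "listen" && $2 == "on") {
			# Key on everything after the address: "port 80", "tls port 443"
			key = ""
			for (i = 4; i <= NF; i++) key = key (i > 4 ? " " : "") $i
			if ($3 == "*")  star[key] = NR
			if ($3 == "::") v6[key] = NR
		}
		depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
		if (depth == 0) flush()
	}' | sort -k2n
}

sample_httpd_conf() {	# constructed sample input
	cat <<'EOF'
server "www.example.com" {
	listen on * port 80
	listen on :: port 80
	listen on * tls port 443
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}
server "v6only.example.com" {
	listen on :: port 8080
}
EOF
}

sample_httpd_conf | redundant_listens
```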

2018/04/20 - [packages] security/kc storage format change

The storage format of keychains has changed in a backward incompatible way. Dump all your keychains to xml before updating:
$ kc -k ~/.kc/default.kcd
<example_chain% > dump kcdump
Dump OK
<example_chain% > quit
After updating follow the instructions in /usr/local/share/doc/kc/Changelog.

2018/05/03 - [packages] sysutils/apcupsd has SMTP client removed

The ${PREFIX}/sbin/smtp program was removed from the apcupsd package in favor of smtp(1). The programs are not option-compatible, so any scripts using the "smtp" command require adjustment.

2018/05/22 - [packages] PHP default version changed

With a few exceptions, most packages using PHP have switched to using PHP 7.0 dependencies by default. Because extension modules (now including PECL modules) are packaged for multiple PHP versions, most existing PHP programs will work as-is, but to avoid confusion and benefit from improvements to PHP you should switch your system across:
  1. Merge local configuration changes from /etc/php-5.6.ini to /etc/php-7.0.ini. It may be useful to diff(1) against the original file in /usr/local/share/examples/php-5.6/php.ini-production.
  2. Create new symlinks for extension modules as described in the "extension modules" section of /usr/local/share/doc/pkg-readmes/php-7.0*.
  3. Switch to running the new version. If using php-fpm:
      # rcctl disable php56_fpm; rcctl enable php70_fpm
      # rcctl stop php56_fpm; rcctl start php70_fpm
    If using the module for Apache httpd, update the symlink for /var/www/conf/modules/php.conf as shown in the pkg-readme.

2018/05/24 - smtpd.conf(5) grammar has changed in smtpd(8)

The smtpd.conf(5) file needs to be adapted to use the new grammar.

The change is mostly mechanical and requires splitting current rules into actions and matching patterns; examples are available in the man page.

Authenticated users are no longer considered local users. If your configuration file allows remote users to authenticate and send mail, an explicit rule must be written to match these.

smtpd(8) supported LMTP both as a relaying protocol and as a local delivery method. The local delivery method was implemented within the daemon and not as an MDA; it no longer is, and must be used through the 'mda' action:

action lmtp-local mda "/usr/libexec/mail.lmtp [...]"
The mail.lmtp(8) MDA provides all the features that used to be supported internally by smtpd(8).

2018/05/27 - [packages] PHP packaging changes

The PHP module for Apache HTTPD has moved from the main PHP package into a separate "php-apache" package. If you use this module, install the relevant version (pkg_add php-apache%7.0 or pkg_add php-apache%5.6). FPM and CLI remain in the main PHP package.

2018/05/30 - smtpd.conf(5) LMTP action introduced

With the recent grammar change, LMTP support was re-implemented as an external mail delivery agent and had to be configured using the 'mda' action:
action lmtp-local mda "/usr/libexec/mail.lmtp [...]"
The grammar has been extended to provide an LMTP action hiding the details behind the mail.lmtp(8) MDA. The LMTP action is documented in smtpd.conf(5) and looks as follows:
action lmtp-local lmtp localhost:25
In addition, the unix: and inet: prefixes which were used in LMTP destinations to distinguish between a UNIX socket or a network socket have been removed.

2018/06/01 - smtpd.conf(5) 'set' and 'limit' removed as main keywords

The grammar allowed setting options of components with the 'set' keyword:
set queue compression
set mta max-deferred 100
The keyword brought no value and was dropped in favor of component namespaces:
queue compression
mta max-deferred 100
In addition, the 'limit' option which could be used with mta:
limit mta session-transaction-delay 0
is now an option within the 'mta' namespace:
mta limit session-transaction-delay 0

2018/06/04 - New sysctl/mixerctl settings to control audio recording

Due to privacy concerns from some, audio recording has been disabled by default. It may be reenabled system-wide like this:
# sysctl # enable at runtime
# echo >> /etc/sysctl.conf # set at boot
Finer-grained controls are available using mixerctl(1) which allows setting record.enable for each mixer device to off (always off), on (always on), or sysctl (default: follow state of the sysctl).

2018/06/06 - [amd64] New clang compiler feature

The retguard compiler feature has been implemented on the amd64 platform. Using a snapshot is highly recommended. To update from source, first verify if your clang is recent enough to understand the -fno-ret-protector flag:
$ echo 'int main() {return 0;}' | cc -fno-ret-protector -x c -
If there is no error in the output, then proceed with a normal source upgrade as usual. If the output includes the error cc: error: unknown argument: '-fno-ret-protector' then follow the procedure below.
  1. Build and install the kernel. Reboot.
  2. Edit /usr/src/gnu/usr.bin/clang/ and comment out the -fno-ret-protector option:
    # cd /usr/src/gnu/usr.bin/clang
    # sed -i.head s/-fno-ret-protector/'#-fno-ret-protector'/
  3. Build and install clang:
    # cd /usr/src/gnu/usr.bin/clang
    # make
    # make install
  4. Restore the original clang
    # cd /usr/src/gnu/usr.bin/clang
    # mv
  5. Build the system as usual.

2018/06/13 - bgpd configuration change

By default bgpd(8), without explicit policy configuration, will deny both incoming and outgoing UPDATES. See RFC 8212 for more information.

The following configuration directives have been deprecated (but will be accepted for backwards compatibility): announce all, announce none, and announce default-route. Furthermore, the announce self directive has been removed. Explicit use of announce self will result in a syntax error preventing bgpd(8) from starting. Users are advised to review and update /etc/bgpd.conf before upgrading.

It is possible to write configuration files that are valid and functionally the same both before and after the update.

Before updating:

  1. Mimic the new behavior of the updated bgpd(8) by adding deny from any and deny to any to the top of the filter ruleset. (After the update these rules are implicitly added to the filter)
  2. Replace all instances of announce self with announce all.
  3. Ensure that the filter ruleset only allows correct announcements to and from EBGP neighbors by explicitly specifying the prefixes to be imported from and exported to EBGP neighbors using prefix-set and large-community (or community).
  4. Add announce all to all neighbors for which neither announce none nor announce default-route is specified (the implicit default for EBGP peers was announce self). You can confirm that you haven't missed any:
    # bgpd -nvf /etc/bgpd.conf | grep -B4 'announce self'
The resulting config should now be ready for the upgrade. It is recommended to review /etc/examples/bgpd.conf for an example of how BGP communities and prefix-set can be used in simple network designs.


After updating:

  1. Remove all announce all directives from the configuration.
  2. The deny from any and deny to any rules at the top of the filter ruleset are redundant after the update (and as such could be removed), but leaving those may improve readability of the configuration.
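
The "Before updating" steps can be checked at the text level before bgpd(8) is restarted. The following is an added example, not part of the original FAQ or of bgpd; it flags remaining announce self lines and checks that the first two filter rules are deny from any and deny to any. The function names and the sample configuration (documentation AS numbers and addresses) are constructed.

```sh
#!/bin/sh
# Added example (not from the OpenBSD FAQ): text-level pre-upgrade audit of a
# bgpd.conf against the "Before updating" steps. It complements, and does not
# replace, parsing the file with bgpd -nvf.

audit_bgpd_conf() {	# reads bgpd.conf text on stdin, prints one finding per line
	awk '
	{
		sub(/#.*/, "")				# drop comments
		if ($0 ~ /announce[ \t]+self/)
			printf "line %d: announce self is a syntax error after the update\n", NR
		# Filter rules start with allow, deny or match; remember the first two.
		if (($1 == "allow" || $1 == "deny" || $1 == "match") && nrules < 2) {
			nrules++
			gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "")
			first[$0] = NR
		}
	}
	END {
		if (!("deny from any" in first))
			print "filter: ruleset does not start with deny from any"
		if (!("deny to any" in first))
			print "filter: ruleset does not start with deny to any"
	}'
}

sample_bgpd_conf() {	# constructed sample input, pre-upgrade style
	cat <<'EOF'
AS 64496
router-id 192.0.2.1
neighbor 192.0.2.2 {
	remote-as 64497
	descr "upstream"
	announce self
}
allow from any
allow to any
EOF
}

sample_bgpd_conf | audit_bgpd_conf
```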

2018/06/13 - httpd.conf(5) 'root strip' option renamed

To be semantically correct, the 'root strip' option has been renamed to 'request strip'. For example, the following configuration block is needed for acme-client(1):
location "/.well-known/acme-challenge/*" {
	root "/acme"
	request strip 2
}

2018/06/18 - slaacd(8) fully pledged

slaacd(8)'s main process is now pledged and uses the new "wroute;" promise. Make sure to have a current kernel or update via snapshots.

2018/06/23 - [packages] buildbot/buildslave switch to python3 & buildslave rc script renaming

Both buildbot and buildbot-worker now use python3.

Upstream renamed buildslave to buildbot-worker a while ago. Accordingly, the buildslave rc script was renamed to buildbot_worker. You need to adjust the list of daemons:

# rcctl disable buildslave
# rcctl enable buildbot_worker
Make sure to stop any running buildslave instances before upgrading, otherwise rc.d(8) will lose track of the process.

2018/07/10 - error on bad '-netmask'/'-prefixlen' usage with route(8)

If you have specified these options before the address string in hostname.if(5) or some script, route(8) will now print an error message and exit. Make sure to change
route add -inet6 -prefixlen 56 2001:db8:: ::1 -blackhole
to:
route add -inet6 2001:db8:: -prefixlen 56 ::1 -blackhole
Otherwise, a route for 2001:db8::/64 would be installed, because the address string comes last and a default prefix length of 64 is currently implied for it. It is best to use proper CIDR notation.
route add -inet6 2001:db8::/56 ::1 -blackhole

2018/07/12 - _rad user and group added; reuses _btd uid/gid

The new _rad user recycles user and group ids of the "Bluetooth Daemon" user (_btd) removed in 2013. If you upgraded your system from all the way back then and never deleted the user and group, sysmerge(8) will complain:
running rc.sysmerge
**** Not adding group _rad, GID 94 already exists
**** Not adding user _rad, UID 94 already exists 
Delete the _btd user and group and run sysmerge again:
# userdel _btd
# groupdel _btd
# sysmerge

2018/07/15 - wpakey and hostname.if(5)

The ifconfig(8) utility encourages users of the wpakey keyword to use it on the same line as any join or nwid keywords. In particular, hostname.if(5) files should be adjusted:
nwid mynwid wpakey mywpakey

2018/07/17 - implicit prefix length removed from route(8)

Unless -prefixlen or CIDR notation is used, route(8) no longer interprets an IPv6 host address as /64 subnet.

Despite the manual page already stating correct behaviour, a route different from the specified destination string would be installed:

# route add 2001:db8:: ::1
add net 2001:db8::: gateway ::1
# route show -inet6 | grep 2001:db8
2001:db8::/64      localhost          UGS        0        0 32768     8 lo0
This behaviour was deprecated in 2003 by RFC 3587 and has now been fixed to take a host address as is:
2001:db8::         localhost          UGHS       0        0 32768     8 lo0
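
Both route(8) changes (2018/07/10 and 2018/07/17) affect existing route add lines in hostname.if(5) files and scripts. The following is an added example, not part of the original FAQ or of route(8), that classifies such lines; the function names, the status labels and the sample input are constructed, and it assumes that only -prefixlen and -netmask take an argument before the destination.

```sh
#!/bin/sh
# Added example (not from the OpenBSD FAQ): classify "route add" lines, e.g.
# from hostname.if(5), against the 2018/07/10 and 2018/07/17 changes.
# Assumption: before the destination, only -prefixlen/-netmask take an argument.

audit_route_lines() {	# reads lines on stdin, prints "STATUS line N: text"
	awk '
	{
		orig = $0
		sub(/^[ \t]*!/, "")		# hostname.if(5) commands start with "!"
		start = 0
		for (i = 1; i < NF; i++)
			if ($i ~ /route$/ && $(i + 1) == "add") { start = i + 2; break }
		if (!start) next
		dest = ""; early = 0; late = 0
		for (i = start; i <= NF; i++) {
			if ($i == "-prefixlen" || $i == "-netmask") {
				if (dest == "") early = 1; else late = 1
				i++			# skip the modifier argument
				continue
			}
			if ($i ~ /^-/ || dest != "") continue
			dest = $i			# first plain word is the destination
		}
		if (early)
			status = "ERROR"	# modifier before the address: route(8) now exits
		else if (dest ~ /:/ && dest !~ /\// && !late)
			status = "HOST"		# IPv6 without length: host route, formerly /64
		else
			status = "OK"
		printf "%s line %d: %s\n", status, NR, orig
	}'
}

sample_hostname_if() {	# constructed sample input
	cat <<'EOF'
inet6 2001:db8:1::2 64
!route add -inet6 -prefixlen 56 2001:db8:: ::1 -blackhole
!route add -inet6 2001:db8:: -prefixlen 56 ::1 -blackhole
!route add -inet6 2001:db8::/56 ::1 -blackhole
!route add 2001:db8:: ::1
EOF
}

sample_hostname_if | audit_route_lines
```

Lines reported as HOST are not errors; they are the ones whose installed route changes from a /64 to a host route and should be reviewed.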

$OpenBSD: current.html,v 1.929 2018/07/17 21:01:10 kn Exp $