OpenBSD Following -current and using snapshots [FAQ Index]

Active OpenBSD development is known as the -current branch. These sources are frequently compiled into releases known as snapshots.

Aggressive changes are sometimes pushed in this branch, and complications can arise when building the latest code or upgrading from a previous point in time. Some of the steps for getting over these hurdles are explained on this page. Make sure you've read and understand how to build the system from source before using -current and the instructions below.

In general, it's far easier to use snapshots, as developers will have gone through much of the trouble for you already.

You should always use a snapshot as the starting point for running -current. This process typically consists of downloading (and verifying) the appropriate bsd.rd file from the /snapshots/ directory of your preferred mirror, booting from it, and choosing (U)pgrade at the prompt. Any installed packages should then be upgraded after booting into the new system.

Upgrading to -current by compiling your own source code is not supported.

Most of these changes will have to be performed as root.

2018/04/04 - PF_TRANS_ALTQ removed

The obsolete PF_TRANS_ALTQ has been removed from net/pfvar.h. Several userland programs will need to be recompiled together with the kernel. Using a snapshot is highly recommended. To update from source, the following steps are needed:
  1. Build and install the kernel but do NOT reboot.
  2. Rebuild the affected programs:
    # cd /usr/src && make includes
    # cd /usr/src/sbin/pfctl && make clean && make && make install
    # cd /usr/src/usr.sbin/authpf && make clean && make && make install
    # cd /usr/src/usr.sbin/ftp-proxy && make clean && make && make install
    # cd /usr/src/usr.sbin/relayd && make clean && make && make install
    # cd /usr/src/usr.sbin/tftp-proxy && make clean && make && make install
  3. Reboot.

2018/04/11 - meaning of listen on * port 80 changed in httpd(8)

The meaning of listen on * port 80 changed from "listen on all IPv4 addresses" to "listen on all IPv4 and all IPv6 addresses". If listen on * port 80 is present, listen on :: port 80 needs to be removed. For example,
listen on * port 80
listen on :: port 80
must be changed to:
listen on * port 80

2018/04/20 - [packages] security/kc storage format change

The storage format of keychains has changed in a backward incompatible way. Dump all your keychains to xml before updating:
$ kc -k ~/.kc/default.kcd
<example_chain% > dump kcdump
Dump OK
<example_chain% > quit
After updating follow the instructions in /usr/local/share/doc/kc/Changelog.

2018/05/03 - [packages] sysutils/apcupsd has SMTP client removed

The ${PREFIX}/sbin/smtp was removed from apcupsd package in favor of smtp(1). The programs are not option-compatible, so any scripts using "smtp" command require adjustment.

2018/05/22 - [packages] PHP default version changed

With a few exceptions, most packages using PHP have switched to using PHP 7.0 dependencies by default. Because extension modules (now including PECL modules) are packaged for multiple PHP versions, most existing PHP programs will work as-is, but to avoid confusion and benefit from improvements to PHP you should switch your system across:
  1. Merge local configuration changes from /etc/php-5.6.ini to /etc/php-7.0.ini. It may be useful to diff(1) against the original file in /usr/local/share/examples/php-5.6/php.ini-production.
  2. Create new symlinks for extension modules as described in the "extension modules" section of /usr/local/share/doc/pkg-readmes/php-7.0*.
  3. Switch to running the new version. If using php-fpm:
      # rcctl disable php56_fpm; rcctl enable php70_fpm
      # rcctl stop php56_fpm; rcctl start php70_fpm
    If using the module for Apache httpd, update the symlink for /var/www/conf/modules/php.conf as shown in the pkg-readme.

2018/05/24 - smtpd.conf(5) grammar has changed in smtpd(8)

The smtpd.conf(5) file needs to be adapted to use the new grammar.

The change is mostly mechanical and requires splitting current rules into actions and matching patterns, examples are available in the man page.

Authenticated users are no longer considered as local users, if your configuration file allows remote users to authenticate and send mail, an explicit rule must be written to match these.

smtpd(8) supported LMTP both as a relaying protocol and as a local delivery method. The local delivery method was implemented within the daemon and not as an MDA, it no longer does and must be used through the 'mda' action:

action lmtp-local mda "/usr/libexec/mail.lmtp [...]"
The mail.lmtp(8) MDA provides all the features that used to be supported interally by smtpd(8).

2018/05/27 - [packages] PHP packaging changes

The PHP module for Apache HTTPD has moved from the main PHP package into a separate "php-apache" package. If you use this module, install the relevant version (pkg_add php-apache%7.0 or pkg_add php-apache%5.6). FPM and CLI remain in the main PHP package.

2018/05/30 - smtpd.conf(5) LMTP action introduced

With the recent grammar change, LMTP support was re-implemented as an external mail delivery agent and required being configured using the 'mda' action:
action lmtp-local mda "/usr/libexec/mail.lmtp [...]"
The grammar has been extended to provide an LMTP action hiding the details behind the mail.lmtp(8) MDA. The LMTP action is documented in smtpd.conf(5) and looks as follow:
action lmtp-local lmtp localhost:25
In addition, the unix: and inet: prefixes which were used in LMTP destinations to distinguish between a UNIX socket or a network socket have been removed.

2018/06/01 - smtpd.conf(5) 'set' and 'limit' removed as main keywords

The grammar allowed setting options of components with the 'set' keyword:
set queue compression
set mta max-deferred 100
The keyword brought no value and was dropped in favor of component namespaces:
queue compression
mta max-deferred 100
In addition, the 'limit' option which could be used with mta:
limit mta session-transaction-delay 0
is now an option within the 'mta' namespace:
mta limit session-transaction-delay 0

2018/06/04 - New sysctl/mixerctl settings to control audio recording

Due to privacy concerns from some, audio recording has been disabled by default. It may be reenabled system-wide like this:
# sysctl # enable at runtime
# echo >> /etc/sysctl.conf # set at boot
Finer-grained controls are available using mixerctl(1) which allows setting record.enable for each mixer device to off (always off), on (always on), or sysctl (default: follow state of the sysctl).

2018/06/06 - [amd64] New clang compiler feature

The retguard compiler feature has been implemented on the amd64 platform. Using a snapshot is highly recommended. To update from source, first verify if your clang is recent enough to understand the -fno-ret-protector flag:
$ echo 'int main() {return 0;}' | cc -fno-ret-protector -x c -
If there is no error in the output, then proceed with a normal source upgrade as usual. If the output includes the error cc: error: unknown argument: '-fno-ret-protector' then follow the procedure below.
  1. Build and install the kernel. Reboot.
  2. Edit /usr/src/gnu/usr.bin/clang/ and comment out the -fno-ret-protector option:
    # cd /usr/src/gnu/usr.bin/clang
    # sed -i.head s/-fno-ret-protector/'#-fno-ret-protector'/
  3. Build and install clang:
    # cd /usr/src/gnu/usr.bin/clang
    # make
    # make install
  4. Restore the original clang
    # cd /usr/src/gnu/usr.bin/clang
    # mv
  5. Build the system as usual.

2018/06/13 - bgpd configuration change

By default bgpd(8), without explicit policy configuration, will deny both incoming and outgoing UPDATES. See RFC 8212 for more information.

The following configuration directives have been deprecated (but will be accepted for backwards compatibility) announce all, announce none, and announce default-route. Furthermore the announce self directive has been removed. Explicit use of announce self will result in a syntax error preventing bgpd(8) from starting. Users are advised to review and update /etc/bgpd.conf before upgrading.

It is possible to write configuration files that are valid and functionally the same both before and after the update.

Before updating:

  1. Mimic the new behavior of the updated bgpd(8) by adding deny from any and deny to any to the top of the filter ruleset. (After the update these rules are implicitly added to the filter)
  2. Replace all instances of announce self with announce all.
  3. Ensure that the filter ruleset only allows correct announcements to and from EBGP neighbors by explicitly specifying the prefixes to be imported from and exported to EBGP neighbors using prefix-set and large-community (or community).
  4. Add announce all to all neighbors for which neither announce none nor announce default-route is specified (the implicit default for EBGP peers was announce self). You can confirm that you haven't missed any:
    # bgpd -nvf /etc/bgpd.conf | grep -B4 'announce self'
The resulting config should now be ready for the upgrade. It is recommended to review /etc/examples/bgpd.conf for an example how BGP communities and prefix-set can be used in simple network designs.


  1. Remove all announce all directives from the configuration
  2. The deny from all and deny to any rules at the top of the ruleset filter are redundant after the update (and as such could be removed), but leaving those may improve readability of the configuration.

2018/06/13 - httpd.conf(5) 'root strip' option renamed

To be semantically correct, the 'root strip' option has been renamed to 'request strip'. For example, the following configuration block is needed for acme-client(1):
location "/.well-known/acme-challenge/*" {
	root "/acme"
	request strip 2

2018/06/18 - slaacd(8) fully pledged

slaacd(8)'s main process is now pledged and uses the new "wroute;" promise. Make sure to have a current kernel or update via snapshots.
$OpenBSD: current.html,v 1.917 2018/06/18 17:07:03 sthen Exp $