About me: My name is Solène Rapenne, pronouns she/her. I like learning and sharing knowledge. Hobbies: '(NixOS BSD OpenBSD Lisp cmdline gaming internet-stuff). I love percent and lambda characters. OpenBSD developer solene@.

Contact me: solene+www at dataswamp dot org or @solene@bsd.network (mastodon). If for some reason you want to support my work, this is my paypal address: donate@perso.pw.

How to trigger services restart after OpenBSD update

Written by Solène, on 25 September 2022.
Tags: #openbsd #security #deployment


Introduction §

Keeping an OpenBSD system up-to-date requires two daily operations:

  • updating the base system with the command: /usr/sbin/syspatch
  • updating the packages (if any) with the command: /usr/sbin/pkg_add -u

However, OpenBSD isn't very friendly with regard to what to do after upgrading: modified binaries should be restarted to use the new code, and a new kernel requires a reboot.

It's not useful to update if the newer binaries are never used.

Syspatch reboot §

I wrote a small script to automatically reboot if syspatch deployed a new kernel. Instead of running syspatch from a cron job, you can run a script with this content:

#!/bin/sh

# Run syspatch and keep its output so it can be inspected afterwards.
OUT=$(/usr/sbin/syspatch)
SUCCESS=$?

# Only reboot when syspatch succeeded and reported that a reboot is needed
# (which it does when a new kernel was installed).
if [ "$SUCCESS" -eq 0 ]
then
    if echo "$OUT" | grep -q reboot
    then
        reboot
    fi
fi

It's not much, it runs syspatch and if the output contains "reboot", then a reboot of the system is done.

Binaries restart §

It's getting more complicated when a running program is updated, whether it's a service with a rc.d script, or a program currently in use.

It would be nice to have something that helps restart them appropriately; for now I use the program checkrestart in a script like this:

checkrestart | grep smtpd && rcctl restart smtpd
checkrestart | grep httpd && rcctl restart httpd
checkrestart | grep dovecot && rcctl restart dovecot
checkrestart | grep lua && rcctl restart prosody

This works well for system services, except when the binary is different from the service name like for prosody, in which case you must know the exact name of the binary.

But for long-lived commands like a 24/7 emacs or an IRC client, there isn't any mechanism to handle it. At best, you can email yourself the checkrestart output, or run checkrestart upon SSH login.
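As an added example (my own script, not code from the original post) covering both the service-name mismatch and the long-lived processes above: the binary-to-service mapping lives in a table, so the prosody/lua case is data rather than a special-cased line, and processes with no entry are listed separately so they can be mailed to the administrator. It assumes checkrestart prints one process per line with the command name as the last word; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumption: checkrestart
# prints one process per line and the command name is the last word.

# One "binary:service" pair per line. Binaries not listed are never
# restarted automatically; they are reported by unmapped_processes instead.
SERVICE_MAP="smtpd:smtpd
httpd:httpd
dovecot:dovecot
lua:prosody"

# last_word prints the last whitespace-separated word of its argument,
# without any directory part (/usr/sbin/smtpd -> smtpd).
last_word() {
    for w in $1; do bin=$w; done
    printf '%s\n' "${bin##*/}"
}

# lookup_service prints the rc.d service for binary $1, nothing if unmapped.
lookup_service() {
    printf '%s\n' "$SERVICE_MAP" | while IFS=: read -r b svc; do
        if [ "$b" = "$1" ]; then printf '%s\n' "$svc"; fi
    done
}

# services_to_restart reads checkrestart-style output on stdin and prints
# the distinct rc.d service names to restart, one per line, sorted.
services_to_restart() {
    while read -r line; do lookup_service "$(last_word "$line")"; done | sort -u
}

# unmapped_processes reads the same input and prints the lines whose binary
# has no table entry: the ones a human has to deal with (mail, login banner).
unmapped_processes() {
    while read -r line; do
        if [ -z "$(lookup_service "$(last_word "$line")")" ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample of what checkrestart could report after pkg_add -u.
SAMPLE_OUTPUT="12345 /usr/sbin/smtpd
23456 lua
34567 lua
45678 emacs"

# On a real host, e.g.:
#   checkrestart | services_to_restart | xargs -n1 rcctl restart
#   checkrestart | unmapped_processes  | mail -s "processes to restart" root
```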