About me: My name is Solène Rapenne, pronouns she/her. I like learning and sharing knowledge. Hobbies: '(BSD OpenBSD Qubes OS Lisp cmdline gaming security QubesOS internet-stuff). I love percent and lambda characters. Qubes OS core team member, former OpenBSD developer solene@. No AI is involved in this blog.

Contact me: solene at dataswamp dot org or @solene@bsd.network (mastodon).

I'm a freelance OpenBSD, FreeBSD, Linux and Qubes OS consultant, this includes DevOps, DevSecOps, technical writing or documentation work. If you enjoy this blog, you can sponsor my open source work financially so I can write this blog and contribute to Free Software as my daily job.

How to trigger services restart after OpenBSD update

Written by Solène, on 25 September 2022.
Tags: #openbsd #security #deployment

Comments on Fediverse/Mastodon

1. Introduction §

Keeping an OpenBSD system up-to-date requires two daily operation:

  • updating the base system with the command: /usr/sbin/syspatch
  • updating the packages (if any) with the command: /usr/sbin/pkg_add -u

However, OpenBSD isn't very friendly with regard to what to do after upgrading: modified binaries should be restarted to use the new code, and a new kernel requires an upgrade

It's not useful to update if the newer binaries are never used.

2. Syspatch reboot §

I wrote a small script to automatically reboot if syspatch deployed a new kernel. Instead of running syspatch from a cron job, you can run a script with this content:

#!/bin/sh

OUT=$(/usr/sbin/syspatch)
SUCCESS=$?

if [ "$SUCCESS" -eq 0 ]
then
    if echo "$OUT" | grep reboot >/dev/null
    then
        reboot
    fi
fi

It's not much, it runs syspatch and if the output contains "reboot", then a reboot of the system is done.

3. Binaries restart §

It's getting more complicated when a running program is updated, whether it's a service with a rc.d script, or a program currently in use.

This would be nice to see something to help to restart them appropriately, I currently use the program checkrestart in a script like this:

checkrestart | grep smtpd && rcctl restart smtpd
checkrestart | grep httpd && rcctl restart httpd
checkrestart | grep dovecot && rcctl restart dovecot
checkrestart | grep lua && rcctl restart prosody

This works well for system services, except when the binary is different from the service name like for prosody, in which case you must know the exact name of the binary.

But for long-lived commands like a 24/7 emacs or an IRC client, there isn't any mechanism to handle it. At best, you can email you checkrestart output, or run checkrestart upon SSH login.