OpenBSD 5.0
Released Nov 1, 2011
Copyright 1997-2011, Theo de Raadt.
ISBN 978-0-9784475-8-8
5.0 Song: "What Me Worry?"
- Order a CDROM from our ordering system.
- See the information on The FTP page for
a list of mirror machines.
- Go to the pub/OpenBSD/5.0/ directory on
one of the mirror sites.
- Briefly read the rest of this document.
- Have a look at The 5.0 Errata page for a list
of bugs and workarounds.
- See a detailed log of changes between the
4.9 and 5.0 releases.
All applicable copyrights and credits can be found in the applicable
file sources found in the files src.tar.gz, sys.tar.gz,
xenocara.tar.gz, or in the files fetched via ports.tar.gz. The
distribution files used to build packages from the ports.tar.gz file
are not included on the CDROM because of lack of space.
What's New
This is a partial list of new features and systems included in OpenBSD 5.0.
For a comprehensive list, see the changelog leading
to 5.0.
- Improved hardware support, including:
- MSI interrupts for many devices, on those architectures which can
support them (amd64, i386, sparc64 only so far).
- A new dma_alloc(9) API makes it easier for kernel code to allocate
dma-safe memory. Many drivers (especially network drivers) and
subsystems (in particular scsi and the buffer cache) were adapted
to use this.
- As a result, big-memory support has been enabled on all possible
architectures.
- The rather rare bce(4) driver now copies mbufs all the time, to cope
with the hardware having a 1GB limit.
- Added hds(4), a driver for Hitachi Modular Storage SCSI devices.
- Added myx(4), a driver for the Myricom Myri-10G 10GB Ethernet devices.
- Added dfs(4), a driver for Dynamic Frequency Switching on some macppc
systems.
- cardbus(4) and pcmcia(4) support on sgi.
- Suspend/resume support on Loongson Yeelong laptops.
- Generic network stack improvements:
- Added support for sending Wake on Lan packets using arp(8).
- Permit turning Wake on Lan support on/off using ifconfig(8).
- Added Wake on Lan support to xl(4), re(4), and vr(4).
- Allow ftp-proxy(8) to proxy across rdomains.
- The IPv4 stack will no longer accept ICMP redirects when
acting as a router.
- By default the IPv6 stack will not process ICMP6 redirects.
rtsol(8) will turn it back on if -F is used.
- Reworked large parts of the dhclient(8) options processing for better
interoperability.
- Fixed carp(4) to work in IPv6-only setups.
- Make it possible to bind(2) to the local network broadcast address
on datagram and raw sockets.
- The default multicast reject route is now ignored if the UDP socket
uses the IP_MULTICAST_IF socket option.
- Make gre(4) work between systems in the same LAN.
- Removed the special link1 addressing mode on lo(4).
- Kernel randomization speed and quality improved substantially.
- Routing daemons and other userland network improvements:
- bgpd(8) no longer bumps the rlimits: the rc.d framework respects
login classes which is a much better solution.
- Correctly set the network filtersets on reload in bgpd(8).
- The routing socket now sends RTM_DESYNC messages if the
socket buffer overflows.
- Allow ospfd(8) to send out LS updates and other messages
larger than the MTU.
- Fixed nexthop calculation in ospfd(8) for directly connected P2P links.
- First bits to support opaque LSA in ospfd(8). Only basic redistribute
logic and LSDB handling for now.
- Creating new interfaces will no longer cause a fatal error in ospf6d(8).
- ospf6d(8) handles link-state changes better.
- Better loopback handling in ospf6d(8).
- No longer install extra multicast routes in ripd(8) and ldpd(8).
- Make kqueue(2) work with sosplice(9).
- Enabled sosplice(9) in relayd(8) for TCP.
- Added support for divert-to which provides some benefits over
rdr-to in relayd(8).
- Fixed trap sending in snmpd(8).
- Make ping6(8) compare the minimum number of bytes between what
was received and what was sent out.
- Make traceroute(8) with type-of-service set (-t) display
a message if the returned packet has a different tos type.
- Added the socket splicing fields of struct socket to netstat -vP output.
- pf(4) improvements:
- Make pf(4) reassemble IPv6 fragments. In the forward case, pf
refragments the packets with the same maximum size.
- Allow pf(4) to filter on the rdomain a packet belongs to.
- Make pf(4) allow userland proxies to establish cross rdomain
proxy sessions.
- Added IPv6 ACK prioritization in pf(4).
- Change 'set skip on <...>' to work with interface groups.
- pfsync(4) supports IPv6 as network protocol.
- Switched ftp-proxy(8) over to divert-to instead of rdr-to.
- tftp-proxy(8) uses 'divert-to' as well.
- SCSI improvements:
- Most SCSI hardware drivers now use the new iopools infrastructure.
- scsi(4) devices are now all provided with a unique devid, which
is displayed during the probe process.
- ASC/ASCQ error codes and verbiage now in sync with
http://www.t10.org/lists/asc-num.txt.
- Progress on iSCSI includes better login, better logout, preliminary
FSM support in iscsid(8), and improved logging and debug information.
- uk(4) can now safely and reliably detach an unknown SCSI device.
- mpath(4) device and kernel support is improved.
- vscsi(4) now ensures output always goes to the correct connection.
- vscsi(4) connections can now be reset gracefully.
- scsi(4) devices on fibre channel fabrics no longer inherit the adapter's
address.
- Assorted improvements:
- For additional security, security(8) was rewritten in Perl.
- Mandoc 1.11.4: Now accepts eqn(7) input (no fancy formatting yet)
and supports -Tutf8 output (but no utf8 input yet).
- Removed a variety of OS-compat emulation code, leaving just the Linux
support.
- Small improvements to Linux compat (only available on i386).
- Improved our own pkg-config(1) implementation with extended comparison
scheme and implementing various new options.
- The math library, libm, was fully fleshed out to support all C99 required
parts. Many bugs for various architectures were fixed along the way.
- malloc(3) is a lot faster and has a few further security features (more
randomization, as well as the 'S' flag to enable all paranoia checks).
- 'make depend' is no longer necessary in kernel compilation directories
since the dependencies are calculated automatically.
- Increased the default size of the buffer cache.
- kqueue(2) now works on /dev/random and spliced sockets.
- On MBR-based disks, scan through up to 256 extended partition tables
when looking for an OpenBSD partition table.
- Added POSIX 2008 fdopendir(3) and openat(2) functions, as well as the
O_CLOEXEC, O_DIRECTORY, and F_DUPFD_CLOEXEC flags.
- Improved lint format string checks and added a few other checks.
- kdump(1) now dumps stat and sockaddr structures, sysctl mib
strings, and decodes syscall flags and operation bits.
- Improved kernel pool debug checking.
- Improved correctness of signals and various syscalls when rthreads
are in use.
- Kernel malloc(9) space and stacks moved to non-dma memory.
- Fixed some shutdown/reboot hangs on NFS clients.
- UNIX-domain socket paths are now guaranteed to be NUL-terminated.
- Added support for *wprintf(3), wcs{,n}casecmp(3), and wcsdup(3).
- NULL is now a (void *).
- Install/Upgrade process changes:
- Completed support for DUID disk installs, and enabled it fully.
- Tried to make sysmerge(8) work in the installer, but ran into small
problems and decided to disable it.
- Install non-free firmwares from the internet upon first boot, based on a
question in the installer.
- svnd(4)-like behaviour became the default for vnd(4) devices. This is
what is used to build the media.
- rc.d(8) framework improvements:
- rc.d(8) is now also used for the base system daemons.
- Backward compatible with the historic way of starting daemons.
- Notify the user by appending (ok) or (failed) in interactive mode.
- Better diagnostics with the introduction of RC_DEBUG.
- OpenSSH 5.9:
- New features:
- Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory
restrictions on the syscalls the privsep child can perform.
- Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
and hmac-sha2-512-96, and are available by default in ssh(1) and sshd(8).
- The pre-authentication sshd(8) privilege separation slave process now logs
via a socket shared with the master process, avoiding the need to maintain
/dev/log inside the chroot.
- ssh(1) now warns when a server refuses X11 forwarding.
- sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated
by whitespace. The undocumented AuthorizedKeysFile2 option is deprecated
(though the default for AuthorizedKeysFile includes .ssh/authorized_keys2).
- sshd_config(5): similarly deprecate UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile and GlobalKnownHostsFile
accept multiple options and default to include known_hosts2.
- sshd_config(5)'s ControlPath option now expands %L to the host portion of
the destination host name.
- sshd_config(5) "Host" options now support negated Host matching.
- sshd_config(5): a new RequestTTY option provides control over when a TTY is
requested for a connection, similar to the existing -t/-tt/-T ssh(1)
commandline options.
- ssh-keygen(1): Add -A option. For each of the key types (rsa1, rsa, dsa and
ecdsa) for which host keys do not exist, generate the host keys with the
default key file path, an empty passphrase, default bits for the key type,
and default comment. This is useful for system initialisation scripts.
- ssh(1): Allow graceful shutdown of multiplexing: request that a mux server
removes its listener socket and refuse future multiplexing requests but
don't kill existing connections. This may be requested using
"ssh -O stop ...".
- ssh-add(1): now accepts keys piped from standard input.
- The following significant bugs have been fixed in this release:
- Retain key comments when loading v.2 keys. These will be visible in
"ssh-add -l" and other places. (bz#439)
- ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as IPv4
ToS/DSCP). (bz#1855)
- sshd(8): allow GSSAPI authentication to detect when a server-side failure
causes authentication failure and don't count such failures against
MaxAuthTries. (bz#1244)
- ssh-keysign(8): now signs hostbased authentication challenges correctly
using ECDSA keys. (bz#1858)
- sftp(1): document that sftp accepts square brackets to delimit addresses
(useful for IPv6). (bz#1847a)
- ssh(1): when using session multiplexing, the master process will change its
process title to reflect the control path in use and when a
ControlPersist-ed master is waiting to close. (bz#1883 and bz#1911)
- Other minor bugs fixed: bz#1849, bz#1861, bz#1862, bz#1869, bz#1875,
bz#1878, bz#1879, bz#1892, bz#1900, bz#1905, and bz#1913.
- Over 7,200 ports, major robustness and speed improvements in package tools.
- Many pre-built packages for each architecture:
- i386: 7008
- sparc64: 6456
- alpha: 6046
- sh: 3721
- amd64: 6960
- powerpc: 6691
- sparc: 3277
- arm: 2963
- hppa: 6125
- vax: 1409
- mips64: 5689
- mips64el: 5709
- Some highlights:
- Gnome 2.32.2
- KDE 3.5.10
- Xfce 4.8.0
- MySQL 5.1.54
- PostgreSQL 9.0.5
- Postfix 2.8.4
- OpenLDAP 2.3.43 and 2.4.25
- Mozilla Firefox 3.5.19, 3.6.18 and 5.0
- Mozilla Thunderbird 5.0
- GHC 7.0.4
- LibreOffice 3.4.1.3
- Emacs 21.4, 22.3 and 23.3
- Vim 7.3.154
- PHP 5.2.17 and 5.3.6
- Python 2.4.6, 2.5.4 and 2.7.1
- Ruby 1.8.7.352 and 1.9.2.200
- Tcl 8.5.9
- Jdk 1.7
- Mono 2.10.2
- Chromium 12.0.742.122
- Groff 1.21
- As usual, steady improvements in manual pages and other documentation.
- Base system and Xenocara manuals are now installed as source code,
making grep(1) more useful in /usr/share/man/ and /usr/X11R6/man/.
- If both formatted and source versions of manuals are installed,
man(1) automatically displays the newer version of each page.
- The system includes the following major components from outside suppliers:
- Xenocara (based on X.Org 7.6 with xserver 1.9 + patches,
freetype 2.4.5, fontconfig 2.8.0, Mesa 7.8.2, xterm 270,
xkeyboard-config 2.3 and more)
- Gcc 2.95.3 (+ patches), 3.3.5 (+ patches) and 4.2.1 (+ patches)
- Perl 5.12.2 (+ patches)
- Our improved and secured version of Apache 1.3, with
SSL/TLS and DSO support
- OpenSSL 1.0.0a (+ patches)
- Sendmail 8.14.5, with libmilter
- Bind 9.4.2-P2 (+ patches)
- Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
- Sudo 1.7.2p8
- Ncurses 5.7
- Heimdal 0.7.2 (+ patches)
- Arla 0.35.7
- Binutils 2.15 (+ patches)
- Gdb 6.3 (+ patches)
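The POSIX 2008 additions listed above under "Assorted improvements" (fdopendir(3), openat(2), O_CLOEXEC, O_DIRECTORY and F_DUPFD_CLOEXEC) let a program hold a directory handle and open entries relative to it, without leaking descriptors to exec'd programs. The following C code is an added example, not code from OpenBSD; the function names are hypothetical, and it also uses symlinkat(), unlinkat(), O_NOFOLLOW and O_NONBLOCK, which the page does not list.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L     /* expose the POSIX 2008 interfaces */
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* O_DIRECTORY fails with ENOTDIR on anything but a directory; O_CLOEXEC sets
 * close-on-exec atomically, leaving no window before a separate fcntl(). */
int open_dir_cloexec(const char *path)
{
    return open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

/* Count regular files under dirfd. Each lookup is relative to the handle, so
 * renaming or replacing the directory's path cannot redirect it. */
int count_regular_files(int dirfd)
{
    /* fdopendir() takes ownership of its descriptor: give it a duplicate. */
    int count = 0, scanfd = fcntl(dirfd, F_DUPFD_CLOEXEC, 0);
    struct dirent *ent;
    DIR *dir;

    if (scanfd == -1 || (dir = fdopendir(scanfd)) == NULL) {
        close(scanfd);              /* harmless EBADF if the dup failed */
        return -1;
    }
    rewinddir(dir);                 /* the duplicate shares dirfd's offset */
    while ((ent = readdir(dir)) != NULL) {
        struct stat st;
        /* O_NOFOLLOW/O_NONBLOCK: follow no symlink, never block on a FIFO */
        int fd = openat(dirfd, ent->d_name,
                        O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
        if (fd == -1)
            continue;               /* symlink, vanished entry or no access */
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
            count++;
        close(fd);
    }
    closedir(dir);                  /* closes scanfd; dirfd stays open */
    return count;
}

/* Constructed sample: a scratch directory with two files and a symlink to one
 * of them. Returns the regular-file count (2; the symlink is not followed). */
int demo(void)
{
    char dirpath[] = "/tmp/openat-demo.XXXXXX";
    const char *names[] = { "a.txt", "b.txt", "link" };
    int dirfd, n, i;
    if (mkdtemp(dirpath) == NULL || (dirfd = open_dir_cloexec(dirpath)) == -1)
        return -1;
    for (i = 0; i < 2; i++)
        close(openat(dirfd, names[i], O_WRONLY | O_CREAT | O_CLOEXEC, 0600));
    symlinkat("a.txt", dirfd, "link");
    n = count_regular_files(dirfd);
    for (i = 0; i < 3; i++)
        unlinkat(dirfd, names[i], 0);   /* remove the constructed entries */
    close(dirfd);
    rmdir(dirpath);
    return n;
}
```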
How to install
Following this are the instructions which you would have on a piece of
paper if you had purchased a CDROM set instead of doing an alternate
form of install. The instructions for doing an FTP (or other style
of) install are very similar; the CDROM instructions are left intact
so that you can see how much easier it would have been if you had
purchased a CDROM instead.
Please refer to the following files on the three CDROMs or FTP mirror for
extensive details on how to install OpenBSD 5.0 on your machine:
- CD1:5.0/i386/INSTALL.i386
- CD2:5.0/amd64/INSTALL.amd64
- CD2:5.0/macppc/INSTALL.macppc
- CD3:5.0/sparc64/INSTALL.sparc64
- FTP:.../OpenBSD/5.0/alpha/INSTALL.alpha
- FTP:.../OpenBSD/5.0/armish/INSTALL.armish
- FTP:.../OpenBSD/5.0/hp300/INSTALL.hp300
- FTP:.../OpenBSD/5.0/hppa/INSTALL.hppa
- FTP:.../OpenBSD/5.0/landisk/INSTALL.landisk
- FTP:.../OpenBSD/5.0/loongson/INSTALL.loongson
- FTP:.../OpenBSD/5.0/mvme68k/INSTALL.mvme68k
- FTP:.../OpenBSD/5.0/mvme88k/INSTALL.mvme88k
- FTP:.../OpenBSD/5.0/sgi/INSTALL.sgi
- FTP:.../OpenBSD/5.0/socppc/INSTALL.socppc
- FTP:.../OpenBSD/5.0/sparc/INSTALL.sparc
- FTP:.../OpenBSD/5.0/vax/INSTALL.vax
- FTP:.../OpenBSD/5.0/zaurus/INSTALL.zaurus
Quick installer information for people familiar with OpenBSD, and the
use of the "disklabel -E" command. If you are at all confused when
installing OpenBSD, read the relevant INSTALL.* file as listed above!
OpenBSD/i386:
Play with your BIOS options to enable booting from a CD. The OpenBSD/i386
release is on CD1. If your BIOS does not support booting from CD, you will need
to create a boot floppy to install from. To create a boot floppy write
CD1:5.0/i386/floppy50.fs to a floppy and boot via the floppy drive.
Use CD1:5.0/i386/floppyB50.fs instead for greater SCSI controller
support, or CD1:5.0/i386/floppyC50.fs for better laptop support.
If you can't boot from a CD or a floppy disk,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.
To make a boot floppy under MS-DOS, use the "rawrite" utility located
at CD1:5.0/tools/rawrite.exe. To make the boot floppy under a Unix OS,
use the dd(1) utility. The following is an example usage of dd(1),
where the device could be "floppy", "rfd0c", or "rfd0a".
# dd if=<file> of=/dev/<device> bs=32k
Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or
your install will most likely fail. For more information on creating a boot
floppy and installing OpenBSD/i386 please refer to
FAQ 4.3.2.
OpenBSD/amd64:
The 5.0 release of OpenBSD/amd64 is located on CD2.
Boot from the CD to begin the install - you may need to adjust
your BIOS options first.
If you can't boot from the CD, you can create a boot floppy to install from.
To do this, write CD2:5.0/amd64/floppy50.fs to a floppy, then
boot from the floppy drive.
If you can't boot from a CD or a floppy disk,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
OpenBSD/macppc:
Put CD2 in your CDROM drive and power on your machine while holding down the
C key until the display turns on and shows OpenBSD/macppc boot.
Alternatively, at the Open Firmware prompt, enter
boot cd:,ofwboot /5.0/macppc/bsd.rd
OpenBSD/sparc64:
Put CD3 in your CDROM drive and type boot cdrom.
If this doesn't work, or if you don't have a CDROM drive, you can write
CD3:5.0/sparc64/floppy50.fs or CD3:5.0/sparc64/floppyB50.fs
(depending on your machine) to a floppy and boot it with
boot floppy. Refer to INSTALL.sparc64 for details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
You can also write CD3:5.0/sparc64/miniroot50.fs to the swap partition on
the disk and boot with boot disk:b.
If nothing works, you can boot over the network as described in INSTALL.sparc64.
OpenBSD/alpha:
Write FTP:5.0/alpha/floppy50.fs or
FTP:5.0/alpha/floppyB50.fs (depending on your machine) to a diskette and
enter boot dva0. Refer to INSTALL.alpha for more details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
OpenBSD/armish:
After connecting a serial port, Thecus can boot directly from the network
via either tftp or http. Configure the network using fconfig, reset,
then load bsd.rd; see INSTALL.armish for specific details.
IOData HDL-G can only boot from an EXT-2 partition. Boot into Linux
and copy 'boot' and bsd.rd into the first partition on wd0 (hda1)
then load and run bsd.rd, preserving the wd0i (hda1) ext2fs partition.
More details are available in INSTALL.armish.
OpenBSD/hp300:
OpenBSD/hppa:
OpenBSD/landisk:
Write miniroot50.fs to the start of the CF
or disk, and boot normally.
OpenBSD/loongson:
Write miniroot50.fs to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
OpenBSD/mvme68k:
You can create a bootable installation tape or boot over the network.
The network boot requires a MVME68K BUG version that supports the NIOT
and NBO debugger commands. Follow the instructions in INSTALL.mvme68k
for more details.
OpenBSD/mvme88k:
You can create a bootable installation tape or boot over the network.
The network boot requires a MVME88K BUG version that supports the NIOT
and NBO debugger commands. Follow the instructions in INSTALL.mvme88k
for more details.
OpenBSD/sgi:
To install on an O2, burn cd50.iso on a CD-R, put it in the CD drive of your
machine and select Install System Software from the System Maintenance
menu.
On other systems, or if your machine doesn't have a CD drive, you can
set up a DHCP/tftp network server, and boot using "bootp()/bsd.rd.IP##" using
the kernel matching your system type.
Refer to the instructions in INSTALL.sgi for more details.
OpenBSD/socppc:
After connecting a serial port, boot over the network via DHCP/tftp.
Refer to the instructions in INSTALL.socppc for more details.
OpenBSD/sparc:
Boot from one of the provided install ISO images, using one of the two
commands listed below, depending on the version of your ROM.
ok boot cdrom 5.0/sparc/bsd.rd
or
> b sd(0,6,0)5.0/sparc/bsd.rd
If your SPARC system does not have a CD drive, you can alternatively boot from floppy.
To do so you need to write floppy50.fs to a floppy.
For more information see FAQ 4.3.2.
To boot from the floppy use one of the two commands listed below,
depending on the version of your ROM.
ok boot floppy
or
> b fd()
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
If your SPARC system has neither a floppy drive nor a CD drive, you can either
set up a bootable tape or install via the network, as described in the
INSTALL.sparc file.
OpenBSD/vax:
Boot over the network via mopbooting as described in INSTALL.vax.
OpenBSD/zaurus:
Using the Linux built-in graphical ipkg installer, install the
openbsd50_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus
for a few important details.
Notes about the source code:
src.tar.gz contains a source archive starting at /usr/src. This file
contains everything you need except for the kernel sources, which are
in a separate archive. To extract:
# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here. Using these files results in a much faster initial CVS
update than you could expect from a fresh checkout of the full OpenBSD
source tree.
How to upgrade
If you already have an OpenBSD 4.9 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
Upgrade Guide.
Ports Tree
A ports tree archive is also provided. To extract:
# cd /usr
# tar xvfz /tmp/ports.tar.gz
# cd ports
The ports/ subdirectory is a checkout of the OpenBSD ports tree. Go
read the ports page if you know nothing about ports at this point.
This text is not a manual of how to use ports. Rather, it is a set of
notes meant to kickstart the user on the OpenBSD ports system.
The ports/ directory represents a CVS (see the manpage for
cvs(1) if
you aren't familiar with CVS) checkout of our ports. As with our complete
source tree, our ports tree is available via anoncvs. So, in
order to keep current with it, you must make the ports/ tree
available on a read-write medium and update the tree with a command
like:
# cd [portsdir]/; cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_5_0
[Of course, you must replace the local directory and server name here
with the location of your ports collection and a nearby anoncvs
server.]
Note that most ports are available as packages through FTP. Updated
packages for the 5.0 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list ports@openbsd.org is a good
place to start.