OpenBSD 5.1

Released May 1, 2012
Copyright 1997-2012, Theo de Raadt.
ISBN 978-0-9784475-9-5
5.1 Song: "Bug Busters"

• Order a CDROM from our ordering system.
• See the information on The FTP page for a list of mirror machines.
• Go to the pub/OpenBSD/5.1/ directory on one of the mirror sites.
• Briefly read the rest of this document.
• Have a look at The 5.1 Errata page for a list of bugs and workarounds.
• See a detailed log of changes between the 5.0 and 5.1 releases.

All applicable copyrights and credits can be found in the applicable file sources found in the files src.tar.gz, sys.tar.gz, xenocara.tar.gz, or in the files fetched via ports.tar.gz. The distribution files used to build packages from the ports.tar.gz file are not included on the CDROM because of lack of space.

What's New

This is a partial list of new features and systems included in OpenBSD 5.1. For a comprehensive list, see the changelog leading to 5.1.

• Improved hardware support, including:
  • umsm(4) supports additional mobile broadband devices.
  • Non-GigE ale(4) devices can now establish link to a GigE link partner.
  • Support for Intel 82580 has been added to em(4).
  • Support for MegaRAID 9240 has been added to mfi(4).
  • Support for Nuvoton NCT6776F has been added to lm(4).
  • Support for Centrino Advanced-N 6205 has been added to iwn(4).
  • Support for SiS 1182/1183 SATA has been added to pciide(4).
  • Support for Synaptics touch pads through the synaptics(4) X.Org input driver is now enabled by default.
  • Support for Intel Sandy Bridge integrated graphics cards has been added to the intel(4) X.Org driver.
  • Assembler implementation of the AES-GCM mode for new Intel and future AMD CPUs has been added.
  • usb(4) probes bus after resume, improves functionality for some laptops.

• Generic network stack improvements:
  • RFC4638 MTU negotiation for pppoe(4).
  • npppdctl(8) replaced with npppctl(8), written from scratch. Includes support for IPv6 as tunnel source address.
  • Improve performance (throughput and loss rate) for PPTP, pppd(8) or L2TP(/IPsec) on unstable latency networks (eg mobile).
  • Improved IPv6 fragment handling.
  • Many robustness improvements for IEEE 802.11 (particularly hostap).
  • Improved vlan priority support, including mapping to interface queues.
  • Initial rdomains support for IPv6.
  • Robustness improvements for carp(4).
  • Various IPv6 and rdomain related improvements for carp(4).

• Routing daemons and other userland network improvements:
  • fstat(8) now displays routing table ID and socket-splicing information and ps can display routing table ID.
  • traceroute(8) and traceroute6(8) can look up ASNs for each hop.
  • snmpd(8) adds a MIB to show statistics for carp(4) interfaces.
  • bgpctl(8) parses and display MRT routing table dumps.
  • ntpd(8) supports multiple rdomains.
  • When ospfd(8) detects route socket overflow, it now delays before it reloads the fib.
  • Improved and more consistent ToS support in various network tools (tcpbench(8), nc(8), ping(8), traceroute(8)).
  • Initial import of login_yubikey(8) for logging in using yubikeys.

• pf(4) improvements:
  • One-shot rule support for pf(4), for use with proxies via anchors.
  • NAT64 support in PF using the af-to keyword.
  • Much improved IPv6 fragment handling.
  • Various enhancements with ICMP and especially ICMPv6 states
  • Improved IPv6 Neighbor Discovery and Multicast Listener Discovery handling.
  • pfctl(8) now prints port numbers instead of service names by default.
  • Netflow v9 and ipfix support for pflow(4).
  • Many pfsync(4) fixes and improvements including jumbo frames and automatically requesting a bulk update after a physical interface comes online.

• Assorted improvements:
  • Improved locale support.
  • Support for MSG_NOSIGNAL.
  • KERN_PROC_CWD sysctl(3) for fetching the path to a process's working directory.
  • Improved fnmatch(3), glob(3), and regcomp(3) implementations to resist DoS attacks.
  • Lots of HISTORY and AUTHORS information added to manpages.
  • Improved checking of file-offset wraparound.
  • pwrite(2)/pwritev(2) now correctly by ignored O_APPEND.
  • Improved conformance of header files with standards.
  • Improved cancelation support in both user-threads (libpthread) and rthreads.
  • Improved correctness of execing, coredumping, signal delivery, alternate signal stacks, blocking socket accepts(), mutexes and condition variables, per-thread errno, symbol binding, and ktracing when rthreads are in use.
  • Architecture-independent kernel support for thread-control-block handling for rthreads.
  • Small improvements to Linux compat (only available on i386).
  • Multiple bugs have been fixed in the Intel 10Gb driver ix(4).
  • softraid(4) now supports a concatenating discipline.
  • On amd64, i386, and sparc64, the root filesystem can reside in a softraid(4) volume. The kernel needs to be booted from a non-softraid partition.
  • On amd64, the system can be booted from a softraid(4) RAID1 volume.
  • aucat(1) adds a "device number" component in sndio(7) device names, allowing a single aucat instance to handle all audio and MIDI services.
  • Built-in sndiod(1) sound daemon now uses default rate 48kHz and the default block size 10ms. These settings ensure video players and programs using MTC are smooth by default.
  • Many updates to smtpd(8): a new scheduler_backend API introduced, more MIME 1.0 support added, new filter callbacks for network events, improved DNS error reporting and envelope handling, and the purge/ directory is now cleared via a privilege-separated child.
  • tmux(1) is extended to support a larger history, minimizes redundant log messages and does some code reordering for more local and less global variables. Support is added for the ESC[s and ESC[u save/restore cursor-position key sequences. $HOME (or ~) may now be used as default-path in tmux.conf.
  • Enhanced cwm(1) event support, added {r,}cycleingroup to cycle through clients belonging to the same group as the active client, simplified color initialization.
  • The mg(1) emacs-like editor: now uses absolute filenames while pushing and popping off the stack. In dired mode: corrected cursor movements and added missing keybindings.

• OpenSSH 6.0:
  • New features:
    • ssh-keygen(1): add optional checkpoints for moduli screening.
    • ssh-add(1): new -k option to load plain keys (skipping certificates).
    • sshd(8): add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". (bz#1857)
    • ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings.
    • support cancellation of local/dynamic forwardings from ~C commandline.
  • The following significant bugs have been fixed in this release:
    • ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
    • ssh(1): unbreak remote port forwarding with dynamic allocated listen ports.
    • scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. Saves breakage on some difficult-to-upgrade embedded/router platforms.
    • ssh(1) and sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class.
    • ssh(1) and sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying.
    • ssh(1): skip attempting to create ~/.ssh when -F is passed.
    • sshd(8): unbreak stdio forwarding when ControlPersist is in use. (bz#1943)
    • sshd(8): send tty break to pty master instead of (probably already closed) slave side. (bz#1859)
    • sftp(1): silence error spam for "ls */foo" in directory with files. (bz#1683)
    • Fixed a number of memory and file descriptor leaks.

• Over 7,000 ports, major performance and stability improvements in the package build process
  • Downloading of distfiles is simpler, can resume interrupted download, discover file moves, and expire old files. Distfiles mirror sites now use the new and improved method.
  • Dependency handling during ports build and package creation is at least twice as fast, twenty times as fast in pathological cases. This also affects user scripts such as out-of-date
  • More checks are done during package builds, for increased user friendliness
  • The long term process of documenting the infrastructure is now 100% done.
  • The distributed ports builder (dpb) can now clean up old dependencies, thus helping package builds be more reproducible. This found tens of hidden build dependencies in the ports tree already.
  • The semantics of pkg_add -a have been nailed down and a few minor bugs have been fixed.
  • The arch-dependent issues are better classified, leading to better builds on old architectures in some complicated cases. In particular, dpb explicitly purges from memory info about packages it cannot build and stuff that depends on it, leading to better life on sparc and vax which have very small data-size limits.
  • dpb recognizes full builds and trims some duplicate package builds

• Many pre-built packages for each architecture:

  i386: 7229 sparc64: 6599 alpha: 5943

  sh: 2459 amd64: 7181 powerpc: 6852

  sparc: 4152 arm: 5536 hppa: 6159

  vax: 2199 mips64: 5785 mips64el: 5807

• Some highlights:
  • GNOME 3.2.1 (fallback mode)
  • KDE 3.5.10
  • Xfce 4.8.3
  • MySQL 5.1.60
  • PostgreSQL 9.1.2
  • Postfix 2.8.8
  • OpenLDAP 2.3.43 and 2.4.26
  • Mozilla Firefox 3.5.19, 3.6.25 and 9.0.1
  • Mozilla Thunderbird 9.0.1
  • GHC 7.0.4
  • LibreOffice 3.4.5.2
  • Emacs 21.4, 22.3 and 23.4
  • Vim 7.3.154
  • PHP 5.2.17 and 5.3.10
  • Python 2.5.4, 2.7.1 and 3.2.2
  • Ruby 1.8.7.357 and 1.9.3.0
  • Tcl/Tk 8.5.11
  • Jdk 1.7
  • Mono 2.10.6
  • Chromium 16.0.912.77
  • Groff 1.21

• As usual, steady improvements in manual pages and other documentation.
• Base system and Xenocara manuals are now installed as source code, making grep(1) more useful in /usr/share/man/ and /usr/X11R6/man/.
• If both formatted and source versions of manuals are installed, man(1) automatically displays the newer version of each page.

• The system includes the following major components from outside suppliers:
  • Xenocara (based on X.Org 7.6 with xserver 1.11.4 + patches, freetype 2.4.8, fontconfig 2.8.0, Mesa 7.10.3, xterm 276, xkeyboard-config 2.5 and more)
  • Gcc 4.2.1 (+patches), 3.3.5 (+ patches) and 2.95.3 (+ patches)
  • Perl 5.12.2 (+ patches)
  • Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support
  • OpenSSL 1.0.0f (+ patches)
  • Sendmail 8.14.5, with libmilter
  • Bind 9.4.2-P2 (+ patches)
  • Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
  • Sudo 1.7.2p8
  • Ncurses 5.7
  • Heimdal 0.7.2 (+ patches)
  • Arla 0.35.7
  • Binutils 2.15 (+ patches)
  • Gdb 6.3 (+ patches)
  • Less 444 (+ patches)
  • Awk Aug 10, 2011 version

How to install

Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an FTP (or other style of) install are very similar; the CDROM instructions are left intact so that you can see how much easier it would have been if you had purchased a CDROM instead.

• CD1:5.1/i386/INSTALL.i386

• CD2:5.1/amd64/INSTALL.amd64
• CD2:5.1/macppc/INSTALL.macppc

• CD3:5.1/sparc64/INSTALL.sparc64

• FTP:.../OpenBSD/5.1/alpha/INSTALL.alpha
• FTP:.../OpenBSD/5.1/armish/INSTALL.armish
• FTP:.../OpenBSD/5.1/hp300/INSTALL.hp300
• FTP:.../OpenBSD/5.1/hppa/INSTALL.hppa
• FTP:.../OpenBSD/5.1/landisk/INSTALL.landisk
• FTP:.../OpenBSD/5.1/loongson/INSTALL.loongson
• FTP:.../OpenBSD/5.1/luna88k/INSTALL.luna88k
• FTP:.../OpenBSD/5.1/mvme68k/INSTALL.mvme68k
• FTP:.../OpenBSD/5.1/mvme88k/INSTALL.mvme88k
• FTP:.../OpenBSD/5.1/sgi/INSTALL.sgi
• FTP:.../OpenBSD/5.1/socppc/INSTALL.socppc
• FTP:.../OpenBSD/5.1/sparc/INSTALL.sparc
• FTP:.../OpenBSD/5.1/vax/INSTALL.vax
• FTP:.../OpenBSD/5.1/zaurus/INSTALL.zaurus

Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above!

OpenBSD/i386:

Play with your BIOS options to enable booting from a CD. The OpenBSD/i386 release is on CD1. If your BIOS does not support booting from CD, you will need to create a boot floppy to install from. To create a boot floppy write CD1:5.1/i386/floppy51.fs to a floppy and boot via the floppy drive.

Use CD1:5.1/i386/floppyB51.fs instead for greater SCSI controller support, or CD1:5.1/i386/floppyC51.fs for better laptop support.

If you can't boot from a CD or a floppy disk, you can install across the network using PXE as described in the included INSTALL.i386 document.

If you are planning on dual booting OpenBSD with another OS, you will need to read INSTALL.i386.

To make a boot floppy under MS-DOS, use the "rawrite" utility located at CD1:5.1/tools/rawrite.exe. To make the boot floppy under a Unix OS, use the dd(1) utility. The following is an example usage of dd(1), where the device could be "floppy", "rfd0c", or "rfd0a".

# dd if=<file> of=/dev/<device> bs=32k

Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or your install will most likely fail. For more information on creating a boot floppy and installing OpenBSD/i386 please refer to FAQ 4.3.2.

OpenBSD/amd64:

The 5.1 release of OpenBSD/amd64 is located on CD2. Boot from the CD to begin the install - you may need to adjust your BIOS options first. If you can't boot from the CD, you can create a boot floppy to install from. To do this, write CD2:5.1/amd64/floppy51.fs to a floppy, then boot from the floppy drive.

If you can't boot from a CD or a floppy disk, you can install across the network using PXE as described in the included INSTALL.amd64 document.

If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64.

OpenBSD/macppc:

Put CD2 in your CDROM drive and poweron your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot.

Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /5.1/macppc/bsd.rd

OpenBSD/sparc64:

Put CD3 in your CDROM drive and type boot cdrom.

If this doesn't work, or if you don't have a CDROM drive, you can write CD3:5.1/sparc64/floppy51.fs or CD3:5.1/sparc64/floppyB51.fs (depending on your machine) to a floppy and boot it with boot floppy. Refer to INSTALL.sparc64 for details.

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

You can also write CD3:5.1/sparc64/miniroot51.fs to the swap partition on the disk and boot with boot disk:b.

If nothing works, you can boot over the network as described in INSTALL.sparc64.

OpenBSD/alpha:

Write FTP:5.1/alpha/floppy51.fs or FTP:5.1/alpha/floppyB51.fs (depending on your machine) to a diskette and enter boot dva0. Refer to INSTALL.alpha for more details.

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

OpenBSD/armish:

After connecting a serial port, Thecus can boot directly from the network either tftp or http. Configure the network using fconfig, reset, then load bsd.rd, see INSTALL.armish for specific details. IOData HDL-G can only boot from an EXT-2 partition. Boot into linux and copy 'boot' and bsd.rd into the first partition on wd0 (hda1) then load and run bsd.rd, preserving the wd0i (hda1) ext2fs partition. More details are available in INSTALL.armish.

OpenBSD/hp300:

Boot over the network by following the instructions in INSTALL.hp300.

OpenBSD/hppa:

Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page.

OpenBSD/landisk:

Write miniroot51.fs to the start of the CF or disk, and boot normally.

OpenBSD/loongson:

Write miniroot51.fs to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details.

OpenBSD/luna88k:

Copy bsd.rd to a Mach or UniOS partition, and boot it from the PROM. Alternatively, you can create a bootable tape and boot from it. Refer to the instructions in INSTALL.luna88k for more details.

OpenBSD/mvme68k:

You can create a bootable installation tape or boot over the network.
The network boot requires a MVME68K BUG version that supports the NIOT and NBO debugger commands. Follow the instructions in INSTALL.mvme68k for more details.

OpenBSD/mvme88k:

You can create a bootable installation tape or boot over the network.
The network boot requires a MVME88K BUG version that supports the NIOT and NBO debugger commands. Follow the instructions in INSTALL.mvme88k for more details.

OpenBSD/sgi:

To install on an O2, burn cd51.iso on a CD-R, put it in the CD drive of your machine and select Install System Software from the System Maintenance menu.

On other systems, or if your machine doesn't have a CD drive, you can setup a DHCP/tftp network server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your system type. Refer to the instructions in INSTALL.sgi for more details.

OpenBSD/socppc:

After connecting a serial port, boot over the network via DHCP/tftp. Refer to the instructions in INSTALL.socppc for more details.

OpenBSD/sparc:

Boot from one of the provided install ISO images, using one of the two commands listed below, depending on the version of your ROM.

ok boot cdrom 5.1/sparc/bsd.rd
or
> b sd(0,6,0)5.1/sparc/bsd.rd

If your SPARC system does not have a CD drive, you can alternatively boot from floppy. To do so you need to write floppy51.fs to a floppy. For more information see FAQ 4.3.2. To boot from the floppy use one of the two commands listed below, depending on the version of your ROM.

ok boot floppy
or
> b fd()

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

If your SPARC system doesn't have a floppy drive nor a CD drive, you can either setup a bootable tape, or install via network, as told in the INSTALL.sparc file.

OpenBSD/vax:

Boot over the network via mopbooting as described in INSTALL.vax.

OpenBSD/zaurus:

Using the Linux built-in graphical ipkg installer, install the openbsd51_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus for a few important details.

Notes about the source code:

src.tar.gz contains a source archive starting at /usr/src. This file contains everything you need except for the kernel sources, which are in a separate archive. To extract:

# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz

sys.tar.gz contains a source archive starting at /usr/src/sys. This file contains all the kernel sources you need to rebuild kernels. To extract:

# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz

Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as described here. Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree.

How to upgrade

If you already have an OpenBSD 5.0 system, and do not want to reinstall, upgrade instructions and advice can be found in the Upgrade Guide.

Ports Tree

A ports tree archive is also provided. To extract:

# cd /usr
# tar xvfz /tmp/ports.tar.gz
# cd ports

The ports/ subdirectory is a checkout of the OpenBSD ports tree. Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. Rather, it is a set of notes meant to kickstart the user on the OpenBSD ports system.

The ports/ directory represents a CVS (see the manpage for cvs(1) if you aren't familiar with CVS) checkout of our ports. As with our complete source tree, our ports tree is available via anoncvs. So, in order to keep current with it, you must make the ports/ tree available on a read-write medium and update the tree with a command like:

# cd [portsdir]/; cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_5_1

[Of course, you must replace the local directory and server name here with the location of your ports collection and a nearby anoncvs server.]

Note that most ports are available as packages through FTP. Updated packages for the 5.1 release will be made available if problems arise.

If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing list ports@openbsd.org is a good place to know.