Title: How to trigger services restart after OpenBSD update
       Author: Solène
       Date: 25 September 2022
       Tags: openbsd security deployment
       Description: 
       
       # Introduction
       
Keeping an OpenBSD system up-to-date requires two daily operations:
       
* updating the base system with the command: `/usr/sbin/syspatch`
* updating the packages (if any) with the command: `/usr/sbin/pkg_add -u`
       
However, OpenBSD isn't very friendly with regard to what to do after
upgrading: modified binaries should be restarted to use the new code,
and a new kernel requires a reboot.
       
       It's not useful to update if the newer binaries are never used.
       
       # Syspatch reboot
       
       I wrote a small script to automatically reboot if syspatch deployed a
       new kernel.  Instead of running syspatch from a cron job, you can run a
       script with this content:
       
```
#!/bin/sh

# Run syspatch and capture its output, so the message asking for a
# reboot can be checked afterwards.
OUT=$(/usr/sbin/syspatch)
SUCCESS=$?

# Only reboot if syspatch succeeded and told us a new kernel needs it.
if [ "$SUCCESS" -eq 0 ]
then
    if echo "$OUT" | grep -q reboot
    then
        reboot
    fi
fi
```
       
It's not much: it runs syspatch and, if the output contains "reboot",
reboots the system.
       
       # Binaries restart
       
       It's getting more complicated when a running program is updated,
       whether it's a service with a rc.d script, or a program currently in
       use.
       
It would be nice to have something to help restart them appropriately.
I currently use the program `checkrestart` in a script like this:
       
       ```
       checkrestart | grep smtpd && rcctl restart smtpd
       checkrestart | grep httpd && rcctl restart httpd
       checkrestart | grep dovecot && rcctl restart dovecot
       checkrestart | grep lua && rcctl restart prosody
       ```
       
This works well for system services, except when the binary name is
different from the service name, like for prosody, in which case you
must know the exact name of the binary.
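The script above runs `checkrestart` once per service and keeps the binary-to-service knowledge spread over the grep lines. The following variant, an added example that is not part of the original post, runs `checkrestart` a single time and looks the output up in one "binary service" table, so the prosody/lua case lives in one place and a service is restarted at most once even if several of its processes are listed. It assumes, like the post's `grep` lines, that `checkrestart` prints one process per line with the binary's name somewhere on that line; the mapping table, the `DRY_RUN` variable and the `run` argument are this example's own conventions, not part of `checkrestart` or `rcctl`.

```shell
#!/bin/sh
# Added example (not from the original post): restart rc.d services from a
# single checkrestart run, driven by a binary-name -> service table.
#
# Assumption (not confirmed by the post): checkrestart prints one process per
# line and the outdated binary's name appears on that line, which is what
# "checkrestart | grep smtpd" in the post relies on as well.

# Hypothetical "binary service" pairs, one per line; extend for your host.
RESTART_MAP='
smtpd smtpd
httpd httpd
dovecot dovecot
lua prosody
'

# services_to_restart: read checkrestart output on stdin and print each
# service that needs a restart exactly once, in table order.
services_to_restart() {
    out=$(cat)
    printf '%s\n' "$RESTART_MAP" | while read -r bin svc; do
        [ -z "$bin" ] && continue
        # Fixed-string match, so a binary name is never read as a regex.
        if printf '%s\n' "$out" | grep -qF -- "$bin"; then
            printf '%s\n' "$svc"
        fi
    done | awk '!seen[$0]++'
}

# restart_outdated: run checkrestart once and restart what it reports.
# With DRY_RUN=1 the rcctl commands are printed instead of executed.
restart_outdated() {
    checkrestart | services_to_restart | while read -r svc; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "rcctl restart $svc"
        else
            rcctl restart "$svc"
        fi
    done
}

# Only act when invoked with the "run" argument, so the file can also be
# sourced to reuse the functions.
if [ "${1:-}" = run ]; then
    restart_outdated
fi
```

Run it from the same daily job as `pkg_add -u`, e.g. `DRY_RUN=1 sh restart-outdated.sh run` first to see what would be restarted, then without `DRY_RUN` once the table matches your hosts. Programs that are not rc.d services (the emacs or IRC client case below) still show up in `checkrestart` output but have no entry in the table, so they are simply left alone.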
       
But for long-lived commands like a 24/7 emacs or an IRC client, there
isn't any mechanism to handle it.  At best, you can email yourself the
checkrestart output, or run checkrestart upon SSH login.