syspatch

syspatch helps provide binary patches to OpenBSD. It brings your system up-to-date from -release to -stable. These patches do not include feature updates and should be safe to apply to production servers immediately.

$ doas syspatch

System patching can be automated by setting up a cronjob:

$ doas crontab -e

At the bottom, add this line:

~      ~      *       *       *       /usr/sbin/syspatch

The system update will start at a random minute and hour of the day. This prevents all machines from running the exact same job at the exact same time, which would slow down a server running multiple jobs.

Troubleshooting

$ doas syspatch
syspatch: Error retrieving https://cdn.openbsd.org/pub/OpenBSD/syspatch/7.1/amd64/SHA256.sig: 404 Not Found

If you see this message, then the server is missing the patches for this version of the OS. Switch mirrors by editing /etc/installurl.

$ doas syspatch
syspatch: cdn.openbsd.org: no address associated with name

If you see this message, then DNS resolution is not working properly.

Double check /etc/resolv.conf to make sure nameservers are specified. You may want to configure unbound.