Title: How to trigger services restart after OpenBSD update

	Title: How to trigger services restart after OpenBSD update
	Author: Solène
	Date: 25 September 2022
	Tags: openbsd security deployment
	Description:

	# Introduction

	Keeping an OpenBSD system up-to-date requires two daily operation:

	* updating the base system with the command: `/usr/sbin/syspatch`
	* updating the packages (if any) with the command: `/usr/sbin/pkg_add
	-u`

	However, OpenBSD isn't very friendly with regard to what to do after
	upgrading: modified binaries should be restarted to use the new code,
	and a new kernel requires an upgrade

	It's not useful to update if the newer binaries are never used.

	# Syspatch reboot

	I wrote a small script to automatically reboot if syspatch deployed a
	new kernel. Instead of running syspatch from a cron job, you can run a
	script with this content:

	```
	#!/bin/sh

	OUT=$(/usr/sbin/syspatch)
	SUCCESS=$?

	if [ "$SUCCESS" -eq 0 ]
	then
	if echo "$OUT" \| grep reboot >/dev/null
	then
	reboot
	fi
	fi
	```

	It's not much, it runs syspatch and if the output contains "reboot",
	then a reboot of the system is done.

	# Binaries restart

	It's getting more complicated when a running program is updated,
	whether it's a service with a rc.d script, or a program currently in
	use.

	This would be nice to see something to help to restart them
	appropriately, I currently use the program `checkrestart` in a script
	like this:

	```
	checkrestart \| grep smtpd && rcctl restart smtpd
	checkrestart \| grep httpd && rcctl restart httpd
	checkrestart \| grep dovecot && rcctl restart dovecot
	checkrestart \| grep lua && rcctl restart prosody
	```

	This works well for system services, except when the binary is
	different from the service name like for prosody, in which case you
	must know the exact name of the binary.

	But for long-lived commands like a 24/7 emacs or an IRC client, there
	isn't any mechanism to handle it. At best, you can email you
	checkrestart output, or run checkrestart upon SSH login.