You should be using OpenBSD's /upgrade.site

Whenever you run sysupgrade -r or sysupgrade -s, /upgrade.site is executed in upgrade mode and with one CPU core active.

I use the same upgrade.site on every single system, so it includes checks to only run each task when needed. Even if you only have one system, you can benefit from this feature.

Get that CPU

Certain tasks may benefit from being run later, when the system is running bsd.mp.

Hence, the first and last lines of my file simply append the entire thing to rc.firsttime:

cat >> /etc/rc.firsttime << __EOF

  [ file contents go here ]

__EOF

Re-apply local diffs

Some of my systems have src checked out because I test or maintain local diffs. Recompile those on every upgrade.

if [ -f /usr/src/Makefile ]; then
  echo "Rebuilding local diffs" | ts %FT%T
  (cd /usr/src/games/grdc && make && make install)
  (cd /usr/src/usr.bin/ts && make && make install)
  (cd /usr/src/usr.sbin/httpd && make && make install)
fi

Automate the confusing fixes

Some systems have ports checked out. I only know enough about ports to be dangerous and sometimes I mess up permissions. This saves me time:

if [ -f /usr/ports/Makefile ]; then
  echo "Setting ports permissions" | ts %FT%T
  (cd /usr/ports && make fix-permissions)
fi

Upgrade non-interactive packages

Upgrade non-interactive packages, always. I use timestamps here because pkg_add -u sometimes hangs and I don’t yet have data to figure out why.

The PKG_OPT variable is a local invention of mine that is set early in the script, so that -stable systems always run pkg_add -uI but -current systems always run pkg_add -Dsnap -uI.

The -I prevents hanging forever waiting for input on systems that run postgresql-server. I modified the

echo "Upgrading non-interactive packages on first boot" | ts %FT%T
time pkg_add ${PKG_OPT} -uI
echo "Cleaning up old packages on first boot" | ts %FT%T
time pkg_delete -a
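
One way PKG_OPT could be set and carried into rc.firsttime, as an added example that is not the author's script: pkg_opt_for and write_firsttime are hypothetical helpers, detecting -current from the kern.version string is an assumption, and the sample strings are constructed. It also shows that the unquoted __EOF delimiter expands ${PKG_OPT} while upgrade.site runs, whereas a backslash-escaped command is left for first boot.

```shell
#!/bin/sh
# Added example, not the author's upgrade.site.

# Map a kern.version string to extra pkg_add options:
# -current systems get -Dsnap, everything else gets nothing.
pkg_opt_for() {
  case "$1" in
    *-current*) echo "-Dsnap" ;;
    *)          : ;;
  esac
}

# Append first-boot package tasks to the file in $1 (normally
# /etc/rc.firsttime). $2 is the kern.version string to classify.
write_firsttime() {
  target=$1
  PKG_OPT=$(pkg_opt_for "$2")
  # Unquoted delimiter: ${PKG_OPT} is expanded now, at upgrade time.
  # The escaped \$(...) is written literally and runs at first boot.
  cat >> "$target" << __EOF
echo "Upgrading non-interactive packages on first boot" | ts %FT%T
time pkg_add ${PKG_OPT} -uI
echo "First boot kernel: \$(sysctl -n kern.version | head -1)"
__EOF
}

# Constructed sample strings in the shape of kern.version output.
SAMPLE_CURRENT='OpenBSD 0.0-current (GENERIC.MP) #0: constructed sample'
SAMPLE_RELEASE='OpenBSD 0.0 (GENERIC.MP) #0: constructed sample'

# Inside upgrade.site the call would be:
#   write_firsttime /etc/rc.firsttime "$(sysctl -n kern.version)"
```

If PKG_OPT were instead assigned inside the here-document, the unquoted delimiter would expand it to an empty string before the assignment ever ran, so it has to be set before the cat or be escaped.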

Upgrading directly from ports

While the Unifi controller software is in ports, it is not available as a package for licensing reasons, so every time we upgrade the OS, we also want systems with installed controllers to upgrade to whatever the latest version in ports is.

This approach has worked great for several years.

rcctl get unifi && if [ -f /usr/ports/net/unifi/main/Makefile ]; then
  echo "Upgrading Unifi Controller on first boot" | ts %FT%T
  cd /usr/ports/net/unifi/main
  make clean package update 
fi

Auto-update PostgreSQL across major versions

I also run many other actions as part of upgrade.site, but some are objectively questionable ideas that just happen to work in my case.

One of those questionable ideas is abusing the instructions in the PostgreSQL Upgrade Howto in README-server just enough that my systems can do unattended upgrades across major PostgreSQL versions.

Backups and redundancy ensure that any failures do not affect the world. There is quite a bit of zen in watching automatic upgrades of -current systems, because by the time -release systems are upgraded, I have typically caught all the problems weeks or months ago.

Your turn

Now, tell us what YOU run in upgrade.site.