OpenBSD OS Distribution
OpenBSD is an open-source Unix-like computer operating system descended from Berkeley Software Distribution (BSD), a Research Unix derivative developed at the University of California, Berkeley. In late 1995, Theo de Raadt forked it from NetBSD. Besides the operating system as a whole, the project maintains portable versions of many subsystems, most notably OpenSSH, which are available as packages in other operating systems.
Tornado VPS provides OpenBSD as a netboot install. When ordering, select ‘None (HVM)’ as the ‘Pre-installed distribution’ during checkout.
Starting the Installer
- Start by logging into the VPS console.
- Select set bootloader, rescue mode, or netboot installer.
- Select BSD installers. If this option is not available, please contact support for assistance.
- Select OpenBSD. If this option is not available, please contact support for assistance.
- Return to the main menu.
- Select shutdown.
- Select create/start.
Installing
The OpenBSD project maintains its own installation guide; this section only covers the answers that matter on a Tornado VPS.
At the initial question, (I)nstall, (U)pgrade, (A)utoinstall or (S)hell, type A if you have an autoinstall response file available. Otherwise, type I and press enter. Answer the prompted questions, pressing enter without any other input to leave the answer at the default. The following list of selections is a guide:
- Terminal type? Use the default, vt220. You may change this.
- System hostname? By default, use the hostname for the VPS. You may change this. Fix mistakes here post-install by editing /etc/myname.
- Which network interface do you wish to configure? Use the default, xnf0. It will not work with anything different.
- IPv4 address for xnf0? Use the default, dhcp. A static IP will be configured later.
- IPv6 address for xnf0? Use the default, none. A static IP will be configured later.
- DNS domain name? If you don’t have another domain to use, use ‘.vm.tornadovps.net’. It will be combined with the system hostname to form the Fully Qualified Domain Name (FQDN). Fix mistakes here post-install by editing /etc/myname.
- Change the default console to com0? Use the default, yes. It will not work with anything different.
- Which speed should com0 use? Use 115200. It should still work with the default, 9600.
- Which disk is the root disk? Use the default, sd0. It will not work with anything different.
- Use (W)hole disk MBR, whole disk (G)PT or (E)dit? If you do not wish to configure this, use whole.
- Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? If you do not wish to configure this, use a.
- Location of sets? Use the default, cd0. You may change this.
- Set name(s)? You can use the default.
If you selected cd0 as the set location, you will be prompted: Directory does not contain SHA256.sig. Continue without verification? Per the OpenBSD FAQ, the install ISOs do not include a signature file, so you may answer yes here. Be aware of what that means: the installer cannot check the sets itself, and you are trusting the netboot image the console served you. Alternately, use an http mirror; in that case the installer fetches SHA256.sig and verifies the sets with the signify key shipped inside the installer before it unpacks them.
The actual installation will occur at this point. The stage Relinking to create unique kernel… may take a long time to complete.
At the prompt Exit to (S)hell, (H)alt or (R)eboot? [reboot], use h to halt, then press any key.
When the installation is complete, you will be returned to the VPS console main menu. Next:
- Select set bootloader, rescue mode, or netboot installer.
- Select Boot from disk.
- Return to the main menu.
- Select shutdown.
- Select system details and record the list of IPs returned.
- Select create/start.
The VPS should boot into a brand new installation of OpenBSD, and you will eventually be greeted by a login prompt.
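The same answers as an autoinstall(8) response file, added here as an example; it is not part of this guide or of the OpenBSD installer. The keys are the installer prompts listed above and the answers are the ones recommended for a Tornado VPS. Two lines are assumptions rather than taken from the guide: the hostname is a placeholder, and the root password line, which an unattended run needs, carries a constructed placeholder where a hash from encrypt(1) would go. The domain is written without the leading dot on the assumption that the installer joins it to the hostname itself. To use it, type A at the initial prompt; the installer then asks where to fetch the response file.

```text
System hostname = myvps
Which network interface do you wish to configure = xnf0
IPv4 address for xnf0 = dhcp
IPv6 address for xnf0 = none
DNS domain name = vm.tornadovps.net
Password for root account = $2b$10$CONSTRUCTED.PLACEHOLDER.HASH.FROM.encrypt1
Change the default console to com0 = yes
Which speed should com0 use = 115200
Which disk is the root disk = sd0
Use (W)hole disk MBR, whole disk (G)PT or (E)dit = whole
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout = a
Location of sets = cd0
Set name(s) = done
Directory does not contain SHA256.sig. Continue without verification = yes
```

Questions that do not appear in the file get the installer's default, exactly as pressing enter would; the last line is what makes the cd0 set location work unattended, with the same trust caveat as the interactive answer.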
Installing OpenBSD With Full-Disk Encryption
Installing OpenBSD with full disk encryption is well-documented for regular non-virtual machines. Unfortunately, when we tried the standard procedures, we did not get a passphrase prompt from the bootloader when booting the fresh installation. There appears to be no obvious way to boot from an OpenBSD softraid – such as an encrypted disk – and have it use our serial console. Here is a description of how we kludged it. Some familiarity with OpenBSD terminology is expected.
We will make two OpenBSD slices. One will contain a tiny filesystem with a bootloader configuration file, and the other will contain the encrypted part of the disk. At boot, the OpenBSD bootloader looks for /etc/boot.conf in the first slice, sd0a. That file contains 3 instructions: set serial baud rate, use a serial console, and set the real boot device. The bootloader then boots from the real encrypted boot device, with output going to the serial console.
Installation Procedure
Pre-Configure OpenBSD
We will boot the OpenBSD installer, but select the shell option at the prompt, rather than the install option, because some pre-configuration is needed before performing an install. Note that any line starting with a # is a shell prompt, and others are output.
- In the VPS console main menu, select option 6 (set bootloader, rescue mode, or netboot installer).
- In the Set Boot Options menu, select option 6 (BSD Installers).
- Under BSD Installers, select option 3 (OpenBSD 6.7 - 64 bit), then select 0 twice to return to the main menu.
- In the main menu, select option 3 (shutdown (requests clean shutdown, forces off after 4 min)).
- When your VPS is shut down, select option 2 to restart.
- The OpenBSD installation program should appear. Select S at the prompt to open a shell.
Welcome to the OpenBSD/amd64 6.6 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s
First, we’ll make the device nodes that we will need for the hard disk and the softraid volume, then rewrite the master boot record for the hard disk with fdisk.
# cd /dev
# sh MAKEDEV sd0 sd1
# fdisk -iy sd0
Writing MBR at offset 0.
We can optionally overwrite the disk with random data to hide which part of the disk has been written to. If you do, run it before fdisk -iy sd0 (or run fdisk again afterwards): /dev/rsd0c is the whole raw disk starting at sector 0, so the overwrite also erases the MBR that fdisk just wrote.
# dd if=/dev/urandom of=/dev/rsd0c bs=1M
Now, using disklabel, we will make two slices on the raw disk. The first, sd0a, is going to contain a tiny filesystem with just one file in it: /etc/boot.conf. The second slice will be the softraid slice for the encrypted disk. In order to keep things simple, we don’t add a swap slice. If you want one, you should add it as another slice to sd0, rather than to the softraid. OpenBSD already encrypts swap, so there is no point in doubly-encrypting it.
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a
partition: [a] a
offset: [64] 8192
size: [62902348] 8192
FS type: [4.2BSD]
sd0> a
partition: [b] b
offset: [16384]
size: [62894156]
FS type: [swap] raid
sd0> w
sd0> q
No label changes.
#
We use an offset of 8192 sectors for the first partition because we want partitions aligned on a 4 MiB boundary (8192 sectors of 512 bytes), in order to reduce the possibility of write amplification when using solid state storage.
Set Up OpenBSD Softraid
Next, we initialize the softraid. There are other options for the bioctl command that might be interesting or useful here, including -r for specifying the number of rounds of the key derivation function. However, we’ll keep it simple.
# bioctl -c C -l /dev/sd0b softraid0
New passphrase:
Re-type passphrase:
sd1 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
sd1: 30709MB, 512 bytes/sector, 62893628 sectors
softraid0: CRYPTO volume attached as sd1
We need to make the filesystem on sd0a and put /etc/boot.conf there, with the three bootloader instructions on separate lines:
# newfs /dev/rsd0a
/dev/rsd0a: 4.0MB in 8192 sectors of 512 bytes
4 cylinder groups of 1.00MB, 64 blocks, 128 inodes each
super-block backups (for fsck -b #) at:
32, 2080, 4128, 6176,
# mount /dev/sd0a /mnt
# mkdir /mnt/etc
# printf 'stty com0 115200\nset tty com0\nset device sr0a\n' > /mnt/etc/boot.conf
# umount /dev/sd0a
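The pre-configuration above as one non-interactive script for the installer's shell, added here as an example; it is not part of the Tornado VPS guide or of OpenBSD. It assumes that disklabel -E accepts its answers on standard input (an empty line takes the editor's default, exactly as pressing enter did in the session above) and that bioctl reads the passphrase from the console as before. Only preconfigure_disk touches hardware, and it destroys everything on the disk it is given; the two generator functions can be run anywhere to check what will be written.

```sh
#!/bin/sh
# Added example, not from the Tornado VPS guide: scripted version of the
# pre-configuration steps (optional wipe, fdisk, disklabel, bioctl, boot.conf).

ALIGN=8192   # sectors; 8192 * 512 B = 4 MiB, the alignment the guide uses

# boot_conf_contents BAUD: the three bootloader instructions for /etc/boot.conf,
# one per line: serial speed, serial console, real (softraid) boot device.
boot_conf_contents() {
    printf 'stty com0 %s\nset tty com0\nset device sr0a\n' "$1"
}

# label_commands: the answers fed to "disklabel -E" to create slice a (one
# 4 MiB FFS slice at offset 8192 for boot.conf) and slice b (RAID, filling the
# rest of the disk). An empty line accepts the editor's default, as in the
# interactive session above.
label_commands() {
    printf 'a\na\n%s\n%s\n4.2BSD\n' "$ALIGN" "$ALIGN"   # add a: offset 8192, size 8192
    printf 'a\nb\n\n\nRAID\n'                            # add b: default offset and size, type RAID
    printf 'w\nq\n'                                      # write the label, quit
}

# preconfigure_disk DISK BAUD [wipe]: run from the installer shell as root.
# DESTROYS DISK. With a third argument "wipe" the disk is first filled with
# random data; that has to happen before fdisk, because r${DISK}c starts at
# sector 0 and the wipe would otherwise erase the MBR.
preconfigure_disk() {
    disk=$1; baud=${2:-115200}
    (cd /dev && sh MAKEDEV "$disk" sd1) || return 1      # nodes for the disk and the softraid volume
    if [ "${3:-}" = wipe ]; then
        dd if=/dev/urandom of="/dev/r${disk}c" bs=1M || true   # dd exits non-zero when it hits the end
    fi
    fdisk -iy "$disk" || return 1                        # fresh MBR with one OpenBSD partition
    label_commands | disklabel -E "$disk" || return 1    # slices a (FFS) and b (RAID)
    bioctl -c C -l "/dev/${disk}b" softraid0 || return 1 # asks for the passphrase; attaches as sd1
    newfs "/dev/r${disk}a" || return 1
    mount "/dev/${disk}a" /mnt || return 1
    mkdir -p /mnt/etc
    boot_conf_contents "$baud" > /mnt/etc/boot.conf
    umount /mnt
}

# Usage from the installer shell:  sh preconfig.sh --run sd0 115200 wipe
if [ "${1:-}" = "--run" ]; then
    preconfigure_disk "${2:-sd0}" "${3:-115200}" "${4:-}"
fi
```

After it finishes, continue with /install exactly as in the next section, choosing sd1 as the root disk.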
Run OpenBSD Installer
You can now start the OpenBSD installer by invoking /install at the shell prompt. From this point forward, you can just do a fairly standard installation process. Use the disk sd1 for the install. The installer should leave sd0 alone, since we set it up manually. You also probably do not want to use the auto disk layout with a swap slice, since your system would be swapping to something on sd1. Here are the relevant bits from our interactive session with the installer; yours will likely be a bit different.
Available disks are: sd0 sd1.
Which disk is the root disk? ('?' for details) [sd0] sd1
No valid MBR or GPT.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] w
Setting OpenBSD MBR partition to whole sd1...done.
The auto-allocated layout for sd1 is:
#                size           offset  fstype [fsize bsize   cpg]
  a:          1024.0M               64  4.2BSD   2048 16384     1 # /
  b:          1264.0M          2097216    swap
  c:         30709.8M                0  unused
  d:          1713.6M          4685888  4.2BSD   2048 16384     1 # /tmp
  e:          2669.6M          8195392  4.2BSD   2048 16384     1 # /var
  f:          2496.0M         13662816  4.2BSD   2048 16384     1 # /usr
  g:           981.6M         18774656  4.2BSD   2048 16384     1 # /usr/X11R6
  h:          4012.0M         20784992  4.2BSD   2048 16384     1 # /usr/local
  i:          1698.4M         29001664  4.2BSD   2048 16384     1 # /usr/src
  j:          5916.8M         32480000  4.2BSD   2048 16384     1 # /usr/obj
  k:          8926.2M         44597632  4.2BSD   2048 16384     1 # /home
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] c
Label editor (enter '?' for help at any prompt)
sd1> a
partition: [a] a
offset: [64] 8192
size: [62870218]
FS type: [4.2BSD]
mount point: [none] /
sd1*> w
sd1> q
No label changes.
/dev/rsd1a: 30698.3MB in 62870208 sectors of 512 bytes
152 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
Available disks are: sd0.
Which disk do you wish to initialize? (or 'done') [done] done
/dev/sd1a (cd70684e3d78d3b3.a) on /mnt type ffs (rw, asynchronous, local)
Once you’re done with the installer, that’s it. You should have an encrypted installation of OpenBSD that prompts for the password on the serial console.
Final Notes
There are two areas of your disk that are not encrypted. One is the slice containing /etc/boot.conf, and the other is the unencrypted area of the softraid, where the bootloader is stored. Neither is authenticated either: the encryption protects the contents of sd1 at rest, but nothing on the disk stops someone who can write to the raw disk image from replacing the bootloader or boot.conf, and the passphrase itself is typed over the VPS serial console.
Post-Installation Network Configuration
This step is optional, but highly recommended. As configured above, the installation is using dhcp for IPv4 and no IPv6 address. Instead, it can use both a static IPv4 and static IPv6 address.
IP Addresses
With a text editor such as vi or nano (pkg_add nano), open the file /etc/hostname.xnf0. Remove the line dhcp and replace it with the following, where MY_IPV4_ADDRESS and MY_IPV6_ADDRESS are the IP addresses recorded earlier:
inet MY_IPV4_ADDRESS 255.255.255.0
inet6 MY_IPV6_ADDRESS 64
-autoconf
-autoconfprivacy
-soii
The three flag lines turn off IPv6 autoconfiguration: -autoconf disables SLAAC, -autoconfprivacy disables temporary privacy addresses (RFC 4941), and -soii disables semantically opaque interface identifiers (RFC 7217), so the link-local address is derived from the interface's MAC address rather than randomized. Without them, IPv6 will either completely fail to work or performance will be negatively impacted.
Save the file and exit.
Routes
Open the file /etc/mygate in a text editor. Right now it is empty. Here we’ll add the IPv4 and IPv6 gateways.
The IPv4 gateway is the first three octets of the IPv4 address combined with ‘.1’ at the end. For example, for an IP address of A.B.C.D, the IPv4 gateway is A.B.C.1.
The IPv6 gateway is the first four groups of the IPv6 address combined with ‘::1’ at the end. For example, for an IP address of A:B:C:D:E:F:G:H, the IPv6 gateway is A:B:C:D::1.
Add the following lines, where MY_IPV4_GATEWAY and MY_IPV6_GATEWAY are the IPv4 and IPv6 gateway addresses:
MY_IPV4_GATEWAY
MY_IPV6_GATEWAY
Save the file and exit.
DNS Resolvers
You may edit the file /etc/resolv.conf, but it is not necessary. Here is a sample file:
nameserver 71.19.145.215
nameserver 71.19.155.120
lookup file bind
Finalizing
Apply the new network configuration as root (or simply reboot):
# sh /etc/netstart
Test with:
$ ping -c1 he.net
$ ping6 -c1 he.net
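The rules above (the /24 netmask, the gateway derived from the address, the three autoconf flags) as a small POSIX shell script, added here as an example that is not part of the Tornado VPS guide. It assumes the /24 and the first-four-groups gateway convention stated above and nothing else; the addresses in the usage comment are constructed documentation addresses (RFC 5737 and RFC 3849), not real VPS addresses. An IPv6 address whose first four groups are hidden by ‘::’ compression is refused rather than guessed at, since the rule cannot be applied to it.

```sh
#!/bin/sh
# Added example, not from the Tornado VPS guide: build /etc/hostname.xnf0 and
# /etc/mygate from the two addresses recorded in the VPS console.

# ipv4_gateway A.B.C.D -> A.B.C.1 (the guide's rule; assumes the /24 it configures)
ipv4_gateway() {
    gw=$(printf '%s\n' "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.1\n", $1, $2, $3 }')
    [ -n "$gw" ] || { echo "ipv4_gateway: not a dotted quad: $1" >&2; return 1; }
    printf '%s\n' "$gw"
}

# ipv6_gateway A:B:C:D:... -> A:B:C:D::1. The first four groups must be written
# out; if "::" compression hides any of them, refuse rather than guess.
ipv6_gateway() {
    gw=$(printf '%s\n' "$1" | awk -F: '
        NF >= 4 && $1 != "" && $2 != "" && $3 != "" && $4 != "" {
            printf "%s:%s:%s:%s::1\n", $1, $2, $3, $4
        }')
    [ -n "$gw" ] || { echo "ipv6_gateway: first four groups must be explicit: $1" >&2; return 1; }
    printf '%s\n' "$gw"
}

# hostname_if_contents IPV4 IPV6: the hostname.if(5) lines from the guide:
# static v4 and v6, with SLAAC, temporary addresses and SOII all disabled.
hostname_if_contents() {
    printf 'inet %s 255.255.255.0\ninet6 %s 64\n-autoconf\n-autoconfprivacy\n-soii\n' "$1" "$2"
}

# write_network_config DIR IPV4 IPV6: writes DIR/hostname.xnf0 and DIR/mygate.
# Use /etc on the VPS (as root), or a scratch directory to preview the result.
write_network_config() {
    dir=$1; v4=$2; v6=$3
    gw4=$(ipv4_gateway "$v4") || return 1
    gw6=$(ipv6_gateway "$v6") || return 1
    hostname_if_contents "$v4" "$v6" > "$dir/hostname.xnf0"
    chmod 640 "$dir/hostname.xnf0"            # hostname.if files are root-readable only
    printf '%s\n%s\n' "$gw4" "$gw6" > "$dir/mygate"
}

# Usage on the VPS (constructed addresses):
#   sh netconfig.sh /etc 203.0.113.45 2001:db8:1:2::45 && sh /etc/netstart
if [ $# -eq 3 ]; then
    write_network_config "$1" "$2" "$3"
fi
```

Previewing into a scratch directory first and diffing against /etc is the safe way to use it on a machine you can only reach over the network, since a wrong gateway line locks you out until you return to the VPS console.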
Rescue
The shell in the installer may be used to rescue an OpenBSD install: boot the netboot installer as described above and type S at the initial prompt. For an encrypted install, create the device nodes (cd /dev; sh MAKEDEV sd0 sd1) and attach the softraid volume with bioctl -c C -l /dev/sd0b softraid0 before mounting its slices.