Difference between revisions of "OpenBSD"

From PrgmrWiki
(initial edit)
 
(Run OpenBSD Installer)
 
(17 intermediate revisions by 4 users not shown)

Latest revision as of 00:46, 18 September 2020


prgmr.com officially supports installing OpenBSD via the installer ISO.

Ordering

Select None (HVM) as the 'Pre-installed distribution' during checkout.

Starting the Installer

  1. Start by logging into the Management Console.
  2. Select set bootloader, rescue mode, or netboot installer.
  3. Select BSD installers. If this option is not available, please contact support for assistance.
  4. Select OpenBSD. If this option is not available, please contact support for assistance.
  5. Return to the main menu.
  6. Select shutdown.
  7. Select create/start.

Installing

The OpenBSD project has their own installation guide.

At the initial question (I)nstall, (U)pgrade, (A)utoinstall or (S)hell, if you have an autoinstall script available, type A when prompted. Otherwise, type I and press enter. Answer the prompted questions, typing enter without any other input to leave the answer at the default. The following list of selections is a guide:

  • Terminal type? Use the default, vt220. You may change this.
  • System hostname? By default, use the hostname for the VPS. You may change this. Fix mistakes here post-install by editing /etc/myname.
  • Which network interface do you wish to configure? Use the default, xnf0. It will not work with anything different.
  • IPv4 address for xnf0? Use the default, dhcp. A static IP will be configured later.
  • IPv6 address for xnf0? Use the default, none. A static IP will be configured later.
  • DNS domain name? If you don't have another domain to use, use '.xen.prgmr.com'. It will be combined with the system hostname to form the Fully Qualified Domain Name (FQDN). Fix mistakes here post-install by editing /etc/myname.
  • Change the default console to com0? Use the default, yes. It will not work with anything different.
  • Which speed should com0 use? Use 115200. It should still work with the default 9600.
  • Which disk is the root disk? Use the default, sd0. It will not work with anything different.
  • Use (W)hole disk MBR, whole disk (G)PT or (E)dit? If you do not wish to configure this, use whole.
  • Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? If you do not wish to configure this, use a.
  • Location of sets? Use the default, cd0. You may change this.
  • Set name(s)? You can use the default.

If you selected cd0 as the set location, you will be prompted with: Directory does not contain SHA256.sig. Continue without verification? Per the OpenBSD FAQ, the install ISOs do not include a signature file. You may safely use yes here. Alternatively, use an http mirror.

The actual installation will occur at this point. The stage Relinking to create unique kernel... may take a long time to complete.

At the prompt Exit to (S)hell, (H)alt or (R)eboot? [reboot], use h to halt (rebooting at this point would boot the installer ISO again), then press any key.

When the installation is complete, you will be returned to the management console main menu. Next:

  1. Select set bootloader, rescue mode, or netboot installer.
  2. Select Boot from disk.
  3. Return to the main menu.
  4. Select shutdown.
  5. Select system details and record the list of IPs returned.
  6. Select create/start.

The VPS should boot into a brand new installation of OpenBSD, and you will eventually be greeted by a login prompt.

Installing OpenBSD With Full-Disk Encryption

Installing OpenBSD with full disk encryption (https://www.openbsd.org/faq/faq14.html#softraidFDE) is well-documented for regular non-virtual machines. Unfortunately, when we tried the standard procedures, we did not get a passphrase prompt from the bootloader when booting the fresh installation. There appears to be no obvious way to boot from an OpenBSD softraid – such as an encrypted disk – and have it use our serial console. Here is a description of how we kludged it. Some familiarity with OpenBSD terminology is expected.

Summary

We will make two OpenBSD slices. One will contain a tiny filesystem with a bootloader configuration file, and the other will contain the encrypted part of the disk. At boot, the OpenBSD bootloader looks for /etc/boot.conf in the first slice, sd0a. That file contains 3 instructions: set serial baud rate, use a serial console, and set the real boot device. The bootloader then boots from the real encrypted boot device, with output going to the serial console.

Installation Procedure

Pre-Configure OpenBSD

We will boot the OpenBSD installer, but select the shell option at the prompt, rather than the install option. We are going to need to do some pre-configuration before performing an install. Note that any line starting with a # is a shell prompt, and others are output.

  1. In the management console main menu, select option 6 (set bootloader, rescue mode, or netboot installer).
  2. In the Set Boot Options menu, select option 6 (BSD Installers).
  3. Under BSD Installers, select option 3 (OpenBSD 6.7 - 64 bit), then select 0 twice to return to the main menu.
  4. In the main menu, select option 3 (shutdown (requests clean shutdown, forces off after 4 min)).
  5. When your VPS is shut down, select option 2 to restart.
  6. The OpenBSD Installation program should appear. Select S at the prompt to open a shell.

 Welcome to the OpenBSD/amd64 6.6 installation program.
 (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s

First, we’ll make the devices that we will need for the hard disk and the softraid.

  1. Rewrite the master boot record for the hard disk with fdisk.

 # cd /dev
 # sh MAKEDEV sd0 sd1
 # fdisk -iy sd0
 Writing MBR at offset 0.

We can optionally overwrite the disk with random data to hide which part of the disk has been written to:

 # dd if=/dev/urandom of=/dev/rsd0c bs=1M

  2. Now, using disklabel, we will make two slices on the raw disk. The first, sd0a, is going to contain a tiny filesystem with just one file in it: /etc/boot.conf. The second slice will be the softraid slice for the encrypted disk. In order to keep things simple, we don't add a swap slice. If you want one, you should add it as another slice to sd0, rather than to the softraid. OpenBSD already encrypts swap, so there is no point in doubly-encrypting it.

 # disklabel -E sd0
 Label editor (enter '?' for help at any prompt)
 sd0> a
 partition: [a] a
 offset: [64] 8192
 size: [62902348] 8192
 FS type: [4.2BSD]
 sd0*> a
 partition: [b] b
 offset: [16384]
 size: [62894156]
 FS type: [swap] raid
 sd0*> w
 sd0> q
 No label changes.
 #

We use an offset of 8192 for the first partition because we want partitions aligned on a 4 MiB boundary, in order to reduce the possibility of write amplification when using solid state storage.

Set Up OpenBSD Softraid

Next, we initialize the softraid. There are other options for the bioctl command that might be interesting or useful here, including -r for specifying the number of rounds of the key derivation function. However, we’ll keep it simple.

 # bioctl -c C -l /dev/sd0b softraid0
 New passphrase:
 Re-type passphrase:
 sd1 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
 sd1: 30709MB, 512 bytes/sector, 62893628 sectors
 softraid0: CRYPTO volume attached as sd1

We need to make the filesystem on sd0a and put /etc/boot.conf there:

 # newfs /dev/rsd0a
 /dev/rsd0a: 4.0MB in 8192 sectors of 512 bytes
 4 cylinder groups of 1.00MB, 64 blocks, 128 inodes each
 super-block backups (for fsck -b #) at:
   32, 2080, 4128, 6176,
 # mount /dev/sd0a /mnt
 # mkdir /mnt/etc
 # printf 'stty com0 115200\nset tty com0\nset device sr0a\n' > /mnt/etc/boot.conf
 # cat /mnt/etc/boot.conf
 stty com0 115200
 set tty com0
 set device sr0a
 # umount /dev/sd0a

The bootloader reads boot.conf one command per line, so the three instructions (serial speed, serial console, real boot device) must each be on their own line.

Run OpenBSD Installer

You can now start the OpenBSD installer by invoking /install at the shell prompt. From this point forward, you can just do a fairly standard installation process. Use the disk sd1 for the install. The installer should leave sd0 alone, since we set it up manually. You also probably do not want to use the auto disk layout with a swap slice, since your system would be swapping to something on sd1. Here are the relevant bits from our interactive session with the installer; yours will likely be a bit different.

 Available disks are: sd0 sd1.
 Which disk is the root disk? ('?' for details) [sd0] sd1
 No valid MBR or GPT.
 Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] w
 Setting OpenBSD MBR partition to whole sd1...done.
 The auto-allocated layout for sd1 is:
 #                size           offset  fstype [fsize bsize   cpg]
   a:          1024.0M               64  4.2BSD   2048 16384     1 # /
   b:          1264.0M          2097216    swap
   c:         30709.8M                0  unused
   d:          1713.6M          4685888  4.2BSD   2048 16384     1 # /tmp
   e:          2669.6M          8195392  4.2BSD   2048 16384     1 # /var
   f:          2496.0M         13662816  4.2BSD   2048 16384     1 # /usr
   g:           981.6M         18774656  4.2BSD   2048 16384     1 # /usr/X11R6
   h:          4012.0M         20784992  4.2BSD   2048 16384     1 # /usr/local
   i:          1698.4M         29001664  4.2BSD   2048 16384     1 # /usr/src
   j:          5916.8M         32480000  4.2BSD   2048 16384     1 # /usr/obj
   k:          8926.2M         44597632  4.2BSD   2048 16384     1 # /home
 Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] c
 Label editor (enter '?' for help at any prompt)
 sd1> a
 partition: [a] a
 offset: [64] 8192
 size: [62870218]
 FS type: [4.2BSD]
 mount point: [none] /
 sd1*> w
 sd1> q
 No label changes.
 /dev/rsd1a: 30698.3MB in 62870208 sectors of 512 bytes
 152 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
 Available disks are: sd0.
 Which disk do you wish to initialize? (or 'done') [done] done
 /dev/sd1a (cd70684e3d78d3b3.a) on /mnt type ffs (rw, asynchronous, local)

Once you're done with the installer, that's it. You should have an encrypted installation of OpenBSD that prompts for the passphrase on the serial console.

Final Notes

There are two areas of your disk that are not encrypted. One is the slice containing /etc/boot.conf, and the other is the unencrypted area of the softraid, where the bootloader is stored.


Post-Installation Network Configuration

This step is optional, but highly recommended. As configured above, the installation is using dhcp for IPv4 and no IPv6 address. Instead, it can use both a static IPv4 and static IPv6 address.

IP Addresses

With a text editor such as vi or nano (pkg_add nano), open the file /etc/hostname.xnf0. Remove the line dhcp and replace it with the following, where MY_IPV4_ADDRESS and MY_IPV6_ADDRESS are the IP addresses recorded earlier:

inet MY_IPV4_ADDRESS 255.255.255.0
inet6 MY_IPV6_ADDRESS 64
-autoconf
-autoconfprivacy
-soii

The last two lines prevent OpenBSD from using randomized link-local addresses. Without them, IPv6 will either completely fail to work or performance will be negatively impacted.

Save the file and exit.

Routes

Open the file /etc/mygate in a text editor. Right now it is empty. Here we'll add the IPv4 and IPv6 gateways.

The IPv4 gateway is the first three octets of the IPv4 address combined with '.1' at the end. For example, for an IP address of A.B.C.D, the IPv4 gateway is A.B.C.1.

The IPv6 gateway is the first 4 groups of the IPv6 address combined with '::1' at the end. For example, for an IP address of A:B:C:D:E:F:G:H, the IPv6 gateway is A:B:C:D::1.

Add the following lines, where MY_IPV4_GATEWAY and MY_IPV6_GATEWAY are the IPv4 and IPv6 gateway addresses:

MY_IPV4_GATEWAY
MY_IPV6_GATEWAY

Save the file and exit.

DNS Resolvers

You may edit the file /etc/resolv.conf, but it is not necessary. Here is a sample file:

nameserver 71.19.145.215
nameserver 71.19.155.120
lookup file bind


Finalizing

Apply the new network configuration:

sh /etc/netstart

Test with:

ping -c1 he.net
ping6 -c1 he.net

Rescue

The shell in the installer may be used to rescue an OpenBSD install.