OpenBSD

From Segfault

Installation

TBD

Postinstall

Network

The host's fully qualified domain name is set in /etc/myname (see myname(5)):

$ cat /etc/myname
bob.example.com

Dynamic

A dynamic network configuration[1] may look as simple as:

$ cat /etc/hostname.gem0
dhcp
up
rtsol

The rtsol line asks for IPv6 router advertisements; on newer releases this keyword has been replaced by inet6 autoconf, so check hostname.if(5) for the release in use.

WiFi

For wireless connections[2], the setup is similar:

$ cat /etc/hostname.bwi0
nwid "Guest WLAN"
wpakey "s3cr3t"
dhcp
# down                                                         # Don't automatically start this interface.

Because the WPA key is stored in plain text in this file, it must not be readable by other users. netstart(8) warns about and tightens insecure permissions itself, but set the file to root:wheel and mode 0640 before the key goes in:

$ ls -l /etc/hostname.bwi0
-rw-r-----  1 root  wheel  61 Jun 28 16:26 /etc/hostname.bwi0

Start the interface:

$ sh /etc/netstart bwi0
WARNING: /etc/hostname.bwi0 is insecure, fixing permissions
DHCPDISCOVER on bwi0 - interval 1
DHCPDISCOVER on bwi0 - interval 2
DHCPDISCOVER on bwi0 - interval 4
DHCPOFFER from 10.0.0.1 (aa:bb:cc:dd:ee:22)
DHCPREQUEST on bwi0 to 255.255.255.255
DHCPACK from 10.0.0.1 (aa:bb:cc:dd:ee:22)
bound to 10.0.0.123 -- renewal in 21600 seconds.
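The two steps above, creating the file so the key is never exposed to other users and checking that the mode matches the listing, as an added shell example that is not part of the original page and is not OpenBSD's netstart(8). The interface name, SSID and key are illustrative, and the "0640 or stricter, owned by root:wheel" rule is this example's reading of the listing above, not netstart's exact test:

```sh
#!/bin/sh
# Added example, not code from the page and not OpenBSD's netstart(8):
# create a hostname.if(5) file that carries a WPA key without the key ever
# being readable by other users, then check the result.  The rule checked
# (root:wheel, mode 0640 or stricter) is taken from the listing above;
# netstart's own check remains the reference, not this script.

# hostname_if_mode_ok FILE -> 0 when the group has at most read access and
# others have none.  ls(1) is used instead of stat(1), whose flags differ
# between OpenBSD and Linux.
hostname_if_mode_ok() {
    mode=$(ls -ldn "$1" 2>/dev/null | cut -c1-10)
    case $mode in
        ?????-----) return 0 ;;   # positions 6-10 (group w/x, other rwx) all clear
        *)          return 1 ;;
    esac
}

# hostname_if_owner_ok FILE -> 0 when owned by uid 0 and gid 0 (root:wheel)
hostname_if_owner_ok() {
    out=$(ls -ldn "$1" 2>/dev/null) || return 1
    set -- $out
    [ "$3" = 0 ] && [ "$4" = 0 ]
}

# write_wifi_hostname_if FILE NWID WPAKEY
# The file is created under umask 077, so there is no moment at which the
# key is world-readable, then set to 0640 as in the listing above.
# Run as root (doas) for a real /etc/hostname.<if>; the SSID and key are
# illustrative values.
write_wifi_hostname_if() {
    file=$1 nwid=$2 key=$3
    ( umask 077; printf 'nwid "%s"\nwpakey "%s"\ndhcp\n' "$nwid" "$key" > "$file" ) || return 1
    chmod 0640 "$file" || return 1
    hostname_if_mode_ok "$file"
}

case ${1:-} in
demo)   # sh wifi.sh demo -- writes to a temporary file, not to /etc
        tmp=$(mktemp) && write_wifi_hostname_if "$tmp" "Guest WLAN" "s3cr3t" &&
            cat "$tmp" && ls -l "$tmp"; rm -f "$tmp" ;;
esac
```

The owner check is separate from the mode check so the script can be exercised as an ordinary user; on the target system both must pass.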

This is how it may look once connected:

$ ifconfig bwi0 media
bwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:11:22:33:44:55
       index 1 priority 4 llprio 3
       groups: wlan
       media: IEEE802.11 autoselect (OFDM36 mode 11g)
       status: active
       ieee80211: nwid Guest WLAN chan 11 bssid aa:bb:cc:dd:ee:22 -44dBm wpakey 0xc7a428d85... \
                           wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp
       supported media:
               media autoselect
               media autoselect mediaopt monitor
               media autoselect mode 11b
               media autoselect mode 11b mediaopt monitor
               media autoselect mode 11g
               media autoselect mode 11g mediaopt monitor
       inet 10.0.0.123 netmask 0xffffff00 broadcast 10.0.0.255

Static

For a static network configuration[1], use something like this:

$ cat /etc/hostname.em0
inet 10.0.0.234 255.255.255.0
!/sbin/route add default 10.0.0.1

$ grep ^name /etc/resolv.conf
nameserver 10.0.0.1

A ! line runs an arbitrary command when the interface comes up; the usual place for the default route is /etc/mygate (see mygate(5)), which netstart picks up without such a command.

fstab

/tmp lives on a memory filesystem[3] (mfs), so temporary files never touch the disk and are gone after a reboot:

$ cat /etc/fstab
/dev/sd0a  /      ffs    rw,softdep,noatime           1 1
swap       /tmp   mfs    rw,nosuid,nodev,-s=262144    0 0
# swap     /tmp   tmpfs  rw,-s128M,-m1777             0 0
# proc     /proc  procfs rw,nosuid,nodev,noexec,linux 0 0
nfs0:/home /home  nfs    rw,nosuid,nodev              0 0

Notes:

  • tmpfs has been disabled with OpenBSD 6.0[4][5] because it is no longer maintained.
  • procfs has been removed with OpenBSD 5.7[6].
  • Encrypted swap is enabled by default since OpenBSD 3.8[7] and vm.swapencrypt.enable is set to 1 by default.

doas

OpenBSD ships doas(1)[8][9] in the base system for privilege elevation; sudo is no longer in base but is still available as a package.

Example doas.conf. Rules are evaluated in order and the last matching rule wins, so a broad permit followed by a narrower deny behaves differently from the reverse. The second rule gives the dummy user root without any password: convenient on a lab machine, but a compromise of the dummy account is then a root compromise. doas -C /etc/doas.conf checks the syntax, and with a command appended prints whether that command would be permitted:

$ cat /etc/doas.conf
permit keepenv persist :wheel
permit keepenv nopass dummy as root
$ id; doas id
uid=1000(dummy) gid=1000(dummy) groups=1000(dummy), 9(wsrc), 21(wobj)
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
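A small model of doas.conf(5) rule matching, added here as an example that is not from the page and is not doas itself. It applies the documented semantics (rules read top to bottom, the last matching rule wins, identity is a user or :group, as and cmd narrow a rule, no match means deny) to a constructed policy made of the two rules above plus one deny, which shows why the dummy user gets passwordless root while a member of wheel can still be denied a single command. The args keyword is not modelled, the user names other than dummy are invented, and on a real system doas -C is the check to use:

```sh
#!/bin/sh
# Added example, not code from the page and not OpenBSD's doas(1): an awk
# model of doas.conf(5) rule matching, to review a policy offline.
# Modelled: rules are read top to bottom and the LAST matching rule decides;
# identity is a user name or :group; "as target" and "cmd" narrow the match;
# "nopass" is reported; "args" is not modelled; no match means deny.
# On OpenBSD the real check is:  doas -C /etc/doas.conf -u root id

# doas_eval CONF USER "GROUP ..." TARGET COMMAND
# Prints "permit", "permit nopass" or "deny" for the request.
doas_eval() {
    awk -v user="$2" -v groups="$3" -v target="$4" -v cmdname="$5" '
    BEGIN {
        decision = "deny"                          # no matching rule: deny
        n = split(groups, g, / +/)
        for (i = 1; i <= n; i++) ingroup[g[i]] = 1
    }
    NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
    $1 != "permit" && $1 != "deny" { next }        # not a rule
    {
        action = $1; nopass = 0; ident = ""; tgt = ""; cmd = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "nopass") nopass = 1
            else if ($i == "keepenv" || $i == "persist" || $i == "nolog") continue
            else if ($i == "setenv") { while (i <= NF && $i !~ /}$/) i++ }   # skip { VAR=v ... }
            else if ($i == "as") tgt = $(++i)
            else if ($i == "cmd") cmd = $(++i)
            else if ($i == "args") break               # arguments not modelled
            else if (ident == "") ident = $i           # first bare word: identity
        }
        if (ident ~ /^:/) { gname = substr(ident, 2); if (!(gname in ingroup)) next }
        else if (ident != user) next
        if (tgt != "" && tgt != target) next
        if (cmd != "" && cmd != cmdname) next
        decision = (action == "deny") ? "deny" : (nopass ? "permit nopass" : "permit")
    }
    END { print decision }' "$1"
}

# Constructed policy: the page's two rules plus a deny placed last.
DEMO_CONF=$(mktemp) || exit 1
trap 'rm -f "$DEMO_CONF"' EXIT
cat > "$DEMO_CONF" <<'EOF'
# constructed sample, not a real /etc/doas.conf
permit keepenv persist :wheel
permit keepenv nopass dummy as root
deny alice cmd reboot
EOF

# show CONF USER "GROUPS" TARGET COMMAND -> one report line
show() { printf '%-6s -> %-6s %-7s : %s\n' "$2" "$4" "$5" "$(doas_eval "$@")"; }
show "$DEMO_CONF" dummy "dummy wsrc wobj" root   id       # permit nopass (rule 2, dummy is not in wheel)
show "$DEMO_CONF" dummy "dummy wsrc wobj" nobody id       # deny ("as root" does not cover other targets)
show "$DEMO_CONF" alice "alice wheel"     root   id       # permit (rule 1)
show "$DEMO_CONF" alice "alice wheel"     root   reboot   # deny (rule 3 matches last and wins)
show "$DEMO_CONF" bob   "bob"             root   id       # deny (no rule matches)
```

Swapping the order of the last two rules in the sample would turn the reboot verdict for alice into permit, which is the property worth checking whenever a deny is added to an existing policy.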

Packages

The ports system[10] provides third-party software that is not part of the base installation, either as pre-built binary packages or built from source.

pkg_add

With installurl set during installation, packages can be installed right away, without setting PKG_PATH[11] explicitly:

$ cat /etc/installurl
https://cdn.openbsd.org/pub/OpenBSD

$ doas pkg_add bash bzip2 cvsync git iftop pv rsync vim vnstat xz

Enable and start vnstat:

doas rcctl enable vnstatd && doas rcctl start vnstatd

Adjust vnstat.conf so that vnstat(1) reports on the right interface when run interactively:

$ grep ^Int /etc/vnstat.conf
Interface "gem0"

bsd.port.mk

If the ports tree[10] is installed, packages can also be built from source:

$ cd /usr/ports/games/cowsay
$ make build
Fatal: building ports requires correctly installed X11 (in games/cowsay)
Fatal: /usr/local/lib/X11/app-defaults should exist and be a symlink
*** Error 1 in /usr/ports/games/cowsay (/usr/ports/infrastructure/mk/bsd.port.mk:3415 '.BEGIN': @exit 1)

The ports infrastructure assumes a complete installation, including the X sets: even a command-line port may install application defaults, and with the X sets installed /usr/local/lib/X11/app-defaults is a symlink to the app-defaults directory under /etc/X11, which is what bsd.port.mk checks for here.[12] The clean fix is to install the missing X sets. The workaround below fakes the two paths instead. Note that it points app-defaults at /tmp, which is world-writable and, with the mfs /tmp from the fstab above, wiped at every reboot: anything a port installs there can be replaced by any local user and is gone after a reboot, so this is only acceptable on a machine that will never run X clients:

doas mkdir -p /usr/X11R6/man && doas touch /usr/X11R6/man/mandoc.db
doas mkdir -p /usr/local/lib/X11 && doas ln -s /tmp /usr/local/lib/X11/app-defaults

And try again:

$ make build
$ doas make install
$ sha256 $(which cowsay) | cowsay
 _________________________________________ 
/ SHA256 (/usr/local/bin/cowsay) =        \
| 75aee1ca97b479fa1afb3b9f9d90c1f70ef9f0f |
\ 0402a7e2d91b90629a49d758b               /
 ----------------------------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Update

Binary

Binary patches for -release are applied with syspatch(8) on the architectures for which patches are built:

$ doas syspatch
Get/Verify syspatch63-011_perl.tgz 100% |*************************************|  4922 KB    00:03
Installing patch 011_perl
[...]
Relinking to create unique kernel... done.
   1m31.20s real     0m22.25s user     0m09.33s system
$ ls -hgo /var/syspatch/63-011_perl
total 52
-r--r--r--  1 bin    -  1.9K Jun 21 02:01 011_perl.patch.sig
-rw-r--r--  1 wheel  - 22.8K Jul 18 15:00 rollback.tgz

Source

Prerequisites

Tarball          CVS module   CVS size   Git repository                  Git size
src.tar.gz       userland     1.0 GB     src.git                         2.5 GB
sys.tar.gz       kernel       200 MB     included in the src Git tree    200 MB
ports.tar.gz     ports        600 MB     ports.git                       800 MB
xenocara.tar.gz  X11          ?          xenocara.git                    ?


Extracting the source tarballs from one of the mirror servers[13] can be done as an unprivileged user[14], provided the ownership and group permissions of the trees are set up first. The build user and the wobj and wsrc groups exist in the base system for exactly this purpose:

$ doas chown -R build:wobj /usr/{x,}obj
$ doas chown -R root:wsrc /usr/{ports,src}

$ ls -Lld /usr/{{x,}obj,ports,src{,/sys}}
drwxrwx---   2 build  wobj   512 Jun 28 02:22 /usr/obj                        # 2 GB
drwxrwx---   2 build  wobj   512 Feb 25 13:12 /usr/xobj                       # ?
drwxrwxr-x  47 root   wsrc  1024 Jun 28 03:27 /usr/ports
drwxrwxr-x  17 root   wsrc   512 Jun 28 03:42 /usr/src
drwxrwxr-x  26 root   wsrc  1024 Jun 28 03:41 /usr/src/sys

$ id
uid=1000(dummy) gid=1000(dummy) groups=1000(dummy), 9(wsrc), 21(wobj)

HTTP

Fetch the source packages from a mirror server. Skip xenocara if no X11 is needed.

REL=$(uname -r | tr -d .)

ftp https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/{SHA256{,.sig},{ports,src,sys,xenocara}.tar.gz}
signify -C -p /etc/signify/openbsd-${REL}-base.pub -x SHA256.sig *tar.gz     # Verifies the signature AND the digests of the named files
sha256 -C SHA256 *tar.gz                                                     # Redundant after signify -C; the unsigned SHA256 file proves nothing on its own

cd /usr/src
for p in src sys ports xenocara; do ls -lh ~/${p}.tar.gz && tar -xzf ~/${p}.tar.gz; done
mv ports xenocara ../

CVS

Use CVS to check out the sources from a nearby mirror[15]. Anonymous CVS runs over ssh and the tree itself carries no signature, so on first contact compare the mirror's host key fingerprint with the one published on the anoncvs page[15] instead of accepting it blindly:

REL=$(uname -r | tr . _)                                                      # Make the release name match the CVS tag
CVSROOT=anoncvs@anoncvs3.usa.openbsd.org:/cvs                                 # Use a nearby mirror!

cd /usr
cvs -qd $CVSROOT get -rOPENBSD_${REL} -P src                                  # ~?? minutes
cvs -qd $CVSROOT get -rOPENBSD_${REL} -P ports                                # ~?? minutes
cvs -qd $CVSROOT get -rOPENBSD_${REL} -P xenocara                             # ~?? minutes

If the tree has already been checked out (via CVS or via tarball), use the following to update the local copies:

cd /usr/src
cvs -qd $CVSROOT up  -rOPENBSD_${REL}                                         #  ~7 minutes

cd /usr/ports
cvs -qd $CVSROOT up  -rOPENBSD_${REL}                                         # ~15 minutes

cd /usr/xenocara
cvs -qd $CVSROOT up  -rOPENBSD_${REL}                                         # ~15 minutes

Git

There is also a Git conversion of the CVS trees on GitHub (a mirror, not the authoritative source, and without the signify verification the release tarballs get):

cd /usr
git clone https://github.com/openbsd/src.git                                  # ~2.5 GB
cd src
git checkout OPENBSD_6_0-RELEASE

cd ../
git clone https://github.com/openbsd/ports.git                                # ~1.0 GB
cd ports
git checkout OPENBSD_6_0-RELEASE

Note: the checkout isn't working yet as the branches are missing from the git mirrors :(

Kernel

Now that the sources have been updated, start by rebuilding the kernel[16]:

cd /sys/arch/$(machine)/compile/GENERIC.MP                                    # Use GENERIC for uniprocessor systems
make obj && make config
make -j$(sysctl -n hw.ncpu)

We can also build a custom[17] kernel:

cd /sys/arch/$(machine)/conf
cp GENERIC.MP CUSTOM

Edit CUSTOM, then:

config CUSTOM
cd ../compile/CUSTOM
make -j$(sysctl -n hw.ncpu)

Let's see what we have built:

$ ls -lhtrd /usr/obj/sys/arch/$(machine)/compile/*/bsd /bsd*
-rw-r--r--  1 root   wheel   7.6M Jun 28 02:21 /bsd
-rw-r--r--  1 root   wheel   8.2M Jun 28 02:21 /bsd.rd
-rwxr-xr-x  1 dummy  wobj    7.6M Jun 28 18:47 /usr/obj/sys/arch/macppc/compile/GENERIC/bsd

$ sysctl -n kern.version
OpenBSD 6.1 (GENERIC) #4: Sat Apr  1 16:06:17 MDT 2017
    deraadt@macppc.openbsd.org:/usr/src/sys/arch/macppc/compile/GENERIC

$ echo exit | config -o /dev/null -e /usr/obj/sys/arch/$(machine)/compile/*/bsd
OpenBSD 6.1-stable (GENERIC) #0: Wed Jun 28 18:47:32 PDT 2017
    dummy@alice.example.net:/usr/src/sys/arch/macppc/compile/GENERIC
Enter 'help' for information
ukc> exit

Install the new kernel (the running kernel is first copied to /obsd, so it can still be booted if the new one fails):

doas make install
doas reboot

Userland

FIXME - is there a way to build as a normal user?

With the new kernel running, rebuild the userland[18]:

doas rm -rf /usr/obj/*                                                             # Only needed on the first build
cd /usr/src
doas make obj
doas make -j$(sysctl -n hw.ncpu) build

Update /etc, /var and /dev:

doas sysmerge
cd /dev && doas ./MAKEDEV all

Now that everything has been rebuilt, we can reboot:

doas shutdown -r now

Xenocara

Technically, xenocara is userland too, but it is built separately:

cd /usr/xenocara
doas make bootstrap
make obj
doas make -j$(sysctl -n hw.ncpu) build

Ports

Binary

With installurl set during installation (see above), setting PKG_PATH[19] to a nearby mirror[13] is optional; it still works when a specific mirror is wanted:

export PKG_PATH=https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(machine)/

Install a package:

doas pkg_add -r rsync                                                         # -r Replace existing packages

Update all installed packages:

doas pkg_add -Uuv                                                             # -U Update dependencies
                                                                              # -u Update all installed packages
                                                                              # -v Verbose

Source

According to the FAQ[20] at the time of writing, binary packages for -release and -stable were not updated after the release, so updates had to be built from the ports tree (newer releases do ship updated -stable packages; the current FAQ describes the present state). Either update the whole tree, or update only the port in question and reinstall the package:

cd /usr/ports/games/cowsay
cvs -d anoncvs@anoncvs.ca.openbsd.org:/cvs up  -rOPENBSD_6_1

make
doas make reinstall

Upgrade

Upgrading from one release to another is described in the OpenBSD Upgrade Guide (pick the correct upgrade path!) and is only supported from one release to the release immediately following it; skipping releases is not supported. Since OpenBSD 6.6, sysupgrade(8) automates the install-media method below: it fetches and verifies the sets, installs bsd.rd and reboots into it.

Install media

This is the recommended method for system upgrades. Boot from the install media, then choose Upgrade, not Install. Alternatively, fetch the distribution sets and upgrade as described in the Installation Guide.

One could also boot the new installation kernel from disk. Verify it with the key of the target release (6.1 here): the running 6.0 already has openbsd-61-base.pub in /etc/signify, because every release ships the key of the release that follows it, so no key has to be fetched over the network.

$ uname -r
6.0

$ ftp https://ftp.openbsd.org/pub/OpenBSD/6.1/$(machine)/{bsd.rd,SHA256.sig}
$ signify -C -p /etc/signify/openbsd-61-base.pub -x SHA256.sig bsd.rd              # Verify[21] the signature and the digest of bsd.rd
Signature Verified
bsd.rd: OK

$ sha256 -C SHA256.sig bsd.rd                                                      # Redundant: signify -C has already checked the digest
(SHA256) bsd.rd: OK

Install to the root disk:

doas mv bsd.rd /bsd.rd

Reboot, then boot with:

> boot /bsd.rd

...and choose Upgrade. Select http to upgrade over the network, be sure to choose a nearby mirror server[13] that holds the desired target release.

After the sets have been selected and installed, the machine should be rebooted and sysmerge(8) should be run to update the configuration:

$ doas sysmerge
[...]
===> Output log available at /var/tmp/sysmerge.tmp/sysmerge.log

$ doas cat /var/tmp/sysmerge.tmp/sysmerge.log
===> Automatically installed file(s)
/etc/ppp/options.sample
/etc/ppp/chatscript.sample
/etc/rpc

===> Manually merged/installed file(s)
/etc/nginx/mime.types
/etc/rc.d/rc.subr
/etc/rc.d/httpd
/etc/rc.d/nsd
/etc/rc.d/spamd
/etc/rc.d/syslogd
/etc/netstart
/etc/protocols
/etc/rc
/etc/services
/etc/sysctl.conf

===> Backup of replaced file(s) can be found under
/var/tmp/sysmerge.tmp/backups

Reboot once again and see if the system comes up again :-)

In-place upgrade

While not recommended, the system can also be upgraded to a newer release without booting into the newer release's installation kernel first.[22]

$ uname -r
5.7

Adjust as needed and choose a nearby mirror:[13]

REL=5.8 VER=58
ftp https://cdn.openbsd.org/pub/OpenBSD/${REL}/$(machine)/{SHA256.sig,bsd.mp,bsd.rd,base${VER}.tgz,comp${VER}.tgz,man${VER}.tgz}

If X11 is installed, fetch {xshare,xserv,xfont,xbase}${VER}.tgz as well!

Verify[21] the sets, again with the target release's key, which the running system already has:

$ signify -C -p /etc/signify/openbsd-${VER}-base.pub -x SHA256.sig bsd* *.tgz
Signature Verified
base58.tgz: OK
bsd.mp: OK
bsd.rd: OK
comp58.tgz: OK
man58.tgz: OK
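The checklist step shared by the source fetch, the install-media upgrade and this in-place upgrade, written out as an added shell example that is not from the page and is not OpenBSD's sha256(1) or signify(1): it parses the `SHA256 (name) = hex` lines that both the SHA256 file and SHA256.sig carry, skips the two signify header lines the way sha256 -C does, and refuses a file that is missing from the list. The file name and the header lines in the sample are constructed, and the script runs on OpenBSD (sha256) as well as Linux (sha256sum). It is deliberately only the integrity half: the list is worth nothing until signify -C has verified its signature with the release key:

```sh
#!/bin/sh
# Added example, not code from the page and not OpenBSD's sha256(1) or
# signify(1): verify files against an OpenBSD-style checklist made of
# "SHA256 (name) = hex" lines, as found in the mirrors' SHA256 file and,
# after two signify header lines, in SHA256.sig.  Non-entry lines are
# ignored, as sha256 -C does.  The signature is NOT checked here: run
# signify -C (or -V) on SHA256.sig first, otherwise the list is untrusted.

# digest FILE -> hex SHA-256 of FILE on stdout (OpenBSD sha256 or GNU sha256sum)
digest() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else sha256sum "$1" | cut -d ' ' -f 1
    fi
}

# verify_checklist CHECKLIST FILE... -> 0 only if every FILE is listed in
# CHECKLIST (by base name) and its digest matches.  A missing entry is a
# failure, not a pass, so a truncated list cannot hide a tampered file.
verify_checklist() {
    list=$1; shift
    rc=0
    for f in "$@"; do
        want=$(awk -v n="${f##*/}" \
            '$1 == "SHA256" && $2 == ("(" n ")") && $3 == "=" { print $4; exit }' "$list")
        if [ -z "$want" ]; then
            echo "$f: not in checklist" >&2; rc=1
        elif [ "$(digest "$f")" = "$want" ]; then
            echo "$f: OK"
        else
            echo "$f: FAILED" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample: a stand-in for bsd.rd and a SHA256.sig-shaped list.
# The two header lines imitate signify's layout and are NOT a real signature.
demo_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$demo_dir"' EXIT
printf 'constructed stand-in for bsd.rd, not a kernel\n' > "$demo_dir/bsd.rd"
{
    echo 'untrusted comment: constructed header, verify with openbsd-61-base.pub'
    echo 'RWQconstructedPlaceholderNotASignature'
    echo "SHA256 (bsd.rd) = $(digest "$demo_dir/bsd.rd")"
} > "$demo_dir/SHA256.sig"

verify_checklist "$demo_dir/SHA256.sig" "$demo_dir/bsd.rd"     # prints "bsd.rd: OK"
```

With real sets the call is verify_checklist SHA256.sig bsd.rd base58.tgz ... after signify -C has passed; the point of the unlisted-file rule is that a mirror serving an extra or renamed set never verifies by accident.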

Install the kernel:

doas mv /bsd /obsd && doas mv bsd.mp /bsd && doas mv bsd.rd /
doas chown root:wheel /bsd /bsd.rd

Keep a copy of the old reboot binary; the one from the new base set may not run on the kernel that is still running:

doas cp -p /sbin/reboot /sbin/oreboot

Install the distribution sets:

doas tar -C / -vxzphf comp*.tgz                                   # -h follow symbolic links; -p preserve ownership & permissions
doas tar -C / -vxzphf man*.tgz
doas tar -C / -vxzphf base*.tgz                                   # Extract base last: it replaces the tools the extraction itself uses

Reboot the system, using /sbin/oreboot if the new /sbin/reboot fails on the old kernel. After the reboot, finish the installation with:

cd /dev && doas ./MAKEDEV all
doas installboot -v wd0                                       # Or sd0 or whatever the boot disk is called.

We still have to run sysmerge(8) to update the system's configuration:

script ~/upgrade.log
doas sysmerge
[...]

If the kernel relinking failed (see /usr/share/relink/kernel/GENERIC.MP/relink.log), record the checksum of the installed kernel so that reorder_kernel(8), the KARL[23] relinker, accepts it and relinking can succeed on the next reboot:

doas sha256 -h /var/db/kernel.SHA256 /bsd

Reboot once more and see if the system comes up again :-)

References