OpenBSD

From Segfault

Installation

This is best described in the Installation Guide.

Postinstall

Network

The FQDN is set in /etc/myname:

$ cat /etc/myname
bob.example.com

Dynamic

A dynamic network configuration[1] may look as simple as:

$ cat /etc/hostname.gem0                                                                                                                                                 
dhcp
up
rtsol

WiFi

For wireless connections[2], the setup is similar:

$ cat /etc/hostname.bwi0
nwid "Guest WLAN"
wpakey "s3cr3t"
dhcp
# down                                                         # Don't automatically start this interface.

Because the network key is stored in this file, we should adjust the permissions accordingly:

$ ls -l /etc/hostname.bwi0                                                                                                                                               
-rw-r-----  1 root  wheel  61 Jun 28 16:26 /etc/hostname.bwi0

Start the interface:

$ sh /etc/netstart bwi0
WARNING: /etc/hostname.bwi0 is insecure, fixing permissions
DHCPDISCOVER on bwi0 - interval 1
DHCPDISCOVER on bwi0 - interval 2
DHCPDISCOVER on bwi0 - interval 4
DHCPOFFER from 10.0.0.1 (aa:bb:cc:dd:ee:22)
DHCPREQUEST on bwi0 to 255.255.255.255
DHCPACK from 10.0.0.1 (aa:bb:cc:dd:ee:22)
bound to 10.0.0.123 -- renewal in 21600 seconds.
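The permissions that netstart warns about above can be checked ahead of time. The following is an added example, not part of the original page: it lists hostname.if files that contain a wpakey or nwkey and are accessible to group or others. The owner-only policy and the function name audit_hostname_keys are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): list hostname.if(5) files that
# contain wireless key material but are accessible by group or others.
# Assumed policy: files holding a key should be accessible by the owner only.

audit_hostname_keys() {
    dir=${1:-/etc}
    rc=0
    for f in "$dir"/hostname.*; do
        [ -f "$f" ] || continue
        # wpakey/nwkey may start a line or follow a "join" statement.
        grep -Eq '(^|[[:space:]])(wpakey|nwkey)[[:space:]]' "$f" || continue
        # The first 10 characters of ls -l are the file type and mode bits.
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            -???------) ;;                              # owner-only: fine
            *) printf '%s %s\n' "$mode" "$f"; rc=1 ;;   # group/other access
        esac
    done
    return $rc
}

# Constructed sample: the page's hostname.bwi0 at mode 0640 and a keyless file.
demo=$(mktemp -d)
printf 'nwid "Guest WLAN"\nwpakey "s3cr3t"\ndhcp\n' > "$demo/hostname.bwi0"
printf 'dhcp\nup\nrtsol\n' > "$demo/hostname.gem0"
chmod 640 "$demo/hostname.bwi0"
chmod 644 "$demo/hostname.gem0"
audit_hostname_keys "$demo" || echo "tighten the files listed above: chmod 600 <file>"
rm -rf "$demo"
```

On a live system, run it as `audit_hostname_keys /etc`; keyless files such as a plain dhcp configuration are ignored regardless of their mode.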

This is what it may look like once connected:

$ ifconfig bwi0 media    
bwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:11:22:33:44:55
       index 1 priority 4 llprio 3
       groups: wlan
       media: IEEE802.11 autoselect (OFDM36 mode 11g)
       status: active
       ieee80211: nwid Guest WLAN chan 11 bssid aa:bb:cc:dd:ee:22 -44dBm wpakey 0xc7a428d85... \
                           wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp
       supported media:
               media autoselect
               media autoselect mediaopt monitor
               media autoselect mode 11b
               media autoselect mode 11b mediaopt monitor
               media autoselect mode 11g
               media autoselect mode 11g mediaopt monitor
       inet 10.0.0.123 netmask 0xffffff00 broadcast 10.0.0.255

Static

For a static network configuration[1], use something like this:

$ cat /etc/hostname.em0
inet 10.0.0.234 255.255.255.0
!/sbin/route add default 10.0.0.1

$ grep ^name /etc/resolv.conf
nameserver 10.0.0.1

fstab

We're using a virtual filesystem[3] for /tmp:

$ cat /etc/fstab
/dev/sd0a  /      ffs    rw,softdep,noatime           1 1
swap       /tmp   mfs    rw,nosuid,nodev,-s=524288    0 0
# swap     /tmp   tmpfs  rw,-s128M,-m1777             0 0
# proc     /proc  procfs rw,nosuid,nodev,noexec,linux 0 0
nfs0:/home /home  nfs    rw,nosuid,nodev              0 0

Notes:

  • tmpfs has been disabled with OpenBSD 6.0[4][5] because it is no longer maintained.
  • procfs has been removed with OpenBSD 5.7[6]
  • Encrypted swap is enabled by default since OpenBSD 3.8[7] and vm.swapencrypt.enable is set to 1 by default.

doas

Instead of sudo, OpenBSD uses doas now[8][9] to elevate user privileges.

Example doas.conf:

$ cat /etc/doas.conf
permit keepenv persist :wheel
permit keepenv nopass dummy as root
$ id; doas id
uid=1000(dummy) gid=1000(dummy) groups=1000(dummy), 9(wsrc), 21(wobj)
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
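Rules like the two above grant root without restricting the command, and the second one does so without a password. As an added example (not part of the original page), this audit flags doas.conf rules that use nopass or keepenv or that lack a cmd restriction. The function name audit_doas_conf and the two narrower sample rules are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: flag doas.conf(5) rules that
# skip authentication, keep the caller's environment, or allow any command.

audit_doas_conf() {
    awk '
        $1 == "permit" {
            risk = ""; restricted = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break                         # trailing comment
                if ($i == "cmd") { restricted = 1; break }   # rule names a command
                if ($i == "nopass")  risk = risk " nopass"
                if ($i == "keepenv") risk = risk " keepenv"
            }
            if (!restricted) risk = risk " any-command"
            if (risk != "") { print NR ":" risk; found = 1 }
        }
        END { exit found + 0 }                               # 1 if anything was flagged
    ' "$1"
}

# Constructed sample: rules 2 and 3 are the ones shown on this page, rules 4
# and 5 are hypothetical narrower alternatives.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
permit keepenv persist :wheel
permit keepenv nopass dummy as root
permit nopass dummy as root cmd /usr/sbin/rcctl
permit persist :wheel cmd /sbin/reboot
EOF
audit_doas_conf "$sample" || echo "review the rules at the line numbers listed above"
rm -f "$sample"
```

Each output line is the rule's line number followed by the reasons it was flagged; a rule limited with cmd and using neither nopass nor keepenv produces no output.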

Packages

The ports system[10] holds packages that are not included in the base installation. Both binary and source packages are available.

pkg_add

With installurl set during installation, we can install packages right away, without setting PKG_PATH[11] explicitly:

$ cat /etc/installurl
https://cdn.openbsd.org/pub/OpenBSD                                  # Use ftp.openbsd.org if necessary.[12]

$ doas pkg_add bash bzip2 curl git iftop pv rsync vim vnstat xz

Enable and start vnstat:

doas rcctl enable vnstatd && doas rcctl start vnstatd

Adjust vnstat.conf to point to the correct network interface when called interactively:

$ grep ^Int /etc/vnstat.conf
Interface "gem0"

bsd.port.mk

If the ports tree[10] is installed, we can install packages too:

$ cd /usr/ports/games/cowsay
$ make build
Fatal: building ports requires correctly installed X11 (in games/cowsay)
Fatal: /usr/local/lib/X11/app-defaults should exist and be a symlink
*** Error 1 in /usr/ports/games/cowsay (/usr/ports/infrastructure/mk/bsd.port.mk:3415 '.BEGIN': @exit 1)

Uh, oh - for some reason we need X11 installed to build (command line) packages?[13] Let's fix that:

doas mkdir -p /usr/X11R6/man && doas touch /usr/X11R6/man/mandoc.db
doas mkdir -p /usr/local/lib/X11 && doas ln -s /tmp /usr/local/lib/X11/app-defaults                # One could also use . for the symlink source.

And try again:

$ make build
$ doas make install
$ sha256 $(which cowsay) | cowsay 
 _________________________________________ 
/ SHA256 (/usr/local/bin/cowsay) =        \
| 75aee1ca97b479fa1afb3b9f9d90c1f70ef9f0f |
\ 0402a7e2d91b90629a49d758b               /
 ----------------------------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Resize partition

This is explained in the FAQ, but we needed one extra step here:

$ dmesg | grep sd1
sd1 at scsibus3 targ 0 lun 0: <VirtIO, Block Device, >
sd1: 20480MB, 512 bytes/sector, 41943040 sectors

$ disklabel -E sd1
sd1> p m
OpenBSD area: 0-16777216; size: 8192.0M; free: 2.6M
#                size           offset  fstype [fsize bsize   cpg]
  a:          8189.4M                0  4.2BSD   2048 16384 12958 # /mnt/sd1
  c:         20480.0M                0  unused

The OpenBSD area needs to be resized first, before we can resize the partition:

sd1> b
Starting sector: [0]
Size ('*' for entire disk): [16777216] *
sd1*> p m
OpenBSD area: 0-41943040; size: 20480.0M; free: 12290.6M
#                size           offset  fstype [fsize bsize   cpg]
  a:          8189.4M                0  4.2BSD   2048 16384 12958 # /mnt/sd1
  c:         20480.0M                0  unused

Now the partition can be resized:

sd1*> m
partition to modify: [] a
offset: [0]
size: [16771840] 41943040
FS type: [4.2BSD]

sd1*> p m
OpenBSD area: 0-41943040; size: 20480.0M; free: 0.0M
#                size           offset  fstype [fsize bsize   cpg]
  a:         20480.0M                0  4.2BSD   2048 16384 12958 # /mnt/sd1
  c:         20480.0M                0  unused
sd1*> w
sd1> q

Resize the file system too, and run fsck afterwards:

growfs sd1a
fsck /dev/sd1a

And it worked:

$ mount /dev/sd1a /mnt/sd1/
$ df -h /mnt/sd1/
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd1a     19.7G    4.6G   14.0G    25%    /mnt/sd1

Update

Binary

Binary updates can be applied via syspatch on some architectures:

$ doas syspatch -c 
001_x509
002_asn1
003_ukbd
004_expat

$ doas syspatch    
Get/Verify syspatch72-001_x509.tgz 100% |***********************| 14494 KB    00:04    
Installing patch 001_x509
Relinking to create unique kernel... done; reboot to load the new kernel
Errata can be reviewed under /var/syspatch

Source

Prerequisites

Tarball          Tarball size  CVS       CVS size  Git                           Git size
src.tar.gz       1 GB          userland  1 GB      src.git                       3 GB
sys.tar.gz       600 MB        kernel    600 MB    included in the src Git tree  600 MB
ports.tar.gz     1 GB          ports     1 GB      ports.git                     1 GB
xenocara.tar.gz  700 MB        X11       ?         xenocara.git                  ?


Extracting the source packages from one of the mirror servers[14] can be done as a mere user[15], given that all permissions are set correctly:

$ doas chown -R build:wobj /usr/{x,}obj
$ doas chown -R root:wsrc /usr/{ports,src}

$ ls -Lld /usr/{{x,}obj,ports,src{,/sys}}
drwxrwx---   2 build  wobj   512 Jun 28 02:22 /usr/obj                        # 2 GB
drwxrwx---   2 build  wobj   512 Feb 25 13:12 /usr/xobj                       # ?
drwxrwxr-x  47 root   wsrc  1024 Jun 28 03:27 /usr/ports
drwxrwxr-x  17 root   wsrc   512 Jun 28 03:42 /usr/src
drwxrwxr-x  26 root   wsrc  1024 Jun 28 03:41 /usr/src/sys

$ id
uid=1000(dummy) gid=1000(dummy) groups=1000(dummy), 9(wsrc), 21(wobj)

HTTP

Fetch the source packages from a mirror server. Skip xenocara if no X11 is needed.

REL=$(uname -r | tr -d .)

ftp https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/{SHA256{,.sig},{ports,src,sys,xenocara}.tar.gz}
signify -C -p /etc/signify/openbsd-${REL}-base.pub -x SHA256.sig *tar.gz
sha256 -C SHA256 *tar.gz

cd /usr/src
for p in src sys ports xenocara; do ls -lh ~/${p}.tar.gz && tar -xzf ~/${p}.tar.gz; done
mv ports xenocara ../

CVS

Use CVS to check out the sources from a nearby mirror:[16]

REL=$(uname -r | tr . _)                                                      # Make the release name match the CVS tag
CVSROOT=anoncvs@anoncvs3.usa.openbsd.org:/cvs                                 # Use a nearby mirror!

cd /usr
cvs -qd $CVSROOT get -rOPENBSD_${REL} -P src                                  # ~?? minutes
cvs -qd $CVSROOT get -rOPENBSD_${REL} -P ports                                # ~?? minutes
cvs -qd $CVSROOT get -rOPENBSD_${REL} -P xenocara                             # ~?? minutes

If the tree has already been checked out (via CVS or via tarball), use the following to update the local copies:

cd /usr/src
cvs -qd $CVSROOT up  -rOPENBSD_${REL}                                         #  ~7 minutes

cd /usr/ports
cvs -qd $CVSROOT up  -rOPENBSD_${REL}                                         # ~15 minutes

cd /usr/xenocara
cvs -qd $CVSROOT up  -rOPENBSD_${REL}                                         # ~15 minutes

Git

There's also a Git repository, mirroring OpenBSD's official CVS trees:

git clone https://github.com/openbsd/src.git /usr/src
cd /usr/src
git checkout OPENBSD_6_0-RELEASE

git clone https://github.com/openbsd/ports.git /usr/ports
cd /usr/ports
git checkout OPENBSD_6_0-RELEASE

Note: the checkout isn't working yet as the branches are missing from the git mirrors :(

ccache

If ccache is installed, we can use that too:

export CC="ccache cc" CXX="ccache c++" CCACHE_DIR=/mnt/ccache                 # May not work for all build steps!

Kernel

Now that our sources have been updated, let's start by rebuilding the kernel:[17]

cd /sys/arch/$(machine)/compile/GENERIC.MP                                    # Use GENERIC for uniprocessor systems
doas make obj && doas make config
doas make -j$(sysctl -n hw.ncpu)

We can also build a custom[18] kernel:

cd /sys/arch/$(machine)/conf
doas cp GENERIC.MP CUSTOM

Edit CUSTOM, then:

doas config CUSTOM
cd ../compile/CUSTOM
doas make -j$(sysctl -n hw.ncpu)

Let's see what we have built:

$ ls -lhtrd /usr/obj/sys/arch/$(machine)/compile/*/bsd /{o,}bsd
-rwx------  1 root   wheel  24.2M Sep 19 22:40 /obsd
-rwxrwx---  1 dummy  wobj   24.2M Sep 19 23:58 /usr/obj/sys/arch/amd64/compile/GENERIC.MP/bsd
-rwx------  1 root   wheel  24.2M Sep 20 00:06 /bsd

$ sysctl -n kern.version
OpenBSD 6.1 (GENERIC) #4: Sat Apr  1 16:06:17 MDT 2017
    deraadt@macppc.openbsd.org:/usr/src/sys/arch/macppc/compile/GENERIC

$ echo exit | config -o /dev/null -e /usr/obj/sys/arch/$(machine)/compile/*/bsd
OpenBSD 6.1-stable (GENERIC) #0: Wed Jun 28 18:47:32 PDT 2017
    dummy@alice.example.net:/usr/src/sys/arch/macppc/compile/GENERIC
Enter 'help' for information
ukc> exit

Install the new kernel (the current kernel will be copied to /obsd) and reboot:

doas make install
doas reboot

Userland

With the new kernel running, we'll rebuild the userland:[19]

doas rm -rf /usr/obj/*                                                        # Only needed on the first build
cd /usr/src 
doas make obj
doas make -j$(sysctl -n hw.ncpu) build

Note: we need to build as root, but privileges will be dropped to the user build whenever possible.[19]

Update /etc, /var and /dev:

doas sysmerge 
cd /dev && doas ./MAKEDEV all

Now that everything has been rebuilt, we can reboot:

doas shutdown -r now

Xenocara

Technically, xenocara is userland too, but we shall build it independently:

cd /usr/xenocara 
doas make bootstrap 
doas make obj
doas make -j$(sysctl -n hw.ncpu) build

Release

To build a full release, a few prerequisites must be prepared.[20] Because these builds take up a lot of disk space we'll usually add a second disk to /mnt and create symlinks from there. However, for a release build this is not possible:

> To build a release, it is necessary to prepare a filesystem mounted with the noperm mount(8) option.
> The root of this filesystem must have owner build and mode 700.
> Warning: DESTDIR and RELEASEDIR must not refer to any directory with /mnt in its path, as /mnt is used 
> in the release generation process. The vnd(4) device vnd0 is also used and must not be configured.

So, with all that in mind, let's prepare our environment:

doas mkdir /release
doas mount -t ffs -o noperm /dev/sd4a /release                                # Adjust as needed
doas chmod 0700 /release && doas chown build /release
doas mkdir /release/{dest,release}

Start the build:

export DESTDIR=/release/dest RELEASEDIR=/release/release

cd /usr/src/etc && doas make -j$(sysctl -n hw.ncpu) release
cd /usr/src/distrib/sets && doas sh checkflist

Once everything is built, RELEASEDIR should contain the new release:

$ doas du -sh ${RELEASEDIR} ${DESTDIR}
519M    /release/release
948M    /release/dest

Ports

Binary

With installurl set during installation, setting PKG_PATH[21] to a nearby mirror[14] may be omitted:

export PKG_PATH=https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(machine)/

Install a package:

doas pkg_add -r rsync                                                         # -r Replace existing packages

Update all installed packages:

doas pkg_add -Uuv                                                             # -U Update dependencies
                                                                              # -u Update all installed packages
                                                                              # -v Verbose

Source

According to the FAQ[22], binary packages for -release and -stable are not updated and we have to manually pull for updates. Either update the whole tree or update only specific packages and reinstall the package:

cd /usr/ports/games/cowsay
cvs -d anoncvs@anoncvs.ca.openbsd.org:/cvs up  -rOPENBSD_6_1
rm -rf /usr/ports/pobj/*                                                      # Once in a while stale objects can be cleared up.

make
doas make reinstall

Upgrade

Upgrading from one release to another is described in the OpenBSD Upgrade Guide (pick your correct upgrade path!) and is only supported from one release to the release immediately following it - skipping releases is not supported.

Install media

This is the recommended method for system upgrades. Boot from the install media, then choose Upgrade, not Install. You can also fetch the distribution sets and upgrade as described in the Installation Guide.

One could also boot the new installation kernel from disk:

$ uname -r
6.0

$ ftp https://ftp.openbsd.org/pub/OpenBSD/6.1/$(machine)/{bsd.rd,SHA256.sig}
$ signify -C -p /etc/signify/openbsd-61-base.pub -x SHA256.sig bsd.rd              # Verify[23] the signature
Signature Verified
bsd.rd: OK

$ sha256 -C SHA256.sig bsd.rd
(SHA256) bsd.rd: OK

Install to the root disk:

doas mv bsd.rd /bsd.rd

Reboot, then boot with:

> boot /bsd.rd

...and choose Upgrade. Select http to upgrade over the network, and be sure to choose a nearby mirror server[14] that holds the desired target release.

After the sets have been selected and installed, the machine should be rebooted and sysmerge(8) should be run to update the configuration:

$ doas sysmerge
[...]
===> Output log available at /var/tmp/sysmerge.tmp/sysmerge.log

$ doas cat /var/tmp/sysmerge.tmp/sysmerge.log  
===> Automatically installed file(s)
/etc/ppp/options.sample
/etc/ppp/chatscript.sample
/etc/rpc

===> Manually merged/installed file(s)
/etc/nginx/mime.types
/etc/rc.d/rc.subr
/etc/rc.d/httpd
/etc/rc.d/nsd
/etc/rc.d/spamd
/etc/rc.d/syslogd
/etc/netstart
/etc/protocols
/etc/rc
/etc/services
/etc/sysctl.conf

===> Backup of replaced file(s) can be found under
/var/tmp/sysmerge.tmp/backups

Reboot once again and see if the system comes up again :-)

In-place upgrade

While not recommended, the system can also be upgraded to a newer release without booting into a newer kernel first.[24]

$ uname -r
5.7

Adjust as needed and choose a nearby mirror:[14]

REL=5.8 VER=58
ftp https://cdn.openbsd.org/pub/OpenBSD/${REL}/$(machine)/{SHA256.sig,bsd.mp,bsd.rd,base${VER}.tgz,comp${VER}.tgz,man${VER}.tgz}

If X11 is installed, fetch {xshare,xserv,xfont,xbase}${VER}.tgz as well!

Verify[23] the packages:

$ signify -C -p /etc/signify/openbsd-${VER}-base.pub -x SHA256.sig bsd* *.tgz
Signature Verified
base58.tgz: OK
bsd.mp: OK
bsd.rd: OK
comp58.tgz: OK
man58.tgz: OK

Install the kernel:

doas mv /bsd /obsd && doas mv bsd.mp /bsd && doas mv bsd.rd /
doas chown root:wheel /bsd /bsd.rd

Save the reboot binary:

doas cp -p /sbin/reboot /sbin/oreboot

Install the distribution sets:

doas tar -C / -vxzphf comp*.tgz                                   # -h follow symbolic links; -p preserve ownership & permissions
doas tar -C / -vxzphf man*.tgz
doas tar -C / -vxzphf base*.tgz                                   # Extract last!

Reboot the system, possibly engaging /sbin/oreboot at that point. After the reboot, finish the installation with:

cd /dev && doas ./MAKEDEV all
doas installboot -v wd0                                       # Or sd0 or whatever the boot disk is called.

We still have to run sysmerge(8) to update the system's configuration:

script ~/upgrade.log
doas sysmerge
[...]

If the kernel relinking failed (see /usr/share/relink/kernel/GENERIC.MP/relink.log), we can generate a checksum, and relinking (KARL)[25] may succeed on the next reboot:

doas sha256 -h /var/db/kernel.SHA256 /bsd

Reboot once more and see if the system comes up again :-)
