Installing OpenBSD 7.8
This guide is VirtualBox-centric, but most everything will translate to your hypervisor or bare metal of choice.
Materials#
Installation ISO:
- cd78.iso - you will download packages from network
- install78.iso - self-contained
Hypervisor#
Create a new VM with the required CPU, RAM, and storage specs, and mount the ISO to boot from it and begin installation.
VirtualBox-specific notes:
- Network: If using wifi on host, use NAT mode for the NIC; bridge mode performance tanks (does not apply if host is wired).
- Storage: make “IDE” type PIIX4, attach ISO there, make “AHCI” type AHCI, enable host IO cache, and attach VDI there.
- VDI: Can tick Solid-state drive.
- Don’t be tempted by UEFI mode, you will have boot issues.
- Don’t be tempted by NVMe mode, disk will deadlock during install; AHCI is faster in Vbox anyway!
Installation#
network#
Follow the installer's instructions to set autoconf (DHCP) or static IP addressing, gateway, DNS, etc. The post-install tasks in this doc give instructions to convert a DHCP config to a static config.
ssh#
You may wish to enable SSH login for root with password and then disable it later.
disk partition table#
MBR vs GPT; choose GPT
disk partitions#
If you accept the (A)uto layout option, note that BSD will create multiple partitions and mountpoints. For small disks <25GB, you may hit a bottleneck on /usr when attempting to sysupgrade. A good way to avoid this bottleneck is to use the (C)ustom layout and simply create one large / root partition. Otherwise, it’s possible to install a more minimal package set, both initially and at sysupgrade.
custom layout#
(C) to get into disklabel, “p” prints the layout - check what’s there first. If you only see this:
c: - it is a special autogenerated disklabel representing the entire OpenBSD slice; not a real partition.
i: - MSDOS - this is GPT stuff
Great! Move to create partitions step.
Else, delete every disklabel partition except c and i with “d a”, “d b”, and so on. Use “p” to print the layout; you should now only see “c:” (if MBR) or “c: i:” (if GPT).
Now we add two partitions: b: for swap (1G), and a: for /, giving it the rest of the disk. The worked example below shows that disklabel automatically follows BSD conventions for filesystem type (b = swap, a = 4.2BSD) and automatically calculates the offsets.
Note: specify swap first, in units of GB (“1g”), so that / can fill the disk with the automatically suggested value (in sectors).
Note: specify a mount point of / for partition a.
Eg:
sd0*> a b <enter>
offset: [532544] <enter>
size: [33021855] 1g <enter>
FS type: [swap] <enter>
sd0*> a a <enter>
offset: [2634660] <enter>
size: [30919739] <enter>
FS type: [4.2BSD] <enter>
mount point: [none] / <enter>
Check the layout with “p”. Write to disk with “w”. Exit with “x”.
note on adding storage later#
Because of our order of operations here, root partition ‘a’ is at the end of the disk. This makes it really easy to grow the VM disk (provider does this), and then grow partition ‘a’ into the newly added free space.
NOTE: alternative is to create a new partition and mount point, or several partitions and mounts. I find this more difficult to right-size and no advantage vs single root / partition containing everything.
Current layout:
# disklabel sd0
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: Block Device
duid: e78daa37746fad39
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 3263
total sectors: 52428800
boundstart: 532544
boundend: 52428767
16 partitions:
# size offset fstype [fsize bsize cpg]
a: 49794048 2634688 4.2BSD 2048 16384 12960 # /
b: 2102116 532544 swap # none
c: 52428800 0 unused
i: 532480 64 MSDOS
If I upgraded the disk to 2x size, then to expand / I would use disklabel to modify the SIZE of partition ‘a’, whilst keeping the OFFSET the same.
So let’s say you shut down, the provider expands the disk, then you boot up again. You can’t use the new disk space until you modify the partition size with disklabel. So, reboot into single-user mode.
host# reboot
Now at the boot prompt do:
boot> boot -s
Now when it comes up, do:
dmesg | grep sd0 (or disk name)
Then:
disklabel <yourdisk>
Note the offset value just to be doubly-certain. Now edit the size, keeping same offset:
host# disklabel -E sd0
Do ’m a’ to modify partition a. It will guide you through the current values - hit enter to keep offset, and when size: [xxxxx] appears, type ‘* ’ to consume all remaining space.
sd0> m a
offset: [2634688] <enter>
size: [49794048] * <enter>
FS type: [4.2BSD] <enter>
sd0> p <enter> # print and verify
sd0> w <enter> # write if happy
sd0> x <enter> # x to exit
Now you have to grow the filesystem into the remaining space:
host# growfs /
Now you can check the inode output again; the used capacity of storage will have reduced, with available inodes remaining the same. Thanks to OpenBSD defaults on newfs, inode density is quite high.
$ df -i /
Filesystem 512-blocks Used Avail Capacity iused ifree %iused Mounted on
/dev/sd0a 48217980 3852320 41954764 9% 29321 3106997 1% /
Reboot back into normal multiuser mode:
host# reboot
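Before starting the grow procedure above, it is worth confirming that partition 'a' really is the last partition on the disk, since that is what lets its size grow while the offset stays fixed. The following is an added example, not part of the original post: it parses disklabel output and reports which partition ends last; the function names are hypothetical and the embedded label is an abridged copy of the output shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check before
# growing / with "disklabel -E" and growfs.

# Abridged copy of the "disklabel sd0" output shown above, embedded here
# as sample input so the script runs offline.
sample_label() {
cat <<'EOF'
boundstart: 532544
boundend: 52428767
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:         49794048          2634688  4.2BSD   2048 16384 12960 # /
  b:          2102116           532544    swap                    # none
  c:         52428800                0  unused
  i:           532480               64   MSDOS
EOF
}

# Reads disklabel output on stdin and prints, for the partition that ends
# last on the disk: "<letter> <fstype> <offset> <end> <sectors free after>".
# "c" is skipped: it represents the whole disk, not a real partition.
grow_candidate() {
    awk '
        $1 == "boundend:" { boundend = $2 }
        $1 ~ /^[a-p]:$/ && $1 != "c:" {
            end = $2 + $3                      # size + offset
            if (end > last_end) {
                last_end = end; letter = substr($1, 1, 1)
                fstype = $4; offset = $3
            }
        }
        END { printf "%s %s %d %d %d\n", letter, fstype, offset, last_end, boundend - last_end }
    '
}

# Succeeds only if the last partition is an FFS "a", so that "m a" with
# size "*" can extend it without moving the offset or hitting a neighbour.
root_is_last() {
    set -- $(grow_candidate)
    [ "$1" = "a" ] && [ "$2" = "4.2BSD" ]
}

# On a real system (as root):  disklabel sd0 | grow_candidate
if sample_label | root_is_last; then
    echo "a is last: keep its offset, grow the size"
else
    echo "a is not the last partition: growing in place is not possible"
fi
```

The third field of the `grow_candidate` output is the offset to keep unchanged when disklabel prompts for it during `m a`.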
sets location#
If using http, enter “?” to choose from the list; it is recommended to always choose cdn.openbsd.org.
set name(s) / installation choices#
You can combine this with choosing a more minimal installation, i.e. skip X, and game sets, leaving the barebones set; do:
-all <enter>
bsd* base* comp* man* <enter>
done <enter>
You can always install X later; but if you make it part of the base installation it is less clean to remove later.
disk encryption#
NB: The full disk encryption option can only be unlocked with a key disk or password. On VPS provider hosts, this means that after every reboot you need to have the key disk mounted for autodecrypt, or else use their remote console to enter the password, so the console may be required to complete the boot sequence.
NB: Dropbear-style SSH login to enter the decryption password is NOT supported in OpenBSD. Though you could shoehorn this in, it goes against OpenBSD design philosophy.
Post-installation tasks#
Reboot machine, and login as root.
sysupgrade#
Optional: run sysupgrade, eg: you might be upgrading release from 7.7 to 7.8, 7.8 to 7.9, whatever may apply. The system will reboot, then you will login again.
syspatch#
Best practice: Run syspatch, eg: to check for and install any patch updates for the current running release.
Right after boot, syspatch may not run; this is normal due to KARL kernel randomisation step; just try again after a minute.
eg:
syspatch
syspatch: cannot apply patches while reorder_kernel is running
7.8 bug#
If you used a single / partition, it will fail with “syspatch: Read-only filesystem, aborting”. The fix for that is to instead do:
sed -e 's/.checkfs/#checkfs/g' /usr/sbin/syspatch > /root/syspatch
ksh /root/syspatch
syspatch # re-run new syspatch command as instructed
rm /root/syspatch
dev_mkdb
Now syspatch will work properly going forward.
reboot to the new kernel#
reboot
login and update regular packages#
pkg_add -u
install your packages#
Examples, not recommendations:
pkg_add nano
pkg_add iperf3
pkg_add btop
pkg_add bash
user#
If you did not add a regular user earlier, do it now.
adduser
Append this to ~/.profile; eg: get btop to work etc:
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
Load it:
. ~/.profile
Grant user “doas” permissions (similar to sudo):
usermod -G wheel <youruser>
# nano /etc/doas.conf
permit persist :wheel
# fix permissions
chmod 600 /etc/doas.conf
Test it:
su - <youruser>
doas whoami <-- prompts for password
<enter password>
doas whoami <-- following commands just run, until timeout for reauth; approx 5mins
If you want to become root for a longer session, without the timeout, just do (akin to sudo su):
doas -s
If you want to enforce password every time, remove the ‘persist’ keyword in doas.conf:
permit :wheel
# if you want to permit just a named user, in doas.conf choose one:
permit <username>
permit persist <username>
Congratulations on your new system.
Check my other posts on how to set up sshd, pf firewall, sshguard, httpd, disable unnecessary services, etc.