openbsd-autoinstall.html - www.codemadness.org - www.codemadness.org saait content files
openbsd-autoinstall.html (12273B)
---
1 <!DOCTYPE html>
2 <html dir="ltr" lang="en">
3 <head>
4 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
5 <meta http-equiv="Content-Language" content="en" />
6 <meta name="viewport" content="width=device-width" />
7 <meta name="keywords" content="openbsd, autoinstall, autoupgrade" />
8 <meta name="description" content="OpenBSD: setup a local auto-installation server" />
9 <meta name="author" content="Hiltjo" />
10 <meta name="generator" content="Static content generated using saait: https://codemadness.org/saait.html" />
11 <title>OpenBSD: setup a local auto-installation server - Codemadness</title>
12 <link rel="stylesheet" href="style.css" type="text/css" media="screen" />
13 <link rel="stylesheet" href="print.css" type="text/css" media="print" />
14 <link rel="alternate" href="atom.xml" type="application/atom+xml" title="Codemadness Atom Feed" />
15 <link rel="alternate" href="atom_content.xml" type="application/atom+xml" title="Codemadness Atom Feed with content" />
16 <link rel="icon" href="/favicon.png" type="image/png" />
17 </head>
18 <body>
19 <nav id="menuwrap">
20 <table id="menu" width="100%" border="0">
21 <tr>
22 <td id="links" align="left">
23 <a href="index.html">Blog</a> |
24 <a href="/git/" title="Git repository with some of my projects">Git</a> |
25 <a href="/releases/">Releases</a> |
26 <a href="gopher://codemadness.org">Gopherhole</a>
27 </td>
28 <td id="links-contact" align="right">
29 <span class="hidden"> | </span>
30 <a href="feeds.html">Feeds</a> |
31 <a href="pgp.asc">PGP</a> |
32 <a href="mailto:hiltjo@AT@codemadness.DOT.org">Mail</a>
33 </td>
34 </tr>
35 </table>
36 </nav>
37 <hr class="hidden" />
38 <main id="mainwrap">
39 <div id="main">
40 <article>
41 <header>
42 <h1>OpenBSD: setup a local auto-installation server</h1>
43 <p>
44 <strong>Last modification on </strong> <time>2020-04-30</time>
45 </p>
46 </header>
47
48 <p>This guide describes how to set up a local mirror and installation/upgrade
49 server that requires little or no interactive input.</p>
50 <h2>Setup a local HTTP mirror</h2>
51 <p>The HTTP mirror will be used to fetch the base sets and (optional) custom sets.
52 In this guide we will assume <strong>192.168.0.2</strong> is the local installation server
53 and mirror, the CPU architecture is amd64 and the OpenBSD release version is
54 6.5. We will store the files in the directory with the structure:</p>
55 <pre><code>http://192.168.0.2/pub/OpenBSD/6.5/amd64/
56 </code></pre>
57 <p>Create the directory to serve from and fetch all sets and install files
58 (to save space, *.iso and install65.fs can be skipped):</p>
59 <pre><code>$ cd /var/www/htdocs
60 $ mkdir -p pub/OpenBSD/6.5/amd64/
61 $ cd pub/OpenBSD/6.5/amd64/
62 $ ftp 'ftp://ftp.nluug.nl/pub/OpenBSD/6.5/amd64/*'
63 </code></pre>
64 <p>Verify the signature and check the checksums:</p>
65 <pre><code>$ signify -C -p /etc/signify/openbsd-65-base.pub -x SHA256.sig
66 </code></pre>
67 <p>Set up <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> for simple file serving:</p>
68 <pre><code># $FAVORITE_EDITOR /etc/httpd.conf
69 </code></pre>
70 <p>A minimal example config for <a href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a>:</p>
71 <pre><code>server "*" {
72 listen on * port 80
73 }
74 </code></pre>
75 <p>The default www root directory is: /var/www/htdocs/</p>
76 <p>Enable the httpd daemon to start by default and start it now:</p>
77 <pre><code># rcctl enable httpd
78 # rcctl start httpd
79 </code></pre>
80 <h2>Creating an installation response/answer file</h2>
81 <p>The installer supports loading responses to the installation/upgrade questions
82 from a simple text file. We can do a regular installation and copy the answers
83 from the saved file to make an automated version of it.</p>
84 <p>Do a test installation. At the end of the installation or upgrade, when asked
85 the question:</p>
86 <pre><code>Exit to (S)hell, (H)alt or (R)eboot?
87 </code></pre>
88 <p>Type S to go to the shell. Find the response file for the installation and copy
89 it to a USB stick, or write down the answers:</p>
90 <pre><code>cp /tmp/i/install.resp /mnt/usbstick/
91 </code></pre>
92 <p>A response file could be for example:</p>
93 <pre><code>System hostname = testvm
94 Which network interface do you wish to configure = em0
95 IPv4 address for em0 = dhcp
96 IPv6 address for em0 = none
97 Which network interface do you wish to configure = done
98 Password for root account = $2b$10$IqI43aXjgD55Q3nLbRakRO/UAG6SAClL9pyk0vIUpHZSAcLx8fWk.
99 Password for user testuser = $2b$10$IqI43aXjgD55Q3nLbRakRO/UAG6SAClL9pyk0vIUpHZSAcLx8fWk.
100 Start sshd(8) by default = no
101 Do you expect to run the X Window System = no
102 Setup a user = testuser
103 Full name for user testuser = testuser
104 What timezone are you in = Europe/Amsterdam
105 Which disk is the root disk = wd0
106 Use (W)hole disk MBR, whole disk (G)PT, (O)penBSD area or (E)dit = OpenBSD
107 Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout = a
108 Location of sets = http
109 HTTP proxy URL = none
110 HTTP Server = 192.168.0.2
111 Server directory = pub/OpenBSD/6.5/amd64
112 Unable to connect using https. Use http instead = yes
113 Location of sets = http
114 Set name(s) = done
115 Location of sets = done
116 Exit to (S)hell, (H)alt or (R)eboot = R
117 </code></pre>
118 <p>Generate an encrypted password for the response file:</p>
119 <pre><code>$ printf '%s' 'yourpassword' | encrypt
120 </code></pre>
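<p>Added example, not part of the original guide or of the OpenBSD installer: a check to run over a response file before it is copied into the RAMDISK, reporting password answers that are not bcrypt hashes as produced by encrypt. The function names, the finding labels, the minimum cost of 10 and the sample file are assumptions made for illustration.</p>

```sh
#!/bin/sh
# Added example, not part of the original guide or of OpenBSD's installer.
# lint_resp FILE [MINCOST] prints one finding per "Password for ..." line whose
# answer is not a 60-character bcrypt hash, or whose bcrypt cost is below
# MINCOST (assumed policy default: 10). Answers themselves are never printed.
lint_resp() {
	awk -v min="${2:-10}" '
	/^Password for / {
		i = index($0, " = ")
		if (i == 0) next
		q = substr($0, 1, i - 1)
		a = substr($0, i + 3)
		if (length(a) != 60 || a !~ "^\\$2[aby]\\$[0-9][0-9]\\$[./A-Za-z0-9]+$") {
			print "NOT-BCRYPT " q; bad = 1
		} else if (substr(a, 5, 2) + 0 < min + 0) {
			print "WEAKCOST " q; bad = 1
		}
	}
	END { exit bad + 0 }' "$1"
}

# Constructed sample: root uses the hash from the response file shown above,
# the user line carries a plaintext value.
demo_resp() {
	f=$(mktemp) || return 2
	printf '%s\n' \
		'System hostname = testvm' \
		'Password for root account = $2b$10$IqI43aXjgD55Q3nLbRakRO/UAG6SAClL9pyk0vIUpHZSAcLx8fWk.' \
		'Password for user testuser = yourpassword' \
		'Setup a user = testuser' > "$f"
	lint_resp "$f" "${1:-10}" && rc=0 || rc=$?
	rm -f "$f"
	return "$rc"
}

if [ "$#" -gt 0 ]; then lint_resp "$@"; fi
```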
121 <h2>Changing the RAMDISK kernel disk image</h2>
122 <p><a href="https://man.openbsd.org/rdsetroot.8">rdsetroot(8)</a> has been available in base since 6.5. Before 6.5 it is
123 available in the /usr/src/ tree as elfrdsetroot, see also the <a href="https://man.openbsd.org/rd.4">rd(4)</a> man page.</p>
124 <pre><code>$ mkdir auto
125 $ cd auto
126 $ cp pubdir/bsd.rd .
127 $ rdsetroot -x bsd.rd disk.fs
128 # vnconfig vnd0 disk.fs
129 # mkdir mount
130 # mount /dev/vnd0a mount
131 </code></pre>
132 <p>Copy the response file (install.resp) to: mount/auto_install.conf
133 (installation) <strong>or</strong> mount/auto_upgrade.conf (upgrade), but not both. In this
134 guide we will do an auto-installation.</p>
135 <p>Unmount, detach and patch RAMDISK:</p>
136 <pre><code># umount mount
137 # vnconfig -u vnd0
138 $ rdsetroot bsd.rd disk.fs
139 </code></pre>
140 <p>To test, copy bsd.rd to the root of a test machine, for example as
141 /bsd.test.rd, then (re)boot and type:</p>
142 <pre><code>boot /bsd.test.rd
143 </code></pre>
144 <p>In the future (6.5+) it will be possible to copy to a file named "/bsd.upgrade"
145 in the root of a current system and automatically load the kernel:
146 <a href="https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/stand/boot/boot.c?rev=1.46&content-type=text/x-cvsweb-markup">See the script bsd.upgrade in CVS.</a>
147 Of course this is possible with PXE boot or some custom USB/ISO also.
148 As explained in the <a href="https://man.openbsd.org/autoinstall.8">autoinstall(8)</a> man page: create either an
149 auto_upgrade.conf <strong>or</strong> an auto_install.conf, but not both.</p>
150 <h2>Create bootable miniroot</h2>
151 <p>In this example the miniroot will boot the custom kernel, but fetch all the
152 sets from the local network.</p>
153 <p>We will base our miniroot on the official version: miniroot65.fs.</p>
154 <p>We will create a 16MB miniroot to boot from (in this guide it is assumed the
155 original miniroot is about 4MB and the modified kernel image fits in the new
156 allocated space):</p>
157 <pre><code>$ dd if=/dev/zero of=new.fs bs=512 count=32768
158 </code></pre>
159 <p>Copy first part of the original image to the new disk (no truncation):</p>
160 <pre><code>$ dd conv=notrunc if=miniroot65.fs of=new.fs
161 # vnconfig vnd0 new.fs
162 </code></pre>
163 <p>Expand disk OpenBSD boundaries:</p>
164 <pre><code># disklabel -E vnd0
165 > b
166 Starting sector: [1024]
167 Size ('*' for entire disk): [8576] *
168 > r
169 Total free sectors: 1168.
170 > c a
171 Partition a is currently 8576 sectors in size, and can have a maximum
172 size of 9744 sectors.
173 size: [8576] *
174 > w
175 > q
176 </code></pre>
177 <p>or:</p>
178 <pre><code># printf 'b\n\n*\nc a\n*\nw\n' | disklabel -E vnd0
179 </code></pre>
180 <p>Grow the filesystem, check it and mark it as clean:</p>
181 <pre><code># growfs -y /dev/vnd0a
182 # fsck -y /dev/vnd0a
183 </code></pre>
184 <p>Mount filesystem:</p>
185 <pre><code># mount /dev/vnd0a mount/
186 </code></pre>
187 <p>The kernel on the miniroot is GZIP compressed. Compress our modified bsd.rd and
188 overwrite the original kernel:</p>
189 <pre><code># gzip -c9n bsd.rd > mount/bsd
190 </code></pre>
191 <p>Or, to save space (about 500KB), strip the debug symbols first, as taken from the bsd.gz target
192 <a href="https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/amd64/iso/Makefile">in this Makefile</a>:</p>
193 <pre><code>$ cp bsd.rd bsd.strip
194 $ strip bsd.strip
195 $ strip -R .comment -R .SUNW_ctf bsd.strip
196 $ gzip -c9n bsd.strip > bsd.gz
197 $ cp bsd.gz mount/bsd
198 </code></pre>
199 <p>Now unmount and detach:</p>
200 <pre><code># umount mount/
201 # vnconfig -u vnd0
202 </code></pre>
203 <p>Now you can <a href="https://man.openbsd.org/dd.1">dd(1)</a> the image new.fs to your bootable (USB) medium.</p>
204 <h2>Adding custom sets (optional)</h2>
205 <p>For patching <a href="https://man.openbsd.org/rc.firsttime.8">/etc/rc.firsttime</a> and other system files it is useful to use a
206 customized installation set like siteVERSION.tgz, for example: site65.tgz. The
207 sets can even be specified per host/MAC address like
208 siteVERSION-$(hostname -s).tgz so for example: site65-testvm.tgz</p>
209 <p>When the installer checks the base sets of the mirror it looks for a file
210 index.txt. To add custom sets the site entries have to be added.</p>
211 <p>For example:</p>
212 <pre><code>-rw-r--r-- 1 1001 0 4538975 Oct 11 13:58:26 2018 site65-testvm.tgz
213 </code></pre>
214 <p>The file size, permissions etc. do not matter and are not checked by the
215 installer. Only the filename is matched by a regular expression.</p>
216 <h2>Sign custom site* tarball sets (optional)</h2>
217 <p>If you have custom sets without creating a signed custom release you will be
218 prompted with the messages:</p>
219 <pre><code>checksum test failed
220 </code></pre>
221 <p>and:</p>
222 <pre><code>unverified sets: continue without verification
223 </code></pre>
224 <p>OpenBSD uses the program <a href="https://man.openbsd.org/signify.1">signify(1)</a> to cryptographically sign and
225 verify filesets.</p>
226 <p>To create a custom public/private keypair (of course make sure to store the
227 private key privately):</p>
228 <pre><code>$ signify -G -n -c "Custom 6.5 install" -p custom-65-base.pub -s custom-65-base.sec
229 </code></pre>
230 <p>Create a new checksum file covering the files in the current directory (except
231 SHA256* files):</p>
232 <pre><code>$ printf '%s\n' * | grep -v SHA256 | xargs sha256 > SHA256
233 </code></pre>
234 <p>Sign SHA256 and store as SHA256.sig, embed signature:</p>
235 <pre><code>$ signify -S -e -s /privatedir/custom-65-base.sec -m SHA256 -x SHA256.sig
236 </code></pre>
237 <p>Verify that the created signature and data are correct:</p>
238 <pre><code>$ signify -C -p /somelocation/custom-65-base.pub -x SHA256.sig
239 </code></pre>
240 <p>Copy <strong>only</strong> the <strong>public</strong> key to the RAMDISK:</p>
241 <pre><code>$ cp custom-65-base.pub mount/etc/signify/custom-65-base.pub
242 </code></pre>
243 <p>Now we have to patch the install.sub file to check our public key. If you know
244 a better way without having to patch this script, please let me know.</p>
245 <p>Change the variable PUB_KEY in the shell script mount/install.sub from:</p>
246 <pre><code>PUB_KEY=/etc/signify/openbsd-${VERSION}-base.pub
247 </code></pre>
248 <p>To:</p>
249 <pre><code>PUB_KEY=/etc/signify/custom-${VERSION}-base.pub
250 </code></pre>
251 <p>And for upgrades from:</p>
252 <pre><code>$UPGRADE_BSDRD &&
253 PUB_KEY=/mnt/etc/signify/openbsd-$((VERSION + 1))-base.pub
254 </code></pre>
255 <p>To:</p>
256 <pre><code>$UPGRADE_BSDRD &&
257 PUB_KEY=/mnt/etc/signify/custom-$((VERSION + 1))-base.pub
258 </code></pre>
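<p>Added example, not part of the original guide or of the OpenBSD installer: a consistency check for the mirror directory after custom sets are added and signed. signify -C only checks the files named in SHA256.sig, so this reports sets listed in index.txt that the signature does not cover, and *.tgz files on disk that index.txt omits. The function names, the finding labels and the sample mirror are constructed for illustration.</p>

```sh
#!/bin/sh
# Added example, not part of the original guide or of OpenBSD's installer.

# Set names the installer can see: last field of each ls -l style line.
index_names() { awk 'NF { print $NF }' "$1/index.txt" | grep '\.tgz$' | sort -u; }

# Names covered by the signature: "SHA256 (name) = hex" lines embedded in
# SHA256.sig by "signify -S -e".
signed_names() {
	sed -n 's/^SHA256 (\(.*\)) = [0-9a-f]\{64\}$/\1/p' "$1/SHA256.sig" | sort -u
}

# Print one finding per line; return 1 if anything is inconsistent.
check_sets() {
	dir=$1 rc=0
	for f in $(index_names "$dir"); do
		signed_names "$dir" | grep -qxF -- "$f" || { echo "UNSIGNED $f"; rc=1; }
		[ -f "$dir/$f" ] || { echo "MISSING $f"; rc=1; }
	done
	for p in "$dir"/*.tgz; do
		[ -e "$p" ] || continue
		index_names "$dir" | grep -qxF -- "${p##*/}" || { echo "UNLISTED ${p##*/}"; rc=1; }
	done
	return "$rc"
}

# Constructed sample mirror: site65.tgz was added after SHA256.sig was made,
# and site65-testvm.tgz was never added to index.txt.
demo() {
	d=$(mktemp -d) || return 2
	h=$(printf '%064d' 0)   # placeholder digest, not a real checksum
	touch "$d/base65.tgz" "$d/site65.tgz" "$d/site65-testvm.tgz"
	printf '%s\n' \
		'-rw-r--r-- 1 1001 0 1 Oct 11 13:58:26 2018 base65.tgz' \
		'-rw-r--r-- 1 1001 0 1 Oct 11 13:58:26 2018 site65.tgz' > "$d/index.txt"
	printf '%s\n' 'untrusted comment: constructed sample' 'AAAA' \
		"SHA256 (base65.tgz) = $h" "SHA256 (site65-testvm.tgz) = $h" > "$d/SHA256.sig"
	check_sets "$d" && rc=0 || rc=$?
	rm -rf "$d"
	return "$rc"
}

if [ "$#" -gt 0 ]; then check_sets "$1"; fi
```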
259 <h2>Ideas</h2>
260 <ul>
261 <li>Patch <a href="https://man.openbsd.org/rc.firsttime.8">rc.firsttime(8)</a> to run syspatch, add ports, set up xenodm etc.</li>
262 <li>Custom partitioning scheme, see <a href="https://man.openbsd.org/autoinstall.8">autoinstall(8)</a> "URL to autopartitioning
263 template for disklabel = url".</li>
264 <li>Set up <a href="https://man.openbsd.org/pxeboot.8">pxeboot(8)</a> to boot and install over the network using
265 <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a> and
266 <a href="https://man.openbsd.org/tftpd.8">tftpd(8)</a>, so that not even a USB stick is required.</li>
267 </ul>
268 <h2>References</h2>
269 <ul>
270 <li>Main OpenBSD installation and upgrade shellscript:
271 <a href="https://cvsweb.openbsd.org/src/distrib/miniroot/install.sub">/usr/src/distrib/miniroot/install.sub</a></li>
272 </ul>
273
274 </article>
275 </div>
276 </main>
277 </body>
278 </html>