openbsd-autoinstall.md - www.codemadness.org - www.codemadness.org saait content files
openbsd-autoinstall.md (9010B)
---
1 This guide describes how to set up a local mirror and installation/upgrade
2 server that requires little or no interactive input.
3
4
5 ## Set up a local HTTP mirror
6
7 The HTTP mirror will be used to fetch the base sets and (optional) custom sets.
8 In this guide we will assume **192.168.0.2** is the local installation server
9 and mirror, the CPU architecture is amd64 and the OpenBSD release version is
10 6.5. We will store the files in the directory with the structure:
11
12 http://192.168.0.2/pub/OpenBSD/6.5/amd64/
13
14 Create the directory served by the web server and fetch all sets and install
15 files (to save space, *.iso and install65.fs can be skipped):
16
17 $ cd /var/www/htdocs
18 $ mkdir -p pub/OpenBSD/6.5/amd64/
19 $ cd pub/OpenBSD/6.5/amd64/
20 $ ftp 'ftp://ftp.nluug.nl/pub/OpenBSD/6.5/amd64/*'
21
22 Verify the signature and check the checksums (the files were fetched over plain FTP, so this is the step that authenticates them):
23
24 $ signify -C -p /etc/signify/openbsd-65-base.pub -x SHA256.sig
25
26 Set up [httpd(8)](https://man.openbsd.org/httpd.8) for simple file serving:
27
28 # $FAVORITE_EDITOR /etc/httpd.conf
29
30 A minimal example config for [httpd.conf(5)](https://man.openbsd.org/httpd.conf.5):
31
32 server "*" {
33 listen on * port 80
34 }
35
36 The default www root directory is: /var/www/htdocs/
37
38 Enable the httpd daemon to start by default and start it now:
39
40 # rcctl enable httpd
41 # rcctl start httpd
42
43 ## Creating an installation response/answer file
44
45 The installer supports loading responses to the installation/upgrade questions
46 from a simple text file. We can do a regular installation and copy the answers
47 from the saved file to make an automated version of it.
48
49 Do a test installation. At the end of the installation or upgrade, when asked
50 the question:
51
52 Exit to (S)hell, (H)alt or (R)eboot?
53
54 Type S to go to the shell. Find the response file for an installation and copy
55 it to some USB stick or write down the response answers:
56
57 cp /tmp/i/install.resp /mnt/usbstick/
58
59 A response file could be for example:
60
61 System hostname = testvm
62 Which network interface do you wish to configure = em0
63 IPv4 address for em0 = dhcp
64 IPv6 address for em0 = none
65 Which network interface do you wish to configure = done
66 Password for root account = $2b$10$IqI43aXjgD55Q3nLbRakRO/UAG6SAClL9pyk0vIUpHZSAcLx8fWk.
67 Password for user testuser = $2b$10$IqI43aXjgD55Q3nLbRakRO/UAG6SAClL9pyk0vIUpHZSAcLx8fWk.
68 Start sshd(8) by default = no
69 Do you expect to run the X Window System = no
70 Setup a user = testuser
71 Full name for user testuser = testuser
72 What timezone are you in = Europe/Amsterdam
73 Which disk is the root disk = wd0
74 Use (W)hole disk MBR, whole disk (G)PT, (O)penBSD area or (E)dit = OpenBSD
75 Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout = a
76 Location of sets = http
77 HTTP proxy URL = none
78 HTTP Server = 192.168.0.2
79 Server directory = pub/OpenBSD/6.5/amd64
80 Unable to connect using https. Use http instead = yes
81 Location of sets = http
82 Set name(s) = done
83 Location of sets = done
84 Exit to (S)hell, (H)alt or (R)eboot = R
85
86 Generate a custom encrypted password for the response file:
87
88 $ printf '%s' 'yourpassword' | encrypt
89
90
91 ## Changing the RAMDISK kernel disk image
92
93 [rdsetroot(8)](https://man.openbsd.org/rdsetroot.8) is available in base since 6.5. Before 6.5 it is
94 available in the /usr/src/ tree as elfrdsetroot, see also the [rd(4)](https://man.openbsd.org/rd.4) man page.
95
96 $ mkdir auto
97 $ cd auto
98 $ cp pubdir/bsd.rd .
99 $ rdsetroot -x bsd.rd disk.fs
100 # vnconfig vnd0 disk.fs
101 # mkdir mount
102 # mount /dev/vnd0a mount
103
104 Copy the response file (install.resp) to: mount/auto\_install.conf
105 (installation) **or** mount/auto_upgrade.conf (upgrade), but not both. In this
106 guide we will do an auto-installation.
107
108 Unmount, detach and patch RAMDISK:
109
110 # umount mount
111 # vnconfig -u vnd0
112 $ rdsetroot bsd.rd disk.fs
113
114 To test, copy bsd.rd to the root of a test machine, for example as
115 /bsd.test.rd, then (re)boot and type:
116
117 boot /bsd.test.rd
118
119 In the future (6.5+) it will be possible to copy to a file named "/bsd.upgrade"
120 in the root of a current system and automatically load the kernel:
121 [See the script bsd.upgrade in CVS.](https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/stand/boot/boot.c?rev=1.46&content-type=text/x-cvsweb-markup)
122 Of course this is possible with PXE boot or some custom USB/ISO also.
123 As explained in the [autoinstall(8)](https://man.openbsd.org/autoinstall.8) man page: create either an
124 auto_upgrade.conf **or** an auto\_install.conf, but not both.
125
126
127 ## Create bootable miniroot
128
129 In this example the miniroot will boot the custom kernel, but fetch all the
130 sets from the local network.
131
132 We will base our miniroot on the official version: miniroot65.fs.
133
134 We will create a 16MB miniroot to boot from (in this guide it is assumed the
135 original miniroot is about 4MB and the modified kernel image fits in the newly
136 allocated space):
137
138 $ dd if=/dev/zero of=new.fs bs=512 count=32768
139
140 Copy first part of the original image to the new disk (no truncation):
141
142 $ dd conv=notrunc if=miniroot65.fs of=new.fs
143 # vnconfig vnd0 new.fs
144
145 Expand disk OpenBSD boundaries:
146
147 # disklabel -E vnd0
148 > b
149 Starting sector: [1024]
150 Size ('*' for entire disk): [8576] *
151 > r
152 Total free sectors: 1168.
153 > c a
154 Partition a is currently 8576 sectors in size, and can have a maximum
155 size of 9744 sectors.
156 size: [8576] *
157 > w
158 > q
159
160 or:
161
162 # printf 'b\n\n*\nc a\n*\nw\n' | disklabel -E vnd0
163
164 Grow the filesystem, then check it and mark it as clean:
165
166 # growfs -y /dev/vnd0a
167 # fsck -y /dev/vnd0a
168
169 Mount filesystem:
170
171 # mount /dev/vnd0a mount/
172
173 The kernel on the miniroot is GZIP compressed. Compress our modified bsd.rd and
174 overwrite the original kernel:
175
176 # gzip -c9n bsd.rd > mount/bsd
177
178 Or, to save space (+- 500KB), strip the debug symbols first. These steps are taken from the bsd.gz target
179 [in this Makefile](https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/amd64/iso/Makefile).
180
181 $ cp bsd.rd bsd.strip
182 $ strip bsd.strip
183 $ strip -R .comment -R .SUNW_ctf bsd.strip
184 $ gzip -c9n bsd.strip > bsd.gz
185 $ cp bsd.gz mount/bsd
186
187 Now unmount and detach:
188
189 # umount mount/
190 # vnconfig -u vnd0
191
192 Now you can [dd(1)](https://man.openbsd.org/dd.1) the image new.fs to your bootable (USB) medium.
193
194
195 ## Adding custom sets (optional)
196
197 For patching [/etc/rc.firsttime](https://man.openbsd.org/rc.firsttime.8) and other system files it is useful to use a
198 customized installation set like siteVERSION.tgz, for example: site65.tgz. The
199 sets can even be specified per host/MAC address like
200 siteVERSION-$(hostname -s).tgz so for example: site65-testvm.tgz
201
202 When the installer checks the base sets of the mirror it looks for a file
203 index.txt. To add custom sets the site entries have to be added.
204
205 For example:
206
207 -rw-r--r-- 1 1001 0 4538975 Oct 11 13:58:26 2018 site65-testvm.tgz
208
209 The filesize, permissions etc do not matter and are not checked by the
210 installer. Only the filename is matched by a regular expression.
211
212
213 ## Sign custom site* tarball sets (optional)
214
215 If you use custom sets without creating a signed custom release, the installer
216 will prompt with the messages:
217
218 checksum test failed
219
220 and:
221
222 unverified sets: continue without verification
223
224 OpenBSD uses the program [signify(1)](https://man.openbsd.org/signify.1) to cryptographically sign and
225 verify filesets.
226
227 To create a custom public/private keypair (of course make sure to store the
228 private key privately):
229
230 $ signify -G -n -c "Custom 6.5 install" -p custom-65-base.pub -s custom-65-base.sec
231
232 Create new checksum file with filelist of the current directory (except SHA256*
233 files):
234
235 $ printf '%s\n' * | grep -v SHA256 | xargs sha256 > SHA256
236
237 Sign SHA256 and store as SHA256.sig, embed signature:
238
239 $ signify -S -e -s /privatedir/custom-65-base.sec -m SHA256 -x SHA256.sig
240
241 Verify that the created signature and data are correct:
242
243 $ signify -C -p /somelocation/custom-65-base.pub -x SHA256.sig
244
245 Copy **only** the **public** key to the RAMDISK:
246
247 $ cp custom-65-base.pub mount/etc/signify/custom-65-base.pub
248
249 Now we have to patch the install.sub file to check our public key. If you know
250 a better way without having to patch this script, please let me know.
251
252 Change the variable PUB_KEY in the shellscript mount/install.sub from:
253
254 PUB_KEY=/etc/signify/openbsd-${VERSION}-base.pub
255
256 To:
257
258 PUB_KEY=/etc/signify/custom-${VERSION}-base.pub
259
260 And for upgrades from:
261
262 $UPGRADE_BSDRD &&
263 PUB_KEY=/mnt/etc/signify/openbsd-$((VERSION + 1))-base.pub
264
265 To:
266
267 $UPGRADE_BSDRD &&
268 PUB_KEY=/mnt/etc/signify/custom-$((VERSION + 1))-base.pub
269
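With PUB_KEY pointing at the custom key, the re-signed SHA256 file has to list every set the installer is offered, base sets included. The following added example (not from the original guide or from OpenBSD) appends missing site*.tgz lines to index.txt and reports sets that have no entry in SHA256; the function names are hypothetical and it assumes the `SHA256 (name) = hash` format written by sha256.

```shell
#!/bin/sh
# Added example: keep index.txt and the re-signed SHA256 file consistent
# in a mirror directory. Function names are hypothetical.

# Append an index.txt line for each site*.tgz that is not listed yet.
# Only the filename matters to the installer, so match on the last field.
add_site_entries() {
    ( cd "$1" || exit 1
      touch index.txt
      for f in site*.tgz; do
          [ -f "$f" ] || continue
          awk -v f="$f" '$NF == f { hit = 1 } END { exit !hit }' index.txt ||
              ls -l "$f" >> index.txt
      done )
}

# Print every kernel or *.tgz set listed in index.txt that has no
# "SHA256 (name) = ..." line. Returns 1 if any set is uncovered.
uncovered_sets() {
    ( cd "$1" || exit 1
      awk '
          FILENAME == "SHA256" {
              if ($1 == "SHA256") { n = $2; gsub(/[()]/, "", n); have[n] = 1 }
              next
          }
          $NF ~ /^bsd(\.mp|\.rd)?$|\.tgz$/ && !($NF in have) { print $NF; bad = 1 }
          END { exit bad }
      ' SHA256 index.txt )
}
```

Run `add_site_entries` and then `uncovered_sets` on the mirror directory (here pub/OpenBSD/6.5/amd64 under /var/www/htdocs) before signing; any name printed needs its checksum added to SHA256 and the file signed again.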
270
271 ## Ideas
272
273 * Patch [rc.firsttime(8)](https://man.openbsd.org/rc.firsttime.8) and run syspatch, add ports, set up xenodm etc.
274 * Custom partitioning scheme, see [autoinstall(8)](https://man.openbsd.org/autoinstall.8) "URL to autopartitioning
275 template for disklabel = url".
276 * Set up [pxeboot(8)](https://man.openbsd.org/pxeboot.8) to boot and install over the network using
277 [dhcpd(8)](https://man.openbsd.org/dhcpd.8) and
278 [tftpd(8)](https://man.openbsd.org/tftpd.8), so that not even a USB stick is required.
279
280
281 ## References
282
283 * Main OpenBSD installation and upgrade shellscript:
284 [/usr/src/distrib/miniroot/install.sub](https://cvsweb.openbsd.org/src/distrib/miniroot/install.sub)