A couple of months ago, I scored a pretty good deal on a server rental (hexa-core Xeon-D, 32G DDR4, two 250GB SSDs) for 22 pops each month. Ideal for tinkering and hacking with geographical redundancy, as this server is located in Paris. There were some challenges to overcome first and foremost.
Jailbreaking
After the provider has kicked the server online, the user is supposed to select the desired OS that is automatically installed. That list does not include OpenBSD. Even though the provider offers on-demand access to IPMI/BMC (and thus KVM over IP), there wasn't an option to mount a custom image, either locally or remotely. The same scenario goes for a number of cloud providers (like Hetzner and Gandi) and cloud platforms (like OpenStack).
Fortunately, this can be worked around by (what I call) jailbreaking the machine. The basic idea is simple: install one of the supported OSes, slap the ramdisk installer somewhere and make the machine boot to it. Bringing this into practice may seem a little daunting at first - but it is not that difficult.
You will first need to install an OS to the machine. Ever since the inception of systemd
it has been assimilating everything in such a way that the Borg envy. It has been consuming much more than just the init system - nowadays there is systemd-boot
too. For this to work, I recommend picking a Linux distro that uses GRUB. Debian 11 (or earlier) is a solid choice. Whether the distribution is EOL is irrelevant, as we put Linux to full utilization: a mere bootloader for the OpenBSD installer.
Continuing, you will need the UUID of the root device. The partitions and the UUIDs can be easily listed issuing:
lsblk --fs
Write down the UUID of the root partition (the one with the /
mountpoint) and make sure to have it ready. Also write down any and all network settings (IPv4 & IPv6 addressing, subnets, gateways, etc). Make sure to get root permissions for the next steps (either su -
or sudo -i
).
Lets switch to the root and throw the ramdisk image there:
cd / && curl -O https://cdn.openbsd.org/pub/OpenBSD/7.6/amd64/bsd.rd
Now we have to edit the GRUB config, which is twofold. Open /etc/grub.d/40_custom
with your favorite text editor (mg, vi, ed, nano, etc) and add the following lines, replacing $UUID
with the actual UUID of the root partition on two occassions:
menuentry "free-the-fish" {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root $UUID
else
search --no-floppy --fs-uuid --set=root $UUID
fi
kopenbsd /bsd.rd
}
Save the file and exit your favorite editor. Now, repeat the process for /etc/default/grub
and add or edit the GRUB_DEFAULT
parameter:
GRUB_DEFAULT="free-the-fish"
The last step is to update GRUB to reach the full potential of Linux: boot to OpenBSD. This is easily done with:
upgrade-grub
Or, if it doesn't know that command:
grub-mkconfig -o /boot/grub/grub.cfg
I was actually incorrect there for a moment - that wasn't the actual last step. The last step: grab yourself a nice cup of coffee and reboot the machine. The OpenBSD installer will be greeting you once it it rebooted.
Installing OpenBSD
Now, I won't hold your hand through the OpenBSD installer, because it is relatively foolproof and there is already enough documentation. I will add this: always encrypt all data and the storage holding it. Especially so if you are not the owner of the machine - which is the case with rentals and the cloud.
Setting up IPv6 on Scaleway
One of the challenges I ran into was that the IPv6 stack of Scaleway only permits addressing through DHCP. Setting a static IPv6 address won't work unfortunately. If you require this: consider going with OpenBSD.Amsterdam with is a way better choice regardless. If you are anything like me and love to have some infra running in every corner of the world, then read on :)
Since static addressing won't work, we'll need something to handle the IPv6 DHCP for us. The easiest would be to use DHCPCd. Install it with a simple:
pkg_add dhcpcd
Configure the client daemon by adding the following options to /etc/dhcpcd.conf
:
ipv6only
noipv6rs
allowinterfaces em0
duid
slaac hwaddr
interface em0
ipv6rs
iaid 1
dhcp6
ia_na 1
Make sure that your /etc/hostname.em0
does not have any lines with inet6 (as that would cause both OpenBSD itself and DHCPCd fetching an IPv6 address). Set some flags for DHCPCd:
rcctl set dhcpcd flags -C resolv.conf -c /etc/dhcpcd_up.sh
This makes DHCPcd ignore resolv.conf and hooks in our script after getting an IPv6 lease. Ofcourse, we will need to create that script. Open /etc/dhcpcd_up.sh
with your text editor and throw in (replacing $IP6
with your actual IPv6 address):
route sourceaddr -inet6 $IP6
Make the script executable:
chmod +x /etc/dhcpcd_up.sh
Enable and start DHCPCd:
rcctl enable dhcpcd
rcctl start dhcpcd
Now you should have a working IPv6 configuration. Congratulations! If you have customized pf.conf
you'll need the following rules:
# Allow ICMP6 traffic; utterly insecure allowing all ICMP6 traffic, you should narrow this down
pass on any inet6 proto icmp6 all
# Allow the provider to send DHCPv6 packets
pass in on em0 inet6 proto udp from fe80::/10 port dhcpv6-server \
to fe80::/10 port dhcpv6-client no state
Closing thoughts
Hopefully either you or someone else benefits from this how-to. In case it has helped even one person, it was well worth writing it. As always, you can reach out to me through the Fediverse or through mail. Have a lovely day - until we meet again in the next blogpost!