A couple of months ago, I scored a pretty good deal on a server rental (hexa-core Xeon-D, 32G DDR4, two 250GB SSDs) for 22 pops each month. Ideal for tinkering and hacking with geographical redundancy, as this server is located in Paris. There were some challenges to overcome first and foremost.

Puffy lamp image source

Jailbreaking

After the provider has kicked the server online, the user is supposed to select the desired OS that is automatically installed. That list does not include OpenBSD. Even though the provider offers on-demand access to IPMI/BMC (and thus KVM over IP), there wasn't an option to mount a custom image, either locally or remotely. The same scenario goes for a number of cloud providers (like Hetzner and Gandi) and cloud platforms (like OpenStack).

Fortunately, this can be worked around by (what I call) jailbreaking the machine. The basic idea is simple: install one of the supported OSes, slap the ramdisk installer somewhere and make the machine boot to it. Bringing this into practice may seem a little daunting at first - but it is not that difficult.

You will first need to install an OS to the machine. Ever since the inception of systemd it has been assimilating everything in such a way that the Borg envy. It has been consuming much more than just the init system - nowadays there is systemd-boot too. For this to work, I recommend picking a Linux distro that uses GRUB. Debian 11 (or earlier) is a solid choice. Whether the distribution is EOL is irrelevant, as we put Linux to full utilization: a mere bootloader for the OpenBSD installer.

Continuing, you will need the UUID of the root device. The partitions and the UUIDs can be easily listed issuing:

lsblk --fs

Write down the UUID of the root partition (the one with the / mountpoint) and make sure to have it ready. Also write down any and all network settings (IPv4 & IPv6 addressing, subnets, gateways, etc). Make sure to get root permissions for the next steps (either su - or sudo -i).

Lets switch to the root and throw the ramdisk image there:

cd / && curl -O https://cdn.openbsd.org/pub/OpenBSD/7.6/amd64/bsd.rd

Now we have to edit the GRUB config, which is twofold. Open /etc/grub.d/40_custom with your favorite text editor (mg, vi, ed, nano, etc) and add the following lines, replacing $UUID with the actual UUID of the root partition on two occassions:

menuentry "free-the-fish" {
    load_video
    insmod gzio
    if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
    insmod part_gpt
    insmod ext2
    if [ x$feature_platform_search_hint = xy ]; then
        search --no-floppy --fs-uuid --set=root  $UUID
    else
        search --no-floppy --fs-uuid --set=root $UUID
    fi
    kopenbsd /bsd.rd
}

Save the file and exit your favorite editor. Now, repeat the process for /etc/default/grub and add or edit the GRUB_DEFAULT parameter:

GRUB_DEFAULT="free-the-fish"

The last step is to update GRUB to reach the full potential of Linux: boot to OpenBSD. This is easily done with:

upgrade-grub

Or, if it doesn't know that command:

grub-mkconfig -o /boot/grub/grub.cfg

I was actually incorrect there for a moment - that wasn't the actual last step. The last step: grab yourself a nice cup of coffee and reboot the machine. The OpenBSD installer will be greeting you once it it rebooted.

Installing OpenBSD

Now, I won't hold your hand through the OpenBSD installer, because it is relatively foolproof and there is already enough documentation. I will add this: always encrypt all data and the storage holding it. Especially so if you are not the owner of the machine - which is the case with rentals and the cloud.

Setting up IPv6 on Scaleway

One of the challenges I ran into was that the IPv6 stack of Scaleway only permits addressing through DHCP. Setting a static IPv6 address won't work unfortunately. If you require this: consider going with OpenBSD.Amsterdam with is a way better choice regardless. If you are anything like me and love to have some infra running in every corner of the world, then read on :)

Since static addressing won't work, we'll need something to handle the IPv6 DHCP for us. The easiest would be to use DHCPCd. Install it with a simple:

pkg_add dhcpcd

Configure the client daemon by adding the following options to /etc/dhcpcd.conf:

ipv6only
noipv6rs
allowinterfaces em0
duid
slaac hwaddr
interface em0
    ipv6rs
    iaid 1
    dhcp6
        ia_na 1

Make sure that your /etc/hostname.em0 does not have any lines with inet6 (as that would cause both OpenBSD itself and DHCPCd fetching an IPv6 address). Set some flags for DHCPCd:

rcctl set dhcpcd flags -C resolv.conf -c /etc/dhcpcd_up.sh

This makes DHCPcd ignore resolv.conf and hooks in our script after getting an IPv6 lease. Ofcourse, we will need to create that script. Open /etc/dhcpcd_up.sh with your text editor and throw in (replacing $IP6 with your actual IPv6 address):

route sourceaddr -inet6 $IP6

Make the script executable:

chmod +x /etc/dhcpcd_up.sh

Enable and start DHCPCd:

rcctl enable dhcpcd
rcctl start dhcpcd

Now you should have a working IPv6 configuration. Congratulations! If you have customized pf.conf you'll need the following rules:

# Allow ICMP6 traffic; utterly insecure allowing all ICMP6 traffic, you should narrow this down
pass on any inet6 proto icmp6 all

# Allow the provider to send DHCPv6 packets
pass in on em0 inet6 proto udp from fe80::/10 port dhcpv6-server \
  to fe80::/10 port dhcpv6-client no state

Closing thoughts

Hopefully either you or someone else benefits from this how-to. In case it has helped even one person, it was well worth writing it. As always, you can reach out to me through the Fediverse or through mail. Have a lovely day - until we meet again in the next blogpost!