Installing OpenBSD on Netgate's SG-2440

This is documentation on how to install OpenBSD (in this case 6.9, but the procedure hasn't changed for as long as I can remember). Since the SG-2440 only has a serial connection (no monitor output), about half of the installation is over the serial console and the rest is over SSH. This post is for me, to help me remember what I did last time.

  1. Setting up the serial console

On the laptop:

sudo apt install screen
sudo modprobe cp210x
dmesg --follow

Now connect the cable and watch the dmesg output to see the serial connection being added (should be at /dev/ttyUSB0) and then:

sudo screen /dev/ttyUSB0 115200

Insert the USB drive with the installer and reboot (shutdown -r now). To enable the serial connection in the installer, run the following commands at the boot prompt:

stty com1 115200
set tty com1
boot

The interactive installer prompts and answers:

Terminal type? [vt220]
System hostname? (short form, e.g. 'foo') ns1
Available network interfaces are: em0 em1 em2 em3 em4 em5 vlan0.
Which network interface do you wish to configure? (or 'done') [em0] em5
IPv4 address for em5? (or 'dhcp' or 'none') [dhcp] 192.168.3.1
Netmask for em5? [255.255.255.0]
IPv6 address for em5? (or 'autoconf' or 'none') [none]
Available network interfaces are: em0 em1 em2 em3 em4 em5 vlan0.
Which network interface do you wish to configure? (or 'done') [done]
Default IPv4 route? (IPv4 address or none)
A response is required.
Default IPv4 route? (IPv4 address or none) none
DNS domain name? (e.g. 'example.com') [my.domain] shore.co.il
DNS nameservers? (IP address list or 'none') [none] 9.9.9.9

Password for root account? (will not echo)
Password for root account? (again)
The root password must be set.
Password for root account? (will not echo)
Password for root account? (again)
Start sshd(8) by default? [yes]
Change the default console to com1? [yes]
Available speeds are: 9600 19200 38400 57600 115200.
Which speed should com1 use? (or 'done') [115200]
Setup a user? (enter a lower-case loginname, or 'no') [no] nimrod
Full name for user nimrod? [nimrod] Nimrod Adar
Password for user nimrod? (will not echo)
Password for user nimrod? (again)
WARNING: root is targeted by password guessing attacks, pubkeys are safer.
Allow root ssh login? (yes, no, prohibit-password) [no] yes

Available disks are: sd0 sd1 sd2.
Which disk is the root disk? ('?' for details) [sd0] ?
sd0: ATA, Micron_M600_MTFD, MU04 naa.500a0751122dae7a (119.2G)
sd1: SanDisk, Cruzer Blade, 1.26 serial.07815567071025103004 (3.7G)
sd2: Generic, Ultra HS-COMBO, 1.98 serial.04242240000000225001 (28.5G)
Available disks are: sd0 sd1 sd2.
Which disk is the root disk? ('?' for details) [sd0] sd2
Disk: sd2       Usable LBA: 64 to 59768768 [59768832 Sectors]
   #: type                                 [       start:         size ]
------------------------------------------------------------------------
   1: EFI Sys                              [          64:          960 ]
   3: OpenBSD                              [        1024:     59767745 ]
Use (W)hole disk MBR, whole disk (G)PT, (O)penBSD area or (E)dit? [OpenBSD] w
Setting OpenBSD MBR partition to whole sd2...done.
The auto-allocated layout for sd2 is:
#                size           offset  fstype [fsize bsize   cpg]
  a:          1024.0M               64  4.2BSD   2048 16384     1 # /
  b:          1919.9M          2097216    swap
  c:         29184.0M                0  unused
  d:          1591.9M          6029088  4.2BSD   2048 16384     1 # /tmp
  e:          2471.8M          9289248  4.2BSD   2048 16384     1 # /var
  f:          3339.8M         14351488  4.2BSD   2048 16384     1 # /usr
  g:           936.0M         21191488  4.2BSD   2048 16384     1 # /usr/X11R6
  h:          3783.8M         23108320  4.2BSD   2048 16384     1 # /usr/local
  i:          1668.0M         30857472  4.2BSD   2048 16384     1 # /usr/src
  j:          5855.9M         34273472  4.2BSD   2048 16384     1 # /usr/obj
  k:          6589.5M         46266432  4.2BSD   2048 16384     1 # /home
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] a
/dev/rsd2a: 1024.0MB in 2097152 sectors of 512 bytes
6 cylinder groups of 202.50MB, 12960 blocks, 25920 inodes each
/dev/rsd2k: 6589.5MB in 13495360 sectors of 512 bytes
33 cylinder groups of 202.50MB, 12960 blocks, 25920 inodes each
/dev/rsd2d: 1591.9MB in 3260160 sectors of 512 bytes
8 cylinder groups of 202.50MB, 12960 blocks, 25920 inodes each
/dev/rsd2f: 3339.8MB in 6840000 sectors of 512 bytes
17 cylinder groups of 202.50MB, 12960 blocks, 25920 inodes each
/dev/rsd2g: 936.0MB in 1916832 sectors of 512 bytes
5 cylinder groups of 202.50MB, 12960 blocks, 25920 inodes each
/dev/rsd2h: 3783.8MB in 7749152 sectors of 512 bytes
19 cylinder groups of 202.50MB, 12960 blocks, 25920 inodes each
/dev/rsd2j: 5855.9MB in 11992960 sectors of 512 bytes
29 cylinder groups of 202.50MB, 12960 blocks, 25920 inodes each
/dev/rsd2i: 1668.0MB in 3416000 sectors of 512 bytes
9 cylinder groups of 202.50MB, 12960 blocks, 25920 inodes each
/dev/rsd2e: 2471.8MB in 5062240 sectors of 512 bytes
13 cylinder groups of 202.50MB, 12960 blocks, 25920 inodes each
Available disks are: sd0 sd1.
Which disk do you wish to initialize? (or 'done') [done]
/dev/sd2a (46c9b63f83d3fd95.a) on /mnt type ffs (rw, asynchronous, local)
/dev/sd2k (46c9b63f83d3fd95.k) on /mnt/home type ffs (rw, asynchronous, local, nodev, nosuid)
/dev/sd2d (46c9b63f83d3fd95.d) on /mnt/tmp type ffs (rw, asynchronous, local, nodev, nosuid)
/dev/sd2f (46c9b63f83d3fd95.f) on /mnt/usr type ffs (rw, asynchronous, local, nodev)
/dev/sd2g (46c9b63f83d3fd95.g) on /mnt/usr/X11R6 type ffs (rw, asynchronous, local, nodev)
/dev/sd2h (46c9b63f83d3fd95.h) on /mnt/usr/local type ffs (rw, asynchronous, local, nodev)
/dev/sd2j (46c9b63f83d3fd95.j) on /mnt/usr/obj type ffs (rw, asynchronous, local, nodev, nosuid)
/dev/sd2i (46c9b63f83d3fd95.i) on /mnt/usr/src type ffs (rw, asynchronous, local, nodev, nosuid)
/dev/sd2e (46c9b63f83d3fd95.e) on /mnt/var type ffs (rw, asynchronous, local, nodev, nosuid)

Let's install the sets!
Location of sets? (disk http nfs or 'done') [http] disk
Is the disk partition already mounted? [yes] no
Available disks are: sd0 sd1 sd2.
Which disk contains the install media? (or 'done') [sd0] sd1
  a:          1358848             1024  4.2BSD   2048 16384 16142
  i:              960               64   MS-DOS
Available sd1 partitions are: a i.
Which sd1 partition has the install sets? (or 'done') [a]
Pathname to the sets? (or 'done') [6.9/amd64]

Select sets by entering a set name, a file name pattern or 'all'. De-select
sets by prepending a '-', e.g.: '-game*'. Selected sets are labelled '[X]'.
    [X] bsd           [X] base69.tgz    [X] game69.tgz    [X] xfont69.tgz
    [X] bsd.mp        [X] comp69.tgz    [X] xbase69.tgz   [X] xserv69.tgz
    [X] bsd.rd        [X] man69.tgz     [X] xshare69.tgz
Set name(s)? (or 'abort' or 'done') [done] -x*
    [X] bsd           [X] base69.tgz    [X] game69.tgz    [ ] xfont69.tgz
    [X] bsd.mp        [X] comp69.tgz    [ ] xbase69.tgz   [ ] xserv69.tgz
    [X] bsd.rd        [X] man69.tgz     [ ] xshare69.tgz
Set name(s)? (or 'abort' or 'done') [done] -game*
    [X] bsd           [X] base69.tgz    [ ] game69.tgz    [ ] xfont69.tgz
    [X] bsd.mp        [X] comp69.tgz    [ ] xbase69.tgz   [ ] xserv69.tgz
    [X] bsd.rd        [X] man69.tgz     [ ] xshare69.tgz
Set name(s)? (or 'abort' or 'done') [done]
Directory does not contain SHA256.sig. Continue without verification? [no] yes
Installing bsd          100% |**************************| 20423 KB    00:01
Installing bsd.mp       100% |**************************| 20515 KB    00:01
Installing bsd.rd       100% |**************************|  4107 KB    00:00
Installing base69.tgz   100% |**************************|   291 MB    00:54
Extracting etc.tgz      100% |**************************|   254 KB    00:00
Installing comp69.tgz   100% |**************************| 85958 KB    00:26
Installing man69.tgz    100% |**************************|  7560 KB    00:06
Location of sets? (disk http nfs or 'done') [done]

What timezone are you in? ('?' for list) [Canada/Mountain] Israel
Saving configuration files... done.
Making all device nodes... done.
Multiprocessor machine; using bsd.mp instead of bsd.
Exit to (S)hell, (H)alt or (R)eboot? [reboot]
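
The "Directory does not contain SHA256.sig" prompt above was answered yes, so the sets on the USB drive were installed unverified; the check can instead be done on the laptop, on the installer image, before it is written to the drive. The following is an added example, not part of the original post. It assumes the standard 6.9 release file names (install69.img, SHA256.sig, openbsd-69-base.pub) and GNU sha256sum on the laptop; the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post): check an OpenBSD release file
# on the laptop before writing it to the USB installer.

# Debian ships OpenBSD's signify as "signify-openbsd"; on OpenBSD it is "signify".
find_signify() {
    for bin in signify-openbsd signify; do
        if command -v "$bin" >/dev/null 2>&1; then
            echo "$bin"
            return 0
        fi
    done
    return 1
}

# Print the digest listed for file name $2 in checksum list $1. The list uses
# BSD-style lines, "SHA256 (install69.img) = <hex>"; SHA256.sig carries the
# same lines below its two signature header lines, which are skipped here.
expected_sha256() {
    awk -v name="($2)" \
        '$1 == "SHA256" && $2 == name && $3 == "=" { print $4; exit }' "$1"
}

# Compare a file's real SHA-256 with the listed one.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed.
# This alone proves integrity only; the list itself must be signature-checked.
checksum_matches() {    # usage: checksum_matches SHA256 path/to/install69.img
    want=$(expected_sha256 "$1" "$(basename "$2")")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Signature check plus digest check in one step (signify -C does both).
# Run it from the directory holding the downloaded files.
# usage: verify_release_file openbsd-69-base.pub SHA256.sig install69.img
verify_release_file() {
    sf=$(find_signify) || { echo "signify is not installed" >&2; return 3; }
    "$sf" -C -p "$1" -x "$2" "$3"
}
```

The public key passed to verify_release_file has to come from a source trusted independently of the download mirror, otherwise the signature check proves nothing.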

With this part done, I should be able to log in as the root account over SSH (or over the serial console). Now I should bootstrap the instance in the following ways: setting up doas for the regular user, setting up the internet connection and adding the SSH public keys for the regular user. Then I can run Ansible and set up everything else.

For the internet connection, I don't have any nice way of doing it, so I just copy the connection details from the router role in the homelab repository (get the password from the Keepass password database with ph show --field Password 'Web Sites/Bezeq International').

Add the public SSH keys:

ssh 192.168.3.1 'mkdir -p .ssh; chmod 700 .ssh; touch .ssh/authorized_keys; chmod 600 .ssh/authorized_keys'
{ ssh-keygen -yf ~/.ssh/shore_ecdsa; ssh-keygen -yf ~/.ssh/shore_ed25519; } | ssh 192.168.3.1 'tee .ssh/authorized_keys'

Bootstrap the instance (in the homelab repository):

ansible-playbook bootstrap.yaml -l ns1 -u root -k -e 'ansible_host=192.168.3.1'

Set up the router (still in the homelab repository):

ansible-playbook router.yaml -e 'ansible_host=192.168.3.1'
ansible-playbook update.yaml -l ns1

Boom! Done.