Customizing OpenBSD Installations

Many of us follow a set of steps when installing a machine. All freshly installed hosts of a specific operating system revision have a common SSH server configuration. My machines all have tcsh installed and attach to the central authentication system. You probably have your own list. These tasks can be done by hand after installation, but it’s much easier to let OpenBSD do them for you during the installation process.

Installations can be customized by adding files during installation or by running commands after the installation.

Custom File Sets

A custom file set includes files that you want copied to your new installation. I use custom file sets to install the default /etc/sudoers, an SSH server configuration, my company’s default pf.conf, and similar files. As I’m the lead sysadmin, I also include dotfiles in my home directory and other personal touches to make my life easier. Some people include several home directories, including authorized_keys files for SSH.

Bundle these files together as a siteXX.tgz file, which the installer can extract in the root directory of the new installation. (Be sure to replace the XX with the OpenBSD version you’re installing on; for example, name a siteXX.tgz file for OpenBSD 5.4 site54.tgz.)

Start by installing an OpenBSD machine of the exact same version and platform that you want to customize. Make your changes and add your files to this system, verify that this template system works exactly as you desire, and then copy the changed files to a tar file.

Note

You could make a directory hierarchy and copy the files you want to it, but I find that to be more error-prone. A small virtual machine will let you build a siteXX.tgz file more reliably.

The following example creates a site54.tar file containing one file, /etc/ssh/sshd_config. Note that I start by creating a plain tar file. Since I can’t easily add files to a compressed tar file, I’ll need to compress the file after it’s complete.

# cd /
# tar -cf site54.tar etc/ssh/sshd_config

Now that I have the initial file, I can add additional files. I’ve customized a few files on the system, as well as added new ones, all of which I add to the site54.tar file. The -r flag tells tar to add a file to an archive.

# tar -rf site54.tar etc/sudoers
# tar -rf site54.tar etc/pf/mgmt-hosts.conf
# tar -rf site54.tar etc/pf.conf

Here’s how to compress the tar file:

# gzip site54.tar
# mv site54.tar.gz site54.tgz

I’ve built my own custom release of OpenBSD, so I have a local FTP server that contains all of the release files. If you’re using the official OpenBSD release, but you’re installing enough OpenBSD machines to warrant making a siteXX.tgz file, you can copy the official release to a local FTP or HTTP mirror. Copy your siteXX.tgz file to this directory and update the index.txt file.

# ls -l > index.txt

Now start your installation. Tell the installer to use your local release mirror rather than an official OpenBSD mirror. You should see the following sets:

Select sets by entering a set name, a file name pattern or 'all'. De-select
sets by prepending a '-' to the set name, file name pattern or 'all'. Selected
sets are labelled '[X]'.
    [X] bsd           [X] etc54.tgz     [X] xbase54.tgz   [X] xserv54.tgz
    [X] bsd.rd        [X] comp54.tgz    [X] xetc54.tgz    [ ] site54.tgz
    [ ] bsd.mp        [X] man54.tgz     [X] xshare54.tgz
    [X] base54.tgz    [X] game54.tgz    [X] xfont54.tgz
Set name(s)? (or 'abort' or 'done') [done] site54.tgz

Your site54.tgz file should now be available as a file set. Add it because the installer won’t automatically include it. Once the installation finishes, you should find your customized and added files on the new system.
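Because the installer unpacks the site set at the root of the new system, the paths, owners, and modes stored in the archive are what every new host receives. The following pre-publication check is an added example, not part of the original text; the function names audit_site_set and build_sample are hypothetical, and the exemption for files under home/ is an assumption of this example.

```python
import io
import tarfile

def audit_site_set(data):
    """Return findings for a siteXX.tgz passed as bytes; an empty list means clean."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            name = m.name[2:] if m.name.startswith("./") else m.name
            # The set is unpacked at the root of the new system, so every
            # member must stay below that root.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"{name}: path leaves the install root")
            # Files staged by an unprivileged user keep that user's uid.
            # Assumption: home directories are the only place that is allowed.
            if m.uid != 0 and not name.startswith("home/"):
                findings.append(f"{name}: owned by uid {m.uid}, expected root")
            if m.issym() or m.islnk():
                continue  # mode bits on links are not meaningful
            if m.mode & 0o6000:
                findings.append(f"{name}: setuid/setgid bit set")
            if m.mode & 0o002:
                findings.append(f"{name}: world-writable")
            # sudo expects sudoers to be mode 0440 by default.
            if name == "etc/sudoers" and (m.mode & 0o7777) != 0o440:
                findings.append(f"{name}: mode {m.mode & 0o7777:o}, expected 440")
            # sshd's StrictModes rejects group- or world-writable key files.
            if name.endswith("/.ssh/authorized_keys") and (m.mode & 0o022):
                findings.append(f"{name}: writable by group or others")
    return findings

def build_sample(entries):
    """Build a constructed site set in memory from (name, mode, uid) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, uid in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.gid = mode, uid, uid
            tar.addfile(info)  # size 0: only the headers matter here
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: sudoers left at 0644 and owned by an unprivileged builder.
    bad = build_sample([("etc/ssh/sshd_config", 0o644, 0), ("etc/sudoers", 0o644, 1000)])
    for line in audit_site_set(bad):
        print(line)
```

To check a real set, pass the file's bytes, for example `audit_site_set(open("site54.tgz", "rb").read())`, before copying it to the release mirror.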

Post-Install Shell Scripts

Some tasks can be accomplished by copying files, but that’s annoying. For example, I want the shell tcsh installed on all of my OpenBSD servers. I could put all the files in the tcsh package, as well as the contents of /var/db/pkg/tcsh, in siteXX.tgz, but I know I’m likely to mess that up somehow. It would be much easier to run pkg_add tcsh after the installation, and let OpenBSD do what it’s supposed to do. That’s where the install.site script comes in.

After completing the installation, but before giving you the final command prompt, OpenBSD checks for /install.site. If this file exists, the installer runs it. The script is run chrooted into the newly installed system, so you don’t need to worry about changing any paths. The script does need to run on a minimal kernel, however, so it’s best to wait for low-level kernel twiddling until the first real boot.

Here’s a sample install.site script that installs the two packages tcsh and python:

#!/bin/sh
export PKG_PATH=ftp://ftp13.usa.openbsd.org/pub/OpenBSD/snapshots/packages/i386/
pkg_add -v tcsh
pkg_add -v python-2.7.3p1

When working with install.site scripts, if a package’s name could be ambiguous, be sure to give the full package name. There’s only one tcsh package, but Python comes in several versions. I specify the full package name, rather than using plain python.

Also note that while you’re running in a chroot that contains a full userland, that userland isn’t fully initialized. When dropping into the chroot, OpenBSD doesn’t do a full multiuser startup of that chroot. The environment is roughly equivalent to single-user mode. The install.site script is not where you initialize your database.

When you have a real userland ready to go, to automatically run commands on the system’s first real boot, append the commands to /etc/rc.firsttime. This file runs once, at the system’s first boot after installation, and then deletes itself.
