romanzolotarev.com: support and follow me on Mastodon and Twitter

DISCLAIMER
I'm just a happy customer of OpenBSD Amsterdam. Mischa Peters runs the place. When you sign up, Mischa donates 16.7% to OpenBSD Foundation.

Tested on OpenBSD 6.3

Deploy VM on OpenBSD Amsterdam

OpenBSD in Amsterdam is running dedicated vmd(8) servers to host opinionated VMs.

Send your name, email address, hostname, username, and public SSH key to OpenBSDAms via contact form, Twitter, or Mastodon, before you pay.

For example:

Roman Zolotarev
hi@romanzolotarev.com
www.romanzolotarev.com
romanzolotarev
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqh7BmO... 1500469202

Please allow few hours for your VM to be started. You'll get a IPv4 and IPv6 address as soon as your VM is deployed. Login to the VM (assuming your private SSH key is in its default location):

$ ssh username@XXX.XXX.XXX.XXX
OpenBSD 6.3 (GENERIC) #100: Sat Mar 24 14:17:45 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating
system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the
latest version of the code. With bug reports, please try to
ensure that enough information to reproduce the problem is
enclosed, and if a known fix for it exists, include that as
well.
$

Get the password from ~/.ssh/authorized_keys and switch to root.

$ head -1 ~/.ssh/authorized_keys| tr ' ' '\n'|tail -1
XXXXXXXXXXXXXXXXXXXXXXXXXX
$ su -
password:
#

Add your username to /etc/doas.conf:

# echo 'permit username' > /etc/doas.conf
#

Edit /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no

Verify the new config and restart sshd:

# sshd -t
# rcctl restart sshd
sshd(ok)
sshd(ok)
#

Run sysctl to set the time counter then run ntpd to set the local clock and terminate it by pressing ^C.

# echo 'kern.timecounter.hardware=tsc' >> /etc/sysctl.conf
# sysctl kern.timecounter.hardware=tsc
kern.timecounter.hardware: i8254 -> tsc
# rcctl set ntpd flags -s
# ntpd -sd
/var/db/ntpd.drift is empty
ntp engine ready
...
sensor vmmci0: offset 44.961541
set local clock to Sat Jun 30 21:15:05 CEST 2018 (offset 44.961541s)
...
^Cntp engine exiting
Terminating
#

It has been reported by some users that IPv6 needs -soii in order to work properly. In that case you can edit /etc/hostname.vio0:

dhcp
inet6 2a03:6000:9xxx::xxx 64 -soii

When you don't want the IPv4 address to be provided by dhcpd you can change /etc/hostname.vio0 to:

inet 46.23.xx.xx 255.255.255.0
inet6 2a03:6000:9xxx::xxx 64 -soii

When you do, make sure to edit /etc/mygate:

46.23.xx.1
2a03:6000:9xxx::1

Reinitialize the network:

# sh /etc/netstart vio0
#

Update /etc/pf.conf, test, and load it:

# echo 'pass in quick proto { icmp, icmp6 } all' >> /etc/pf.conf
# pfctl -nf /etc/pf.conf
# pfctl -f /etc/pf.conf
# pfctl -sr
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
block return out log proto tcp all user = 55
block return out log proto udp all user = 55
pass in quick proto icmp all
pass in quick proto ipv6-icmp all
#

Stop and disable sndiod:

# rcctl stop sndiod
sndiod(ok)
# rcctl disable sndiod
#

Check 6.3 errata and apply available patches.

# syspatch
Get/Verify syspatch63-001_perl.tgz 100% |**************|  4922 KB 00:00
Installing patch 001_perl
...
Get/Verify syspatch63-018_vmml1tf... 100% |************| 38639 KB 00:11
Installing patch 018_vmml1tf
Relinking to create unique kernel... done.
# reboot
Connection to XXX.XXX.XXX.XXX closed.

Now you may want to setup a web server.


Thanks to Mischa Peters for reading drafts of this, to Mike Larkin, Bryan Steele, h3artbl33d, and Jeff Neitzel for tips and hints.