Dave's OpenBSD Blog #6: VM Setup for future Web hosting

Created: 2024-11-13

My previous OpenBSD VM was on the host Vultr.com. It was very cool that they had OpenBSD images ready to use.

But more recently, https://openbsd.amsterdam/ caught my eye. What’s really cool about OpenBSD Amsterdam (other than, obviously, specializing in OpenBSD hosting) is that they donate a significant portion of their profits to the OpenBSD Foundation. So when you use them, you’re literally helping to fund OpenBSD development. (To date, they’ve donated €45.340, which translates to roughly USD $47,900.)

I have found that, like OpenBSD itself, the documentation around OpenBSD-related projects and websites is almost always excellent. This host is no exception.

Here’s the initial setup documentation for your new openbsd.amsterdam VM:

https://openbsd.amsterdam/onboard.html

I also updated my ratfactor.com DNS record on my registrar, name.com, to re-use an old subdomain for this VM: willard.ratfactor.com.

(Willard is a reference to a 1968 fiction book by Stephen Gilbert about a man who uses rats for revenge. I read the book some years back and remember enjoying it.)

$ ssh willard.ratfactor.com

... ssh stuff ...

OpenBSD 7.4 (GENERIC) #3: Wed Feb 28 06:23:08 MST 2024

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

willard2$ awk '{print$NF}' .ssh/authorized_keys
 (password shows up here)

willard2$ su -
Password:
willard2# echo 'permit dave' > /etc/doas.conf
willard2# echo 'permit nopass keepenv root as root' >> /etc/doas.conf
willard2# cat /etc/doas.conf
permit dave
permit nopass keepenv root as root

I always use keys rather than passwords to log into servers, so I followed the advice to turn off password logins. I knew it would work, but there’s always that brief moment of fear when reconnecting after changing an SSH setting like that:

willard2$ doas rcctl set sshd flags -o PasswordAuthentication=no
willard2$ doas rcctl restart sshd
...
willard2$ ^D

$ ssh willard.ratfactor.com
Last login: Thu Nov 14 02:10:37 2024 from 99.59.251.76
...

Whew!
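
A way to take some of the fear out of that reconnect, as an added example that is not part of the original post: before closing the current session, feed the effective sshd settings (the output of sshd -T) through a check for password-style login methods. It looks at kbdinteractiveauthentication as well as passwordauthentication, because keyboard-interactive can also prompt for a password. The function name, the sample texts and the live invocation in the last comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `sshd -T` output on
# stdin and prints each password-style login method that is still enabled.
# Exit status 0: none enabled. Exit status 1: at least one is enabled, or
# the input did not look like sshd -T output (fail closed).
password_methods_enabled() {
    awk '
        $1 == "passwordauthentication" { seen = 1 }
        $1 == "passwordauthentication"       && $2 == "yes" { print $1; bad = 1 }
        $1 == "kbdinteractiveauthentication" && $2 == "yes" { print $1; bad = 1 }
        END {
            if (!seen) { print "no passwordauthentication line in input"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed excerpts in sshd -T format (lowercase keyword, then value).
# They are sample data, not output captured from the VM in the post.
SAMPLE_DEFAULT='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes'

SAMPLE_PARTIAL='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes'

SAMPLE_KEYS_ONLY='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

report() {  # $1 = label, $2 = sshd -T text
    if found=$(printf '%s\n' "$2" | password_methods_enabled); then
        echo "$1: key-only"
    else
        echo "$1: still enabled:" $found
    fi
}

report default   "$SAMPLE_DEFAULT"
report partial   "$SAMPLE_PARTIAL"
report keys-only "$SAMPLE_KEYS_ONLY"

# On the VM itself (assumed invocation; the rcctl flags are passed along so
# the -o override set with rcctl is part of what gets checked):
#   doas /usr/sbin/sshd -T $(rcctl get sshd flags) | password_methods_enabled
```

Keeping the existing session open while testing a second login from another terminal gives a way back in if the check or the restart goes wrong.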

Upgrading from OpenBSD 7.4 to 7.6

When I signed up, 7.4 was current. It’s time to upgrade my VM to OpenBSD 7.6 which has this amazing distinction:

With this release all files that existed in the first commit in the OpenBSD source repository have been updated, modified or replaced at some point in time, reaching OpenBSD of Theseus.

willard2$ doas sysupgrade
Fetching from https://cdn.openbsd.org/pub/OpenBSD/7.5/amd64/
...
Verifying sets.
Fetching updated firmware.
fw_update: add none; update intel|
Upgrading.
Connection to willard.ratfactor.com closed by remote host.
Connection to willard.ratfactor.com closed.

It did take a moment (or three) for the VM to come back up after the upgrade, but eventually I was able to SSH back in:

$ ssh willard.ratfactor.com
Last login: Thu Nov 14 01:40:47 2024 from xx.xx.xx.xx
OpenBSD 7.5 (GENERIC) #79: Wed Mar 20 15:33:49 MDT 2024

Ah, so I’m one version away. I run sysupgrade a second time:

willard2$ doas sysupgrade
Fetching from https://cdn.openbsd.org/pub/OpenBSD/7.6/amd64/
...
Verifying sets.
Fetching updated firmware.
fw_update: add none; update intel|
Upgrading.
Connection to willard.ratfactor.com closed by remote host.
Connection to willard.ratfactor.com closed.

While that was rebooting, I thought it would be neat to see if I could actually watch what it was doing, so…

The VM Console

OpenBSD Amsterdam makes the host server available directly via SSH so you can control your VM at the command line.

My little slice of heaven is vm18 on server22.openbsd.amsterdam.

$ ssh -e none -p 31415 server22.openbsd.amsterdam
Last login: Mon Mar  4 22:41:10 2024 from 99.59.251.76
OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024

Welcome to OpenBSD: The proactively secure Unix-like operating system.

                                       ________ ________
  ______ ______________  __ ___________\_____  \\_____  \
 /  ___// __ \_  __ \  \/ // __ \_  __ \/  ____/ /  ____/
 \___ \\  ___/|  | \/\   /\  ___/|  | \/       \/       \
/____  >\___  >__|    \_/  \___  >__|  \_______ \_______ \
     \/     \/                 \/              \/       \/
OpenBSD.Amsterdam

https://openbsd.amsterdam/onboard.html
https://openbsd.amsterdam/upgrade.html

Unresponsive VM? Run: doas pkill -9 -xf "vmd: <your VM name>"

And connecting to the console looks like this (remember, vm18 is my VM on this server):

server22$ vmctl console vm18
Connected to /dev/ttypi (speed 115200)
 done
vmmci0: powerdown
rebooting...
Using drive 0, partition 3.
Loading......
probing: pc0 com0 mem[638K 1022M a20=on]
disk: hd0+
>> OpenBSD/amd64 BOOT 3.67
\
com0: 115200 baud
switching console to com0
>> OpenBSD/amd64 BOOT 3.67
boot>
...
cpu0: Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40GHz, 2400.07 MHz, 06-3f-02
cpu0: cpuid 1 edx=78ba97f<FPU,VME,DE,PSE,TSC,MSR,PAE,CX8,SEP,PGE,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2> ecx=f6d83203<SSE3,PCLMUL,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV>
cpu0: cpuid 7.0 ebx=23a9<FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS> edx=400<MD_CLEAR>
cpu0: cpuid 80000001 edx=24100800<NXE,PAGE1GB,LONG> ecx=21<LAHF,ABM>
cpu0: cpuid 80000007 edx=100<ITSC>
cpu0: MELTDOWN
cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 256KB 64b/line 8-way L2 cache, 20MB 64b/line 20-way L3 cache
cpu0: smt 0, core 0, package 0
...
Checking for available binary patches...
Run syspatch(8) to install:
001_unbound	002_xserver
starting local daemons: cron.
Thu Nov 14 02:00:16 CET 2024

OpenBSD/amd64 (willard2.openbsd.amsterdam) (tty00)

login:

I chopped down the output above quite a bit. But as you can see, I managed to catch it just as it was coming back up. That’s exactly what I would have seen if I were looking at a monitor on a physical computer right in front of me (or a serial console connected to same).

Very cool.

That’ll do it for now. I finish off the night by purchasing an OpenBSD 7.6 T-shirt and sticker featuring a rowing team of puffer fish. They’ve been killing it with the release art. What an awesome community.

Next will be messing about with OpenBSD’s httpd, which I’m very excited about.