[ home ]
Jan 2018: Works fine with OpenBSD 6.2. The
xfce4-mount-plugin is now included with an xfce4 install.
I used the steps below to install OpenBSD, add the xfce4 desktop and to set up a graphical log-in on my Thinkpad X200 laptop. More recent laptops are supported, especially Thinkpads. The tricky bits seem to be trackpad support, and bios/efi options.
Each step starts with a link to the relevant OpenBSD FAQ pages so you can cross check my suggestions. I recommend that you print this page out and read the whole page before pressing on with the installation.
[ top ]
Background reading: FAQ 4: The OpenBSD installation guide.
I usually plan to install a new kind of system twice. The
first install is just to see how things work, and to make mistakes. I
accept all the usual default settings. For instance, I select
[W]hole disk and
[A]uto partition settings at
the appropriate point in the OpenBSD installation. I then install again, this
time with the customised settings that I want, as I know what responses the system will give.
The steps below assume that you have successfully installed the base
OpenBSD system from the USB stick installer (
or the CD-ROM image (
[ top ]
Background reading: OpenBSD FAQ 6.2.1, 6.13.
I have a Netgear USB wifi stick that has a free/libre driver that
does not require firmware. On OpenBSD, each kind of wifi device has a
different driver name, like
iwn0 for Intel 5900 cards and
urtw0 for the
Netgear. Use the
ifconfig -a command to find the name of
the driver for your particular card. Below is a typical dialogue for
starting up an encrypted (wpa-personal) wifi connection.
$ su -l # ifconfig -a # shows a list of all the interfaces # ifconfig urtw0 up # ifconfig urtw0 scan # ifconfig urtw0 nwid connection_name wpakey password wpaprotos wpa1,wpa2 # dhclient urtw0 DHCPREQUEST on urtw0 to 255.255.255.255 # lots more output
Starting with OpenBSD 6.1, you need to use the
option with argument
wpa1 to enable connections using
wpa1 encryption because of security issues with the older
protocol. Many authors suggest not trusting wpa1 connections.
You have to repeat these commands each time you connect to wifi, including on resume from suspend. There are various scripts available that automate reconnection. A very simple example is shown in Step 1a below.
You may have to install firmware for some
wifi cards using the
fw_update command, e.g. Intel
cards. A wired connection to the router will enable you to connect to
the mirror to get the firmware for your particular card. On my Thinkpad,
the ethernet driver is called
em0 and connecting to a wired connection
is just one command...
# dhclient em0 DHCPDISCOVER on em0 - interval 3 DHCPOFFER from 192.168.0.1 (00:1b:2f:42:41:42) DHCPREQUEST on em0 to 255.255.255.255 DHCPACK from 192.168.0.1 (00:1b:2f:42:41:42) bound to 192.168.0.4 -- renewal in 43200 seconds. #
[ top ]
Background reading: OpenBSD FAQ 15.2.
Precompiled binaries for application software that is not part of the
OpenBSD base are called 'packages' and they are available from your local OpenBSD mirror. You use
pkg_add command as root to install packages. The
pkg_add command reads the URL of the package mirror from
If you installed the OpenBSD package sets from the Internet, you will
already have the
/etc/installurl file in place and you can
go to step 3. If, like me, you prefer to install OpenBSD from the
install.fs images, you will need to create the
/etc/installurl file as below...
$ cat /etc/installurl https://www.mirrorservice.org/pub/OpenBSD
pkg_add command will append the version and machine
architecture directories from the URL. Don't add a trailing slash or any
version number or machine architecture after the 'OpenBSD' part of the
A fresh OpenBSD install has two command line editors,
not a real hacker so I use
echo and redirection. As
$ su -l # echo "https://www.mirrorservice.org/pub/OpenBSD" >> /etc/installurl # exit
To install applications, you need to become root and run
$ su -l # pkg_add nano quirks-2.114 signed on 2015-08-09T15:30:39Z nano-2.4.2: ok # exit $
Once the command returns, exit root and try editing a text file with nano.
[ top ]
The packages below will provide the xfce4 desktop, a Web browser/email client and a pdf viewer.
# pkg_add -v consolekit2 xfce xfce-extras evince seamonkey xscreensaver
consolekit2 package is needed to allow the user to
log out of xfce4 without using terminal commands. ConsoleKit essentially
wraps xfce4 in a session with some extra permissions.
pkg_add will stop when it reaches the
document reader Evince and offer you a choice of two versions of the
package, each compiled with different configuratons...
# pkg_add evince quirks-2.114 signed on 2015-08-09T15:30:39Z Ambiguous: choose package for evince a 0:
1: evince-3.16.1p0 2: evince-3.16.1p0-light Your choice: 2
Because Evince is part of the Gnome Desktop suite of programs, choosing option 1 will pull in a large number of Gnome libraries, including part of Nautilus the Gnome file manager. Option 2 has been provided by the packager for those of us who wish to use Evince to read pdf files with a different desktop or window manager. The functionality appears to be similar, just less dependencies on other parts of Gnome.
Firefox is a much more popular choice for the Web
browser, but I think I prefer Seamonkey. I run Seamonkey
no-script plugin and with options set in a very conservative
way. This reduces the load on the processor, and keeps me safe on the
Web. The venerable
xscreensaver provides desktop blanking
and locking when you step away from your machine.
Some of the more complex packages - especially those that install
daemons - come with
readme files installed to
/usr/local/share/doc/pkg-readmes/. It is best to skim these
for pointers to configuration.
Don't reboot yet. You need to configure the graphical login and set up some daemons. See step 4 below...
/etc/rc.conf.localto enable apmd and graphical log-in
[ top ]
Background reading: Comparison
of Desktop Environments, ConsoleKit Github
readme with definitions, xenodm man page and
the package_readme for consolekit2 at
As root add some lines to
/etc/rc.conf.local to enable power management (
that you can use Fn-F4 to suspend your thinkpad, and to enable the
graphical log-in manager
xenodm. Xenodm is an OpenBSD fork of the
# nano /etc/rc.conf.local multicast_host=YES # Some avahi shenanigans apmd_flags="-A" # Laptop power saving xenodm_flags="" # Starts xenodm graphical login pkg_scripts="messagebus" # Enables dbus/ConsoleKit stuff
Then as user add an
.xsession file with
a line that will start consolekit so that you can shutdown &c from
$ cat .xsession exec ck-launch-session startxfce4
Reboot and you'll get the xenodm login greeter. When you log in, Xfce4 will ask you to specify a layout, and then show you the desktop. One unusual feature is the X console window showing on Desktop 1 - it looks like a small terminal window. The X console will spit out messages when you plug in e.g. a USB stick. Shutdown, suspend and restart should work from the xfce4 Logout menu item - check they are not greyed out and that they work.
/etc/doas.confto allow user mounting of an external USB stick
[ top ]
Background reading: OpenBSD FAQ sections 10 (doas), 14 (File Systems Intro) as well as
man doas and
You must use
doas and a few lines in
/etc/doas.conf to allow user mounting of USB sticks. My
/etc/doas.conf file looks like this...
$ cat /etc/doas.conf # http://daemonforums.org/showthread.php?t=9774 permit nopass keith as root cmd mount permit nopass keith as root cmd umount
Once OpenBSD sources the
doas.conf file, you can mount and
unmount(say) an external USB thumb drive formatted to VFAT like
doas mount /dev/sd1i /home/keith/usb # mounts my USB on ~/usb doas umount /dev/sd1i # un-mounts the drive
I knew that my USB stick corresponded to the
device because I ran the
dmesg command after plugging the
USB stick in and waiting a few seconds. The device will be listed in the
last few lines of the dmesg output something like this...
umass0 at uhub0 port 2 configuration 1 interface 0 "Kingston DataTraveler 112" rev 2.00/1.00 addr 3 umass0: using SCSI over Bulk-Only scsibus4 at umass0: 2 targets, initiator 0 sd1 at scsibus4 targ 1 lun 0:
SCSI2 0/direct removable serial.0951162aFCC127195547 sd1: 14762MB, 512 bytes/sector, 30233588 sectors
Once mounted, you can use a graphical file manager like Thunar to
copy and paste files to and from your storage stick. You can't unmount the USB stick from Thunar, remember to use the
umount /dev/sd1i command before removing the USB stick.
/etc/fstabentry to allow graphical mount/unmount of a USB thumb drive
[ top ]
Background reading: xfce4-mount-plugin page on the Xfce Web site.
A note on how disks get numbered: My laptop has SATA
hard drive as its fixed disc, and that device will appear as
/dev/sd0 to OpenBSD. If I install from a CD-ROM and
don't use full disk encryption, the first USB stick I plug in
will appear as
/dev/sd1. If I do use hard drive
encryption, OpenBSD will be using a softraid disc that will appear as
/dev/sd1, and the first USB stick that I plug in will
/dev/sd2. The safest thing to do when following the instructions in
this step is to run the
mount command without any
arguments. That gives you a list of what is mounted where...
$ mount # example from OpenBSD with hard drive encryption # and installed to a softraid disc at /dev/sd1 /dev/sd1a on / type ffs (local) /dev/sd1k on /home type ffs (local, nodev, nosuid) /dev/sd1d on /tmp type ffs (local, nodev, nosuid) /dev/sd1f on /usr type ffs (local, nodev) /dev/sd1g on /usr/X11R6 type ffs (local, nodev) /dev/sd1h on /usr/local type ffs (local, nodev, wxallowed) /dev/sd1j on /usr/obj type ffs (local, nodev, nosuid) /dev/sd1i on /usr/src type ffs (local, nodev, nosuid) /dev/sd1e on /var type ffs (local, nodev, nosuid) /dev/sd2i on /home/keith/usb type msdos (local, uid=1000, gid=1000)
The instructions below reflect an OpenBSD installation on
sd0 with a USB stick that will appear at
xfce4-mount package is installed as part of the
xfce4 package set. add an icon for the plugin to the XFCE4
panel by right-clicking on the panel and selecting
Panel | Add New Items and searching for 'mount'.
xfce4-mount-plugin lists all the devices
including the default local hard drive including all the partitions on
sd0. I can set options to prevent that and to use a custom mount
command. Right click over the xfce4-mount icon and select
Properties | File Systems tab. I just added the pattern
/dev/sd0* to the Exclude specified file systems textbox so
my local drive was not listed.
I then once again right-clicked on the xfce4-mount icon, and selected Preferences | Commands and wrote the following in the Custom Commands textboxes, after ensuring that the Custom Commands checkbox was ticked...
doas mount %m doas umount %m
Now to ensure that a USB stick is listed in the
xfce4-mount-popup list, you have to add a line for the device to
/etc/fstab. My extra line looks like this (adapted from the
/dev/sd1i /home/keith/usb msdos rw,noauto 0 0
fstab entry like this means that only one USB
thumb drive will be listed and available with mouse clicks. If you are
in the habit of using several USB thumb drives then just experiment with
different lines and mountpoints
Thunar has volume management enabled by default, so mounted drives will be listed on the left hand side of the file window with an 'eject' icon next to each device. Attempting to eject a mounted drive by clicking on the eject icon will give an error message and has no effect. To avoid these error messages, I have unticked Enable Volume Management in the Thunar Preferences. The USB devices are still listed but with no eject icon next to them.
[ top ]
Background reading: pages about following the
-stable branch or following the
-current branch, and the OpenBSD 6.2 Errata
syspatch command provides binary updates to the core system. Running the
syspatch command without arguments while connected to the Internet resulted in
the first three errata for OpenBSD 6.2 being installed as you can see in the
$ su Password: # syspatch Get/Verify syspatch62-002_fktrace... 100% |*************| 77434 00:00 Installing patch 002_fktrace Get/Verify syspatch62-003_mpls.tgz 100% |***************| 29798 00:00 Installing patch 003_mpls Relinking to create unique kernel... done.
M:Tier sponsors OpenBSD and has provided
binpatches for the packages in the
stable release for use together with the
openup script. Their update page has been updated for OpenBSD 6.2, and they
openup to upgrade packages that you have installed in addition
to the base system.
[ top ]
Read the man pages and the package readmes. Putting it all together can be difficult at first as the documents reference each other, but it gets familiar with experience and experimentation like most things.
[ top ]
Tested on OpenBSD 6.2 on a Thinkpad X200 with a 120Gb SSD. There has been a report of these instructions not working but without details of machine, installation media or which step failed or any error. Treat with the instructions below with caution. The X200 throws a kernel error identical to this one when trying to start an X session currently but the encryption works!
Background reading: OpenBSD FAQ sections 14.1, 14.2 and 14.3. It is probably better to try this after you have worked through a default install and become familiar with fdisk and disklabel.
I like to use an encrypted hard drive just in case I leave this laptop on the bus or it gets stolen by a petty thief who does not realise how old the laptop is.
OpenBSD provides encryption through its bioctl RAID management interface. Essentially you create an encrypted softraid device that looks like another disk to the OpenBSD system and then create the file system partitions within that device. My recipe is adapted from a tutorial by David Crumpton.
The steps below assume that you are installing onto the whole of the
single hard drive using a SATA interface and that OpenBSD sees the
physical hard drive as
sd0 and the USB stick I booted from
[S]hellto get the root prompt #
# fdisk -iy sd0initialises the disk
# disklabel -E sd0enters the partition editor. Once in the disklabel command prompt
?to see a list of the commands within disklabel (I find this reassuring)
aand return to create a partition
aand return to create the sd0a partition
RAIDas the partition type
wto write the partition
qto quit the disklabel program and return to the root prompt #
# bioctl -c C -l /dev/sd0a softraid0to create an encrypted RAID device. Enter a strong passphrase at the prompt, and then enter the phrase again to check the typing. A look at the bioctl man page will clarify the option letters and the result is an encrypted RAID device that looks like a disk to the disklabel program. The encrypted device is identified as sd2 on my system because sd1 is the USB stick that I booted from and sd0 is the hard drive in the laptop.
# exitto return to the OpenBSD installer
Available disks are: sd0 sd1 sd2" question is reached. Select the softraid device
[W]holedisk. I got a warning after this step: "
MBR is not showing a valid signature, ignoring it" but everything seems to be working.
[A]utopartition layout and got the usual half dozen partitions within the softraid device sd2.
softraid is roaming used to be sd2 now sd1 using UUID.a" where UUID is some long random disk identifier. The USB stick I installed from is no longer connected and so isn't using the sd1 identifier, so that identifier is allocated to the encrypted softraid device.
The swap partition is within the encrypted softraid device so we can
disable OpenBSD's default encryption of the swap partition. You can do
that by copying the sysctl.conf file from /etc/examples/sysctl.conf to
/etc/sysctl.conf and uncommenting the line that reads
vm.swapencrypt.enable=0. My commands looked like
# cp /etc/examples/sysctl.conf /etc/sysctl.conf # nano /etc/sysctl.conf vm.swapencrypt.enable=0 # uncomment this line or just add this line to empty sysctl.conf file # cat /etc/sysctl.conf | grep vm.s vm.swapencrypt.enable=0 # 0=Do not encrypt pages that go to swap
[ top ]
There is no graphical wifi manager available on OpenBSD. Many users
have written fancy scripts that will automatically reconnect and/or list
the strongest available wifi signals. I like this little script that
runs from my user account and simply automates the typing in of the
ifconfig commands. None of the network related
configuration files are changed so I can always fall back on the
ifconfig commands in a new place. The script itself also
serves as a reminder of the syntax of the commands.
$ cat bin/wifi #!/bin/sh # adapted from http://marc.info/?l=openbsd-tech&m=146490607627340&w=2 if [[ $1 == "home" ]]; then doas ifconfig iwn0 nwid home_wifi_name wpa wpakey home_wifi_password wpaprotos wpa1,wpa2 doas dhclient iwn0 fi if [[ $1 == "blackberry" ]]; then doas ifconfig iwn0 nwid phone_hotspot_name wpa wpakey phone_hotspot_password doas dhclient iwn0 fi
The script requires the following lines to be added to
permit nopass keith as root cmd ifconfig permit nopass keith as root cmd dhclient
Keith Burnett, 1st Jan 2018: Updated for OpenBSD 6.2. No major changes apparent.