Installing OpenBSD 6.7 on your laptop is really hard (not)


Running OpenBSD 6.7 on your laptop is really hard (not)

June 2020. Previous versions of this page [ 5.5 | 6.2 | 6.3 | 6.4 | 6.5 | 6.6 ] and a lite OpenBSD desktop on a Thinkpad X60.

18th Oct 2020: They chucked OpenBSD 6.8 over the wall today despite me checking the site every few hours. Updating page soon.

Other pages about OpenBSD on a laptop...

This page describes installing OpenBSD on a Thinkpad L440 laptop with the xfce4 desktop environment. The resulting installation has auto-mounting of USB stick drives and can mount external NTFS formatted hard drives. I also present an alternative installation of the Gnome desktop environment which appears to be more stable on this hardware.

The laptop has 8Gb of RAM, Intel integrated graphics, and is fitted with a 200Gb SATA SSD.

Who is this page for and why does it exist?

This page is aimed at people who are familiar with Linux and who wish to explore one of the BSD distributions.

I'm assuming that the reader has successfully installed one of the popular Linux distributions, has some familiarity with the command line, including the use of a text editor to modify configuration files.

This page provides a task focused approach to setting up a desktop making use of many packages outside of the OpenBSD base as well as developing experience with the OpenBSD base.

Sources of information about OpenBSD

This page draws heavily on the OpenBSD FAQ and the man pages for commands and configuration files.

Packages ported to OpenBSD may include pkg-readmes that explain how the ported program can be integrated into the OpenBSD base.

Mail will be found waiting for the user on any new OpenBSD installation. Type mail at the command line to read them (or cheat and cat /var/mail/yourusername | more). And don't forget man afterboot.

Daemonforums have an OpenBSD section. This is not an official source but often has interesting posts. General Web searches will reveal tutorials and illustrations of various applications of OpenBSD. OpenBSD changes so be aware of the OpenBSD version used.

Install OpenBSD according to the FAQ

The OpenBSD FAQ - Installation Guide is recommended reading.

The Thinkpad L440 has UEFI boot but I disabled secure boot in the BIOS before booting from the OpenBSD USB stick that I produced on my Linux computer.

The OpenBSD installer asks a series of questions and gives sensible defaults in [square brackets]. I chose to use the [W]hole drive for OpenBSD and to accept [A]utomatic partitioning. Three points needed non-default input...

After the installer completes (a few minutes on the L440) you can reboot into the graphical log-in screen and type your user name and password.

The default X Window System session

The OpenBSD FAQ - is recommended reading.

OpenBSD base contains three window managers for use with X Windows. The default choice is an ancient version of fvwm and this is what should be visible now.

There should be an xterm terminal window in the top left of the screen. The default terminal prompt is the machine name ('illy' for me) and the $ sign showing that the terminal has ordinary user rights. Click on the title bar of that window to give it focus (and bring it to the front if there is another window in the way). That terminal window will enable the completion of the next 4 steps.

The fonts might be very small on a modern laptop screen. With the mouse pointer over the window press Ctrl and click the right hand mouse button. A font menu will appear. Select Huge size to get readable characters.

The 'system bell' can become intrusive. To silence it on a temporary basis just type

illy$ xset b off

If the fvwm desktop in all its 90s glory becomes annoying a console (aka tty) can be used. Ctrl-Alt F2 will take you to a tty login from where all the commands in the next 4 sections can be run. Ctrl-Alt F5 returns to the X Windows 'shell'.

If the computer must be closed down before the xfce4 desktop environment is installed and configured use these commands as root

illy$ su
password:               # type the root password
illy# shutdown -ph now

Connect to the Internet, install firmware packages and update the base system

See OpenBSD FAQ - Networking / Wireless Networking.

Small sections and examples from the man pages for hostname.if, the WiFi card in use (iwm in my case), ifconfig and dhclient will be useful. Remember that OpenBSD is often configured as a server and the range of networking functionality is comprehensive and very technical. man fw_update is brief.

To connect to a wired network just use these commands as root...

illy# ifconfig em0 up
illy# dhclient em0

For licensing reasons some firmware packages cannot be included on the OpenBSD install media. Run the fw_update command as root to install these

illy# fw_update

If you have no access to a wired connection and if the WiFi card itself needs a firmware package to function, it is possible to download the firmware package needed, copy it across to the laptop and then use the fw_update -p option to install from the local copy.

Connect to WiFi

To find out the name of the WiFi driver, type the ifconfig command as root

illy# ifconfig | grep flag
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
enc0: flags=0<>
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136

iwm0 is the Intel WiFi driver. To connect to my home WiFi with wpa2 encryption make a hostname.if file like this...

illy# echo "join myhomewifi wpakey pass_phrase" >> /etc/hostname.iwm0
illy# echo "dhcp" >> /etc/hostname.iwm0

and check the file for typos...

illy# cat /etc/hostname.iwm0

Then restart the network...

illy# sh /etc/netstart

Check you have a functioning connection using ping...

illy# ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=228 time=198.282 ms
64 bytes from icmp_seq=1 ttl=228 time=196.422 ms
64 bytes from icmp_seq=2 ttl=228 time=183.269 ms
^C          # Ctrl+C quits the ping command
--- ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 183.269/192.658/198.282/6.682 ms

Upgrade the base system using syspatch

See OpenBSD FAQ - System management / Security updates, OpenBSD 6.7 errata page and man syspatch

To apply the binary updates to the base system just become root and...

illy# syspatch
Get/Verify syspatch67-001_wscons.tgz 100% |*************|   113 KB    00:00    
Installing patch 001_wscons
Get/Verify syspatch67-002_rpki.tgz 100% |***************| 36470       00:00    
Installing patch 002_rpki
.... more lines ....
Relinking to create unique kernel... done; reboot to load the new kernel
Errata can be reviewed under /var/syspatch

As the message suggests, reboot the laptop to run the new kernel...

illy# reboot

OpenBSD does not have automatic updates (unless you set up a cron job to run syspatch or something). I just check the OpenBSD errata page now and again. You can subscribe to the openbsd-announce mailing list for warnings of new errata.

Install third party packages

See OpenBSD FAQ - Package Management.

Software not included in the OpenBSD base is ported to OpenBSD, often by volunteers in the ports team. The pkg_add command is used to install packages. OpenBSD has a global mirror system that is accessed through a content delivery network, and the address of the package repository is written to /etc/installurl during installation. The command below will install nano, an easy-to-use command line editor.

illy# pkg_add nano  # example from 6.5
quirks-3.124 signed on 2019-04-15T12:10:16Z
quirks-3.124: ok
nano-4.0:libiconv-1.14p3: ok
nano-4.0:gettext- ok
nano-4.0: ok

Occasionally, there is a glitch with the mirror or the internet connection and a package will not be correctly downloaded. pkg_add will mark such packages with the prefix partial-. I find that repeating the pkg_add command a bit later clears those up.

Install xfce4, Firefox and a pdf viewer

I like the xfce desktop environment. The OpenBSD port of xfce4 is version 4.14 and the commands below will provide a full install of xfce and Firefox and a pdf document reader.

illy# pkg_add xfce xfce-extras firefox evince xfce4-power-manager upower

This command will take some time to return as pkg_add will fetch all the dependencies for each of the packages listed above - dozens in the case of Xfce and Firefox. Dependencies of xfce include consolekit2 and dbus, both needed to enable Xfce to suspend or hibernate from the logout menu. See the next section for details.

pkg_add will stop when it reaches the document reader Evince and offer you a choice of two versions of the package, each compiled with different configurations...

illy# pkg_add evince
Ambiguous: choose package for evince
a   0: <None>
    1: evince-3.34.2p0
    2: evince-3.34.2p0-light
Your choice: 2

Option 1 will pull in a large number of Gnome libraries. Option 2 has been provided by the packager for those of us who wish to use Evince to read pdf files with a different desktop or window manager.

Some of the more complex packages come with readme files installed to /usr/local/share/doc/pkg-readmes/. The pkg-readmes for the xfce and firefox packages will be essential reading in the next section.

A huge range of ports is available, e.g. libreoffice and mplayer and so on. You can search for packages using pkg_info -Q <name> where <name> is part of the name of a program you know. For example...

illy$ pkg_info -Q inksc
illy$ pkg_info inkscape
Information for amd64/inkscape-0.92.4p2.tgz

SVG vector drawing application
.... lines about Inkscape ....

Don't reboot yet. You need to configure the graphical login and set up some daemons. See below...

Enable power management and allow xfce to shutdown and reboot

See OpenBSD FAQ - System Management / System daemons. The pkg-readme for Xfce is essential reading, try cat /usr/local/share/doc/pkg-readmes/xfce | more. A look at /usr/local/share/doc/pkg-readmes/xfce/firefox would be useful as well.

Optional: The first thing is to stop the xconsole starting each time you log in and to permanently silence the 'bell' and make the background to the login screen a solid colour. The file /etc/X11/xenodm/Xsetup_0 is run when you login to xenodm. Editing that file to comment out the line that starts xconsole and then adding some xset commands is best achieved using an editor. My modified file is shown below.

illy# cp /etc/X11/xenodm/Xsetup_0 /etc/X11/xenodm/Xsetup_0-back
illy# cat /etc/X11/xenodm/Xsetup_0  
# $OpenBSD: Xsetup_0,v 1.6 2019/06/29 13:33:06 espie Exp $

#xconsole -geometry 480x130-0-0 -daemon -notify -verbose -fn fixed -exitOnFail
xset b off
xsetroot -solid indigo
#  install package openbsd-backgrounds
#  then uncomment:
# if test -x /usr/local/bin/openbsd-wallpaper
# then
# 	/usr/local/bin/openbsd-wallpaper
# fi

# sxpm OpenBSD.xpm &

To enable suspend and resume and to run Xfce with the ability to control the power settings and to shut down and reboot, you need to enable some daemons...

Use rcctl to enable and start the apmd daemon (straight from the FAQ page). Suspend to RAM should then work.

illy# rcctl enable apmd
illy# rcctl set apmd flags -A
illy# rcctl start apmd

Next enable and start the messagebus (aka dbus-daemon)...

illy# rcctl enable messagebus
illy# rcctl start messagebus

rcctl actually writes lines into /etc/rc.conf.local and that file can be edited directly from a root command prompt.

Finally, when you start an X Window session, the server looks for a file called ~/.xsession in the root of your home drive and runs the commands in that file. Below are the contents of my .xsession file for running Xfce based on the pkg-readme...

illy$ cat ~/.xsession
# See pkg-readme for xfce
# Dbus/message bus enabled in rc.conf.local
# Want to be able to suspend from xfce4 logout menu
/usr/local/bin/startxfce4 --with-ck-launch

I usually reboot at this stage and check that Xfce starts properly and that I can suspend and reboot from the logout menu.

Firefox version 76 is ported to OpenBSD 6.7 at present. The porters have added pledge and unveil support to this build of Firefox - a sort of sandbox to restrict Firefox's access to the computer. The main difference this makes in everyday use is that Firefox can only save or open files to ~/Downloads. This new feature was described in the pkg-readme file for Firefox. Had I read that file, I could have saved a few minutes of head scratching and puzzlement...

Crashes and memory limits

If a program segfaults, OpenBSD dumps the memory in use by the program to file for analysis. If the program is run by a user, the resulting core file will end up in the user's home directory.

In OpenBSD 6.7 with xfce I am seeing xfce4-screensaver crashing on login each time, and occasionally xfwm and xfce4-panel decide to join in. I have removed xfce4 screensaver from my startup applications (always untick the save session for future logins box when you do this as otherwise Xfce will just restore the programs you had running in the last session...) and I don't see the *core files as often now.

By default, OpenBSD enforces limits on the maximum memory that applications can use depending on the role of the user. Web browsers like a lot of memory, so it is wise to increase the allocation of memory that can be used. The allocations are set in the /etc/login.conf file.

I add my user to the staff group then raise the memory limit for the staff group to 4096 Mb...

illy# usermod -G staff YOUR_USERNAME
illy# cat /etc/login.conf
.... lines ....
.... lines ....

The login.conf file needs to be edited ('staff' is on line 72) and the change is seen on logging out and back in.

Allow user mounting of external drives using doas

See OpenBSD FAQ - Disk setup, man doas, man doas.conf, and man ntfs-3g after installing the package.

One of the biggest differences in everyday desktop use between Linux and OpenBSD is the approach to mounting external storage. Automount of storage sticks does not just happen in OpenBSD. Remember from installation that SCSI-like (i.e. SATA) hard drives are numbered sd0, sd1 and not sda, sdb as in Linux.

OpenBSD uses doas to allow a user to run commands as root, replacing sudo. The /etc/doas.conf file has a simple and logical syntax for giving the user the right to mount an external drive. Mounting NTFS drives for read and write is best managed through an external package called ntfs-3g, installed with pkg_add ntfs_3g (no possibility of confusion there at all). Mounting FAT formatted USB sticks is performed using the mount command which is part of base. Unmounting any device is achieved using umount.

The following commands (as root) will add the needed lines to doas.conf...

illy# echo "permit nopass keith as root cmd mount" >> /etc/doas.conf
illy# echo "permit nopass keith as root cmd umount" >> /etc/doas.conf
illy# echo "permit nopass keith as root cmd ntfs-3g" >> /etc/doas.conf

Mounting a USB stick to ~/usb as user looks like this...

illy$ mkdir ~/usb
illy$ dmesg | grep sd1
sd1 at scsibus4 targ 1 lun 0: <, USB DISK 2.0, PMAP> removable serial. numbers
illy$ doas mount /dev/sd1i ~/usb
illy$ ls ~/usb

With this VFAT formatted USB stick plugged in, I can mount my NTFS formatted backup drive to ~/backup like this...

illy$ mkdir ~/backup
illy$ dmesg | grep sd2 
sd2 at scsibus5 targ 1 lun 0: <WD, Elements 10B8, 1012> serial. numbers
illy$ ls ~/backup
illy$ doas ntfs-3g /dev/sd2i ~/backup
illy$ ls ~/backup
Music                      System Volume Information
Pix                        X220

Below are the commands for unmounting both drives...

illy$ doas umount ~/usb
illy$ doas umount ~/backup
illy$ ls usb
illy$ ls backup

For some reason, ntfs-3g gives an error message if you try to unmount from /dev/sd2i, so I just unmount from the target directories on my home drive for both commands.

Notice how the man ntfs-3g page uses Linux disk numbering. One example of the difference between OpenBSD base documentation and that for third-party packages.

Use xfce4-mount to automount a USB stick

The xfce4-mount plugin allows the mounting and unmounting of USB sticks from the xfce panel.

Add an icon for the plugin to the XFCE4 panel by right-clicking on the panel and selecting Panel | Add New Items and searching for mount.

By default, xfce4-mount-plugin lists all devices, including the local hard drive and all the partitions on sd0. I can set options to prevent that and to use a custom mount command. Right-click on the xfce4-mount icon and select Properties | File Systems tab. Add the pattern /dev/sd0* to the Exclude specified file systems textbox so the local drive is not listed.

Right-click on the xfce4-mount icon, select Preferences | Commands and write the following in the Custom Commands textboxes, after ensuring that the Custom Commands checkbox is ticked...

doas mount %m
doas umount %m

Now to ensure that a USB stick is listed in the xfce4-mount-popup list, you have to add a line for the device to /etc/fstab...

illy# echo "/dev/sd1i /home/keith/usb msdos rw,noauto 0 0" >> /etc/fstab

Using an fstab entry like this means that only one vfat formatted USB thumb drive will be listed and available with mouse clicks.

I have not yet worked out a way of automounting a mix of VFAT and NTFS drives. Probably a script run instead of doas mount that will work out what drive it is and mount it to an appropriate mount point...
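
One way the script imagined above could look, as an added example that is not part of the original page: it reads the fstype column of disklabel output to choose between mount and ntfs-3g, refuses sd0, and prints the command it would run. The function names, MOUNT_BASE and the sample disklabel text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and MOUNT_BASE are
# assumptions; the sample disklabel output further down is constructed.
# Intended use, as root: sh thisscript sd1i

MOUNT_BASE=${MOUNT_BASE:-/home/keith}   # the page's ~/usb and ~/backup live here

# Print the fstype column for partition letter $1 from disklabel(8) text on stdin.
fstype_of() {
    awk -v p="$1:" '$1 == p { print $4; exit }'
}

# Print the mount command for device $1 (e.g. sd1i) holding filesystem type $2.
# Returns 1 for the system disk, odd device names and unknown filesystem types.
mount_cmd() {
    case "$1" in
        sd0*) return 1 ;;               # sd0 is the internal drive
        sd[1-9][a-p]) ;;                # one disk digit plus a partition letter
        *) return 1 ;;
    esac
    case "$2" in
        # nosuid,nodev: files on a removable stick should never act as
        # setuid programs or device nodes once mounted by root
        MSDOS) echo "mount -t msdos -o nosuid,nodev /dev/$1 $MOUNT_BASE/usb" ;;
        NTFS)  echo "ntfs-3g /dev/$1 $MOUNT_BASE/backup" ;;
        *)     return 1 ;;
    esac
}

# Constructed disklabel output for a VFAT stick and an NTFS drive.
SAMPLE_VFAT='# /dev/rsd1c:
type: SCSI
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:         15728640                0  unused
  i:         15726592             2048   MSDOS'

SAMPLE_NTFS='# /dev/rsd2c:
type: SCSI
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:       1953458176                0  unused
  i:       1953456128             2048    NTFS'

# With a device argument: inspect the real disk and print the chosen command.
if [ "$#" -eq 1 ]; then
    dev=$1
    disk=${dev%?}                       # sd1i -> sd1
    part=${dev#"$disk"}                 # sd1i -> i
    fstype=$(disklabel "$disk" 2>/dev/null | fstype_of "$part")
    if cmd=$(mount_cmd "$dev" "$fstype"); then
        echo "$cmd"
    else
        echo "refusing to mount $dev (fstype: ${fstype:-unknown})" >&2
        exit 1
    fi
fi
```
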

Alternative install with Gnome desktop

See the pkg-readme for gnome. The recipe shown here is simply the 'Cheat Sheet'!

Start with a fresh installation with xenodm disabled and a working Internet connection.

The Gnome Desktop is distributed as two main meta-packages in OpenBSD 6.7 so you need to install both of those for the full experience including the Gnome Web browser and Evolution email. Installing just the gnome package fetches a fully functional but bare desktop to which you can add your own applications.

illy# pkg_add gnome gnome-extras

The gnome pkg-readme suggests creating a gnome group and using that as an entry in /etc/login.conf to increase the RAM available. I've left the 1024 Mb allocation from the readme as I want to see how crashy this desktop is.

illy# cat <<'EOF' >>/etc/login.conf

illy# usermod -L gnome keith

Then enable the various daemons required (including apmd for power management) so that they run in the correct order, and reboot into the Gnome login screen...

illy# rcctl enable apmd
illy# rcctl set apmd flags -A
illy# rcctl enable multicast messagebus avahi_daemon gdm
illy# reboot

Once logged in, I tried the Gnome Web browser (Epiphany) - just hit the window keys and type 'Web', and a few of the other applications. I ended up adding Firefox, Libreoffice and some graphical programs...

illy# pkg_add firefox gimp inkscape libreoffice

And finally I added the same lines as in the Xfce section to /etc/doas.conf to enable user mounting of storage from the command line...

illy$ cat /etc/doas.conf
permit nopass keith as root cmd mount
permit nopass keith as root cmd umount
permit nopass keith as root cmd ntfs-3g

If I mount a usb stick from the command line, Nautilus the Gnome file manager will unmount the device by clicking on the unmount button in the left pane, but Gnome asks for confirmation. I can also unmount an NTFS hard drive in the same way. Not sure if I can prefix the command that nautilus is running with 'doas' in some way...

I also experimented with hotplugd and a script that can be installed from packages called hotplug-diskmount. When set up according to the suggestions in the pkg-readme, I could mount a USB stick automatically, but had to navigate to the mount-point manually in Nautilus. All of the hotplugd based suggestions for disk mounting I can find don't cover safe unmounting of the attached drives so I'm sticking with the command line at present.

The main outstanding issue so far is powering off from within Gnome. I have to type my user password into a graphical input box to confirm.

Gnome itself has not crashed at all (yet). Only LibreOffice dumped a core when I was changing the interface settings (once, not subsequently).

Challenge: Reinstall with hard drive encryption

My threat model for this laptop includes opportunistic theft and me leaving it on the bus. Using whole drive encryption on OpenBSD is covered in the OpenBSD FAQ - Disk Setup / RAID and disk Encryption / Full Disk Encryption.

The basic strategy is to

I have followed the commands in the FAQ to set up whole disk encryption. The challenge is to invite you to do the same...

Keith Burnett, June 2020