OpenBSD Stable ISO

The OpenBSD project distributes a binary base system and packages, built from sources at release time. Any security or stability fixes after release require the end user to rebuild from source. This may not be much of an issue with small deployments or fast systems, but occasionally you may need to build your own Stable ISO for repeated installation, or for quick installation onto low-end systems (netbooks?). The procedure is reasonably well documented, if slightly dispersed.

For this tutorial I’ll presume you have dedicated a specific multicore AMD64 machine to building this Stable ISO, targeting an AMD64 or i386 build. Adjust where required for your own purposes. I’d recommend against executing this procedure on production systems though.

Most steps in this tutorial will take between 5 and 10 minutes on vaguely recent hardware (Core 2 Duo), unless noted otherwise.

First do a basic install of OpenBSD (6.0 in our particular example). I’d highly recommend enabling NTP for time syncing and performing custom disk slicing, so you have plenty of space in /usr, because you will need it.

Step 1: Preparing sources

Log in as a regular user, and then su to root. The name of this regular user (and the FQDN) will show up in your newly built kernel’s dmesg.

Then fetch the OpenBSD source tarballs, verify them with signify, and unpack them.

cd /usr
ftp ftp://ftp.whatever.org/pub/OpenBSD/6.0/ports.tar.gz
ftp ftp://ftp.whatever.org/pub/OpenBSD/6.0/sys.tar.gz
ftp ftp://ftp.whatever.org/pub/OpenBSD/6.0/src.tar.gz
ftp ftp://ftp.whatever.org/pub/OpenBSD/6.0/xenocara.tar.gz
ftp ftp://ftp.whatever.org/pub/OpenBSD/6.0/SHA256.sig
signify -C -p /etc/signify/openbsd-60-base.pub -x SHA256.sig ports.tar.gz
signify -C -p /etc/signify/openbsd-60-base.pub -x SHA256.sig sys.tar.gz
signify -C -p /etc/signify/openbsd-60-base.pub -x SHA256.sig src.tar.gz
signify -C -p /etc/signify/openbsd-60-base.pub -x SHA256.sig xenocara.tar.gz
cd /usr/src
tar xzf ../sys.tar.gz
tar xzf ../src.tar.gz
cd /usr
tar xzf xenocara.tar.gz
tar xzf ports.tar.gz

These are the unpatched release sources, so we’ll need to update them from CVS.

cvs -qd anoncvs@anoncvs.whatever.org:/cvs get -rOPENBSD_6_0 -P src
cvs -qd anoncvs@anoncvs.whatever.org:/cvs get -rOPENBSD_6_0 -P xenocara
cvs -qd anoncvs@anoncvs.whatever.org:/cvs get -rOPENBSD_6_0 -P ports 

Remove the old release source tarballs, and generate new, updated source tarballs.

rm SHA256.sig
rm ports.tar.gz
rm xenocara.tar.gz
rm sys.tar.gz
rm src.tar.gz
tar czf ports.tar.gz ports
tar czf xenocara.tar.gz xenocara
cd /usr/src
mv sys ..
tar czf ../src.tar.gz .
cd /usr
tar czf sys.tar.gz sys
rm -Rf src sys xenocara ports
mkdir /usr/src
cd /usr/src
tar xzf ../src.tar.gz
tar xzf ../sys.tar.gz
cd /usr
tar xzf xenocara.tar.gz
tar xzf ports.tar.gz

Step 2: Building sources

First we’ll need to build and install an updated kernel:

cd /usr/src/sys/arch/i386/conf
config GENERIC.MP
cd /usr/src/sys/arch/i386/compile/GENERIC.MP
make clean && make
cd /usr/src/sys/arch/i386/compile/GENERIC.MP
make install
reboot

Make sure you’ve rebooted your system after having installed the new kernel, then log in as your regular user again and su to root.

Next we’ll build (~1 hour) and install an updated userland.

rm -rf /usr/obj/*
cd /usr/src
make obj
cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
cd /usr/src
make build
reboot

Again, make sure you’ve rebooted your system after having installed the new userland, then log in as your regular user again and su to root.

Next we’ll build (~1 hour) and install an updated Xenocara.

cd /usr/xenocara
rm -rf /usr/xobj/*
make bootstrap
make obj
make build
reboot

Step 3: Building a release

After having rebooted, log in as a regular user once again and su to root.

Then build a release like so.

export DESTDIR=/usr/dest
export RELEASEDIR=/usr/rel
mkdir -p ${DESTDIR} ${RELEASEDIR}
cd /usr/src/etc
make release
cd /usr/src/distrib/sets
sh checkflist

Then we do the same for Xenocara.

export DESTDIR=/usr/xdest
export RELEASEDIR=/usr/rel
mkdir -p ${DESTDIR} ${RELEASEDIR}
cd /usr/xenocara
make release

Step 4: Building Ports (optional)

Optionally you can build some ports, to include on your Stable ISO, for example…

cd /usr/ports/security/gnupg
env FLAVOR= make install
cd /usr/ports/shells/bash
make install
cd /usr/ports/editors/nano
make install
cd /usr/ports/www/links+ 
env FLAVOR=no_x11 make install
cd /usr/ports/net/wget
make install
cd /usr/ports/net/rsync
make install
cd /usr/ports/archivers/unzip
make install
cd /usr/ports/devel/gmake
make install
cd /usr/ports/lang/go
make install
cd /usr/ports/devel/git
make install

And so on…

You’ll note we’ve been using make install as opposed to make package: make package won’t pull in dependencies that don’t matter at build time, but whose absence will likely prevent the package from installing properly.

Step 5: Create an ISO image

Prepare and populate a CD root tree.

mkdir -p /usr/cd/etc
echo 'set image /6.0/i386/bsd.rd' > /usr/cd/etc/boot.conf
mkdir -p /usr/cd/6.0/i386
cd /usr/cd
cp /usr/rel/* /usr/cd/6.0/i386
cp /usr/*.tar.gz /usr/cd/6.0

The release set includes a miniature ISO that contains only the installation ramdisk. It doesn’t make much sense to include that on a full Stable ISO, so optionally we’ll remove it.

cd /usr/cd/6.0/i386
rm cd60.iso
rm -f SHA256; cksum -a sha256 * > SHA256

Then optionally add checksums for the source tarballs.

cd /usr/cd/6.0
rm -f SHA256; cksum -a sha256 *.tar.gz > SHA256

Optionally add the packages built from ports.

mkdir -p /usr/cd/6.0/packages/i386
cp /usr/ports/packages/i386/all/*.tgz /usr/cd/6.0/packages/i386

Then optionally add checksums for the packages built from ports.

cd /usr/cd/6.0/packages/i386
rm -f SHA256; cksum -a sha256 * > SHA256
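
Since these SHA256 files are the only integrity data the unsigned tree carries, it is worth auditing each directory against its manifest before mastering the image. The sh functions below are an added example, not part of the original tutorial; the names sha256_of and verify_manifest are made up for illustration, and the fallback to sha256sum is an assumption so the check also runs on a non-OpenBSD workstation.

```sh
#!/bin/sh
# Added example: audit a directory against its BSD-style SHA256 manifest,
# i.e. lines of the form "SHA256 (name) = hexdigest" as written by
# "cksum -a sha256" in the steps above.

# Print the SHA-256 hex digest of one file with whichever tool is present.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # OpenBSD base utility
    else
        sha256sum "$1" | cut -d' ' -f1      # GNU coreutils fallback (assumption)
    fi
}

# verify_manifest DIR: return 0 only if every listed file matches its digest
# and every regular file in DIR (except SHA256 itself) is listed.
verify_manifest() {
    dir=$1
    bad=0
    [ -f "$dir/SHA256" ] || { echo "no SHA256 file in $dir" >&2; return 2; }

    # Pass 1: each manifest entry must exist and hash to the recorded value.
    while IFS= read -r line; do
        name=$(printf '%s\n' "$line" |
            sed -n 's/^SHA256 (\(.*\)) = [0-9a-f]\{64\}$/\1/p')
        want=${line##* = }
        if [ -z "$name" ]; then
            echo "MALFORMED: $line" >&2; bad=1
        elif [ ! -f "$dir/$name" ]; then
            echo "MISSING: $name" >&2; bad=1
        elif [ "$(sha256_of "$dir/$name")" != "$want" ]; then
            echo "MISMATCH: $name" >&2; bad=1
        fi
    done < "$dir/SHA256"

    # Pass 2: a file that is on the CD but not in the manifest is unverifiable.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        [ "$base" = SHA256 ] && continue
        grep -Fq "SHA256 ($base) = " "$dir/SHA256" ||
            { echo "UNLISTED: $base" >&2; bad=1; }
    done
    return "$bad"
}
```

After sourcing the file, run verify_manifest /usr/cd/6.0/i386 (and likewise for /usr/cd/6.0 and the packages directory); any non-zero exit status means the tree should not be mastered as-is.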

And finally build the ISO image.

cd /usr/cd
mkhybrid -v -a -r -L -l -d -D -N \
         -sysid OPENBSD \
         -V OPENBSD \
         -volset OPENBSD \
         -p "PREPARER NAME" \
         -P "PUBLISHER NAME" \
         -b 6.0/i386/cdbr \
         -c 6.0/i386/boot.cat \
         -o ../unofficial-openbsd-stable-6.0.5-20160903-i386.iso .

Since OpenBSD 5.5, both the base system and packages are signed for proper releases. The above procedure produces an unsigned base system and packages, resulting in (expected) signature warnings during installation.

Step 6: Burn

Once you have your freshly mastered ISO, you can burn it to your favorite brand of CD-R:

cdio -f cd0c tao -s 8 unofficial-openbsd-stable-6.0.5-20160903-i386.iso

And don’t forget to buy the official release media if you use OpenBSD in any significant capacity, as the project can really use your support.