How to install NetBSD on Compact Flash (for the Soekris 4501)

This was tested on NetBSD 3.99.16, but the instructions should apply to older versions as well. I have tried to flag steps where you may run into version incompatibilities with a "Version Note".

A number of devices will let you read a CF card on a NetBSD machine; the one I chose was the mediaGear Keychain Compact Flash Reader, which attaches as a umass(4) USB mass-storage device and shows up as sd0.

A snippet of your dmesg output should appear as follows:

  [...]
  umass0 at uhub1 port 1 configuration 1 interface 0
  umass0: mediaGear Compact Flash Keychain, rev 1.10/1.00, addr 2
  umass0: using SCSI over Bulk-Only
  scsibus0 at umass0: 2 targets, 1 lun per target
  sd0 at scsibus0 target 0 lun 0: <MG, CF-Key, 1.00> disk removable
  sd0: fabricating a geometry
  sd0: 244 MB, 244 cyl, 64 head, 32 sec, 512 bytes/sect x 500400 sectors
  [...]

 
Run the following commands. The image is sized to exactly the sector count dmesg reported for the card (500400 here; use the figure from your own card, since the image is later copied over the whole device). The disklabel step opens an editor: add an "a" partition of type 4.2BSD covering the disk. The distribution sets are assumed to have been downloaded to /root/i386/binary/sets.

  # cd /root
  # mkdir cfimage
  # dd if=/dev/zero of=netbsd.img bs=512 count=500400
  # vnconfig vnd0 netbsd.img
  # fdisk -ua0 vnd0
  # disklabel -e -I vnd0
  # newfs /dev/vnd0a
  # mount /dev/vnd0a /root/cfimage
  # cd /root/cfimage && mtree -Udef /etc/mtree/NetBSD.dist
  # tar xzpf /root/i386/binary/sets/base.tgz
  # tar xzpf /root/i386/binary/sets/kern-GENERIC.tgz

  # cp /root/i386/binary/sets/etc.tgz /root/cfimage/root

  # chroot /root/cfimage /bin/sh

 
You are now in the chroot environment; continue with the commands below.
Version Note: Older versions of etcupdate do not accept a .tgz file as an argument; you will need to extract its contents first and point etcupdate at the resulting directory.

  # etcupdate -s /root/etc.tgz
  # rm /root/etc.tgz
  # touch /etc/mail/local-host-names

 
Add a non-root user and a group for that user.

  # groupadd jdoe
  # useradd -g jdoe -G wheel -k /etc/skel -s /bin/csh -m jdoe

 
Note: jdoe is placed in the wheel group so that the user can su to root. Neither account has a usable password at this point: useradd without -p creates the account locked, and root has no password in a freshly extracted etc set. Set both with passwd(1) before you leave the chroot, otherwise the Soekris will boot with a passwordless root on its serial console.

Other files you will likely need to modify are listed below (sip0 is the net4501's on-board Ethernet; /etc/ttys is where the serial console login is enabled):

  /etc/fstab
  /etc/ifconfig.sip0
  /etc/localtime
  /etc/mygate
  /etc/mygate6
  /etc/myname
  /etc/rc.conf
  /etc/resolv.conf
  /etc/ttys

 
To exit your chroot environment simply

  # exit

 
Now you will need to make the CF bootable. We begin by copying the secondary bootstrap (/boot) into the root of the image, then install the primary bootstrap on the unmounted vnode disk.
Note: You can't install the primary bootstrap on a mounted device, so do not forget the umount step.
Note #2: The baud rate you pass to installboot should match what you have configured in the Soekris BIOS.
Note #3: If you chose a different filesystem for the partition that holds the secondary bootstrap, /usr/mdec/bootxx_ffsv1 should be changed to match. newfs creates FFSv1 by default, which is what bootxx_ffsv1 expects.

  # cp /usr/mdec/boot /root/cfimage/
  # cd ~ && umount /root/cfimage
  # installboot -v -o console=com0,speed=19200 /dev/rvnd0a /usr/mdec/bootxx_ffsv1

 
We end by unconfiguring the vnode disk and writing the image to the CF card. Check dmesg once more that sd0 really is the card before running dd: sd0d is the whole-disk partition on i386, and dd will overwrite whatever disk it refers to without asking.

  # vnconfig -u vnd0
  # dd if=netbsd.img of=/dev/sd0d bs=1m
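The whole procedure above, as an added example script that is not part of the original post. It assumes the distribution sets are in /root/i386/binary/sets, that the card appears as sd0 (as in the dmesg above) and that vnd0 is free; all of these can be overridden through environment variables. "prepare" builds, labels and populates the image and then stops so the chroot work (etcupdate, users, passwords, /etc files) can be done by hand; "finish" installs the bootstraps and writes the card, but only after confirming that the card has exactly the sector count the image was built for, which is the guard against writing the image over the wrong disk.

```sh
#!/bin/sh
# mkcfimage.sh: the CF image procedure as a script with a few guards.
# Added example, not from the original post.  Assumes the sets are in
# $SETS, the card is $CARD (default sd0) and $VND (default vnd0) is free.
# Run as root on a NetBSD host: "prepare" first, chroot by hand, "finish".
set -eu

IMG=${IMG:-/root/netbsd.img}
MNT=${MNT:-/root/cfimage}
SETS=${SETS:-/root/i386/binary/sets}
CARD=${CARD:-sd0}
VND=${VND:-vnd0}
SPEED=${SPEED:-19200}      # must match the console speed set in the Soekris BIOS

# Extract the sector count for $CARD from dmesg text passed in $1, e.g.
#   sd0: 244 MB, 244 cyl, 64 head, 32 sec, 512 bytes/sect x 500400 sectors
# Prints nothing if the card is not in the text.
sectors_from_dmesg() {
    printf '%s\n' "$1" |
        sed -n "s/^$CARD: .* x \([0-9][0-9]*\) sectors.*/\1/p" | head -n 1
}

# Succeed only when the image ($1 sectors) was built for exactly the card
# size ($2 sectors); an empty or different card size is refused.
size_matches() {
    [ -n "${2:-}" ] && [ "$1" -eq "$2" ]
}

prepare() {
    sectors=$(sectors_from_dmesg "$(dmesg)")
    [ -n "$sectors" ] || { echo "$CARD not found in dmesg" >&2; exit 1; }
    printf '%s\n' "$sectors" > "$IMG.sectors"   # remembered for finish()
    mkdir -p "$MNT"
    dd if=/dev/zero of="$IMG" bs=512 count="$sectors"
    vnconfig "$VND" "$IMG"
    fdisk -ua0 "$VND"
    disklabel -e -I "$VND"      # interactive: add an "a" partition of type 4.2BSD
    newfs "/dev/${VND}a"
    mount "/dev/${VND}a" "$MNT"
    (cd "$MNT" && mtree -Udef /etc/mtree/NetBSD.dist)
    for s in base.tgz kern-GENERIC.tgz; do
        (cd "$MNT" && tar xzpf "$SETS/$s")
    done
    cp "$SETS/etc.tgz" "$MNT/root/"
    echo "image mounted on $MNT; now: chroot $MNT /bin/sh, then run: $0 finish"
}

finish() {
    sectors=$(cat "$IMG.sectors")
    card=$(sectors_from_dmesg "$(dmesg)")
    size_matches "$sectors" "$card" ||
        { echo "$CARD has ${card:-no} sectors, image has $sectors; refusing to write" >&2; exit 1; }
    cp /usr/mdec/boot "$MNT/boot"          # secondary bootstrap
    umount "$MNT"                          # primary cannot go on a mounted fs
    installboot -v -o "console=com0,speed=$SPEED" "/dev/r${VND}a" /usr/mdec/bootxx_ffsv1
    vnconfig -u "$VND"
    dd if="$IMG" of="/dev/${CARD}d" bs=1m  # d = whole disk on i386
}

case "${1:-}" in
    prepare) prepare ;;
    finish)  finish ;;
esac
```

The sector check is deliberately strict: a card that is merely larger than the image would also take it, but a mismatch is the cheapest signal that sd0 is no longer the device you built for.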

 

Configuring IPSec with x509 certificates on OpenBSD

This document explains how to configure OpenBSD's IPsec to authenticate peers via a Certificate Authority and X.509 certificates. It was demonstrated with OpenBSD 4.1 and depends upon ipsecctl, which first appeared in OpenBSD 3.8.

First you will need to place your CA certificate in /etc/isakmpd/ca. isakmpd trusts every certificate in this directory as an issuer, so keep it to the CA that actually signs your peers' certificates.

  # ls -al /etc/isakmpd/ca
  total 16
  drwxr-xr-x  2 root  wheel   512 Jun  1 13:25 .
  drwxr-xr-x  8 root  wheel   512 Jun  1 13:18 ..
  -r--r--r--  1 root  wheel  3460 Jun  1 12:27 cacert.pem

 
Next, place your host's certificate in /etc/isakmpd/certs. The matching private key goes in /etc/isakmpd/private/local.key (see isakmpd(8)) and should be readable by root only.

  # ls -al /etc/isakmpd/certs
  total 16
  drwxr-xr-x  2 root  wheel   512 Jun  1 13:59 .
  drwxr-xr-x  8 root  wheel   512 Jun  1 13:18 ..
  -r--r--r--  1 root  wheel  3008 Jun  1 13:59 192.168.25.25.pem

 
The certificate must carry a subjectAltName extension that matches the identity the host presents in IKE, here its IP address, as described in the isakmpd man page. The x509v3.cnf shipped in /etc/ssl takes the address from the CERTIP environment variable (setenv is csh syntax; in sh use export CERTIP=192.168.25.25):

  # setenv CERTIP 192.168.25.25
  # openssl x509 -req -days 365 -in 192.168.25.25.csr \
          -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
          -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
          -extensions x509v3_IPAddr -out 192.168.25.25.pem

 
When you view the resulting certificate, you should see similar results in the X509v3 extensions.

[...]
  X509v3 extensions:
      X509v3 Subject Alternative Name:
          IP Address:192.168.25.25
[...]

 
Here is an example ipsec.conf used with the above configuration to connect with a peer running ipsec-tools/racoon. No srcid or dstid is given, so the IP addresses are used as the IKE identities, which is why the certificate's subjectAltName is the address. 3DES and HMAC-SHA1 are used here to match the racoon peer; where you control both ends, prefer AES with an HMAC-SHA2 integrity algorithm and a larger Diffie-Hellman group.

  ike esp from 192.168.25.25 to 192.168.25.211 \
     main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des

 
You should ensure that isakmpd is running with the -K flag, which disables keynote(4) policy checking; without it isakmpd also requires /etc/isakmpd/isakmpd.policy and refuses any SA the policy does not permit.
Add the following to /etc/rc.conf.local:

  isakmpd_flags="-K"
  ipsec=YES

 
In older versions of OpenBSD the rc.conf variable ipsec does not exist, so the following needs to be added to /etc/rc.local instead:

  ipsecctl -f /etc/ipsec.conf
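As an added example (not from the original post), the following script builds a throw-away CA and a host certificate carrying the IP-address subjectAltName shown above, then performs the two checks isakmpd will perform on a peer: that the certificate chains to a CA in /etc/isakmpd/ca, and that its subjectAltName carries the expected address. It assumes only the openssl(1) command. OpenBSD's /etc/ssl/x509v3.cnf is not assumed to exist; an equivalent x509v3_IPAddr section is written by the script, and the CA name and file layout under the output directories are the script's own choices. On the real host the outputs correspond to /etc/isakmpd/ca/cacert.pem, /etc/isakmpd/certs/192.168.25.25.pem and /etc/isakmpd/private/local.key.

```sh
#!/bin/sh
# Added example, not from the original post: CA + host certificate with an
# IP subjectAltName, plus the checks isakmpd applies to a peer certificate.
# Assumes openssl(1) only; paths and CA name are this script's choices.
set -eu

# make_test_ca DIR: self-signed CA in DIR/cacert.pem with key DIR/ca.key.
make_test_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Test IPsec CA" \
        -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# sign_host_cert CADIR IP OUTDIR: key (local.key), CSR and CA-signed
# certificate (IP.pem) for host IP, with subjectAltName = IP:<ip>, the same
# extension the page adds with -extensions x509v3_IPAddr.
sign_host_cert() {
    cadir=$1 ip=$2 out=$3
    mkdir -p "$out"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$ip" \
        -keyout "$out/local.key" -out "$out/$ip.csr" 2>/dev/null
    chmod 600 "$out/local.key"
    # Stand-in for the x509v3_IPAddr section of OpenBSD's /etc/ssl/x509v3.cnf
    printf '[ x509v3_IPAddr ]\nsubjectAltName = IP:%s\n' "$ip" > "$out/x509v3.cnf"
    openssl x509 -req -days 365 -in "$out/$ip.csr" \
        -CA "$cadir/cacert.pem" -CAkey "$cadir/ca.key" -CAcreateserial \
        -extfile "$out/x509v3.cnf" -extensions x509v3_IPAddr \
        -out "$out/$ip.pem" 2>/dev/null
}

# cert_san_ip CERT: print the IP address in the certificate's subjectAltName
# (what isakmpd compares with the peer's IKE identity).
cert_san_ip() {
    openssl x509 -noout -text -in "$1" |
        sed -n 's/.*IP Address:\([0-9.][0-9.]*\).*/\1/p' | head -n 1
}

# verify_against_ca CACERT CERT: succeed only if CERT chains to CACERT, the
# check isakmpd does with the certificates in /etc/isakmpd/ca.  The output
# is inspected rather than the exit status because old openssl releases
# returned 0 on a failed verify.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}
```

A certificate issued by a second, unrelated CA fails verify_against_ca even though it is otherwise well formed, which is exactly the failure you want from isakmpd when an unexpected CA turns up in the peer's chain.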

 

 

NetBSD PXE boot install (without NFS)

This was tested on NetBSD 3.99.16, but the instructions should apply to other versions as well. I have tried to flag steps where you may run into version incompatibilities with a "Version Note".

To PXE-boot install NetBSD we will first need to configure a tftp server. Ensure that the tftp line is uncommented in inetd.conf and that inetd is enabled to run. The -s /tftpboot argument makes tftpd chroot to that directory, so it can serve nothing outside it and every filename a client requests is resolved relative to it.

/etc/inetd.conf

  tftp dgram udp wait root /usr/libexec/tftpd tftpd -l  -s /tftpboot

 
/etc/rc.conf

  inetd=YES

 
Then we will need to create the /tftpboot directory and populate it. You will need the pxeboot_ia32.bin file (included in base.tgz) and the netbsd-INSTALL kernel, which is distributed compressed as netbsd-INSTALL.gz.

Note: The installboot command is only necessary if you are booting via a serial console (i.e. a Soekris box), as is the case in this paper.
Version Note: If you need serial console support, older versions of installboot may not be able to edit pxeboot_ia32.bin; in that case extract or build pxeboot_ia32_com0.bin instead.

  # cd /root
  # mkdir -p /tftpboot
  # gunzip netbsd-INSTALL.gz
  # cp netbsd-INSTALL /tftpboot
  # tar -zxf base.tgz ./usr/mdec/pxeboot_ia32.bin
  # cd usr/mdec
  # installboot -e -o console=com0,speed=19200 pxeboot_ia32.bin
  # cp pxeboot_ia32.bin /tftpboot

 
Next you will need to configure dhcpd and ensure it is enabled to run. You must configure dhcpd to serve pxeboot_ia32.bin.
Note: The next-server option is critical; it must be the IP address of the tftp server.
Note 2: tftpd resolves the filename relative to the directory it was started with (-s /tftpboot above), so "/pxeboot_ia32.bin" is /tftpboot/pxeboot_ia32.bin on the server. The root-path option is only consulted for an NFS root and is not used by this install; it is harmless and is left in the configuration below.
Version Note: ddns-update-style ad-hoc was accepted by the ISC dhcpd of the time; current releases reject it, so use ddns-update-style none there.

/etc/dhcpd.conf

  default-lease-time 3600;
  max-lease-time 7200;
  option subnet-mask 255.255.255.0;
  option domain-name "domain.local";
  ddns-update-style ad-hoc;
  option domain-name-servers 10.0.10.100;
  subnet 10.0.10.0 netmask 255.255.255.0 {
                  option routers 10.0.10.1;
                  range 10.0.10.150 10.0.10.200;
                  next-server 10.0.10.5;
                  option root-path "/tftpboot";
                  filename "/pxeboot_ia32.bin";
  }

 
/etc/rc.conf

  dhcpd=YES

 
Make sure dhcpd and inetd are running, and then boot the host you wish to install.

  # /etc/rc.d/inetd restart
  # /etc/rc.d/dhcpd restart
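Before rebooting the target it is worth checking the server side once, since a PXE boot that stalls at "TFTP" gives little to go on. The following preflight script is an added example, not part of the original post; it takes the paths of the two configuration files as arguments (so it can be run against copies) and checks the three things that most often break the setup above: a tftp line that is commented out or started without -s, a missing next-server, and a filename that tftpd cannot find under its -s directory. The function names and the exact messages are the script's own.

```sh
#!/bin/sh
# pxecheck.sh DHCPD_CONF INETD_CONF: preflight for the tftpd + dhcpd setup.
# Added example, not from the original post.
set -eu

# tftp_root INETD_CONF: print the directory tftpd is started with (-s DIR)
# from the active tftp line.  Prints nothing if the line is commented out
# or has no -s, in which case tftpd is not chrooted and serves from /.
tftp_root() {
    sed -n 's/^tftp[[:space:]].*tftpd.*-s[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# dhcp_value DHCPD_CONF KEY: value of "KEY value;" (next-server, filename),
# surrounding quotes stripped; the first occurrence wins.
dhcp_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\{0,1\}\([^\";]*\)\"\{0,1\}[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# check_pxe DHCPD_CONF INETD_CONF: 0 if the boot file is reachable the way
# a PXE client will ask for it, else 1 with the reason on stderr.
check_pxe() {
    root=$(tftp_root "$2")
    [ -n "$root" ] || { echo "tftp line missing or without -s in $2" >&2; return 1; }
    ns=$(dhcp_value "$1" next-server)
    [ -n "$ns" ] || { echo "next-server not set in $1" >&2; return 1; }
    file=$(dhcp_value "$1" filename)
    [ -n "$file" ] || { echo "filename not set in $1" >&2; return 1; }
    # tftpd resolves the filename under its -s directory, not under option
    # root-path, so this is the path the client will actually fetch.
    path="$root/${file#/}"
    [ -f "$path" ] || { echo "$path does not exist" >&2; return 1; }
    echo "ok: $ns will serve $path"
}

case $# in
    2) check_pxe "$1" "$2" ;;
esac
```

Run it as `pxecheck.sh /etc/dhcpd.conf /etc/inetd.conf` after copying pxeboot_ia32.bin into place; the missing-file case is the one to expect when the kernel was copied but the bootstrap was not.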

 
If you are installing onto a Soekris box, you must tell its BIOS to PXE boot:

  > boot F0

 
You will see the PXE boot sequence, which launches the NetBSD bootloader. Interrupt the bootloader (hit the spacebar several times) and, once you are at its prompt, enter the following:

  > boot tftp:netbsd-INSTALL

 
From this point on you are in the familiar NetBSD installation process.