OpenBSD 6.5 with FDE on Online/Scaleway start-2-L/SuperMicro X11SSE-F
Online by Scaleway provides dedicated servers in France. The start-2-L reference is a “small” server that ships with KVM over IP. It is based on the SuperMicro X11SSE-F. So far, the hardware seems to be supported pretty well and it is possible to run OpenBSD with Full Disk Encryption.
The official documentation explains how to install using their official ISO files. There are even some install6x.iso files in the bsd directory. But install65.iso is not available (at the time of writing). Fortunately, using the provided Java console, one can boot using any local ISO they like.
Activate KVM over IP
From the Online console, browse to the server list and locate the one you’ll install OpenBSD on. I think the server has to be installed first using one of the predefined templates. I used Debian and FreeBSD, just to see how it works. The installation can take more than 1 hour before the KVM over IP option is available.
Activation is done by clicking the [ KVM OVER IP ] button. Accept the disclaimer and set the Authorized IP address. Only this address will be allowed to connect to the KVM. When set, you’ll be provided with a URL and credentials to access the SuperMicro management server Web page.
From the “Remote Control” menu, select “Console Redirection”. Click the [ Launch Console ] button to … yes, launch the console. This is a Java Network Launching Protocol (JNLP) thing. One can use an HTML5 console but attaching a local ISO file only works using Console Redirection.
In the Java application, from the “Virtual Media” menu, select “Virtual Storage”. In “Device 1”, set “Logical Drive Type” to ISO and select your “install65.iso”. Click the [ Plug In ] and [ OK ] buttons.
Start the server and wait for the SuperMicro prompt screen. Hit “F11” to “invoke Boot Menu”. Select “ATEN Virtual CDROM YS0J” to boot from the virtual CD and proceed to the OpenBSD installation.
Installation happens as usual. Note that when you have a French keyboard, it is easier to set the layout to ENG/UK, as you will need special characters and numbers.
To enable FDE, one has to use the “(S)hell” option and follow the OpenBSD documentation. I encrypted sd0 and used the MBR configuration; GPT didn’t boot at all.
    # cd /dev ; sh MAKEDEV sd1 sd2
    # dd if=/dev/urandom of=/dev/rsd0c bs=1m
    # fdisk -iy sd0
    # disklabel -E sd0
    Label editor (enter '?' for help at any prompt)
    sd0> a a
    offset:
    size: *
    FS type: [4.2BSD] RAID
    sd0> w
    sd0> q
    No label changes.
    # bioctl -c C -l sd0a softraid0
    # exit
Installation will be done on sd2. DHCP can be used as an initial configuration. I personally used an unattended file to automatically install OpenBSD.
    # cat install-online.conf
    System hostname = arcadia
    Start sshd(8) by default = yes
    Do you expect to run the X Window System = no
    Change the default console to com0 = no
    Password for root = <encrypted secret>
    Public ssh key for root account = <public SSH key>
    Setup a user = no
    Allow root ssh login = prohibit-password
    What timezone are you in = Europe/Paris
    Which disk is the root disk = sd2
    Use (W)hole disk MBR, whole disk (G)PT or (E)dit = whole
    Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout = c
    URL to autopartitioning template for disklabel = disklabel-online.conf
    Location of sets = http
    HTTP proxy URL = none
    HTTP Server = cdn.openbsd.org
    Server directory = pub/OpenBSD/6.5/amd64
    Set name(s) = all
    Set name(s) = done
    Location of sets = done

    # cat disklabel-online.conf
    / 20G
    swap 8G
    /var/log 5G
    /home 1G-*
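A pre-flight check for the response file above, as an added example that is not part of the original post or of OpenBSD. It verifies that the root password is a bcrypt string (autoinstall(8) also accepts plaintext), that root cannot log in over SSH with a password, that a root public key is present, and that the root disk is not the raw disk carrying the encrypted RAID partition. The function names and the sample hash and key are assumptions constructed for the example.

```shell
#!/bin/sh
# answer FILE KEY: print the answer of the first "question = answer" line
# whose question contains KEY.
answer() {
    awk -v k="$2" '{ i = index($0, " = ") }
        i && index(substr($0, 1, i - 1), k) { print substr($0, i + 3); exit }' "$1"
}

# lint_conf FILE RAWDISK: print one finding per line, return 1 if there is any.
# RAWDISK is the disk holding the softraid RAID partition (sd0 on this page).
lint_conf() {
    rc=0
    case $(answer "$1" 'Password for root') in
        '$2'[ab]'$'[0-9][0-9]'$'?*) ;;  # bcrypt string as produced by encrypt(1)
        '*************') ;;             # 13 asterisks: password logins disabled
        *) echo 'root password is empty or plaintext'; rc=1 ;;
    esac
    case $(answer "$1" 'Allow root ssh login') in
        no|prohibit-password) ;;
        *) echo 'root can log in over ssh with a password'; rc=1 ;;
    esac
    case $(answer "$1" 'Public ssh key for root') in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo 'no ssh public key for root'; rc=1 ;;
    esac
    if [ "$(answer "$1" 'root disk')" = "$2" ]; then
        echo "root disk is $2: install would overwrite the encrypted partition"
        rc=1
    fi
    return $rc
}

# Constructed sample: the page's answers with a placeholder hash and key.
sample_conf() {
    cat <<'EOF'
Password for root = $2b$10$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.HASH
Public ssh key for root account = ssh-ed25519 AAAA...constructed root@example
Setup a user = no
Allow root ssh login = prohibit-password
Which disk is the root disk = sd2
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
lint_conf "$tmp" sd0 && echo 'response file passes the checks'
rm -f "$tmp"
```

Run it on the workstation that serves the response file, with the real file and raw disk name as arguments to `lint_conf`.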
When the installation is finished, reboot the server. OpenBSD should start properly.
By default, the KVM access is removed after a few hours. But since we know everything works, we can remove it now.
In the Java application, from the “Virtual Media” menu, select “Virtual Storage”. In “Device 1”, click [ Plug Out ] and [ OK ]. Close the Java app.
From the console Web GUI, click [ DELETE SUPERMICRO ACCESS ].
Now enjoy OpenBSD from SSH. In case of a reboot or a loss of network access, the KVM over IP can be activated again.