The final target for an OpenBSD install on the net4521 is a CompactFlash card. However during development it would be inefficient to continually update the image, plus CF has a limited number of writes per sector. A better solution is to boot over the network.

The network boot sequence is documented in diskless(8) which is a good starting point. However the process described there is geared towards booting Unix servers, booting on Intel machines is potentially a bit different:

  1. The network card loads a built in PXE loader
  2. The PXE loader gets an IP address and boot loader from DHCP
  3. The boot loader downloads the OpenBSD kernel via TFTP
  4. The kernel boots and mounts its root and swap on NFS

From that point the system boots as usual.

Firmware and the Boot Loader

i386 compatible PCs have a very primitive firmware, the BIOS, which usually doesn't support advanced features like network booting. However Intel developed a proprietary booting solution called PXE. Some network cards come with a PXE loader in ROM and those cards can boot an operating system from the network. Naturally, the Soekris also supports PXE and so will load the boot loader from the network

Since version 3.5 OpenBSD has come with a PXE boot loader called pxeboot. Prior to that you needed a third party boot loader like grub, an older version of this page describes how to use it.


In order to find an operating system's boot loader the PXE loader consults a DHCP server. The DHCP server must be configured to not only give out an IP address but also the boot loader. This is done simply by adding a "filename" option to dhcpd.conf:

      shared-network WIRED-NET {
      option domain-name-servers;

      subnet netmask {
        option routers;
        filename "pxeboot";

The PXE loader will retrieve the specified filename via TFTP and execute it.

The server that served up the DHCP response also needs to be running TFTP so that the "pxeboot" file can be download and later the kernel as well. It is possible to offload this task to another server with the dhcpd.conf next-server option but in this example one server will handle the entire boot process. The TFTP server should be chroot'd to a directory with the boot loader and the OpenBSD kernel:

      ls -al /home/tftp
      -rwxr-xr-x  1 root  wheel   939090 Jan  5 16:44 bsd.gz
      -rw-r--r--  1 root  wheel       71 Jan  4 20:08 menu.lst
      -rw-r--r--  1 root  wheel   127040 Jan  5 02:06 pxeboot
      drwxr-xr-x  1 root  wheel   127040 Jan  5 02:06 etc      

Now when the PXE loader executes it will download and launch pxeboot which will look for a file named 'etc/boot.conf' on the same TFTP server. This is a standard boot.conf configuration file:

      set tty com0
      boot bsd.gz

Booting OpenBSD

The GENERIC kernel does not support diskless booting, for that you need the DISKLESS configuration which will load the root and swap filesystems from NFS. The following extra kernel options are also useful:

      option      PCCOMCONSOLE
      option      CONSPEED=19200

When a *BSD diskless kernel is booted it consults:

  1. rarpd - for the system's IP address
  2. rpc.bootparamd - for the root and swap NFS share names
  3. mountd to connect to the NFS shares

OpenBSD is quite secure upon default install. The following steps will open the system up to many new attacks via TFTP, RPC, NFS, and likely others. It would be wise to make sure the server is inaccessible outside of the local network during this vulnerable phase.


      00:01:02:03:04:05      bootclient 

/etc/hosts:            server          bootclient


      bootclient  root=         \


      /export  -maproot=root -alldirs bootclient
      /usr     -ro                    bootclient

/export contains a swap file and a root filesystem

      ls -al /export

      drwxr-xr-x   8 root  wheel       512 Jan  5 14:00 root
      -rw-r--r--   1 root  wheel  16777216 Jan  5 16:45 swap

After completing the configuration it is time to load all of the daemons. Starting them from the command line makes sense since this is a temporary configuration for bootstrapping. Order matters because some daemons depend on services provide by others ala RPC.

      # rarpd <interface>
      # portmap
      # rpc.bootparamd
      # mountd
      # nfsd -t -u

Thats it!

At this point the target machine can be started. The PXE loader should load pxeboot and the OpenBSD kernel will be downloaded and executed. If the root filesystem is set up properly then a diskless OpenBSD system should soon be up and running.

Next: CompactFlash Installation

  1. Introduction
  2. OpenBSD Configuration
  3. Diskless Booting
  4. CompactFlash Installation
  5. Mac OS X IPSec
  6. Errata

email address