The final target for an OpenBSD install on the net4521 is a CompactFlash card. However, during development it would be inefficient to continually update the image, and CF has a limited number of writes per sector. A better solution is to boot over the network.

The network boot sequence is documented in diskless(8), which is a good starting point. However, the process described there is geared towards booting Unix servers; booting on Intel machines is potentially a bit different:

  1. The network card loads a built in PXE loader
  2. The PXE loader gets an IP address and boot loader from DHCP
  3. The boot loader downloads the OpenBSD kernel via TFTP
  4. The kernel boots and mounts its root and swap on NFS

From that point the system boots as usual.

Firmware and the Boot Loader

While i386-compatible PCs still use what is basically the same primitive BIOS that was introduced at the dawn of the PC age, Unix servers have powerful firmware that includes support for network booting. So while the OpenBSD ports to Sparc, Motorola, and HP machines include a network boot loader, the Intel world is much less fortunate. Incidentally, Apple's Macintosh has OpenFirmware with network booting support, just like a Sun. I don't believe OpenBSD supports this as of 3.2 though.

Intel has come to the rescue with a proprietary booting solution called PXE. Some network cards come with a PXE loader in ROM, and those cards can boot an operating system from the network. Naturally, the Soekris also supports PXE and so will load the boot loader from the network.

Unfortunately, OpenBSD seems to be the one free Unix without a network boot loader on i386 platforms. The GNU project comes to the rescue with Grub, the GRand Unified Bootloader. Grub can't boot OpenBSD without some patches, which are available along with binaries at http://www.berger.to/openbsd/pxegrub.html

Booting Grub

In order to find Grub's "pxegrub" the PXE loader consults a DHCP server. The DHCP server must be configured to not only give out an IP address but also the boot loader. This is done simply by adding a "filename" option to dhcpd.conf:

      shared-network WIRED-NET {
        option domain-name-servers 192.168.1.1;

        subnet 192.168.1.0 netmask 255.255.255.0 {
          option routers 192.168.1.1;

          option option-150 "(nd)/menu.lst";
          filename "pxegrub";

          range 192.168.1.100 192.168.1.254;
        }
      }
    

The PXE loader will retrieve the specified filename via TFTP and execute it. Note that the "option-150" option is a way of telling Grub to load a menu of operating system choices. This probably doesn't work with the patched Grub.

The server that served up the DHCP response also needs to be running TFTP so that the "pxegrub" file, and later the kernel, can be downloaded. It is possible to offload this task to another server with the dhcpd.conf next-server option, but in this example one server will handle the entire boot process. The TFTP server should be chroot'd to a directory with the boot loader and the OpenBSD kernel:

      ls -al /home/tftp
      
      -rwxr-xr-x  1 root  wheel   939090 Jan  5 16:44 bsd.gz
      -rw-r--r--  1 root  wheel       71 Jan  4 20:08 menu.lst
      -rw-r--r--  1 root  wheel   127040 Jan  5 02:06 pxegrub
    

Now when the PXE loader executes it will download and launch Grub. When Grub is loaded it will display some messages indicating if the network card is detected and then present a "grub> " prompt. At this point it is time to tell Grub to use DHCP/TFTP for booting and then to load the OpenBSD kernel!

      grub> dhcp

      [ grub outputs network configuration ]

      grub> kernel (nd)/bsd.gz

      [ grub outputs kernel information ]

      grub> boot

      [ openbsd kernel messages are displayed ]
    

Booting OpenBSD

The GENERIC kernel does not support diskless booting. For that you need the DISKLESS configuration, which will load the root and swap filesystems from NFS. The following extra kernel options are also useful:

      option      PCCOMCONSOLE
      option      CONSPEED=19200
    

When a *BSD diskless kernel is booted it consults:

  1. rarpd - for the system's IP address
  2. rpc.bootparamd - for the root and swap NFS share names
  3. mountd - to connect to the NFS shares

OpenBSD is quite secure upon default install. The following steps will open the system up to many new attacks via TFTP, RPC, NFS, and likely others. It would be wise to make sure the server is inaccessible outside of the local network during this vulnerable phase.

/etc/ethers:

      00:01:02:03:04:05      bootclient 
    

/etc/hosts:

      192.168.1.1            server
      192.168.1.100          bootclient
    

/etc/bootparams:

      bootclient  root=192.168.1.1:/export/root         \
      swap=192.168.1.1:/export/swap
    

/etc/exports:

      /export  -maproot=root -alldirs bootclient
      /usr     -ro                    bootclient
    

/export contains a swap file and a root filesystem:

      ls -al /export

      drwxr-xr-x   8 root  wheel       512 Jan  5 14:00 root
      -rw-r--r--   1 root  wheel  16777216 Jan  5 16:45 swap
    

After completing the configuration it is time to load all of the daemons. Starting them from the command line makes sense since this is a temporary configuration for bootstrapping. Order matters because some daemons depend on services provided by others, à la RPC.

      # rarpd <interface>
      # portmap
      # rpc.bootparamd
      # mountd
      # nfsd -t -u
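
Before starting these daemons, the four files above can be cross-checked so that rarpd, rpc.bootparamd and mountd agree with each other and no NFS export is left open to every host. The following is an added example, not part of the original page; the file contents are constructed from the values shown above and the function names are hypothetical.

```python
# Added example: cross-check ethers, hosts, bootparams and exports.
# File contents below are constructed from the values shown on this page.
ETHERS = "00:01:02:03:04:05      bootclient\n"
HOSTS = "192.168.1.1            server\n192.168.1.100          bootclient\n"
BOOTPARAMS = ("bootclient  root=192.168.1.1:/export/root         \\\n"
              "swap=192.168.1.1:/export/swap\n")
EXPORTS = ("/export  -maproot=root -alldirs bootclient\n"
           "/usr     -ro                    bootclient\n")

def rows(text):
    """Join backslash continuations, drop comments and blanks, split fields."""
    joined = text.replace("\\\n", " ")
    stripped = (line.split("#")[0] for line in joined.splitlines())
    return [s.split() for s in stripped if s.strip()]

def parse_exports(text):
    """Return (directory, flags, hosts) for every exports line."""
    return [(f[0], {x for x in f[1:] if x.startswith("-")},
             {x for x in f[1:] if not x.startswith("-")}) for f in rows(text)]

def covered(path, client, exports):
    """True if client is allowed to mount path; subdirectories need -alldirs."""
    for d, flags, hosts in exports:
        below = path.startswith(d.rstrip("/") + "/") and "-alldirs" in flags
        if (path == d or below) and client in hosts:
            return True
    return False

def audit(ethers, hosts, bootparams, exports_text):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    macs = {f[1] for f in rows(ethers) if len(f) > 1}
    names = {n for f in rows(hosts) for n in f[1:]}
    exports = parse_exports(exports_text)
    for d, flags, allowed in exports:
        # -network=... also restricts an export, so it is not flagged here
        if not allowed and not any(x.startswith("-network") for x in flags):
            problems.append(f"{d}: no host list, exported to every NFS client")
    for f in rows(bootparams):
        client = f[0]
        if client not in macs:
            problems.append(f"{client}: missing from ethers, rarpd cannot answer")
        if client not in names:
            problems.append(f"{client}: missing from hosts")
        for kv in f[1:]:
            key, _, target = kv.partition("=")
            path = target.partition(":")[2]
            if not covered(path, client, exports):
                problems.append(f"{client}: {key} path {path} not exported to it")
    return problems
```

To check a live server, pass the contents of /etc/ethers, /etc/hosts, /etc/bootparams and /etc/exports to `audit()` in place of the embedded strings.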
    

That's it!

At this point the target machine can be started. The PXE loader should load Grub and after following the steps in the Booting Grub section the OpenBSD kernel will be downloaded and executed. If the root filesystem is set up properly then a diskless OpenBSD system should soon be up and running.
