
Oracle Cloud doesn’t offer FreeBSD like a lot of providers, so we need to install it by flashing the disk directly.

This is my initial setup phase, and everything starts with an Always-Free instance running Oracle Linux.

Flashing FreeBSD 13.1

Connected over SSH as root:

  1. Check that wget is installed; if it isn’t, install it: dnf install wget -y
  2. Identify your disk with fdisk -l; in my case it’s /dev/sda
  3. Flash the image that matches your VM’s architecture (AMD64 or AARCH64):
# AMD64
wget https://download.freebsd.org/ftp/releases/VM-IMAGES/13.1-RELEASE/amd64/Latest/FreeBSD-13.1-RELEASE-amd64.raw.xz -O - | xz -dc | dd of=/dev/sda bs=1M conv=fdatasync

# AARCH64
wget https://download.freebsd.org/ftp/releases/VM-IMAGES/13.1-RELEASE/aarch64/Latest/FreeBSD-13.1-RELEASE-arm64-aarch64.raw.xz -O - | xz -dc | dd of=/dev/sda bs=1M conv=fdatasync
  4. Initiate the reboot from the dashboard: https://cloud.oracle.com

FreeBSD is now installed
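
The flashing step above streams the download straight into dd, so nothing checks the bytes before they overwrite the disk. As an added example (not part of the original procedure), this sketch verifies a saved image against a BSD-style checksum file first; it assumes the image is saved to a file instead of streamed, and the CHECKSUM.SHA512 file name and the IMG path are assumptions.

```shell
#!/bin/sh
# Added example: check a downloaded image against a BSD-style checksum file
# (lines shaped like "SHA512 (name) = hexdigest") before it reaches dd.

# expected_sha512 CHECKSUM_FILE NAME: print the digest recorded for NAME.
expected_sha512() {
    awk -v want="SHA512 ($2) =" '
        index($0, want) == 1 { print $NF; found = 1; exit }
        END { exit !found }' "$1"
}

# actual_sha512 FILE: sha512sum on Linux, sha512 -q on FreeBSD.
actual_sha512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{ print $1 }'
    else
        sha512 -q "$1"
    fi
}

# verify_image IMAGE CHECKSUM_FILE
# 0 = digest matches, 1 = mismatch, 2 = no entry or unreadable file.
verify_image() {
    name=$(basename "$1")
    want=$(expected_sha512 "$2" "$name") || {
        echo "no SHA512 entry for $name in $2" >&2; return 2; }
    got=$(actual_sha512 "$1") || return 2
    [ -n "$got" ] || return 2
    if [ "$want" = "$got" ]; then
        echo "OK: $name"
    else
        echo "MISMATCH: $name (do not flash)" >&2; return 1
    fi
}

# Constructed demo: a stand-in file and its checksum list, not a real image.
d=$(mktemp -d)
printf 'stand-in image bytes\n' > "$d/demo.raw.xz"
printf 'SHA512 (demo.raw.xz) = %s\n' "$(actual_sha512 "$d/demo.raw.xz")" \
    > "$d/CHECKSUM.SHA512"
verify_image "$d/demo.raw.xz" "$d/CHECKSUM.SHA512"
rm -rf "$d"

# Intended use (IMG is a hypothetical path to the saved .raw.xz):
#   verify_image "$IMG" CHECKSUM.SHA512 && xz -dc "$IMG" | dd of=/dev/sda bs=1M conv=fdatasync
```

A checksum fetched from the same server as the image detects truncation or corruption in transit, not a tampered mirror.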

Post-install steps

From the console in the dashboard, let’s do a quick configuration and enable SSH.

Switch from quarterly to the latest repository (optional)

This depends on whether the version in quarterly suits your usage.

sed -i '' 's/quarterly/latest/' /etc/pkg/FreeBSD.conf

Update the system

freebsd-update fetch install
pkg update
reboot

Install packages

Let’s install a text editor, tmux, a sudo alternative, a DHCP client that handles IPv4 and IPv6, and OpenSSH:

pkg install -y doas dual-dhclient-daemon openssh-portable tmux vim

sudo is also available, but on FreeBSD I prefer doas.

Configure doas for the wheel group

echo "permit :wheel" > /usr/local/etc/doas.conf

Configure the SSH server

vim /usr/local/etc/ssh/sshd_config

In my case, I enforce these settings post-install, before the configuration management (Ansible/SaltStack) runs:

  • PubkeyAuthentication yes
  • PasswordAuthentication no
  • PermitEmptyPasswords no
  • VersionAddendum sycured

Tune the boot time

/etc/loader.conf

autoboot_wait="0"
autoboot_delay="0"
beastie_disable="YES"
boot_serial="YES"
loader_logo="none"
cryptodev_load="YES"

Tune the system and services at boot

/etc/rc.conf

hostname="oci-test"
ifconfig_DEFAULT="DHCP inet6 accept_rtadv"
ipv6_activate_all_interfaces="YES"
dhclient_enable="YES"
dhclient_program="/usr/local/sbin/dual-dhclient"
growfs_enable="YES"
sshd_enable="NO"
openssh_enable="YES"

Create opc user

pw user add -n opc -d /home/opc -G wheel -m -s /bin/sh

Change the password

passwd opc

Add your SSH public key

mkdir -p /home/opc/.ssh
echo "MY_PUBLIC_KEY" > /home/opc/.ssh/authorized_keys
chown -R opc:opc /home/opc/.ssh
chmod 600 /home/opc/.ssh/authorized_keys

And finally, run the last reboot

Conclusion

This is a working way to get FreeBSD when your provider doesn’t offer it.

I haven’t added a part about the firewall because the VM is already protected using security rules at the subnet level.

But you have two options for the firewall:

  • stateful: pf
  • stateless: ipfw

If you want more information about pf, you can look at Packet Filter - OpenBSD Handbook.