electronic.alchemy :: Bhyve-ready NetBSD Images

Bhyve-ready NetBSD Images

Created by hww3. Last updated by hww3, 5 days ago. Version #6.

I've put together some bhyve images of NetBSD for use with MNX Triton Datacenter and SmartOS. They include a pre-configured cloud-init and should be fairly well integrated with Triton.

The latest images are available for NetBSD 10.1 and contain the following:

I'm hosting the image on my IMGAPI server. You can add it as a source to your imgadm:

root@headnode# imgadm source -a http://images.welliver.org

Here's the current list of images:

root@headnode# imgadm avail | grep netbsd
3a362e0e-afaf-11ed-97b3-cfb1bff0c1d0  netbsd-9.3-cloudimage           20230219                                    bsd      zvol          2023-02-19
caf6d5d6-69c2-11f0-a449-c7e57fb31843  netbsd-10.1-cloudimage           20250726                                    bsd      zvol          2025-07-26

These images are intended to be lightweight, so they include only the minimum install sets (plus the compiler and headers, necessary for building software). Here's an example of how to add other installation sets:

root# cd / && curl -fL http://mirror.planetunix.net/pub/NetBSD/NetBSD-10.1/amd64/binary/sets/text.tar.xz | tar xJpvf -

I've tested both images as a pkgsrc build platform and they work at least as well as my previous virtual environment running on VMware.

An important note regarding security

By default, NetBSD does not assign a password to the root user. This means that unless the password is changed, anyone with console access can log in as root. Generally, anyone in the wheel group can su to root without being prompted for a password. A user, "netbsd", is also created as the recommended login approach. This user will also have SSH keys installed, but by default has no password.

The images generated will automatically set a root password if it's provided in the instance metadata. This happens automatically in Triton, but it also works with SmartOS if it's provided in the instance information (see the example below for how to do this).

Also note that the metadata client is executable by anyone, so even if the password is set, its protection relies on the security of the communication port (/dev/tty01), and it could be easy to retrieve unless it's been changed. This seems to be the case with all image types, and again, the only protection comes from the permissions set on the metadata socket or device.
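
A quick audit of a booted instance for the two defaults described above. This is an added example, not part of the original page or the image repository. It assumes the standard NetBSD /etc/master.passwd field layout, and the sample account lines are constructed.

```shell
#!/bin/sh
# Added example: audit a booted instance for the defaults described above.

# Constructed sample in master.passwd format, mirroring those defaults.
sample_master_passwd() {
    cat <<'EOF'
root::0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
netbsd::1000:100::0:0:NetBSD user:/home/netbsd:/bin/sh
EOF
}

# Print accounts whose password field is empty and whose shell allows login.
# Reads the named file, or stdin when no file is given.
# Fields: name:password:uid:gid:class:change:expire:gecos:home:shell
empty_pw_accounts() {
    awk -F: '
        /^#/ || NF < 10 { next }
        $2 == "" && $10 !~ /(nologin|false)$/ { print $1 }
    ' "$@"
}

# Return 0 if "other" has read or write access to the path, 1 if not,
# 2 if the path cannot be inspected. Parses ls output so it behaves the
# same on NetBSD and other Unix systems.
other_can_access() {
    mode=$(ls -ldnL "$1" 2>/dev/null | awk '{ print $1 }')
    [ -n "$mode" ] || return 2
    case "$mode" in
        ???????r*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# On the instance itself (run as root):
if [ -r /etc/master.passwd ]; then
    for u in $(empty_pw_accounts /etc/master.passwd); do
        echo "WARNING: account '$u' has no password set"
    done
fi
if other_can_access /dev/tty01; then
    echo "WARNING: /dev/tty01 is accessible to all local users"
fi
```
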

How the images are built

The image build script must be run from a NetBSD system in order to format the FFS disk and install the NetBSD boot loader. Additionally, cloud-init installation won't be successful if the current NetBSD version isn't the same as the image we're building (point releases may work, however). Thus, building an image is a two-step process: create an image on a VM running a previous NetBSD release, and then boot into that and run the image builder in order to get a fully functional image. The interim image won't have networking automatically set up, so there's some legwork that needs to be done there. It's unclear what the right approach is: ditching cloud-init or automating more of the process. Given that major releases happen once every 2-3 years, it may not be worth the effort to try to improve the process.

So, start by cloning the following repository on a NetBSD system:

https://git.sr.ht/~hww3/netbsd-cloud-images

Edit the script for the version of NetBSD you'd like to use and to make any changes, and then (as root) run build.sh. This should create a new blank UEFI-based NetBSD install with everything configured for the first run. The result will be a raw image called "final.raw".

Copy this to your SmartOS/Triton headnode and create a blank bhyve VM (take the script and template from the repository above):

./bhyve_import_raw_image.sh final.raw netbsd-10.1-cloudimage 10.1 netbsd-cloudimage-template.json 

Adapted from the following source: https://github.com/virt-lightning/netbsd-cloud-images

Notes for creating the initial image:

NetBSD DVD install images are UEFI ready starting with NetBSD 9.0, so we can finally use bhyve for the entire process. An image from the previous version of NetBSD can be used, as described above, so the following isn't relevant unless you like doing things the hard way.

NOTE: the build VMs don't need to be built on SmartOS, or even bhyve. You can generate the "final.raw" image on VMware or UTM, etc. if that's easier.

A key trick is to make sure that the CD drive is located at a high PCI slot to ensure it gets priority:

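UUID=yourInstanceUUID                  # UUID of the blank bhyve instance
ISO="NetBSD-9.3-amd64.iso"
# Copy the installer ISO into the instance's zone root
cp "$ISO" "/zones/$UUID/root/"
# Attach the ISO as an AHCI CD drive in PCI slot 7
vmadm update "$UUID" bhyve_extra_opts="-s 7:0,ahci-cd,/$ISO"
vmadm start "$UUID"
# Clear the extra option so the CD drive is not attached on the next boot
vmadm update "$UUID" bhyve_extra_opts=""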

You can use VNC to perform the original install. Not all VNC clients work equally well. I've had good luck with TigerVNC, but not with macOS Screen Sharing and the "official" VNC client. Chicken also worked well, but is no longer supported on recent macOS.
