
Configure vmm on OpenBSD

You will need to install vmm-firmware (which appears to be free software):

$ doas fw_update

By default, there are only four tap interfaces. We need to create sufficient devices for all our virtual machines:

# cd /dev
# for i in $(jot 50 4 50); do sh MAKEDEV tap$i; done

We need to increase the arpq maximum length because there may be many virtual machines on the same switch:

# sysctl net.inet.ip.arpq.maxlen=1024
# echo "net.inet.ip.arpq.maxlen=1024" >> /etc/sysctl.conf

We will need to permit IPv4 and IPv6 forwarding for our virtual machines:

# sysctl net.inet.ip.forwarding=1
# echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
# sysctl net.inet6.ip6.forwarding=1
# echo "net.inet6.ip6.forwarding=1" >> /etc/sysctl.conf

Optional virtual Ethernet device

Depending on your networking settings, you may find it helpful to create a vether(4) device which will be used as the interface for the bridge. For example, we might create /etc/hostname.vether0:

inet 192.168.0.1 255.255.255.255

Replace 192.168.0.1 with the actual IP address you intend to use as the default gateway. Replace 255.255.255.255 with the subnet mask.

Creating bridge device

Next we must create /etc/hostname.bridge0:

add if0

where if0 is the device you want to bridge. If you want to bridge the optional virtual Ethernet interface above, replace if0 with vether0.

We edit /etc/vm.conf:

socket owner :vmdusers

switch "switch0" {
    interface bridge0
}

vm "username" {
    owner username
    memory 512M
    cdrom "/home/username/username.iso"
    disk /home/username/username.qcow2
    interface { 
        locked lladdr aa:bb:cc:dd:ee:01
        switch "switch0"
    }
}

WARNING: Do not use aa:bb:cc:dd:ee:xx. Replace with your own random lladdr address.

WARNING: Do not pick a broadcast or multicast MAC address. If the first octet of the address is an odd number (such as f1:xx:xx:xx:xx:xx or f3:xx:xx:xx:xx:xx), the address is a group (broadcast/multicast) address rather than a unicast one, and this may be the cause of routing issues.
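The following is an added example, not part of the original page: a POSIX sh helper that generates a random lladdr with an even first octet and checks the lladdr lines of a vm.conf for the problems the two warnings describe, plus duplicates. The function names, the sample addresses, and the choice to set the locally administered bit (0x02) are assumptions of this example, not something the page specifies.

```sh
#!/bin/sh
# Added example (not from the original page): pick and check lladdr values.

# gen_lladdr: print a random MAC with the group bit (0x01) cleared, so the
# first octet is even, and the locally administered bit (0x02) set.
gen_lladdr() {
    set -- $(od -An -N6 -tx1 /dev/urandom)   # six random bytes as hex
    printf '%02x:%s:%s:%s:%s:%s\n' $(( (0x$1 & 0xfe) | 0x02 )) \
        "$2" "$3" "$4" "$5" "$6"
}

# check_lladdr ADDR: print a verdict; succeed only for a well-formed address
# that is neither the aa:bb:cc:dd:ee:xx placeholder nor a group address.
check_lladdr() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $addr in aa:bb:cc:dd:ee:??) echo placeholder; return 1 ;; esac
    printf '%s\n' "$addr" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' ||
        { echo malformed; return 1; }
    if [ $(( 0x${addr%%:*} & 1 )) -ne 0 ]; then
        echo "group (odd first octet)"; return 1
    fi
    echo ok
}

# lint_vmconf FILE: check every lladdr in FILE; fail on a bad or repeated one.
lint_vmconf() {
    rc=0
    addrs=$(awk '{ for (i = 1; i < NF; i++)
                     if ($i == "lladdr") print tolower($(i + 1)) }' "$1")
    for a in $addrs; do
        verdict=$(check_lladdr "$a") || { echo "$a: $verdict"; rc=1; }
    done
    dups=$(printf '%s\n' $addrs | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate:" $dups; rc=1; }
    return $rc
}

# Constructed vm.conf fragment (interface lines only) for demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
        locked lladdr aa:bb:cc:dd:ee:01
        locked lladdr f1:00:00:00:00:02
        locked lladdr 02:5e:10:00:00:03
        locked lladdr 02:5e:10:00:00:03
EOF
lint_vmconf "$sample" || echo "replace with, for example: $(gen_lladdr)"
rm -f "$sample"
```

Run lint_vmconf against /etc/vm.conf before restarting vmd; a non-zero exit status means at least one address needs replacing.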

Next, we download our OpenBSD ISO.

$ doas useradd -m -g =uid -c "iso" -d /home/iso -s /sbin/nologin iso
$ ftp https://cdn.openbsd.org/pub/OpenBSD/7.5/amd64/install75.iso
$ ftp https://cdn.openbsd.org/pub/OpenBSD/7.5/amd64/SHA256.sig
$ signify -C -p /etc/signify/openbsd-75-base.pub -x SHA256.sig install75.iso
Signature Verified
install75.iso: OK
$ doas mv install75.iso /home/iso/
$ doas mv SHA256.sig /home/iso/
$ doas chown -R iso:iso /home/iso/

If the signature does not verify, don't proceed.

We will want to enable and start vmd:

$ doas rcctl enable vmd
$ doas rcctl start vmd  

We need to create a new group, vmdusers, for our users so they can access the serial console:

# groupadd vmdusers
# chown root:vmdusers /var/run/vmd.sock

For each virtual machine, we create a user and a disk image using install.pl:

$ ./install.pl
# vmctl create -s 20G username.qcow2

If some users are using the wrong IPs, you can run tcpdump with the -e flag to show the lladdr on each packet.