
OpenBSD: Why and How (2016) - kick
https://sivers.org/openbsd
======
Athas
>It's not for beginners.

I don't consider myself a beginner to Unix or computers (I even have a PhD in
the damn things), but I do consider myself a fairly inept and inexperienced
systems administrator, with no great desire to spend the time to become
better, and my needs are fairly basic - just the usual web/shell/IRC/mail
server stuff, and other random infrastructure needs that come along for my
work. Incidentally, this is exactly why I _prefer_ OpenBSD. Everything is so
minimalist, the defaults so sensible, and the documentation so good, that I
trust the machines I set up. I have great confidence that I did not overlook
something crucial. The OpenBSD http daemon is beautifully simple - too simple
for many uses, but perfect for mine. The OpenBSD mail daemon is the _only_
mail daemon I have ever been able to set up from scratch, just from reading
the man pages.

I run Linux (NixOS and RHEL) on my desktop and some servers respectively,
because of needs that OpenBSD simply does not support (mostly GPU computing).
Linux is fine and certainly runs very fast, but OpenBSD is the only operating
system I honestly _like_.

~~~
rlander
I would definitely not consider someone who runs NixOS on the desktop inept
nor inexperienced.

~~~
willtim
Yes those words are too strong, but NixOS has certainly halted my Linux
learning over the last few years :) In terms of configuration it's usually
just "some.feature = true". Whereas with Debian, I'd go read a blog and
cut'n'paste commands out of it and cross my fingers that they'd perform the
correct mutations of my own OS.

------
jim-jim-jim
>It's not for beginners.

Maybe true, but it's not just for experts either. OpenBSD's unfriendly
reputation ensured that I languished in Linux land way longer than I should
have, convinced that I was too dumb for anything else.

If you can navigate directory structure, use a package manager, and uncomment
lines in config files, you can use OpenBSD. Try it already. It's good.

~~~
vorpalhex
> OpenBSD's unfriendly reputation ensured that I languished in Linux land way
> longer than I should have

Funny enough, OpenBSD's unfriendly behavior just had me go back to Linux land
after running a FreeNAS server for two years. I got tired of every single help
thread I was reading starting with "Well you're stupid and you shouldn't do
that" in one form or another.

Once Ubuntu got mature ZFS support in mainline, I was out.

~~~
chousuke
What does OpenBSD have to do with FreeNAS? Or did you just mean unfriendly
behaviour in general?

What I've noticed about the OpenBSD mailing lists is that while people are
generally decent and helpful if you show that you put at least some effort
into your question, I also see negative responses to the less good questions
that are just not needed, and without value.

I still like OpenBSD because it's just a good OS, but I think some people
could stand to tune up their filters a bit.

------
LeonM
Actually, my first UNIX experience was OpenBSD. I must have been around 14
years old or so when I ran an OpenBSD server at home and used it as a NAT
router with PF.

Whenever I couldn't figure something out I'd just read the manpage and go from
there. Needless to say I also did a lot of trial and error, but that was
mostly due to my own lack of knowledge at the time.

Fast forward to 2019, and at Mailhardener we run a couple OpenBSD instances,
mostly because we really like OpenSMTPd. We also run Debian based servers for
convenience reasons.

I still wouldn't recommend OpenBSD though; for almost all situations it would
make more sense to run a Linux based OS, whether on the desktop or on a
server.

~~~
degyves
Some specific reason to not recommend it?

------
AdrienLemaire
> if you’re experienced, like to “look under the hood”, and prefer software
> that does the minimum necessary, OpenBSD is for you.

I've been using Linux as my primary system for 10 years now. Isn't it a bit
exaggerated to group all Linux distributions together with ubuntu?

I think of myself as minimalist (arch linux / i3 / tmux / zsh / vim), thus
fitting the description, but I'm not convinced by the argument to make the
switch. On the contrary, the article feels like I better be ready to donate a
lot of money if I want the system to run as I want it to.

> It’s uncompromising. It’s not a people-pleaser or vendor-pleaser. Linux is
> in everything from Android phones to massive supercomputers, so has to
> include features for all of them. The OpenBSD developers say no to most
> things.

I'm not sure if that's a good thing or not. Doesn't sound very community
driven.

The security focus is probably the most interesting part here. I probably had
the wrong assumption that most security-focused guys were on Kali linux.

I'll need a bit more nudging to make the jump over.

~~~
llarsson
Nor does the article state what the intended target even is.

Typically, UNIX systems were for servers. And that is probably where security
matters the most, too. Along with a conservative view on what hardware to
support, it sounds an awful lot like a server operating system.

So does the article claim that it is good to run an operating system that
targets servers on your desktop or laptop?

~~~
projektfu
Historically, I don’t think that’s the case. It was developed (after its
computer game concept) to support online documentation production. Most of its
installations were timesharing systems (e.g. Vax) until the workstation era
when it developed the workstation/server split. Considering the proliferation
of graphical interfaces on Unix in the 80s, it’s definitely a desktop OS.

------
infraredcabbage
As much as I love OpenBSD, it's one of those things that doesn't work for
enterprise.

1) Commands have different switches. This is really annoying since you're
probably using GNU/Linux at your day job.

2) It doesn't support all the new and fancy container/automation stuff that
your colleague is super stoked about.

3) Most companies haven't even heard about it, which causes certain problems.
Example: I was working for a company that had a collaboration with Cisco, and
we needed some binary blob in order to provision networking equipment. Getting
this to work on OpenBSD was ten times as much work as making it run on Linux.

4) If you share your laptop with anyone, e.g. your wife or your parents when
you're on holiday, they'll be a lot happier with Ubuntu.

In a perfect world, everyone would be running OpenBSD, but in the world as it
is now, Linux is "better".

~~~
zdw
This reads like a mid-2000's "BSD is dying" slashdot post...

1) GNU extensions aren't always well thought out or standardized. Assuming
everywhere is a current GNU userland will break frequently on multiple
non-Linux OS's - look up trying to use `awk` on MacOS, which has a BSD-derived
version.

2) Trendy developer conveniences with half-assed security like containers
aren't really in line with OpenBSD's goals. If you want isolation, look into
chroot, pledge, and unveil.

3) I'd blame Cisco in this case, not OpenBSD.

4) Says who? If a browser works, most people will be happy. The main use case
for OpenBSD is network appliances like routers and infrastructure serving.

~~~
infraredcabbage
You're right, it is a BSD is dying post, only a decade later.

I agree with everything that you said. In an ideal world, we could all
convince our colleagues that Docker and SELinux and Apparmor and such things
are crap, and that everyone should be using OpenBSD alternatives. This is
nothing but wishful thinking, however.

I wish the industry (and Cisco) would know about OpenBSD and wish to use it,
but alas, this is not the case.

Yes, the main use is a fairly narrow part of possible uses, and introducing a
whole new OS, package system and command set just because you prefer pf over
nftables seems like something most of your colleagues would be a little
disgruntled with.

------
fmajid
I find OpenBSD much easier to manage than most Linuxes, where everything
changes every six months for no good reason. Then again, I have 30 years of
UNIX experience.

The main reason to avoid it is the limited hardware support, especially for
laptops. I wish there were an equivalent of System76 for OpenBSD.

~~~
wowtip
Thinkpads are almost the System76 equivalent for OpenBSD? As long as you stay
away from nvidia graphics, that is...

~~~
pimeys
Having a ThinkPad X230 in daily use with OpenBSD, I have to say it's an
excellent laptop and everything just works. Even the WAN, which can be turned
on using `ifconfig` and is handy in places with no wifi, such as the country
house.

------
juped
OpenBSD is often described as "security focused", but this isn't really what
its hat is. The key value of OpenBSD is good engineering practice, which ends
up leading you to practices like privilege separation (and OS features to
facilitate privilege separation) which aren't "security" so much as they are
good defensive engineering - you write your software to be correct and not
fail; you also write it so that when it fails it can't do much damage; you
also write it so that faults crash loudly and hard rather than quietly doing
damage, and so on.

------
wwarner
I like the solidity of openbsd, but I'll defend linux here in two ways. First,
the gpl2 license. There was a time when linux was way way ahead in terms of
functionality, and in my estimation it was due to the copyleft licensing. It
opened a floodgate of pent up demand to establish an open platform on which
companies could standardize. Some have said that linux's success was an
accident of timing, as the bsd's were hampered by lawsuits at the time, but to
my mind the lawsuits made copyleft that much more attractive.

Second, the incredible flexibility of linux allows it to work in so many
wildly different applications. It's a monolithic design, but it's so flexible
you don't need to worry about it; it can be as narrow or as broad as you want
it to be.

------
m4r35n357
OpenBSD is very well documented. The kernel and software stack is integrated.
They care about security and write a lot of secure stuff used in other
systems. There is usually one way of doing things. You do not need
StackExchange.

Just try it.

~~~
justaj
Here's the thing though: I use sites like SE a _lot_, primarily because I can
usually type my thought into a search engine and then expect a question with
hopefully more than one answer. Would the answers be as succinct and accurate
as the OpenBSD manpages? Probably not, but at least it gives me an idea and
hints as to where I can find more accurate information if I were so inclined
(which I'm sometimes not! Sometimes quick & dirty just works)

------
lcall
Among the reasons I like OpenBSD is that it tries (hard) to be "secure by
default", meaning, that the initial install has had "only 2 remote holes in
the default install" since about 1996. Then as I make changes from that
default I can consider the implications of each one.

And I appreciate the low likelihood of privilege escalation (I keep seeing
those bugs come up for the linux kernel, not for OpenBSD), and pledge/unveil
limiting what apps can do to what they normally should do, so that damage by
compromised apps can be greatly limited to a given user account or less. And
yes, the clarity of documentation (like the excellent FAQs) and predictability
of the system.

So basically, I read news all the time about this or that exploit, and I am
not in the vulnerable group. But I do think that it took me more work to get
set up the way I want, than when I used Debian more, but that work was _very_
well worth it, and even more so when I include my config customizations to
various apps that now work just as I want.

One addition to the base system I always make is to change the /etc/profile to
set the default umask to 0077 (and other changes for my own convenience etc).
I've long wondered why umask 0077 is not the system default. Although after
changing it I had to wrap pkg_add in a script ("pa") which sets it back to the
original default so that some apps don't get broken during installation for
some reason.

Also, it seems worthwhile to choose compatible hardware, or some things might
not work.
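An added example (not lcall's own script) of the "pa" wrapper described above: the session default umask is 0077, and package installation runs with the stock 022 umask restored in a subshell so the caller's restrictive umask is untouched afterwards. PKG_ADD is an assumed hook so the wrapper can be exercised on a host without pkg_add; the probe function shows why the wrapper is needed.

```shell
#!/bin/sh
# Added example, not from the thread. Runs a command under a given umask in a
# subshell, leaving the caller's umask (0077 from /etc/profile) unchanged.
run_with_umask() {
    _mask=$1; shift
    ( umask "$_mask" && "$@" )
}

# The "pa" wrapper: pkg_add under the stock 022 umask so installed files keep
# the world-readable bits other users and daemons expect. PKG_ADD is an
# assumed hook for testing on non-OpenBSD hosts.
pa() {
    run_with_umask 022 "${PKG_ADD:-pkg_add}" "$@"
}

# Probe: the permission string a newly created file gets under a given umask.
# ls -l is used because stat(1) flags differ between GNU and BSD.
mode_under_umask() {
    _dir=$(mktemp -d) || return 1
    run_with_umask "$1" touch "$_dir/probe" || return 1
    ls -ld "$_dir/probe" | cut -c1-10
    rm -rf "$_dir"
}
```

Under umask 0077 the probe reports `-rw-------`, which is what package files would get without the wrapper; under 022 it reports `-rw-r--r--`.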

~~~
karmakaze
The main issue I've had with any bsd system isn't the system itself but the
settings and configurations of packages. Often defaults are different for no
other reason than the package creator thought it might be a minor improvement
in some way. I'd rather be using a more thoroughly used set of packages. The
few times I've used non-Ubuntu based package sources I often find I'm
contributing to make it just work. Now I'm not saying that Ubuntu packages are
always right, but I'd like the authors of the software to choose defaults, and
if they get fixed/changed it happens in a given version on all systems.

~~~
lcall
Yes, there is a tradeoff sometimes between security and convenience, and
OpenBSD chooses security by default, and things usually just work. But Ubuntu
is probably more convenient/easy for some things (or debian or devuan anyway:
I've been burned by ubuntu, and even debian, where devuan seemed to "just
work" the most... more tradeoffs always.)

------
Datenstrom
I have been running OpenBSD and PF on a PC Engines APU[1] for my gateway
router/firewall at home for about 5 years now and the thing is rock solid. I
just love the minimalism and simplicity which is likely the source of the
incredible stability of the platform. Besides updates or modifying PF rules I
have never had to touch the box.

[1] [https://pcengines.ch/apu2.htm](https://pcengines.ch/apu2.htm)

~~~
oil25
Same here, but I have found wireless performance to be subpar. Ended up
double-NAT'ing a second APU with Debian to use 802.11. Still plenty happy with
OpenBSD though.

------
equalunique
Strace & procfs are some of my favorite Linux programs. OpenBSD's ktrace &
kdump are much more limited in what they can do. Is there anything out there
that can provide similar functionality for OpenBSD?

~~~
AdrienLemaire
> [https://en.wikipedia.org/wiki/Procfs](https://en.wikipedia.org/wiki/Procfs)

procfs isn't a program but a pseudo-filesystem. Are you just meaning to say
that the info stored in /proc and displayed by strace is very useful to you?
Or am I missing something else?

~~~
equalunique
No, you're right. So what on OpenBSD can provide that information in a
similarly convenient way?

------
UptownMusic
A colleague once told me, "My wife's laptop keeps breaking, but she won't get
a new one unless it runs Unix." Over one year ago I installed OpenBSD on a X1
Carbon 5th Gen, installed some software and connected her to her backup disk
and router. She has never had a problem and has never had to ask me about
anything. OpenBSD is great for beginners to use.

------
dang
Discussed at the time:
[https://news.ycombinator.com/item?id=12403655](https://news.ycombinator.com/item?id=12403655)

------
larme
for me OpenBSD is just like (old) macOS for hackers. Everything supposed to
work just works consistently.

~~~
mattl
Mac OS, or Mac OS X?

------
ohithereyou
I got stuck at finding a web browser that wasn't severely out of date last
time that I tried OpenBSD as a daily driver workstation. This was about two
years ago, and it wasn't a definite thing that it could even run Firefox.

Does anybody here know if this issue has been fixed? Having a reliable, up to
date, secure web browser (well, as secure as a web browser can be - up to date
with the browser's own security updates) was the only thing that was holding
me back from using it as a workstation. I had no problem back then using it as
a server, but I couldn't justify running OpenBSD on my servers and Debian
unstable on my desktop.

~~~
JoachimSchipper
OpenBSD now has binary packages for -stable, but AFAIK this does not include
e.g. Chromium:
[https://news.ycombinator.com/item?id=20694338](https://news.ycombinator.com/item?id=20694338).

Running -current does give you up-to-date Firefox and Chromium packages.

~~~
ohithereyou
So to have a browser with the latest security fixes you have to run -current?

~~~
lcall
The latest obsd version (6.6, or the one just before, 6.5) makes package
updates easier without running -current. So it probably depends on if that
maintainer has kept them current during the release period. I haven't followed
that closely to know how much that has been the case.

But see my comments elsewhere in this discussion page for why I value obsd's
pledge/unveil browser mods and lack of privilege escalation as more important
than having the latest browser fixes (which I also value, but relatively
less).

------
r3trohack3r
A similarly passionate talk written for Debian:
[https://wiki.debian.org/WhyDebian](https://wiki.debian.org/WhyDebian)

------
Hitton
> _Everything is rock-solid and just works. Hardware I couldn’t get working in
> Linux just works on a first try with OpenBSD._

I guess I live in a different universe than the author.

------
gautamcgoel
What is browser/video decoding support like? Can you use Netflix on
Firefox/Chrome?

------
aryx
Looks indeed like a very developer-oriented OS. Then why still use CVS?

~~~
kick
git is GPL, which BSD people tend not to like.

I think they're writing a git replacement under the BSD License, though I
don't know how progress is going on that.

~~~
brobdingnagians
The author of the BSD version, Game of Trees (got), recently did a
presentation at EuroBSDCon, and that video is online[1]. It focuses on
security and has quite a bit of functionality, including some new things like
having multiple working directories from the same repository and even checking
out subdirectories from the repository. Looks like progress is going well. It
doesn't do network/remote actions, but you can use the normal git binary for
pushing and pulling.

[1]
[https://www.youtube.com/watch?v=PRIgeouw7-4](https://www.youtube.com/watch?v=PRIgeouw7-4)

~~~
Nullabillity
> having multiple working directories from the same repository

    $ git worktree add ../foo-develop develop

