OpenBSD Jumpstart: Learn to Tame OpenBSD Quickly (openbsdjumpstart.org)
131 points by fcambus on Dec 26, 2015 | 50 comments



I played with OpenBSD many, many years ago (when I had much more free time) but then didn't touch it for years.

After hearing about JETPLOW [0], I decided to replace the Cisco ASA that I had been using for my (fiber) Internet connection at home with an open-source router/firewall.

I had a RouterMaxx 1106 [1] (PDF) laying around so I decided to put OpenBSD on it and use that. In short order, I built an OpenBSD virtual machine, used flashrd [2] to build an OpenBSD image I could put on a CompactFlash card, and had it up and running.

It just works.

About two years later, it's still humming along nicely. The only downtime that I've had is when I upgraded to a new OpenBSD version. I could've minimized somewhat but I use a new CF card every time.

Nowadays, I've also got a dedicated laptop running OpenBSD that I use solely for "security critical" stuff for $work. A separate machine stands in between the Internet and our MX hosts and runs OpenBSD's spamd [3] to help keep spam out of our users' mailboxes (N.B.: the number of messages hitting our Barracuda dropped by ~70%, with zero complaints received from any of our users).

In addition, we're just beginning a project to basically rebuild our entire server infrastructure and we'll be using OpenBSD for certain functions: remote access (OpenVPN), SSH jump hosts, possibly authoritative DNS, etc.

I'm a firm believer in using "the best tool for the job". Most of our servers will be running FreeBSD, but OpenBSD definitely has its place in our environment.

[0]: https://nsa.gov1.info/dni/nsa-ant-catalog/firewalls/

[1]: http://www.balticnetworks.com/docs/routermaxx%206%20port.pdf

[2]: http://www.nmedia.net/flashrd/

[3]: http://www.openbsd.org/spamd/


This is quite the handy resource! Great idea and well done. OpenBSD is really quite friendly, just need to be comfortable with reading man pages and Unix basics.

A tip for first-timers: perform the installation with an Ethernet internet connection. On my laptop, wireless firmware was installed and configured automagically on first boot. After that it's all gravy.


> A tip for first-timers: perform the installation with an Ethernet internet connection.

Yes, it's much easier that way.

Then, once the firmware for your wireless card is installed, configure your wired and wireless interfaces as a failover trunk (if you switch back and forth between them very often). This way, your IP address doesn't change when you {dis}connect your Ethernet cable. Obviously, everyone has different needs but this works out great for me (I plug in when at my desk and use wireless the rest of the time).


Only use a failover trunk if your wireless network and wired connection share the same subnet. Otherwise it doesn't work that well. Like once you connect the Ethernet cable you lose network connectivity as the trunk won't renew your address.

Seems the currently recommended method is to just run dhclient on both wireless and wired interfaces and let the routing table decide which to use.
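The two layouts from this exchange, as an added shell example (written for this page, not code from the thread or from OpenBSD): it writes the hostname.if(5) files for either layout into a staging directory and checks them before they are copied to /etc. The interface names em0/iwn0, the SSID and the passphrase are assumed placeholders; the trunk lines follow trunk(4) and hostname.if(5).

```shell
#!/bin/sh
# Added example, not from the thread: generate the hostname.if(5) files for a
# laptop with one wired and one wireless interface in either of the two
# layouts discussed above. Interface names (em0, iwn0), the SSID and the
# passphrase are placeholders; files go to a staging directory for review
# before being copied to /etc on the laptop.

# hostname.if files can hold the WPA passphrase, so hostname.if(5) expects
# them root-owned and mode 0640; enforce that on everything written here.
harden_perms() {
    chmod 0640 "$1"/hostname.*
}

# write_failover_trunk DIR WIRED WIFI NWID WPAKEY
# Layout 1: a trunk(4) in failover mode owns the address, so the lease
# survives plugging or unplugging the cable. The first trunkport listed is
# the master (preferred) link. Caveat from the thread: the trunk never
# re-runs DHCP on failover, so both links must reach the same subnet.
write_failover_trunk() {
    dir=$1 wired=$2 wifi=$3 nwid=$4 wpakey=$5
    printf 'up\n' > "$dir/hostname.$wired"
    printf 'nwid %s\nwpakey %s\nup\n' "$nwid" "$wpakey" > "$dir/hostname.$wifi"
    printf 'trunkproto failover trunkport %s trunkport %s\ndhcp\n' \
        "$wired" "$wifi" > "$dir/hostname.trunk0"
    harden_perms "$dir"
}

# write_dhcp_both DIR WIRED WIFI NWID WPAKEY
# Layout 2: dhclient on each interface; the routing table picks the default
# route. Works across different subnets, but the address changes whenever
# the active link changes.
write_dhcp_both() {
    dir=$1 wired=$2 wifi=$3 nwid=$4 wpakey=$5
    printf 'dhcp\n' > "$dir/hostname.$wired"
    printf 'nwid %s\nwpakey %s\ndhcp\n' "$nwid" "$wpakey" > "$dir/hostname.$wifi"
    rm -f "$dir/hostname.trunk0"
    harden_perms "$dir"
}

# check_layout DIR WIRED: returns 0 when no generated file is readable by
# others and, if a trunk exists, the wired interface is its master port.
check_layout() {
    dir=$1 wired=$2
    if find "$dir" -name 'hostname.*' ! -perm 0640 | grep -q .; then
        return 1
    fi
    if [ -f "$dir/hostname.trunk0" ]; then
        grep -q "^trunkproto failover trunkport $wired " "$dir/hostname.trunk0" || return 1
    fi
    return 0
}

# Stand-alone run: stage the failover layout in a temp dir and list it.
# After copying to /etc on the laptop, apply with: sh /etc/netstart trunk0
main() {
    dir=$(mktemp -d)
    write_failover_trunk "$dir" em0 iwn0 HomeAP 'constructed-passphrase'
    check_layout "$dir" em0 && echo "staged in $dir:" && ls -l "$dir"
}
main
```

The 0640 check is the part worth keeping even if you hand-write the files: a world-readable hostname.iwn0 hands the Wi-Fi passphrase to every local account.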


I haven't encountered that issue as I only use that laptop at home (same subnet) but that's a very good point, thanks.


I agree. It certainly feels more friendly than I was expecting. And the fact that they patched in modern features to old utilities (wpa in ifconfig instead of wpa_supplicant) makes things super clean and easy to understand. FreeBSD is less easy to use, and Linux, by comparison is a mess.

That said. Finding pre-built binary packages can be hit or miss. And ports requires X11 to be installed.

But when all is said and done. It's the community that's most important. And OpenBSD has one of the kindest and active IRC channels on freenode. Far from the "in your face"/elitist reputation others have stated before.


> And the fact that they patched in modern features to old utilities (wpa in ifconfig instead of wpa_supplicant) makes things super clean and easy to understand

Sure.. though from what I can see, openbsd didn't support wpa enterprise until 2013, and at that point it was supported using wpa_supplicant.

http://www.undeadly.org/cgi?action=article&sid=2013012814221...


Agreed, OpenBSD is rock solid; it just works, with well thought out defaults and excellent drivers for devices that are supported. I only wish they would port hammer faster..


If only the performance was adequate. It was so laggy and power-hungry on my i7 thinkpad that I was forced to go back to Linux.


That's the only thing stopping me from running OpenBSD 24/7/365 on my workstation. It's getting marginally better with each release, but even on a system that screams under any other OS, OpenBSD just lags and lags, even with tweaks.

I've found a great use case for it though; older, slower hardware (think P4 and older) actually benefits from running OpenBSD versus most modern Linux distros. For example, I have an ancient PIII laptop that refuses to run anything other than OpenBSD, Slackware, and Haiku OS. Out of those, OpenBSD is the fastest and least buggy. Granted, it's just a toy/hobby device, but I found it intriguing nonetheless.


Could you be more specific on what problems you have? Usually OpenBSD has been running quite smoothly. Only issues I've experienced have been on video use. Like I haven't been able to get smooth playback of HD material. And firefox seems to be bit choppy but that is probably my "gazillion tabs" I keep open.


Those are some of the issues I've experienced, even with SD video and only a few tabs open in Firefox.

There's also a general choppiness to X itself. All of this with accelerated Intel graphics, so it's not necessarily driver related. I just figure that given the project's focus on security and clean code, desktop OS performance takes a necessary back seat.

Even with all of that, I give every new release a thorough test run on my old workstation and laptop, just to see if things have improved in that area. And they have been steadily improving!


Multiple-second system freezes when opening programs or changing workspaces, etc.

It's just laggy and runs hotter than Linux. I get a solid hour and a half more battery life on Linux too.


When did you try it? They fixed ACPI power management issue in 5.8. So if you tried it before that it might explain the battery life issue. I haven't seen any multiple-second system freezes ever. Did you report those issues in bug tracker or mailing lists?


5.8 was what I tried and the new acpi did not help.

Obviously I reported it.


using minecraft as an example...

http://www.laptopmag.com/reviews/laptops/fujitsu-lifebook-s7...

The above ~5yr old laptop will give 60fps running minecraft with no hiccups / glitches. Installed an SSD and frankly it's a perfect workstation for anything I would use and I see no lag.


It shouldn't be power-hungry... A lot of OpenBSD developers use OpenBSD on their ThinkPads. It should work fine. Maybe you haven't configured power management.

In FreeBSD, it's powerd. In OpenBSD... apmd?


You're telling me what it shouldn't be or should be, but I am telling you what it is.

You are free to search marc.info for the fruitless threads of me trying to solve multi-second system freezes when opening emacs or changing workspaces if you like.

The fact that the devs dogfood their stuff is irrelevant: it doesn't perform even remotely as well as Linux on the same (modern) hardware.


In OpenBSD you can let the kernel do the power management with "sysctl hw.perfpolicy=auto".

Also there was a fix in ACPI in 5.8 to fix power use in newer processors. If I remember it correctly the processor didn't use the deep sleep states so they consumed more power.


Where do you experience this lag? Graphics? Disk? Io?

Openbsd has always felt turbo fast to me. Easily the tightest Unix experience, in my experience.


I've never seriously used any BSD, but I do have to admit I like that things don't change for the sake of change, as seems to happen on Linux every couple of years. With OpenBSD, docs from 10 years ago are generally workable, because nothing on the user side has changed. That's got some definite benefits. I've been using Linux as my primary OS for 20 years, as of this year (which is, coincidentally about as long as OpenBSD has been around), and I don't feel significantly more "on top of" the OS than I did 10 or even 15 years ago. On many fronts, I'm further behind, because I have so much less free time, and there's so much more to a Linux system. And, so much has changed.

That said, there's a bunch of trade-offs. Virtualization on OpenBSD is, as far as I can tell, effectively a non-starter for any major project (i.e. those with many VMs, a virtual network, virtual disks, etc.). Containers seem to not exist, at all, though I found some historic mentions of jail-based options.

It seems like a perfect candidate for a VM or container guest OS, due to security focus, small size, simple deployment, etc. But, you then have to have two sets of skills: Managing your guest operating system, and managing your host operating system. Since Linux is the strongest container or VM hosting OS on the server (this was once debatable when Solaris Zones was new and Linux was still somewhat immature on the container front, but I don't think anyone would make the case that Linux isn't the obvious choice for hosting VMs or containers in most deployments today), and Linux is pretty far away from OpenBSD, you've got two pretty widely divergent skill sets needed.

Nonetheless, every time I read about OpenBSD, I feel a strong urge to give it a try. It seems extremely elegant in the way old UNIX systems were elegant. It appeals to me on a lot of fronts. Also, the code and documentation are extremely readable, in ways I've rarely seen elsewhere (FreeBSD also meets this description, but it's so much bigger it can still be daunting).

I wonder if anyone is working on a Zones port to any BSD? OpenBSD with a convincing container or virtualization story would be a tipping point for me, in terms of being willing to put in the effort to learn it and use it.


OpenBSD typically doesn't make major changes within a single release (e.g. 5.8), but major changes certainly do happen from one release to the next (e.g. 5.7 to 5.8). A couple of recent examples that come to mind include the removal of sendmail, removal of Apache, addition of OpenSMTPd, addition of their own httpd, replacing sudo with doas, etc. You definitely want to read the release notes before upgrading or switching to a new version!



As far as I know, zones are essentially a port of FreeBSD jails in the first place.


That's not accurate.


I suppose not; it's not as if they copied and pasted the jail code, merely cited it as prior art in describing their own implementation.

Nevertheless, jails have been the BSD "container story" for over fifteen years.


And, it is not a convincing one. Being old does not make it competitive.


Haven't you already disqualified yourself from being able to make that judgment? ("I've never seriously used any BSD.")

Being old does give it a long history of successful use. Jails are exactly what Docker for FreeBSD uses for its containers; I'm not sure what more you'd be looking for in a container system, if lxc is something you'll mention in a positive light.


NetBSD can act as both a Xen host and guest.


> Since Linux is the strongest container or VM hosting OS on the server

pause for laughter

Join us: https://smartos.org


My comments were sincere, and from a place of familiarity with and appreciation for Zones. Joyent is great, SmartOS looks cool, and we've worked with and supported Zones in our products longer than anybody that I know of (Sun paid Jamie to add Zones support to Webmin back when Zones was in development; it goes way back). Heck, I don't think any of our big competitors even support Zones (and I know why: nobody's buying Zones support...we have at least 100+ times more Linux users). I'm on your team, when it comes to talking nice about Zones. Great technology, that was many years ahead of Linux.

But, be real here. Linux likely sees more contributions in a month than SmartOS has had in its whole existence. The size and scope of the ecosystem is just vastly different. Most people have never even heard of SmartOS. And, Linux has caught up. It's always been a leader on full virtualization (Xen was developed first for Linux, after all), but it's also now got several great container options, including core kernel support than runs deep. There's not much you can do with SmartOS that you can't do with Linux today; and, the reverse is not true.

Don't get me wrong: SmartOS seems really cool, and I want to spend some time with it in the near future. We've always had a soft spot for Solaris (despite not selling a lot to Solaris users, since they're so vastly outnumbered by Linux users), and there's no one I can imagine better for the task of pushing it forward than Joyent.


How does networking speed compare to FreeBSD and Linux?

If I were to make a REST API server that serves 10,000 requests per second per core, which OS should I use?


Actual numbers, with the test harness that was used to generate them: https://github.com/gvnn3/netperf/tree/master/Documentation


If speed were the main deciding factor, I'd go with FreeBSD/Linux. The OpenBSD network stack is still pretty much under the big kernel lock, so multiple cores won't help as much. Though in 5.8 and the -current branch they've made a lot of progress in making the network stack MP-safe. See the undeadly.org hackathon reports for details.


mozumder -- um... what?

But, here is an answer - 10,000 requests per second is 100 microseconds per request. At 100Mbps network speed, this gives (roughly) 10 characters per microsecond or a budget of 1,000 characters combined per request. We will take 100 characters for the request, and 900 characters for the reply. Of course, you could go with 1Gbps network service, and multiply this by 10. But, you will need at least 20kpps "per core".

However, you also have to contend with disk i/o and/or the database layer.

Which OS? I think you are probably a long way from being able to answer that question. Note that OpenBSD will not be as "multicore performant" but that may not matter in your application.


100mbps is really slow for a server. The colocation providers I'm looking at are offering 10G network connections for around $500/month.

The server I'm using has Intel SSDs, capable of 400,000 read IOPS per drive. Redis caching can be used to reduce database accesses as well.


10 GbE? FreeBSD.


At that rate, you are limited by context changes from userland to the OS. So you must use an event driven approach like nginx or node.js. In contrast to the Apache way of opening a thread per connection.

Also, make use of netmap: http://info.iet.unipi.it/~luigi/netmap/ That is available for FreeBSD and Linux.

10k messages per sec is doable. But probably not off the shelf.


I've been using OpenBSD on my firewall for ages, but the fact that patches are only distributed in source form is a giant giant hassle. I understand the reasons for that but it's a level of inconvenience that I find unbearable today. On Debian it's just "apt-get upgrade". On OpenBSD it's so much more difficult that I usually end up just not patching it at all.


I must admit that apt was what converted me from FreeBSD to Ubuntu and convinced me to put up with the Linux kernel. It is so clearly The Right Thing.


I don't know how long ago you switched from FreeBSD but are you aware of FreeBSD's (relatively) new `pkg` tool and binary package repositories?


m:tier provides binary packages for -stable, if you want to run an OpenBSD box with less hassle: https://www.mtier.org/solutions/apps/

They also make binpatch-ng which helps you create binary patches which you can then distribute around to your machines.


To add to Gracana's comment: M:Tier provides the openup tool, which will update your base system and packages to match -stable. That way you don't have to patch and compile your kernel yourself. As for the trustworthiness of M:Tier, several project developers are employed by M:Tier.


There are different FreeBSD flavours such as PC-BSD which solely focus on PC Desktop usage.

I wonder why there are any similar initiatives for OpenBSD? I am sure OpenBSD is a great fit for servers and Internet-based appliances where security is a prime concern and PC desktop support isn't required.


This is great.


Very nice, here's the plain text version instead of slide format.

Learn to tame OpenBSD quickly.

December 24, 2015

History

Forked from NetBSD. Theo De Raadt is the founder and leader of the OpenBSD project. The first OpenBSD release (1.1/CVS) appeared on October 18, 1995.

Why use OpenBSD?

    UNIX-like
    Get the last version of OpenSSH, OpenSMTPD, OpenNTPD, OpenBGPD, OpenOSPFD, LibreSSL
    Get the last PF (Packet Filter) features
    Security focused Operating System
    Thorough documentation
    Cryptography

OpenBSD Version numbers

    Six month release cycle
    New release is incremented by 0.1

OpenBSD's Flavors

    -release: The version of OpenBSD shipped every six months
    -current: Development just after the release
    -stable: Release, plus patches (support ~ 1 year)

Installation

Really simple, ready in 5 minutes (KISS).

Get more information: http://www.openbsd.org/faq/faq4.html

Networking (Files)

  File                Contents
  /etc/myname         Default hostname.
  /etc/hostname.if    Configuration for each network interface, for example: /etc/hostname.bge0
  /etc/mygate         Default gateway.
  /etc/resolv.conf    Resolver (DNS).
  /etc/hosts          Known hosts on the network.

Networking

  # See available network cards:
  /sbin/ifconfig
  
  # Restart networking service:
  /bin/sh /etc/netstart
  
  # Set DHCP for 're0' interface, on the fly:
  /sbin/dhclient re0

Networking (Routing)

  # Show the routing table (ipv4):
  /usr/bin/netstat -rnf inet
  
  # Show the routing table (ipv6):
  /usr/bin/netstat -rnf inet6
  
  # Delete all gateway entries from the routing table:
  /sbin/route -n flush

Networking (set at startup)

Example 1: configure static IP address for re0.

  ## file: /etc/hostname.re0
  inet 192.168.0.58 255.255.255.0
  
  # For more information, read the manual: hostname.if(5)

Don't forget to run 'sh /etc/netstart re0' to apply the changes to the running system.

Example 2: configure DHCP for bge0.

  ## file: /etc/hostname.bge0
  dhcp
  
  # For more information, read the manual: hostname.if(5)

Don't forget to run 'sh /etc/netstart bge0' to apply the changes to the running system.

Example 3: configure wireless.

  ## file: /etc/hostname.iwn0
  nwid ACCESS_POINT_NAME
  wpakey THE_SECRET_KEY
  dhcp
  
  # For more information, read the manual: hostname.if(5)

Don't forget to run 'sh /etc/netstart iwn0' to apply the changes to the running system.

PF (Packet Filter)

  Ruleset: /etc/pf.conf

Useful commands.

  # Disable PF
  /sbin/pfctl -d
  
  # Enable PF and load the rules
  /sbin/pfctl -ef /etc/pf.conf
  
  # Just load the rules (apply changes)
  /sbin/pfctl -f /etc/pf.conf
  
  # View the loaded rules
  /sbin/pfctl -s rules

For more information, read the manual: pfctl(8)

Pf ruleset sample

  ## file: /etc/pf.conf
  # Protect a laptop (allow only ping/ssh from anywhere)
  set skip on lo
  set fingerprints "/dev/null"
  block log all
  pass in on egress inet proto icmp all icmp-type echoreq
  pass in on egress inet proto tcp from any to any port ssh
  pass out
  
  # For more information, read the manual: pf.conf(5)

Debug PF with tcpdump(8)

  /usr/sbin/tcpdump -nettti pflog0

Manage users

Manually

  /usr/sbin/user [add|del|info|mod] user_name

The interactive way

  # Add users
  /usr/sbin/adduser

  # Remove users
  /usr/sbin/rmuser

For more information, read the manual: adduser(8)

Manage Groups

  File: /etc/group

  /usr/sbin/group [add|del|info|mod] group_name

Members in the 'wheel' group can use su(1) to become 'root'.

For more information, read the manual: group(8,5)

sudo replaced with doas(1)

  ## file: /etc/doas.conf
  # Permit the user 'marc' to reboot the box
  permit nopass marc as root cmd reboot

Marc can now reboot the box:

  $ doas reboot

For more information, read the manual: doas.conf(5)

Install Packages

  export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/5.8/packages/amd64/

  # OR use the 'installpath' variable in /etc/pkg.conf:
  installpath=http://ftp2.fr.openbsd.org/pub/OpenBSD/%c/packages/%a/

  # Add the sudo package
  /usr/sbin/pkg_add sudo

Some packages provide configuration and other information in a file located in '/usr/local/share/doc/pkg-readmes'.

For more information, read the manual: pkg.conf(5)

Packages

  # List packages installed
  /usr/sbin/pkg_info
  
  # View install-message for a specific package
  /usr/sbin/pkg_info -M package_name
  
  # Remove a Package
  /usr/sbin/pkg_delete package_name
  
  # Delete unused dependencies
  /usr/sbin/pkg_delete -a

For more information, read the manual: packages(7)

Install non-free firmware packages

  /usr/sbin/fw_update

Firmware is downloaded from release-specific directories at: http://firmware.openbsd.org/firmware/

Manage daemons, services

  File: /etc/rc.conf.local
  
  /usr/sbin/rcctl [enable|disable|start|stop|reload|restart] daemon_name
  
  # Examples
  /usr/sbin/rcctl enable ipsec
  /usr/sbin/rcctl enable isakmpd
  /usr/sbin/rcctl set isakmpd flags -K
  /usr/sbin/rcctl start isakmpd

For more information, read the manual: rcctl(8)

Run a script at startup

  File: /etc/rc.local

For more information, read the manual: rc.local(8)

Update OpenBSD

Any security or reliability fixes can be found at: http://www.openbsd.org/errata.html

You can also use the openup tool from M:tier

Upgrade OpenBSD

To upgrade from 5.6 to 5.8, you need to follow the instructions for each intermediate release in turn:

http://www.openbsd.org/faq/upgrade57.html & http://www.openbsd.org/faq/upgrade58.html

OpenBSD Filesystem

  The most important:
  /               Root directory.
  /home           User home directories.
  /root           Default home directory for the superuser.
  /mnt            A temporary mount point.
  /etc            System configuration files and scripts.
  /etc/examples   Example configuration files for base system daemons.
  /etc/skel       (dot) files for new accounts.
  /etc/signify    Key files used for signify(1).
  /tmp            Cleaned after a reboot.
  /var/tmp        Symbolic link to the system /tmp.
  /var/log        Log files.
  /var/run        pid, socket files, utmp, dmesg.boot
  /var/db         Database files.
  /var/www        Configuration files for httpd(8).
  /usr/local      Third-party packages are installed here.
  /usr/src        BSD and/or local source files.

For more information, read the manual: hier(7)

OpenBSD Kernels

  /bsd
  Pure kernel executable (the operating system loaded into memory at boot-time).
  /bsd.mp
  Pure kernel executable for multiprocessor machines.
  /bsd.rd
  Installation kernel. The built-in RAM disk contains utilities which can be run without an external file system, so this kernel is useful for limited system maintenance too.

Tune the system

  sysctl(8) get or set kernel state
  config(8) modify a kernel

Need more help?

  FAQ: http://www.openbsd.org/faq/
  Manual page: afterboot(8)
  Mailing list: misc@

Presentations & Papers

  http://www.openbsd.org/papers/

Supporting OpenBSD

  Donations [1]
  
  OpenBSD Foundation [2]
  
  OpenBSD Store [3]

Thank you. Feedback: contact@

[1] http://www.openbsd.org/donations.html

[2] http://www.openbsdfoundation.org/

[3] http://www.openbsdstore.com/
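The deck's PF and doas sections each stop at "read the manual"; as an added example (written for this page, not code from the slides or from OpenBSD) here is a shell script that stages the deck's laptop pf.conf together with a doas.conf and checks both before they are installed. The 'egress' interface group and the user 'marc' come from the deck; the wheel rule with 'persist' is this example's own addition, and the fallback lint functions are this example's heuristics, not pf's or doas's parsers. On an OpenBSD host, 'pfctl -nf' and 'doas -C' remain the authority.

```shell
#!/bin/sh
# Added example, not part of the deck: stage the slides' laptop pf.conf and a
# doas.conf in a scratch directory and check them before they are copied to
# /etc. On an OpenBSD host the real parsers run (pfctl -nf, doas -C); elsewhere
# a small structural lint written for this example (not pf's or doas's grammar)
# still catches two classic mistakes: a ruleset whose first filter rule is not
# a default deny, and a passwordless doas rule not limited to one command.

# stage_pf DIR: the deck's ruleset (allow only ping/ssh in, everything out).
stage_pf() {
    cat > "$1/pf.conf" <<'EOF'
set skip on lo
set fingerprints "/dev/null"
block log all
pass in on egress inet proto icmp all icmp-type echoreq
pass in on egress inet proto tcp from any to any port ssh
pass out
EOF
}

# stage_doas DIR: the deck's reboot rule plus a password-protected wheel rule.
# 'persist' (cache a successful authentication for a while) appeared in doas
# after the 5.8-era deck; drop that word on older releases.
stage_doas() {
    cat > "$1/doas.conf" <<'EOF'
permit nopass marc as root cmd reboot
permit persist :wheel
EOF
}

# pf_lint FILE: PF is last-match-wins, so the default deny must be the first
# filter rule; additionally every 'pass in' has to name a protocol. Returns 0
# when both hold, 1 otherwise. Options, tables, match rules and macros are
# skipped because they are not filter rules.
pf_lint() {
    awk '
        /^[ \t]*(#|$)/                            { next }
        /^[ \t]*(set|table|match|antispoof)[ \t]/ { next }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/    { next }
        /^[ \t]*(block|pass)([ \t]|$)/ {
            if (first == "") first = $1
            if ($1 == "pass" && $2 == "in" && $0 !~ / proto /) bad_in = 1
        }
        END { if (first == "block" && !bad_in) exit 0; exit 1 }
    ' "$1"
}

# doas_lint FILE: returns 1 if any "permit nopass" rule lacks a "cmd"
# restriction (that would be password-free root for everything), else 0.
doas_lint() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "permit" && / nopass/ && !/ cmd / { bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# check_configs DIR: prefer the native parsers when they are installed.
check_configs() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1/pf.conf" || return 1
    else
        pf_lint "$1/pf.conf" || return 1
    fi
    if command -v doas >/dev/null 2>&1; then
        doas -C "$1/doas.conf"
    else
        doas_lint "$1/doas.conf"
    fi
}

# Stand-alone run: stage both files in a temp dir and report the verdict.
# Once they are in /etc, activate the ruleset with: pfctl -f /etc/pf.conf
main() {
    dir=$(mktemp -d)
    stage_pf "$dir"
    stage_doas "$dir"
    if check_configs "$dir"; then
        echo "ok: $dir/pf.conf and $dir/doas.conf pass the checks"
    else
        echo "FAIL: review $dir before installing" >&2
        return 1
    fi
}
main
```

The ordering check matters because of PF's last-match semantics: 'block log all' only acts as the default when it comes first, and a 'pass in' later in the file overrides it for whatever it matches, which is why the deck's pass rules are narrowed to icmp echo and tcp/ssh on egress.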


Slide 3:

> Get the last PF (Packet Filter) features

last -> latest


> Feedback: contact@

Posting about typos and such here in the comments helps no one.


I just wanted to point out a typo, is there some rule against that?

lol, I was considering not posting comments on HN anymore. This is just cake. I don't even know why I try, bye HN thanks for all the fishes.


Comments here, generally, should contribute to or advance the discussion.

I'm having trouble seeing how pointing out a typo to other HN readers -- who can't fix it -- benefits any of us. If you felt inclined to point it out to someone, you should have pointed it to the author (who conveniently provided a way to contact him).

If we always pointed out every typo or grammatical error in every submission (as users on some other discussion sites tend to do), this comments section would be full of them and the quality of the site would quickly diminish.



