OpenBSD 6.0: why and how (sivers.org)
102 points by sivers on Sept 1, 2016 | 48 comments

This point is one that cannot be overstated:

> Great documentation is a top priority. The built-in man pages are amazing. So if you're stuck on anything, searching the man pages on your own computer is going to give you a better answer than searching Google. (This makes it nicer to work offline, too.)

The OpenBSD documentation is absolutely stellar. It's well-structured, always up to date, has useful pointers and examples. If something is in base, then it's documented and you can use it today.

I still use Linux a lot (especially at work, I basically write Linux software for a living) and I've used it for a really long time (15 years, if not more), but I still regularly find myself reaching for a bookmark, or for Google, or for a bunch of notes I kept around because it took me hours to find out how to do <something> and never again.

In contrast, you can comfortably use and administer an OpenBSD box without needing anything but the man pages that ship with it. They're amazing.

It's not a "Linux is for plebs and it sucks" thing, it's just that serious documentation takes a back seat in its community (there are exceptions, but they're few and distro-specific). In contrast, the OpenBSD community encourages a culture where "good documentation" is part of "good software", not just something you get bonus points for.

In fact, despite how the media portrays it (usually through random quotes from Theo), the OpenBSD community is a refreshing island of sanity in today's computing field.

When I was a fresh new Solaris sysadmin in 2001, cast adrift as the only sysadmin when three people above me were made redundant all at once, I would read the Solaris man pages for the details ... but first I'd read the OpenBSD man pages to understand what the command was supposed to do.

Do you know how to add coloring to the man pages? I have tried: https://gist.github.com/boredzo/06271944983864da495d30363835... to no avail. I have played with all terminals, with more, with less, nothing affects the results.

OpenBSD switched to its own version of man(1) a while back (it's called "mandoc", previously "mdocml" [0]). mandoc's own documentation is excellent and, if it supports color at all, it's likely documented in its own manpage (and also probably on its homepage).

Note that if you're using the OpenBSD vtty (via wscons(4), at least), the default $TERM is `vt100`, which does not support color (beyond the cyan used to render italic text). I've had some luck setting $TERM to `vt220` to get more colors. In an xterm or something, this shouldn't be an issue.

An alternative would be to install some other version of `man` (you'll probably also need `groff` from ports, though some other implementation of troff/nroff might also work).

Frankly, though, I haven't seen colorized manpages before, so I'm not sure what else to tell you.

[0]: http://mdocml.bsd.lv/

I had no idea you could even get coloured manpages :-). Sorry, I don't know what to say.

OpenBSD is the one operating system I purchase on every release, going back at least five or six years. There is a certain elegance to the release that just makes me feel good about using it, even though my day job has me at a Linux prompt 10+ hours a day.

Unlike other operating system/environments, where any hope of comprehending what/how they work after a few iterations is progressively more difficult, and significant architectural changes hose you for hours/days on end (on even simple things like assigning an address to an interface), the slow methodical evolution of OpenBSD stays true to its roots. And tools like signify and doas, new additions to the fold, are almost instantly comprehensible, and never annoy like some of the Linux architectural changes of recent years.

Highly recommended for people who want a reliable, predictable, full featured, and comprehensible Un*x class operating system.

Ever wanted to try some BSD system in my daily usage and this post is a great motivation to actually try. Although there are still some questions:

1) what is the main difference between FreeBSD and OpenBSD? I see, that OpenBSD provides a very minimalistic environment, which still, I think, will perfectly serve my daily workflow based on StumpWM+Emacs+Firefox. Does FreeBSD provide some more "cookies" in aspect of daily usage?

2) What is the state of RaspberryPi support in OpenBSD?

3) Is there some known big issues with video/wifi hardware in OpenBSD?

> 1) what is the main difference between FreeBSD and OpenBSD?

"Security" is the often-stated end goal, but in practice, it boils down to an emphasis on code correctness, maintenance, reliability, portability and sane defaults. Realistically, it's sometimes done at the cost of functionality, but I think it's a smart approach.

This isn't to say that FreeBSD emphasizes incorrect code, just that the OpenBSD team seems to be more inclined to not include (or yank out) code that's unmaintained or is of questionable quality, even if it does useful stuff.

Some of their ideas seem utopic at first (like the insistence on native, instead of cross-compiling), but they turn out to be annoyingly right in the end. My own attitude towards OpenBSD drifted from "what a bunch of loons" back when I was a Linux teenage fan, to "this is how you do computer stuff properly" as I grew up.

> perfectly serve my daily workflow based on StumpWM+Emacs+Firefox

My stack is pretty much similar, except I'm back to WindowMaker (me and tiling WMs had a fight and it didn't end well and we're not speaking anymore).

I don't write much Lisp anymore so I'm not up-to-date on what happened with the OpenBSD ports, but I think all major Common Lisp implementations run well on it (but if you want to run SBCL on 6.0, you'll have to watch out for the mandatory W^X). I don't know if it interests you, I figured you'd want to know if you also hack on StumpWM.

> 2) What is the state of RaspberryPi support in OpenBSD?


> 3) Is there some known big issues with video/wifi hardware in OpenBSD?

Basically, if it says nVidia on it, it doesn't work. If it says ATI on it and it's not too bleeding-edge, it works great. I heard good things about Intel GPUs, but I haven't tried it.

My nVidia cards have always "worked" totally fine with OpenBSD. There isn't any 3D acceleration or anything like that, but running X has always worked fine for me with the open-source nv driver. Obviously it's not ideal, but I wouldn't call it a showstopper except for a small handful of potential use cases.

> 1) what is the main difference between FreeBSD and OpenBSD?

FreeBSD has more. More users, more developers, more features, more drivers, more ports, more money behind it, more settings to tweak, more bugs. By comparison, OpenBSD has a much bigger focus on cohesiveness, consistency, and sound defaults (e.g. custom kernel configs are discouraged/unsupported). I'd argue that OpenBSD has a more usable base system (including things like X11, doas, and tmux).

> 2) What is the state of RaspberryPi support in OpenBSD?

"Support" is nonexistent, but I think there have been a few changes in armv7 for Pi 2/3 and a couple developers are slowly working on it. Don't hold your breath.

> 3) Is there some known big issues with video/wifi hardware in OpenBSD?

The open-source Radeon drivers are pretty outdated at this point (I think the latest adapter with full acceleration support is something in the Radeon HD 7000 family), the Nouveau driver isn't ported, and there aren't proprietary drivers, so you don't really have the option of using a recent discrete GPU. Most effort goes into the Intel drivers (the developers use laptops a lot). 802.11n support is still pretty new and hasn't seen a huge amount of real-world validation yet. Drivers for n-capable hardware are older/better tested, but people have mostly run them in 802.11a/g modes.

> I'd argue that OpenBSD has a more usable base system (including things like X11, doas, and tmux).

Not to mention an actually pleasant /bin/sh (a modified version of pdksh; compare to FreeBSD's extremely minimal version of ash which is (sometimes) useful for running scripts and not much else).

1) The main difference is in their approach to security. OpenBSD's primary focus is a complete, open source, BSD system with a focus on security. The way they attempt to and often succeed at achieving that goal is through "code correctness" and emphasizing the use of integrated cryptography. That isn't to say FreeBSD is insecure, it just isn't their primary focus.

2) I'll let Theo answer that... http://marc.info/?l=openbsd-misc&m=132788027403910&w=2

3) Not "big issues". But since OpenBSD doesn't sign NDAs to get firmware or drivers, and since they like to rework any software that isn't up to their standards, they do lag behind in hardware support. A good way to check if what you have is supported is to read their release notes. For example https://www.openbsd.org/60.html has a list under "improved hardware support".

Didn't get which history Theo is referencing in the message. Could you link to some more context?

The OpenBSD project has never accepted binary blobs into the system. So, unless firmware is open-source, it's not going into OpenBSD. Note that the Raspberry Pi's firmware consists of a binary blob (iirc, there are a couple of other binary blobs needed, too, as drivers).

> The installers are amazing. The initial installation takes like five minutes. Hit [Enter] to the defaults, make your username and password, and it's ready to go.

I love OpenBSD, but this is blatantly false. The installer is 20 years behind any other major OS. The only installation that is really supported is on a dedicated machine, overwriting everything in the drive. And in true OpenBSD fashion, it'll do it without prompting you twice. OpenBSD's fdisk is spartan at best.

Also, for ideological reasons (that I share), the installation media does not include firmware. Lots of video and network cards need firmware to work, so make sure you download a copy of any required firmware to a USB stick beforehand.

Question that may be obvious for those who have experience on the matter: is OpenBSD for server use a no-brainer? It's not that popular in that section even though everything looks so good, so well suited for serving.

I've had no issues serving with OpenBSD, but have gravitated towards FreeBSD myself due to the availability of ZFS and dtrace on that platform.

Both are stellar operating systems, and you'd be doing yourself a disservice if you didn't at least try playing around with them.

It's good, but in my opinion, the fact that patches are not distributed in binary form is a bit of a problem. (Yes, I understand the reasons.) With Debian, I type "apt-get upgrade" and that's it. With OpenBSD it's more complicated.

OpenBSD binary patches: https://stable.mtier.org

Yes, but isn't it a bad idea to install binary patches from a third party?

This 3rd party is comprised of OpenBSD developers though. While not an official OpenBSD project, the people that provide these patches are the same people that have built OpenBSD packages in the first place. So if you trust those binaries, you should trust these binaries too.

This is simply outdated and wrong information. M:Tier does not employ "the same people that have built OpenBSD packages in the first place." Last I checked, naddy@ built the AMD64 packages. He does not work there. In fact, I don't know if any OpenBSD developers still work there. Maybe one (jasper@) but you'd need to ask them.

Thanks for the important correction. It would be great if this were documented somewhere.

ajacoutot@ and jasper@ work for m:tier.

I basically go with OpenBSD unless I need a big file system (then I go with FreeBSD) or one of the infernal vendors we have (often a government contractor for a grant) requires something else (Windows or Red Hat (yes, Red Hat specifically, never any other distro)).

Gotta love how easy the "how" part is. Just a 226MB installer and a tiny README, script, and config packaged by the author. I was wishing for something like this for FreeBSD while reading the desktop tutorial [1] last week (2.6GB installer and a whole lot of manual config).

The fact that at least a firewall comes preconfigured seems like a big deal for people who just want to get a basic system going and not mess that part up.

[1] - https://news.ycombinator.com/item?id=12371688

Can someone please tell me which laptop runs OpenBSD flawlessly and is fairly new?

For example, what do the OpenBSD devs use?

I'm pretty much just going to buy whatever is suggested if I can verify that it's at least a half decent laptop.


> The 2015 X1 Carbon Thinkpad works really well.

-- http://www.tedunangst.com/flak/post/openbsd-laptops

Their biggest problem may be the size of their user/usage community; it may not be so "Everything is rock-solid and just works" for you, and you should probably expect that some features may not be so tested or used outside of the developer using the code for their own purpose. On the plus side, it allows them to move forward fast and break backward compatibility for the greater good; however, keep in mind to follow their mailing list and read the change log very carefully to avoid surprises.

I love OpenBSD, but one reason I don't use it for my day-to-day work is that it lacks some tools that I now find indispensable. For example, LXC containers are incredibly useful for creating isolated, lightweight, development environments. I don't know of anything similar for OBSD.

chroot for isolated environments, but it's not as easy to set up as lxc from what I recall. You could automate setup with ansible or scripts if it's something you do a lot.

You can run VMs in qemu, but the one time I tried it it was painfully slow.

There's also work on vmm introduced in 5.9, but I'm not sure how close it is to something that really is complete and usable.




Thanks. I'll take another look at chroot jails when I do my next periodic "Install OpenBSD and see if I can use it as a day-to-day work OS" experiment :)

chroot(2)[0][1] is probably what you want, although I prefer FreeBSD jails.

[0]: https://www.ibm.com/developerworks/community/blogs/karsten/e... [1]:

Does OpenBSD have an encrypted filesystem that is comparable to Mac OS X FileVault? I like knowing that when I put my Mac to sleep, no one will ever be able to access the contents of my disc without my password.

OpenBSD supports encrypted user mounts and full disk encryption.

Yes. My laptop running OpenBSD uses full-disk encryption.

Also, OpenBSD has encrypted its swap partitions by default for ages.

Does OpenBSD have real package management yet and a clean story for upgrading from one release to the next?

I guess the response would be, what is it about OpenBSD package management that you haven't liked in the past, and what difficulty have you had upgrading from one release to the next?

For example - here are the instructions for upgrading from 5.9 to 6.0: http://www.openbsd.org/faq/upgrade60.html

Once you are done upgrading the operating system, you upgrade your packages with the command:

  o pkg_add -u

A package manager should know about all the files installed on the system. Previously (and it has been many years) *BSD just splatted files into the filesystem and didn't keep track of them.

OpenBSD's pkg_add/* tools are related to the old FreeBSD utilities only by name; Marc Espie rewrote OpenBSD's package tools in Perl many years ago. It is a modern packaging system with proper dependency tracking, per-file checksum verification, privsep and cryptographic signatures (signify/ed25519).

> It's not for beginners. Beginners should use Ubuntu.

Please change it to PC-BSD

A bit off topic: I'm sure that most (if not all) OpenBSD visitors are pro users but a website redesign would make the 'conversion' more friendly for newbies.

I find the openbsd.org site to be excellently laid out and presented. Most sites on the web would do well to take lessons.

I like that the site has been about the same for 15 years[0] but using a slightly larger or more readable font, or increasing space between menu items wouldn't hurt.

(Although maybe the current page works as a "ah, turned off by the looks, effin' hipsters" kind of filter)

[0] the homepage has actually gotten slightly worse compared to around 2001 when I first saw it, https://web.archive.org/web/20010302003922/http://www.openbs... as the list below "About OpenBSD" now is messed up with one or two elements per line for inexplicable reasons

OpenBSD's website is kept this way explicitly out of spite for people who whinge about it.

Honestly, that kind of spite isn't encouraging if one is deciding on an OS to use.

I don't disagree, however OpenBSD's opinion is "We don't care if you use it. We write it for us and it works for us." (paraphrasing).

What exactly is wrong with the current OpenBSD website? It looks fine on the desktop and it's OK on the iPhone.
