Hacker News
Quick and dirty way to have OpenBSD running on Linode (linode.com)
51 points by 6d6b73 on July 20, 2015 | 46 comments



This is great for sure. I just wish Linode/Digital Ocean/etc would take notice of how much work people are willing to go through to use OpenBSD on their platforms and provide official images to make things easier. It's obviously a minority of people, but they're also loyal customers willing to go out of their way to run what they want on your platform. Seems like a great move to build community good-will.


I've been in talks with the DO owner regarding how at least half of the DO BSD UserVoice votes (https://digitalocean.uservoice.com/forums/136585-digitalocea...) were for OpenBSD. Yet only FreeBSD got supported.

How, for instance, most of the cool stuff in FreeBSD comes from OpenBSD (pf, OpenSSH, OpenSMTPD, OpenNTPD, LibreSSL, http://itwire.com/business-it-news/open-source/62641-crypto-...). How, for instance, one cannot protect oneself properly using FreeBSD's outdated version of pf.

He's expressed his utmost sympathy, and it is my belief that he's slowly but surely realizing OpenBSD's worth.


OpenSMTPD, OpenNTPD and LibreSSL aren't in FreeBSD.

To say that most cool stuff in FreeBSD comes from OpenBSD is pretty misleading. Certainly, FreeBSD has lots of cool things that come from other operating systems. :)


This is great, I remember being disappointed about only FreeBSD being added from this effort as well. Thanks from the rest of us for keeping the conversation going :)


Can you mention what is unsafe with FreeBSD's outdated version of pf?


The main difference in my experience (I am both a FreeBSD and OpenBSD user) is in syntax, not functionality. It's not as if FreeBSD is shipping a strangely vulnerable version of PF. I believe it's possible also he may be referring to multi-core PF which last I heard was still a ways away in FreeBSD.


Multi-core pf landed in FreeBSD 10. There are further enhancements in the pipe, like a better hashing algorithm, planned for 11.


As someone who is totally unfamiliar with OpenBSD, why are people going to all this trouble? Does it offer something different to the plethora of Linux distributions that are available?

Apologies if my curiosity is misinterpreted as ignorance.


Don't get me wrong, I love Linux and have been using it since I was a kid. But, for what it's worth, here's my selling point:

Choose OpenBSD for your Unix needs. OpenBSD -- the world's simplest and most secure Unix-like OS. Creator of the world's most used SSH implementation OpenSSH, the world's most elegant firewall PF, the world's most elegant mail server OpenSMTPD, the OpenSSL rewrite LibreSSL, and the NTP rewrite OpenNTPD. OpenBSD -- the cleanest kernel, the cleanest userland and the cleanest configuration syntax.



Nitpick: LibreSSL is a fork/cleanup of OpenSSL, not a rewrite.


Given how involved that "cleanup" was, "rewrite" isn't entirely inaccurate ;)


Definitely not, curiosity is always important! I could mention the security focus and a bunch of other things but instead of going into another thread here explaining differences (it looks like you already have a reply starting), I'd suggest doing a search here on HN for OpenBSD. You'll find a ton of threads with discussions about the relative plusses and minuses.


There are several reasons why folks (myself included) prefer OpenBSD for a lot of server roles:

-- PF (which, in my system-administrating experience, is way nicer than any GNU/Linux firewall to date) is only available on BSD-derived systems (including OS X and - IIRC - Solaris), and originated on OpenBSD.

-- OpenBSD has a very strong security track record over the last 1 1/2 decades or so.

-- OpenBSD has been the source of a lot of really nice bits of software [0], and tends to be the first and preferred platform for quite a bit of that software. My own use cases revolve around PF, OpenSSH, tmux, httpd/relayd, spamd, and OpenSMTPD. httpd and relayd in particular are currently exclusive to OpenBSD last I checked.

This isn't to say that OpenBSD is right for everyone (notably, upgrading between releases and getting the latest patches for a given release can be... involved, to say the least), but there are certainly reasons to prefer it over GNU/Linux or the other BSDs.

Not to mention that some Linux-only software will happily run on the mainstream BSDs - OpenBSD included - thanks to a binary compatibility layer. Even things that rely heavily on Linuxisms - like Docker - can run on at least FreeBSD [1], and doing the same for OpenBSD, while probably more involved (OpenBSD notably prefers chroots over newfangled virtualization techniques like containers and jails; in the opinion of its authors and users, containers/jails/etc. only provide an illusion of isolation, and chroots provide equivalent functionality without dishonesty. While I don't entirely agree with this, I can see where the attitude comes from and understand the rationale.), might very well be possible sometime in the not-so-distant future.

[0]: https://en.wikipedia.org/wiki/OpenBSD#OpenBSD_component_proj...


OpenBSD is a really polished operating system built to a much higher, tighter standard than Linux and the GNU libraries are. I used it right up until "cloud computing", and then for economic reasons needed to use Linux instead.

The biggest problem with OpenBSD has been lack of support for hardware and virtualization, though a lot of the reason for this has been the OpenBSD team's own hostility towards virtualization. I get their reasoning (virtualization is a security issue), but the economic consequences have been devastating to their userbase.

The cost difference and ability to run on cheaper hardware was a big reason Linux won out over Windows. It's important to make operating systems accessible to everyone, even those that can't afford full dedicated servers.


"The biggest problem with OpenBSD has been lack of support for hardware and virtualization, though a lot of the reason for this has been the OpenBSD team's own hostility towards virtualization. I get their reasoning (virtualization is a security issue), but the economic consequences have been devastating to their user base."

If you watch the ruBSD 2013 interview video with Theo de Raadt[1] at 6:36, he states that they should take a shot at dealing with modern x86 VMs. That gives me quite a bit of hope along with the work on vmware related drivers in each release.

I use VMware at work, seems to do ok.

1) https://www.youtube.com/watch?v=OXS8ljif9b8


Consistency and cleanliness. Man pages are a dream, documentation solid and up to date. You can get things done and focus on what you want to accomplish, not what is getting in your way.


It's pretty simple on Vultr.

https://www.vultr.com/docs/setup-openbsd


Came here to say this. One of the reasons I chose Vultr over DO and Linode is the flexibility, and the price is competitive with DO.

Though, I understand why someone who already has a Linode investment would want to do this instead of changing providers, kudos to the author for sharing!


Also works fine on Bytemark's BigV - just mount the install CD as an ISO: https://forum.bytemark.co.uk/t/anyone-installed-their-own-os...



I think the dirtiest remote install I've done was installing FreeBSD 6.X on a QEMU VM with zeroed raw disk image, then dd | gzip | netcat to a failsafe Linux the hosting provided, and from there overwriting the hard disk with shell redirection.


Oh my, that's nothing ;-) All I had was a minimal Debian install with ssh access. So I installed QEMU, and over ssh with X11-forwarding I started it up using Debian's /dev/sda as the QEMU hard drive (yes you can: qemu-system-x86_64 -hda /dev/sda -cdrom install57.iso -boot d -m 256). Now install it without deleting Debian's partition. And then add the OpenBSD boot entry to grub. Dual boot remote server!


Are there any hosting providers that will truly accommodate raw disk (filesystem: ffs, etc.) images as opposed to proprietary image or container formats (Amazon's, VMware's, etc.), without having to jump through numerous hoops?

For the sake of example, say I already have my system built and configured just the way I like it, as a "raw" ffs image file. And FWIW the kernel on that image is multiboot compatible and can run as a Xen guest.

I also have my own non-GRUB bootloader. But I realize that it may not be feasible for the hosting provider to let me use it.


dd it onto a "raw" Linode disk, set the bootloader to "Direct to disk".


Not a Linode customer. If you have access to the grub(2) prompt, you can download an OpenBSD ramdisk and boot it directly from there. The whole process boils down to

Download file to /boot (or anywhere accessible from grub)

Reboot / boot OpenBSD installer

Did that on my cloudcost machine to experiment with OpenBSD services.


It's a VPS. You don't have access to grub in any form.


That's untrue; Linode offers PV-GRUB. I've been using it to boot FreeBSD with their Xen offering for years.


I installed OpenBSD at ramnode: mount ISO and use HTML5 VNC client to install the system.

I don't really like preinstalled images, because I don't trust them. They usually tinker with network settings, sometimes with other things. I prefer the official installer.


> preinstalled images

I had the issue with FreeBSD on kimsufi (2To UFS-formatted drive...). The great thing however was how good their recovery system was: they provide a Linux and BSD live rescue boot that you can use to chroot-install your system. There are just so many parameters that will get badly set with a pre-installed image: FS, size, hostname, routes, addresses, packages not in base (!!!)...

IMO, a reliable rescue mode along the preinstalled images would have all users happy, as either you are in command of the install or are just getting started anyway and don't mind the default settings.


Why not just use http://www.geekisp.com which is an all BSD shop? I've been a satisfied customer for probably around 10 years now.


Because their pricing doesn't match the current pricing situation of going as cheap as possible.


True, but their customer service is bar none. Worth a few extra bucks.


What's the point of running OpenBSD on Linode? Surely the fact that you're using Linode negates pretty much all of the security benefits provided by OpenBSD.


I don't see how it does anything of the sort. Using Linode may expose you to additional attacks (I'm not quite sure what you're referring to), but if running OpenBSD daemons with OpenBSD's protections leaves your server less vulnerable to direct attack than alternatives on Linux, this is a significant improvement.


I was just referring to their security track record :) (4? compromises within 3 or so years)


Not in any order:

   * they like OpenBSD
   * they want to learn OpenBSD


But why Linode over any of the plethora of alternatives that actually support OpenBSD (and offer significantly better pricing than Linode)?


In my experience (happy customer for 3+ years) their support is absolutely exceptional. Some people value things like that over penny pinching on business critical infrastructure.


Do they support users running OpenBSD at all?

That's the main reason I wouldn't do it, when there are other hosting companies that explicitly do support it.


Yet they have pretty much the worst security track record in the entire industry. They also have a history of trying to cover up issues and straight up lying to their customers.


Already a Linode customer?


Like who?


I don't know about pricing (they're slightly pricier last I checked), but 1984.is is one example of a hosting company that supports OpenBSD directly.


I'm sure that's a good hosting company for Icelanders, but what about the rest of the world?


I live in California; it's actually not terribly bad from where I am latency-wise.

That said, I currently just run my personal mail server. However, I'd reckon latency to be pretty decent from the East Coast (of North America) or western Europe. Not sure about the whole rest of the world, though.



