hello friends! new(ish)!

OpenBSD: Difference between revisions

From InstallGentoo Wiki v2
Jump to navigation Jump to search
>Keboler
No edit summary
>Keboler
No edit summary
Line 8: Line 8:
Here are some reasons why:
Here are some reasons why:
* It's not Linux - OpenBSD can claim to be, for the most part, safe from many of the freedesktop.org initiated projects like systemd that are deservedly unpopular amongst Linux users. It also promotes portability so that a program can claim to run on more operating systems than just Linux.
* It's not Linux - OpenBSD can claim to be, for the most part, safe from many of the freedesktop.org initiated projects like systemd that are deservedly unpopular amongst Linux users. It also promotes portability so that a program can claim to run on more operating systems than just Linux.
* Stuck in the mud - OpenBSD tries to stick to being a faithful evolution of 4.4BSD-Lite, and instead of having Google Groups mailing lists and forums and wikis, OpenBSD has mailing lists with a [[http://marc.info blessed archive]] and a website that has come straight out of the 1990s. This is actually a good thing for many people.
* Stuck in the mud - OpenBSD tries to stick to being a faithful evolution of 4.4BSD-Lite, and instead of having Google Groups mailing lists and forums and wikis, OpenBSD has mailing lists with a [http://marc.info blessed archive] and a website that has come straight out of the 1990s. This is actually a good thing for many people.
* The right way - You may come to a point at one time or another where you have actually been convinced that choice is bad. Choice is bad, because it places us in a position where we must make a choice. Many things in OpenBSD have only one way of having it done and in many cases it is the best way of having it done.
* The right way - You may come to a point at one time or another where you have actually been convinced that choice is bad. Choice is bad, because it places us in a position where we must make a choice. Many things in OpenBSD have only one way of having it done and in many cases it is the best way of having it done. An example of this is apmd - when enabled, it transparently manages CPU frequency and power states and handles suspend and hibernation extremely easily and transparently.
* Sane defaults - OpenBSD tries to do whatever you wanted it to do out of the box, so it works for you and does so the first time instead of having to fiddle around with configuration; this is especially important due to security. Most, if not all daemons in the base system and even in ports and packages are chrooted and priv-dropped by default.
* Sane defaults - OpenBSD tries to do whatever you wanted it to do out of the box, so it works for you and does so the first time instead of having to fiddle around with configuration; this is especially important due to security. Most, if not all daemons in the base system and even in ports and packages are chrooted and priv-dropped by default.
* Integration - OpenBSD is developed in a single CVS tree (whine whine whine... they use C... V... S...), which means that the developers can work with a totally integrated solution instead of having to accommodate bits and pieces from various projects like Linux distributions. Again, an example of this is apmd, which works so well when the daemon and the kernel can have their interfaces synched up and always compatible.


== Licensing ==
== Licensing ==

Revision as of 15:16, 21 December 2015

Mascot of OpenBSD, Puffy the Pufferfish

OpenBSD is a free, multi-platform 4.4BSD based Unix-like operating system, part of the BSD family. The OpenBSD project's efforts emphasize portability, correctness, proactive security and integrated cryptography, although you probably already know this by now.

Why?

Why might I want to use OpenBSD? Here are some reasons why:

  • It's not Linux - OpenBSD can claim to be, for the most part, safe from many of the freedesktop.org initiated projects like systemd that are deservedly unpopular amongst Linux users. It also promotes portability so that a program can claim to run on more operating systems than just Linux.
  • Stuck in the mud - OpenBSD tries to stick to being a faithful evolution of 4.4BSD-Lite, and instead of having Google Groups mailing lists and forums and wikis, OpenBSD has mailing lists with a blessed archive and a website that has come straight out of the 1990s. This is actually a good thing for many people.
  • The right way - You may come to a point at one time or another where you have actually been convinced that choice is bad. Choice is bad, because it places us in a position where we must make a choice. Many things in OpenBSD have only one way of having it done and in many cases it is the best way of having it done. An example of this is apmd - when enabled, it transparently manages CPU frequency and power states and handles suspend and hibernation extremely easily and transparently.
  • Sane defaults - OpenBSD tries to do whatever you wanted it to do out of the box, so it works for you and does so the first time instead of having to fiddle around with configuration; this is especially important due to security. Most, if not all daemons in the base system and even in ports and packages are chrooted and priv-dropped by default.
  • Integration - OpenBSD is developed in a single CVS tree (whine whine whine... they use C... V... S...), which means that the developers can work with a totally integrated solution instead of having to accommodate bits and pieces from various projects like Linux distributions. Again, an example of this is apmd, which works so well when the daemon and the kernel can have their interfaces synched up and always compatible.

Licensing

The BSD operating systems are where the BSD licence originated from, allowing free reuse of code even in non-free software, with the requirement that the original contributors' attributions are retained. Some would argue that this means that non-free software developers can take the original software, improve it and not give back contributions to the free and open source software community.

you might live in a world without morals; I don't.
Henning Brauer

The original code will always stay as free as the original developer intended it to, and improvements on the code are often returned back in good will for the unrestricted use of the software in the first place.

As for the licensing state of OpenBSD itself, this author understands that most of the OpenBSD source inherited from BSD Net/2 and 4.4BSD-Lite stays under a traditional 3-clause BSD licence, with new programs from OpenBSD generally released under the simpler ISC licence. The only programs released under the GPL included with OpenBSD are the GNU toolchain (GCC, binutils, GDB).

How To

Set up the shell

pdksh, OpenBSD's default shell, only sources .profile out of the box. Add

export ENV="${HOME}/.kshrc"

to your .profile, and then add your interactive shell customisation to .kshrc. Programs like startx and other shells will inherit $ENV from the environment, so it will continue to be sourced in all shells in the session.

Privilege escalation

sudo, the privilege escalation tool used in many Linux distributions, was replaced by doas in OpenBSD 5.8, a far simpler implementation. To set it up, you need to edit /etc/doas.conf. This is an example doas.conf:

permit keepenv { PKG_PATH } :wheel as root
permit nopass root

This allows all users in the wheel group to run commands as root and pass the environment variable $PKG_PATH which is used to specify a package repository as described below. If you added your user account with the OpenBSD installer, it should have added it to the wheel group already. It also allows root to run commands without a password for all users on the system.

Package management

OpenBSD package management turns out to be easier and simpler than many Linux distributions. Instead of a system-wide repository and downloading a repository database, the OpenBSD package utilities simply pull packages from a remote server (or an official CD) specified in the environment variable $PKG_PATH and installs them. Remote repositories can be any of the mirrors listed here. For this example, we will use the ftp.openbsd.org mirror, ran by Theo in Canada. Add this to your .profile (or your .kshrc as described above):

export PKG_PATH="ftp://ftp.openbsd.org/pub/OpenBSD/packages/5.8/amd64"

where 5.8 is your version number, amd64 is your architecture and the beginning of the string replaced with whatever mirror you chose. If you set up your doas.conf to pass $PKG_PATH to root, you can begin installing programs from your normal user account like so.

$ doas pkg_add irssi
Password:
quirks-2.114 signed on 2015-08-09T11:57:52Z
Ambiguous: choose package for irssi
a       0: <None>
        1: irssi-0.8.16p0
        2: irssi-0.8.16p0-socks
Your choice: 1
irssi-0.8.16p0: ok

Read the package management article for more on how to use the OpenBSD package management system.

Init scripts

The OpenBSD init system is configured in /etc/rc.conf.local. It is advised that you only put used entries into rc.conf.local, however it is easier to simply copy rc.conf to rc.conf.local. Any system daemon can be enabled by setting it's _flags variable to blank or to pass flags to the daemon, and can be disabled by setting it to NO. Daemons from packages/ports are specified in the pkg_scripts variable. For example, here is a configuration for starting DNSCrypt and Tor as system daemons.

# rc.d(8) packages scripts
# started in the specified order and stopped in reverse order
dnscrypt_proxy_flags="-R dnscrypt.eu-dk -a 127.0.0.1:40"
pkg_scripts="dnscrypt_proxy tor"

The init scripts will load DNSCrypt first, passing to it the flags to choose DNS server and port, and then start Tor.

Full disk encryption

Full disk encryption in OpenBSD is achieved through the use of softraid.

Boot up the OpenBSD install media and wait until you come to this prompt.

erase ^?, werase ^W, kill ^U, intr ^C, status ^T
Welcome to the OpenBSD/i386 5.8 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?

Choose s to drop into a root shell. If you do not have any other partitions that you need on your disk, initialise the MBR of the first SATA disk with this command:

# fdisk -iy sd0

Now proceed to partition the disk into a swap partition on partition b and a larger partition on a, maybe like this:

> a b
offset: [whatever]
size: [whatever] 9G
FS type: [swap]
> a a
offset: [whatever] 
size: [whatever] 
FS type: [ffs] raid
> w
> q

Blank lines signify a blank line with enter typed. Swap needn't be on the encrypted partition, as OpenBSD has encrypted swap by default for many years. To initialise the RAID partition with a passphrase, type:

# bioctl -c C -l /dev/sd0a softraid0
Passphrase:
Verify passphrase:

You should see a dmesg message showing that the encrypted partition was mounted to sd1. Exit the shell with ^D or exit and when the installer asks you for your root disk, choose sd1 instead. The OpenBSD bootloader transparently handles full disk encryption and will ask you for your passphrase when loading the kernel.