OpenBSD 6.3 released
marc.infoCongratulations and thanks to the OpenBSD developers for yet another great release!
From the release notes:
> o Support the sun4v hypervisor interrupt cookie API, adding support for SPARC T7-1/2/4 machines.
Who is running OpenBSD on a big expensive SPARC T7 and why? I'm genuinely curious as to what possible use cases there are which make this a desirable combination.
It was probably for testing, but that platform supports partitioning up the hardware through LDOMs, which OpenBSD supports as both a host and guest.
https://www.tedunangst.com/flak/post/OpenBSD-on-a-Sun-T5120 (Not expired, Ted runs his own CA)
unrelated, but I found his post about running his own CA quite interesting: https://www.tedunangst.com/flak/post/moving-to-https
Actually, being special is sometimes just boring and annoying.
>Do we really want an internet where the use of encryption requires authorization?
No, it doesn't require, it provides identification and that's a huge benefit. We are all far better by having it as a standard. Just configure Let's Encrypt and stop annoying your readers.
For a while, every article from his site on Lobste.rs had someone complaining about that. It got old. I eventually came up with a theory about what the prankster was really up to:
In general, OpenBSD support for Sparc helps with testing - the Sparc is architecturally quite a bit different from other CPUs:
https://www.openbsd.org/sparc64.html
"The other architectures that OpenBSD supports have benefited because some kinds of bugs are exposed more often by the 64-bit big endian nature of UltraSPARC."
That’s the same reason I include Solaris as a target in my automated build system. It’s arcane enough and independently developed enough to expose incorrect assumptions in C code.
Could you say how you do that? Keep an open indiana VM and tell Jenkins it's a build slave?
Take a look at this, https://news.ycombinator.com/item?id=12526420 (2016)
"SPARC64 is a favorite of this developer because it's some Alice in Wonderland stuff where up is down and left is right compared to other architectures. So it exposes a number of bugs that others don't."
I don't know about a SPARC T7, but I do run OpenBSD on my Sun Fire T2000 (UltraSPARC T1) and have been impressed with its LDOM support.
Thanks for the testimony. :)
Becoming a new SPARC user is becoming more tempting to me now.
I apologize for being an ignorant for so many years but... who is the OpenBSD target audience? In which areas it is the most popular OS? I worked with Windows, GNU/Linux and macOS (OSX) but never tried OpenBSD.
In my estimation, mostly a mix of:
- Those running network infrastructure (router, firewall, VPN gateway, mail server, etc.)
- Those who want a simple Unix desktop with no gimmicks and low hassle
- Hardcore Unix geeks who don't like the other flavors for $REASONS
In a more general or vague sense, OpenBSD is often appealing to people who care more about cohesiveness and correctness than about the sheer magnitude of performance and features. If you've ever thought that you might prefer to have an indefinitely supported version of Windows 7 because Windows 10 seems to be crawling with gratuitous changes, bugs, and dubious "features", the appeal is a bit like the Unix equivalent of that.
> - Those who want a simple Unix desktop with no gimmicks and low hassle
This! When you are using OpenBSD, and wonder how a particular piece of the kernel works, you just open the source code, read it, and you can usually have a good idea of the inner workings with some days studying it. Trying to do the same thing with linux, you would need months to grasp any idea of how it works. Linux is developed by thousands of people all around the world at the same time. OpenBSD on the other hand is developed by a few power developers, which gives the code a unique consistency and readability.
Just use Debian GNU/Linux minimum-installation without desktop environment. I doubt you're much faster in studying the OpenBSD kernel compared to the Linux kernel. I'm also not sure if some days are enough for both of them.
OpenBSD is great if you enjoy rooting around in the innards. I find the code simple and easy to read. Man pages are extraordinarily complete and accurate. OpenBSD devs go out of their way to delete unused and crufty code.
> OpenBSD devs go out of their way to delete unused and crufty code.
I noticed this first hand in while submitting a patch for my macbook's touchpad to FreeBSD's wsp driver and then comparing to OpenBSD's driver... The approaches between FreeBSD's and OpenBSD's driver couldn't be more opposite: FreeBSD's is big, explicitly listing each hardware revision/model (hence the reason I had to go in there and add mine), OpenBSD's very minimal, implicitly inferring all hardware revision options so users don't have to add each and every one, it's also very neat and tidy which I think is an underrated quality in source.
Admittedly this is only one file from one small number of devs, far from the whole of FreeBSD, but the contrast matches much of what i've heard of OpenBSD's approach: minimise cruft and bad code, if it's shit and not easy to re-write then delete it, better to be minimal than buggy and insecure.
Full Disclosure: My comment may well be outdated since I moved away from FreeBSD for my desktop 2 years ago, I have nothing against it, I just needed (other) working drivers.
BSD people, usually networking. And people who like security (though OpenBSD has detractors). It was used a lot as firewall for critical infrastructure a few years ago, perhaps still is.
Also, installation was quite fast if you knew what you were doing.
It has been my daily driver on laptops and desktops for eight years. I have run home servers with it as well.
It's my primary desktop as well. I like it because it's low churn, everything I need just works, and most of the configurations have sane defaults so config files tend to be short and simple or not needed at all.
I don't hack on the internals or build my own ports, I just use it. It stays out of my way and I like that.
This may seem like a ridiculous comment but I love that a lot of work on Linux has been to make it easy-as-pie to install/setup quickly and I feel like it's happened in the last couple years (cgroup + systemd stuff mostly). I praise docker for making immutable services commonplace, but I also love projects like cockpit from redhat + netbox + coreOS. There used to be so much technical debt that went into getting a server off the ground and monitoring it.
I'm weird, dunno if others agree ~
OpenBSD's target audience? From what I've seen, it's OpenBSD developers. Your other question was answered in the OpenBSD FAQ. https://www.openbsd.org/faq/faq1.html#WhatIs
I run a home brew OpenBSD router. It hosts a vpn server. (Amongst other things) Comes in handy when traveling. Plus, it’s a good way to sharpen my professional skills.
I've been thinking about doing the same thing. What hardware did you use?
I've got an OpenBSD router setup on an APU2 (https://www.pcengines.ch/apu2c4.htm). It's running dhcpd, unbound, dnscrypt-proxy, openvpn server and an openvpn client and the load averages are pretty low. Haven't bench-marked throughput properly yet as I'm still configuring PF properly.
I used these [0][1] repos as a starting point, I wrote a few helpers to update dynamic dns and a DNS ad blocklist for unbound. This replaced a pfSense install and I'm happy with it so far.
[0] https://github.com/elad/openbsd-apu2 [1] https://github.com/northox/openbsd-apu2
I bought a qotom mini pc with 4 lab ports off amazon. It’s worked really well. I accidentally knocked it offline yesterday and it came right back up.
What I love about OpenBSD is the documentation. If An openbsd manpage describes it then it will work like that.
The only bummer is it’s a bit of a niche. I’m sure the majority of Linux distros dwarf its development team in warm bodies.
I've found some people who run OpenBSD tend to quite like Arch-Linux style systems, there are similarities in terms of minimalism, it's probably the most Arch like of the BSDs. The install process is similarly more hands on also... unlike say FreeBSD's installer which you can almost just keep pressing the return key on.
If you haven't used the OpenBSD installer lately, it's about that simple also.
Good to know, as much as I like the possibility of customising to that level I also appreciate good defaults so I don't have to if I don't want to (yet). I've been using Debian for a number of years for $HARDWARE_REASONS, but openBSD is probably what I will try next if I give the *BSDs another go.
Before cloud was a thing, I used to run an OpenBSD web server in my bedroom on my old desktop. I set it up after my commercial web host was hacked for running outdated Apache.
I stopped using OpenBSD when I tried installing it on my newer Core 2 Duo desktop in ~2008, but the OS would not boot, and I was told on IRC by OpenBSD developers that the hardware was too new for OpenBSD.
FWIW, now I use Arch Linux. I guess I'm in the target demographic.
I notice the new Broadcom Wifi bwfm(4) drivers. Anyone with better knowledge of the project know what hardware is supported by that? The manpage doesn't mention specific chips: https://man.openbsd.org/bwfm.4
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/if_...
indicates:
those are hex codes defined in:static const struct pci_matchid bwfm_pci_devices[] = { { PCI_VENDOR_BROADCOM, PCI_PRODUCT_BROADCOM_BCM43602 }, { PCI_VENDOR_BROADCOM, PCI_PRODUCT_BROADCOM_BCM4350 }, };http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/pci...
as:
so if you're not sure, checking boot up dmesg on OpenBSD or lspci on linux should give the hexcode of your device which should match 0x14e4 + one of the other two..vendor BROADCOM 0x14e4 Broadcom product BROADCOM BCM4350 0x43a3 BCM4350 product BROADCOM BCM43602 0x43ba BCM43602Ooh! Interesting. I've a ~2 year old Macbook Pro with the 43602 chipset. Would be lovely to be able to run OpenBSD on it without wifi dongles.
Busy upgrading machines now, lots of nice new things.
Looking forward to checking out the new execpromises in pledge. I use pledge in all my C stuff and have added it to a few other apps. Thanks OpenBSD devs!
I just wish other systems would adopt pledge.
Of all the priviledge dropping mechanisms I have encountered, pledge seemed the most comprehensible.
> Looking forward to checking out the new execpromises in pledge
Interesting that they just changed the interface from `int pledge(const char * promises, const char * paths[]);` to `int pledge(const char * promises, const char * execpromises);`. I guess that is the power they have by being a BSD and integrated system, they do not worry about userland compatibility.
The pledge(2) manpage for 6.2 and earlier states:
"BUGS. The path whitelist feature is not available at this time."
So the second argument was previously unused, and thus could be repurposed without hurting backwards compatability.
zokier's point is still correct though. OpenBSD is a complete system, kernel + userland. You upgrade in lockstep.
What type of machines do you run OpenBSD on, out of curiosity? Routers, workstations, web servers, embedded devices?
Routers, workstations, servers (DNS, web, mail, backup).
sshd(8): Add "expiry-time" option for authorized_keys files to allow for expiring keys. -- hooray!
Can someone help explain what the "routing domain" is?
You can have multiple routing tables (similar to VRFs on networking gear) which are classified into routing domains and assign different rdomains to different applications. See rdomain(4): https://man.openbsd.org/rdomain.4
Thanks! And for the VRF tip.
man rdomain to start, though unfortunately you kind of need to already understand rdomains to fully understand the docs. Basically it's a network partitioning/virtualization tool. Two computers can have two routing tables. rdomains lets one computer have two routing tables. Each process is in one rdomain or another which determines where its traffic goes and how it sees the network.
It sounds like someone wanted /net and private namespaces from Plan 9, but they were stuck with Posix, and this is the catenary track they built to make the square wheels run smoothly.
Interfaces can be places into rdomains aswell
So.. they are like linux network namespaces?
Thanks!
I actually searched the release notes for ipv4 due to that awful april fools gag. That wasn't funny. ;)
I don't get it, Sorry. Can you elaborate? Thanks!
EDIT: Nevermind: https://marc.info/?l=openbsd-cvs&m=152256582629837&w=2
That was NetBSD :)
6.3 Song: Maybe...
no more songs. :(
Currently running my VPN in Linux on a pi. Gonna see if I get openbsd to run on the pi.
As of this morning, customers can install OpenBSD 6.3 on a Prgmr.com VPS using our updated netboot installer. https://prgmr.com/blog/2018/04/03/distributions-updated.html