Interesting to see OpenBSD continuing to gain hardware support. I've been running it on a small home server for DNS/DHCP and the stability is remarkable. The man years of auditing really show.
Sorry for the off-topic, but I wish our FreeBSD camp could roll back a little from this faux-corporate glass ball without soul and a font from the early 90s spaceship toy box, to Beastie and a stylish serif. What I was trying to say - I'm in envy. OpenBSD artwork is absolutely amazing!
With all the security issues constantly being uncovered in other operating systems - which will only accelerate with AI - it’s time everyone considers OpenBSD. Their decades-long security focus is second to none. We have fully converted from Ubuntu/Debian to OpenBSD. No looking back.
I tried OpenBSD recently and found it behaves very differently from other OSes. The same code works on Linux/FreeBSD/Windows but has poor multi-thread performance on OpenBSD, and async sockets stopped working after sending at high speed for a few seconds. I am not saying there is anything wrong in OpenBSD, it is just different.
It's not even close! It's nearly two orders of magnitude higher for Linux.
This isn't anecdotal or “vague opinion”: CVEs are facts.
You can ask the follow-up question: Why is that?
And there are many reasons.
It could just be that Linux having more users/eyes means more bugs are surfaced ...
But you need to dig deeper to understand why OpenBSD is so much more secure,
the core team of OpenBSD proactively reviews the security of other OSes and when they learn something, they rapidly implement the feature/fix in OpenBSD.
Again, read: https://en.wikipedia.org/wiki/OpenBSD_security_features
Many of the proactive security features OpenBSD has are not implemented by other OSes. And in the case of kernel-level crypto, they won't ever be because of US export restrictions.
> And there are many reasons. It could just be that Linux having more users/eyes means more bugs are surfaced
You really brushed that one off, huh? The ratio of Linux devices to OpenBSD is quite literally a million to one. The ratio of tech companies invested in Linux to companies invested in OpenBSD is roughly 50,000 to 1. The ratio of professional security researchers paid to find flaws in Linux vs OpenBSD is harder to quantify at the moment, but I think we can guess a trend here.
I can agree to a degree that OpenBSD takes security more seriously, and they have made very interesting design decisions to enforce their security model. But I entirely disagree that the number of "CVEs are facts" to back your opinion that it is superior.
You are correct; OpenBSD is secure by default. And it's not subjective at all.
The homepage of https://www.openbsd.org proudly states "Only two remote holes in the default install, in a heck of a long time!" If they didn't have the evidence to support the statement, the internet would have forced them to remove it by now. ;-)
Remote (exploitable) holes are the ones we all care about.
It's not meaningfully more secure than e.g. Debian.
Their claim to fame ("only two remote holes in the default install in X number of years") is definitionally only valid for the default install in its default configuration which means: no httpd, no smtpd, no unbound, etc. etc. etc.
The default install isn't very useful, because it doesn't do a lot, and so "only two remote holes" or whatever isn't really saying much.
Linux has more CVEs because it's orders of magnitude more popular. OpenBSD has appalling performance, and more or less nobody uses it, so there just isn't a large focus on auditing and fixing it.
It's a great research project, but I would not run it on my personal devices.
The “kernel” in Qubes is arguably Xen rather than Linux, and that’s where the security boundaries are supposed to be defined rather than within VMs that may be running any OS. VM compartmentalization as a security mechanism is hard to compare to a more conventional Unix like OpenBSD.
It's not just Xen, it also relies on the hardware-assisted virtualization (VT-d), which is virtually unbreakable compared to anything else. Most Xen vulnerabilities do not even affect Qubes: https://www.qubes-os.org/security/xsa/#statistics
(This site is extremely good and has fairly recent coverage, point-by-point, of all OpenBSD's mitigations. An important subtext to take to this is that OpenBSD has a reputation for introducing mitigations that exploit developers make fun of. Some of them are great, some of them less so.)
The slides are over 6 years old. The developers' attitudes haven't changed much, but are all of the arguments still valid?
I've followed this discussion here and there over the years and it always goes like this:
1) everyone makes fun of the mitigations
2) many even outright assert they can easily defeat and exploit OpenBSD
3) nobody provides a working PoC when asked to demonstrate how insecure the OS is
And somewhere in the mix there's also you and your usual blabber, also without any substantial examples of how insecure and exploitable the OS is. Always.
You misunderstand Qubes' approach to security. You isolate your workflows into separate VMs, so that the security of a single VM doesn't matter. For example, my secrets are stored in a dedicated offline VM. All kernel bugs in it are just not exploitable. I open my online banking in a dedicated VM, in which nothing else is ever opened. Which attack vector do you think can be used against that?
How long did what take? Learning the essentials of OpenBSD, budget 4-6hours. Switching over servers from Ubuntu, an hour for the first one then 10mins each after that. You can copy config with your favourite tools; most have ports for OpenBSD already.
If you want to learn more in-depth, read: Michael W. Lucas
Absolute OpenBSD, 2nd Edition: Unix for the Practical Paranoid. Highly recommend it as it teaches many fundamentals most software engineers skip.
Note that this specific symlink was special cased because sandboxed programs still need to access timezones. Also note that you would need to be root to create that special cased symlink. It's embarrassing, but less catastrophic than it looks at first glance.
Running security-critical code as root is still a bad idea.
Maybe I'm misunderstanding the video, but it looks to me as if the situation is:
You are root inside a sandbox. As root-in-the-sandbox, you create a symlink and this gives you the ability to escape the sandbox.
(Whether this is interesting or not depends on whether anyone actually tries to use the sandbox facility in such a way as to give root-in-the-sandbox privileges to untrusted people or code. I don't know enough about OpenBSD to answer that.)
So what? You're still root. You're relying on a sandbox to plug a few voids while you still effectively held keys to the kingdom before said voids were plugged.
I hear this excuse daily from developers who insist on running all their docker containers as root "because we have to".
If you're relying on a sandbox as your first line of defense you've already lost the war.
Thanks. It was not evident from the example whether root inside of the sandbox is necessary - I assumed creating arbitrary symlinks doesn't require any particular capabilities, and there's nothing special about the locations.
Though it's not clear to me now:
- why was this patched then?
- is the point about root that non-root wouldn't have access to passwd anyway?
OpenBSD doesn't have separate user accounts for sandboxes. If you're root inside the sandbox, you're root outside it. This exploit requires you to already be root.
Your arrogance is continued proof you could never comprehend the work that goes into building, releasing, and maintaining an entire OS, and your contributions will forever be limited to snarky negativity on message boards.
I used it a bit, had it installed for a while on a G4 PowerBook (must have been early-ish 2000s). I like the no-nonsense attitude towards blobs, security focus. Overall the experience was very good. The bit of code I read was also written nicely. I'll always endorse it and should really install it somewhere again in the near future.
We use OpenBSD for our VPSes on Hetzner, bare metal (for security focussed clients) and older (but still good) hardware in our Home Lab. OpenBSD is excellent on older (no longer supported by Cupertino) Apple hardware. We have an Intel Mac Mini Cluster with near-perfect uptime. If you need to run any kind of server (Web, Mail, DNS, NFS, Database) where you need stability & security, look no further.
Some learning curve, but totally worth it.
Have you tried such OpenBSD installations vs FreeBSD? I forget the differences between OpenBSD and FreeBSD, so forgive the naivety. (I think NetBSD is more for embedded stuff, and Ghost and Dragonfly are more for conventional desktop use-cases if I recall correctly.)
I'm asking because I have not touched any BSD for over 2 decades...and I'm getting the itch to try some out...and was wondering if for server-type use cases (like you noted) whether OpenBSD is preferred over FreeBSD or the reverse, and why? Thanks in advance for any feedback you might provide!
FreeBSD is a heavier, more capable system, suitable for large servers. It's got its own virtualization platform (bhyve), an LXC-ish container system (jails), native ZFS, dtrace, Linux emulation, and a bunch more. It makes for a decent workstation and has pretty decent hardware support.
NetBSD is small and simple. It's a lot like an old-school UNIX. It makes a decent platform for small services. I run bind and dhcpd on a NetBSD machine. The source code is very pleasant to read. It uses the pkgsrc software repository. It's my preferred platform for writing POSIX code.
OpenBSD still carries much of the general feel of NetBSD and can fill a similar niche on a network, but the security focus stands out in their documentation, subprojects (OpenSSH, LibreSSL, OpenNTPD, etc.), APIs (see pledge(8)), and policies. It makes for a great firewall. I'd say it also requires the most know-how.
All of them have excellent documentation (especially compared to Linux distros) and the base system is developed alongside the kernel, giving you a very consistent experience compared to Linux distros where everything is developed in isolation. If you write C, it's worth keeping a BSD system around just for the manpages and to make sure you're not letting Linuxisms creep into your codebase.
The "lightweight" nature of OpenBSD is a matter of perspective - if you are happy with OpenBSD's feature set, then it's a plus. On the other hand, FreeBSD has a lot of additional features, including ZFS, which may be of interest. The last I checked, FreeBSD was more performant in various benchmarks, particularly regarding multi-core performance.
FreeBSD has a bit more of a lax attitude historically to security[0] and seems to prefer being reasonably performant and "easy to use" (this is subjective, but they care about supporting packages outside of base very much, and bundle non-FreeBSD produced packages as part of their base).
OpenBSD on the other hand is perfectly happy to leave oodles of performance on the table for security. They were the first OS to completely drop Hyperthreading support for example, years before spectre/meltdown.
So with these things in mind, FreeBSD is a lot more performant.
FreeBSD has the same roots as OpenBSD but the former has a “compatibility” focus whereas the latter has the security focus.
Having a background in security, the choice was obvious for me. But each person/org should decide based on their needs.
Haven’t had any issues running it on all major hardware (Dell, HP, Lenovo, Apple, etc) the UI isn’t as pretty as macOS on Desktop, but it runs Firefox & Chrome, etc. so you can do everything you need.
If you have an older Lenovo or Mac lying around collecting dust, dive in!
100%. I put off learning/using OpenBSD for a decade until a breach at a client (we weren’t responsible for DevOps/SysAdmin) made me pick it up because I don’t have time to be a full-time Linux Sysadmin anymore. Just want the servers to run without having to think about them. Wish I’d done it sooner.
Lost at lot of time on Linux, Docker, K8s, etc. that I could have skipped completely with OpenBSD.
Our servers are an order of magnitude simpler now, just single services per VM and I sleep better. ;-)
> ...I don’t have time to be a full-time Linux Sysadmin anymore. Just want the servers to run without having to think about them...
Very salient comment there! And, while not the only reason for me, what you noted is sort of one reason that's triggering the itch in me to go back to playing with the BSDs. Don't get me wrong, I still do love fiddling around with some areas of Linux once in a while....but then, there are other uses/areas where I just want a server to do its thing, and for my maintenance to be a little less (at least less than some Linux distros require). So maybe I'm not the only one? :-)
There was FreeBSD and NetBSD. NetBSD supported many platforms while FreeBSD supported just x86. There was some contention between NetBSD developers and Theo and crew left to create OpenBSD. They all more or less have common ancestry, being derivatives of 386BSD.
Yeah, I knew there were some aspects of descendancy across the different BSDs.
And, I mentioned NetBSD for embedded stuff...but really, I *think* it's that NetBSD is simply installed on tons of different hardware....so not only embedded....I kinda remembered that about NetBSD.
But, it's the other BSDs - in particular FreeBSD vs OpenBSD - that I always forget the differences...but got it now. Thanks!
And, wow, do I miss the old X-window workstations...well, I should clarify that I LOVED those (I think they were Sparc?) workstations that ran Solaris or SunOS back in the day! Man, that takes me back some years...but I really loved those machines! :-)
OpenBSD supports sparc very well and is compatible with old sunos stuff (iirc). Unfortunately no 68k anymore (okay, technically there's a niche flavour of 68k that still is supported because of a very dedicated man in Japan)
I want to use OpenSMTPD so badly, but it doesn't have proper support for authentication via LDAP (at least, as far as I can tell). It insists on reading plaintext passwords from the LDAP server, rather than BINDing as the user in question.
I use OpenBSD alongside Hyperbola GNU/Linux, soon to be rebased from a deblobbed OpenBSD 7.0 hard fork. It's dumb easy to set up too. Also, I daily use nvi, oksh, oed (a portable ed for GNU/Linux) along with Xenocara and CWM, and this way the environment is almost the same as OBSD but with a GNU/Linux kernel.
Yeah, I'm aware of FSFLA and Linux Libre, but Hurd is not ready yet and it's being worked on with LLMs (something really anti-GNU, as it's proprietary SAAS).
I don't really see the LLM use as anti-GNU. It would be no different if the code was written in a proprietary IDE with fancy code completion. GNU doesn't restrict contributors to using exclusively free software for their contributions (if they did, they likely wouldn't have gotten very far considering how much work Apple did on GCC). As long as the license is free and GPL compatible, it isn't inherently non-GNU (though, they'd encourage you not to use a SaaS for your own sake).
Now, is LLM code in the Hurd a good thing? No, absolutely not. Ignoring the licensing limbo of LLM output that still isn't settled, LLMs make pretty bad code often enough that I wouldn't trust it to work on something as niche and relatively undocumented as the Hurd.
A local LLM with GPL compatible input and with options to properly tag the source with a full backtracking of the code? Maybe, but that's not what's happening, but massive license laundering.
I use it on my personal laptop, essentially because I like how slim and simple it is.
Packaging is simple, kernel development and upgrade is simple, etc. Also the kernel code itself is written in a style I like, it's to the point, no useless abstractions, no fuss. I prefer it even amongst other BSDs I tried (netbsd and freebsd/dragonfly).
It just feels nice to be able to understand most of your system. It's not as fully featured as Linux, but there is a sense of understanding your system that is refreshing. A bit like if you're on vacation in a small and cute village where life is mundane and calming. At least that's how I feel with it. Mileage may vary.
A while ago I made some blog posts[1] diving into the source code of OpenBSD and FreeBSD (shameless self plug), but haven't had the time recently to write more.
Being able to understand the system, or at least being able to take a quick look when something doesn't work is very refreshing. Not to mention the outstanding man pages. Barely need to google things.
I used to run it on a laptop too, but the battery life was shorter and the laptop ran noticeably hotter than under Linux, so I eventually switched back.
That said, OpenBSD feels unusually coherent (e.g. checking the wifi connection from the terminal). The whole system has a level of consistency that's hard to find elsewhere, also among the other BSDs.
I ran OpenBSD on my laptop 22 years ago. Back then, a full GUI environment with terminal, web browser, editor: 28MiB of memory for the whole operating system and user environment!
About 10 years ago we moved offices, and I was over checking out the new internet circuit and cabling in the office. The circuit was up, and I hadn't brought anything with me to connect to the network, but we had already moved some boxes of old stuff over.
I found a 10+ year old Dell Pentium III laptop in one of the boxes, installed OpenBSD to do some simple connectivity testing, and ended up with a full workstation install and using it for network monitoring and some other random stuff. It stayed in the network/server closet until we moved out of that building just a few years ago.
I run it. Home firewall, office desktops and laptops. It's pretty stable and I'm fairly familiar with it. Really simple if you know Unix. I hope it never goes away, not sure what I would replace it with. Linux is so complicated now, it's just too much for me to deal with
If OpenBSD dies (somehow, at this point so many things are maintained there (OpenSSH, LibreSSL, PF, Tmux, sudo kinda) that it'll always exist to a degree) one of the other BSDs will suffice. FreeBSD is bloaty but for the most part works fine enough
Not GP, but I mostly use: Firefox; Emacs; MPV; Keepass; calibre; xfe; mupdf;... Then a bunch of cli tools. There's a lot in base, so cli are mostly extra utilities like cmus, git, tig, ncdu,...
I would imagine that a lot of people who use OpenBSD on their laptops/desktops run a lean installation with one of the window managers in base (an ancient fvwm version, cwm which I find very nice and twm).
You can however have a full-fat desktop environment with xfce4 or gnome and applications like libreoffice, gimp, inkscape, audacity and so on if you wish. I've never tried KDE on top of OpenBSD base but I gather packages are in ports.
I think it is fair to say that the amd64 arch has good support. The i386 platform arch is on a 'best effort' basis these days which is understandable. I've never looked at the others.
SPARC is well supported (mostly because it's very good at finding bugs that wouldn't be big problems anywhere else despite not being 'correct') and big endian PowerPC (both 32 and 64) is fine, though hardware can be tricky since Apple products tend to be so integrated that you can't really, say, replace a GPU because the support is poor.
My wife and I are building a wedding rentals company. I'm responsible for the digital part and building a Ruby on Rails app deployed to OpenBSD. The entire thing runs on a cheap Supermicro U1 server in a rack at our home. :-)
OpenBSD will always feel like a safe pick for anything in regard to vault or key holding; it's not appropriate to run anything CPU intensive - but it's a very appropriate system for anything that just needs to boot up and hold some data; eventually expose a network interface.
It is, by far, my first choice for a router/firewall. It has so many niceties for this, all well integrated OOTB, and you can deploy something top notch in no time at all.
Been running it as my home router since 2.3.
I had it on a server for a very short time when I used hardware RAID but I replaced that quickly with FreeBSD for ZFS once I could afford to replace that old Dell.
I ran it on my personal laptop for several years when I had one, but having a work laptop for these past decades I don't have much use for a personal laptop. I would probably run it again on a nice portable when I retire. It would be nice to focus on being creative on such a machine. Coding and drawing mostly. I will continue to use Linux in my recording studio though.
I use it for my mailserver (thank you openbsd.amsterdam), for the gateway in my homelab, a dedicated OpenBSD VMD machine in my homelab, and on personal machines (Macbook Air M2, a Thinkpad X220 and on a T480 that dualboots OpenBSD/FreeBSD).
For mailserver I think it is the best option. And for Gateway, PF is just wonderful.
But even on my laptops I enjoy it. It is rock solid, and I have pretty much no complaints.
I've been running OpenBSD on my main laptop for about a decade, as well as on routers. It has the most consistent and well-designed interfaces of any modern *nix other than arguably macOS.
My home router, firewall and VPN gateway is an OpenBSD box, Intel N100 with quad 2.5G Ethernet. To be frank, Linux has better support for fighting bufferbloat with FQ-CoDel, but pf is so much saner than Linux firewalls it's not even close.
WiFi is handled separately by a Ubiquiti UniFi system, but I don't trust Ubiquiti not to exfiltrate data after their underhanded attempt to turn telemetry on a few years ago. OpenBSD WiFi is somewhat mediocre, but it has improved in this release with experimental support for WiFi 6 after years of being stuck at 802.11n.
The closest you will get to the OpenBSD experience on Linux is with Alpine Linux.
> so much saner than Linux firewalls it's not even close.
This is a big one for me. I've run OpenBSD and Linux custom boxes as SOHO routers and I just cannot stand Linux firewalls, I've never liked them and IPTables is just terrible. Yes I know there are wrappers around it now but it's still the default everywhere and still used by lots of other software like Docker. I'm using OPNsense now which is FreeBSD based instead of completely rolling my own but I love that it is still BSD under the hood.
One differing opinion I will offer is that I find NixOS to be the Linux distro most in the OpenBSD spirit despite it being very different from a UX and config management perspective. Alpine is interesting, but it has its own security and compatibility issues, especially around musl libc, which I have seen cause many strange downstream issues over the years; I just hit one recently in JVM GC caused by its memory allocation implementation. I've stopped using Alpine altogether because of them.
I use it for home router, my laptop, several vms for various services, and on one vps I keep around should I need to quickly set something up. I keep a proxmox server for anything I can’t or won’t run on OpenBSD.
Not really, but OpenBSD has been in my life for 25 years.
I used OpenBSD to create the firewalls for our LAN parties when I was at school.
The first shellserver I ran, on an UltraSparc IIi was OpenBSD, gave out accounts to my friends.
And then I used it as a firewall, both professionally and personally, for many years. Until the first Turris Omnia was released, and now I have retired even Turris for pfSense, which is FreeBSD I believe.
But the PF firewall in OpenBSD was superior, definitely to the syntax of IPtables.
To me Linux was a great server OS, and OpenBSD was a great FW/Gateway OS.
I’ve been using it on an old PC Engines router (great hardware, by the way! I wish they were still around.)
It ran for over 8 years without downtime, but I’ve had repeated problems in the last year or so.
I used the default partitioning scheme, which makes /usr tiny, and /var huge, and since it is a router, did not install X11.
At some point, they made x11 mandatory for auto updates. This is dumb, because all the upgrade tool is doing is untarring a list of tarballs. So, I had to perform partition surgery from the upgrade ramdisk to make room for X11.
Now, they made some ASLR relinking scheme mandatory, which makes sense, except the relink directory is 1.5GB (larger than the entire rest of the distribution, and far larger than the parts I voluntarily installed!).
For some reason the relink output files go in /usr, which, by default, won’t hold it at upgrade. It really belongs in /var, because it is not immutable, and also, there’s room there! So, I had to repartition the router from a rescue environment again.
They also removed the ability for ntp to sync on machines without cmos clocks, and the alternate config options don’t seem to work. That’s a bit more niche, granted, but my router hw is reasonably common for openbsd use and has that property. You can make it work by using a second utility to force clock sync at boot.
I like that they keep things simple, but they also recently pulled out any semblance of power loss safety for their file system. I’ve had to serial console in a few times to run fsck, which isn’t really the behavior I want from the home router!
They don’t have any way to setup DDNS in the base install, so you have to use a port or pkg. The port I chose was EOL’ed by upstream (ISC), so I’ll probably need to switch to dnsmasq as a dhcp server / dns server, which is fine, but those services are a significant fraction of the attack surface of my router. DDNS seems like a pretty simple thing to implement, and would be really high value for router use cases. Without it, I’d have to assign static addresses to everything on the LAN, then edit DNS records.
I think all this stuff is fixable, but wish they’d take the niche of “rock solid secure infrastructure” a bit more seriously. This used to be a nice “set and forget” weekend project but now it requires attention every few release cycles.
7.8 barely managed to fit in my duct tape and baling wire partition layout. I’m probably going to switch to FreeBSD on a box with faster NICs when I finally get a > 1GBit internet connection (hopefully in the next year or so).
If I upgrade to 7.9, I’ll have to give up on using the openbsd hypervisor, since, with the partition scheme that the installer chose, there will no longer be a partition large enough to hold the download sets and also the vm image.
This is particularly frustrating because the boot drive is under 50% full. I’d just do “one big partition”, but they warn against that for good reason - it complicates manual fs repair at boot.
Anyway, I really like the project. It would be nice if they did a “fix common papercuts” release, since I doubt many users are as patient as I am.
If you are looking to install it, either use fewer partitions, or way over provision storage (I was 10x over provisioned at install, and the stuff I use hasn’t grown more than 10-20%) and also make sure you choose much larger partition sizes than recommended. This will add under $100 to your hardware cost, even with the storage shortages.
Backup, do a fresh install with new partitions, restore. You have to do this every once in a while especially if your partition sizing is from nearly a decade ago.
My one complaint about OpenBSD would probably be lack of resizable partitions. You can expand them, but only if you have free contiguous space and most of the time one partition starts where the prior one ends. It's rarely a problem in practice, as only /home and /var and maybe /usr/local tend to be subject to any guesswork, but it can bite you from time to time as in your case.
I've already done this twice for this box. Its disk is half empty, and the used space is 75% compounding useless bloat:
- 50% of the used space are package sets I never asked for.
- The stuff I did ask for is somehow 2x larger than it needs to be, since they don't randomize binaries in place.
- If they'd actually follow their own filesystem hierarchy standards, and stop using /usr as a build target (very bad things will happen if a crash happens in the middle of that! Why are we making lots of small separate partitions again?!?) then I could just make /var big. Then I would not have to repartition yet again after they introduce /lib/lolz/3gib or whatever in 2027.
Alternatively, if they had a journalling filesystem or still supported soft updates, then I could have one big partition, which would solve it once and for all.
Anyway, I'd argue "take the LAN offline, back up the router, repartition and restore" isn't a planned reasonable maintenance task for a router. The fact that it's so obviously easily avoidable is really frustrating.
Alternatively, if they just had a "which sets to install?" config option for auto-update (like they do for the OS installer!) then I wouldn't have to do this.
Yeah it sucks when partitions that were sized 8-10 years ago are no longer adequate. I've hit the "/usr is too small to complete an upgrade" trap myself. When that happened I rejected the installer's partition suggestions and made /usr substantially larger (this is also necessary if you're going to be building large ports, which also happens under /usr).
So far that has worked for me.
Some people would also argue that using an 8 year old device as a critical path in your LAN is a risk in itself. Taking routers down to do upgrades is pretty common in the enterprise IT world.
I needed to create a backdoor network-level KVM contraption to help my dad relocate some servers. tl;dr an office was closing down, he pulled the rack and stood it up in his basement. I mailed him a Unifi EdgeRouter 4 that was reflashed to run OpenBSD. On boot it would create a VPN tunnel to a VPS and basically expose a public WAN port to the rack. So it was in my dad's garage on his Fios internet, but from a networking perspective it thought that it was in a Linode datacenter.
The ER4 has 3 ports: 1 was for the uplink, one exposed the WAN connection to the rack, and then the 3rd port became a client inside of the network. I could shell into it from home (he's on the other side of the country) and operate from the residential network and also the server network simultaneously. Worked well enough for a few weeks to keep access around until we could engineer a better solution.
Configuring OpenBSD was really quite simple and rewarding. No insane linux network stack / netplan / cloud-init / bs ... just a few conf files.
That's too bad. I might need Bluetooth on keyboard, mice, headphone/earbuds, etc. OpenBSD seems so nice, but right now it is limited to running as a server, and not a desktop, which could be considered a good thing, as it focuses on simplicity. However, I do wish it had more hardware support.
EDIT: Running OpenBSD in a VM might get me the best of both worlds, with hardware support on the host OS (Linux/Windows) and the benefit of running OpenBSD.
It wasn't security really, it was just the entire stack being so complex and poorly maintained that it became insecure. If someone wants to go back and do things right, they're free to do so
Firmware backdoors in wireless chipsets are a really big attack surface, and disabling wireless at least gives you the chance to monitor five eyes activity on ethernet.
It's a lock/mutex implementation that puts the blocked thread to sleep, usually via cooperative yielding to the scheduler instead of continuing to perform CAS operations on the lock continuously. Spinlocks have great performance when they're not heavily contended and the locks are held for short periods of time, but if either of those things are true the blocked thread can easily consume an entire CPU core while it's blocked.
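A minimal illustration of the two strategies described above, added here and not taken from the original post or from any operating system's lock code: a pure CAS spinlock beside a lock that hands the CPU back to the scheduler whenever its CAS fails, both run against the same contended counter. The names (simple_lock, run_contended), thread count and iteration count are my own choices; POSIX threads and C11 atomics are assumed.

```c
/* Hypothetical illustration code: a spinlock vs a yielding lock.
 * Not OpenBSD's (or any other kernel's) lock implementation. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>

#define NTHREADS 4
#define NITERS   20000

typedef enum { LOCK_SPIN, LOCK_YIELD } lock_kind;

typedef struct {
    atomic_flag held;        /* clear = free, set = held */
    lock_kind kind;
    atomic_ulong spins;      /* failed acquire attempts, for the reader */
    unsigned long counter;   /* the shared state the lock protects */
} simple_lock;

static void lock_init(simple_lock *l, lock_kind kind) {
    atomic_flag_clear(&l->held);
    l->kind = kind;
    atomic_store(&l->spins, 0);
    l->counter = 0;
}

/* Pure spinlock: keep hammering the flag with test-and-set until we win.
 * The blocked thread burns its core for as long as the holder keeps the lock. */
static void spin_acquire(simple_lock *l) {
    while (atomic_flag_test_and_set_explicit(&l->held, memory_order_acquire)) {
        atomic_fetch_add(&l->spins, 1);
    }
}

/* Yielding lock: the same test-and-set, but on failure give the CPU back to
 * the scheduler so the holder (or anyone else) can run. A real sleeping mutex
 * goes further and blocks in the kernel until the releaser wakes it. */
static void yield_acquire(simple_lock *l) {
    while (atomic_flag_test_and_set_explicit(&l->held, memory_order_acquire)) {
        atomic_fetch_add(&l->spins, 1);
        sched_yield();
    }
}

static void lock_acquire(simple_lock *l) {
    if (l->kind == LOCK_SPIN)
        spin_acquire(l);
    else
        yield_acquire(l);
}

static void lock_release(simple_lock *l) {
    atomic_flag_clear_explicit(&l->held, memory_order_release);
}

static void *worker(void *arg) {
    simple_lock *l = arg;
    for (int i = 0; i < NITERS; i++) {
        lock_acquire(l);
        l->counter++;        /* deliberately non-atomic: the lock makes it safe */
        lock_release(l);
    }
    return NULL;
}

/* Runs NTHREADS threads contending on one lock of the given kind and returns
 * the final counter, which equals NTHREADS * NITERS iff the lock is correct.
 * The number of failed acquire attempts is reported through spins_out. */
unsigned long run_contended(lock_kind kind, unsigned long *spins_out) {
    simple_lock l;
    pthread_t tid[NTHREADS];
    lock_init(&l, kind);
    for (int i = 0; i < NTHREADS; i++)
        pthread_create(&tid[i], NULL, worker, &l);
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(tid[i], NULL);
    if (spins_out)
        *spins_out = atomic_load(&l.spins);
    return l.counter;
}

int main(void) {
    unsigned long spins, n;
    n = run_contended(LOCK_SPIN, &spins);
    printf("spinlock : counter=%lu failed attempts=%lu\n", n, spins);
    n = run_contended(LOCK_YIELD, &spins);
    printf("yielding : counter=%lu failed attempts=%lu\n", n, spins);
    return 0;
}
```

Both variants must reach the same final count; the "failed attempts" figure is what differs, since the spinlock retries as fast as the core allows while the yielding lock retries once per scheduler turn.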
Sweet! I’m just about to replace pfsense with openbsd on my router. Smoothly setting up ipv6 is a bit of a headscratcher atm, mainly because i’ve never had to understand it before.
Yes, free from American restrictions. Because American law prohibits giving out cryptography to outside countries, so according to OpenBSD we outsiders have no luck in getting a cryptographically secure operating system except for OpenBSD.
If I remember, it's still illegal to export to "rogue states," Iran and North Korea being the major two, and terrorist organizations. But I don't think anybody has been charged for it and there's reason to suspect it wouldn't hold up given the pgp ruling.
We can't really export anything to those "rogue states" anyway. Also, as backwards as NK can act in some contexts, I dislike the classification of them as a rogue state. The kims are pretty good at geopolitics and wouldn't do anything stupid or dangerous without a good enough reason to make its actions no longer "rogue". If anything, the US is closer to a rogue state currently with its rubber stamp congress and willingness to do whatever the orangutan in charge says
early 2000s so close enough. I know this because for a while WEP was intentionally crippled in the US because of the archaic encryption laws
Sidenote, does anyone remember a "click here to become an international arms dealer" esque site as a protest of our encryption laws or did I make that up. I swear I heard that somewhere
I would really love to adopt OpenBSD but the one thing I can't deal with is the absence of journalized filesystem.
Just the idea of not being able to recover work after a power cut is hard to accept, to be honest.
I have been recently considering running it on a minimal Alpine ZFS host but I am not sure how much I can optimize the display experience since I do not think OpenBSD supports QXL/SPICE.
I dual boot OpenBSD on it, and it's been doing fine. The out of the box experience is pretty bare although the default window manager cwm is surprisingly nice once you get to know it. Note that apmd, the power management daemon used to manage CPU speed and low-battery suspend, is not enabled by default. The high-DPI screen required some adjustments in Xresources (I haven't dared try a multi-monitor, mixed DPI setup).
NetBSD seemed okay too but I've only used it a little bit. It actually set up X pretty well for the screen using some built-in script with heuristics to determine font size from the screen metrics.
No wifi driver for Framework 16. Was fun installing (and surprisingly quick) and playing around a little. But unfortunately that's a dealbreaker for me.
BSDs are interesting projects. As I understand it there's a broad difference of them all doing things reasonably well but a) Free is general-purpose, b) Net is especially portable/many architecture and Open is security focused
9front's site will always be one of my favorite places on the net. I don't like plan9 (architecturally it is amazing, I just am too bigoted to stay sane in its userland) but the humor is so my style of humor
I have used OpenBSD as a desktop for 7 years. Though my usage and the machine were minimal. But I thoroughly liked it. I want to go back to it. One good thing is that if your hardware has some problems or is about to have problems then installing OpenBSD will make your computer kernel panic. So I use it as a diagnostic tool for my hardware
I always wanted to get into bsd, especially openbsd. I like the idea of a more cohesive os.
But I don't really know what to use it for to get started. My desktop runs linux with steam for games. My AI server needs rocm drivers so ubuntu-server. My vps runs debian, maybe that one, but there is no DO image for BSD. Open for ideas..
OpenBSD for the layer where you need the highest security. We use it for hosting our Postgres clusters. You could easily use it for your VPS. There is a learning curve. But if you’re already comfortable with Linux you’ll pick it up in a few hours.
I am a diehard FreeBSD fan and I used it on my laptop for 20+ years, and dualbooted it for windows only for gaming.
I tried my best to get gaming going, even running Arch in a jail, but it's not great for gaming purposes. I was even virtualizing OpenBSD to use PCI passthrough for better wifi...
Today I am using Arch Linux instead of my dual boot setup. Is it perfect? Nope, but at least I can play Age of Empires 2.
I still use FreeBSD on my servers, obviously.
FreeBSD is great, but on the desktop, and especially on the laptop, there are some warts.
FreeBSD is mainly server focused. There's been work on the desktop recently, but it isn't what FreeBSD devs are paid to focus on. To be fair to the people paying them, it's a damn good server OS.
Also, check out DragonflyBSD. It has a really nice filesystem and Dillon does good work
FreeBSD is focused on making a good, general purpose operating system. It just happens to be very good at being a server. It's also very good at being a desktop.
OpenBSD 7.9 release artwork by Lyra Henderson
https://www.openbsd.org/images/PinkPuffy.png
https://www.openbsd.org/images/puffy79.gif
Release song is "Diamond in the Rough" - Composed & produced by Bob Kitella.
https://www.openbsd.org/lyrics.html#79
Apparel (t-shirts, so far): https://openbsdstore.com/
Interesting to see OpenBSD continuing to gain hardware support. I've been running it on a small home server for DNS/DHCP and the stability is remarkable. The man years of auditing really show.
Sorry for the off-topic, but I wish our FreeBSD camp could roll back a little from this faux-corporate glass ball without soul and a font from the early 90s spaceship toy box, to Beastie and a stylish serif. What I was trying to say - I'm in envy. OpenBSD artwork is absolutely amazing!
The big news for some of us is that Exim has been dropped from ports. Here is a good article about transitioning from Exim to OpenSMTPD:
https://nxdomain.no/~peter/time_for_opensmtpd.html
I tried using OpenSMTPD a long time ago, shortly after it came out, but things were not stable enough. I guess it is time to give it another go...
I really like OpenSMTPD; no nonsense and configuration feels rather modern compared to the legacy stuff that's out there.
With all the security issues constantly being uncovered in other Operating Systems - which will only accelerate with AI - it’s time everyone considers OpenBSD. Their decades-long security-focus is second to none. We have fully converted from Ubuntu/Debian to OpenBSD. No looking back.
I tried OpenBSD recently and found it behaves very differently from other OSes. The same code works on Linux/FreeBSD/Windows but has poor multi-thread performance on OpenBSD, and async sockets stopped working after sending at high speed for a few seconds. I am not saying there is anything wrong in OpenBSD, it is just different.
Is OpenBSD actually more secure than Linux? I have not been able to find any data to support this—only some vague opinions.
The Data:
Compare the number of CVE vulnerability trends over time between Linux: https://www.cvedetails.com/vendor/33 and OpenBSD: https://www.cvedetails.com/vendor/97
It's not even close! It's nearly two orders of magnitude higher for Linux. This isn't anecdotal or “vague opinion”; CVEs are facts.
You can ask the follow-up question: Why is that?
And there are many reasons. It could just be that Linux having more users/eyes means more bugs are surfaced ... But you need to dig deeper to understand why OpenBSD is so much more secure, the core team of OpenBSD proactively reviews the security of other OSes and when they learn something, they rapidly implement the feature/fix in OpenBSD.
Again, read: https://en.wikipedia.org/wiki/OpenBSD_security_features Many of the proactive security features OpenBSD has are not implemented by other OSes. And in the case of kernel-level Crypto, they won't ever be because US export restrictions.
> And there are many reasons. It could just be that Linux having more users/eyes means more bugs are surfaced
You really brushed that one off, uh? The ratio of Linux devices to OpenBSD is quite literally a million to one. The ratio of tech companies invested in Linux to companies invested in OpenBSD is roughly 50,000 to 1. The ratio of professional security researchers paid to find flaws in Linux vs OpenBSD is harder to quantify at the moment, but I think we can guess a trend here.
I can agree to a degree that OpenBSD takes security more seriously, and they have made very interesting design decisions to enforce their security model. But I entirely disagree that the number of "CVEs are facts" to back your opinion that it is superior.
US export restrictions? There have been broad license exceptions for decades, so kernels like Linux are freely distributable. The same would apply to OpenBSD.
"Is Secure" is subjective.
I would be in favour of saying that out of the box OpenBSD is more secure than Linux.
You are correct; OpenBSD is secure by default. And it's not subjective at all.
The homepage of https://www.openbsd.org proudly states "Only two remote holes in the default install, in a heck of a long time!" if they didn't have the evidence to support the statement, the internet would have forced them to remove it by now. ;-)
Remote (exploitable) holes are the ones we all care about.
It's not meaningfully more secure than e.g. Debian.
Their claim to fame ("only two remote holes in the default install in X number of years") is definitionally only valid for the default install in its default configuration which means: no httpd, no smtpd, no unbound, etc. etc. etc.
The default install isn't very useful, because it doesn't do a lot, and so "only two remote holes" or whatever isn't really saying much.
For example: there are still CVEs popping up: https://nvd.nist.gov/vuln/detail/CVE-2024-11148
Linux has more CVEs because it's orders of magnitude more popular. OpenBSD has appalling performance, and more or less nobody uses it, so there just isn't a large focus on auditing and fixing it.
It's a great research project, but I would not run it on my personal devices.
macOS is BSD roots on top of Darwin
While true it doesn't answer why OpenBSD is considered more secure by default than Linux. Despite its BSD roots, macOS has had its share of CVEs:
https://www.cvedetails.com/version-list/49/70318/1/Apple-Mac...
No. (It's fine!)
If you care about security, why not consider Qubes OS? Related discussion: https://forum.qubes-os.org/t/qubesos-vs-openbsd-security/790...
Qubes OS uses the Linux kernel. Without wanting to start a flame-war and with all respect to Linux, it’s not even close. See: https://en.wikipedia.org/wiki/OpenBSD_security_features
The “kernel” in Qubes is arguably Xen rather than Linux, and that’s where the security boundaries are supposed to be defined rather than within VMs that may be running any OS. VM compartmentalization as a security mechanism is hard to compare to a more conventional Unix like OpenBSD.
It's not just Xen, it also relies on the hardware-assisted virtualization (VT-d), which is virtually unbreakable compared to anything else. Most Xen vulnerabilities do not even affect Qubes: https://www.qubes-os.org/security/xsa/#statistics
https://isopenbsdsecu.re/
(This site is extremely good and has fairly recent coverage, point-by-point, of all OpenBSD's mitigations. An important subtext to take to this is that OpenBSD has a reputation for introducing mitigations that exploit developers make fun of. Some of them are great, some of them less so.)
The slides are over 6 years old. The developers' attitudes haven't changed much, but are all of the arguments still valid?
I've followed this discussion here and there over the years and it always goes like this:
1) everyone makes fun of the mitigations
2) many even outright assert they can easily defeat and exploit OpenBSD
3) nobody provides a working PoC when asked to demonstrate how insecure the OS is
And somewhere in the mix there's also you and your usual blabber, also without any substantial examples of how insecure and exploitable the OS is. Always.
The site isn't the slide deck. Let's talk after you've read it?
You misunderstand the Qubes' approach to security. You isolate your workflows into separate VMs, so that security of a single VM doesn't matter. For example, my secrets are stored in a dedicated offline VM. All kernel bugs in it are just not exploitable. I open my online banking in a dedicated VM, in which nothing else is ever opened. Which attack vector do you think can be used against that?
If you really really care about security, then consider CHERI and CheriBSD
https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
What? How long did it take?
How long did what take? Learning the essentials of OpenBSD, budget 4-6 hours. Switching over servers from Ubuntu, an hour for the first one then 10 mins each after that. You can copy config with your favourite tools; most have ports for OpenBSD already. If you want to learn more in-depth, read: Michael W. Lucas, Absolute OpenBSD, 2nd Edition: Unix for the Practical Paranoid. Highly recommend it as it teaches many fundamentals most software engineers skip.
How many upgrades have you done so far? And how many kernel fixes?
Long time ago I maintained a couple of obsd servers, and the cost in time of upgrades and the (occasional) security fixes was substantial.
I still maintain a couple of servers, but if it wasn't because Debian makes it easier by automating most of it, I don't think I could do it.
Yet I miss my time with obsd. I'm very interested in your experience.
>it’s time everyone considers OpenBSD
https://x.com/ortegaalfredo/status/2055362910415671459
When your super secure feature gets defeated by a symlink maybe it's not really time to consider it...
Sure, things are not better in the linux world but at least there's more eyes to fix issues there just because of the market share.
Note that this specific symlink was special cased because sandboxed programs still need to access timezones. Also note that you would need to be root to create that special cased symlink. It's embarrassing, but less catastrophic than it looks at first glance.
Running security-critical code as root is still a bad idea.
Your "evidence" for him to reconsider is a sandbox "bypass" that requires you to be root to set up the environment?
For my next trick I will demonstrate how to break into my own house to open the blinds by using my keys.
Security researcher theatrics will never not be funny.
Maybe I'm misunderstanding the video, but it looks to me as if the situation is:
You are root inside a sandbox. As root-in-the-sandbox, you create a symlink and this gives you the ability to escape the sandbox.
(Whether this is interesting or not depends on whether anyone actually tries to use the sandbox facility in such a way as to give root-in-the-sandbox privileges to untrusted people or code. I don't know enough about OpenBSD to answer that.)
OpenBSD doesn't do different user accounts inside vs outside sandboxes; if you're root in the sandbox, you're root on the system.
So what? You're still root. You're relying on a sandbox to plug a few voids while you still effectively held keys to the kingdom before said voids were plugged.
I hear this excuse daily from developers who insist on running all their docker containers as root "because we have to".
If you're relying on a sandbox as your first line of defense you've already lost the war.
I think the idea is to not run programs as root in the sandbox.
The parent's tone wasn't warranted, but bugs like this could be more serious if combined with privilege escalation bugs in the sandbox.
Ideally, sandboxes should be like Vegas - what happens in the sandbox stays in the sandbox.
(I'm just speaking hypothetically here, I'm not knowledgeable about OpenBSD or its sandboxes)
>Your "evidence" for him to reconsider is a sandbox "bypass" that requires you to be root to set up the environment
Can you help figure out where it says unveil does not really work when root is involved?
You left a snarky comment, then paraded around a positively lame example as some sort of trophy.
Here's what I can figure out: you need root to set up the environment just so. It's a don't-care. The end.
So, a break out of chroot in a chroot jailed app would be a non-issue because I need root to set it up?
If you need root to set up the escape, then yes that is relatively uninteresting. Like, we know chroot can't contain root.
Thanks. It was not evident from the example whether root inside of the sandbox is necessary - I assumed creating arbitrary symlinks doesn't require any particular capabilities, and there's nothing special about the locations.
Though it's not clear to me now:
- why was this patched then?
- is the point about root that non-root wouldn't have access to passwd anyway?
OpenBSD doesn't have separate user accounts for sandboxes. If you're root inside the sandbox, you're root outside it. This exploit requires you to already be root.
>Here's what I can figure out: you need root to set up the environment just so.
I guess you just don't understand what unveil does.
Your arrogance is continued proof you could never comprehend the work that goes into building, releasing, and maintaining an entire OS, and your contributions will forever be limited to snarky negativity on message boards.
Anything on unveil and not about me?
If you think their code sucks to the point people should think twice about using it, I suggest you stop using OpenSSH immediately.
Please be sure to let us know when your better, more secure replacement is ready.
I used it a bit, had it installed for a while on a G4 PowerBook (must have been early-ish 2000s). I like the no-nonsense attitude towards blobs, security focus. Overall the experience was very good. The bit of code I read was also written nicely. I'll always endorse it and should really install it somewhere again in the near future.
This is also the 60th release. Congrats team.
Anyone here using OpenBSD? If so, for what purpose?
I’ve always wanted to use NetBSD for an application for an embedded system / IoT device but never had the pleasure (yet!).
We use OpenBSD for our VPSes on Hetzner, bare metal (for security focussed clients) and older (but still good) hardware in our Home Lab. OpenBSD is excellent on older (no longer supported by Cupertino) Apple hardware. We have an Intel Mac Mini Cluster with near-perfect uptime. If you need to run any kind of server (Web, Mail, DNS, NFS, Database) where you need stability & security, look no further. Some learning curve, but totally worth it.
Have you tried such OpenBSD installations vs FreeBSD? I forget the differences between OpenBSD and FreeBSD, so forgive the naivety. (I think NetBSD is more for embedded stuff, and Ghost and Dragonfly are more for conventional desktop use-cases if I recall correctly.)
I'm asking because I have not touched any BSD for over 2 decades... and I'm getting the itch to try some out... and was wondering if for server-type use cases (like you noted) whether OpenBSD is preferred over FreeBSD or the reverse, and why? Thanks in advance for any feedback you might provide!
FreeBSD is a heavier, more capable system, suitable for large servers. It's got its own virtualization platform (bhyve), an LXC-ish container system (jails), native ZFS, dtrace, Linux emulation, and a bunch more. It makes for a decent workstation and has pretty decent hardware support.
NetBSD is small and simple. It's a lot like an old-school UNIX. It makes a decent platform for small services. I run bind and dhcpd on a NetBSD machine. The source code is very pleasant to read. It uses the pkgsrc software repository. It's my preferred platform for writing POSIX code.
OpenBSD still carries much of the general feel of NetBSD and can fill a similar niche on a network, but the security focus stands out in their documentation, subprojects (OpenSSH, LibreSSL, OpenNTPD, etc.), APIs (see pledge(8)), and policies. It makes for a great firewall. I'd say it also requires the most know-how.
All of them have excellent documentation (especially compared to Linux distros) and the base system is developed alongside the kernel, giving you a very consistent experience compared to Linux distros where everything is developed in isolation. If you write C, it's worth keeping a BSD system around just for the manpages and to make sure you're not letting Linuxisms creep into your codebase.
Thank you, this helped a lot!
The "lightweight" nature of OpenBSD is a matter of perspective - if you are happy with OpenBSD's feature set, then it's a plus. On the other hand, FreeBSD has a lot of additional features, including ZFS, which may be of interest. The last I checked, FreeBSD was more performant in various benchmarks, particularly regarding multi-core performance.
FreeBSD has a bit more of a lax attitude historically to security[0] and seems to prefer being reasonably performant and "easy to use" (this is subjective, but they care about supporting packages outside of base very much, and bundle non-FreeBSD produced packages as part of their base).
OpenBSD on the other hand is perfectly happy to leave oodles of performance on the table for security. They were the first OS to completely drop Hyperthreading support for example, years before spectre/meltdown.
So with these things in mind, FreeBSD is a lot more performant.
[0]: https://vez.mrsk.me/freebsd-defaults
FreeBSD has the same roots as OpenBSD but the former has a “compatibility” focus whereas the latter has the security focus. Having a background in security, the choice was obvious for me. But each person/org should decide based on their needs. Haven’t had any issues running it on all major hardware (Dell, HP, Lenovo, Apple, etc) the UI isn’t as pretty as macOS on Desktop, but it runs Firefox & Chrome, etc. so you can do everything you need. If you have an older Lenovo or Mac lying around collecting dust, dive in!
Yeah, thanks, that helps! It's the old convenience vs security balancing act :-)
100%. I put off learning/using OpenBSD for a decade until a breach at a client (we weren’t responsible for DevOps/SysAdmin) made me pick it up because I don’t have time to be a full-time Linux Sysadmin anymore. Just want the servers to run without having to think about them. Wish I’d done it sooner. Lost a lot of time on Linux, Docker, K8s, etc. that I could have skipped completely with OpenBSD. Our servers are an order of magnitude simpler now, just single services per VM and I sleep better. ;-)
> ...I don’t have time to be a full-time Linux Sysadmin anymore. Just want the servers to run without having to think about them...
Very salient comment there! And, while not the only reason for me, what you noted is sort of one reason that's triggering the itch in me to go back to playing with the BSDs. Don't get me wrong, I still do love fiddling around with some areas of Linux once in a while... but then, there are other uses/areas where I just want a server to do its thing, and for my maintenance to be a little less (at least less than some Linux distros require). So maybe I'm not the only one? :-)
Actually that is mostly current HW compat. NetBSD would be I guess the one for legacy HW compat.
There was FreeBSD and NetBSD. NetBSD supporting many platforms while FreeBSD supported just x86. There was some contention between NetBSD developers and Theo and crew left to create OpenBSD. They all more or less have common ancestry being derivatives of 386BSD.
Yeah, I knew there were some aspects of descent across the different BSDs.
And, I mentioned NetBSD for embedded stuff... but really, I *think* it's that NetBSD is simply installed on tons of different hardware... so not only embedded... I kinda remembered that about NetBSD.
But, it's the other BSDs - in particular FreeBSD vs OpenBSD - whose differences I always forget... but got it now. Thanks!
freebsd = utility
openbsd = security
netbsd = portability
freebsd: performance, features, drivers, software compat - closest to linux in utility & usability though unlike linux in execution
openbsd: safety for exposed services
netbsd: portable across many cpu & hardware platforms - big-endian powerpc sun, hitachi sh3 jornada, etc, easiest to port to a new arch
Oh this is a wonderful and succinct summary; thanks!
OpenBSD is security focused while FreeBSD will remind you of older X-Windows workstations.
Thanks!
And, wow, do I miss the old X-window workstations... well, I should clarify that I LOVED those (I think they were Sparc?) workstations that ran Solaris or SunOS back in the day! Man, that takes me back some years... but I really loved those machines! :-)
OpenBSD supports sparc very well and is compatible with old sunos stuff (iirc). Unfortunately no 68k anymore (okay, technically there's a niche flavour of 68k that still is supported because of a very dedicated man in Japan)
> OpenBSD supports sparc very well and is compatible with old sunos stuff (iirc)
No 32-bit sparc anymore (only UltraSPARC, aka sparc64).
No SunOS compatibility (despite Theo de Raadt inventing it for NetBSD, before being copied by other BSDs).
https://marc.info/?l=openbsd-tech&m=161435521906992&w=2
> Technically there's a niche flavour of 68k that still is supported because of a very dedicated man in Japan
luna88k, while related, is not 68k.
https://www.openbsd.org/luna88k.html
I must've read about the sunos thing somewhere and imagined it still existed.
>luna88k, while related, is not 68k
I misremembered it as being similar to the relationship between the 6502 and the 65C816
I want to use OpenSMTPD so badly, but it doesn't have proper support for authentication via LDAP (at least, as far as I can tell). It insists on reading plaintext passwords from the LDAP server, rather than BINDing as the user in question.
I use OpenBSD alongside Hyperbola GNU/Linux, soon to be rebased from a deblobbed OpenBSD 7.0 hard fork. It's dumb easy to set up too. Also, I daily use nvi, oksh, oed (a portable ed for GNU/Linux) along with Xenocara and CWM, and this way the environment is almost the same as OBSD but with a GNU/Linux kernel.
(technically it's just a Linux kernel. GNU doesn't do any kernel work aside from deblob scripts)
Yeah, I'm aware of FSFLA and Linux Libre, but Hurd is not ready yet and it's being worked on with LLMs (something really anti-GNU, as it's proprietary SaaS).
https://lists.gnu.org/archive/html/bug-hurd/2026-03/msg00100...
In the end Hyperbola BSD will be more free than OpenBSD and the former GNU maintainers themselves...
I don't really see the LLM use as anti-GNU. It would be no different if the code was written in a proprietary IDE with fancy code completion. GNU doesn't restrict contributors to using exclusively free software for their contributions (if they did, they likely wouldn't have gotten very far considering how much work Apple did on GCC). As long as the license is free and GPL compatible, it isn't inherently non-GNU (though they'd encourage you not to use a SaaS for your own sake)
Now, is LLM code in the Hurd a good thing? No, absolutely not. Ignoring the licensing limbo of LLM output that still isn't settled, LLMs make pretty bad code often enough that I wouldn't trust it to work on something as niche and relatively undocumented as the Hurd.
A local LLM with GPL compatible input and with options to properly tag the source with a full backtracking of the code? Maybe, but that's not what's happening, but massive license laundering.
I never said anything to the contrary, I agree 100%
What's the situation with Broadcom wifi on your intel macs?
We've run into instability issues with the newer Linux kernels (starting with 6.x, I think) and have had to stop upgrading.
Ah, we have all connected via Ethernet. Side-stepped the WiFi issue. ;-) But have read of others successfully navigating it.
I use it on my personal laptop, essentially because I like how slim and simple it is.
Packaging is simple, kernel development and upgrade is simple, etc. Also the kernel code itself is written in a style I like, it's to the point, no useless abstractions, no fuss. I prefer it even amongst other BSDs I tried (netbsd and freebsd/dragonfly).
It just feels nice to be able to understand most of your system. It's not as fully featured as Linux, but there is a sense of understanding your system that is refreshing. A bit like if you're on vacation in a small and cute village where life is mundane and calming. At least that's how I feel with it. Mileage may vary.
This.
A while ago I made some blog posts[1] diving into the source code of OpenBSD and FreeBSD (shameless self plug), but haven't had the time recently to write more.
Being able to understand the system, or at least being able to take a quick look when something doesn't work is very refreshing. Not to mention the outstanding man pages. Barely need to google things.
[1]: https://blog.wollwage.com/
I used to run it on a laptop too, but the battery life was shorter and the laptop ran noticeably hotter than under Linux, so I eventually switched back.
That said, OpenBSD feels unusually coherent (e.g. checking the wifi connection from the terminal). The whole system has a level of consistency that's hard to find elsewhere, also compared to other BSDs.
For pet servers, it usually fits perfect.
> I like how slim and simple it is.
I ran OpenBSD on my laptop 22 years ago. Back then, a full GUI environment with terminal, web browser, editor: 28MiB of memory for the whole operating system and user environment!
About 10 years ago we moved offices, and I was over checking out the new internet circuit and cabling in the office. The circuit was up, and I hadn't brought anything with me to connect to the network, but we had already moved some boxes of old stuff over.
I found a 10+ year old Dell Pentium III laptop in one of the boxes, installed OpenBSD to do some simple connectivity testing, and ended up with a full workstation install and using it for network monitoring and some other random stuff. It stayed in the network/server closet until we moved out of that building just a few years ago.
I run it. Home firewall, office desktops and laptops. It's pretty stable and I'm fairly familiar with it. Really simple if you know Unix. I hope it never goes away, not sure what I would replace it with. Linux is so complicated now, it's just too much for me to deal with
Yeah, I also use it because it is fairly low maintenance. There's the sysupgrade every 6-month, but it goes smoothly every time.
If OpenBSD dies (somehow, at this point so many things are maintained there (OpenSSH, LibreSSL, PF, Tmux, sudo kinda) that it'll always exist to a degree) one of the other BSDs will suffice. FreeBSD is bloaty but for the most part works fine enough
What software do you run on your desktops and laptops?
Not GP, but I mostly use: Firefox; Emacs; MPV; Keepass; calibre; xfe; mupdf;... Then a bunch of cli tools. There's a lot in base, so cli are mostly extra utilities like cmus, git, tig, ncdu,...
I would imagine that a lot of people who use OpenBSD on their laptops/desktops run a lean installation with one of the window managers in base (an ancient fvwm version, cwm which I find very nice and twm).
You can however have a full-fat desktop environment with xfce4 or gnome and applications like libreoffice, gimp, inkscape, audacity and so on if you wish. I've never tried KDE on top of OpenBSD base but I gather packages are in ports.
I think it is fair to say that the amd64 arch has good support. The i386 platform arch is on a 'best effort' basis these days which is understandable. I've never looked at the others.
SPARC is well supported (mostly because it's very good at finding bugs that wouldn't be big problems anywhere else despite not being 'correct') and big-endian PowerPC (both 32 and 64) is fine, though hardware can be tricky since Apple products tend to be so integrated that you can't really, say, replace a GPU because the support is poor
My wife and I are building a wedding rentals company. I'm responsible for the digital part and building a Ruby on Rails app deployed to OpenBSD. The entire thing runs on a cheap Supermicro 1U server in a rack at our home. :-)
open-bsd will always feel like a safe pick for anything in regard to vault or key holding ; it's not appropriate to run anything CPU intensive - but it's a very appropriate system for anything that just need to boot up and hold some data ; eventually expose a network interface.
It is, by far, my first choice for a router/firewall. It has so many niceties for this, all well integrated OOTB, and you can deploy something top notch in no time at all.
Been running it as my home router since 2.3. I had it on a server for a very short time when I used hardware RAID but I replaced that quickly with FreeBSD for ZFS once I could afford to replace that old Dell.
I ran it on my personal laptop for several years when I had one, but having a work laptop for these past decades I don't have much use for a personal laptop. I would probably run it again on a nice portable when I retire. It would be nice to focus on being creative on such a machine. Coding and drawing mostly. I will continue to use Linux in my recording studio though.
I use it for my mailserver (thank you openbsd.amsterdam), for the gateway in my homelab, a dedicated OpenBSD VMD machine in my homelab, and on personal machines (Macbook Air M2, a Thinkpad X220 and on a T480 that dualboots OpenBSD/FreeBSD).
For a mailserver I think it is the best option. And for a gateway, PF is just wonderful.
But even on my laptops I enjoy it. It is rock solid, and I have pretty much no complaints.
Web/SSH/mail server using the built in httpd, sshd and smtpd. Very happy with it.
And on my laptop, occasionally, to experience it in person.
I use it. It's secure, and if your hardware is supported it mostly just works. A good Unix experience if you're willing to learn its intricacies.
I've been running OpenBSD on my main laptop for about a decade, as well as on routers. It has the most consistent and well-designed interfaces of any modern *nix other than arguably macOS.
Single tenant(and single core) tiny VMs with OpenBSD's VMM hypervisor and confidential computing through AMD-SEV.
My home router, firewall and VPN gateway is an OpenBSD box, Intel N100 with quad 2.5G Ethernet. To be frank, Linux has better support for fighting bufferbloat with FQ-CoDel, but pf is so much saner than Linux firewalls it's not even close.
WiFi is handled separately by a Ubiquiti UniFi system, but I don't trust Ubiquiti not to exfiltrate data after their underhanded attempt to turn telemetry on a few years ago. OpenBSD WiFi is somewhat mediocre, but it has improved in this release with experimental support for WiFi 6 after years of being stuck at 802.11n.
The closest you will get to the OpenBSD experience on Linux is with Alpine Linux.
>so much saner than Linux firewalls it's not even close.
This is a big one for me. I've run OpenBSD and Linux custom boxes as SoHo routers and I just cannot stand Linux firewalls; I've never liked them, and iptables is just terrible. Yes, I know there are wrappers around it now, but it's still the default everywhere and still used by lots of other software like Docker. I'm using OPNsense now, which is FreeBSD based, instead of completely rolling my own, but I love that it is still BSD under the hood.
One differing opinion I will offer is that I find NixOS to be the Linux distro most in the OpenBSD spirit, despite it being very different from a UX and config management perspective. Alpine is interesting, but it has its own security and compatibility issues, especially around musl libc, which I have seen cause many strange downstream issues over the years; I just hit one recently in JVM GC caused by its memory allocation implementation. I've stopped using Alpine altogether because of them.
I use it for home router, my laptop, several vms for various services, and on one vps I keep around should I need to quickly set something up. I keep a proxmox server for anything I can’t or won’t run on OpenBSD.
Not really, but OpenBSD has been in my life for 25 years.
I used OpenBSD to create the firewalls for our LAN parties when I was at school.
The first shellserver I ran, on an UltraSPARC IIi, was OpenBSD; I gave out accounts to my friends.
And then I used it as a firewall, both professionally and personally, for many years. Until the first Turris Omnia was released, and now I have retired even Turris for pfSense, which is FreeBSD I believe.
But the PF firewall in OpenBSD was superior, definitely to the syntax of iptables.
To me Linux was a great server OS, and OpenBSD was a great FW/Gateway OS.
I use OpenBSD for my home server. Runs everything from httpd to a Minecraft server.
Runs well on my Lenovo T490. I use this as my main non-Windows laptop.
Running OpenBSD 7.9 with KDE 6.6.4. Desktop usage.
It has been my daily driver for years.
I’ve been using it on an old PC Engines router (great hardware, by the way! I wish they were still around.)
It ran for over 8 years without downtime, but I’ve had repeated problems in the last year or so.
I used the default partitioning scheme, which makes /usr tiny, and /var huge, and since it is a router, did not install X11.
At some point, they made X11 mandatory for auto updates. This is dumb, because all the upgrade tool is doing is untarring a list of tarballs. So, I had to perform partition surgery from the upgrade ramdisk to make room for X11.
Now, they made some ASLR relinking scheme mandatory, which makes sense, except the relink directory is 1.5GB (larger than the entire rest of the distribution, and far larger than the parts I voluntarily installed!).
For some reason the relink output files go in /usr, which, by default, won’t hold it at upgrade. It really belongs in /var, because it is not immutable, and also, there’s room there! So, I had to repartition the router from a rescue environment again.
They also removed the ability for ntp to sync on machines without CMOS clocks, and the alternate config options don't seem to work. That's a bit more niche, granted, but my router hw is reasonably common for OpenBSD use and has that property. You can make it work by using a second utility to force clock sync at boot.
I like that they keep things simple, but they also recently pulled out any semblance of power loss safety for their file system. I’ve had to serial console in a few times to run fsck, which isn’t really the behavior I want from the home router!
They don’t have any way to setup DDNS in the base install, so you have to use a port or pkg. The port I chose was EOL’ed by upstream (ISC), so I’ll probably need to switch to dnsmasq as a dhcp server / dns server, which is fine, but those services are a significant fraction of the attack surface of my router. DDNS seems like a pretty simple thing to implement, and would be really high value for router use cases. Without it, I’d have to assign static addresses to everything on the LAN, then edit DNS records.
I think all this stuff is fixable, but wish they’d take the niche of “rock solid secure infrastructure” a bit more seriously. This used to be a nice “set and forget” weekend project but now it requires attention every few release cycles.
7.8 barely managed to fit in my duct tape and baling wire partition layout. I'm probably going to switch to FreeBSD on a box with faster NICs when I finally get a > 1GBit internet connection (hopefully in the next year or so).
If I upgrade to 7.9, I'll have to give up on using the OpenBSD hypervisor, since, with the partition scheme that the installer chose, there will no longer be a partition large enough to hold the download sets and also the vm image.
This is particularly frustrating because the boot drive is under 50% full. I’d just do “one big partition”, but they warn against that for good reason - it complicates manual fs repair at boot.
Anyway, I really like the project. It would be nice if they did a “fix common papercuts” release, since I doubt many users are as patient as I am.
If you are looking to install it, either use fewer partitions, or way over provision storage (I was 10x over provisioned at install, and the stuff I use hasn’t grown more than 10-20%) and also make sure you choose much larger partition sizes than recommended. This will add under $100 to your hardware cost, even with the storage shortages.
Backup, do a fresh install with new partitions, restore. You have to do this every once in a while especially if your partition sizing is from nearly a decade ago.
My one complaint about OpenBSD would probably be lack of resizable partitions. You can expand them, but only if you have free contiguous space and most of the time one partition starts where the prior one ends. It's rarely a problem in practice, as only /home and /var and maybe /usr/local tend to be subject to any guesswork, but it can bite you from time to time as in your case.
My point is that you shouldn't have to do this!
I've already done this twice for this box. Its disk is half empty, and the used space is 75% compounding useless bloat:
- 50% of the used space is package sets I never asked for.
- The stuff I did ask for is somehow 2x larger than it needs to be, since they don't randomize binaries in place.
- If they'd actually follow their own filesystem hierarchy standards, and stop using /usr as a build target (very bad things will happen if a crash happens in the middle of that! Why are we making lots of small separate partitions again?!?) then I could just make /var big. Then I would not have to repartition yet again after they introduce /lib/lolz/3gib or whatever in 2027.
Alternatively, if they had a journalling filesystem or still supported soft updates, then I could have one big partition, which would solve it once and for all.
Anyway, I'd argue "take the LAN offline, backup the router, repartition and restore" isn't a planned reasonable maintenance task for a router. The fact that it's so obviously easily avoidable is really frustrating.
Alternatively, if they just had a "which sets to install?" config option for auto-update (like they do for the OS installer!) then I wouldn't have to do this.
Yeah it sucks when partitions that were sized 8-10 years ago are no longer adequate. I've hit the "/usr is too small to complete an upgrade" trap myself. When that happened I rejected the installer's partition suggestions and made /usr substantially larger (this is also necessary if you're going to be building large ports, which also happens under /usr).
So far that has worked for me.
Some people would also argue that using an 8 year old device as a critical path in your LAN is a risk in itself. Taking routers down to do upgrades is pretty common in the enterprise IT world.
I needed to create a backdoor network-level KVM contraption to help my dad relocate some servers. tl;dr an office was closing down, he pulled the rack and stood it up in his basement. I mailed him a UniFi EdgeRouter 4 that was reflashed to run OpenBSD. On boot it would create a VPN tunnel to a VPS and basically expose a public WAN port to the rack. So it was in my dad's garage on his Fios internet, but from a networking perspective it thought that it was in a Linode datacenter.
The ER4 has 3 ports: 1 was for the uplink, one exposed the WAN connection to the rack, and then the 3rd port became a client inside of the network. I could shell into it from home (he's on the other side of the country) and operate from the residential network and also the server network simultaneously. Worked well enough for a few weeks to keep access around until we could engineer a better solution.
Configuring OpenBSD was really quite simple and rewarding. No insane Linux network stack / netplan / cloud-init / bs ... just a few conf files.
obligatory pic: https://i.imgur.com/Mkf9ckc.jpeg
They've made major progress on the WiFi front in this release, finally getting experimental WiFi 6 support.
I wish OpenBSD supported Bluetooth. Unfortunately, its absence is a deal breaker for me. I did use OpenBSD on the desktop, and it was great.
* https://www.openbsdhandbook.com/multimedia/#bluetooth-audio
Removed in 2014.
That's too bad. I might need bluetooth on keyboard, mice, headphone/earbuds, etc. OpenBSD seems so nice, but right now it is limited to running as a server, and not a desktop, which could be considered a good thing, as it focuses on simplicity. However, I do wish it had more hardware support.
EDIT: Running OpenBSD in a VM might get me the best of both worlds, with hardware support on the host OS (Linux/Windows) and the benefit of running OpenBSD.
The sole set of wired headphones in my house is for my OpenBSD laptop.
Interesting! Curious which Bluetooth device(s) you can’t live without.
Naming a few peripherals on my desk that see regular usage on Linux:
- Kensington Expert Trackball (I lost the 2.4 GHz dongle)
- JBL wireless earbuds/Audio Technica M40xs
- Nintendo Switch controller
They did for awhile, but removed it due to complexity and security issues.
It wasn't security really, it was just the entire stack being so complex and poorly maintained that it became insecure. If someone wants to go back and do things right, they're free to do so
Firmware backdoors in wireless chipsets are a really big attack surface, and disabling wireless at least gives you the chance to monitor Five Eyes activity on Ethernet.
> Replaced the cas spinlock in kernel mutexes with a "parking" lock.
Anyone know what a "parking lock" is (and how it works)?
I couldn't find anything on the man pages about it.
https://man.openbsd.org/OpenBSD-5.5/lock.9
https://man.openbsd.org/OpenBSD-5.9/mutex.9
"Parking" lock is a reference to this:
https://webkit.org/blog/6161/locking-in-webkit/
Thanks!
Wow, this is from 10 years ago.
It's a lock/mutex implementation that puts the blocked thread to sleep, usually via cooperative yielding to the scheduler instead of continuing to perform CAS operations on the lock continuously. Spinlocks have great performance when they're not heavily contended and the locks are held for short periods of time, but if either of those things are true the blocked thread can easily consume an entire CPU core while it's blocked.
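As an added illustration of the scheme described in that comment and in the linked WebKit post (this is example code, not OpenBSD's or WebKit's): a user-space "parking" lock in C with a CAS fast path, a short yielding spin, and a sleep on a wait queue once the lock stays contended. It assumes POSIX threads and uses a mutex/condvar pair as a stand-in for a kernel sleep queue; the state values, struct and function names are this example's own.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>

/* Lock word: 0 = free, 1 = held with nobody parked, 2 = held and someone may be parked. */
enum { PL_FREE = 0, PL_HELD = 1, PL_HELD_WAITERS = 2 };
typedef struct {
    atomic_int      state;
    pthread_mutex_t lot_mtx; /* guards the "parking lot"; stands in for a futex/turnstile */
    pthread_cond_t  lot_cv;  /* parked threads sleep here instead of spinning */
    atomic_long     parks;   /* how many times a thread actually went to sleep */
} parking_lock_t;
static void pl_init(parking_lock_t *l) {
    atomic_init(&l->state, PL_FREE);
    atomic_init(&l->parks, 0);
    pthread_mutex_init(&l->lot_mtx, NULL);
    pthread_cond_init(&l->lot_cv, NULL);
}
static void pl_lock(parking_lock_t *l) {
    int c = PL_FREE;
    /* Fast path: a single CAS, exactly what an uncontended spinlock does. */
    if (atomic_compare_exchange_strong(&l->state, &c, PL_HELD)) return;
    /* Brief spin for short critical sections, yielding rather than burning the core. */
    for (int i = 0; i < 32; i++) {
        c = PL_FREE;
        if (atomic_compare_exchange_weak(&l->state, &c, PL_HELD)) return;
        sched_yield();
    }
    /* Slow path: mark the lock contended, then park until the owner wakes us. */
    if (c != PL_HELD_WAITERS) c = atomic_exchange(&l->state, PL_HELD_WAITERS);
    while (c != PL_FREE) {
        pthread_mutex_lock(&l->lot_mtx);
        /* Re-check under lot_mtx; pl_unlock stores PL_FREE under it, so no wake-up is lost. */
        if (atomic_load(&l->state) == PL_HELD_WAITERS) {
            atomic_fetch_add(&l->parks, 1);
            pthread_cond_wait(&l->lot_cv, &l->lot_mtx);
        }
        pthread_mutex_unlock(&l->lot_mtx);
        /* A woken thread cannot know whether others remain parked: stay pessimistic. */
        c = atomic_exchange(&l->state, PL_HELD_WAITERS);
    }
}
static void pl_unlock(parking_lock_t *l) {
    /* 1 -> 0: nobody parked, done. 2 -> 1: release fully and wake one parked thread. */
    if (atomic_fetch_sub(&l->state, 1) == PL_HELD) return;
    pthread_mutex_lock(&l->lot_mtx);
    atomic_store(&l->state, PL_FREE);
    pthread_cond_signal(&l->lot_cv);
    pthread_mutex_unlock(&l->lot_mtx);
}

/* Constructed workload: nthreads threads each bump one counter iters times under the lock.
 * The result equals nthreads * iters only if the lock really provides mutual exclusion. */
typedef struct { parking_lock_t *lock; long *counter; int iters; } worker_arg_t;
static void *worker(void *p) {
    worker_arg_t *a = p;
    for (int i = 0; i < a->iters; i++) {
        pl_lock(a->lock);
        (*a->counter)++; /* plain increment: would race without a working lock */
        pl_unlock(a->lock);
    }
    return NULL;
}
long run_contended(int nthreads, int iters, long *parks_out) {
    parking_lock_t lock;
    pthread_t tids[nthreads];
    long counter = 0;
    worker_arg_t arg = { &lock, &counter, iters };
    pl_init(&lock);
    for (int i = 0; i < nthreads; i++) pthread_create(&tids[i], NULL, worker, &arg);
    for (int i = 0; i < nthreads; i++) pthread_join(tids[i], NULL);
    if (parks_out) *parks_out = atomic_load(&lock.parks); /* how often parking was used */
    return counter;
}
```

Build with `-pthread`; `parks_out` lets you see how often contention actually reached the sleep path, which is exactly the case where a pure spinlock would have kept a core busy.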
Sweet, I was just wondering when 7.9 would release. And with a song! We haven't gotten one of those in a while iirc
I always check their releases to get the song, like in the other thread... the last song was 7.3.
Announcement mail: https://marc.info/?l=openbsd-announce&m=177919671915512&w=2
> Enabled IPv6 autoconf (SLAAC) by default.
Sweet! I'm just about to replace pfSense with OpenBSD on my router. Smoothly setting up IPv6 is a bit of a headscratcher atm, mainly because I've never had to understand it before.
I recently updated an older OpenBSD router and firewall and the amount of native IPv6 support right out of the box makes this an unbelievable breeze.
While I daily Linux on my workstation, OpenBSD is my favorite OS, by far, and I use it wherever it makes sense for me.
A song released with it too! So much care for OpenBSD.
Nice! Had to lookup when one was last released, 7.3. https://www.openbsd.org/lyrics.html
Direct link to the song so you can play in the browser: https://ftp.openbsd.org/pub/OpenBSD/songs/song79.ogg
the Canadian OS :)
Yes, free from American restrictions. Because American law prohibits giving out cryptography to outside countries, according to OpenBSD we outsiders have no luck in getting a cryptographically secure operating system except for OpenBSD.
That isn't a thing anymore iirc
If I remember, it's still illegal to export to "rogue states," Iran and North Korea being the major two, and terrorist organizations. But I don't think anybody has been charged for it and there's reason to suspect it wouldn't hold up given the PGP ruling.
We can't really export anything to those "rogue states" anyway. Also, as backwards as NK can act in some contexts, I dislike the classification of them as a rogue state. The Kims are pretty good at geopolitics and wouldn't do anything stupid or dangerous without a good enough reason to make its actions no longer "rogue". If anything, the US is closer to a rogue state currently with its rubber stamp congress and willingness to do whatever the orangutan in charge says.
>We can't really export anything to those "rogue states" anyway
Sure, but there are additional laws regarding cryptography, even in publicly available software.
"Rogue states" is a legal designation; we can both dislike it as much as we want, but I doubt the US will change its view.
I think that pretty much ended in the 90s.
Early 2000s, so close enough. I know this because for a while WEP was intentionally crippled in the US because of the archaic encryption laws.
Sidenote, does anyone remember a "click here to become an international arms dealer"-esque site as a protest of our encryption laws, or did I make that up? I swear I heard that somewhere.
Developed at 4500ft elevation in the Texas of Canada, primarily.
Well, it's 40 below and I don't give a...
I would really love to adopt OpenBSD but the one thing I can't deal with is the absence of a journaling filesystem.
Just the idea of not being able to recover and work after a power cut is hard to accept, to be honest.
I have been recently considering running it on a minimal Alpine ZFS host, but I am not sure how much I can optimize the display experience since I do not think OpenBSD supports QXL/SPICE.
I would be curious if someone found a way...
How do the various BSDs run on framework laptops?
I dual boot OpenBSD on it, and it's been doing fine. The out of the box experience is pretty bare although the default window manager cwm is surprisingly nice once you get to know it. Note that apmd, the power management daemon used to manage CPU speed and low-battery suspend, is not enabled by default. The high-DPI screen required some adjustments in Xresources (I haven't dared try a multi-monitor, mixed DPI setup).
NetBSD seemed okay too, but I've only used it a little bit. It actually set up X pretty well for the screen using some built-in script with heuristics to determine font size from the screen metrics.
No wifi driver for Framework 16. Was fun installing (and surprisingly quick) and playing around a little. But unfortunately that's a dealbreaker for me.
There's been a bunch of progress on FreeBSD, and OpenBSD isn't that much worse
Power management, webcam, trackpad, accessories, etc tend not to be a good fit for niche BSD and Linux. Stick to desktop or server.
Congrats on another successful release, OpenBSD team! Happy user since the 4.x days.
I use it and it's secure.
Neat that they're working on Intel's p/e/l core support. I was just comparing Linux and windows support history the other day.
Any benchmarks against state of the art?
It depends. You can expect a 5 to 15% performance hit depending on the task. In OpenBSD, security comes first and performance comes second.
BSDs are interesting projects. As I understand it there's a broad difference, with them all doing things reasonably well but a) Free is general-purpose, b) Net is especially portable/many architectures and c) Open is security focused.
OpenBSD's primary purpose is to create artwork (https://www.openbsd.org/artwork.html), releasing an OS is a side project.
Based on the CD covers I used v2.3 and v2.4. That's been a while. I might still have the CD sets somewhere out in storage with other legacy stuff.
That's 9front where CSP, GeFS and the like are futuristic artwork, kinda like modern DaVinci. We are not ready yet.
9front's site will always be one of my favorite places on the net. I don't like Plan 9 (architecturally it is amazing, I just am too bigoted to stay sane on its userland) but the humor is so my style of humor.
The main differences between OpenBSD, FreeBSD, NetBSD and DragonFly BSD
https://unixdigest.com/articles/the-main-differences-between...
I have used OpenBSD as a desktop for 7 years, though my usage and the machine were minimal. But I thoroughly liked it. I want to go back to it. One good thing is that if your hardware has some problems, or is about to have problems, then installing OpenBSD will make your computer kernel panic. So I use it as a diagnosing tool for my hardware.
> So I use it as a diagnosing tool for my hardware
Same, it's particularly good for troubleshooting older hardware too since most bog standard x86 parts are well supported.
If I have a random ISA/PCI/AGP/PCIe card that OpenBSD can't see or properly initialize, it's probably an issue with the card.
I always wanted to get into bsd, especially openbsd. I like the idea of a more cohesive os.
But I don't really know what to use it for to get started. My desktop runs Linux with Steam for games. My AI server needs ROCm drivers, so ubuntu-server. My VPS runs Debian, maybe that one, but there is no DO image for BSD. Open to ideas...
OpenBSD for the layer where you need the highest security. We use it for hosting our Postgres clusters. You could easily use it for your VPS. There is a learning curve. But if you’re already comfortable with Linux you’ll pick it up in a few hours.
FreeBSD would work well for your purposes; it has a really good hypervisor and Linux ABI compatibility.
I doubt it.
I am a diehard FreeBSD fan and I used it on my laptop for 20+ years, and dual-booted Windows only for gaming.
I tried my best to get gaming going, even running Arch in a jail, but it's not great for gaming purposes. I was even virtualizing OpenBSD to use PCI passthrough for better wifi...
Today I am using Arch Linux instead of my dual boot setup. Is it perfect? Nope, but at least I can play Age of Empires 2.
I still use FreeBSD on my servers, obviously. FreeBSD is great, but on the desktop, and especially on the laptop, there are some warts.
FreeBSD is mainly server focused. There's been work on the desktop recently, but it isn't what FreeBSD devs are paid to focus on. To be fair to the people paying them, it's a damn good server OS.
Also, check out DragonflyBSD. It has a really nice filesystem and Dillon does good work
FreeBSD is focused on making a good, general purpose operating system. It just happens to be very good at being a server. It's also very good at being a desktop.
Subpar WiFi performance compared to Linux (perhaps better now?), subpar Bluetooth, etc, etc, hardly makes it a good desktop OS.
Passable yes, if you love it, but let's be realistic.
I love FreeBSD btw.
DragonflyBSD is a beautifully well done OS.
I wonder why they didn't spend 20 minutes to make that web page work better with smartphones.
Works fine on my phone. Maybe it's you.