I’ve always wanted to use NetBSD for an application for an embedded system / IoT device but never had the pleasure (yet!).
I'm asking because i have not touched any BSD for over 2 decades...and I'm getting the itch to try some out...and was wondering if for server-type use cases (like you noted) whether OpenBSD is preferred over FreeBSD or the reverse, and why? Thanks in advance for any feedback you might provide!
We've run into instability issues with the newer Linux kernels (starting with 6.x, I think) and have had to stop upgrading.
Packaging is simple, kernel development and upgrade is simple, etc. Also the kernel code itself is written in a style I like, it's to the point, no useless abstractions, no fuss. I prefer it even amongst other BSDs I tried (netbsd and free*lbsd/dragonfly).
It just feels nice to be able to understand most of your system. It's not as fully featured as Linux, but there is a sense of understanding your system that is refreshing. A bit like if you're on vacation in a small and cute village where life is mundane and calming. At least that's how I feel with it. Mileage may vary.
A while ago I made some blog posts[1] diving into the source code of OpenBSD and FreeBSD (shameless self plug), but haven't had the time recently to write more.
Being able to understand the system, or at least being able to take a quick look when something doesn't work is very refreshing. Not to mention the outstanding man pages. Barely need to google things.
That said, OpenBSD feels unusually coherent (ej. check wifi connection from terminal). The whole system has a level of consistency that's hard to find elsewhere, also between other BSDs.
For pet servers, it usually fits perfect.
I ran OpenBSD on my laptop 22 years ago. Back then, a full GUI environment with terminal, web browser, editor: 28MiB of memory for the whole operating system and user environment!
That's why I used to run Slackware, and then foud Alpine to be the best - much better than Void or Arch IMO. Works well as a very minimal system, and I know everything very well because of it. It's an ideal approach IMO, the best of both worlds.
I wish I had an OpenBSD development laptop, but I don't have one right now.
I ran it on my personal laptop for several years when I had one, but having a work laptop for these past decades I don't have much use for a personal laptop. I would probably run it again on a nice portable when I retire. It would be nice to focus on being creative on such a machine. Coding and drawing mostly. I will continue to use Linux in my recording studio though.
For mailserver I think it is the best option. And for Gateway, PF is just wonderful.
But even on my laptops I enjoy it. It is rock solid, and I have pretty much no complaints.
And on my laptop, occasionally, to experience it in person.
I used OpenBSD to create the firewalls for our LAN parties when I was at school.
The first shellserver I ran, on an UltraSparc IIi was OpenBSD, gave out accounts to my friends.
And then I used it as a firewall, both professionally and personally, for many years. Until the first Turris Omnia was released, and now I have retired even Turris for pfSense, which is FreeBSD I believe.
But the PF firewall in OpenBSD was superior, definitely to the syntax of IPtables.
To me Linux was a great server OS, and OpenBSD was a great FW/Gateway OS.
WiFi is handled separately by a Ubiquiti UniFi system, but I don't trust Ubiquiti not to exfiltrate data after their underhanded attempt to turn telemetry on a few years ago. OpenBSD WiFI is somewhat mediocre, but it has improved in this release with experimental support for WiFi 6 after years of being stuck at 802.11n.
The closest you will get to the OpenBSD experience on Linux is with Alpine Linux.
This is a big one for me. I've run openBSD and Linux custom boxes as SoHo routers and I just cannot stand Linux firewalls, I've never liked them and IPTables is just terrible. Yes I know there are wrappers around it now but it's still the default everywhere and still used by lots of other software like Docker. I'm using OPNSense now which is FreeBSD based instead of completely rolling my own but I love that it is still BSD under the hood.
One differing opinion I will offer is that I find NixOS to be the Linux distro most in the openBSD spirit despite it being very different from a UX and config management perspective. Alpine is interesting, but it has its own security and compatibility issues, especially around MUSL libc which I have had cause many strange downstream issues over the years, I just hit one recently in JVM GC caused by its memory allocation implementation. I've stopped using alpine altogether because of them.
Work: I need a simple easy to use system that I can configure to meet third party compliance requirements without jumping through hoops. It really excels when you can mostly use the base system there, maybe couple services. For example it's so nice to just have a couple pledge/unveil lines for example in a Go service.
Also super nice for "set and forget" style stuff. For example "I just need a HTTPS server with acme and SFTP". That's something you get out of the box with no third party packages (so everything vetted, pledge/unveil for everything, maintenance just running syspatch and sysupgrade), which is really nice.
Personal: Private mail server, family website, a quick and dirty "watching streams together" service I set up to watch stuff with people not in the same place as I am. prosody to have XMPP for friends and family.
I would NOT use it for "people throw stuff at you" use cases (Linux and FreeBSD do a far better job there). But I absolutely love it for scenarios where you want very very low maintenance. For example that private email server. I don't have time to do big upgrade plans, or "hardening" systems or reinventing the wheel. I cannot afford to do privately what I do in a day job or consulting (setting up or maintaining really rather complicated infrastructure).
I have done that many years with Debian, but the Linux world sadly is a big complex and complicated mess. That's great, when I get paid to deal with it, but annoying otherwise.
And I don't mean that bashing wise. I use Linux, I like Linux, but somehow there is a huge drive to overengineering and then building hacks and weird workarounds that become normalized until it's a proper job. Without wanting to start a flame war, but the whole Docker, Containers, Kubernetes, Helm, Orchestrators, etc. story is a lot of reinventing the wheel and a static executable like a Go service in a container, so essentially coming with a whole Linux distribution even though one never thinks about it that way is just really absurd. That's what executables, processes, etc. were invented for.
And since I've lived through the story and as mentioned make a limit, I understand how that came to be, but it feels like the industry took a wrong turn because it was cool and exciting and then (nearly) everyone decided to use that hammer for everything one could imagine to be a nail. And then the next layer came and the next and the next. But all of them doing things differently. And suddenly to have a Postgres cluster you need Kubernetes, and Helm, but also need to know both PG config and the orchestrator's config, etc.
It's a mess and the OpenBSD people somehow knew that decades before I did.
It ran for over 8 years without downtime, but I’ve had repeated problems in the last year or so.
I used the default partitioning scheme, which makes /usr tiny, and /var huge, and since it is a router, did not install X11.
At some point, they made x11 mandatory for auto updates. This is dumb, because all the upgrade tool is doing is untarring a list of tarballs. So, I had to perform partition surgery from the upgrade ramdisk to make room for X11.
Now, they made some ASLR relinking scheme mandatory, which makes sense, except the relink directory is 1.5GB (larger than the entire rest of the distribution, and far larger than the parts I voluntarily installed!).
For some reason the relink output files go in /usr, which, by default, won’t hold it at upgrade. It really belongs in /var, because it is not immutable, and also, there’s room there! So, I had to repartition the router from a rescue environment again.
They also removed the ability for ntp to sync on machines without cmos clocks, and the alternate config options don’t seem to work. That’s a bit more niche, granted, but my router hw is reasonably common for openbsd use and has that property. You can make it work by using a second utility to force clock sync at boot.
I like that they keep things simple, but they also recently pulled out any semblance of power loss safety for their file system. I’ve had to serial console in a few times to run fsck, which isn’t really the behavior I want from the home router!
They don’t have any way to setup DDNS in the base install, so you have to use a port or pkg. The port I chose was EOL’ed by upstream (ISC), so I’ll probably need to switch to dnsmasq as a dhcp server / dns server, which is fine, but those services are a significant fraction of the attack surface of my router. DDNS seems like a pretty simple thing to implement, and would be really high value for router use cases. Without it, I’d have to assign static addresses to everything on the LAN, then edit DNS records.
I think all this stuff is fixable, but wish they’d take the niche of “rock solid secure infrastructure” a bit more seriously. This used to be a nice “set and forget” weekend project but now it requires attention every few release cycles.
7.8 barely managed to fit in my duct tape and bailing wire partition layout. I’m probably going to switch to freebsd on a box with faster NICs when I finally get a > 1GBit internet connection (hopefully in the next year or so).
If I upgrade to 7.9, I’ll have to give up on using the openbsd hypervisor, since, with the partition scheme that the installer chose, there will no longer be a partition large enough to hold the download sets and also the vm image.
This is particularly frustrating because the boot drive is under 50% full. I’d just do “one big partition”, but they warn against that for good reason - it complicates manual fs repair at boot.
Anyway, I really like the project. It would be nice if they did a “fix common papercuts” release, since I doubt many users are as patient as I am.
If you are looking to install it, either use fewer partitions, or way over provision storage (I was 10x over provisioned at install, and the stuff I use hasn’t grown more than 10-20%) and also make sure you choose much larger partition sizes than recommended. This will add under $100 to your hardware cost, even with the storage shortages.
My one complaint about OpenBSD would probably be lack of resizable partitions. You can expand them, but only if you have free contiguous space and most of the time one partition starts where the prior one ends. It's rarely a problem in practice, as only /home and /var and maybe /usr/local tend to be subject to any guesswork, but it can bite you from time to time as in your case.
The ER4 has 3 ports: 1 was for the uplink, one exposed the WAN connection to the rack, and then the 3rd port became a client inside of the network. I could shell into it from home (he's on the other side of the country) and operate from the residential network and also the server network simultaneously. Worked well enough for a few weeks to keep access around until we could engineer a better solution.
Configuring OpenBSD was really quite simple and rewarding. No insane linux network stack / netplan / cloud-init / bs ... just a few conf files.
obligatory pic: https://i.imgur.com/Mkf9ckc.jpeg
doas sysctl hw.smt=1But I couldn't find if they have a strict "no binary blob allowed" policy like OpenBSD.
- [0] https://doc.qubes-os.org/en/r4.3/user/troubleshooting/pci-tr...
If I had to pick a BSD, it would be FreeBSD anyway.
I know you've been an advocate for OSes and languages that are outside of the mainstream.
I finally got around to living in plan9...
My experiment, a social network for plan9 written in rc and some awk.
Compare the number of CVE vulnerability trends over time between Linux: https://www.cvedetails.com/vendor/33 and OpenBSD: https://www.cvedetails.com/vendor/97
It's not even close! It's nearly two orders of magnitude higher for Linux. This isn't anecdotal or “vague opinion” CVEs are facts.
You can ask the follow-up question: Why is that?
And there are many reasons. It could just be that Linux having more users/eyes means more bugs are surfaced ... But you need to dig deeper to understand why OpenBSD is so much more secure, the core team of OpenBSD proactively reviews the security of other OSes and when they learn something, they rapidly implement the feature/fix in OpenBSD.
Again, read: https://en.wikipedia.org/wiki/OpenBSD_security_features Many of the proactive security features OpenBSD has are not implemented by other OSes. And in the case of kernel-level Crypto, they won't ever be because US export restrictions.
I would be in favour to say that out of the box OpenBSD is more secure than Linux.
Their claim to fame ("only two remote holes in the default install in X number of years") is definitionally only valid for the default install in its default configuration which means: no httpd, no smtpd, no unbound, etc. etc. etc.
The default install isn't very useful, because it doesn't do a lot, and so "only two remote holes" or whatever isn't really saying much.
For example: there are still CVEs popping up: https://nvd.nist.gov/vuln/detail/CVE-2024-11148
Linux has more CVEs because it's orders of magnitude more popular. OpenBSD has appalling performance, and more or less nobody uses it, so there just isn't a large focus on auditing and fixing it.
It's a great research project, but I would not run it on my personal devices. Not because it's "insecure" but because the putative security benefits do not merit the shockingly poor performance.
The way forward is seL4[0][1].
https://x.com/ortegaalfredo/status/2055362910415671459
When your super secure feature gets defeated by a symlink maybe it's not really time to consider it...
Sure, things are not better in the linux world but at least there's more eyes to fix issues there just because of the market share.
Running security-critical code as root is still a bad idea.
For my next trick I will demonstrate how to break into my own house to open the blinds by using my keys.
Security researcher theatrics will never not be funny.
Also, check out DragonflyBSD. It has a really nice filesystem and Dillon does good work
Same, it's particularly good for troubleshooting older hardware too since most bog standard x86 parts are well supported.
If I have a random ISA/PCI/AGP/PCIe card that OpenBSD can't see or properly initialize, it's probably an issue with the card.
But I don't really know what to use it for to get started. My desktop runs linux with steam for games. My AI server needs rocm drivers so ubuntu-server. My vps runs debian, maybe that one, but there is no DO image for BSD. Open for ideas..
https://unixdigest.com/articles/the-main-differences-between...
Removed in 2014.
- Kensington Expert Trackball (I lost the 2.4ghz dongle)
- JBL wireless earbuds/Audio Technica M40xs
- Nintendo Switch controller
EDIT: Running openBSD in a VM might get me the best of both world, with hardware support on host OS (linux/win) and the benefit of running OpenBSD.
E.g. I use the Seeed Studio XIAO nRF52840 for my BLE keyboard.
https://www.openbsd.org/images/PinkPuffy.png
https://www.openbsd.org/images/puffy79.gif
Release song is "Diamond in the Rough" - Composed & produced by Bob Kitella.
https://www.openbsd.org/lyrics.html#79
Apparel (t-shirts, so far): https://openbsdstore.com/
> Apparel (t-shirts, so far): https://openbsdstore.com/
Interesting.
In the image you linked (PinkPuffy.png), the cat's hat says "security." In the OpenBSD store, the cat's hat reads "POLICE" on several of the shirts.
Job Snijders works closely with the artists each release, and runs the store.
Edit: oops, bad eyesight led my brain to believe "no way this is legible text" when in fact it is. Needed a screen magnifier to read it clearly. Though the other items have police in place of security.
Is this an AI-generated comment
It was originally [flagged] and [dead]
https://nxdomain.no/~peter/time_for_opensmtpd.html
I tried using OpenSMTPD a long time ago, shortly after it came out, but things were not stable enough. I guess it is time to give it another go...
NetBSD seemed okay to but I've only used it a little bit. It actually set up X pretty well for the screen using some built in script with heuristics to determine font size from the screen metrics.
Anyone know what a "parking lock" is (and how it works)?
I couldn't find anything on the man pages about it.
Wow, this is from 10-years ago.
Just the idea not to be able to recover after a power cut and work is hard to accept to be honest.
I have been recently considering running it on a minimal Alpine ZFS host but I am not sure how much I can optimize the display experience since I do not think OpenBSD support QXL/SPICE.
I would be curious if someone found a way...
Sweet! I’m just about to replace pfsense with openbsd on my router. Smoothly setting up ipv6 is a bit of a headscratcher atm, mainly because i’ve never had to understand it before.
I have to admit I am not entirely convinced about the merit of having slow cores on the cpu at all(big/little architecture). You don't want your tasks to be scheduled on them. And even for background tasks shouldn't it be better to have them complete faster for less power? To say nothing about what if they have different features. what happens when a process that wants to use cpu feature X(avx512?) gets scheduled on a cpu without X?
Openbsd took the quick and dirty shotgun approach here in disabling the slow cores. But is there even a good heuristic for scheduling jobs on them? The only thing I can think of is some sort complicated mechanism of putting manual tags in the executable or thread. A "this process is suitable for slow cores" sort of thing.
I was reading about this on on the lists, apparently a naive scheduler puts a process wherever and some new big/little systems have very slow little cores. This really hit recompiling code hard.
Race to idle is only clearly beneficial for tasks that have a clear start and end. If a background task is sustained, responds to unpredictable events, or does small amounts of work and wakes frequently, the CPU's boost logic won't solve your energy usage problem.
> To say nothing about what if they have different features. what happens when a process that wants to use cpu feature X(avx512?) gets scheduled on a cpu without X
This idea has been proposed in the past, but isn't actually used on x86-64 or ARM. E-cores have the same instruction set as P-cores, so there's no risk of running into an invalid CPU instruction.
Truly heterogeneous instruction sets may come back in the future, though. So be on your toes.
OpenBSD does a lot of things well, definitely punches above their weight. One underrated feature is their approach to releasing. No "When it's done" here. Like clockwork twice a year, they slow down, clean the shop, get their experiments in order and cook a release, a stable point in time. More projects could learn a thing or two from this.
This is also the 60th release. Congrats team.
I'm using it as a daily driver since Debian adopted systemd and it works great. I use it wherever possible: home router, laptops, obsda.ms vm, workstation, thin clients, etc.
With every release OpenBSD becomes better. Fully recommended to take advantage of old hardware too, like a fanless thin client bought for cheap from surplus.
I really love the no-nonsense approach I can't find elsewhere.
