Trying out the new OpenBSD 3.8


Author: Nathan Willis

Yesterday OpenBSD, the proactively secure Unix-like operating system, released version 3.8, featuring improvements to networking and RAID management and further security hardening. At openbsd.org you can download installation files or order the official three-disc CD set, which supports 16 processor architectures out of the box. I took this new release as an opportunity to perform my first ever OpenBSD install.

I downloaded a boot CD image for my test machine, a SunBlade 100. It is an entry-level 64-bit UltraSPARC-IIe workstation — a few years old, and begging for either an upgrade to Solaris 10 or an entirely new operating system. Not all architectures support booting from local media, but for those that do you can get started with just the boot image, and perform the rest of the installation over FTP.

The Linux user’s perspective

The installation process was smooth, and will remind appropriately vintaged Linux users of the text-mode installs prevalent circa 1998. There’s no automatic disk partitioning, no fancy menus, no friendly cartoon characters. But honestly, I didn’t miss any of it. Graphical OS installation is pretty mundane too, and with the exception of monitor resolution testing, doesn’t offer much beyond eye-candy.

One of the first differences I noticed on my OpenBSD system was how little was configured for me on installation. In OpenBSD you use the command-line program pkg_add to install packages. Once the PKG_PATH environment variable points at the official OpenBSD FTP servers or your mirror of choice, it resolves dependencies automatically and downloads whatever is needed. OpenBSD has no built-in index of available packages, and updates are not automatic or even schedulable.

“Installed” is well and good, but it still leaves you some work to do. Setting up the x.org X server, for instance, requires you to look up hardware specs for your equipment (some of which, such as my monitor’s ReferenceClock frequency, I had never even heard of before), in contrast with the built-in database included with many Linux distributions today. If the information is close at hand, you will have no trouble, but be forewarned that the OS will not help you guess your way out of a jam.

Similarly, I installed the GNOME packages, but had to spend considerable time looking on the Net for help configuring it to launch at login, to manage windows with Metacity, and to run GDM on system startup. A few years ago I knew all the .Xsession and .xinitrc secret handshakes, but I’ve gone soft. Today the Linux distros handle this for you, and I don’t see any reason why OpenBSD couldn’t, but some admonishment is due to the GNOME and KDE projects as well (the process was equally hard for both environments). Both environments work well in Linux when configured correctly, but the lack of documentation on how to configure them left me hunting old mailing list archives for clues.

So, apart from requiring you to learn more about Unix system configuration than you knew you’d forgotten, how is working on OpenBSD different from working on Linux? The short answer is: it isn’t. Unless you depend on closed-source commercial applications (which in general you won’t find for OpenBSD), virtually the entire catalog of familiar free and open source software titles is available through the packages and ports system. In BSD lingo the “ports” tree is the collection of build recipes for third-party software, compiled from source on the local machine, and “packages” are the precompiled binaries built from those same ports for the official release.

Chalk that up to a fine job on the part of the package maintainers; pkg_add has no graphical front end like Synaptic, but otherwise it does much the same job as apt or yum. And since the base system and its packages are maintained by one small project rather than assembled from independent upstreams, they are more tightly integrated. I found applications in the packages system that haven’t shipped with a Linux distribution for years, like the X10 home automation package bottlerocket, and the OpenBSD package worked for me, which hasn’t happened with a Linux distribution for years either.

Desktop users will see some differences every day, such as the Korn shell (ksh) rather than bash as the default shell and more restrictive permissions on some system files, but most of OpenBSD’s selling points concern security and stability and are under the hood.

The new bells and whistles

New to this release are several security enhancements. The memory allocator has been rewritten: it randomizes where allocations are placed and returns freed pages to the kernel right away, so a stale pointer into freed memory faults instead of quietly reading or corrupting whatever now occupies that space. This does not remove the buffer overflows in poorly written applications, but it makes them harder to exploit and more likely to crash the program outright rather than succeed silently. Motherboards with a hardware “watchdog” timer can now be kept alive by watchdogd, which periodically resets the timer so that a hung machine reboots itself.

Network security gets a facelift with improvements to IPsec synchronization and configuration, and the first implementation of the Inter-Access Point Protocol (IAPP, IEEE 802.11F), which lets wireless access points inform one another when a client roams between them.

The developers added a number of hard disk features: the ability to freeze-lock the security feature set of ATA drives at boot, so that malicious code cannot later set a drive password and lock you out of your own disk; the ability to park the drive heads in response to the motion sensor behind the “Active Protection System” in IBM ThinkPads; and new drivers for monitoring disk and enclosure status via the SCSI Enclosure Services command set.

RAID users gain a new management tool called bioctl, which talks to supported RAID controllers through the bio pseudo-device from the running system, so volumes can be inspected, rebuilt, and managed without rebooting into the controller’s BIOS setup screen.

The most interesting feature in my humble opinion is the trunk virtual network interface. With trunk, you can combine multiple physical network interfaces and treat them as a single virtual interface, giving you bandwidth aggregation or automatic fail-over. A trunk port can itself be another trunk, which allows for more complex scenarios, such as seamless hand-off between wireless networks.

Firewall configuration is not complicated by trunk, since a trunk interface is named in filter rule sets exactly like a physical one. I am no systems administrator, but I had to try that out with a couple of spare Ethernet cards.
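As an added illustration (not configuration from the article), here is what the fail-over setup described above looks like in OpenBSD’s hostname.if files together with a pf rule that treats the trunk like any other interface. The interface names em0 and em1, the 192.0.2.10 address, and the choice of SSH as the permitted service are assumptions for the example:

```conf
# /etc/hostname.em0 and /etc/hostname.em1 (assumed interface names):
# bring each physical port up with no address of its own
up

# /etc/hostname.trunk0: the virtual interface that owns the address.
# "failover" sends traffic over the first active port and moves to the
# next one when the link drops; "roundrobin" spreads it across all ports.
trunkproto failover trunkport em0 trunkport em1
inet 192.0.2.10 255.255.255.0 NONE

# /etc/pf.conf: filter on trunk0, not on the member ports.
# (trunk0) in parentheses tracks the interface address if it changes.
block in on trunk0
pass in on trunk0 proto tcp from any to (trunk0) port ssh keep state
pass out on trunk0 keep state
```

Pulling the cable from em0 moves traffic to em1 without changing the address or any pf state, because both are bound to trunk0 rather than to the port that happens to be carrying packets.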

Final thoughts

You can read the official release notes, installation guides, and more at the OpenBSD project Web site. OpenBSD 3.8 CD sets can be ordered online for $45, along with the usual assortment of stickers, posters, T-shirts, and theme songs.

Due to OpenBSD’s focus on server-class features, many casual Linux users may find it an uphill battle to use OpenBSD as a desktop system. But it deserves a place on your network (and not just controlling your X10 devices). The first time I installed Linux the learning curve forced me to do some serious study, but the rewards were well worth it. Thus far the same is true for my first OpenBSD installation.