Barry Price

Linux sysadmin in Bangkok, Thailand

I spent the last couple of days rebuilding my home server, replacing Debian GNU/Linux 3.1 (Sarge) with OpenBSD 3.7. Why? Well, largely to expand my knowledge of UNIX-like systems other than Linux. I’ve been using Linux for several years, I’ve dabbled with Solaris too, but never really done a great deal with any of the BSDs other than installing, failing to work out the intricacies, and deleting in a short space of time. This time I refused to replace it until I’d at least learnt how it worked.

The two major differences I hit upon are the lack of easy updates and the lack of the enormous user community I’ve become used to with Debian.

Under Debian, you can ensure that your system is fully patched and up to date by entering:

apt-get update && apt-get -y dist-upgrade

Under OpenBSD it’s a little more complicated:

cd /usr
export CVSROOT=anoncvs@<anoncvs-mirror>:/cvs
cvs -d$CVSROOT checkout -rOPENBSD_3_7 -P src

This checks out the entire source code of the base system (including most (but seemingly not all) errata since release) to /usr/src, with the kernel source placed into /usr/src/sys. It’s several hundred megabytes in size, so you may want to have a nice cup of tea (and maybe a biscuit) to hand while you wait.

Once this gargantuan mass has finished downloading, you can update your base system by firstly recompiling your kernel, then rebooting into the newly built kernel:

cd /usr/src/sys/arch/i386/conf
/usr/sbin/config GENERIC
cd /usr/src/sys/arch/i386/compile/GENERIC
make clean && make depend && make
cp /bsd /bsd.old
cp bsd /bsd

Once this is done (and assuming it works), you can rebuild userland:

cd /usr/src  
rm -r /usr/obj/*
make obj && make build

Again, this will take some time. Hobnobs are good, although I’m a Rich Tea man myself.
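The update procedure above, wrapped into shell functions with the checks a sysadmin would want before overwriting a running kernel: the branch tag is derived from the running release so you cannot check out the wrong one, the new kernel is refused if the build produced nothing usable, and the previous kernel is kept as bsd.old so you can type `boot bsd.old` at the boot prompt if the new one fails. This is an added example, not the author’s script; ANONCVS_MIRROR is a placeholder for your chosen anoncvs host, and the i386 paths are assumed as in the post.

```shell
#!/bin/sh
# Added example wrapping the source-update steps from the post.
# Assumes an i386 machine and an ANONCVS_MIRROR placeholder host.
set -eu

# Derive the release branch tag from a version string: "3.7" -> OPENBSD_3_7.
release_tag() {
    echo "OPENBSD_$(echo "$1" | tr . _)"
}

# Check out the src tree for the release that is actually running.
fetch_src() {
    tag=$(release_tag "$(uname -r)")
    export CVSROOT="anoncvs@${ANONCVS_MIRROR:?set to an anoncvs host}:/cvs"
    cd /usr
    cvs -d"$CVSROOT" checkout -r"$tag" -P src
}

# Install a freshly built kernel, keeping the previous one as a fallback.
# Arguments: path to the new kernel, install path (default /bsd).
install_kernel() {
    new=$1; target=${2:-/bsd}
    # Refuse to touch the running kernel if the build left nothing usable.
    if [ ! -s "$new" ]; then
        echo "kernel $new is missing or empty" >&2
        return 1
    fi
    if [ -f "$target" ]; then
        cp "$target" "$target.old"
    fi
    # Copy beside the target and rename, so an interrupted copy never
    # leaves a half-written kernel at the boot path.
    cp "$new" "$target.new" && mv "$target.new" "$target"
}

build_kernel() {
    cd /usr/src/sys/arch/i386/conf
    /usr/sbin/config GENERIC
    cd /usr/src/sys/arch/i386/compile/GENERIC
    make clean && make depend && make
    install_kernel ./bsd /bsd
}

# Rebuild userland only after the new kernel has been booted.
build_userland() {
    cd /usr/src
    rm -rf /usr/obj/*
    make obj && make build
}
```

Run fetch_src, then build_kernel, reboot, then build_userland; the page’s reboot between the two steps is deliberate and is not automated here.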

Once this is done, your base system will (probably) be up to date. You still don’t have any applications though.

That’s right - OpenBSD’s base system is indeed impressively secure, but it doesn’t actually contain very much in the way of useful applications. I needed to add the following applications and libraries from the ports tree - this is a collection of Makefiles to tell the system how to build the collection of actual useful software that isn’t part of the base system. Incidentally, the software held within the ports tree “does NOT go through the thorough security audit that OpenBSD follows”. So your super-secure system just lost its super-security by your installing vaguely useful stuff on it. I was very surprised indeed to realise that this includes GnuPG.

I’ve had to install the following from ports so far:

autoconf, bzip2, centericq, db, gdbm, gettext, glib, gmake, gnupg, gnuplot, help2man, irssi, jpeg, libiconv, libslang, metaauto, netpbm, nmap, pcre, png, popt, samba, screen, slrn, tcl, textutils, tiff, tinyproxy, vim, wget.

Each of these was compiled from source. Acquiring the ports tree in the first place requires another CVS checkout:

export CVSROOT=anoncvs@<anoncvs-mirror>:/cvs
cd /usr
cvs -q get -rOPENBSD_3_7 -P ports

Thankfully this isn’t anywhere near as large as the earlier checkout - just over 8Mb or so.

So now I’ve got a working OpenBSD system, cleverly partitioned, featuring a chrooted Apache service, thoroughly audited secure software (apart from the apps I’ll actually be using the most), and the smug sense of self-satisfaction that comes from having compiled everything yourself (see Gentoo Linux).

But does it work? Well… no.

Installing and setting up tinyproxy and slrnpull required me to write a variety of shell scripts, which would have been supplied with Debian (and probably most other Linux distros). Upgrading the system takes hours. The IRC channel is practically dead, and there is little to no useful documentation outside the official site. The official site is, to be fair, excellently written to the point of installing and booting your system for the first time, but if you want to do anything useful after that then you’re going to have to piece together different snippets of what you need to know from various pages across the site.

I guess I’m bringing a lot of preconceptions about how these things should work from the Linux world, but I think even the most hardened BSD traditionalist would accept that centericq should at least work, rather than garbling the terminal display so that I have to restart PuTTY. I’ve spent a couple of days learning about this alternative world of UNIX, and I’ve learnt a few things. But I think I’ll just call it a weekend away, and head back to the safe pastures of Debian for now.