ssh myopenbsdbox # log-in to your machine
doas sysupgrade # will log you out, go drink some coffee
ssh myopenbsdbox # log-in to the upgraded machine
doas sysmerge # if any, solve merge conflicts of your cfg files
doas pkg_add -u # if any, upgrade local packages
doas sysclean # print obsolete files that you may want to remove
The last step is optional. You may pipe its output to xargs rm -rf if you feel confident.
It's good to see their regular update cadence bringing new code to the masses without much delay, like OpenSSH 9.0, for example.
I think many people who run other Unix-like OSes don't always realize how much of the code they use regularly comes from the OpenBSD project, even if we don't often run OpenBSD directly.
> I think many people who run other Unix-like OSes don't always realize how much of the code they use regularly comes from the OpenBSD project, even if we don't often run OpenBSD directly.
OpenBSD is a huge contributor to the Unix ecosystem. Also, don't forget the top-notch documentation. Even when I'm using Linux at work, I'll still often pull up the OpenBSD man pages because they're so much better.
With mandoc, they've also worked hard on the HTML output. No more fixed-width fonts, good layout, internal and external links, and compact. I wish more documentation was like this!
Obligatory link to Peter N.M. Hansteen's presentation "OpenBSD and You". On slide 6, you'll see which operating systems use OpenBSD's code to its benefit.
Yup, there were some premature release announcements, but it seems it's really available now. (Note that OpenBSD releases come out twice a year, pretty much like clockwork, and that version numbers aren't indicative of the magnitude of the underlying changes: 7.0 was just the next release after 6.9).
Headline improvement for this version: it's fully supported on Apple Silicon. Not sure there is a huge market for that, but still pretty cool!
> Yup, there were some premature release announcements, but it seems it's really available now
Technically it was always available, you can always follow -current or whatever they call it.
Most sensible people don't, however, because it entails going back to the old-school way of keeping OpenBSD up to date, i.e. you don't get to benefit from syspatch, fwupdate and sysupgrade. All three utils are (relatively) recent inventions that help keep your average sysadmin sane!
Actually you get the advantages of all of those when running -current if you follow it by using the binary snapshots. You can follow current by upgrading to the latest snapshot via ‘sysupgrade -s’.
I’ll use OpenBSD again if and when there’s a long-term branch that freezes the pf.conf syntax, let’s say for 10 years.
Of course people are free to run their volunteer projects however they like, but I'm also free to decide that I'm not going to have my firewall rules randomly break if I want to keep my router updated. Over the last 15 years or so I've been burned by OpenBSD multiple times on this issue.
Every OpenBSD release comes with a comprehensive, release-specific upgrade guide which tells you all quirks (including changes to configuration syntax). For this version, you can find the respective doc here: https://www.openbsd.org/faq/upgrade71.html (Note the entire section called "Configuration and syntax changes")
There's also a pretty clear instruction at the top: "For critical or physically remote machines, test it on an identical, local system first."
I mean, I know it's annoying to hear that, but they are pretty upfront about basically everything with this OS, and you just have to be diligent about actually reading the documentation for the system upgrade. You were not "burned" by the OS or its developers.
Yeah try reconfiguring a remote firewall with breaking changes and therefore new behavior without OOB access. Don’t make a single mistake or you could be traveling hours/days.
Good luck with your "reading" now that the breaking changes have made hundreds of online tutorials, articles, books etc. that would guide you obsolete and wrong.
So if you skip testing, and you skip reading the upgrade guide, skip editing pf.conf to adapt to some upcoming change and reboot into the upgraded OS version, you will still get a default pf that allows you to ssh in and fix it.
But sure, one can still shoot oneself in the foot if you aim for it.
CVS might work for the existing devs, but it can be a non-starter for onboarding experienced developers. Avoiding the upgrade to modern VCS tooling would be a deal-breaker for me, despite any other potential upsides. I view it as the tip of an iceberg of outstanding technical debt.
I think you focus on the wrong thing. If your code is good, just send a git diff to the mailing list and watch it being committed. The tools used are not some kind of magic pixie dust ...
It's a fun time playing around with OpenBSD on a laptop. I've used it a couple of times on old ThinkPads, it's always an interesting reminder that there is *nix that is not Linux, and that there's more than one way to do things.
Maybe when I finally get around to building a router it'll be OpenBSD, that would be fun.
Setting up an OpenBSD router is almost trivial - it's all there in the base system. dhcpd, unbound, net.inet.ip.forwarding=1 and a forwarding rule in pf.conf and you're good to go. Then the tinkering starts, of course (even wireguard's available in base). Do run a few benchmarks - my APU2 can't really live up to gbit IP throughput (iperf3 speeds were about 500 Mbps, no performance tuning). Luckily the veb(4) software switching does reach 1 Gbps locally and my uplink is only 100/100.
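As an added illustration of the minimal router setup this comment describes (an example config written for this page, not the commenter's own nor the OpenBSD project's; the interface names em0/em1 and the 192.168.1.0/24 LAN are assumptions):

```pf
# /etc/pf.conf for a small OpenBSD router (added example, not from the page).
# Assumptions: em0 is the uplink (so it is in the "egress" group), em1 is the
# LAN on 192.168.1.0/24 where dhcpd and unbound listen, and
# net.inet.ip.forwarding=1 has been set in /etc/sysctl.conf.
int_if = "em1"
int_net = "192.168.1.0/24"

# Source addresses that must never arrive from the uplink.
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 224.0.0.0/3 }

set block-policy drop
set loginterface egress
set skip on lo0

# Normalise incoming packets and clamp MSS for the uplink.
match in all scrub (no-df random-id max-mss 1440)

# The forwarding rule: hide everything leaving the uplink that does not
# already carry the uplink's own address behind that address (NAT).
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Reject packets whose source address does not belong on the arriving interface.
antispoof quick for { egress $int_if }

block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

# Default deny: every rule below is an explicit exception.
block all

# The router itself and forwarded LAN traffic may go out anywhere.
pass out quick inet

# LAN clients may reach the router (DHCP, DNS, SSH) and, via forwarding, the
# Internet. Nothing is opened on the uplink side; manage the box from the LAN.
pass in on $int_if inet
```

Validate the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; the services themselves are turned on with rcctl enable dhcpd unbound.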
What I'm more worried about is hardware support, specifically for a PCI Wifi board I pulled from recycling a while ago. It'll probably be trivial to find out, even if just by installing the OS and trying fw_update.
I need to just sit down and do it, but I have a working setup right now and can't quite get the motivation to at the moment.
Yeah wlan is by far the weakest point of OpenBSD networking - especially as an AP. Slipped my mind completely actually. The way most do it is to have separate APs.
Yes, once in a while I play around with it as well. And each time I like the straightforwardness. But building on-premises Windows software there are not many use cases for using OpenBSD boxes, and I have a lot of stuff related to our business I first have to spend my time on before fiddling around for fiddling around's sake.
OpenBSD includes firmware it can permissively redistribute, for example as of 7.1, OpenBSD developers spent many months working with Realtek to change the firmware license for rtwn(4), urtwn(4) and rsu(4) wireless devices so that it could be included in base and on the install media.
For firmware that cannot be distributed on the install media, it is instead packaged separately and made installable through fw_update(8); if you have a working Internet connection it will be fetched automatically from the installer or on first boot.
You can also add firmware to install media yourself, if you have an existing OpenBSD install:
> Implemented poll(2), select(2), ppoll(2) and pselect(2) on top of kqueue.
Does anyone have more information on this? OpenBSD must be the only one to implement it this way?
I feel like this doesn't matter much from outside the kernel, it's just an implementation detail.
The limitations of those syscalls are inherent to the interface and won't be "fixed" this way.
So it's no doubt convenient for the OpenBSD devs to unify the implementation, but this is not a user visible change or even something user mode programmers should care about.
I need to try OpenBSD on a partition again, I kept running into issues where my display would freeze after 15 minutes. I assume it was because I was trying to watch videos, coupled with using an Nvidia card.
From what I read online, OpenBSD does lack compared to FreeBSD in hardware support.
I know the answer is "just use FreeBSD", but out of interest does anyone run OpenBSD with a LAMP stack in any sort of production environment with a medium level (whatever this may mean to you) of traffic?
The answer is actually "just use OpenBSD". I work for a local ISP and reinstalled all the aging OpenSUSE boxes with OpenBSD almost 5 years ago. Zero issues and peace of mind, because you know your servers can take care of themselves while you're on vacation. (I started with OpenBSD around version 5.0 and have witnessed a situation where Linux had a bug where the whole world was running around with hands in the air and the same issue had been either fixed or mitigated in OpenBSD years ago.)
Core of the network is still Cisco and Nokia boxes, but all the support/servery stuff runs on OpenBSD - ELK stack, nextcloud servers, db servers, smokeping, nagios, syslog, tacacs, rpki validators, mail relays - you name it.
Only exception is backup servers, where we use TrueNAS with ZFS (FreeBSD-based).
I was testing 10gig SFP+ NICs (intel, broadcom) in Linux, FreeBSD and OpenBSD with iperf3. I was seeing line rate in Linux and FreeBSD and somewhere around 3gbps in OpenBSD. So while Linux and FreeBSD have top performance, OpenBSD's performance with security mitigations enabled by default is good enough(tm) in most cases.
This will be very opinionated, but ... when I'm working with Linux, I need to google stuff around, because there are no [,usable] manpages. Sure, it's easy, everybody just loves to google their stack traces to find solutions ... BSD is boring, it just works. And from my experience, OpenBSD was acting like an apprentice when I was setting something up. It handed me the tools or configs at the moment I needed them. Everything is there at arm's reach. If you know what you're doing, the system is helping you. Need a config file? - there's one in /etc/examples!
The old saying goes like "Those who don't understand UNIX are condemned to reinvent it, poorly." I don't think I need to tell you, but do your testing before you switch over your production. Hopping off the bandwagon has its benefits, but also its costs. OTOH, (ad 2), I think you'd know your way around. I played with BSD4.3 in SIMH a couple of weeks ago and was surprised that I can use it!
ad 3: I had an argument with security guys forcing minimum password length a couple of months ago. Somehow they just couldn't understand that I don't have passwords at all and use SSH keys. Also, Linux doesn't have pledge and unveil or chroot by default, so they just don't understand the benefits ...
ad 5: for me, OpenBSD is the only system where I can ps auxwww and know what's going on ... Not sure what's going on, but the working theory is that most people just don't care or understand, so this is not a value for them from the start...
Most linux VPS could be taken over by writing miniroot.fs to the virtual drive & rebooting the drive. Some might need to emulate some cloud-init stuff ...
P.S. I started with Linux more than 20y ago. I was blessed enough (hey! life provides only gifts ;) ) to administer some Solaris 6, 7, 9 and 10 boxes that showed me "proper" UNIX ... since then, it's painful to experience some Linux stuff that has been solved already, and just works(tm), but NIH ...
> ad 3: I've had an argument with security guys forcing minimum password length couple months ago. Somehow they just couldn't understand that I don't have passwords at all and use SSH keys
I have had the exact same argument many times too, I could not get them to understand how much better ssh keys are than passwords.
Now if I can only find a "DECENT" VPS host that offers any BSD default install options (looking at you, Scaleway!)
I don't know if Vultr fits in "decent" but I've had no problem with them and they support direct OpenBSD installs. You can spin up a full OpenBSD in less than 2 minutes.
> I was seeing line rate in linux and freebsd and somewhere around 3gbps in OpenBSD.
This is the only reason I don't still run OpenBSD firewalls - because the little appliance I use doesn't have the CPU to keep a gigabit NIC saturated and I have gigabit internet. Now that topton refreshed their offerings with 10th and 11th gen 2.5gbe firewalls [1] I plan to try again. Having said that, I tried drag racing pfSense, Fedora and OpenBSD in virtual machines on a DL360 G9 under VMware and OpenBSD wasn't able to keep up there either.
I run a few Rails apps with about 200 weekly users total all on OpenBSD. I much prefer it over my Debian experience. But I have to say Fly.io and Render look very good.
Extended ASCII, that is. So, there are characters such as á, ű, ó and whatnot. Many people think that "lack of UTF-8" or "ASCII only" means there are no such characters.
There is no such thing as extended ASCII, as the standard only specifies characters up to 0x7F. What comes after is implementation dependent: DOS/Windows had code pages, there are ISO standards, SHIFT-JIS, etc., none of which are compatible with each other.
Glad to hear that. In that case text console in OpenBSD is not ASCII since I can pretty much both type and see those characters, right?! I mean, why say that it is ASCII-only if extended ASCII does not exist, yet those characters are displayed properly?
FreeBSD's PF was forked a long time ago and lives an independent life now. FreeBSD has implemented SMP improvements, but this hasn't been taken back by OpenBSD, which has moved on since ... there are some incompatibilities.
Both OpenBSD and FreeBSD are boringtech(tm). It just works, without all the drama, changing init systems and/or system tools every couple of years. It really depends on your workload, but with FreeBSD, you can run linux/windows/whatever in bhyve or virtualbox if you need something specific ...
I've run FreeBSD servers with ZFS and jails (bastille) before, but I usually fall back to OpenBSD (if storage <100G) or SmartOS (storage >100G -> ZFS). Really depends on the workload. Give it a shot or mention what you need.
I quit using ZFS when FreeBSD managed to somehow lose the entire zpool it was installed on. That was a long time ago, so I'd hope it's better now, but I've had no reason or inclination to waste my time with it since.
I lost a 3T collection of HDTV movies back in the day (student) because of a WD Green drive in a USB box that decided to return something other than what was written to it. Took me a while to realize what was going on, but seeing cksum errors when this particular drive was a member of a zraid1, I didn't lose any more data (blocks with correct data and checksum were returned from the pool) and was able to replace it on my own schedule and budget. Since then, I just don't feel like gambling on bitrot. Neither on movies, nor on family photos.