Metawire.org Admin On OpenBSD Hosting

hext0r writes "Open Hosting provider metawire.org administrator Daniel Selans recently wrote an informative article for the OpenBSD Journal about the difficulties and successes in running a free hosting provider using OpenBSD. It's an informative read for anyone considering starting any type of hosting company using free technologies."

*BSD IS UNDYING

[Leffe]

Maybe *BSD died back then... but it's most surely coming back! Just take a look at the latest NetCraft survey and you'll see that they have come back a little.

I think this article confirms it. Just check where it's posted: http://undeadly.org/, doesn't that light some lights!?

One thing that I can most definatelly note is that with the use of OpenBSD, the experience was made by far simpler, and headache free. The common belief out there is that OpenBSD is best used for security gateways, firewalls, routers and etc. Well, I personally do not believe so. The capability of this OS is only admin deep. The more you know, the more you can achieve. I have personally ran OpenBSD in large enterprise environments as web servers, file servers, database servers, and frankly, it's resource management and speed is uncomparable to most other operating systems out there, multiply that with the security standards, and you've got an amazing OS.

I feel like installing OpenBSD!

Nitpick

[sreeram]

about the difficulties and successes in running a free hosting provider using OpenBSD

I didn't see anything negative in that article. Nor any major "difficulties". He made it sound like it was a breeze - just put together a bunch of scripts and it's all done.

PS: I love OpenBSD. Like Daniel, I also use it as both a server and a desktop workstation. I just wish people would RTFA.

Re:Nitpick

Especially disappointing was that there weren't any explanations of why OpenBSD would be better than FreeBSD or NetBSD. I'm looking hard at moving from Linux to BSD, and I've got more questions that need answering than I had when I moved from Windows to Linux.

How does OpenBSD handle package management? Is it conducive to compiling everything by hand? Are there any serious packages that OpenBSD lacks? Will I have a lot of trouble if I want to use example_package-3.1.5 but the package system only has example_package-3.2.2 in it?

The BSDs have several advantages over Linux, especially the way the systems are engineered, but it's also very nice to be able to pick and choose the versions of software I want to run, rather than needing to rely on a package manager for them.

Re:Nitpick

[bl1st3r]

As one of the two co-owners of Metawire I must agree. Overall, the OpenBSD situation for us has been extremely positive. The difficulties that we had that were not mentioned in the article were mostly the cause of inproper configuration allowing local users (we are a shell provider) accessing services that we didn't expect, causing situations we couldn't avoid in time.

All in all though, it has been extremely smoothe and the users all seem to be appreciative.

One of the biggest challenges for us was getting a good userbase. We found that the majority of our users were from countries like Romania and Poland who just wanted a shell account to run a BNC and then never log in again. This went against everything we created Metawire FOR, which was to create a community of like-minded computer enthusiasts.

There have been some problems, but OpenBSD has helped to aleviate the majority of them.

Re:Nitpick

[bl1st3r]

One of the main reasons for selecting OpenBSD is that it handles local security better than some of the other flavors. FreeBSD is my personal favorite for servers, but as a server that handles local users, I would never go with anything other than OpenBSD ever again.

The package system is also very nice. OpenBSD audits the packages that are included to protect against retarded local exploits. OpenBSD doesn't trust third party packages and this shows in its track record of local and remote root priveledge escalation's. Third party software is often overlooked as a flaw with Open Source software. Every day we hear about a new Microsoft Outlook hole, but nothing ever gets mentioned on slashdot on how XMMS allows arbitrary code execution. This kind of stuff happens all the time, but is often overlooked because most people running servers don't let their users do anything.

As a free hosting provider like we try to be, we wanted to give the users as much access to the system as we could safely allow. This has been both a hinderance and a help. Having a truely open provider available for users has helped us grow at an exponential rate. But we have to be very concerned about every local vulnerability that exists.

Re:Nitpick

[andkaha]

How does OpenBSD handle package management?[...]

The BSDs have several advantages over Linux, especially the way the systems are engineered[...]

Just pick one of the BSDs and try it out. Noone knows what's best for you but yourself.

Re:Nitpick

[MikeX]

What do you want to know? As long as you post to the correct list, people are very nice. Stay away from the developer list with questions, the tolerance for that is apparantly fairly low.

Package management? The ports collection is awesome. Installation is, honestly, very easy. The pkg_add command takes care of everything (at least in my experience).

Compiling _everything_? I can't answer this one. Compiling all your programs (minus the libraries, etc) went very smoothly for me.

As for lacking serious packages...I haven't found anything that I needed that I couldn't get, but that's me. Most of the time, if you're package won't work on OpenBSD, there is some sort of BSD licensed equivalent that works well.

If the package version you want is not available, you can always recompile, but the amount of packages and their different available versions is astoundingly huge.

One of the biggest advantages of OpenBSD? The documentation is beautiful. They really weren't messing around with this. Not only is the documentation abundant, the quality is really nice. There are examples and troubleshooting tips all over the place (in the man pages).

It runs on essentially anything, so grab an old machine and play with it, I think you'll find most things are intuitive.

--Mx

Re:Nitpick

[Brandybuck]

Not to disparage OpenBSD at all, but the mere fact that you're asking such questions means you're probably not their target user. At least not at the present.

The purpose of your system and your personal inclinations should guide your choice of BSD. If you want cutting edge software then OpenBSD may not be for you, because it stresses stability over recency. It's so conservative in this regard it makes Debian-stable seem daring.

Re:Nitpick

[bl1st3r]

It's a proxy. Allows users to just leech bandwidth. A lot of the foreigners are using it on our system to get onto IRC networks that their ISP's get banned from for warez abuse and things of that nature.

Re:Nitpick

[styrotech]

If you want cutting edge software then OpenBSD may not be for you, because it stresses stability over recency. It's so conservative in this regard it makes Debian-stable seem daring.

Even as a big Debian fan, I still have to admit OpenBSD has newer software than Debian Woody.

OpenBSD ain't bad, it comes out every 6 months and is usually fairly up to date.

Re:Nitpick

How funny, you list a samsung article that is dated back to 2001. What year do you live in? Not to mention that there was a follow up to the article that tweaks *BSD settings and they match the other OS' almost 1 for 1 on performance:

Which OS is Fastest -- FreeBSD Follow-Up
http://www.samag.com/documents/sam0108q /

What most people forget is that *BSD are configured for stability and it is up to the admin to tweak for performance. And performance depends on what kind of server you are going to be running. As MS would say, get the facts and actully read the first article as well as the follow up. How about responding to this one mr./mrs. troll.

FYI: the follow up is still in 2001. Perhaps reading and providing some more recent articles might make your point. If you can find any that prove less than stellar performance. Bring it on!!! And I am read with tons of new bench marks that prove my point and they are recent, like a month old.

Re:Nitpick

[acidtripp101]

OpenBSD is supposedly more secure than FreeBSD, but in terms of direct remote root exploits, they're just about the same as FreeBSD- both use Openssh which hasn't had that great a security track record. OpenSSH appears to be developed and maintained by the OpenBSD team. Whether OpenSSH's security/quality is representative of the rest of the OpenBSD team's work is up to you to figure out.

Wrong. 99% of the OpenSSH vulnerablities don't affect OpenBSD. I can't tell you the specifics, but the reason is basicly that the way OpenSSH is integrated into the system along with kernel specific security measures prevent exploits that would affect another POSIX OS. If you read the security announcements for the OpenSSH vulnerabilities, you'll usually see that OpenBSD is immune.

Re:Nitpick

"This OS over that OS" arguements invite flamewars, and are all too often just disinformation anyway. Any 'ix can be used for whatever purpose you like, and usually the best one for *your* job is the one *you* are most familiar with.

I use OpenBSD for just about every task imaginable (and the other BSDs and various Linux flavors as well BTW). These days the only big software package I can think of that isn't working on OpenBSD is OpenOffice (related to some problem with the OpenOffice build system I think, but don't quote me), which might be relevent for some desktop users. Mozilla and native Java are now working pretty well. Problems that once existed with MySQL also seem to have disappeared some time ago (admittedly, I've never stressed it though, and I prefer PostGre anyway).

Work has been done to make the 8 GB install barrier has disappear finally (I think this is done: I can't quite remember), and even SMP is being worked on actively -- so perhaps some time in the not too distant future ...

Re:Nitpick

[TheLink]

"If you read the security announcements for the OpenSSH vulnerabilities, you'll usually see that OpenBSD is immune."

Examples? I've read the announcements. There's one where OpenBSD is immune (only affects openssh-portable), but the others I read don't indicate that OpenBSD is immune.

So I don't see how OpenBSD is much more secure than FreeBSD.

Some pointers would be helpful.

Re:The problem with BSD is its ports system

[Nimrangul]

I understand you are trolling, but incase someone takes an anonymous coward's words seriously I'll bite.

Because of the way ports and packages are designed this complation issue of yours does not happen.

You do not need to configure anything to compile a port, you need to run "make install" after enabling root permissions or getting sudo setup.

Packages are not the norm by any stretch of the imagination for anyone I know that uses a BSD. Installing a pkg works fine as long as you also have the dependancies it will just install the same as if you made from a port and I have never found a port in the 3.3 release that installs broken not bad for the 193 I use for my desktop.

The only messed up compile I've ever seen is xmame+xmess, which my machine could not handle cause it doesn't have enough resources to compile it.

OpenBSD is equally able to use the ports and pkgs in it's system because the system was designed for Open.

Amen.

I would just like to echo that Metawire is by far the best shell hosting I have ever used. I think I was one of the first signups, and since the beginning they allow alot of trust to their users and aren't restrictive.

Metawire is simply exactly what it says on the tin. Free, and amazing shell hosting, have them for an email account, or your website, for hosting scripts and whatever else you can think of.

Great service.

The cost is picked up by the administrators themselves, and it's ran extremely professionally with complete regard for their users.

Simply by the services they allow you can see that OpenBSD is a great OS for just about anything and everything.

Re:Amen.

[miryth]

Well, I have to say, I'm a bit less than pleased with the email service... it tends to work fine, just... late. Very late. Not all the time, though, just enough so I'm looking forward to G-mail or whatever :p

Re:OpenBSD developers should also appeal for fundi

Donations and selling CDs and other cool stuff has always been the way OpenBSD has been funded.

If you are willing to donate money, OpenBSD donations is the place to go.

Of course, buying CDs, t-shirts or posters also helps the project. Look at the catalog here.

Ack!

[__aavhli5779]

Metawire.org, my precious server, slashdotted!

I guess we can consider the fact that it's still up a testament to OpenBSD :)

In all seriousness, though, OpenBSD has been a blessing for running Metawire. I joined the admin team a few months ago, after having been a lowly user and an active member of the community since last year, and have found (as Danny put so well in his article) that the biggest challenges in terms of maintaining a secure and stable server with thousands of users are well met by a system with a philosophy like OpenBSD's.

The challenges that OpenBSD and a proper user management system (which I have been an active developer on since I was made an admin) can not handle are those that plague any provider of a free service, namely the ages-old Tragedy of the Commons.

Garret Hardin's prophetic essay deals mainly with the human tendency for one to maximize the usage of any communal space for his own personal gain, and at the same time to shirk the responsibilities of its upkeep since it is not "his". As this applies to being a free shell provider on the Internet, you have to deal constantly with users who apply, abuse the service, are given the boot, and then show up again. As far as they are concerned it is a common space, freely available, for which they are not responsible. Since they do not take ownership in any sense, what responsibility to they have to keep things OK for others?

The "tragedy of the commons" manifests itself in the biggest administrative headaches the team has had to face so far. People signing up to use bandwidth-hogging psyBNCs/IRC proxies to get past bans on networks or keep nicknames alive, people using our service to mailbomb, people using it to host illegal materials... Had they been using a paid shell (which are widely available) for which they had some degree of "ownership" and at least an implied responsibility to follow the rules, their behavior might be less destructive, but because they are using a free resource, they feel unburdened by any responsibility towards other users and the administrative staff.

I could let these failings of human nature get me down, but thankfully there is another tool which can fill in where OpenBSD fails. Perhaps even the vagaries of man can be overcome...

by Perl :P

Re:What I know about *BSD:

Dam are you trolls dense.
1) No you cannot play a ton of commercial games, however you can play UT, Half-Life and so forth.
2)Grandma better learn a little about unix.
3)Lacks gui? Gnome 2.6 is there KDE 3.2.x is there, so is Windowmaker, Xfce. Check out the ports collection at www.freebsd.org/ports and well will see what exists.
4) Support? There a few commercial support sites for FreeBSD, I wont list any because this isnt a commercial. You have tons of mailing lists and boards were you can post your question.
5)Assortment of fragmented OS'. Please provide examples. Otherwise share what your smoking with the class.
6) Can be run on X86. Aaaahh, it was developed on the X86 and that is a Tier I plaform as well as the Sparc and so forth.
7) You have to know as much about C to compile apps on Linux? "make install clean". Where is the programming?
8) You apparently dont know what your talking about with respect to hardware. Check out the HCL lists on the websites.
9)Incompatiable with GNU/Linux, perhaps you unfamiliar with Linux Binary Compatability mode as well as a host of other binary modes.
10)With all your points proven wrong, then I guess it really cant be dying.
11)The only reason I respond to this troll was to dispell some myths about the *BSD.

By the numbers

Compare this fact:

"Only one remote hole in the default install, in more than 7 years!"

Please list all of your superior OS' that can match that this track record.

I await your list/answers!!

Re:By the numbers

DOS 1.0 - 6.22
AmigaOS
the OS the C64 had
the OS my toaster uses
Windows XP with the network cable unplugged
Debian (all versions) default kernel, base only

*Looks as though BSD is then, dying.

Re:New *BSD Anthem

[Nimrangul]

Last Kiss wasn't a Pearl Jam original, it was Wayne Cochran's song. Urban legend says it was based on an actual event.

The song's been covered like 4 times, but Wayne wrote it and performed it first.

Read the following for more information: http://www.tsimon.com/lastkiss.htm

Considering the work required to make a relyricing, I would have at least thought you'd do a little reading up on the song.

from their webpage update, FYI

[ricochet81]

Posted on their frontpage,

"Metawire User Upgrade 01 Apr 2004 by blister

Metawire has recently gotten a corporate sponsor, Microsoft, who is going to be putting the administration on a paid salary as well as provide hardware, software, and money for bandwidth for us to promote hosting on the superior Microsoft platform. Metawire will be going through a 2 week upgrade to the new server farm, at the end of which we will be transferring all email and webhosting to the new servers. Everyone show your thanks to Microsoft by purchasing some MS software. Microsoft has really helped this community out big time and deserve all your support."

I am not trolling... but that last sentence is sarcasm right?

Re:from their webpage update, FYI

[bl1st3r]

Um... Congrats on falling for an April Fools joke 24 days after the fact. As the same blister who posted that, you have made my day knowing that I have the ability to hop forward through time and fool people nearly a full month after the actual joke.

Congrats.

-Eric

Re:from their webpage update, FYI

[irc.goatse.cx+troll]

I fooled your mom.

Re:from their webpage update, FYI

[ricochet81]

Awe, I wanted to assume you were playing M$ out of their blood money :( Yeah, i missed the date. good one.

Here's some pointers.

[Bensmum]

Read the website, install the OS, read the mailing list. Security wise, open vs free, its not even close. You thinking that giving a user a shell is as good as giving them root is a good example of how freebsd is not as secure as open.

Try this, install openbsd and freebsd, and count how many setuid root apps are installed on each. Does apache chroot() on freebsd? Do bind, syslog, tcpdump, X and probably a couple other things I am forgetting have priviledge seperation like openssh? Has freebsd thouroughly audited their code? Does freebsd have propolice, non-executable stack, W^X and stack gap randomization to prevent programs that do inevitably have security problems from being exploited? Random pids? Random ephemeral ports? Encrypted swap?

That's a list I came up with off the top of my head, its not complete. I like freebsd too, and I use it where it serves it purpose, but trying to pretend its as secure as open is rediculous.

Re:The problem with BSD is its ports system

[evilviper]

The only messed up compile I've ever seen is xmame+xmess, which my machine could not handle cause it doesn't have enough resources to compile it.

Sounds like you need to look into ulimit...

Re:The problem with BSD is its ports system

[Nimrangul]

My machine is only a P2 450 with 192 MB of (broken) RAM. Setting my limits to unlimited and running nothing but the make, it cannot do it.

Re:Agreed and please donate

[Taxman457]

They also place very little restrictions on what you can do. SSL access to webmail will be online soon too.

I just signed up for an account and have been very pleased. It sounded to good to be true, but its been great. But if people don't eventually donate, it may not be able to continue in the long run, so please consider that. They seem fine now, but lets keep it that way.

Sign up, contribute, and eventually donate if you like at:
http://metawire.org/donate.php

Slightly off-topic...

[alexatrit]

I've had a Metawire account for a few months, with basic rights. No problems with the operation of the system, or the management. The only side effect that I've seen is lag. My original guess was that their DSL-class links weren't keeping up with the demand, or that having several dozen logged in users was taking a toll on the hardware. Nowadays, the systems seem to have their days of speediness and their days of lagged response.

Re:Hey Mr Troll !

[grub]

hahahaha! Oh man, I'm a BSD nut and that was absolutely hilarious. :) Thanks for the LOL.