Slashdot Mirror


Bug Busters! OpenBSD 5.1 Released

An anonymous reader writes "Today the 5.1 release of OpenBSD has surfaced. As usual, it includes improved hardware support, but also OpenSSH 6.0 and over 7000 ports, with major performance and stability improvements in the package build process (and some really cool stickers). Here's the changelog, the download page, and the CD-ordering page."

24 of 135 comments

  1. Open BSD confirms it by future assassin · · Score: 5, Funny

    Netcraft is dead....

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re:Open BSD confirms it by HyperQuantum · · Score: 2

      That must be in Soviet Russia...

      --
      I am not really here right now.
  2. Re:7000 Ports? by mirix · · Score: 4, Informative

    OpenBSD ports are a set of makefiles that will build packages, not OS 'ports' like you are thinking.

    --
    Sent from my PDP-11
  3. Re:YAY! by Anonymous Coward · · Score: 2, Insightful

    OpenBSD is relevant to those of us to whom it's relevant. There is no "grand scheme". It's a secure, well-maintained, and well-documented OS. Oh, and it's free, in every sense of the word.

  4. Re:YAY! by 101percent · · Score: 5, Insightful

    Given that OpenSSH alone is the most used FOSS program, and there are virtually no corporate contributions, I think Theo just has lost patience for people who come on the lists and complain.

  5. Who ya gonna call? by Billly Gates · · Score: 2

    Bug busters!

  6. Re:YAY! by gman003 · · Score: 3, Insightful

    In the Grand Scheme of Things? No.

    But, for a grand enough definition of "grand scheme of things", your entire life is irrelevant. The history books will forget you, no matter how important, after enough millennia. And I'm pretty sure the rotation of the galaxy cares not one whit for the combined accomplishments (to date) of the entire human race.

    So, in the end, who cares for the grand scheme of things? As long as it's relevant to you, it's relevant enough.

    Personally, I have an OpenBSD box (normally my experimental-server-slash-tertiary-backup-desktop, currently my experimental-server-slash-secondary-backup-desktop, as my primary-desktop is currently my primary-doorstop). And I haven't updated it since... 4.6? 4.8? Can't be assed to ssh in and check. So 5.1 isn't important to me, but OpenBSD itself somewhat is.

  7. Re:Over 7000 ports by e9th · · Score: 4, Informative

    There was a brief time, four or five years ago, when something (expat maybe?) was mistakenly placed in xbase, so you had to install the xbase set for a whole bunch of ports/packages. That situation didn't last. And even then, you didn't have to run X.

  8. Re:YAY! by pipatron · · Score: 4, Interesting

    What has changed since the beginning that made OpenBSD less relevant?

    --
    c++; /* this makes c bigger but returns the old value */
  9. Re:YAY! by tck42 · · Score: 2

    As a network appliance type device at least I'd say it's still very relevant. I still prefer configuring / maintaining pf over iptables (or any other competitor I've tried) for any non-trivial ruleset, the documentation is IMO much better than most of the other stuff out there, it's relatively secure and relatively stable, and the performance and compatibility with older hardware has been great (in my experience). I use it for my gateway device and have never had any problems. I briefly used Linux for the same task and found myself spending more time messing with it. I could easily see it replacing all sorts of expensive commercial solutions at my workplace but managers like commercial vendors. It's just well put together and does what it's built for quite well. I think there's room for all sorts of stuff in the "grand scheme", not just shiny and popular stuff.

    --
    SIGDANGER is my middle name
  10. Re:YAY! by mirix · · Score: 5, Informative

    This is true, but the base install is pretty limited, so it's hard to compare, really.

    (I think it's been three holes since the dawn of OpenBSD, by the way).

    That said I still use it on some of my outward-facing stuff. PF is great. The pre-chrooted httpd is nice. Some other parts, not so much, though... can't think of a good example right now, but once in a while I run into things that amaze me with backwards-ness compared to my linux boxes.

    Oh, and the documentation is a work of art compared to linux. That's a really nice feature.

    --
    Sent from my PDP-11
  11. Re:over 7000 ports by JustOK · · Score: 2

    just use port 4000 twice. It's all binary.

    --
    rewriting history since 2109
  12. Re:YAY! by Anonymous Coward · · Score: 3, Informative

    Yeah, totally agree that OpenBSD is relevant today. I would even say OpenBSD is becoming more relevant today than it has been in the past, as we will receive more backdoors in open source projects that rely on binary distribution methods. I really hope OpenBSD sticks around, since it is the only truly stable open source distribution. I have used it since 2.6 and have always enjoyed the no-bullshit approach to having reliability and security together. OpenBSD doesn't make the poor decisions that are so common in Linux distributions (the plymouth OS process on Ubuntu is a good example of common Linux stupidity). Also, OpenBSD doesn't have the hardware pressure of NetBSD, nor the feature pressure of FreeBSD, so they can focus on security and reliability. OpenBSD is relevant to those of us that require a quality operating system.

  13. Re:YAY! by Just Some Guy · · Score: 5, Insightful

    > This is true, but the base install is pretty limited, so it's hard to compare, really.

    That's not a bug: it's a feature. I know you already know that, but I mention it for the benefit of people not already familiar with OpenBSD. OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler. Fewer things installed = few things to break = fewer attack vectors = fewer things to maintain.

    That also means that it's trivially easy to deploy a task-specific server that runs almost nothing not directly related to performing that task. For example, here are all the processes running after booting a particular mail gateway:

    $ ps ax
    PID TT STAT TIME COMMAND
    1 ?? Ss 0:00.01 /sbin/init
    21888 ?? Is 0:00.00 syslogd: [priv] (syslogd)
    11594 ?? I 0:00.01 /usr/sbin/syslogd -a /var/www/dev/log -a /var/empty/dev/log
    18652 ?? Is 0:00.00 pflogd: [priv] (pflogd)
    16925 ?? S 0:00.01 pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
    4551 ?? Is 0:00.00 ntpd: [priv] (ntpd)
    12960 ?? S 0:00.01 ntpd: ntp engine (ntpd)
    15118 ?? I 0:00.00 ntpd: dns engine (ntpd)
    8253 ?? Is 0:00.00 /usr/sbin/sshd
    32235 ?? Ss 0:00.01 sendmail: accepting connections (sendmail)
    1749 ?? Ss 0:00.00 /usr/sbin/cron
    23675 ?? Is 0:00.05 sshd: kirk [priv] (sshd)
    25682 ?? S 0:00.04 sshd: kirk@ttyp0 (sshd)
    17102 p0 Ss 0:00.19 -zsh (zsh)
    17713 p0 R+ 0:00.00 ps -ax
    8581 C0 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC0
    4910 C1 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC1
    25709 C2 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC2
    12308 C3 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC3
    19809 C5 Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC5

    So we have init (boots the system; makes sure things are running that are supposed to be); the system event logger; the firewall event logger; an NTP daemon to keep the time set correctly; the SSH daemon I used to connect into it; Sendmail (the OpenBSD-hardened version); the scheduled task manager; my shell process; and the program that listens for console logins. There's just not a lot you can strip away from that.

    Here's the list of open sockets that an external user can connect to:

    tcp 0 0 127.0.0.1.587 *.* LISTEN
    tcp 0 0 127.0.0.1.25 *.* LISTEN
    tcp 0 0 *.22 *.* LISTEN

    So SMTP (25 and 587) and SSH are listening. Again, that's as minimal as you can feasibly get. Well, I suppose you could axe everything firewall related, since the only open ports are to services that are deliberately exposed to the Internet already, but security comes in layers.

    It's obviously possible to build secure systems with other OSes, but OpenBSD goes a long way toward making it easy. "Secure by default" is a wonderful starting point!

    Oh, and pf has the most beautiful firewall rule syntax of any system I've ever used.

    --
    Dewey, what part of this looks like authorities should be involved?
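
An added example (not part of the original comment or of OpenBSD): a small Python audit over BSD-style `netstat -an` output like the listing in the comment above, separating loopback-bound listeners from ones reachable on every interface and checking the latter against an allowlist. The sample lines, the `tcp6` entry and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample modelled on the listing in the comment above
# (BSD netstat columns: proto recv-q send-q local foreign state).
SAMPLE = """\
tcp   0  0  127.0.0.1.587  *.*  LISTEN
tcp   0  0  127.0.0.1.25   *.*  LISTEN
tcp   0  0  *.22           *.*  LISTEN
tcp6  0  0  ::1.587        *.*  LISTEN
"""

def parse_listeners(text):
    """Return (proto, address, port) for every LISTEN line."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[-1] != "LISTEN":
            continue
        # BSD netstat joins address and port with a dot: split on the last one.
        addr, _, port = f[3].rpartition(".")
        if port.isdigit():
            out.append((f[0], addr, int(port)))
    return out

def scope(addr):
    """'loopback' if only local processes can connect, else 'external'."""
    if addr == "*":
        return "external"  # wildcard bind: listening on every interface
    try:
        return "loopback" if ipaddress.ip_address(addr).is_loopback else "external"
    except ValueError:
        return "external"  # unparseable address: fail closed, treat as exposed

def audit(text, allowed_ports):
    """Split listeners into expected exposure, unexpected exposure, local-only."""
    report = {"expected": [], "unexpected": [], "local_only": []}
    for _proto, addr, port in parse_listeners(text):
        if scope(addr) == "loopback":
            report["local_only"].append(port)
        elif port in allowed_ports:
            report["expected"].append(port)
        else:
            report["unexpected"].append(port)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE, allowed_ports={22}))
```
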
  14. Re:This one goes to 65535... by Just Some Guy · · Score: 5, Funny

    The OS I'm using has 65536 ports.

    And if you're running Windows, there's a good chance they're all in use.

    --
    Dewey, what part of this looks like authorities should be involved?
  15. Re:YAY! by Just Some Guy · · Score: 2, Interesting

    I replaced our Sonicwall with OpenBSD+PF nearly 8 years ago. The only user-visible difference is that we stopped having unplanned network outages.

    --
    Dewey, what part of this looks like authorities should be involved?
  16. Re:YAY! by identity0 · · Score: 2

    >Theo just has lost patience for people

    fixed.

  17. Choices of s/w & IPv6 support by unixisc · · Score: 2

    I had a look at it, and found some things interesting.

    Under highlights, it mentions that it supports GNOME 3.2.1 (fallback mode), but for KDE, it supports 3.5.10. For GNOME, this is the first time I have seen any BSD support GNOME3 - in fact, there was some discussion in the past about how GNOME3 wouldn't run on BSDs due to systemd being a requirement. The other interesting aspect of this is that it goes for the latest, much publicly disparaged version of GNOME, but for KDE, which is much improved, it's @ 3.5. They could have either gone for KDE4.8, or if they didn't like that, they could have ditched KDE altogether and gone w/ Trinity.

    The other thing I noticed throughout the notes was improvements in support for IPv6, such as fragment handling, but what I haven't figured out is how mature is OpenBSD's IPv6 support compared to FreeBSD? FBSD is currently second to none when it comes to IPv6 support (I'm not sure how it compares to Windows 7, which has been innovative for IPv6 on its own, w/o relying on the BSD layer 3 stack as it did for IPv4), but I was curious about OBSD. If someone wanted to create an IPv6 firewall cum router w/ OBSD as the management OS, does the OS have whatever it needs for this purpose?

    On a separate note, I did find it interesting that they include software that's now GPL3 - such as Emacs, GCC, Libre Office, among others. In the case of the compiler, they didn't offer LLVM/Clang, and nor do they seem to prefer BSD software to others - for instance, Apache is the web server that they offer, and not Nginx. In short, I found their choices of default software pretty interesting, given all the recent discussions regarding GPL3 vs BSDL and so on.

  18. Quality Control with Balls! by Anonymous Coward · · Score: 4, Informative

    > ...the base install is pretty limited...

    The base install is painstakingly audited. They look for all bugs, even ones that have no apparent means of exploitation. This has often resulted in OpenBSD being unaffected by holes discovered in other systems. The same degree of assurance cannot be extended to thousands of ports, however, so a line is drawn around the base install.

    That being said, I've heard that Theo expects that one should be able to 'cd /usr/ports' and 'make install' - to build and install every port in the tree - without error. What other OS has the balls to pull that off?

  19. Re:How well does it run on VMs? by jawtheshark · · Score: 2

    It should work. Do remember that it's not paravirtualized. While not VMWare, I've run it in VirtualBox sessions. If VirtualBox can do it, so should VMWare.

    Partitioning scheme: Not more complicated than on the bare metal.

    ISO: You can do that, but you'll have to create the ISO yourself (which isn't hard - they might even provide downloadables these days... I wouldn't know, you'll see why), or you just buy the official CD (recommended version). Me? I don't bother with CD's anymore. Just use the PXE-boot (netboot) method and be done with it.

    VMWare tools: What VMWare tools? I'm pretty sure, there aren't any... You don't need them. You're not going to run X on it anyway, are you? Once you have ssh running, you probably never will use the console again. Besides, I'm sure VMWare can handle serial-port connections. My OpenBSD box doesn't even have a graphics card. RS232 is enough.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  20. Re:YAY! by TheRaven64 · · Score: 4, Insightful

    > OpenBSD installs almost nothing by default, to the point that many systems don't even have man pages or a compiler.

    The standard install includes everything required by the Single UNIX Specification, including man pages and a compiler. You can choose not to install them, but that typically only happens on small embedded systems with 16-64MB of Flash.

    > Fewer things installed = few things to break = fewer attack vectors = fewer things to maintain

    It also means you don't get the situation like Ubuntu where every time I turn on the system I have running Ubuntu it wants to install 200+MB of updates for stuff I never use and don't want installed.

    --
    I am TheRaven on Soylent News
  21. Re:YAY! by serviscope_minor · · Score: 5, Insightful

    > Theo just has lost patience for people

    That's simply not true. Theo has lost patience with whiners who want someone else to do their thinking for him.

    I've got polite, helpful responses personally from Theo. I was trying to build a module (despite all the dire warnings how not to do this or ask questions and how unsupported it is) so I could hack on the drivers for a moderately exotic piece of hardware. I posted questions. He was one of the people with a response.

    It turns out that if you know that the mailing list doesn't suffer fools, you work that little bit harder to write a sensible mail.

    You double check everything and make sure you read the docs. This catches many of the bugs initially and then you don't need to post in the first place. If it doesn't fix the problem, it gives the mailing list inhabitants a good indication of what the problem is.

    To me it seems unbelievably rude to ask some of the world experts for a bit of their time to help without bothering to check the things that you need help on. I just don't understand how most other people don't also see this as rude.

    --
    SJW n. One who posts facts.
  22. Re:IPv6 support by unixisc · · Score: 2

    > Edit: Specifically, "IPv6 code was merged into NetBSD in June 1999, and is part of NetBSD."
    >
    > http://www.netbsd.org/docs/network/ipv6/
    >
    > So there.

    Okay, checked out that page. Seems to be more of a history lesson on IPv6 support in NetBSD. One key thing I noticed - all the BSDs, be it FreeBSD or NetBSD seem to prefer the autoconfiguration as far as IP addresses go, and typically don't support DHCP6. So anyone who has issues w/ EUI-64 is SOL. They mention that routers can't be autoconfigured, and that nodes should not be manually configured. But this is one of the reasons that DHCP6 is more important in IPv6 than DHCP4 was in IPv4.

  23. Re:How well does it run on VMs? by Nikademus · · Score: 2

    It works fine on vmware, but it seems some other virtualization software doesn't work as well. It puts much strain on the virtualization.
    You can install the full base OS in under 4 minutes like I did here https://www.youtube.com/watch?v=28ujY4vlz4c

    --
    I gave up with the idea of an useful sig...