A technical look at the OpenBSD operating system
from a NetBSD perspective
Hubert Feyrer, April 2005
Abstract: This article takes a look at an OpenBSD installation
and indicates what is not present or different to a NetBSD
installation. Changes in NetBSD that are not in OpenBSD are not
covered. Areas observed are installation, the boot process and
userland installed, including config files, binaries, documentation
present and various files present. A number of areas for further
comparison are suggested and leads to the conclusion that
OpenBSD is more a BSD "distribution" with many packages included in
the default installation than the core operating systems provided
by other BSD systems like NetBSD.
Motivation
As work related to my PhD thesis[0], I wanted to
see if OpenBSD runs equally well in qemu as NetBSD and FreeBSD
do. While there, I wanted to see what is there in OpenBSD that is
not there in NetBSD, given that OpenBSD forked from NetBSD some
time ago. The list below is an analysis of the OpenBSD operating
system from a NetBSD POV, with an emphasis on what is in OpenBSD
that's not in NetBSD.
Given my >10 years of experience in NetBSD, I know it quite
well, and I have no interest in making a comparison the other way
'round. I'd probably leave out too many interesting things present
only in NetBSD, and this text is intended as a "what we can learn
from OpenBSD" instead of a dicksize contest.
I welcome everyone to try out NetBSD themselves!
Installation
- The whole installation itself was performed inside qemu[3]
- When booting up the kernel, copyright lines for UCB and OpenBSD are
printed, with a copyright of NetBSD missing even more obvious. Seems
OpenBSD is shy to admit its ancestry (to say the least)!
The year they give in the OpenBSD copyright and also listed on the
website is 1995, but the same webpage[1] says "Only ... in 8
years". Now assuming we have the year 2005, going 8 years back
brings me to 1997, which is what I remember for the OpenBSD split,
not 1995. I wonder what that inconsistency is?
- Installation of the base system via FTP reported many errors from
mirrors, even from ftp.OpenBSD.org, while extracting sets during
installation. Erlangen as well as a local ftp-server (which got
the install sets added) seems to be reliable. I guess that this was
caused by qemu (which worked fine for installing NetBSD and FreeBSD
via FTP so far :/)
- Installation is still script based as in NetBSD 1.3(?). A bit hard to
read all the text, but ok. Disk partitioning via "disklabel -I" is ...
yuck. How many sectors was a gigabyte again, and how big is a
sector, anyways? :) I prefer NetBSD's sysinst a lot here.
- One question I found useful that was asked during installation was
if sshd should be started by default.
- One item that confused me was: ``Do you expect to run the X Window
System?'', as I didn't install any of the X sets. No further
information was available what this was about, or if/how it can be
changed later. Asking a friend, I was told this was
to enable in-kernel code to prevent connections from/to localhost,
for security raisins.
- After installation and on first bootup, things looked quite familiar
(except for the light-grey on blue kernel messages :). When the
system went into multiuser, it started printing:
``apm0: APM set CPU idle: unknown error code? (83)''. Every second.
Which made the console rather unusable.
- I was afraid I'd have to build a new kernel (which would take ages in
qemu) to get rid of apm, but having a helping hand nearby, I learned a
very nice feature, UCK: Running "config -e -o /bsd.new /bsd" started
an editor which allowed me to type "disable apm" and after "quit" get
a kernel without apm in /bsd.new. Someone please add this to NetBSD
(not that one would need to patch the NetBSD kernel after
installation in qemu in the first place, but UCK still nice)
- Another minor thing that's nice to have is console scrollback on by
default. While NetBSD needs some kernel and userland frobbing to enable
this, having shift+page up/down work by default in OpenBSD (just as
in Linux) is nice to have. Someone in NetBSD please pick this up! :)
The System
- During bootup, ssh host keys and some keys for the "isakmpd" daemon were
created. Looking at /etc/rc.conf, there are a number of services not
(or not any longer) present in NetBSD:
- bgpd is a very OpenBSD-specific (and probably utterly non-portable,
due to it's kernel interfacing) Border Gateway Protocol (BGP) daemon
implementation.
- hotplugd monitors device attach/detach events reported via the
hotplug(4) pseudo-device, doing what was discussed some time ago
on some NetBSD lists too. Currently seems to handle disks,
network interfaces, tape devices and serial line interfaces.
Recognition on special disk devices was done using disklabel information,
e.g. to mount a Sony DSC camera on /mnt/camera.
- httpd - ISTR there's an Apache in base.
- ftp and identd have options of run stand-alone instead of
via inetd
- afs: AFS client and servers are in OpenBSD's base as well. I couldn't
find traces of their ancestry in the manpages, may be OpenAFS or ARLA.
- shlib_dirs: extra directories for ldconfig. Seems no ld.so.conf is
used/available on OpenBSD. I couldn't find the facility to load
optimized shared libs present in NetBSD's ld.so.conf.
- The facility to overrides to system defaults is solved differently
on OpenBSD than on NetBSD: there's only a /etc/rc.conf, which checks
for /etc/rc.conf.local at the end. I guess the right way would be
not to add /etc/rc.conf but create rc.conf.local instead. This isn't
mentioned explicitly at the start of /etc/rc.conf, and when one's
at the bottom of rc.conf after editing things, this may be a bit
of a disappointment. ;)
- A look at /etc looks quite familiar, a few differences notable
are:
- afs: config files for the AFS client/server, and a README with a
pointer to the ARLA homepage
- authpf: empty dir, probably for the facility which allows altering
PF rules after a user has logged in via ssh, according to authpf(8).
I admit I haven't follow the whole PF integration into NetBSD enough
to tell if this is now in NetBSD too or not. Not that I'll need it...
- fbtab: used by login() to determine which devices should be chown'd
to the new user; known as ttyaction on NetBSD.
- inetd.conf: interesting to see ident, daytime and time on by default
for IPv4 and V6, and comsat being also on, but bound only to 127.0.0.1
and ::1. I wonder what fun one could have with an account on such
a machine. 8-)
- ksh.kshrc: lots of funny shell functions, e.g. for aliases, prompt
and $PATH manipulation and doing a few terminal specific settings
shipped here.
- locate.rc: path to locate database, where to search, what to
exclude, what filesystem types to scan.
- login.conf: contains methods for default and ftp login (i.e. what
PAM does in NetBSD now) and a few examples for daemons, "staff"
- lynx.cfg: Uhu, we apparently have lynx in base.
- passwd: 21 "system" accounts (_x11, _dhcp, ...), all sharing
/var/empty as homedir and /sbin/nologin as shell. There's still a
root account. :)
- portal.conf: example for mount_portal - NetBSD has about the same
thing in the mount_portal(8) manpage.
- rc.local: runs /usr/local/sbin/cfsd when present (and mountd runs).
- sensorsd.conf: contains some thresholds upon which sendord will
send warnings, like high CPU temperature, low CPU fan RPM, etc.
Mostly what powerd(8) does in NetBSD.
- sudoers: OpenBSD comes with sudo in addition to su.
- sysctl.conf: many (commented out) examples for setting funny things
like enabling userland to use /dev/crypto, when APM warns/halts for
battery level, switching on/off various emulations (a.out, bsd/os,
Linux, ...).
- systrace: contains file for named and lpd, for restricting these.
(I have no idea how/if they are used)
- ttys: contains all lines where logins can happen. 27 lines for
serial and virtual consoles, and 1018 lines for network logins.
- /bin: Interesting things that I found that are not in NetBSD: none :)
- /sbin: Interesting things that I found that are not in NetBSD:
- mount_xfs: This doesn't have anything to do with the SGI journaling
filesystem (judging by the manpage), but something with AFS.
(I'm AFS-clueless, can't comment)
- kbd: lists and sets available keymaps. Adding the listing to
wsconsctl would be useful...
- ncheck (== ncheck_ffs): lists what path/filename belongs to an inode,
can be found on Solaris.
- scan_ffs: find UFS/FFS partitions on a disk, if you've accidentally
nuked the disklabel. Fun. :)
- scsi: pretty much what scsictl(8) does
- Looking in /var shows that there are named database and and httpd
config files (and HTML documentation for the apache shipped in the
base system).
- /usr/bin: There are 80 binaries here that aren't present in
NetBSD, some of which include:
- perl and related programs (a2p, cpan, pod2latex, pod2man, perlcc, ...)
I wonder if LaTeX could be included to make use of pod2latex, after
Apache and lynx are there as well...
- apache-related programs like htdigest, htpasswd
- Various aliases for openssl (b64decode, b64encode, otp-md4, ...)
- pctr: intended to display CPU performance counters, same as "pmc" on
NetBSD. On OpenBSD, this gave me a kernel "panic: privileged instruction
fault trap, code 0" when ran as root. In the default install.
I'm not impressed.
Trace is something like pctrioctl <- spec_ioctl <- spec_vnoperate ...
- Random userland code available via pkgsrc in NetBSD: lynx, nawk, nc,
verify_krb5_conf, ...
- /usr/sbin had the following interesting things in OpenBSD that I didn't
know from NetBSD:
- activadm, activinit, cryptoadm, cryptoinit: used to manage ActivCard,
CRYPTOCard and SNK-004 token databases and crypto cards
- bgpctl, bgpd: OpenBGP
- bos, fs, pts: part of AFS
- extattrctl: dumps core when started with "extattrctl start /" (same
for /dev/wd0a instead of /). Seems it's not working much better as
in NetBSD. :>
- hotplugd, httpd: various daemons, see description of config files
above
- memconfig: seems to tune CPU cache parameters; left to the kernel
on NetBSD
- mkhybrid: mkisofs + joliet+HFS. There's no cdrecord in the base
system.
- pkg: replacement-to-be of pkg_* tools (says the manpage). Seems to
be used internally by pkg_* only so far.
- popa3d: POP daemon. Apparently no IMAP daemon in base, but the
POP daemon does SSL. While there, the only MTA seems to be
sendmail, no postfix, qmail, etc.
- procmap: same as pmap(1) on NetBSD
- rdconfig: I'm not sure if this equivalent to mdconfig
- syslogc: seems to read the system messages from some special memory
region, instead of using standard IPC.
- tcpdrop: drops a TCP connection, given local and foreign address
and port. Yow! X-) Security by handing everyone his own gun!
And I thought Canadians were pacifists... SCNR
- After all this boring stuff off to more important things: /usr/games!
OpenBSD has only 46 files here while NetBSD has 50. Removed files include
countmail, dab, dm, larn, rogue and wtf. Files added are:
- bs - battleships
- grdc - grand (curses) digital clock.
- Some other interesting findings:
- /usr/libexec/cvs/contrib, /usr/libdata/cvs/contrib: some scripts
and documentation that come with CVS. Kinda non-obvious to find.
- /usr/lkm's empty - no loadable kernel modules available for use.
- /usr/share/texinfo: This only contains two XML files, a Document
Type Description of the texinfo file format, and a stylesheet.
Did I overlook XML tools in the base installation. (Hey, Solaris has
all manpages in some SGML, so this isn't THAT unrealistic...!)
Things left out
While the above list contains a look at a static installation of
OpenBSD, dynamic behaviour, general system operation in practice and
performance were not covered. Some areas that may be interesting to
look at from a NetBSD point of view include:
- Toolchain changes made that were not fed back to the GCC project
- Operating of the IPsec and IPv6 code
- Details of the "ports" system for handing 3rd party
software. While it originates in FreeBSD just like NetBSD's
pkgsrc, I remember a number of unique changes back from the Open
Packages project, which were identified to be included into that
project then. Pity that never happened.
- Probably many more that I can't think of right now. :)
Conclusion
- After disabling apm, OpenBSD works fine in qemu.
- Looking at the operating system, I see a lot of NetBSD in OpenBSD
(obviously).
- A number of things added are 3rd party packages that are available on
demand somewhere else (apache, perl, sudo, lynx). I think this load of
3rd party packages bundled in the base OS is what Linus Torvalds
meant the other day when he told me his impression that "BSD" had
everything and its mother bundled in the base installation[2].
- Unique things that I see that aren't available elsewhere are
bgpd, the crypto-card tools, hotplugging framework. PF is slowly
getting ported to other systems.
- From the security propagated a lot by OpenBSD, I can see several
pieces of software integraded that are (partly) available as
option from 3rd parties elsewhere, but the whole system doesn't
doesn't suggest an overall "oh wow, it's so secure" feeling to
me. The fact that one has to work as root after installation
doesn't help to this.
- In summary, OpenBSD reminds me of a BSD distribution that comes
with a collection of things arranged, similar to a Linux
distribution. From a maintenance point of view, if would be much
more efficient to work on integrating these changes into an
existing operating system, to feed changes made to existing
software back to the original authors and projects, and to work on
portable interfaces and software instead of taking the effort of
maintaining separate copies with all the overhead of keeping things
in sync (even if only one way) involved. But the reasons behind all
this are unfortunately not of technical nature and motivation.
References
[0] http://www.feyrer.de/vulab/
[1] http://www.OpenBSD.org/
[2] http://mail-index.netbsd.org/netbsd-advocacy/2005/01/08/0003.html
[3] http://fabrice.bellard.free.fr/qemu/
Errata
- It's been pointed out that OpenBSD was really started in 1995, and
that the "8 years..." is really the time since their last network
exploitable bug (silly me to mix that up!)
- I've forgot to mention the existance of osfpd and sensord.
The former implements the Open Shortest Path First routing
protocol, the latter can be used to monitor some devices and
set thresholds (see description of the config file above)
This page has been accessed
14250
times
(c) Copyright 2005 Hubert Feyrer
$Id: openbsd-experiences.html,v 1.5 2005/05/01 19:35:49 feyrer Exp $