Abstract: This article takes a look at an OpenBSD installation and indicates what is not present or different to a NetBSD installation. Changes in NetBSD that are not in OpenBSD are not covered. Areas observed are installation, the boot process and userland installed, including config files, binaries, documentation present and various files present. A number of areas for further comparison are suggested and leads to the conclusion that OpenBSD is more a BSD "distribution" with many packages included in the default installation than the core operating systems provided by other BSD systems like NetBSD.

Motivation

Given my >10 years of experience in NetBSD, I know it quite well, and I have no interest in making a comparison the other way 'round. I'd probably leave out too many interesting things present only in NetBSD, and this text is intended as a "what we can learn from OpenBSD" instead of a dicksize contest.

I welcome everyone to try out NetBSD themselves!

Installation

• The whole installation itself was performed inside qemu[3]
• When booting up the kernel, copyright lines for UCB and OpenBSD are printed, with a copyright of NetBSD missing even more obvious. Seems OpenBSD is shy to admit its ancestry (to say the least)!

  The year they give in the OpenBSD copyright and also listed on the website is 1995, but the same webpage[1] says "Only ... in 8 years". Now assuming we have the year 2005, going 8 years back brings me to 1997, which is what I remember for the OpenBSD split, not 1995. I wonder what that inconsistency is?

• Installation of the base system via FTP reported many errors from mirrors, even from ftp.OpenBSD.org, while extracting sets during installation. Erlangen as well as a local ftp-server (which got the install sets added) seems to be reliable. I guess that this was caused by qemu (which worked fine for installing NetBSD and FreeBSD via FTP so far :/)
• Installation is still script based as in NetBSD 1.3(?). A bit hard to read all the text, but ok. Disk partitioning via "disklabel -I" is ... yuck. How many sectors was a gigabyte again, and how big is a sector, anyways? :) I prefer NetBSD's sysinst a lot here.
• One question I found useful that was asked during installation was if sshd should be started by default.
• One item that confused me was: ``Do you expect to run the X Window System?'', as I didn't install any of the X sets. No further information was available what this was about, or if/how it can be changed later. Asking a friend, I was told this was to enable in-kernel code to prevent connections from/to localhost, for security raisins.
• After installation and on first bootup, things looked quite familiar (except for the light-grey on blue kernel messages :). When the system went into multiuser, it started printing: ``apm0: APM set CPU idle: unknown error code? (83)''. Every second. Which made the console rather unusable.
• I was afraid I'd have to build a new kernel (which would take ages in qemu) to get rid of apm, but having a helping hand nearby, I learned a very nice feature, UCK: Running "config -e -o /bsd.new /bsd" started an editor which allowed me to type "disable apm" and after "quit" get a kernel without apm in /bsd.new. Someone please add this to NetBSD (not that one would need to patch the NetBSD kernel after installation in qemu in the first place, but UCK still nice)
• Another minor thing that's nice to have is console scrollback on by default. While NetBSD needs some kernel and userland frobbing to enable this, having shift+page up/down work by default in OpenBSD (just as in Linux) is nice to have. Someone in NetBSD please pick this up! :)

The System

• During bootup, ssh host keys and some keys for the "isakmpd" daemon were created. Looking at /etc/rc.conf, there are a number of services not (or not any longer) present in NetBSD:
  • bgpd is a very OpenBSD-specific (and probably utterly non-portable, due to it's kernel interfacing) Border Gateway Protocol (BGP) daemon implementation.
  • hotplugd monitors device attach/detach events reported via the hotplug(4) pseudo-device, doing what was discussed some time ago on some NetBSD lists too. Currently seems to handle disks, network interfaces, tape devices and serial line interfaces. Recognition on special disk devices was done using disklabel information, e.g. to mount a Sony DSC camera on /mnt/camera.
  • httpd - ISTR there's an Apache in base.
  • ftp and identd have options of run stand-alone instead of via inetd
  • afs: AFS client and servers are in OpenBSD's base as well. I couldn't find traces of their ancestry in the manpages, may be OpenAFS or ARLA.
  • shlib_dirs: extra directories for ldconfig. Seems no ld.so.conf is used/available on OpenBSD. I couldn't find the facility to load optimized shared libs present in NetBSD's ld.so.conf.
  • The facility to overrides to system defaults is solved differently on OpenBSD than on NetBSD: there's only a /etc/rc.conf, which checks for /etc/rc.conf.local at the end. I guess the right way would be not to add /etc/rc.conf but create rc.conf.local instead. This isn't mentioned explicitly at the start of /etc/rc.conf, and when one's at the bottom of rc.conf after editing things, this may be a bit of a disappointment. ;)

• A look at /etc looks quite familiar, a few differences notable are:
  • afs: config files for the AFS client/server, and a README with a pointer to the ARLA homepage
  • authpf: empty dir, probably for the facility which allows altering PF rules after a user has logged in via ssh, according to authpf(8). I admit I haven't follow the whole PF integration into NetBSD enough to tell if this is now in NetBSD too or not. Not that I'll need it...
  • fbtab: used by login() to determine which devices should be chown'd to the new user; known as ttyaction on NetBSD.
  • inetd.conf: interesting to see ident, daytime and time on by default for IPv4 and V6, and comsat being also on, but bound only to 127.0.0.1 and ::1. I wonder what fun one could have with an account on such a machine. 8-)
  • ksh.kshrc: lots of funny shell functions, e.g. for aliases, prompt and $PATH manipulation and doing a few terminal specific settings shipped here.
  • locate.rc: path to locate database, where to search, what to exclude, what filesystem types to scan.
  • login.conf: contains methods for default and ftp login (i.e. what PAM does in NetBSD now) and a few examples for daemons, "staff"
  • lynx.cfg: Uhu, we apparently have lynx in base.
  • passwd: 21 "system" accounts (_x11, _dhcp, ...), all sharing /var/empty as homedir and /sbin/nologin as shell. There's still a root account. :)
  • portal.conf: example for mount_portal - NetBSD has about the same thing in the mount_portal(8) manpage.
  • rc.local: runs /usr/local/sbin/cfsd when present (and mountd runs).
  • sensorsd.conf: contains some thresholds upon which sendord will send warnings, like high CPU temperature, low CPU fan RPM, etc. Mostly what powerd(8) does in NetBSD.
  • sudoers: OpenBSD comes with sudo in addition to su.
  • sysctl.conf: many (commented out) examples for setting funny things like enabling userland to use /dev/crypto, when APM warns/halts for battery level, switching on/off various emulations (a.out, bsd/os, Linux, ...).
  • systrace: contains file for named and lpd, for restricting these. (I have no idea how/if they are used)
  • ttys: contains all lines where logins can happen. 27 lines for serial and virtual consoles, and 1018 lines for network logins.

• /bin: Interesting things that I found that are not in NetBSD: none :)

• /sbin: Interesting things that I found that are not in NetBSD:
  • mount_xfs: This doesn't have anything to do with the SGI journaling filesystem (judging by the manpage), but something with AFS. (I'm AFS-clueless, can't comment)
  • kbd: lists and sets available keymaps. Adding the listing to wsconsctl would be useful...
  • ncheck (== ncheck_ffs): lists what path/filename belongs to an inode, can be found on Solaris.
  • scan_ffs: find UFS/FFS partitions on a disk, if you've accidentally nuked the disklabel. Fun. :)
  • scsi: pretty much what scsictl(8) does

• Looking in /var shows that there are named database and and httpd config files (and HTML documentation for the apache shipped in the base system).

• /usr/bin: There are 80 binaries here that aren't present in NetBSD, some of which include:
  • perl and related programs (a2p, cpan, pod2latex, pod2man, perlcc, ...) I wonder if LaTeX could be included to make use of pod2latex, after Apache and lynx are there as well...
  • apache-related programs like htdigest, htpasswd
  • Various aliases for openssl (b64decode, b64encode, otp-md4, ...)
  • pctr: intended to display CPU performance counters, same as "pmc" on NetBSD. On OpenBSD, this gave me a kernel "panic: privileged instruction fault trap, code 0" when ran as root. In the default install. I'm not impressed. Trace is something like pctrioctl <- spec_ioctl <- spec_vnoperate ...
  • Random userland code available via pkgsrc in NetBSD: lynx, nawk, nc, verify_krb5_conf, ...

• /usr/sbin had the following interesting things in OpenBSD that I didn't know from NetBSD:
  • activadm, activinit, cryptoadm, cryptoinit: used to manage ActivCard, CRYPTOCard and SNK-004 token databases and crypto cards
  • bgpctl, bgpd: OpenBGP
  • bos, fs, pts: part of AFS
  • extattrctl: dumps core when started with "extattrctl start /" (same for /dev/wd0a instead of /). Seems it's not working much better as in NetBSD. :>
  • hotplugd, httpd: various daemons, see description of config files above
  • memconfig: seems to tune CPU cache parameters; left to the kernel on NetBSD
  • mkhybrid: mkisofs + joliet+HFS. There's no cdrecord in the base system.
  • pkg: replacement-to-be of pkg_* tools (says the manpage). Seems to be used internally by pkg_* only so far.
  • popa3d: POP daemon. Apparently no IMAP daemon in base, but the POP daemon does SSL. While there, the only MTA seems to be sendmail, no postfix, qmail, etc.
  • procmap: same as pmap(1) on NetBSD
  • rdconfig: I'm not sure if this equivalent to mdconfig
  • syslogc: seems to read the system messages from some special memory region, instead of using standard IPC.
  • tcpdrop: drops a TCP connection, given local and foreign address and port. Yow! X-) Security by handing everyone his own gun! And I thought Canadians were pacifists... SCNR

• After all this boring stuff off to more important things: /usr/games! OpenBSD has only 46 files here while NetBSD has 50. Removed files include countmail, dab, dm, larn, rogue and wtf. Files added are:
  • bs - battleships
  • grdc - grand (curses) digital clock.

• Some other interesting findings:
  • /usr/libexec/cvs/contrib, /usr/libdata/cvs/contrib: some scripts and documentation that come with CVS. Kinda non-obvious to find.
  • /usr/lkm's empty - no loadable kernel modules available for use.
  • /usr/share/texinfo: This only contains two XML files, a Document Type Description of the texinfo file format, and a stylesheet. Did I overlook XML tools in the base installation. (Hey, Solaris has all manpages in some SGML, so this isn't THAT unrealistic...!)

Things left out

• Toolchain changes made that were not fed back to the GCC project
• Operating of the IPsec and IPv6 code
• Details of the "ports" system for handing 3rd party software. While it originates in FreeBSD just like NetBSD's pkgsrc, I remember a number of unique changes back from the Open Packages project, which were identified to be included into that project then. Pity that never happened.
• Probably many more that I can't think of right now. :)

Conclusion

• After disabling apm, OpenBSD works fine in qemu.
• Looking at the operating system, I see a lot of NetBSD in OpenBSD (obviously).
• A number of things added are 3rd party packages that are available on demand somewhere else (apache, perl, sudo, lynx). I think this load of 3rd party packages bundled in the base OS is what Linus Torvalds meant the other day when he told me his impression that "BSD" had everything and its mother bundled in the base installation[2].
• Unique things that I see that aren't available elsewhere are bgpd, the crypto-card tools, hotplugging framework. PF is slowly getting ported to other systems.
• From the security propagated a lot by OpenBSD, I can see several pieces of software integraded that are (partly) available as option from 3rd parties elsewhere, but the whole system doesn't doesn't suggest an overall "oh wow, it's so secure" feeling to me. The fact that one has to work as root after installation doesn't help to this.
• In summary, OpenBSD reminds me of a BSD distribution that comes with a collection of things arranged, similar to a Linux distribution. From a maintenance point of view, if would be much more efficient to work on integrating these changes into an existing operating system, to feed changes made to existing software back to the original authors and projects, and to work on portable interfaces and software instead of taking the effort of maintaining separate copies with all the overhead of keeping things in sync (even if only one way) involved. But the reasons behind all this are unfortunately not of technical nature and motivation.

References

Errata

• It's been pointed out that OpenBSD was really started in 1995, and that the "8 years..." is really the time since their last network exploitable bug (silly me to mix that up!)
• I've forgot to mention the existance of osfpd and sensord. The former implements the Open Shortest Path First routing protocol, the latter can be used to monitor some devices and set thresholds (see description of the config file above)