The OpenBSD 5.3 Release (openbsd.org)
96 points by conductor on May 1, 2013 | 63 comments



I don't care much about advanced security or networking features but I use OpenBSD because of its simplicity and the quality of its documentation.


This. Simply the best written man pages, and the easiest to understand boot process of any currently developed unix variant.


OpenBSD's documentation needs some work once you get into less well-traveled aspects of pf and routing. For instance, getting reliable external interface load balancing to work is maddening. (The example at the bottom of http://www.openbsd.org/faq/pf/pools.html does not work and is not the best approach.)

Other than a few esoteric situations like that one though, I agree: OpenBSD's documentation is pretty darn good.

I like them primarily because they're sitting in a corner quietly doing their own thing, and their own thing happens to be a very stable & very reliable network service operating system with an emphasis on security and performance. It's a refreshing change from the ADHD present in the development communities of other operating systems.


This.

OpenBSD's clean and simple design makes it a breeze to maintain. Its documentation always tells you the whole truth and for most tasks, it's so intuitive that you almost always already know where to do your stuff.


>I don't care much about advanced security

Funny, I care very much about security and both OpenBSD and FreeBSD are primarily on my radar for that reason. Nice to know I get the simplicity too.


Then I'm not sure if it will remain simple for you :) But you should have plenty of tools to get the job done. I can't comment much on the security features, except maybe for the firewall. PF is much simpler to understand than iptables. Rule definitions read almost like English. If you understand TCP/IP it's pretty easy to come up with a simple config. No need for a frontend à la UFW.

In my case I use it on a personal computer and as long as I've got X.org and network connectivity I'm happy. By default OpenBSD doesn't have much software installed. In terms of user software, you get ksh, vi (not Vim), optionally X.org with FVWM and I guess that's pretty much it. Then you just add what you need. Oh you also get Tmux, which originates from the OpenBSD project.


Thanks, just need the server version for now. Linux + IPTables + chroot can be a bit of a tangle I can't always get to work.

Wasn't sure until recently if I could use OpenJDK with the framework I'm using, but it seems to be compatible, so am starting to look at Free/OpenBSD + OpenJDK for it.

Tmux, ssh, and vim are good enough for the server side IDE, so as long as vim is in the repos, should be gtg. :)


So... Do you have a link to nice documentation of hardware support?

(Not snarky; an honest question to verify my older "machine park" for an install to play around, which I've wanted to do for a while.)


The man pages and FAQ are a good place to start for documentation. It's rather nice having everything in one place, rather than scattered around forum posts, mailing lists, HOWTOs, etc, some of which might or might not be outdated.

Unless you have some really weird hardware, I'd be surprised if OpenBSD didn't support it. The best way to check is to boot an iso and look at the output of dmesg, however.


The laptop department sounds a little limited currently: http://marc.info/?l=openbsd-misc&m=136255349221059&w...



OpenBSD has been the model for opensource software release engineering. Their presentations on managing their releases are always worth a look. In 2013 regular quality releases are quite common, but OpenBSD has been releasing on schedule from the time of Debian's four year release cycle.


The best thing is that they don't jump version numbers for PR reasons.


I'd really love to give OpenBSD a try outside of VM testing. Does it have something like FreeBSD's NanoBSD (http://www.freebsd.org/doc/en_US.ISO8859-1/articles/nanobsd/...) yet? The seamless update-image-and-switch is a killer feature for my embedded use.


The OpenBSD equivalent to NanoBSD is flashrd:

http://www.nmedia.net/flashrd/

It's not officially supported, however, and only recommended for systems that are likely to suffer power outages and for which running fsck would be problematic. I've used it a little on embedded systems and so far it's worked fine.


Even after reading that, I still don't understand what "nanobsd" is supposed to be for. All of the big 3 BSDs have used crunchgen plus kernels with embedded filesystems to create small, single file systems for over a decade. That's how the installation images are made.


This is particularly exciting news: OpenSMTPD 5.3: code is now considered stable and suitable for use in production.


I'm very excited about that. I recently switched to FreeBSD for my samba server (because of ZFS), but I still use OpenBSD for everything else. I've long (delayed, delayed, etc.) been going to replace the mail server and I might move from Postfix to OpenSMTPD. I will have to do some tests.


I'm interested to know if it will implement Milter or what the workalike will look like.


Right on time, as usual. Ordering CD sets to support the project.


The ISO images are already available on some of the mirrors, for example: http://ftp.openbsd.dk/pub/OpenBSD/5.3/


Back when I looked at OpenBSD a decade ago, I liked the OS but upgrading from one version to the next seemed to be problematic. Anybody had any experiences (good or bad) with upgrading modern OpenBSD?


Upgrading OpenBSD is as transparent as it gets. Put a new kernel in place, extract the install sets, run sysmerge to update /etc and X configuration and you're done.

The FAQ has a very cautious explanation of the whole process, pointing out every imaginable pitfall. Once you've done it, it's a five minute job on most standard installations.


There is a useful and detailed upgrade guide here:

http://openbsd.org/faq/upgrade53.html

The official recommendation is to boot the installation kernel and upgrade that way, but I've never had a problem doing a remote upgrade. It's always been entirely painless.

One could argue that it's not quite as simple as "apt-get dist-upgrade" but I like it better - the upgrade process is more explicit about not touching your config files. And since it's a BSD, the base system isn't packaged, so I'm not entirely sure how it would work (although FreeBSD does have freebsd-update now, so it's possible).


Thanks for the details. On Linux the upgrade process can be problematic depending on which distro you're using and how wrenching the upgrades are to the various packages you're relying on, but I must admit I've been spoiled by Debian's apt-get dist-upgrade. Good to hear that with a little experience, OpenBSD's upgrade can be similarly stable.


OpenBSD's way for system upgrades is so easy: unzip tarballs, run /etc diff, reboot. It's always astonishing how simple and carefree it is to upgrade to the next major.

Contrary to that, most companies would never upgrade a linux system. My feeling is, the most used "upgrade" plan for debian is to not upgrade as long as possible and then do a full reinstall with a new version.


You have to be kidding. OpenBSD has the easiest upgrade ever.


Copy kernel, untar install sets, reboot.


"All softraid(4) boot(8) support is now enabled by default, including support for booting from crypto volumes." Awesome.

I also use OpenBSD for embedded work, in fact I think everybody is using it for embedded systems. You can strip the kernel down to a tiny install, run securelevel 2 and chflags to prevent any tampering from console.


Interesting that they are staying at KDE3. I wonder what are their plans with it.


It has been more a lack of time and interest than anything else. KDE4 was added just past this release, and will be in 5.4 (unless another meteorite hits the wrong part of Russia).


Wasn't there some problem with KDE4 highly tied to dtrace and other kernel space mappings that OpenBSD does not have?


I've been out of the "paying attention to unix stuff" world for a long time now, but back in the 2.8-3.8 times I followed openbsd related news very closely. It seemed in that time period that openbsd usage was growing rather quickly, and lots of people were talking about it. Having just come back now, it seems as though all that growth has vanished. The mailing lists are very quiet, undeadly is practically dead, nobody is talking about openbsd anymore at all. Is it just that people ran out of things to say, or did everyone leave for one reason or another?


I think it's more that OpenBSD has always been aimed at "infrastructure" tasks - it chugs away as a router or firewall with aplomb. The core is very mature, thus most development is on refinements, not entirely new features.

It might be better to follow the papers/presentations given here that detail what work is being done:

http://www.openbsd.org/papers/

Additionally, undeadly seems to be, well... more dead than usual. I wonder if this is just based on waning interest from the website maintainer rather than OpenBSD slowing down.


I'm a bit curious as to who uses *BSDs these days. At one point I knew of at least a few with copies of FreeBSD, but these days most of my acquaintances, social & professional, use OSX or some Linux flavor. As far as servers go, I haven't seen one in the wild in quite some time.

This is of course highly anecdotal, but even on the distrowatch page hit rankings FreeBSD ranks below distros I've never even heard of (Zorin, SolusOS) at #19. OpenBSD is down in the 70's. On a complete tangent, I was also surprised to find Mandriva well in the 40's. [1]

What is the community & ecosystem like these days?

[1] http://distrowatch.com/


The Apache Software Foundation (you might have heard of them ;) runs their servers on FreeBSD.

NetFlix runs some (all?) of their servers on FreeBSD.

Google uses FreeBSD for their network search appliance (for corporate intranets or whatever). They also just announced their funding of the Capsicum security framework project for FreeBSD (and later, a port to Linux).

The Weather Channel uses FreeBSD to power their network appliances that render the forecasts for local cable networks.

NetApp and Juniper Networks use FreeBSD for their networking gear.

There are more examples here if you want to read them:

http://www.freebsdfoundation.org/testimonials

The FreeBSD Foundation also has a list of donors:

http://www.freebsdfoundation.org/donate/sponsors

The FreeBSD forums are reasonably active and very friendly, you should check them out if you want to learn more (or have more questions about *BSDs in general):

http://forums.freebsd.org/

---

EDIT: I forgot one; VeriSign apparently uses FreeBSD enough that they just started their own BSD-related conference:

http://lists.freebsd.org/pipermail/freebsd-questions/2013-Ap...


Also, Netflix and Yahoo are pretty big users. I used to use BSD on my personal machines just because I prefer their approach to things and the documentation. I now use Linux just because my day job practically requires it.

edit: And regarding GP's surprise about Mandriva - Mageia is a community fork and is #2 - the Mandrake users I knew all switched to Mageia.


Yahoo has been moving away from FreeBSD for a long time. In 2011 they said that 75% of their servers run on Linux, the rest on FreeBSD.

http://www.zdnet.com/blog/open-source/yahoo-the-linux-compan...


At least all the Netflix web servers run on Linux.

http://www.linuxfoundation.org/news-media/blogs/browse/2013/...

However their Open Connect network runs on FreeBSD.

https://signup.netflix.com/openconnect


To add to that list, there's also pfsense: http://www.pfsense.org/ a FreeBSD based distribution for building routers which uses the pf firewall, originally from OpenBSD. I know a number of small companies, my own included, which use it and there's even a book written about it!

I'd hazard a guess that there are similar projects based on BSD floating around for various other uses too.


Oh yeah, I remembered another one:

HN runs on FreeBSD! (At least, the old server was FreeBSD. I don't know what the new server is running).


Linux popularity with IaaS and PaaS providers has a lot to do with it.

Support for the BSD crowd at AWS pretty much is non-existent (they are working on it and making progress, though, with FreeBSD). Rackspace has some support, but only for FreeBSD and with some limitations.

Most of the PaaS players use Linux under the hood because they rely on AWS under the hood.

I'd love to hear about IaaS or PaaS players who use BSD, though.


Distrowatch only counts distros that Distrowatch users click on, rather than actual popularity.

I wouldn't go on there and click Ubuntu or FreeBSD, because I know what they are and have no real need to view their Distrowatch pages. But my curiosity might lead me to click on Zorin or SolusOS because, like you, I've never heard of them.


I run freebsd or OSX, basically for the aesthetic. FreeBSD is the least annoying of the OS's I have run (never tried OpenBSD), and most of the stuff I want compiles on it, though not as well as Linux stacks.


I run FreeBSD on my data center servers. Works pretty well. I think with some adaptation I could run Ubuntu Server equally well.


I'm not sure what you mean by "these days". Most people used linux back then too. People who use BSDs are generally people who care about quality and simplicity, and who don't like having to learn a new replacement for a core component every few weeks.


Not sure if this is the reason but I think OS development was just much more exciting back then and more people were into it. Now people focus a lot more on the web. Some people left OpenBSD and forked it to make Bitrig, not sure how much that affected their development speed.


Yeah, I wasn't sure how much of that is my perception vs actual reality. I don't find unix fascinating and interesting any more, so I have a hard time judging whether that is skewing my perception of how much discussion and interest there seems to be from other people.

On the other hand, openbsd has no xen support and ec2 and other xen based providers are hugely popular now. I wonder how much that has affected things. I ran everything on openbsd back then, and now that I am getting back to doing some sysadmining, it appears openbsd isn't even an option for a lot of people.


5.3 gives support for the virt- paravirtualized interfaces provided by KVM and others:

http://www.openbsd.org/cgi-bin/man.cgi?query=virtio&sekt...

In earlier releases it supported the T-series Sparc64 logical CPU partitioning.


Neither of those things address the issue. A huge portion of the "people who will be installing a unix system" market are using EC2 instead of hardware. That cuts the potential userbase for openbsd down significantly.


OpenBSD fares no worse than Windows under Xen - both work just fine under HVM.


Can you install whatever OS you want on EC2 windows instances?


Yes, but you still end up paying the additional costs for the Windows licenses (even if you're not using them).

Colin Percival (cperciva here on HN) maintains up-to-date FreeBSD AMIs for EC2, based on the Windows instances:

http://www.daemonology.net/freebsd-on-ec2/


Now I am confused. I started looking into this, and Amazon claims they are not using HVM for windows instances, they are using a PVM driver. So in that case, running "windows" instances wouldn't help. But then, why are those freebsd amis intended for "windows" instances?

Edit: never mind, the PVM drivers they were talking about are just to speed up IO, windows instances do have to be HVM.


The perception of OpenBSD's usage was always low. OpenBSD was always about network infrastructure and simple, super solid servers. It's never something you write blog posts about because of fancy bleeding edge setups. The chance is high that your packets travel through several OpenBSD boxes while surfing the web. Also virtualization was never a topic for OpenBSD[0] - it is not a use case for such a system.

[0] http://kerneltrap.org/OpenBSD/Virtualization_Security

"x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes." -- Theo de Raadt


It seems like you didn't read my post. The perception of openbsd usage was not low, that's the point. OpenBSD was virtually unheard of when it forked from netbsd, but in the days of the ipf -> pf replacement, openbgpd being developed, etc there were tons of blog posts, mailing list traffic, etc about openbsd.

Your link about virtualization is about people absurdly thinking that virtualization buys them security. He said nothing about virtualization being "not a use case for openbsd". You do know openbsd has explicitly added drivers to support running under virtualization right?


A lot of open source OSes caught up in the security field, making the choice of OpenBSD less interesting because it supports less hardware.


I never used openbsd because it is secure, I used it because it is the least horrible OS I've tried. Poorly supporting more hardware is not very important to me, supporting the major hardware well is far more valuable.


OpenBSD hardware is in the state where Linux was ten years ago - you buy/build a machine that contains the hardware that OpenBSD supports well.


OpenBSD will run on almost everything, just the kernel does not contain binary blobs in order to support absolutely everything. You can if you want download non-free firmware and install it yourself painlessly if the installer doesn't automagically find your drivers. I have yet to find a machine where I've had to do this though, since I usually buy no-name Taiwanese hardware which is always supported by *BSD because the manufacturers give out hardware documentation to them.


>OpenBSD will run on almost everything, just the kernel does not contain binary blobs in order to support absolutely everything.

Not running with 3D acceleration with nVidia video hardware is a big stopping point. Yes, it's not their fault, but that's not running on "almost everything".


That is still the state linux is in. The difference is with openbsd, 99% of hardware is supported, and the 1% has no driver. In linux, 99% of hardware is supported, and the 1% has a buggy broken driver that will crash your kernel. Buying dodgy hardware is a bad idea regardless of your OS.


I used OpenBSD a lot ten years ago but I don't anymore. Two things have changed: OpenGL and filesystems. I use Linux on GUI machines because it has good GPU support. I use FreeBSD on servers because it has ZFS.



