Once I got it up and running, it seemed very old-school Unix. No bash
or tcsh, no emacs, nothing like that. I downloaded and compiled all
that, and it all works great. Maybe it's because of the old-school
Unix feeling, but this thing feels like more of a real OS than Linux
does.
I want to use OpenBSD on the production system because I understand
that it's the most secure OS out there.
Now that I have it on my test system, I have to figure out how to
install it on my production system. It should be simple, except for
two questions:
First, I don't want any swap on the production system. How do I tell
it not to use any swap? Yes, this is a peculiar thing to do, but I
have my own very solid reasons for not wanting swap. It has 512mb of
RAM, and if it ever starts running out, I'll buy more.
Second, the production system is going to use an ICP Vortex RAID
controller. Should I get the GDT-RS series or the RD series? I can't
see what the difference between them is. I'm only going to use RAID
level 1 (mirroring).
Once I get the ICP controller, I know that I need to recompile the
OpenBSD kernel with the drivers for the card. I can probably figure
out how to do this, but how do I then do an installation based on the
new kernel? All the disks in the system are going to be on the ICP
controller, so it has to install on that (I won't be able to have / on
some other non-RAID disk, and the installation boot disk will have to
be able to write to the ICP disks). Will this be hard to do? Any
tips will be appreciated.
Thanks,
e
--
This message was my two cents worth. Please deposit two cents into my
e-gold account by following this link:
http://rootworks.com/twocentsworth.cgi?102861
275A B627 1826 D627 ED35 B8DF 7DDE 4428 0F5C 4454
You're wrong. OpenBSD's VM doesn't like not having swap, and I've
personally suffered through various problems because of it (I didn't
have swap by accident). You'll want to throw a decent amount of disk
at swap compared to how much RAM you have, or you'll see your machine
suddenly stop responding for "no good reason." The kernel keeps working
but all the processes deadlock on having no available RAM.
> Second, the production system is going to use an ICP Vortex RAID
> controller. Should I get the GDT-RS series or the RD series? I can't
> see what the difference between them is. I'm only going to use RAID
> level 1 (mirroring).
gdt* at pci? dev ? function ? # ICP Vortex GDT RAID controllers
scsibus* at gdt?
> Once I get the ICP controller, I know that I need to recompile the
> OpenBSD kernel with the drivers for the card. I can probably figure
Nope. The GENERIC kernel configuration (which is what OpenBSD installs
by default) has almost every supported piece of hardware compiled in.
The only ones that aren't are weird peripherals that either aren't fully
supported (or are experimental) or a few old ISA cards that can break
the system during probe.
OpenBSD: Turn it on and it just works(tm).
--
David Terrell | "Please note that calling an attacker
d...@meat.net | 'lame' is not an approved security method."
http://wwn.nebcorp.com/ | - Benjy Feen
You want swap space. If you do start paging, not having swap will
cause a deadlock. Just put some swap on it.
> Second, the production system is going to use an ICP Vortex RAID
> controller. Should I get the GDT-RS series or the RD series? I can't
> see what the difference between them is. I'm only going to use RAID
> level 1 (mirroring).
The software interface to these devices is identical. The driver doesn't
care which it is.
>
> Once I get the ICP controller, I know that I need to recompile the
> OpenBSD kernel with the drivers for the card. I can probably figure
> out how to do this, but how do I then do an installation based on the
> new kernel?
Nope, you don't need to do that. The icp support is in the standard
kernel.
> All the disks in the system are going to be on the ICP
> controller, so it has to install on that (I won't be able to have / on
> some other non-RAID disk, and the installation boot disk will have to
> be able to write to the ICP disks). Will this be hard to do? Any
> tips will be appreciated.
You can ask niklas@ if you run into problems, but I suspect it'll be just
like installing on regular disks.
> Once I got it up and running, it seemed very old-school Unix. No bash
it's true. this is one of the reasons i and many of the other people here
use it. we're big fans of the bsd hacker feel. there's a certain fit to
an old-fashioned bsd unix that other unices, for all their good points,
don't have.
> or tcsh, no emacs, nothing like that. I downloaded and compiled all
> that, and it all works great. Maybe it's because of the old-school Unix
ooh... use ports and packages. http://www.OpenBSD.org/ports.html
> I want to use OpenBSD on the production system because I understand
> that it's the most secure OS out there.
this is a difficult assertion to support. the question is most secure
under what circumstances? it's generally accepted as being the most
secure general-purpose unix system *out of the box*. on the other hand,
as an end user, you can smuck all that up by installing insecure software.
additionally, there are specialized systems with radically different
architectures and trust models that may or may not be more secure, but
they're not as well supported, software wise, as a generic unix system.
--
"Necessity is the mother of lean code."
http://www.zweknu.org/ for PGP key and more.
> First, I don't want any swap on the production system. How do I tell
> it not to use any swap? Yes, this is a peculiar thing to do, but I
> have my own very solid reasons for not wanting swap. It has 512mb of
> RAM, and if it ever starts running out, I'll buy more.
If one of your reasons for not wanting swap is a concern of writing
confidential data to the disk, have a look at the UVM_SWAP_ENCRYPT option
in options(4), vm.swapencrypt in sysctl(8), VM_SWAPENCRYPT in
sysctl(3) and vm.swapencrypt.enable in /etc/sysctl.conf
Andreas
--
Andreas Gunnarsson <and...@crt.se>
Carlstedt Research & Technology
Phone: +46 31 7014268
Mobile: +46 70 4262889
Fax: +46 31 101987
For what I'm doing, I can't have anything swapping to physical disk.
The box will have 512mb of ram. Should I allocate some of that as ram
disk, and put swap on that, or should I throw more memory on it, and
go without swap? Those seem to be the only two options. I know that
you can run OpenBSD on a machine with much less that 512mb total of
swap and RAM. The machine I just installed it on has only 64mb of RAM
and 100mb of swap, so if it can run in 164mb of total memory, 512mb
should be plenty, right?
I know this is a peculiar thing to do, but it's part of the
requirements for this machine.
> Nope. The GENERIC kernel configuration (which is what OpenBSD installs
> by default) has almost every supported piece of hardware compiled in.
> The only ones that aren't are weird peripherals that either aren't fully
> supported (or are experimental) or a few old ISA cards that can break
> the system during probe.
Cool. I'll test that as soon as I get the system in.
e
As Andreas pointed below, if you have a security concerns, you can ask
OpenBSD (>= 2.7) to encrypt its swap space whenever it begins to swap
(which obviously wouldn't happen soon : I've 128M, and I don't see it
often swap).
If you don't want to create a swap partition, you have the opportunity
to swap to a file : see swapctl(8).
Moreover, if you're concerned about your data's confidentiality, just
wait some more. Niels Provos is working on importing tcfs :-)
T.
On 18-Jun-2000 Andreas Gunnarsson wrote:
> On Sat, 17 Jun 2000, Erich wrote:
>
>> First, I don't want any swap on the production system. How do I
>> tell it not to use any swap? Yes, this is a peculiar thing to do,
>> but I have my own very solid reasons for not wanting swap. It has
>> 512mb of RAM, and if it ever starts running out, I'll buy more.
>
Trevor Schroeder wrote:
> it's true. this is one of the reasons i and many of the other people here
> use it. we're big fans of the bsd hacker feel. there's a certain fit to
> an old-fashioned bsd unix that other unices, for all their good points,
> don't have.
While admittedly openbsd is my favorite operating system, I don't know
about other's but has anyone noticed that other "old school" unixes like
solaris also have a more polished feel then linux. Every thing seems to
have more thought put into it.
While not trying to turn this into a bash linux rant I feel as a
unix-like os its sub par and feels like a toy. There seems to be this
preoccupation with emulating windows (gnome, kde, etc.) if they like
windows so much why don't they just use it rather then poorly copy its
design (which is a poorly copied version of something else; a fact they
like to point out so often, ironic isn't it ? ) As rebuttal someone
might counter that there just copying the components of other operating
systems that are worthwhile, however they copied some pretty irritating
things like window management from windows (I am of course speaking of
kde and gnome) I don't know about you but I find window management in
windows to be completely counter intuitive, its a gaudy interface that
leads to screen clutter . On a side note I believe microsoft vastly
underestimated the number of windows that people would open at any given
time.
On a totally unrelated note there was a rather inflammatory paper
written by robert pike (utah 2000) that struck a cord with a lot of
people I however thought there was some merit to his arguments there is
not a lot of systems research being done on nixes.
There are a few projects here and there but not much real substance. I
for one would like to see some alternative to X there haven't been any
in a really long time (network effect) even considering serious
limitations in its design.
This being said apple is doing some pretty interesting things with MacOS
x its too bad that the hardware is proprietary and there focusing on the
desktop space, it would make a really nice hybrid workstation os.
> > I want to use OpenBSD on the production system because I understand
> > that it's the most secure OS out there.
>
> this is a difficult assertion to support. the question is most secure
> under what circumstances? it's generally accepted as being the most
> secure general-purpose unix system *out of the box*. on the other hand,
> as an end user, you can smuck all that up by installing insecure software.
> additionally, there are specialized systems with radically different
> architectures and trust models that may or may not be more secure, but
> they're not as well supported, software wise, as a generic unix system.
Security is a component of reliability and a by product of quality ,
OpenBSD is secure as the site likes to point out because emphasis is
placed on bug hunting and good software engineering techniques. OpenBSD
is probably the highest quality software available for platforms like
ia32, it has cousins in operating systems like OS/390 (how often do you
here of buffer overflows in mainframes), Open VMS (a kludge design but
reliable) where reliability is *really*, *really* important and the
careful attention to software engineering and bug hunting is there. That
being said its always possible for users to break the security of any
operating system not matter how secure it is by doing something careless
or stupid.
Anyway,
I should be getting something accomplished,
Jonathan
Well, you're blatantly uninformed, but since you're a newbie, that's ok. :)
OpenBSD is rather `new school'. The idea is to boot up a running system
off the ground first, then you add packages that you want.
You don't need to compile bash, tcsh, nor emacs. Just grab the corresponding
packages off the packages directory, pkg_add them, and voila.
If you really insist on using source, go grab the ports tree, it has all
sorts of fairly useful tweaks to default compiles, and you'll be much better
off starting off it than compiling plain old source...
--
Marc Espie
|anime, sf, juggling, unicycle, acrobatics, comics...
|AmigaOS, OpenBSD, C++, perl, Icon, PostScript...
| `real programmers don't die, they just get out of beta'
Almost got me. I'm sure you can try harder next time :-)
> While admittedly openbsd is my favorite operating system, I don't know
> about other's but has anyone noticed that other "old school" unixes like
> solaris also have a more polished feel then linux. Every thing seems to
> have more thought put into it.
>
> While not trying to turn this into a bash linux rant I feel as a
> unix-like os its sub par and feels like a toy. There seems to be this
I've noticed a similar contrast in the "feel" of the OS. However, I
think this is almost completely a UI issue, and probably doesn't go
much deeper than that. From what I can tell, it is more a matter of
consistent style being used in all the applications - man pages, usage
instructions, etc. If you have all of those (across all the apps
installed by default) looking very similar you get a "tighter" feel to
the OS. And if you install 2000 applications (2/3 of the number
included with Debian Linux) you're pretty much guaranteed to have a
bunch that don't fit.
This doesn't seem to have anything to do with the quality of the code.
OpenBSD feels much "tighter" than Linux, but then again the console on
my Linux boxen never gets fucked up, while terminal emulation on my
OpenBSD boxen dies regularly and suffers from numerous bugs. (This is
not to imply that OpenBSD has lots of bad code. I just happen to see
bugs in this one subsystem.)
> preoccupation with emulating windows (gnome, kde, etc.) if they like
> windows so much why don't they just use it rather then poorly copy its
> design (which is a poorly copied version of something else; a fact they
> like to point out so often, ironic isn't it ? ) As rebuttal someone
I hate that tendency, too. I use Enlightenment and GNOME apps,
without the GNOME panel. Problem solved. Of course, from what I can
tell Enlightenment is a _really_ poorly designed piece of software -
but it works quite well... (Has anyone tried Sawfish? It seems to
have the same flexibility) Besides, the most important thing to have
in X is a good xterm or equivalent (Eterm does it for me). Thank GOD
nobody has bothered cloning the M$ "command prompt" thingy.
Software can be well coded and have a really lousy interface (anyone
use dd(1) lately?) And it can have a great UI and be poorly written
(Enlightenment). Quality of the user experience does not necessarily
equate to quality of the code. Personally I just haven't run into
very many kick ass programmers who are also kick as UI designers.
And, as always, documentation takes a back seat to
functionality/getting things working.
Erik
-Bob
That's old school. Marc, you've forgotten about real SunOS or BSD on a vax.
Security is the concern. There's no way I can let an application
write unencrypted data to disk. It will be OpenBSD 2.7, and as
Andreas pointed out, all I have to do is uncomment
#vm.swapencrypt=1 # 1=Encrypt pages that go to swap
in /etc/sysctl.conf and reboot, and then the swap is encrypted, right?
Makes me wonder why it's commented out by default.
> Moreover, if you're concerned about your data's confidentiality,
> just wait some more. Niels Provos is working on importing tcfs :-)
I will certainly use that when it's available, so that I can
distribute the virtual disk encryption keys to multiple people, but
for now, I can just use the loopback encrypted filesystem, right? Any
tips on setting that up?
This is the most amazingly helpful list. I also really like the
nuclear-armed puffer fish.
e
Sorry for offtopic..
Erik Debill <ede...@mail.pcorder.com> said :
> Software can be well coded and have a really lousy interface (anyone
> use dd(1) lately?)
Hey, stop bashing dd, it has great UI that reminds me old IBM mainframe
days!
> And it can have a great UI and be poorly written
> (Enlightenment).
E? Great UI? It breaks my eyes. It is bad taste, after all.
All that bitmaps-gradients-transparency colorful crap.
I am still on good old Openlook and i am really happy with it.
_ _ _ _ _ _ _
{::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
Encrypting the swap needs some extra CPU cycles, I guess...
>
>> Moreover, if you're concerned about your data's confidentiality,
>> just wait some more. Niels Provos is working on importing tcfs :-)
>
> I will certainly use that when it's available, so that I can
> distribute the virtual disk encryption keys to multiple people, but
> for now, I can just use the loopback encrypted filesystem, right?
> Any tips on setting that up?
Don't know about this, never played with that :( What is it exactly ?)
>
> This is the most amazingly helpful list. I also really like the
> nuclear-armed puffer fish.
>
Indeed ;-)
T.
1. compile a new current kernel with 'option TCFS' somewhere ..
2. compile src/sbin/mount_tcfs and install
3. compile src/usr.bin/tcfs and install
4. reboot to new kernel anduserland
/etc/fstab sample entry:
/mnt2 /mnt/tcfs tcfs noauto,rw,label=default,cipher=0 0 0
first mkdir /mnt2 and /mnt/tcfs
then:
mount /mnt/tcfs
mkdir /etc/tcfs
tcfsmng adduser
<give a valid username>
as the user:
tcfsuse genkey
<asks for password, give password, like ssh-keygen>
cd /mnt/tcfs
echo hi > notcrypted
echo this is a secret > hehe
tcfsuse flags x hehe # 'turn on encryption on this file'
cat /mnt2/hehe
(you see garbage, the encrypted data)
tcfsuse flags x . # 'turn on encryption by default for this dir'
echo this secret will never get out > hoho
... there are also group keys possible, and the decryption can only
occur with the 'minimum' number of users logged in and/or having added
their keys to the kernel filesystem key database, you choose what
minimum is ..
Please let me know what info is missing, etc, maybe this will head
towards docs shortly :-)
Oh and look at http://tcfs.dia.unisa.it .. for some ideas as to
what are possible, but ignore the part that says its nfs loopback,
thats only for linux, bsd's vfs layer is more useful ..
--
Todd Fries .. to...@fries.net
On 19-Jun-2000 Todd T. Fries wrote:
> ...
>
> tcfsmng adduser
> <give a valid username>
>
> as the user:
> tcfsuse genkey
> <asks for password, give password, like ssh-keygen>
everything fine up to this, but tcfsuse complains :
I don't have root privileges!
so, chmod u+s /usr/bin/tcfsuse ... correction to add in make install
>
> cd /mnt/tcfs
> echo hi > notcrypted
> echo this is a secret > hehe
> tcfsuse flags x hehe # 'turn on encryption on this file'
another complain :
$ tcfsuse flags x hehe
fchflags: Permission denied
setflags error
and cat /mnt2/hehe is plain text !
but if I do another echo [sth] > hehe, I get :
ksh: cannot create hehe: Permission denied
What's wrong ? Am I not -current enough ? (as it happens sometimes)
T.
On Tue, Jun 20, 2000 at 12:27:43AM +0200, Thierry Deval wrote:
[..]
> everything fine up to this, but tcfsuse complains :
> I don't have root privileges!
> so, chmod u+s /usr/bin/tcfsuse ... correction to add in make install
chances are you'll have to make your own decision to setuid this binary
until it has been thoroughly audited... but first it needs to finish being
cleaned up :-)
> > cd /mnt/tcfs
> > echo hi > notcrypted
> > echo this is a secret > hehe
> > tcfsuse flags x hehe # 'turn on encryption on this file'
>
> another complain :
> $ tcfsuse flags x hehe
> fchflags: Permission denied
> setflags error
>
> and cat /mnt2/hehe is plain text !
> but if I do another echo [sth] > hehe, I get :
> ksh: cannot create hehe: Permission denied
>
> What's wrong ? Am I not -current enough ? (as it happens sometimes)
Dunno, maybe key is not added? maybe you dont have permissions on the directory
in which the file resides?
BTW, until you set the flags to be encrypted, files are not encrypted by
default, until you set the flags on the directory to be encrypted .. but
that is current behavior, subject to change, yada yada ..