BSD Magazine PDF
ewa.dudzic@bsdmag.org
Executive Editor: Karolina Lesińska, karolina.lesinska@bsdmag.org
Editor Assistant: Katarzyna Kaczor
Director: Ewa Dudzic, ewa.dudzic@bsdmag.org
Art Director: Agnieszka Marchocka
DTP Technician: Przemysław Banasiewicz
Prepress Technician: Ireneusz Pogroszewski
Contributing: Gilles Chehade, Machtelt Garrels, Rob Somerville, Petr Topiarz, Svetoslav P. Chukov, Antti Kantee, Michele Cranmer, Xavier Brinon, Peter N.M. Hansteen, Girish Venkatachalam, Eric Schnoebelen, Federico Biancuzzi, Mikel King
Special Thanks to: Matt Olander, Jim Brown
Senior Consultant/Publisher: Paweł Marciniak, pawel@software.com.pl
National Sales Manager: Ewa Dudzic, ewa.dudzic@bsdmag.org
Marketing Director: Ewa Dudzic, ewa.dudzic@bsdmag.org
Executive Ad Consultant: Karolina Lesińska, karolina.lesinska@bsdmag.org
Advertising Sales: Karolina Lesińska, karolina.lesinska@bsdmag.org
Production Director: Marta Kurpiewska
Publisher: Software Wydawnictwo Sp. z o.o., 02-682 Warszawa, Bokserska 1, worldwide publishing
Postal address: Software Media LLC, 1521 Concord Pike, Suite 301, Brandywine Executive Center, Wilmington, DE 19803, USA, tel: 1 917 338 36 31, www.bsdmag.org
Software-Wydawnictwo Sp. z o.o. is looking for partners from all over the World. If you are interested in cooperating with us, please contact us by e-mail: editors@bsdmag.org
Print: 101 Studio, Printed in Poland
Distributed in the USA by: Source Interlink Fulfillment Division, 27500 Riverview Centre Boulevard, Suite 400, Bonita Springs, FL 34134, Tel: 239-949-4450.

Dear All,

This is the second time we meet. I hope you enjoyed the first issue of our brand new mag and that you have been looking forward to this issue. As always, you're more than welcome to send in your comments, replies, ideas and suggestions. If you'd like to become a BSD author or beta tester, don't hesitate - just sign in.

This time my thanks go to Matt Olander and Jim Brown for their great help in improving the quality of the magazine. In addition, I'd like to thank all of you who got involved with this project and devoted your free time to help and respond to all "emergencies", even in the middle of the night. Thank you!

This issue is devoted to OpenBSD. As usual, we tried to cover the most interesting and useful topics as well as providing how-to's that will help you improve your skills. Gilles Chehade guides you through the process of installation and configuration of OpenBSD 4.3 and Peter N.M. Hansteen gives you a kick-start on using packages. Gilles also teaches you how to provide the best development platform on OpenBSD.

Machtelt Garrels discusses the certification that is being developed by the BSD Certification Group Advisory Board. Rob Somerville demonstrates how to build an OpenBSD server from scratch, Petr Topiarz, from the Czech OpenBSD community, provides a guide for people who use Linux or FreeBSD and would like to give OpenBSD a try on the desktop and Svetoslav P. Chukov presents PBI - PC BSD installer.

In the administration section, Eric Schnoebelen and Michele Cranmer explain how to create a gateway between the Jabber network and closed networks and how to secure client-to-server and server-to-server communications using XMPP/Jabber features. Antti Kantee describes the kernel as a programming and testing environment.

We also decided to cover BSD in context of its use in business and education: Girish Venkatachalam explains how to use OpenBSD to make money and iXsystems presents the use of PC BSD in schools.

For those who don't really feel like getting into more technical details, Federico Biancuzzi interviews OpenBSD developer Damien Bergamini, Mikel King introduces Mac OS X as the "other" BSD and Xavier Brinon reviews Absolute FreeBSD (2nd Edition) by Michael W. Lucas.

Enjoy!

all the best
4 BSD 2/2008
what’s new
Eldorado, Maximus and GSA
During the last 20 years malware (malicious software) has been constantly evolving and security programs have evolved in parallel. We have seen boot sector viruses, parasitic file-infecting viruses, macro viruses, mass-mailing worms, stand-alone backdoors, password stealers and various types of Trojans.

In the past two years we have seen better financed and organized malware development, possibly due to involvement of organized crime, but the other recent major development is the appearance of server-side polymorphism. Twenty years ago the lifespan of malware was measured in months, even years. Today, it is measured in hours. Dedicated servers distribute malware that changes every few minutes, faster than any anti-virus company can respond. Adding detection of each individual variant is of limited use, as it will no longer be in active distribution by the time the users of the anti-virus product receive the detection update.

The approach the F-PROT developers have taken is to increase the emphasis on heuristic detection, which detects potentially malicious behaviour in advance – not requiring updates for every single new variant. F-PROT pioneered heuristic scanning back in 1992, and over the years we have introduced various innovations, such as heuristics based on neural networks. The latest development in the F-PROT engine has been the introduction of three independent heuristic engines, code-named Eldorado, Maximus and GSA. Those engines use fundamentally different methods and are maintained by different teams, with a bit of a friendly in-house rivalry. The goal is that by the end of 2008 those three heuristic scanning engines will provide proactive detection of the vast majority of new malware – detect it as soon as it is released by the authors, without requiring any updates. It will never be possible to detect all malware proactively – any such claims are just irresponsible marketing hype, but Eldorado, Maximus and GSA will provide F-PROT users with a significant level of protection. That is our goal.
Reinoud Zandijk has been working on support for the Universal Disk Format in NetBSD for quite some time, and in mid-May he reached another major milestone by adding write support to NetBSD's UDF file system. "It can now read and write files and directories on CD-R/RW, CD-MRW, DVD-R/RW, DVD+R/RW, DVD+MRW, (USB) flash media and hard disc partitions. Media like Iomega Rev should also work fine," he said. In fact, this means that within NetBSD you now can mount any UDF formatted media and use your favorite tools, like cp, mv, rm, or even an X11 file manager over it.

New default license for NetBSD
Following from a vote amongst the membership of the NetBSD Foundation and in recognition of the changing face of software licensing, the Foundation has changed its recommended license to be a two clause BSD license. Dropped clauses are the advertising clause and the "endorsement" clause (3 and 4 respectively). "We have seen organizations and people concerned about the old clause 3 in the license, to the extent where NetBSD code could not be used in commercial products; the new license means that these concerns are no longer valid," said Alistair Crooks, The NetBSD Foundation's president. Also, the members of the NetBSD Foundation no longer considered clause 4 to be useful in today's software world. All third parties are allowed and encouraged to change any previously used NetBSD Foundation license to the new two clause NetBSD license. Updated NetBSD copyright and licensing terms can be found at http://www.NetBSD.org/about/redistribution.html.

Getting ready for best release
The NetBSD source tree has been frozen in preparation for a new release. During the freeze period, no new functionality is being added to the tree, and only bug fixing is allowed. pkgsrc, another major NetBSD project, has used freeze periods ever since it started making branches, in order to stabilize features in preparation for a stable branch. This practice has been successful over time, and now it was decided to try it for NetBSD releases too. As soon as the source tree entered the freeze period, the NetBSD Release Engineering Team, who manages all stable branches, took control of all commits. The Releng team will also define how long the freeze will take. It is expected that the upcoming NetBSD 5.0 release will contain many interesting features, like improved threading and SMP, a new kernel scheduler supporting real-time classes, write support for UDF, the Automated Testing Framework, EM64T/AMD64 and PAE support for Xen, as well as support for new hardware platforms and numerous devices.
by Mike M. Volokhov
Software News:
Firefox 3 - Released June 17th. Just in case you've been living under a rock, Firefox runs under the X Windowing System on all current versions of BSDs, as well as Mac OS X, Solaris, and of course Microsoft Windows. To download a binary version for your particular Operating System go to http://www.mozilla.com, however on most of the BSDs you will need to either install it from the ports or use pkgsrc.

OpenOffice.org 3.0 - The public beta release of OpenOffice.org 3.0 is now ready for testing. This beta release is made available to allow a broad user base to test and evaluate the next major version of OpenOffice.org, but is not recommended for production use at this stage. If you are a regular user of OpenOffice.org, here's a great opportunity to help us make the next release the best ever. For more details, refer to the following URL: http://www.openoffice.org/project/marketing/3.0/announcementbeta.html
BSD Fresh
The BSD Certification Group has recently released the BSD Associate certification exam. This exam is the first in a series of exams that focus on BSD systems. The exam covers seven diverse knowledge domains: Installing & Upgrading the OS and Software; Securing the Operating System; Files, Filesystems, and Disks, etc. The complete list is on the website.

The exam has been active since February 2008, and to date the exam has been held eight times in various cities in North America and Europe: Los Angeles, Ottawa, Krakow, Brussels, Toronto, Berlin, Ede, and Chemnitz. You might think that it's an easy exam and everyone passes, but that isn't the case. The failure rate is currently about 20%.

Why is the failure rate so high? Without a doubt, it's because people come to the exam expecting it to be a breeze and they find out it's not. The exam tracks very closely to the objectives that were published by the BSDCG in October 2005, the distribution of questions is pretty evenly distributed among the above domains, and it covers the four BSD versions: FreeBSD, OpenBSD, NetBSD, and DragonFly BSD.

The result? It's not a cake-walk. If you come to the exam with experience in a single version of BSD, you won't pass the exam. Comments from those who have taken it said it was "harder than I thought it would be" and "it made you think."

Now that the exam is out, there are many projects that the BSDCG would like to get started, such as the BSD Professional certification. This certification will probe even deeper into complex administrative tasks that BSD system administrators have to perform every day: filesystem issues and access controls, process control, virtualization, multiple network configurations, firewalls, and so forth. The good news is that there is a rich load of material to draw on: BSD systems contain a wealth of well documented features, thanks to developers all over the world.

The certification effort is community driven and everyone can help by spreading the word to local user groups, forums, schools and universities, etc.

To find out more about how you can help visit the website at www.bsdcertification.org.
iXsystems has announced the launch of its Professional Enterprise Services and Support Division for FreeBSD and PC-BSD. "We feel that offering Professional Level Support for FreeBSD and PC-BSD is one of the main barriers that the platforms face to expand adoption. While there may be some companies that are capable of supporting them, there are none, to my knowledge, currently offering services and support on an Enterprise Class level specific to FreeBSD and PC-BSD," says Matthew Olander, CTO of iXsystems. "This is a barrier we are happy to remove." The service and support offerings will include customer support as well as customized offerings across a wide range of issues such as installation support, large deployments and kernel tuning.

It is also worth noting that iXsystems decided to open its own support center in the Midwestern United States as opposed to using an outside customer service firm. This has a number of advantages that company officials believe will enhance customer satisfaction. "We have in-house professionals who have been working on various levels of the FreeBSD and PC-BSD projects for a very long time, who will be much more concerned about providing successful solutions for our customers and much more responsive than an outside firm," explained iXsystems CEO Michael Lauth.

A FreeBSD Laptop with Everything (mostly) Working?
In addition to launching its support division, iXsystems is currently putting the finishing touches on the Invincibook, a FreeBSD compatible laptop that will soon be available. The Invincibook is made with an anti-shock mounting design that protects the LCD and Hard Drive from damage and data loss. Additionally, it is water resistant to protect the internal components from accidental spills. The Invincibook will ship with Fibonacci, the upcoming release of PC-BSD, a powerful OS running FreeBSD 7 under the hood and featuring a powerful GUI for graphical system installation. PC-BSD installs applications via the Push Button Installer (PBI), a graphical utility to remove and install software in a simple to use, self-contained format.

PC-BSD Fibonacci Edition also features various new server tools and enhancements including speed improvements with the ULE Scheduler, experimental ZFS support during install, and UFS Journaling through GEOM.

Who are these Guys?
Formerly BSDi's hardware division, iXsystems, Inc. is a premier builder of FreeBSD-certified servers, storage, and related products. iXsystems develops custom hardware solutions that address a company's technical and budgetary needs within their specific network architecture.

OS compatibility is a key component of iXsystems' Open Source Hardware Design process. This means that they will work backwards to develop a custom solution ideal for the customer, instead of requiring the customer to compromise their specific hardware requirements and limit their choice of OS to fit within the parameters and specifications of a product line.

iXsystems is also the corporate sponsor of the PC-BSD Operating System and recently acquired FreeBSD Mall and BSD Mall, two providers of high quality BSD software, apparel, and literature. For more information visit the iXsystems website at http://www.ixsystems.com.
dvd contents
OpenBSD 4.3
This is a partial list of new features and systems included in OpenBSD 4.3. For a comprehensive list, see the changelog leading to 4.3.

• New/extended platforms:
  • OpenBSD/sparc64 SMP support. This should work on all supported systems, with the exception of the Sun Enterprise 10000.
  • OpenBSD/hppa K-class servers like the K200 and K410 are supported now.
  • OpenBSD/mvme88k SMP support on MVME188 and MVME188A systems. The 88110 processor, and thus MVME197LE/SP/DP boards, are supported now.
  • OpenBSD/sgi contains many new drivers, however the kernel requires an important errata fix.

New tools:
• snmpd(8), implementing the Simple Network Management Protocol.
• The snmpctl(8) program controls the SNMP daemon.
• The pcidump(8) utility displays the device address, vendor, and product name of PCI devices.
• ldattach(8) is used to attach a line discipline to a serial line to allow for in-kernel processing of the received and/or sent data.

For more information about OpenBSD 4.3 please visit http://www.openbsd.org/.

Ampache 3.4.1
Ampache is a Web-based Audio file manager which is implemented with MySQL and PHP. It is one of the oldest applications of that type. Ampache's goal is to maintain a secure and fast web front end that will run on any platform that supports PHP and any hardware. It allows you to create user accounts and share the music with other Ampache servers. It also allows you to modify your audio files via the web and it has support for playlists, album art, artist and album views, playback via HTTP/On the Fly Transcoding and Downsampling, Integrated Flash Player, Vote based playback, Icecast and Mpd, as well as per user themes and song play tracking. Ampache also provides an API for pulling out meta data in the form of XML documents.

The latest version – Ampache 3.4.1 – contains many changes such as:
• Complete re-write in PHP5,
• AJAX'd interface,
• Active Playlist concept added,
• XML API,
• Dynamic Playlists,
• vastly improved browsing system.

For more information please see: http://www.ampache.org/

DragonFly 1.12.2
DragonFly is an operating system and environment originally based on FreeBSD. DragonFly branched from FreeBSD in 2003 in order to develop a radically different approach to concurrency, SMP, and most other kernel subsystems. DragonFly belongs to the same class of operating system as BSD and Linux and is based on the same UNIX ideals and APIs. DragonFly gives the BSD base an opportunity to grow in an entirely different direction from the one taken in the FreeBSD, NetBSD, and OpenBSD series.

For more information about the 1.12.2 release please visit: http://www.dragonflybsd.org/community/release1_12.shtml

MirBSD
MirOS BSD is a secure computer operating system from the BSD family for 32-bit i386 and sparc systems. It is based on 4.4BSD-Lite (mostly OpenBSD, some NetBSD). It is a derivative of OpenBSD. Source code from OpenBSD is regularly imported and merged. MirOS BSD often anticipates bigger changes in OpenBSD and includes them before OpenBSD itself. For example, ELF on i386 and support for gcc3 were available in MirOS first. Controversial decisions are often made differently from OpenBSD; for instance, there won't be any support for SMP in MirOS. The most important differences to OpenBSD are:

• Completely rewritten bootloader and boot manager without an 8 GiB limit and with Soekris support
• Slim base system (without NIS, Kerberos, Bind, i18n, BSD games, etc.), Bind and the BSD games being available as a port
• Binary security updates for stable releases
• ISDN support
• IPv6 support in the web server software
• wtf, a database of acronyms
• Some of the GNU tools (like gzip and *roff) were replaced by original UNIX code released by Caldera

For more information please see: http://www.mirbsd.org/main.htm

F-PROT Antivirus for BSD Workstations
For home users using the BSD open-source operating system, we offer F-PROT Antivirus for BSD Workstations. F-PROT Antivirus for BSD Workstations utilizes the renowned F-PROT Antivirus scanning engine for the primary scan but has in addition to that a system of internal heuristics devised to search for unknown viruses.

F-PROT Antivirus for BSD was especially developed to effectively eradicate viruses threatening workstations running FreeBSD, NetBSD, or OpenBSD. It provides full protection against macro viruses and other forms of malicious software – including Trojans.

F-PROT Antivirus for BSD Workstations is FREE for Home Users
F-PROT Antivirus for BSD Workstations is FREE for use by personal users on personal workstations.

Features
F-PROT for BSD Workstations features:
• Scans for over 1001738 known viruses and their variants
• Ability to perform scheduled scans when used with the Unix cron utility
• Scans hard drives, CD-ROMs, diskettes, network drives, directories and specific files
• Scans for images of boot sector viruses, macro viruses and Trojan Horses
get started
OpenBSD 4.3
Installation & Configuration
Gilles Chehade
This issue of BSDMAG comes with a DVD containing the installation program for the
OpenBSD 4.3 operating system. This article will help you go through the installation
process and first steps at configuring and making use of this increasingly popular system.
OpenBSD is one of the four major BSD systems and follows the long tradition of giving away quality software without any strings attached. It is known for having a strong goal of security and advertising only two remote holes in the default install in more than ten years, but to be honest this is a side effect of a strong focus on keeping the code clean and not accepting dirty hacks for convenience. In the last few years, with other systems agreeing to incorporate more and more closed-source objects (also known as blobs) in their systems, OpenBSD has gained another reputation of strong commitment to free software by refusing to sign non-disclosure agreements, removing support for non-friendly vendors and reverse-engineering drivers when other systems accepted the closed drivers provided by vendors and eventually made their integration easier. This is a rather short description but there are plenty of goals and going through all of them would probably make an article by itself.

So, let's get started with the installation!

Installation
OpenBSD has a reputation of having a very difficult installer for those who are used to the so-called modern GUI-based installers. In practice, despite the fact that it is console-based, the installation process is very easy if you take time to follow the instructions that are available in the FAQ and on-screen as installation goes on. After you are familiar with the very few steps, you will be able to perform complete installs in just a few minutes and amaze your friends.

Getting the media
OpenBSD is as free as can be and you can download it from the several FTP, HTTP, AFS and RSYNC mirrors listed on the official website; however it is strongly encouraged that you buy yourself a CD set as it is the main source of revenue for the project. Also, they are cool looking and come with stupendous stickers. To start installation, boot your computer on the DVD. You will be facing a boot prompt which is the entry point for you either to boot the system or the installer. You can simply press enter or wait for the bootloader to boot the default image. The installer will then load the kernel and you will see a lot of lines scrolling with information as to which devices were found and/or supported. After that, the following prompt will appear:

(I)nstall, (U)pgrade or (S)hell? <i>

The options are quite self-explanatory, you can proceed to install by simply typing 'i'. The next prompt will request the terminal type and keyboard mapping:

Terminal type: [vt220] <enter>
kbd(8) mapping? ('L' for list) [none] <enter>

Again, no dark magic, the terminal can be left to default if you are not doing the install in a weird setup (from another machine connected to the setup machine through a serial cable for example). The keyboard mapping is up to you for obvious reasons, the default will be a US qwerty. Even though I am a froggy, I happen to have a qwerty so no need for fr in my case. Make sure not to use any incorrect mapping or you may end up in an uncomfortable position when requested to enter a password.

The installer will then remind you that the install process is a destructive operation and that you should do backups. Seriously, do it.

Proceed with install? [no] <y>

Next step is where things get trickier and where reading skills are required in order not to break things. First, you are
prompted for the disk you will be installing OpenBSD on:

Available disks are: wd0
Which one is the root disk? (or done) [wd0] <enter>

In this case I only have one disk so the list of available disks is pretty short. Once you validate the disk, you are asked if the disk will be fully dedicated to OpenBSD or not. Replying no will drop you into the fdisk utility where you can manage your partitions. I have not done a dual boot in years so I can only suggest you read the OpenBSD FAQ which explains the steps to do so, but to summarize you need to select which partition to use, set its type to A6 (OpenBSD) and write the MBR. These are three commands I will leave as an exercise to you.

After the disk has been selected (and eventually partitions set up), we will be dropped into the disklabel utility to slice the disk and define the mount points:

Initial label editor (enter '?' for help at any prompt)
>

The help menu here should be sufficient to get you going, but to make it even more simple, here is the hint:

(a)dd a slice
(d)elete a slice
(p)rint information regarding the slices

Each time you add a slice, you are prompted for information regarding the slice:

> <a>
name: [a] <enter>
offset: [0] <enter>
size: [78165360] 80M
Rounding to cylinder: 164304
FS type: [4.2BSD] <enter>
mount point: [none] /
>

It is recommended that you create slices for /, /home, /usr, /var, /tmp and the swap, though as long as you have a / slice OpenBSD should be happy. The sizes are really up to you and very dependent on what you plan to do with your system. Keep in mind that if you create all the recommended slices, / will not be very populated, /usr will be growing with each third party application or library you install, /var will be growing with each email, logs and runtime data that are going to be written to disk (runtime data includes databases if you plan on installing a package such as postgresql & friends). It is not too important that you get partitions right, but it is important that you do not get them wrong as it is easier to deal with adding a new slice than to deal with a disk full error. So, try to think from the beginning about what your computer will do and make sure each slice has enough space to work with.

There are no standard sizes, but if you create the five (+ swap) recommended slices, a good rule is to have:

• / be 150MB as there is not really any need for more – swap be close enough to your memory size so that in a worst case scenario where your kernel would crash, the core could be written on disk
• /tmp, this depends on your needs for temporary files, usually it can remain quite small; I usually make them 128MB and consider them already way too big.

The remaining space has to be balanced with your need to provide users with space for their home directories, your need to use third party applications and/or get a copy of the OpenBSD source tree (installed in /usr/src), and your need to store email, databases, logs, websites, and other random data in /var. No one can make the choice for you, you are on your own.

Once we are done with the slicing, we only need to save and quit disklabel to go on. That is respectively the (w)rite and (q)uit commands. This was the trickiest part of the installation process:

> <w>
> <q>

Next step will have us confirm our slices and make sure we want to proceed to the formatting of our slices which will erase disk content:

The next step *DESTROYS* all existing data on these partitions! Are you really sure that you are ready to proceed? [no] <y>

Then the installer will set up its slices in an operation that takes more or less time depending on the slices' size. When done, you are prompted for the system hostname:

System hostname (short form, e.g. 'foo'): <lappy>

Since the installer allows installation through other media than a CD or DVD, like an ftp server for example, the network can be configured at install time. The configuration will be saved so that there is nothing to do post-install. Here I will use DHCP, but the configuration of a statically assigned IP address is straightforward: see Listing 1.

At this point, the network is configured and you are already able to ping the pc from another computer if you want to. Before going further, we are prompted for the root password:

Password for root account? (will not echo)
Password for root account? (again)

Listing 1. Configure the network

Configure the network? [yes] <enter>
Available interfaces are: rl0.
Which one do you wish to initialize? (or 'done') [rl0] <enter>
Symbolic (host) name for rl0? [lappy] <enter>
The media options for rl0 are currently
        media: Ethernet autoselect (100baseTX full-duplex)
Do you want to change the media options? [no] <enter>
IPv4 address for rl0? (or 'none' or 'dhcp') dhcp
Issuing hostname-associated DHCP request for rl0.
DHCPDISCOVER on rl0 to 255.255.255.255 port 67 interval 1
DHCPOFFER from 192.168.0.1
DHCPREQUEST on rl0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.1
bound to 192.168.0.42 -- renewal in 1800 seconds.
IPv6 address for rl0? (or 'rtsol' or 'none') [none] <enter>
No more interfaces to initialize.
DNS domain name? (e.g. 'bar.com') [my.domain] poolp.org
DNS nameserver? (IP address or 'none') [192.168.0.100] <enter>
Use the nameserver now? [yes] <enter>
Default route? (IP address, 'dhcp' or 'none') [dhcp] <enter>
Edit hosts with ed? [no] <enter>
Do you want to do any manual network configuration? [no] <enter>

Listing 2. Useradd command live

# useradd -s /bin/sh -d /home/gilles -m gilles
# userinfo gilles
login   gilles
passwd  *************
uid     1000
groups  users
change  NEVER
class
gecos
dir     /home/gilles
shell   /bin/sh
expire  NEVER
#
Start sshd(8) by default? [yes] <y>
NTP server? (or none or default) [none] <default>
Do you expect to run the X Window System? [no] <y>
What timezone are you in? (? for list) [Canada/Mountain]? <Europe/Paris>

After a few seconds you should see:

CONGRATULATIONS! Your OpenBSD install has been successfully completed!
To boot the new system, enter halt at the command prompt. Once the system has halted, reset the machine and boot from the disk.
# <halt>

That is all, OpenBSD is now installed and I will be able to log into it right after I issue a reboot. It took me what, five minutes? Talk about an unfair reputation.

Post installation
Creating an account. After I boot for the first time on my brand new system, the following prompt welcomes me:

OpenBSD/i386 (lappy.poolp.org) (ttyC0)
login:

I can now log in as user root to start setting up the system. First thing to notice is that I got mail and that I am prompted for a terminal type. No need to argue, I will accept the default:

You have new mail.
Terminal type?: [vt220] vt220
#

In case you cared, the mail was from Theo de Raadt, OpenBSD's project leader. A lot of useful information was in it. I would be happy to sum it up, but I guess it would spoil your fun. Now that I am logged in as root, the first thing to do is create myself an account so that I can stop being logged in as root. There are (more than) two tools which will allow me to do that:

• adduser is an interactive utility, a perl script if you are curious
• useradd is a command line utility

Both will get me through my goal of setting up an account, but they use different interfaces so it really is a matter of taste. Since I am not a big fan of interactive tools, my example will use useradd and you will get to read a couple of man pages [adduser(8), useradd(8)] to see what other options I have not told you about. Happy? You'd better be, because in OpenBSD-land you will be reading a lot. See Listing 2.

Here, I only created the account gilles and specified its shell and home, the -m option being to force creation of the home directory in case it does not exist. useradd has plenty of configuration options to ease account creation. One could for example set up an expiry time for the account or password, or even a user class or group. userinfo can, amongst other things, display a short summary with all information regarding a particular account. There is more use to it, but guess what? Yup, [userinfo(8)].

For now, we do not really care about all this, all we want is to log in as user gilles and leave root as soon as possible. To do so, I lack a password:

# passwd gilles
Changing local password for gilles.
New password: <foo>
Please enter a longer password.
New password: <foo123>
Please use a more complicated password.
Please use a different password. Unusual capitalization, control characters, or digits are suggested.
New password: <IlUvBsD42>
Retype new password: <IlUvBsD42>
#

In the example above, the passwords enclosed in '<' and '>' did not show up on the terminal, however now that you see what I typed, you get to realize that a strong password policy is enforced by the passwd utility. It must not be too short, it must not be too easy, it must be a real password. Obviously there is a way to get around this, but that kind of trick I will not tell you.

Now, I am able to log out from root

Listing 4. Interface name

$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:21:4c:6e:eb
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.0.42 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::219:21ff:fe4c:6eeb%rl0 prefixlen 64 scopeid 0x1
enc0: flags=0<> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog
$

Listing 5. Configure the network

for dhcp:
$ sudo tcsh
# echo "dhcp" > /etc/hostname.rl0
# exit
$

for my statically assigned address:
$ sudo tcsh
# echo "inet 192.168.0.42 255.255.255.0 NONE" > /etc/hostname.rl0
# exit
$

password prompting, but keeping it makes it annoying enough that you do not end up doing sudo commands all the time. It forces you to think about

OpenBSD system and logging in to your account is to actually read a man page [afterboot(8)]. It holds a description of the first checks to perform after the first
and login in as user gilles, but I still what you are doing in your session boot. It will tell you about files that were
need to do one last thing. Since being instead of blindly prepending sudo configured during installation as well as
logged in as root is unsafe, and since everywhere, as a side effect a session files and commands that you should re-
my main account is gilles, I will config- that you would forget to lock will not ally know how to use as soon as possible.
ure the sudo utility to give me the ability make your system compromised. A Since repeating its content here would be
to execute privileged commands as user user that shares your computer and a waste of bytes, I will only suggest that
gilles. The command visudo will allow attempts to brute force your sudo you read it and follow the pointers to other
me to edit the sudoers file. account will trigger mail being sent man pages that are in the "READ ALSO"
to root. We will later see how to alias section of the man page.
# visudo the root account to my unprivileged
account as root happens to receive Configuring the network
This will launch a text editor, vi by default, mail we DO care about. One of the first thing you will want to do
and by adding: is configuring the network since you will
Just a few words before we go further probably want to interact with the rest of
gilles ALL=(ALL) SETENV: ALL As I said in previous section, in the world. Depending on your network
OpenBSD-land we get to read a lot. configuration, this is going to be easy, or
in the User privilege specification section This is a habit that is kind of strange super easy. First of all, you will need to
of the file, I will be able to execute to newcomers who are used to having know your interface name: see Listing 4.
commands as root by prefixing them with their hands herd and being walked from Here, my interface is rl0 (lo0 being
sudo. Beware that executing commands a problem to its solution. However, in the loopback interface, enc0 and pflog0
through sudo is not safer than executing OpenBSD-land you do not get helped being of interest to you only when you
them through root, but this forces you to if you do not try to get to a solution by will be familiar enough that you will want
ask yourself the question do I really want yourself. Since a lot of work is done to setup ipsec or pf). This means that my
to do this? every time you start typing sudo on keeping documentation up-to-date, network card is attached to the rl driver
in your shell. the first step to a solution is often to [rl(4)]. Good, now:
Now is time to kiss root goodbye! (see start reading the documentation that is
Listing 3) shipped with the system. • If I have a DHCP server: $ sudo dh-
It seems to work pretty well. Note Why do I mention this? Well, the very client rl0
that there is a way to disable the first thing you get to do when booting your • If I want to statically assign my
address: $ sudo ifconfig rl0
Listing 6. The list of ports 192.168.0.42
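The passwd exchange shown in the account-creation section rejects <foo> and <foo123> before accepting <IlUvBsD42>. As an added example (not from the article, and not OpenBSD's actual passwd(1) check), here is a small POSIX sh approximation of that policy; the thresholds, a minimum of six characters and at least three character classes, are assumptions chosen only to reproduce the three outcomes in the transcript.

```shell
#!/bin/sh
# Added example: an approximation of the password policy the article's passwd
# transcript shows. Not OpenBSD's real check (see passwd(1) and login.conf(5));
# the thresholds below are assumptions picked to reproduce the transcript.

# pw_classes PASSWORD
#   Prints how many of the four classes lower/upper/digit/other occur in it.
pw_classes() {
  n=0
  case $1 in *[a-z]*) n=$((n + 1)) ;; esac
  case $1 in *[A-Z]*) n=$((n + 1)) ;; esac
  case $1 in *[0-9]*) n=$((n + 1)) ;; esac
  case $1 in *[!a-zA-Z0-9]*) n=$((n + 1)) ;; esac
  echo "$n"
}

# pw_check PASSWORD
#   Prints the passwd-style verdict(s); returns 0 only when the password
#   would be accepted under this approximation.
pw_check() {
  pw=$1
  len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
  if [ "$len" -lt 6 ]; then                 # "<foo>" is caught here
    echo "Please enter a longer password."
    return 1
  fi
  if [ "$(pw_classes "$pw")" -lt 3 ]; then  # "<foo123>": lower + digits only
    echo "Please use a more complicated password."
    echo "Please use a different password. Unusual capitalization,"
    echo "control characters, or digits are suggested."
    return 1
  fi
  return 0                                  # "<IlUvBsD42>": lower, upper, digits
}

# Walk through the article's three attempts when run directly.
for candidate in foo foo123 IlUvBsD42; do
  printf 'New password: <%s>\n' "$candidate"
  pw_check "$candidate" && echo "accepted"
done
```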
14 BSD 2/2008
OpenBSD 4.3
    $ sudo vi /etc/resolv.conf
    search poolp.org
    nameserver 192.168.0.2
    nameserver 192.168.0.3
    lookup file bind
    $

Once you get more familiar with the system, you can run the shipped named server and configure your system to use its own name server.

Wi-Fi is slightly more difficult, you must... no, actually in OpenBSD Wi-Fi is configured using ifconfig, which recognizes a few additional Wi-Fi-specific options. I would love to put an example here, sadly I do not have Wi-Fi so you will have to trust my word.

What is in OpenBSD
Now that we have a network, let's see what tools we have at hand and eventually install additional software from the Internet.

Contrary to popular belief, OpenBSD comes with many tools which make it usable out of the box to achieve many of the goals you would expect from a UNIX-like system:

OpenBSD can be configured as a simple firewall with simple rules to block incoming and outgoing traffic, just as it can be used to control bandwidth or provide high availability redundant setups, multihoming or an ipsec gateway. It is the system of choice to use as a gateway between one network and another, a very robust system with advanced network related features.

It can also be configured as a server for a wide variety of services including http, smtp, dns, dhcp, pop, ftp, ssh, ntp, and more... Services are integrated and for the most part will run out of the box if you enable them, as will be shown in this article. Services which cannot work out of the box because they require specific configuration come with examples that will allow an unfamiliar admin to get them running in minutes. It should also be noted that most of these services are either written by OpenBSD hackers or are modified to improve their overall security with techniques that have proved to be efficient, such as privilege separation and chrooting, privilege dropping, use of safe alternatives to potentially dangerous code constructs, and so on. Some services are even able to cooperate with the packet filter to provide elegant solutions to problems which usually force admins to rely on hacks, such as ftp-proxy, spamd or relayd.

It makes a great development station. Xorg is available by default in a more secure OpenBSD-ized version. vi and mg, an emacs-like editor, are there out of the box, as are cvs, gcc, gdb and more. The documentation is probably the best out there, with every function documented, some even providing examples of correct and incorrect uses. It is not rare that I rely on OpenBSD man pages while developing for Linux, and I know of many people with the same habit.

As you can see, the system comes with a set of applications which are available out of the box and which will allow you to do quite a few things in many areas without having to install third party applications.

Ports and packages
At some point, you will feel limited because you need a particular tool to do your job, or you will miss an application you are familiar with and which does not ship with the system. I tried a lot in the past to limit myself to base applications, but in the end I always end up needing something that's missing. Fortunately, OpenBSD provides two mechanisms to ease the installation of third party applications and have them installed and running painlessly: packages and ports.

Packages are a collection of archives containing software and libraries that are under a license which allows the OpenBSD project to host them on a public ftp server and redistribute them. This does not necessarily mean that they are free software, it only means that they are software that is allowed to be distributed. Packages are managed through a set of commands:

    pkg_add, pkg_delete and pkg_info

Actually there is more, but by now you should be used to me telling you to read man pages.

To install a package, you need to tell pkg_add where to find it. This is done by setting the PKG_PATH environment variable to the ftp directory that contains the package you want to install. A list of these servers is available at [1]. Since we want to be nice to the main server and we want the application to install fast, I will choose a server that's geographically close to me, ftp.arcane-networks.fr, to install the screen utility that I like so much:

    $ export PKG_PATH=ftp://ftp.arcane-networks.fr/pub/OpenBSD/4.3/packages/i386/
    $ sudo pkg_add screen
    Ambiguous: screen could be screen-4.0.3p1 screen-4.0.3p1-shm screen-4.0.3p1-static
    $

The pkg_add utility detected that there are 3 different packages for screen, and it is up to me to decide which one I will want to use. In this case, I do not really care about the various versions and will go for the default:

Figure 1. Emacsm player
    $ sudo pkg_add screen-4.0.3p1
    screen-4.0.3p1: complete
    $

Just note that usually, the existence of more than one flavor of a package is an indication that you should educate yourself as to what the different versions do. On many occasions, a flavor is there to compensate for the lack of an option in the default package.

Whoops, what I really wanted was the -static flavor. No problem, uninstalling it is simple and will clean up every file that was created at install time:

    $ sudo pkg_delete screen
    screen-4.0.3p1: complete
    Clean shared items: complete
    $

Now I install the right version:

    $ sudo pkg_add screen-4.0.3p1-static
    screen-4.0.3p1-static: complete
    $

The screen example is simple because it does not have dependencies, but to be honest it does not make a difference, as pkg_add resolves and installs all of the dependencies transparently.

Unlike packages, ports are a collection of Makefiles that are organized in a hierarchy of directories (typically under /usr/ports) and which allow you to download, build and install any of the (slightly more than) 5000 ported software packages and libraries by typing make install in the appropriate directory. To obtain the ports, you need to download the ports.tar.gz archive that is available on every mirror, or use cvs. There is not really any advantage to using ports if a package already exists for the application you want to install, as building the port will result in the package itself. Ports are handy when you are dealing with situations which cannot be solved by packages, for example if you need to build with a particular option, or if the application has a restrictive license that does not allow OpenBSD to distribute a package.

To install the ports subsystem, you need to extract the ports.tar.gz that you will find on every mirror inside /usr/ports:

    $ sudo mkdir /usr/ports
    $ ftp ftp://ftp.arcane-networks.fr/pub/OpenBSD/4.3/ports.tar.gz
    $ sudo tar -C /usr/ports -zxpf ~/ports.tar.gz
    $

This will create the ports hierarchy where applications are classified by category. For example, if I wanted to install the tcsh shell, I would issue a make install in /usr/ports/shells/tcsh/, which would in turn download the source for tcsh from a master site, compile it, create a package out of it, and install the package like we have seen earlier. The list of ports is in /usr/ports/INDEX, which can be parsed easily from the command line or searched through with make commands, for example: Listing 6.

With this knowledge, you should already be able to customize your OpenBSD system and set up an environment that you will enjoy working in within a few minutes.

Basic administration
X configuration – I am pretty sure you want X running by now. OpenBSD ships with Xorg and you should not need any configuration as settings are auto-detected. The only thing you may want to do if the default window manager, fvwm2, does not suit you is to install the window manager of your choice:

Figure 2. kde
OpenBSD Packages!
Peter N. M. Hansteen

A freshly installed machine is nice, but it's when you start using the package tools that the real vistas open. Read on for a kickstart on packages.

Installing OpenBSD is easy, and takes you maybe 20 minutes. Most articles and guides you find out there will urge you to take a look at the files in /etc/ and explore the man pages to make the system do what you want. With a modern BSD, the base system is full featured enough that you can in fact get a lot done right away just by editing the relevant files and perhaps starting or restarting one or more services. If all you want to do is set up something like a gateway for your network with basic-to-advanced packet filtering, everything you need is already there in the basic install.

Then again, all the world is not a firewall, and it is likely you will want to use, for example, a web browser other than the venerable lynx or editing tools that are not vi or mg. That's where packages and package systems come in. I will skip a little ahead of myself and make a confession: the machine I am writing this piece on reports that it has some 260 packages installed.

Before we move on to the guts of this article, some ceremonial words of advice: if you are new to OpenBSD or it is your first time in a while on a freshly installed system, you could do a lot worse than spending a few minutes reading man afterboot. That man page serves as a handy checklist of things you should at least take a peek at to ensure that your system is in good working order.

Some packages will write important information, such as strings or stanzas to put in your rc.conf.local, rc.local or sysctl.conf files, to your terminal. If you are not totally confident what to do after the package install finishes, it may be a good idea to run your ports and packages installs in a script session. See man script for details.

When dinosaurs roamed the Earth...
The story of ports and packages goes back to the early days of free software, when we finally found ourselves with complete operating systems that were free, and hackers^H^H^H^H^H^H system administrators found that even with full featured operating systems such as the BSDs, there were sometimes things you would want to do that were not already in there. The way to get that something else was usually to fetch the source code, see if it would compile, make some changes (or a lot) to make it compile, possibly introduce the odd #ifdef block and keep at it until the software would compile, install and run. In the process you most likely found out what, if any, other software (tools or libraries) needed to be installed to complete the process. At that point, you could claim to have /ported/ the software to your platform. If you had been careful and saved a copy of the original source files somewhere, you could use the diff utility to create a patch you could then send to the program maintainer and hope that he or she would then incorporate your changes in the next release. But then, why wait for the next release? Why not share those diffs with others? How about putting it into a CVS repository that would be available to everyone? That idea was tossed around on relevant mailing lists for a while, and the first version of the /ports system/ appeared in FreeBSD 1.0 in December 1993.

The other BSD systems adopted the basic idea and framework soon after, with small variations. On NetBSD, the term 'port' was already in use for ports of the operating system itself to specific hardware platforms, so on that operating system, the ports tree is referred to as 'package source', or /pkgsrc/ for short. The ports and packages tools are still actively maintained and developed on all BSDs, and most notably Marc Espie rewrote the pkg_* tools for OpenBSD's 3.5 release.

Parallel development has led to some differences in the package handling on the various BSDs, and some of the operations I describe here from an OpenBSD perspective may not be identical on other operating systems. Around the same time the BSDs started including a ports tree and packages, people on the Linux side of the fence started developing package systems too. With distributed development taken to the point where the
kernel, basic system tools and libraries are maintained separately, perhaps the need there was even greater than on the BSDs. In fact, some Linux distributions such as the Debian based ones have taken package management to the point where everything is a package - every component on a running system is a package that is maintained via the package system, including basic system tools, libraries and the operating system kernel. In contrast, the BSDs tend to treat the base system as a whole, with the package management tools intended solely for managing software that does not come as a part of the default install.

The anatomy of ports and packages
The ports system consists of a set of 'recipes' to build third party software to run on your system. Each port supplies its own Makefile, whatever patches are needed in order to make the software build and optionally package message files with information that will be displayed when the software has been installed.

So to build and install a piece of software using the ports system, you follow a slightly different procedure than the classical fetch - patch - compile cycle. You will need to install the ports tree, either by unpacking ports.tar.gz from your CD set or by checking out an updated version via cvs, or for that matter cvsup or the rewritten version called csup. With a populated ports tree in hand, you can go to the port's directory, say

    $ cd /usr/ports/print/lyx

to see about installing lyx, the popular LaTeX front end. On a typical OpenBSD system, that directory contains the following files:

    $ ls -l
    total 8
    -rw-rw-r--  1 root  wheel  1825 May 18 21:57 Makefile
    -rw-rw-r--  1 root  wheel   274 Apr  5  2007 distinfo
    drwxrwxr-x  2 root  wheel   512 Nov  1  2007 patches
    drwxrwxr-x  2 root  wheel   512 Nov  1  2007 pkg

Here, the Makefile is the main player. If you open it now in a text editor or viewer such as less, you will see that the syntax is quite straightforward. What it does is mainly to define a number of variables such as the package name, where to fetch the necessary source files, which programs are required for the compile to succeed and which libraries the resulting program will need to have present in order to run correctly.

The file defines a few other variables too, and you can look up the exact meaning of each in the man pages, starting with man ports and man bsd.port.mk. With all the relevant variables set, at the very end the file uses the line:

    .include <bsd.port.mk>

to pull in the common infrastructure it shares with all other ports.

This is what makes the common targets work, so for example, typing:

    $ make install SUDO=sudo

(probably the most common port-related make command for end users and administrators) in the port directory will start the process to install the software. But before you type that command and press Enter, you may want to consider this: this command will generate a lot of output, most likely more than will fit in the terminal's buffer. If the build fails, it is likely that the message about the first thing that went wrong will have scrolled off the top of your screen and out of the terminal buffer. For that reason, it is good sysadmin practice to create a record of lengthy operations such as building a port by using the script command. Typing script in a shell will give you a subshell where everything displayed on the screen will be saved in a file. Escape sequences, asterisk-style progress bars and twirling batons will end up a bit garbled, but that essential message you are looking for will be there too. man script will give you the details, and unless you are an incurable packrat, do remember to delete the typescript file afterwards.

That process will start with checking dependencies, go on with downloading the source archive and checking that the fetched file matches the cryptographic signatures stored in the distinfo file. If the signatures match, the source code is extracted to a working directory, the patches from the patches/ directory are applied, and the compilation starts. If the dependency check finds that one or more pieces are missing, you will see that the process fetches, configures and installs the required package before continuing with the build process for the original package.

After a while, the package build most likely succeeds and the install completes. At this point you will have a new piece of software installed on your system. You should be able to run the program, and the installed package will turn up in the package listings output by pkg_info, such as:

    $ pkg_info | grep lyx
    lyx-1.4.3p2-qt      graphical frontend for LaTeX (nearly WYSIWYG)

This information is taken from the package's subdirectory in /var/db/pkg, where the information about currently installed packages is stored.

If you paid close attention during the make install process, you may have noticed that the install step was performed from a binary package. This is one of the distinctive features of the OpenBSD version of the package system. The package build always generates an installable package based on a 'fake' install to a private directory, and software is always installed on the target system from a package.

But you do not need to do that!
This means several things. If you have built and installed a package by typing 'make install' in the relevant ports directory and later run 'make deinstall' or pkg_delete to remove the software, any subsequent install of the software will take place from the package file stored in a subdirectory of /usr/ports/packages. But more importantly, in most cases you can keep your system's packages up to date without a ports tree on the machine. (See Note [1]) For each release, a full set of packages is built and made available on the OpenBSD mirrors, and by the time you read this, there is reason to hope that running updates to -stable packages will be available for supported releases too.

The way to make good use of this is to set the PKG_PATH variable to include the packages directory for your release on one or more mirrors close to you and/or a local directory, and then run pkg_add with the -u flag. (See Note [2])
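The fetch step described above compares the downloaded archive with what the port's distinfo records (a size and digest per distfile, which is what the text calls the cryptographic signatures) before anything is extracted or patched. The following is an added example, not the ports tree's own checksum target, of that check as POSIX sh functions; it assumes hex digests from sha256sum or sha256 (the real distinfo stores the SHA256 value base64-encoded, in the same "ALGO (file) = value" layout) and a writable temporary directory.

```shell
#!/bin/sh
# Added example, not the ports tree's own checksum target: reproduce the step
# where a fetched distfile is compared with the SIZE and SHA256 lines kept in
# the port's distinfo before extraction. Assumptions: hex digests from
# sha256sum/sha256 (the real distinfo stores SHA256 base64-encoded, same
# "ALGO (file) = value" layout) and a writable temporary directory.

digest_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    sha256 -q "$1"                 # BSD flavour of the same tool
  fi
}

file_size() { wc -c < "$1" | tr -d ' '; }

# make_distinfo DISTFILE  -> prints the two distinfo lines for DISTFILE
make_distinfo() {
  n=$(basename "$1")
  printf 'SHA256 (%s) = %s\n' "$n" "$(digest_sha256 "$1")"
  printf 'SIZE (%s) = %s\n' "$n" "$(file_size "$1")"
}

# check_distfile DISTFILE DISTINFO
#   Returns 0 when both recorded values match the file on disk, 1 otherwise.
#   Size is compared first because it is cheap and catches truncated downloads;
#   the digest then catches same-size alterations.
check_distfile() {
  n=$(basename "$1")
  want_sum=$(sed -n "s/^SHA256 ($n) = //p" "$2")
  want_size=$(sed -n "s/^SIZE ($n) = //p" "$2")
  if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
    echo ">> No checksum recorded for $n" >&2; return 1
  fi
  if [ "$(file_size "$1")" != "$want_size" ]; then
    echo ">> Size does not match for $n" >&2; return 1
  fi
  if [ "$(digest_sha256 "$1")" != "$want_sum" ]; then
    echo ">> Checksum mismatch for $n" >&2; return 1
  fi
  echo ">> Checksum OK for $n"
}

# demo: constructed stand-in archive; verify it, then verify a tampered copy.
# Returns 0 when the intact file passes and the altered one is rejected.
demo() {
  d=$(mktemp -d) || return 1
  f=$d/demo-1.0.tar.gz
  printf 'constructed stand-in for a source archive\n' > "$f"
  make_distinfo "$f" > "$d/distinfo"
  check_distfile "$f" "$d/distinfo"; intact=$?
  printf 'X' >> "$f"                 # simulate a corrupted or altered download
  check_distfile "$f" "$d/distinfo"; altered=$?
  rm -rf "$d"
  [ "$intact" -eq 0 ] && [ "$altered" -ne 0 ]
}

demo && echo "distinfo check behaves as expected"
```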
My laptop runs -current and I am in Europe, so the PKG_PATH is set to

    PKG_PATH=ftp://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/packages/`machine -a`/

On a more conservatively run system, you may want to set it to something like

    PKG_PATH=ftp://ftp.eu.openbsd.org/pub/OpenBSD/4.3/packages/`machine -a`/

Once your PKG_PATH is set to something sensible, you can use pkg_add and the package base name to install packages, so a simple

    $ sudo pkg_add lyx

would achieve the same thing as the 'make install' command earlier, and most likely a lot faster too. Once you have a set of packages installed, and keeping in mind that you need a meaningful PKG_PATH, you can keep them up to date using pkg_add -u. If you want more detailed information about the package update process and want pkg_add to switch to interactive mode when necessary, you can use something like this command:

    $ sudo pkg_add -vui

I have at times tended to run my pkg_add -u with some of the -F flags in order to force resolution of certain types of conflict, but given the quality of the work that goes into the packages, most of the -F options are rarely needed.

pkg_add and its siblings in the pkg_* tools collection have a number of options we have not covered here, all intended to make your package management on OpenBSD as comfortable and flexible as possible. The tools come with readable man pages, and may very well be the topic of future BSD Magazine articles.

More information on the net
The main source of information about the OpenBSD ports and packages system is to be found on the OpenBSD project's web site. The FAQ's ports and packages section at http://www.openbsd.org/faq/faq15.html has more information about all the issues covered in this article, and goes into somewhat more detail than space allows here. If you encounter problems while installing or managing your packages, it is more than likely that you will find a solution or a good explanation there. And of course, if nothing else works or you can't figure it out, there is always the option of asking the good people at misc@openbsd.org or ports@openbsd.org, or searching the corresponding mailing list archives.

How do I make a package then?
That is a large question, and the first question you should ask if you think you want to port a particular piece of software is: has this already been ported? There are several ways to check. If you are thinking of creating a port, you most likely already have the ports tree installed, so using the ports infrastructure's search facility is the obvious first step. Simply go to the /usr/ports directory and run the command:

    $ make search key=mykeyword

where mykeyword is a program name or keyword related to the software you are looking for. One other option with even more flexible search possibilities is to install databases/sqlports. And of course, searching the ports mailing list archives (http://marc.info/?l=openbsd-ports) or asking the mailing list works too.

When you have determined that the software you want to port is not already available as a package, you can go on to prepare for the porting effort. Porting and package making is the subject of much usenet folklore and rumor, but in addition you have several man pages with specific information on how to proceed. These are ports, package, packages, packages-specs, library-specs and bsd.port.mk. Read those and use your familiarity with the code you are about to port to find your way. The OpenBSD web site offers quite a bit of information too. You could start with re-reading the main ports and packages page at http://www.openbsd.org/faq/faq15.html, and follow up with the pages about the porting process at http://www.openbsd.org/porting.html, testing the port at http://www.openbsd.org/porttest.html and finally the checklist for a sound port at http://www.openbsd.org/checklist.html.

All the while, try first to figure out the solution to any problems that pop up, read the supplied documentation, and only then ask port maintainers via the ports mailing list for help. Port maintainers are generally quite busy, but if you show signs of having done your homework first, there is no better resource available for helping you succeed in your porting or port maintenance efforts.

One fine resource for the aspiring porter is Bernd Ahlers' ports tutorial from OpenCon 2007; you can look up Bernd's slides at http://www.openbsd.org/papers/opencon07-portstutorial/index.html, and it is possible he can be persuaded to repeat the tutorial at a conference near you.
OpenBSD
the best development platform
Gilles Chehade

Amongst the many goals of OpenBSD, there is one which is important enough that it is listed in the first position of the goals page: "Provide the best development platform possible."

This is a goal that works hand in hand with the hard focus on code quality. If the system provides good tools and documentation for the developers, then they will be more likely to contribute good code. Looking at the tech@ mailing list shows this behaviour, with thousands of diffs being called incomplete for not providing the associated documentation, or being asked for changes if they are not doing things the appropriate way. Undocumented code does not get in and bad code does not get in either.

As a direct result, OpenBSD has become an amazing development platform:

• Functions are documented through complete man pages which often show some examples of correct and incorrect uses when it is easy to do things wrong and misuse an API. For example, the realloc() function is often used in a way that leads to a memory leak and the man page reflects this with a short explanation. It is common that people who are not writing code for OpenBSD still use its man pages rather than the ones provided by the system which they write code for (I know that myself and many other OpenBSD-oers do).
• All of the source code is available and it can be used as a reference for many different projects and algorithms. This can also be said of other open source systems, but the strong position adopted on what code gets in makes it safer to assume that an example is correct. If the code went in, it means that at some point many people decided it was correct. Errors do happen sometimes as no system is bug free, but they are less likely.
• As a means to improve code correctness, some features were implemented for OpenBSD which benefit all developments. For example, malloc() was changed to rely on mmap() and while at it enforced strict releasing, so that the assumption that a memory chunk is still usable after being freed would no longer remain valid. The result was that applications that did a poor job at managing their memory would crash (way) more often and help people spot the bugs and fix them rather than leave them around. This produces higher quality code and more robust applications, as people who want their code to be portable to OpenBSD will eventually find their memory related bugs as they port.

In this article I will give an overview of how you can make use of OpenBSD for both a development server and workstation. Obviously, it cannot be complete and I cannot go through all the different setups for all the different needs; this is just a way to introduce you to OpenBSD as a development platform, and make you familiar with some of the tools that can get you started. So... Here is my own setup!

Development Station
My workstation is just a plain setup with all of the tools I need to write, compile, debug and commit code to a remote server. Since I often work with other people and they do not necessarily use the same tools as I do, I tend to install popular tools so that they can grab a terminal and work without being annoyed by my own environment.

Text editors
By default, OpenBSD provides nvi, a vi variant, and mg, an emacs-like editor without all the kludge and written in C. Both can be used to write code and are actually used by many developers out there, however they are limited by design and will not provide some of the features many hackers expect
from a text editor used for programming, like syntax highlighting for instance.

While writing this article, I went polling around and it turns out that the first tool many developers install is a feature-rich text editor with support for syntax highlighting and programming modes. The two most popular editors cited were vim and emacs, both of which are available as OpenBSD packages:

    $ export PKG_PATH=ftp://insert.your/favorite/ftp/mirror/here/
    $ sudo pkg_add vim
    $ sudo pkg_add emacs

Since I use emacs for coding, here is a configuration file that I'm willing to share and which helps writing readable KNF style code:

    http://www.poolp.org/~gilles/emacs/

Code browser
Another useful utility is Cscope, a tool which helps developers browse code and search for references to symbols,

C compilers include the well-known GCC (Gnu CC) with local extensions which aim at improving security and easing error detection in code at compile and run time. It also includes the PCC compiler, which was recently imported and can already be used to build most of the OpenBSD userland. PCC works fine but is still a work in progress and as such is not the default compiler, however it is often a good idea to use it on the side and make sure that the code that compiles under GCC does not contain and spread GCC-isms.

More compilers, including more recent versions of GCC, are packaged, but I do recommend you use the versions that ship with the system unless you have a very specific need that cannot be fulfilled with these. Considering that a full operating system including kernel, userland and ports works with the default compilers, attempts at explaining why one NEEDS the latest GCC are a usual source of fun and excitement.

Debuggers
True hackers code bug-free to save time. However, true human beings fail to think of all the implications of slight changes to code, just as they cannot write code for hours and hours and hours without introducing slight errors, just as coding at night increases the risk of typos, wrong arithmetic and interesting logic. OpenBSD ships with two debuggers, the full blown gdb for the hackers that need plenty of features and the simple pmdb if the bloat of gdb needs to be avoided.

To be honest, my use of pmdb was rather limited, and it is my understanding that it is usually used to debug kernels at an early stage of development for new architectures. However, it is interesting to know that there is a simple debugger and hopefully it can bring more people to improve it.

Versioning
OpenBSD comes with cvs, which is the versioning tool used by developers of the project. Despite a lot of criticism from supporters of alternative version control

Listing 1. Obtaining the anoncvs shell archive
definitions, declarations and quite a lot
more. This is a very handy tool which $ lynx http://www.poolp.org/mirrors/OpenBSD/anoncvs.shar
makes it easy to browse through a Then extract it in its own directory:
large amount of code and eases the
understanding of how things work in $ mkdir anoncvs
code you are not too familiar with. $ mv anoncvs.shar anoncvs/
Luckily, Cscope is also available as a $ cd anoncvs/; sh anoncvs.shar
package: x - Makefile
x - README
$ export PKG_PATH= x - anoncvssh.c
ftp://insert.your/favorite/ftp/mirror/ $
here/
$ sudo pkg_add cscope Listing 2. Building the anoncvs shell
www.bsdmag.org 23
systems, cvs does quite a good job and encourages communication between hackers.
If you really feel the need to install another versioning utility, there are a few available as packages, including the widely used subversion:

$ export PKG_PATH=ftp://insert.your/favorite/ftp/mirror/here/
$ sudo pkg_add subversion

The OpenBSD project has been using CVS for over 10 years and it has proven to work, which is why there is not really any interest in using alternatives. There is an ongoing project to provide a more sane CVS implementation, OpenCVS, which plans on providing compatibility with GNU CVS in a first release. OpenCVS will then work on providing new features that do not break compatibility and that improve developer experience at the same time.

Source tree
Whether you plan to work on OpenBSD related code or not, it is always a good idea to have a checkout of the system's source tree at hand. When you do not know or have a doubt about how a programming interface works, you can bet a piece of code provides a clear and functional example of use. Since you are free to reuse the code and modify it, you can even avoid having to roll a new version of something that already exists and save yourself time and bug tracking efforts.

$ cd /usr
$ sudo cvs -d anoncvs@your.local.mirror:/cvs co -P src

Using Cscope can turn this copy of the source tree into a large library of code samples and examples. Definitely a good tool.

Listing 3. Setup the chroot environment:

$ sudo mkdir bin dev tmp usr var etc
$ sudo cp /bin/{cat,pwd,rm,sh} bin/

$ sudo mknod dev/null c 2 2
$ sudo chmod 666 dev/null

$ sudo cp /etc/{group,hosts,passwd,protocols} etc/
$ sudo cp /etc/{pwd.db,resolv.conf,services,ttys} etc/

$ (cd var && sudo ln -s ../tmp tmp)
$ sudo chmod a+rwx tmp

$ sudo mkdir usr/{bin,lib}
$ sudo cp /usr/bin/cvs usr/bin/

$ sudo mkdir usr/libexec
$ sudo cp /usr/libexec/ld.so usr/libexec/

Finally, copy all of the libraries that ``cvs'' depends on inside the chroot at their identical location, i.e.: cp /usr/lib/libz.so.4.1 usr/lib/libz.so.4.1

$ ldd /usr/bin/cvs
/usr/bin/cvs:
Start    End      Type Open Ref GrpRef Name
00000000 00000000 exe  1    0   0      /usr/bin/cvs
0a1fa000 2a202000 rlib 0    1   0      /usr/lib/libz.so.4.1
08243000 28248000 rlib 0    1   0      /usr/lib/libgssapi.so.5.0
0c9fb000 2ca0b000 rlib 0    1   0      /usr/lib/libkrb5.so.16.0
086d7000 28706000 rlib 0    1   0      /usr/lib/libcrypto.so.13.0
0f363000 2f368000 rlib 0    1   0      /usr/lib/libdes.so.9.0
0d734000 2d768000 rlib 0    1   0      /usr/lib/libc.so.45.0
09377000 09377000 rtld 0    1   0      /usr/libexec/ld.so

Development Server
A development server can do many things, and has a different meaning depending on who sets it up. My development server provides the following:

• A repository shared between a group of coders with read-write privileges.
• Anonymous read-only access to that same repository.
• CVS log notifications through mail.

Since it is a bit trickier to setup than a few pkg_add, I will explain how you can achieve the same result.

Setting up CVS
OpenBSD has a shell archive, anoncvs.shar, which is available directly from one of the mirrors and which provides all we need to setup a CVS repository that can be written to by coders and read by anonymous users. You can start by downloading the archive: see Listing 1.
anoncvssh.c, when built, is a special shell that is really a wrapper to the cvs utility. All it does is set up the environment for read-only access and execute cvs. First, edit the Makefile to change the following lines as suits you. To increase readability, I prepended removed lines with - and added lines with +: see Listing 2.
Now, it would be too easy if that was it. The README file explains all of the steps to create the chroot jail, and to populate it with a mirror. We will follow the steps but ignore the mirror stuff so that we simply have an empty repository inside the chroot jail.
I like my repositories to be accessed at /cvs, so we will simply create the base directory and initialize a repository named 'cvs' inside of it. When a user executes anoncvssh, he will be chrooted to the base directory and the repository can then be referenced as /cvs.

$ sudo mkdir /var/cvs

Then, create the anoncvs account by adding the following line to the passwd database, using the command vipw:
$ sudo vipw

Copy/paste the line:

anoncvs::32766:32766::0:0:Anonymous CVS User:/var/cvs:/usr/local/bin/anoncvssh

You may need to tweak your SSH configuration to PermitEmptyPasswords, or else all attempts to log in as anoncvs will fail.
Now that the account is set, you need to setup the chroot environment. While this may look tricky, it is quite simple when you understand what you're doing, and you can always use the README as a reminder. Enter the base directory:

$ cd /var/cvs

Create a few files for the anoncvs account; you may want to edit .profile and .plan to display proper information:

$ sudo touch .hushlogin .profile .plan

Setup the chroot environment: see Listing 3.
Once this is done, edit /etc/fstab to make sure the /var filesystem doesn't have the nodev option, or else things won't work too well when attempting any operation on dev/null. If it was nodev, remove the option and ... reboot.
What do we do from now? Well, we have just created the environment to host the anonymous access but we still do not have a repository initialized!

$ cd /var/cvs
$ sudo cvs -d /var/cvs/cvs init

This is not a typo: our base directory is /var/cvs, and the repository uses cvs as its name. When accessing the repository using the anonymous account, the CVSROOT will look like this:

anoncvs@cvs.poolp.org:/cvs

It is a bit annoying, because if you're not connecting as anoncvs and you do have read/write access, you will not execute the anoncvssh shell, so you will not be chrooted and your CVSROOT will look like this:

anoncvs@cvs.poolp.org:/var/cvs/cvs

The fix is trivial...

$ cd /
$ sudo ln -s /var/cvs/cvs /cvs

Voila, the CVS repository is set up.

Setting up the accounts
At this point, we have a CVS that's installed with a repository that can be accessed read-only by the user anoncvs, but this is quite useless without a real user with write access to the repository.
How you create developer accounts is up to you, and there are as many ways to deal with this as there are administrators with creative ideas. I like to keep things simple, so I make use of groups and permissions.
First, I create a group called coders:

$ sudo groupadd coders

Then I make myself part of the group:

$ sudo usermod -G coders gilles

Finally, I change permissions and group ownership on the repository we have created earlier so that members of the coders group can create modules in the repository:

$ sudo chgrp -R coders /var/cvs/cvs
$ sudo chmod 775 /var/cvs/cvs

Whenever we need to add a new developer, we can simply add her to coders, then she'll be able to commit to any module inside the repository. Also, we can restrict commits to specific modules by creating a group specific to the module, making the module group-writable for the new group and making the new developer part of that group instead of coders.

Mail notifications
When working with other developers, it is nice to be notified by mail when a change is made to the tree. This can be set up in a matter of minutes and only requires the setting up of an alias for sendmail and a one liner in a file in /cvs/CVSROOT. See Listing 4.

Listing 4. Creating the mailing list

$ sudo mkdir /etc/mail/lists/
$ sudo sh
# echo "gilles" > /etc/mail/lists/anoncvs
# echo "anoncvs: :include:/etc/mail/lists/anoncvs" >> /etc/mail/aliases
# newaliases
/etc/mail/aliases: 47 aliases, longest 52 bytes, 714 bytes total
# exit
$

Sending mail to anoncvs will now send mail to everyone listed in the /etc/mail/lists/anoncvs file. Adding new people will only require us to execute newaliases so that the database is rebuilt.
Now, we need to tell CVS that it has to send mail to anoncvs whenever a commit is done to the repository. This is done by adding the following line to the file /cvs/CVSROOT/loginfo:

DEFAULT (echo ""; echo %{sVv}; cat) | mail -s 'CVS: cvs.poolp.org' anoncvs

You can actually do notifications that are more precise and that apply to certain modules and directories, but I will let you read the header of the loginfo file, which explains how this works.
There are many other things you could do depending on your needs and with more or less effort. Many tools are available to browse through a web interface, create graphs and statistics, or create snapshots. The loginfo file could even be used to implement some kind of continuous integration bot; it is all about your needs and the ideas you come up with to solve your problems ;)
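Listing 3 leaves the last two steps manual: copying every library that cvs needs into the jail, and checking /etc/fstab for a nodev flag on /var. The script below is an added example, not part of the article or of OpenBSD's anoncvs.shar; it parses OpenBSD ldd output, copies each shared library and ld.so into the chroot at the identical path, verifies the jail afterwards, and reads fstab for nodev. The function names, the SRCROOT argument (so the copy can be exercised on a constructed tree without root) and the sample ldd text are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or OpenBSD's anoncvs.shar): turn the
# "copy all of the libraries that cvs depends on" step of Listing 3 into
# functions that can be run and checked. Names and sample data are assumed.

# Constructed copy of the ldd output shown in Listing 3 (OpenBSD format).
SAMPLE_LDD=$(cat <<'EOF'
/usr/bin/cvs:
Start End Type Open Ref GrpRef Name
00000000 00000000 exe 1 0 0 /usr/bin/cvs
0a1fa000 2a202000 rlib 0 1 0 /usr/lib/libz.so.4.1
08243000 28248000 rlib 0 1 0 /usr/lib/libgssapi.so.5.0
0c9fb000 2ca0b000 rlib 0 1 0 /usr/lib/libkrb5.so.16.0
086d7000 28706000 rlib 0 1 0 /usr/lib/libcrypto.so.13.0
0f363000 2f368000 rlib 0 1 0 /usr/lib/libdes.so.9.0
0d734000 2d768000 rlib 0 1 0 /usr/lib/libc.so.45.0
09377000 09377000 rtld 0 1 0 /usr/libexec/ld.so
EOF
)

# ldd_deps: read OpenBSD-style ldd output on stdin and print one path per line
# for every shared library (rlib) and the runtime linker (rtld). The exe row is
# the binary itself, which Listing 3 copies separately.
ldd_deps() {
    awk '$3 == "rlib" || $3 == "rtld" { print $7 }'
}

# copy_deps CHROOT [SRCROOT]: copy each path read on stdin into CHROOT at the
# identical location, e.g. /usr/lib/libz.so.4.1 -> CHROOT/usr/lib/libz.so.4.1.
# SRCROOT (default empty, i.e. the real filesystem) is an assumed prefix that
# lets the function be exercised against a constructed tree without root.
copy_deps() {
    chroot_dir=$1
    src_root=${2:-}
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        mkdir -p "$chroot_dir$(dirname "$lib")" || return 1
        cp -p "$src_root$lib" "$chroot_dir$lib" || return 1
    done
}

# check_deps CHROOT: read the same path list on stdin and report every file that
# is not present inside CHROOT. Returns 1 if anything is missing, 0 otherwise.
check_deps() {
    chroot_dir=$1
    status=0
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        if [ ! -f "$chroot_dir$lib" ]; then
            echo "missing: $chroot_dir$lib"
            status=1
        fi
    done
    return $status
}

# check_devnull CHROOT: Listing 3 creates dev/null with mknod; confirm it really
# is a character device (it will not be if the file was made by cp or touch).
check_devnull() {
    [ -c "$1/dev/null" ] && return 0
    echo "missing or not a character device: $1/dev/null"
    return 1
}

# fstab_nodev FSTAB MOUNTPOINT: return 0 when MOUNTPOINT is listed in FSTAB with
# the nodev option, the case the article says breaks dev/null inside the jail.
fstab_nodev() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nodev") found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# demo: build a constructed stand-in for /usr in a temporary directory, populate
# a jail from it and verify the copy. Returns 0 when every dependency is present.
demo() {
    work=$(mktemp -d) || return 1
    src="$work/src"
    jail="$work/jail"
    # Empty files stand in for the real libraries; only the paths matter here.
    printf '%s\n' "$SAMPLE_LDD" | ldd_deps | while IFS= read -r lib; do
        mkdir -p "$src$(dirname "$lib")" && : > "$src$lib"
    done
    printf '%s\n' "$SAMPLE_LDD" | ldd_deps | copy_deps "$jail" "$src" || return 1
    printf '%s\n' "$SAMPLE_LDD" | ldd_deps | check_deps "$jail"
    rc=$?
    rm -rf "$work"
    return $rc
}

# On the real system, as root and from inside the chroot base directory
# (/var/cvs in the article), after sourcing this file:
#   ldd /usr/bin/cvs | ldd_deps | copy_deps .
#   ldd /usr/bin/cvs | ldd_deps | check_deps . && check_devnull .
#   fstab_nodev /etc/fstab /var && echo "/var is nodev: remove it and reboot"
if [ "${1:-}" = "--demo" ]; then
    demo && echo "chroot libraries complete"
fi
```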
Machtelt Garrels

This article is not about just any BSD certification. We will discuss the certification that is being developed by the BSD Certification Group Advisory Board.

The Advisory Board and the rest of the group consist of people who are actively involved in the different BSD projects (DragonFly BSD, FreeBSD, NetBSD and OpenBSD) – many of them are key figures in their communities and help develop their systems. The BSDCG is working with Subject Matter Experts (SMEs) and a psychometrician to ensure that both the question items and the testing method are a fair and unbiased assessment of the candidate's abilities.

Note
We call it *BSD because we do not test any specific BSD distribution. *BSD includes all distributions of the BSD family.

Why is it important to have a *BSD certification?

• We need to break the myth that says that *BSD is offering no support.
• We need to ease and speed up adoption of BSD in the business world: match companies that are using or that want to use *BSD with people who are up to the task of managing a BSD environment. There is a chicken and egg problem: people think that there is no support, so the business world does not like BSD, so there is no interest in supporting BSD.
• There is a need for (standard) objectives for training centers, course developers and publishers. A (standard) certification encourages development of course materials.
• Companies need help when hiring BSD people. To put it bluntly, we need to point out for them which words to do a keyword search on in a CV.
• We need a revaluation of IT professionals: after the boom of the nineties, we now get the lash-back of the phenomenon where everybody went into IT without really knowing what they were doing. Now, IT environments are running slow and are badly managed, because most IT professionals are not up to the job. As a result, they are always busy and, as a result of their busy schedule, they do not want to change, update or migrate to better solutions.

There are some problems with traditional certifications that we do not want for our *BSD certification:

• Certifications are made to sell software.
• Certifications are accompanied by official course materials that examinees more or less are forced to buy. There is no free documentation; it is not freely distributable and not easy to find.
• Certifications, like software, expire in order to sell upgrades.
• Knowledge of tools is tested instead of knowledge of techniques.
• There is no input from examinees.

Value of a certification for employers
Some reports, trivially from Microsoft but also from members of more or less independent analyst firms, like for instance IDC, point out that employees for a UNIX-like environment on average cost 30% more than normal employees. Hence they jump to the conclusion that the total cost of ownership of such an environment, which can be equipped for instance with freely available BSD software on PC hardware, is more expensive, even though it is cheaper in almost every other respect.

Note
BSD is part of the UNIX family, a collection of robust operating systems that were originally designed for big environments. Since many names of family members end in -NIX, they are sometimes called *NIX to refer to all UNICES together.

However, these reports fail to mention (on purpose?) that *NIX professionals have a much wider knowledge, while e.g.
Microsoft professionals tend to be niche specialists – and that you need only 1/3 of the people normally required to maintain a Microsoft environment when you have a free *NIX environment.
Employers tend to forget that finding adequate personnel, not so much the costs, is the real problem. Somebody who knows how to do the job, somebody who can start on the job right away rather than going through a learning period, is to be preferred by far above someone who has to learn on the job.
Without wanting to be an evil gossip aunt, whom would you prefer: the freshman (or worse, the would-be graduate who quit college) who installed Linux at home and who has learned everything on his/her own, or the veteran who has enough practical experience to get a certificate?
The problem with certificates, of course, is that there is no consensus. Which certificate proves that a candidate has professional *NIX experience? Remember not to always believe the hype. For instance, bsdcertification.com comes to mind. From their name, it is obvious enough that this is a commercial organization, and not a community-driven one. Their last press release is from 2006, testing is for FreeBSD only, and an old version at that. Certifications for OpenBSD and NetBSD were promised, but were never created. As far as we can tell from the web site, this organization is dead.
Even though we have to deal with the little details, a BSD certification remains a good investment if you do not know yet what additional bonus you can offer your employees.
All BSD systems are focused on evolution, contrary to for instance Microsoft, which is based on revolution. BSD/UNIX competence hardly becomes outdated: you can build on it and what you learned in the past will still be valuable ten years from now. Knowledge acquired is not invalidated because of new things that you have to learn now in order to survive in today's IT world. Exams become exponentially more difficult and standards are raised, guaranteeing that fiascoes like the one with the MCSE certification cannot occur in our world.
Other reasons to prefer a BSD certification over a traditional one:

• It is relatively cheap.
• It is rather difficult, a good test for the candidate's experience: there are not only multiple-choice questions, but also multiple answer questions, which make it nearly impossible to pass without experience.
• BSDCG values community input and candidates can provide new questions or new objectives through regular update requests. The next update round is currently scheduled for the last quarter of 2008.
• BSDCG is vendor-independent, so there is a large item pool of exam questions and a high variation in questions. This has a positive effect on the level of difficulty of the exams.

Some people say that it is a disadvantage not to have a practical test. BUT:

• Time is limited.
• Practical tests require expensive infrastructure and the extra costs would be charged to candidates taking the exam.
• Having a practical test would almost certainly pin the certification to a specific BSD distribution or version.
• We have to get rid of the idea of performance based testing and move towards performance based learning instead: teach students how to use their experience instead of teaching them how to use their memory.

Pros and cons for employees
The most important reason for certification remains of course that you will acquire an extra asset when compared to that other applicant for your dream job. Especially when you just finished school or university, a certificate is a nice addition to your education. But let's be honest, among the working crowd in the BSD world, who really needs a certificate? BSD people know what they know and they do not need to prove anything to anybody, do they?
No serious BSD user or administrator has ever needed to provide proof of what he or she knows. Once you have a job and experience, the rest follows.
Another reason to take the exam, which is becoming more fashionable as we speak, is that your employer asks you to get the certificate. That is also one that is easy to understand. But if we want to find more reasons, things get harder. Maybe you could say that you want to get a certificate in order to prove your knowledge, or maybe you want to know for yourself where you stand, or you decide with a couple of friends to do a contest and see who gets the highest score.
You might also get a certificate because you are confident as to what the future will bring, or because you want to protect your career. If we believe the predictions of economic analysts, free software is going to expand dramatically during the decade to come. We are already past the file and print server phase, and well into the database or Java development platform stage, as more and more companies admit. You can probably name some cases of adoption right off the top of your head. Even the newspapers are telling everybody who wants to hear that free software is really making it in the business world. It is obvious that we have reached a tipping point: there will be more free software systems, more *BSD professionals or people claiming to be so, and more incentive to divide them into the good and the bad.
If you are smart, you will make sure that when that time comes, you fall into the right category and make sure that you can show some paper.
I would have to think really hard to come up with more reasons to certify... When it comes from your own pocket, it is still an investment, however small it may be. After the boom of the nineties, wages in IT are back to normal or at least seriously reduced.
You will probably want to study a bit, too, and that takes time. Time off from work, be it with the approval of your boss, or you would have to sacrifice your own free time. And all that to prove that you can do something that you know for yourself you are capable of doing...
And then there is the risk that you don't pass, and maybe you will have to explain that mishap to your boss, who meant so well with you and sponsored your exam.
One of the less evident disadvantages of certification is that you force an upper limit onto your own competences. Imagine: another applicant has a master level certificate, while you only have an entry level certificate because you never felt like going further. Who will be chosen for the job? The candidate who is more experienced, or the candidate who has more certificates? So once you start on a given certification path, you need to go through to the highest level that you can reach, or you run the risk of ruining your chances on the job market.

Progress report
The BSDCG did not just come up with a bunch of questions. In order to be credible, first the needs were analyzed with the help of a professional test developer (a psychometrician). She made us perform a Job Task Analysis (JTA), where we assembled input from many people.
That makes our certification a good one: it does not only contain the opinions of individual BSDCG Advisory Group members, it also has the input of thousands of others who expressed their opinions about the subjects to test (the exam objectives).
The initial exam, which got out of beta-testing by the end of November 2007 and is now ready, is available in English only. During the beta-testing period, hundreds of testers with all kinds of competences took the exam. The results were then used to make a statistically valid analysis that can be used to compare examinees.
The exam objectives are already translated into Mexican Spanish and Russian.
Currently, the BSDCG is focusing on the BSD Associate (BSDA) exam, which is oriented towards beginning users and administrators. Later the BSDCG plans to release a BSD Professional (BSDP) exam, which will test advanced administration skills. The details about this exam will be available by the end of 2008.
In order to bring the exam to the candidate, the BSDCG is developing a test platform which consists of a Live CD and a secured environment, led by one or more of the proctors of our network. A proctor is somebody who has signed a Non-Disclosure Agreement and who leads the exam and makes sure candidates respect our security procedure.
We are currently looking for sponsoring and translators to make this platform available in different languages and countries. We specifically chose this method of exam delivery, as we are on a tight budget and do not want to waste our money on commercial exam centers like Vue or Prometric. Besides, we do not want to run our test environment on MS Windows.
Until the test platform is finished, we work with paper-based exam forms. Apart from anything else, this helps us to reduce costs. We are very concerned that the certification remains accessible for everyone who wants to take the exam. Hence the candidates' contribution is really only a small part of the total cost to publish an exam. The tests, needed for NOCA certification and thus for credibility, cost about 35,000 USD - NOCA being the quality control organization for certification bodies. Vue and Prometric, the traditional certification bodies, charge +/- 8,000 USD per exam per language (and per version of the same exam!). We calculated that the development of our own test platform would cost about 15,000 USD. Copyrights and trademark registration would be another 4,000 USD.
As for the BSD flavors that we check for, the exam questions currently deal with FreeBSD, NetBSD, OpenBSD and DragonFlyBSD.
When tested, the candidates will be asked questions about all types of BSD systems; there is no possibility to opt for a specific distribution or version. As a consequence, we are probing for understanding, not for knowledge of details and memory capacity. Also, the BSDA is not a requirement for the BSDP.
In cooperation with the communities, we arrived at the conclusion that test objectives can be divided into 7 categories with the following weighting:

• Installation and upgrading the operating system and software: 13%.
• Securing the operating system: 11%.
• Files, file systems and disks: 15%.
• User and group management: 12%.
• Basic system administration: 12%.
• Basic network administration: 15%.
• Basic UNIX knowledge: 17%.

The BSDA exam has 100 questions covering these subjects. From the web site, you can download a command reference mapping each of the BSDA commands to the four operating systems covered by the BSDA. Furthermore, the BSDCG conceived a document describing the BSDA Certification Requirements, which can also be downloaded from the web site.
In order to gather funds, the BSDCG created a courseware DVD that gathers all the study materials from the web site. The collection consists of the exam objectives, the command reference, an explanation of our quality control mechanisms, and software and documentation for FreeBSD, OpenBSD, NetBSD and DragonFlyBSD.

Certification standards
We want our exam to be a quality test. Therefore, we apply the rules as defined by NOCA, the National Organization for Competence Assurance, which defines the standards for certification bodies.
Among other criteria, NOCA certification requires that you use psychometrics for the analysis and quality control of your exams. According to the dictionary, psychometrics is the mathematical analysis of psychological processes. In other words, psychometrics

Figure 1. bsds
is the science that measures human variables: not only knowledge, but also practical experience. This science is also devoted to the development of tests by means of statistics.
A test is just a tool to measure the amount of Knowledge, Skills and Abilities (KSAs) that a person has in some area. It is often difficult to comprehend a quantity of knowledge, since it seems to be so abstract. But in actuality, any quantity of measurement is just an abstraction.
For instance, the measurement of height in inches, feet or meters appears on the surface to be a real and concrete measurement. But if you think about it, the inch was simply created and defined by people. There is no naturally occurring inch and there are no natural units of measurement at all. One cannot hold an inch, and it really is just an abstraction that is generally agreed upon. It is this general agreement that makes the inch a useful measurement tool. It is this common frame of reference that makes a unit of measurement functional and useful. Psychometricians do the same with exams: they create a common frame of reference that enables us to measure knowledge about a given subject.
A psychometrician has a university degree in psychology and usually additional degrees in the measurement of the human mind, in industrial psychology or in quantitative psychology. He or she is trained in the development of questions that test human features, including those features that indicate mastery of a given field of competence. A trained psychometrician is the difference between a bunch of questions and a tool that accurately measures and documents knowledge and experience. For the development of their tests, psychometricians use scientific methods to assure that the exam complies with the four rules of a good test:

• The questions are fair: no trick questions, only objective answers are possible; brain dumpers and others who do not play the game in a fair way stand no chance.
• The questions are accurate: they are updated regularly, especially in the volatile world of IT.
• The questions are clear and the wording specific: they cannot be misinterpreted and all candidates can understand them without difficulties.
• The questions allow the test body to perform precise measurements of the competence of the examinees.

The psychometrician also uses scientific methods to determine the following:

• Scoring procedures: when do you get points for a good answer, and how many?
• Passing score levels: how much do you have to score in order to pass the test? Subject matter experts assist the psychometrician to determine this.
• Different versions of a test are equal: the exam is compiled by means of statistical calculations. New questions are piloted first: the answers to those questions are not scored until the validity of the question has been proved statistically; during this test phase statistical information about the quality of the item is gathered.
• Planning of the rotation scheme, which is important for the security of an exam (again a measure against brain dumpers).

While other certifications (like RedHat and Novell) might also use psychometrics (they did not answer our questions), given the lower numbers of certified examinees, it is unsure whether the use of psychometrics is useful for them.

Recertification
Once you get your BSDA, it will not expire. BSDP on the other hand is testing somewhat more volatile subjects. The BSDCG is as yet undecided what the recertification scheme will be for this certificate.

Summary
BSD Associate (BSDA) Certification
Language: English
Available: 2008
Re-certification: 5 years
Requirements: good knowledge of UNIX, at least 1 year of experience on BSD systems
Domains covered:
• Installing/Upgrading OS/Hardware
• Securing the OS
• Files, Filesystems and Disks
• User and Account Management
• Basic System Administration
• Network Administration
• Basic UNIX Skills

BSD Professional (BSDP) Certification
Language: English
Available: estimated Q4/2008
Re-certification: 5 years
It is not necessary to be BSDA certified as a prerequisite.
The BSDP certification is for system administrators with extensive knowledge of UNIX and BSD systems. Experienced system administrators of BSD systems can register for the exam directly.
Registration process:
• Get a BSDCG-ID at http://register.bsdcertification.org/register/get-a-bsdcg-id
• Choose an exam location
• Pay the fee by credit card or Paypal (USD 75, EUR 50).

More information
• http://www.bsdcertification.org
• Mailing list: bsdcert@lists.nycbug.org

About the Author
Machtelt Garrels is in the Advisory Council of the BSD Cert Group. He gives presentations about the certification and helps promote it, among others at conferences in Berlin, Istanbul, Copenhagen etc.

Figure 2. Metan
how-to’s
Building an OpenBSD
SAMP server with content
filtering proxy
Rob Somerville
In this article we will build an OpenBSD server from scratch with Squid, Apache,
MySQL, PHP and Webmin (for remote management) which will allow you to serve
web pages from your own network and cache the content reaching your browser.
OpenBSD is very secure, and while it does not use bleeding edge applications, it is very stable. As a default, OpenBSD has a specially hardened version of Apache that runs in a chroot jail. This means if an attacker were to compromise the site, they would be unable to access anything outside the jail and cause considerable damage. While this is very good practice, it is down to the systems administrator to ensure that security is kept tight by not running unwanted daemons, processes or software etc.

Prerequisites
OpenBSD runs on many platforms including Intel i386 based processors and AMD 64. As the majority of people will have access to the i386 platform, this will be the basis for the server. For the test box I am using an AMD Athlon 64 bit PC with a single 15GB SCSI hard drive with 256MB of RAM and a single 100MB Ethernet card. Obviously the higher the specification the better the performance and the more flexibility (e.g. to use the server to store backups etc.), so your mileage may vary depending on the hardware you have available – certainly a larger hard disk and more RAM would not be wasted. You will also need a working ADSL or cable connection to the internet via an Ethernet router, a blank CDR and a PC or laptop with a CD writer and software that is capable of writing ISO images to CDROM. Please note that a USB cable modem or a wireless internet connection is not suitable for this install. To perform the initial installation you will need a keyboard and monitor connected to the host machine, but once the machine is configured it is possible to run it in headless mode, that is without a keyboard and monitor.

Preparation
Preparation is the key to any successful project and we will need to perform the following actions to configure our server box (Table 1). Table 2 shows the default settings I have used for the configuration of the server. You will need to modify these to reflect your own internal network and personal requirements.

Stage 1 – Get network settings
Before we proceed, you will need to find a free IP address on your internal network and both the gateway and DNS settings. Use ifconfig to discover your current IP address, route to discover your default gateway, ping to discover if an IP address is in use and dig to discover your DNS settings. Once you have collected the required network settings, note them down as you will need them later on in the install.

Stage 2 – Download and burn OpenBSD 4.2 boot CDROM
OpenBSD 4.2 can be downloaded via HTTP or FTP from a mirror site. To preserve bandwidth, download the ISO image from the mirror closest to you. See http://www.openbsd.org/ftp.html for further details. The image you will require is install42.iso and will be in the i386/4.2 directory of most mirror servers. NOTE: If you are outside the USA, do not use a USA mirror as this will contravene US law due to export restrictions. Once you have downloaded the image, you will need to burn this to CDROM using CD writer software that supports the burning of a CD ISO image. It is important that the image is written correctly, as simply copying the ISO image file will result in a CD that will not boot. Suitable software for this purpose includes K3B on the BSD / Linux platform, and Nero Burning ROM on the Microsoft platform.

Stage 3 – Install operating system
Insert the newly created CDROM into the CDROM drive of the host machine and reboot. After a short while you will be presented with the screen shown in Figure 1, OpenBSD will boot and you will be prompted with (I)nstall, (U)pgrade or (S)hell?. At
this prompt press I [ENTER] then [ENTER] again to accept the default terminal type. For the keyboard mapping I will be using uk as I am using a UK keyboard. To see the available list of keyboard mappings, press L [ENTER] and select what is appropriate for your keyboard (Figure 2). You will be warned that OpenBSD is about to modify the contents of your hard disk. Type yes [ENTER] to proceed and you will be prompted for the root disk. While OpenBSD can run in dual boot configurations, this is beyond the scope of this article and we will be allocating all of the hard drive to OpenBSD. Press [ENTER] to accept the default configuration. You will then be asked if you wish to use all of the hard drive, answer yes [ENTER] to access the label editor (Figure 3).

WARNING: FOLLOWING THE INSTRUCTIONS BELOW WILL RESULT IN THE TOTAL DESTRUCTION OF ALL DATA ON THE HARD DRIVE INSTALLED ON THE HOST MACHINE. ENSURE YOU HAVE AN ADEQUATE TESTED BACKUP IF YOU WANT TO RETAIN ANY DATA ON THE TARGET DRIVE OF THE HOST MACHINE.

Table 1. Installation steps
1 Get network settings
2 Download and burn OpenBSD 4.2 boot CDROM
3 Install operating system
4 Check networking
5 Download and install packages
6 Configure Apache, PHP, MySQL, Squid and Webmin
7 Test

Listing 1. Output of ifconfig showing current IP address
eth0 Link encap:Ethernet HWaddr 00:0D:61:49:7D:E1
inet addr:192.168.0.147 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20d:61ff:fe49:7de1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:29460 errors:0 dropped:0 overruns:0 frame:0
TX packets:14026 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37093437 (35.3 MB) TX bytes:1104087 (1.0 MB)
Interrupt:19 Base address:0xa000

Listing 2. Output of route -v showing default gateway
Kernel IP routeing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 1000 0 0 eth0
default border 0.0.0.0 UG 0 0 0 eth0

Listing 3. Output of the ping command showing an allocated IP address and a free IP address
PING border (192.168.0.254) 56(84) bytes of data.
64 bytes from border.merville.intranet (192.168.0.254): icmp_seq=1 ttl=64 time=0.115 ms
....
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
From 192.168.0.147 icmp_seq=2 Destination Host Unreachable

Creating the partitions and mount points
Referring to Table 2, we will configure the partitions prior to formatting the hard disk. First of all, if you have partitions already installed on the disk these will have to be removed. Type p [ENTER] to view all partitions defined. If any partitions other than c: are present, delete them by pressing d [ENTER] followed by the partition letter until only the c: partition remains (Figure 4). To add a partition type a [ENTER] at the > prompt and accept the default free partition by pressing [ENTER]. You will be asked for the offset, press [ENTER] again and you will be prompted for the size. Type the partition size in Gigabytes you require (e.g. 2.5G for the root partition) and press [ENTER]. You will be prompted for the file system type, press [ENTER] to accept the default. You will then be prompted for the mount point, enter this (e.g. / for root, /tmp for tmp etc.) and press [ENTER] to finish the partition entry. Repeat this process for the swap, tmp, var and usr partitions but do not specify a size for the final var partition – OpenBSD will calculate the remainder for you. NOTE: You will not be prompted for a mount point for the swap partition. Finally type w [ENTER] then q [ENTER] followed by done [ENTER] and yes [ENTER] to commit the changes to disk and format the drive.

Configuring networking
You will then be asked for a short hostname and if you want to configure the network. Type your domain name and press [ENTER] and continue to press [ENTER] until you are prompted for the IPv4 address. In our test rig, this is 192.168.0.1, but your network will probably be different from this. Type the desired IP address and press [ENTER], then press [ENTER] again to accept the default netmask if this is appropriate. When prompted for an IPv6 address press [ENTER] and for
the domain name type your domain name (in our example merville.intranet) and press [ENTER] to accept. Enter the IP address of your nameserver (192.168.0.254 in our example) and press [ENTER]. When prompted to use the nameserver, press [ENTER] and you will be asked for the default gateway. Enter this IP address here (in our example 192.168.0.254) and press [ENTER]. Press [ENTER] twice to accept the defaults and you will be asked for the root password. Type in test [ENTER] and test [ENTER] when prompted again (Figure 5).

Installing software sets
When asked for the location of the sets, accept the default location of the CD by pressing [ENTER] 3 times. You will be prompted for a set name, type xbase42.tgz [ENTER]. The xbase42 software set should now have a [X] next to it (Figure 6). Type done [ENTER] [ENTER] to install the software from cdrom. Once the sets are installed, press [ENTER] to perform the final configuration. When prompted to use sshd press [ENTER], press [ENTER] to accept no ntp server and [ENTER] as you are not using X. Respond by pressing [ENTER] when prompted for the default console, and enter your timezone and press [ENTER] to accept this option. If you are unclear as to what timezone to use, type ? [ENTER] to view a list of timezones. At this point we are ready to reboot, type halt [ENTER] at the prompt, and when the blue text with please press any key appears, eject the CDROM and press [ENTER]. The machine should now boot into a clean OpenBSD install.

Table 2. Default settings for the installation (TEST.MERVILLE.INTRANET)
Setting | Value | Recommended value
Hostname | test | Whatever you choose provided this name is not used by another server or client on your network.
Partition sizes
Root (/) | 2.5G | Small root partition as we will not have any user data in /home. Use a larger drive if you intend to use the server for storage and create a separate /home partition
Swap (swap) | 0.5G | 2 times installed memory
Tmp (/tmp) | 1G | Temporary storage area cleaned at each reboot
Var (/var) | 9G | Largest partition, used for web server and proxy cache. The bigger the better
User (/usr) | ~2G | Binary system files are stored here. Shouldn't need more than this unless you are installing other software
Other
Keyboard | uk | Use your country code
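Stage 1 has you collect an IP address, netmask, gateway and nameserver by hand, and the installer takes whatever you type; a mistake only shows up when Stage 4's ping fails. The script below is an added example, not part of the article: it checks that the collected values are consistent with each other before they go into the installer (a valid host address rather than the network or broadcast address, a gateway on the same subnet, and an address that is not the gateway's own). The function names are mine; the sample values are the article's test rig, taken from Listings 1 to 4.

```shell
#!/bin/sh
# Consistency check for the settings collected in Stage 1, run before they are
# typed into the installer. Added example, not part of the article; the
# function names are mine and the sample values are the article's test rig.

# ip2int DOTTED_QUAD: print the address as a 32-bit integer, fail on bad input.
# The body runs in a subshell so the IFS change stays local to the function.
ip2int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# check_settings IP NETMASK GATEWAY NAMESERVER
# Prints one problem per line; returns 1 if any check fails, 0 otherwise.
check_settings() {
    ip=$(ip2int "$1")   || { echo "bad IP address: $1";    return 1; }
    mask=$(ip2int "$2") || { echo "bad netmask: $2";       return 1; }
    gw=$(ip2int "$3")   || { echo "bad gateway: $3";       return 1; }
    ip2int "$4" >/dev/null || { echo "bad nameserver: $4"; return 1; }
    rc=0
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    if [ "$ip" -eq "$net" ] || [ "$ip" -eq "$bcast" ]; then
        echo "$1 is the network or broadcast address, not a host address"; rc=1
    fi
    if [ $(( gw & mask )) -ne "$net" ]; then
        echo "gateway $3 is not on the $1/$2 subnet"; rc=1
    fi
    if [ "$ip" -eq "$gw" ]; then
        echo "$1 is the gateway's own address and is not free"; rc=1
    fi
    return $rc
}

# The article's test rig: server 192.168.0.1 on 255.255.255.0, gateway and
# nameserver both 192.168.0.254.
demo() {
    check_settings 192.168.0.1 255.255.255.0 192.168.0.254 192.168.0.254 \
        && echo "settings are consistent"
}
```

Run demo after loading the script, or call check_settings with your own four values; it does not replace the ping test in Stage 1 (only ping can tell whether the address is already in use) but it catches the typos and subnet mismatches that a ping cannot.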
Stage 4 – Check networking
Once we have configured networking and rebooted, we need to check that we have access to the internet to download the package files. Login as root with the temporary password (test), and at the shell prompt, type ping -c3 www.google.com [ENTER] and you should get a packet back from google (Figure 7). Some notes on the default shell: if you type part of a command, pressing [TAB] will attempt to complete the command for you. For example, to change to /etc, typing cd /et [TAB] will change the line to cd /etc.
If all is well, we can proceed to install the packages. If at this stage you cannot ping google, you will not be able to install packages from the mirror site so further investigation will be required. Check your network settings are correct by typing cd /etc [ENTER] and typing the commands at the # prompt (Figure 8). NOTE: Your network card may not be called pcn0 – look for a file in the /etc directory called hostname.xxx where xxx is your network card name. If the settings in resolv.conf or hostname.xxx are incorrect, change them by using the vi editor (vi filename). Using vi is beyond the scope of this article, but there are plenty of resources on the web to help.

Table 3. Generic commands for discovering network settings
Operating system | Commands
Linux | ifconfig, route -v, ping, dig www.google.com
FreeBSD | ifconfig, route get www.google.com, ping
Microsoft XP | ipconfig /all, ping

Listing 4. Output of dig command showing DNS server in use
; <<>> DiG 9.4.1-P1 <<>> www.google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29756
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 13, ADDITIONAL: 10

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 539223 IN CNAME www.l.google.com.
www.l.google.com. 281 IN A 64.233.183.99
...
;; AUTHORITY SECTION:
com. 34990 IN NS A.GTLD-SERVERS.NET.
...
;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET. 28376 IN A 192.5.6.30
...
;; Query time: 51 msec
;; SERVER: 192.168.0.254#53(192.168.0.254)
;; WHEN: Sun Jan 20 13:46:14 2008
;; MSG SIZE rcvd: 508

Stage 5 – Download and install packages
If networking is OK, we need to set up the package source. At the prompt type:
export PKG_PATH=ftp://ftp.mirrorservice.org/pub/OpenBSD/4.2/packages/i386/ [ENTER]
pkg_add -r nano-2.0.6 [ENTER]

Figure 1. Install operating system
Download packages
pkg_add -r wget-1.10.2p0 [ENTER]
pkg_add -r squid-2.6.STABLE13 [ENTER]
pkg_add -r mysql-server-5.0.45 [ENTER]
pkg_add -r php5-core-5.2.3 [ENTER]

Install Webmin
cd /usr/local/share [ENTER]
wget http://prdownloads.sourceforge.net/webadmin/webmin-1.390.tar.gz [ENTER]
tar -xvzf webmin-1.390.tar.gz [ENTER]
cd webmin-1.390 [ENTER]
./setup.pl [ENTER]

/usr/local/sbin/phpxs -s [ENTER]
cp /usr/local/share/examples/php5/php.ini-recommended /var/www/conf/php.ini [ENTER]
pkg_add -r php-mysql-5.2.3 [ENTER]
/usr/local/sbin/phpxs -a mysql [ENTER]

Edit /var/www/conf/httpd.conf and uncomment (remove the # from) the following:

MySQL configuration
/usr/local/bin/mysql_install_db [ENTER]
/usr/local/bin/mysqld_safe & [ENTER] and after a few seconds [ENTER] again
/usr/local/bin/mysqladmin -u root password 'password123' [ENTER]
mysql -uroot -ppassword123 [ENTER]
This should display the MySQL prompt. Type exit [ENTER] to return. Using nano or an editor of your choice, create a file /etc/rc.conf.local and add the following line:
MYSQL=YES

Figure 4. Configuring networking
Configure Squid
Create the cache:

Add the line below at the end of /etc/rc.local:
/usr/local/sbin/squid

Edit the /etc/squid.conf file. Add this line below acl CONNECT method CONNECT (replace the network range as required):
acl local_network src 192.168.0.1-192.168.0.254

Add this below the http_access allow manager localhost line:

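Squid evaluates http_access rules from the top down and stops at the first match, so the rule for local_network has to sit above the final deny all, and an allow all anywhere in the list turns the box into an open proxy for anyone who can reach port 3128. The check below is an added example, not part of the article or of Squid: it scans a squid.conf for the local_network acl and the http_access ordering described above. The function name and the two constructed sample configurations are mine; the acl line is the one from the article.

```shell
#!/bin/sh
# Check the http_access ordering of a squid.conf before enabling the proxy.
# Added example, not part of the article. Squid evaluates http_access rules
# top-down, first match wins, so "allow local_network" must come before
# "deny all", and a stray "allow all" makes the cache an open proxy.

# check_squid_acl FILE: prints findings, returns 0 if the file passes
check_squid_acl() {
    awk '
        # strip comments and skip blank lines, keeping NR as the line number
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }
        $1 == "acl" && $2 == "local_network" && $3 == "src"           { acl_line = NR }
        $1 == "http_access" && $2 == "allow" && $3 == "all"           { open = NR }
        $1 == "http_access" && $2 == "allow" && $3 == "local_network" { allow = NR }
        $1 == "http_access" && $2 == "deny"  && $3 == "all"           { if (!deny) deny = NR }
        END {
            rc = 0
            if (!acl_line) { print "no \"acl local_network src ...\" defined"; rc = 1 }
            if (!deny)     { print "no \"http_access deny all\" catch-all rule"; rc = 1 }
            if (open)      { print "line " open ": \"http_access allow all\" makes this an open proxy"; rc = 1 }
            if (!allow)    { print "no \"http_access allow local_network\" rule"; rc = 1 }
            else if (deny && allow > deny) {
                print "line " allow ": allow local_network comes after deny all (line " deny ") and never matches"
                rc = 1
            }
            if (acl_line && allow && acl_line > allow) {
                print "acl local_network is defined after it is first used (line " allow ")"; rc = 1
            }
            exit rc
        }' "$1"
}

# Two constructed sample configurations (not from the article): GOOD has the
# rules in the right order, BAD has allow local_network below deny all.
write_samples() {   # write_samples GOOD BAD
    cat > "$1" <<'EOF'
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl CONNECT method CONNECT
acl local_network src 192.168.0.1-192.168.0.254
http_access allow manager localhost
http_access deny manager
http_access allow local_network
http_access deny all
EOF
    cat > "$2" <<'EOF'
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl CONNECT method CONNECT
acl local_network src 192.168.0.1-192.168.0.254
http_access allow manager localhost
http_access deny manager
http_access deny all
http_access allow local_network
EOF
}
```

Run check_squid_acl /etc/squid.conf after editing; the browser proxy test at the end of the article only proves that the local network is allowed, while this check also proves that everyone else is denied.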
Please remember to save before you quit.

Add default user and change root password
At the shell prompt execute the following:
adduser merville [ENTER]
and follow the prompts. When prompted to add the user to other groups, add the wheel group. Change the root password to something secure:
passwd [ENTER]
and follow the prompts.

Testing
Now reboot the machine with halt [ENTER], then press [ENTER] when prompted. First, point your browser to http://192.168.0.1; you should see a web page similar to Figure 9. Point your browser at http://192.168.0.1/phpinfo.php. You should see a web page similar to Figure 10. Point your browser at http://192.168.0.1:10000. You should see a web page similar to Figure 11. Finally, change your proxy server settings on your browser to 192.168.0.1 using port 3128. You should be able to browse the net. Point your browser at http://z and you should see a screen similar to Figure 12.

Further reading
● http://www.openbsd.org
● http://www.apache.org
● http://www.squid-cache.org
● http://www.mysql.com
● http://www.php.net

Figure 10. Apache Web Server
how-to’s

OpenBSD as Desktop
Petr Topiarz

This guide is intended for people who use Linux or FreeBSD and would like to give OpenBSD a try on the desktop. The guide does not claim to be an expert's advisor, so intentionally some general unix routines are also explained, while others are simplified.
M
any tutorials have been written on using OpenBSD $ useradd -u 501 -g friends -G wheel,operator -s /bin/sh
as a server, however, few deal with OpenBSD as the -d /mnt/usb/my_data peter
main desktop and everyday office work and internet
box. Surprisingly, that is what OpenBSD can do very Now to set a password and allow people to login you need to:
well too. The jump from 4.1 release to 4.2 was great for Gnome
users, as Gnome has been updated from 2.10 to 2.18. The new 4.3 $ passwd caroline
release has besides the update of Gnome 2.18 to 2.20 brought a
lot of useful packages especially in printing area, e.g. Gutenprint or which will ask you for the password and then for repeating it.
HPLIP has been introduced and Firefox and Thunderbird updated Noticeable thing is that the system, for security reasons, does not
too. For the coming release, Ekiga is in the ports for telephony and show anything while you write the password, it does not even print
the KDE users can finally enjoy the advantage of K3B for burning stars or other cryptic symbols, however it accepts your typing.
CDs. So overall the improvements are huge. Now we will allow Caroline to access usb and cdrom de-
However in this article we are going to see more practical vices. First we need to create mounting points
information on how to make life with an OpenBSD desktop really
easy. Let's start with the basics. We will add a group, user, mount $ mkdir /mnt/usb /mnt/cdrom
devices, deal with the network and set up a printer.
Adding a group is basic if more people login to the PC, so then we have to dedicate these to caroline
that they can share documents:
$ chown caroline /mnt/usb /mnt/cdrom
$ groupadd -g 1200 friends
similarly we have to adjust the permitions in /dev
creates a group with id number 1200 and name friends and the
following: $ chmod 660 /dev/sd0i /dev/cd0a
$ useradd -u 500 -g friends -G wheel,operator -k /etc/ and now we are going to send the information about mounting
skel -s /bin/sh -d /home/caroline -m caroline points to /etc/fstab
creates a user caroline as a member of friends and with ad- $ echo "/dev/sd0i /mnt/usb msdos rw,nodev,noexec,nosuid,n
ministrative power (wheel,operator). Interesting is that with a oauto 0 0 " >> /etc/fstab
-d switch you can identify a different home directory than the
default. Another practical stuff is to omit -m if your home directory and
already exists.
Similarly, you can add other users. Of course, change the -u $ echo "/dev/cd0a /mnt/cdrom cd9660 ro,nodev,noexec,nosui
number and -d directory. e.g.: d,noauto 0 0" >> /etc/fstab
38 BSD 2/2008
OpenBSD as Desktop
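The two fstab lines above carry nodev, noexec and nosuid for a reason: the article goes on to set kern.usermount=1, after which caroline can mount any filesystem image she plugs in, so a removable-media entry without those options would let a prepared USB stick supply set-uid binaries or device nodes. The script below is an added example, not part of the article: it lints the fstab entries for the mount points a user is allowed to mount and reports any of the four options (noauto included, so the boot does not stall on an absent disk) that are missing. The function names are mine; the sample fstab is constructed, with the USB line taken from the article and a CD line that deliberately lacks two options.

```shell
#!/bin/sh
# Lint /etc/fstab entries for removable media that users mount themselves
# (kern.usermount=1). Added example, not from the article. With user mounting
# enabled a user can mount any filesystem image they control, so each such
# entry must carry nodev, nosuid and noexec, plus noauto so boot does not hang.

# check_user_mounts FSTAB MOUNTPOINT...: returns 0 if every listed mount point
# has the complete option set, 1 otherwise (one problem per line on stdout)
check_user_mounts() {
    fstab=$1; shift
    rc=0
    for mp in "$@"; do
        # field 2 is the mount point, field 4 the comma-separated options
        opts=$(awk -v mp="$mp" '$2 == mp { print $4; exit }' "$fstab")
        if [ -z "$opts" ]; then
            echo "$mp: no fstab entry"; rc=1; continue
        fi
        for need in nodev nosuid noexec noauto; do
            case ",$opts," in
                *,"$need",*) ;;
                *) echo "$mp: missing $need (options: $opts)"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample fstab: the USB entry is the article's, the CD entry
# below deliberately lacks noexec and nosuid.
write_sample_fstab() {   # write_sample_fstab FILE
    cat > "$1" <<'EOF'
/dev/wd0a / ffs rw 1 1
/dev/sd0i /mnt/usb msdos rw,nodev,noexec,nosuid,noauto 0 0
/dev/cd0a /mnt/cdrom cd9660 ro,nodev,noauto 0 0
EOF
}
```

On a real system run check_user_mounts /etc/fstab /mnt/usb /mnt/cdrom before turning on kern.usermount; the check only reads the file, so it is safe to run as the ordinary user too.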
and finally there is one last change, we need to inform the kernel about our idea to let users mount devices. So we write to the configuration:

$ echo "kern.usermount=1 # enable user mounting devices" >> /etc/sysctl.conf

and if you want to try that immediately:

$ sysctl -w kern.usermount=1

now feel free to plug in a usb stick and you do not have to be root to type:

$ mount /mnt/usb

and you are there!
To make the nice feeling more complete, KDE, Gnome, and Rox environments will allow you to mount these devices just by clicking at the mounting points, which makes it even more fun. Now our Caroline can login, mount CD, or USB. So, how do we start the graphics? We need to make a configuration file where we tell the system which graphical environment we would like to use. Let's be very spoiled:
Make sure you are in your home directory:

$ cd /home/caroline

create the config file

$ touch .xinitrc

This will ensure that our settings are valid both for graphical login and the black ugly command line:

$ ln -s .xinitrc .xsession

Now the command to start a kde session:

$ echo " exec startkde " >> .xinitrc

And finally we can happily type:

$ startx

and if things go well we will enjoy a nice environment, almost like in the spoiled Linux distros of today.
If you want to enable graphical login by default, go to /etc/rc.conf and change xdm_flags=NO to xdm_flags="". For a really nice look this would need a little tuning, but basically it will work. Maybe you will argue that the KDE environment is not part of the OpenBSD release, of course not, so lets add it:

$ export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386

as you see I am expecting you to run a regular simple PC, so change the architecture at the end of the line if you have PPC or AMD64

$ pkg_add -v kdebase kdemultimedia mozilla-firefox mozilla-thunderbird amarok gwenview

Ok, I have made a random choice, but you can similarly add many more, you will find them at http://openports.se/ which is a very clever web interface providing detailed info about packages and their sources called ports. A very important point here is to read the post install messages and do what they instruct you to do. The advice is simple and exact.
Now having such a nice graphical environment it would be a shame to be without a network.

$ ifconfig -a

will show you the interfaces, among them, for example, the ethernet fxp0 or wireless wi0 will appear. $ dhclient fxp0 will connect you to the net if you have the line plugged in and the net is not blocked. If you want it after every start of the system, we need to write a configuration:

$ touch /etc/hostname.fxp0
$ echo " dhcp NONE NONE NONE " >> /etc/hostname.fxp0

If you come to a place with a wireless network you can enjoy the advantage of the genius simplicity of OpenBSD.

$ ifconfig wi0 up
$ ifconfig -M wi0

will provide you with a list of networks around, you can pick one

$ ifconfig wi0 nwid CoffeShopNetwork
$ dhclient wi0

and there you go... Well unless the network is marked private, then you need the password, in our case Jimmy, and then:

$ ifconfig wi0 nwid CoffeShopNetwork nwkey Jimmy
$ dhclient wi0

and there you go really straight to the internet! In case you want your PC to remember this setting, then

$ touch /etc/hostname.wi0
$ echo " dhcp nwid CoffeShopNetwork nwkey Jimmy " >> /etc/hostname.wi0

and after the restart, if the network is running, you will automagically connect to it.
OpenBSD is definitely a leader in using wireless technologies and allows you to use cards such as those with Prism Intersil, Asus or TNETW chipsets with their native drivers. They have been reverse engineered by geeks and experts to avoid using the Windows driver with ndiswrapper, as Linux and FreeBSD or NetBSD tend to do.
Now the last thing that you need to have running on a laptop or a desktop is printing. That used to be a real issue earlier, however with the latest releases of OpenBSD it is merely fun. Just add a few packages and configure it with a web interface:

$ pkg_add -v cups foomatic-db foomatic-filters ghostscript hplip

that should be enough for most usual printers, then you enable and start the cups print-server:

$ /usr/local/sbin/cups-enable
$ /usr/local/sbin/cupsd

fire up your web browser and type:

http://127.0.0.1:631/

which will bring you to a very friendly web interface, that allows you to add a printer or configure the print-server to share printers.
An OpenBSD machine can also run JAVA, the FLASH plugin, play realplayer streaming, and emulate a Linux environment, but that would need a little more time to describe. If you are interested and cannot wait, then I strongly recommend http://www.openbsd101.com/ and http://www.softwareinreview.com/bsd_tutorials/using_openbsd_4.2.html as well as the famous http://www.onlamp.com/ server, where you can learn a lot of wisdom from the real BSD gurus.
how – to’s
Inside the PBI system...
Svetoslav P. Chukov

PBI stands for PC-BSD Installer. It is a unique and very useful package management system. If you are familiar with other systems, you will notice some similarities and also some differences that make it unique.

If one just clicks on the .pbi file, an automated installer appears and offers to guide the user through the installation process. On the whole this is probably like a wizard that helps people install the program, and I would say it is very successful in that task.

Features
Every operating system is based on some small parts of software that create the whole solid foundation of the OS. So, I would say that these small pieces in the GNU/Linux world are the packages, but it is interesting how this question is answered in the PC-BSD world. What are these parts that PC-BSD is built on? The packages of FreeBSD and of the PBI. They create the system and everything that lies on it; libraries, applications and all other data that need to be used. For successful integration of an operating system into the market, the OS needs to be designed for that market. So, a server OS is designed with the main goals of being secure and stable, a desktop OS is designed to be user-friendly and easy to use. Everything is built for and aims to be used in a particular target market. PC-BSD itself is a desktop-oriented OS. Yes, and I would say that it really achieves that goal pretty well. But this is not all. The basics of its success are mostly because of the great system called the PC-BSD installer. What exactly is so great in PBI? What makes it special for installing software? The answer: its ease of use and its simplicity. The basic reason why I think PBI is so successful is that it contains all the data it needs to install the application. So, if the application needs library X, then the installer should contain that library. In the installation process it should extract and prepare that library to work, and that makes the application work properly.
This design concept solves an entire pool of problems and troubles with package dependencies and inconsistencies. One other big plus for PBI is the support for advanced scripting. That is a very huge plus for it.
PBI offers:

• A completely graphical installation in step-by-step style.
• Scripting support - a really powerful feature that makes PBI not only an executable installer, but an installer that can think.
• A check for package integrity.
• Icon Management - this allows developers to set icons for both the desktop and the K-Menu.
• Error Detection, if something goes wrong with the installation.
• Easy installation and un-installation. There is a utility to do this in the graphical environment, but a command line tool is also available.

Understand what is inside
Basically, the front side of PBI is a visible-to-the-user, nice, user-friendly graphical interface, but the engine under the hood is nothing more than FreeBSD packages. Yes, PBI is something like an upgrade of FreeBSD packages, and it adds additional functionality. So, instead of being just a binary package that should be extracted to result in useful files, PBI consists of several parts that empower the plain packages with extra features. And these extra features make the PC-BSD installer flexible and scalable. What I want to do is to show you what exactly is inside a PBI package, how it works, how it processes data, and how it decides to do this instead of that. After this article you will be able to understand what actually is a PBI package and the magic inside it. We will start with the setup script. The purpose of the setup script is to set up the first actions and configurations of the subsequent operations. And, the next-executed script sets up the environment and
Listing 2. Code fragment of PBI.SetupScript.sh
ln -s /Programs/${PROGDIR}/.sbin/gftp /usr/local/bin/gftp
ln -s /Programs/${PROGDIR}/.sbin/gftp-gtk /usr/local/bin/gftp-gtk
ln -s /Programs/${PROGDIR}/.sbin/gftp-text /usr/local/bin/gftp-text
ln -s /Programs/${PROGDIR}/man/man1/gftp.1.gz /usr/local/man/man1/gftp.1.gz
ln -s /Programs/${PROGDIR}/share/gftp /usr/local/share/gftp
sed 's:prefix=/usr/local:prefix=/Programs/gFTP2.0.18:g' /Programs/${PROGDIR}/bin/gftp > tempfile && mv -- tempfile /Programs/${PROGDIR}/bin/gftp
# Copy over all the LANG files
LANGFILE="gftp.mo"
cd /Programs/${PROGDIR}/locale
for i in `ls`
do
  mkdir -p /usr/local/share/locale/${i}/LC_MESSAGES >/dev/null 2>/dev/null
  cp /Programs/${PROGDIR}/locale/${i}/${LANGFILE} /usr/local/share/locale/${i}/LC_MESSAGES/${LANGFILE}
done
chmod +x /Programs/${PROGDIR}/bin/gftp
echo "LAUNCHCLOSE: /usr/local/bin/gftp"

#!/bin/sh
if [ -e '/Programs/gFTP2.0.18/PBI.RemoveScript2.sh' ]
then
  sh /Programs/gFTP2.0.18/PBI.RemoveScript2.sh "${@}"
fi
rm -rf '/Programs/gFTP2.0.18'

#!/bin/sh
rm -fR /usr/local/bin/gftp-gtk
rm -fR /usr/local/bin/gftp-text
rm -fR /usr/local/bin/gftp
rm -fR /usr/local/man/man1/gftp.1.gz
rm -fR /usr/local/share/gftp
# Remove the old locale files since we are uninstalling
LANGFILE="gftp.mo"
cd /Programs/${PROGDIR}/locale
for i in `ls`
do
  rm /usr/local/share/locale/${i}/LC_MESSAGES/${LANGFILE}
done
if [ ! -z "$DISPLAY" ]
then
  # Ask if we want to remove the user profiles
  kdialog --yesno "Do you want to remove gFTP user settings?" --title "Remove user settings"
  if [ "$?" = "0" ]
  then
    cd /home
    for i in `ls`
    do
      if [ -e "/home/${i}/.gftp" ]
      then
        rm -rf /home/${i}/.gftp
      fi
    done
  fi
fi
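The setup and remove scripts in the listing above are a matched pair: setup links files from the program directory into /usr/local, and remove deletes a hard-coded list of those paths with rm -fR and walks `ls /home` to drop user settings. The pair below is an added example, not PC-BSD code: it shows the same install/uninstall flow driven by a manifest, so the remove step deletes exactly the paths the setup step created, nothing outside the install prefix, and nothing it cannot account for. PROGDIR and PREFIX, the .manifest file and the function names are my assumptions for the example, not part of the PBI format.

```shell
#!/bin/sh
# A manifest-driven variant of the PBI setup/remove pair. Added example, not
# PC-BSD code. Every path the setup step creates is recorded, and the remove
# step deletes only recorded paths that lie inside the install prefix, so it
# cannot take unrelated files with it. The .manifest name is an assumption.

# pbi_setup PROGDIR PREFIX: symlink PROGDIR/.sbin/* into PREFIX/bin, record
# each link in PROGDIR/.manifest and print how many were installed
pbi_setup() {
    progdir=$1; prefix=$2
    manifest=$progdir/.manifest
    : > "$manifest"
    mkdir -p "$prefix/bin"
    for f in "$progdir"/.sbin/*; do
        [ -e "$f" ] || continue              # an empty glob stays literal
        link=$prefix/bin/${f##*/}
        ln -s "$f" "$link" && printf '%s\n' "$link" >> "$manifest"
    done
    grep -c . "$manifest"
}

# pbi_remove PROGDIR PREFIX: remove the recorded paths (links only, never
# their targets), refuse anything outside PREFIX, print how many were removed
pbi_remove() {
    progdir=$1; prefix=$2
    manifest=$progdir/.manifest
    [ -f "$manifest" ] || { echo "no manifest in $progdir" >&2; return 1; }
    removed=0
    while IFS= read -r path; do
        case $path in
            "$prefix"/*) ;;
            *) echo "refusing to remove $path (outside $prefix)" >&2; continue ;;
        esac
        rm -f "$path" && removed=$((removed + 1))
    done < "$manifest"
    rm -f "$manifest"
    echo "$removed"
}
```

The same idea extends to the locale files and man pages the listing handles: record every created path rather than reconstructing the list at uninstall time, and leave per-user settings in /home to the user who owns them.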
admin

Connecting to Other IM networks
Eric Schnoebelen, Michele Cranmer

You have taken the plunge, you have adopted Jabber as your instant messaging system of choice. How do you keep in contact with all your poor, un-enlightened friends who are still using the proprietary walled garden networks?

The solution is designed into Jabber/XMPP. The solution is transports, a mechanism to allow the creation of a gateway between the jabber network and closed/proprietary networks, such as Yahoo! Instant Messenger, Microsoft Live Messenger, AOL Instant Messenger, ICQ, China's QQ, FaceBook, Poland's GaduGadu and other networks. GTalk is not listed as GTalk is XMPP-based and already federating; all it takes to converse with friends on GTalk is to add them to your roster.
Unfortunately, you can't connect to the Walled Garden networks without having an identity on those networks. However, using the transports, you can use your favorite Jabber client, and connect to all the networks you have identities on. All the roster information is contained in one location, on your jabber server.

Why not use a multi-protocol client?
Multi-protocol clients have to focus on supporting lots of protocols, and probably don't support them all as well as they might. Jabber-only clients support Jabber extremely well, and leave the supporting of the other protocols to the transport, installed on the jabber server. Granted, the Jabber transports probably wouldn't be nearly as good as they are, if it weren't for the people working on reverse engineering the proprietary protocols for the multi-protocol clients.

Lets build some transports
We are going to look at building the following transports and configuring them to work with the jabberd2 server we have been configuring. The transports are for AOL, MSN and Yahoo!. The transports we're building are all written in Python. The AOL and MSN transports use the Twisted framework while the Yahoo! transport uses the xmpp.py framework. Obligatory pkgsrc recommendation: I have packaged all of pyAIMt, PyMSNt and YIMt in pkgsrc-wip on Source Forge. The packages are py-jabber-aim-t, py-jabber-msnt, and py-jabber-yahoo-transport. Changing into the appropriate directory, and typing [b]make install will download, build and install the packages and all their dependencies. FreeBSD has pyAIMt and pyMSNt in the ports collection as net-im/jabber-pyaim and net-im/jabber-pymsn. Ok, now for building things the hard way.

Listing 1. Needed packages and where to find them
Twisted-2.5.0
http://tmrc.mit.edu/mirror/twisted/Twisted/2.5/
pyOpenSSL-0.6
http://dl.sourceforge.net/sourceforge/pyopenssl/
Imaging-1.1.6
http://effbot.org/downloads/
dnspython-1.6.0
http://www.dnspython.org/kits/1.6.0/
xmpppy-0.4.1
yahoo-transport-0.4
http://dl.sourceforge.net/sourceforge/xmpppy/
pyaim-t-0.8a
http://pyaimt.googlecode.com/files/
pymsnt-0.11.3
http://delx.net.au/projects/pymsnt/tarballs/
pyaim-t-0.8a
  Twisted-2.5.0
  Imagine-1-1.6
  pyOpenSSL-0.6
pymsnt-0.11.3
  Twisted-2.5.0
  Imagine-1-1.6
  pyOpenSSL-0.6
yahoo-transport-0.4
  xmppy-0.4.1
  dnspython-1.6.0

Listing 3. Working pyaim-t configuration from jabber.cirr.com
<pyaimt>
<!-- The JabberID of the transport. -->
<jid>aim.jabber.cirr.com</jid>

<!-- The JabberID of the conference room handler. -->
<!-- GROUPCHAT IS NOT STABLE YET -->
<confjid>chat.aim.jabber.cirr.com</confjid>

<!-- The component JID of the transport. Unless you're doing
 – clustering, leave this alone -->
<!-- <compjid>aim1</compjid> -->

<!-- The location of the spool directory.. if relative, relative to -->
<!-- the src dir. Do not include the jid of the transport. -->
<spooldir>/var/spool/jabberd</spooldir>

<!-- The location of the PID file. if relative, relative to the src dir. -->
<!-- Comment out if you do not want a PID file -->
<pid>/var/run/jabberd/pyaimt.pid</pid>

<!-- The IP address of the main Jabber server -->
<mainServer>jabber.cirr.com</mainServer>

<!-- The JID of the main Jabber server -->
<mainServerJID>jabber.cirr.com</mainServerJID>

<!-- The website of the Jabber service -->
<website>http://jabber.cirr.com/</website>

<!-- The TCP port to connect to the Jabber server on -->
<!-- (this is the default for Jabberd2) -->
<port>5347</port>

<!-- The TCP port that the web admin interface will answer on -->
<!-- (uncomment to enable) -->
<!-- <webport>12345</webport> -->

<!-- The authentication token to use when connecting to
 – the Jabber server -->
<secret>***************</secret>

<!-- The authentication token to use when connection to
 – the web interface -->
<websecret>letmein</websecret>

<!-- The default language to use (for error/status messages) -->
<lang>en</lang>

<!-- The hostname of the AOL login server you wish to connect to -->
<aimServer>login.oscar.aol.com</aimServer>

<!-- The port of the AOL server you wish to connect to -->
<aimPort>5190</aimPort>

<!-- Send message on successful registration -->
<registerMessage>You have successfully registered with PyAIMt</registerMessage>

<!-- You can choose which users you wish to have as administrators.
 – These users can perform some tasks with Ad-Hoc commands that
 – others cannot -->
<admins>
<jid>eric@jabber.cirr.com</jid>
</admins>

<!-- You can select which event loop PyAIMt will use. It's probably
 – safe to leave this as the default -->
<!-- Use epoll for high-load Linux servers running kernel 2.6 or above -->
<!--<reactor>epoll</reactor>-->
<!-- Use kqueue for high-load FreeBSD servers -->
<!--<reactor>kqueue</reactor>-->
<!-- Use poll for high-load Unix servers -->
<reactor>poll</reactor>
</pyaimt>
admin
Dependencies
The first, and probably biggest, dependency is python itself. I am assuming you have already gotten python built and installed. pyaim-t and pymsnt require the python Twisted framework, at least 2.5 or later. The Twisted -core, -zopeinterface, -web, and -words sub-modules of Twisted are required. All are part of the Twisted-2.5.0 archive. The python OpenSSL (pyopenssl) module is also required. If you want to support avatars, the Python Imaging module is also required. Yahoo transport requires xmpppy, dnspython, and python expat, which is a sometimes-optional portion of the python distribution.
Build and install all the modules using the standard python mechanism of changing into the package directory and executing:
• python setup.py build
• sudo python setup.py install

Build the transports
Once all the prerequisites are built, it is time to move on to building/installing the transports themselves.
All of the transports are meant to be executed out of the extraction directory, so choose well. (The packages in pkgsrc-wip have been modified to install into a common tree, and execute there.) Thus, there is not a lot to do for building.

Configuring
All the transports use XML files for configuration, and use many of the same tags. We will start our configurations with pyaim-t. Change into the directory pyaim-t-0.8a and start by copying config_example.xml to config.xml. Now fire up your favorite editor on config.xml.
The most interesting fields to be checked and modified are:
• <jid> – the id/name of the transport. Usually something like aim.jabber.<domain name>. If you want off site users to be able to use your AIM transport, this name needs to exist in DNS.
• <mainServer> – the IP address of the jabber server
• <mainServerJID> – the DNS listed hostname of the jabber server
• <secret> – the shared secret between pyaimt and the jabber server (router component.)
Changing those elements will get you up and running. Reviewing the rest of the elements may be interesting, but not essential. Configuring pymsnt is essentially identical. The example configuration file is called config-example.xml. Copy it to config.xml, and edit the <jid>, <mainServer> and <secret> elements to suit. Again, if you want the transport to be usable by people on other jabber servers, make sure the name specified in <jid> is listed in DNS.
The last transport to configure is yahoo-transport. For the yahoo-transport, the example configuration file is config_example.xml, and is expected to be config.xml in the application start up directory.
Again, the interesting elements are <jid>, <mainServer>, <mainServerJID>, and <secret>. Setting <confjid>, along with <enableChatrooms/>, will set up the gateway into the Yahoo conference rooms. Once again, the name given in <jid> (and <confjid> if you want conference rooms) must be resolvable in DNS if you want off site jabber servers to be able to use it.

Listing 5. Working yahoo-transport configuration file from jabber.cirr.com

<spoolFile>/var/spool/jabberd/yahoo</spoolFile>
<!-- The location of the PID file, relative to the PyYIMt directory -->
<!-- Comment out if you do not want a PID file -->
<pid>/var/run/jabberd/yahoo-transport.pid</pid>
<!-- The IP address or DNS name of the main Jabber server -->
<mainServer>127.0.0.1</mainServer>
<!-- Allow users to use the Yahoo! chat rooms with this transport -->
<enableChatrooms/>
<!-- You can choose which users you wish to have as administrators.
These users can perform some tasks with Ad-Hoc commands that
others cannot -->
<admins>
<jid>eric@jabber.cirr.com</jid>
</admins>
<!-- The file to log to. Leave this disabled for stdout only -->
<debugFile>/var/log/jabberd/yahoo-transport.log</debugFile>
</pyyimt>

Starting the transports
Ok, we've got them built, and we've got them configured, hopefully. Now it is time to start the servers. Each of them was designed to run out of their source directories.
First up, make sure the user you've chosen to run the servers has write permissions in the program directories. All of the transports store their spool files and directories as sub-directories of the current directory (unless modified by the configuration file).
So, as the user you are going to run the transports as, iteratively change into each directory, and start the transport. For pyaim-t and pymsnt, it is PyAIMt.py and PyMSNt.py respectively. For yahoo-transport, it is yahoo.py.
PyAIMt.py will go into the background (become a daemon) if you specify the -b or --background flags.

./PyAIMt.py -b

Will fire up the AIM transport. Check your log files for errors if the background program ends unexpectedly. PyMSNt.py acts the same as PyAIMt.py. Change into its directory, and start it with the -b flag to make it act like a daemon. pymsnt also supports an XML element of <background/> to have the transport start as a daemon.
yahoo-transport is a bit different, in that it has to be explicitly put in the background, as follows:

./yahoo.py &

Using the transports
To make use of your newly installed transports, browse your local server from your jabber client.
In Psi, right click on your account name, and select Service Discovery from the pop-up menu. Your newly installed transports should show up as children of the server.
To register, select the registration function in the appropriate fashion (in Psi, double clicking will do it) and then fill in the registration dialog. You will need to fill in your legacy network username and password.
Once you have registered, all of your contacts on the legacy system should start showing up in your jabber roster. Warning, you may be asked to Add/Auth a lot of users, the entire contents of your legacy system roster. Do not worry, your contacts on the legacy system won't see anything. And you will only have the annoyance once.
Congratulations, you have successfully built the transports, and used them to connect to the legacy systems. Now you can do all your instant messaging through your jabber server and your jabber client. And your friends on the legacy systems won't know the difference. I have been doing just that for over 3 years.
Now, it's up to you to start encouraging them to migrate to an open-standards messaging system, XMPP/Jabber.
In the coming issues, we'll talk about setting up conference room services, file transfer proxies, and an overview of several popular Jabber capable clients. If you have any ideas for future articles, please send them to jabber@cirr.com.

About the Author
Eric Schnoebelen is a 25 year veteran of the UNIX wars, using both System V and BSD derived systems. He's spent more than 20 years working with and contributing to various open source projects, such as NetBSD, sendmail, tcsh, and jabberd2. He operates a UNIX consultancy, and a small, NetBSD powered ISP. His preferred OS is NetBSD, which he has running on Alpha, UltraSPARC, SPARC, amd64 and i386.
Michele Cranmer is a relatively new user to UNIX and Jabber, having been basically forced into learning it when she met Eric. After having been a loyal Windows and Yahoo Messenger user for many years, she finds that she prefers the new systems to the others because of ease of use and reliability. Being a college student, getting her degree in Special Education, she plans on using the new systems in her classroom as a way of teaching the children that there are many different ways to do things other than the ``normal'' ways and those ways are no more strange or unusual than they are.
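The Configuring and Starting the transports sections above name the elements that must be edited before a transport is started (<jid>, <mainServer>, <mainServerJID>, <secret>), warn that the <jid> and <confjid> names must exist in DNS for off-site servers to reach the transport, and Listing 3 ships with a placeholder <secret> and an example <websecret>. The script below is an added example, not code from the article or from the pyAIMt/PyMSNt projects: it reads a config.xml and reports the elements still at their example values, and can check that the transport names resolve before the daemon is started. The element names follow Listing 3; the sample config is constructed, and which values count as "left at the example" is this example's own assumption.

```python
"""Pre-flight checks for a pyaim-t / pymsnt style transport config.xml.

Added example, not code from the article or from the pyAIMt/PyMSNt projects.
Element names follow Listing 3 of the article; which values count as
"left at the example" is this example's own assumption.
"""
import socket
import xml.etree.ElementTree as ET

# Elements the article says must be checked and modified before first start.
REQUIRED = ("jid", "mainServer", "mainServerJID", "secret")
EXAMPLE_WEBSECRET = "letmein"  # value shipped in the example config (Listing 3)


def check_transport_config(xml_text):
    """Return a list of findings; an empty list means the config passed."""
    root = ET.fromstring(xml_text)  # XML comments are discarded by the parser
    findings = []
    for tag in REQUIRED:
        if not (root.findtext(tag) or "").strip():
            findings.append(f"missing or empty <{tag}>")
    secret = (root.findtext("secret") or "").strip()
    if secret and set(secret) == {"*"}:
        # Listing 3 prints the router secret as a row of asterisks
        findings.append("<secret> is still the placeholder from the example file")
    if root.find("webport") is not None:
        # web admin interface is enabled: it must not keep the example token
        websecret = (root.findtext("websecret") or "").strip()
        if websecret in ("", EXAMPLE_WEBSECRET):
            findings.append("web admin interface enabled with the example <websecret>")
    return findings


def unresolvable_transport_names(xml_text, resolve=socket.gethostbyname):
    """Return the <jid>/<confjid> names that do not resolve in DNS.

    The article warns that off-site Jabber servers can only reach the
    transport when these names exist in DNS.  `resolve` is injectable so
    the check can be exercised offline.
    """
    root = ET.fromstring(xml_text)
    unresolved = []
    for tag in ("jid", "confjid"):
        name = (root.findtext(tag) or "").strip()
        if not name:
            continue
        try:
            resolve(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            unresolved.append(name)
    return unresolved


# Constructed sample: the shape of Listing 3 with the web interface enabled
# but both secrets left as in the example file.
CONSTRUCTED_CONFIG = """<pyaimt>
  <jid>aim.jabber.example.net</jid>
  <confjid>chat.aim.jabber.example.net</confjid>
  <mainServer>jabber.example.net</mainServer>
  <mainServerJID>jabber.example.net</mainServerJID>
  <secret>***************</secret>
  <webport>12345</webport>
  <websecret>letmein</websecret>
  <port>5347</port>
</pyaimt>
"""

if __name__ == "__main__":
    for finding in check_transport_config(CONSTRUCTED_CONFIG):
        print("config:", finding)
    for name in unresolvable_transport_names(CONSTRUCTED_CONFIG):
        print("dns:", name, "does not resolve")
```

Run it against the real config.xml of each transport (the pymsnt and yahoo-transport files use the same element names for the fields it checks) before starting the daemon; the DNS check uses the system resolver, so run it from a host that sees the same DNS as the off-site servers will.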
Kernel File System Development
Antti Kantee

This article is a tutorial for file system development using the Runnable Userspace Meta Program (rump) facility found in NetBSD. In addition to explaining the necessary steps in a practical hands-on manner, a brief introduction of the involved technology is given.

Previously, specially written glue code was required to make it possible to run the kernel code in userspace, but now the NetBSD Runnable Userspace Meta Program (rump) framework makes it possible to run unmodified kernel file system code out-of-the-box in userspace and with seamless integration. It can be thought of as being a generalized superset of the functionality provided by Sun's ZFS libzpool userspace testing library.
After the developed code is dropped into the kernel, bugs are usually found in specific use cases and the code must be debugged in the kernel environment. Anyone who has ever done kernel debugging knows that it is far from the most trivial and enjoyable task in the world. As the debugging session more often than not leads to a kernel panic, two different environments are a common approach: one for running the kernel being debugged and another one for controlling the previous. There are multiple classic ways of accomplishing this: two physical machines, an emulator, or a userspace operating system.
The three ways listed above are fundamentally the same thing: creating an alternate environment and using that for debugging. There are two common problems with this approach.

• Not enough isolation. The implementation under development still runs in the same kernel environment as the system that hosts it. For example, error path testing is difficult by introducing errors to common routines such as the buffer cache and disk drivers, since extra care must be taken to make portions of the kernel that are not under development (e.g. the root file system) not suffer from fault injection.
• Too much isolation. Repeating a bug often depends on a specific machine and application configuration. For instance, it might require a big application such as OpenOffice or Firefox, or downloading and saving a file from some specific ftp site. This environment needs to be recreated in the test setup before the problem can be repeated.

Technology overview
There are two different technologies involved in running kernel file systems in userspace.

• Pass-to-Userspace Framework File System or puffs. puffs is the NetBSD mechanism for implementing file systems in userspace. The idea is similar to the Linux FUSE, but the interface is different and mimics the BSD file systems kernel interface enabling a more natural implementation in the kernel. puffs receives requests in the kernel, transports them to the userspace file server, waits for a result and passes it back to the caller.
• Runnable Userspace Meta Programs or rump. File systems implemented in the kernel are free to call any kernel routines. The rump shim layer makes sure these routines are available in userspace. For the most part, the routines are directly compiled from kernel source modules. Examples of these types of routines are the buffer cache routines and virtual file system subroutines. Some parts, however, must be reimplemented for userspace. Examples in the latter category are the disk device driver and virtual memory subsystem code.
There are two basic choices for running kernel file system code in userspace. These are both presented in Figure 1, in addition to a regular in-kernel file system architecture being given for comparison.

• The case with a mounted file system shows what the configuration looks like when running a kernel file system in userspace with complete application transparency. The requests are passed from the kernel to userspace and back using puffs and translated from the puffs protocol to the kernel vfs/vop interface using a helper library called p2k (puffs-to-kernel).
• The standalone case invokes file system operations directly. This avoids kernel involvement, but requires specially written applications against a library called ukfs (user-kernel file system). The advantage in this approach is that the application is completely disjointed from the host kernel features, the only exceptions being a handful of common system calls such as read()/write(). This means that NetBSD kernel file system code can be run on virtually

Figure 1. Kernel file system

File locations
All rump source code is located in the NetBSD-current source tree under src/sys/rump. It will be present in NetBSD 5.0 when it is released. This document is written against the status present in NetBSD-current at the end of May 2008.
The shim library is under src/sys/rump/librump. The kernel file systems are built as libraries under src/sys/rump/fs/lib while the file server binaries themselves are located in src/sys/rump/fs/bin. For example the efs file system's kernel portion is built into src/sys/rump/fs/lib/efs and the file server binary is found from src/sys/rump/fs/bin/efs. None of the built binaries are currently installed anywhere, so they must be run directly from the source tree.

Adding a new mountable file system: a walkthrough
To add a new file server to the rump build, the kernel portion of the file server must first be built as a regular userspace library. The only difference from a normal program library is that the compilation flags used for building this library are those of the kernel. Most of the necessary steps are already automatically handled by the build framework. The user should fill in the library name, source file path, and source modules to be compiled. An example of this for the efs file system is presented in Listing 1.
A directory called libyourfs should be created under src/sys/rump/fs/lib with the only content being the Makefile described above.
Additionally it might be necessary to specify file system specific compilation flags for the library. This may be done as with any other library. The following example is from libffs:

CPPFLAGS+= -DFFS_NO_SNAPSHOT -DFFS_EI
CFLAGS+= -Wno-pointer-sign

Next, the file server executable for mounting the file system is required. The server daemon implementation is effectively just a matter of filling out the file system argument structure and calling the p2k library run routine. The file system arguments depend on the file system in question, but for our efs example it is simply a matter of filling out the location of the file system image to be mounted. As the server daemon assumes this path is passed as the first parameter to the program, the following does the trick:

struct efs_args args;
memset(&args, 0, sizeof(args));
args.fspec = argv[0];

Calling the p2k library run routine mounts the file system and jumps to a main loop, which takes care of processing requests. The routine's signature is p2k_run_fs(fs_type, devpath, mountpath, mountflags, fs_args, fs_args_size, puffs_flags). As our example, efs is used once again: see Listing 2.

Listing 1. Kernel fs library Makefile

# $NetBSD: Makefile,v 1.2 2007/08/07 10:16:57 pooka Exp $
#
.include <bsd.own.mk>
LIB= efs
.PATH: ${NETBSDSRCDIR}/sys/fs/efs
SRCS= efs_genfs.c efs_ihash.c efs_subr.c efs_vfsops.c efs_vnops.c
.include <bsd.lib.mk>
.include <bsd.klinks.mk>

Listing 2. p2k_run_fs() in efs

rv = p2k_run_fs(MOUNT_EFS, argv[0], argv[1], mntflags | MNT_RDONLY,
    &args, sizeof(args), pflags);
if (rv)
    err(1, "mount");
The mntflags and pflags variables have been parsed earlier from command line arguments. As the kernel efs implementation is currently read-only, the readonly flag is forced. The p2k_run_fs() routine returns only after a fatal error or when the file system is unmounted. Unmounting can be done the normal way using umount(8), or the violent way by killing the file server.
To build the file system daemon, a similar Makefile as for building the kernel portion library is required. Most of the work is once again handled by existing build infrastructure magic. The daemon code should be located in src/sys/rump/fs/bin in a directory called yourfs. The Makefile looks a lot like a standard BSD program Makefile, with the exception that the kernel file system library gets linked in. The path magic for this is handled automatically by the rump build framework. See Listing 3 for an example.
Finally, the build system must be told that your file system exists. This is done by adding yourfs to the RUMPFSLIST variable in Makefile.rumpfs in the directory src/sys/rump/fs. Currently the relevant line looks like this:

RUMPFSLIST= cd9660fs efs ext2fs ffs hfs lfs msdosfs ntfs syspuffs tmpfs udf

After this, rebuild everything by typing make in the rump main directory. If all the above steps were done properly and rump supports all the functionality your file system uses, there will be an executable called yourfs in the object directory of src/sys/rump/fs/bin/yourfs. This executable can be run to mount the file system:

./efs ~/img/efs.img /puffs

As inferred by the previous example, an additional advantage of using rump is that there is no need to vnconfig file system images: they can be directly mounted as files. In case of accessing a device directly, it is recommended that the raw device is used, e.g. /dev/rwd1e. In case the block device node (e.g. /dev/wd1e) is used, all access goes through the buffer cache. Since the buffer cache is fairly small in size, this can negatively affect the performance of all other file systems on the system in case heavy file I/O is performed. The buffer cache is used by file systems only for metadata while file contents are stored in the page cache. Therefore the buffer cache is of limited size. Block device node access goes entirely through the buffer cache, therefore caching also file contents in the buffer cache. For large files, this can quickly flush everything else from the buffer cache.
After mounting it is possible to use the file system just like a regular kernel file system: see Listing 4. The only difference to an in-kernel file system is that the file system image is being accessed in the comfort and safety of userspace.

Debugging Mounted File Systems in Userspace
All of the regular userspace debugging tricks apply to rump file systems. It is possible to single step, send signals, dump core, attach a debugger, ktrace, profile, stop and continue, add printfs, and do iterative development very quickly.

Dealing with "kernel" panics
A kernel panic in a rump file system is merely a core dump. It can be loaded into gdb like from any other userspace program and the stack backtrace and other state at the point of panic can be examined. The example below shows what happened when trying to mount a slightly corrupted FAT file system image:

golem> ./msdosfs ~/img/msdosfs.img /mnt
panic: buf mem pool index 23
Abort (core dumped)
golem>

After examining the core dump it became clear which field caused the error. A check for a bad value was added to the mount routine and now mounting of the image is politely refused instead of causing a kernel panic.

Single stepping
Single stepping rump file systems while being executed is easy, since pausing the file system does not pause the entire kernel. Only applications accessing the file system will be frozen for the duration of the debugging operation. For example, if one would like to trace/debug the execution of the ufs lookup routine, one could do the following: see Listing 5.
In addition to the small teaser presented above, the regular gdb tricks of course apply. A useful thing to note from the stack backtrace is that vnode operations go through RUMP_VOP_OP() instead of VOP_OP() as in the kernel. The former can be used to place a breakpoint for a certain operation regardless of the type of file system being debugged.
There is one catch. Since NetBSD currently has problems debugging threaded programs, as a workaround for

Listing 3. File system server Makefile

# $NetBSD: Makefile,v 1.1 2007/08/05 22:28:02 pooka Exp $
#
PROG= efs
LDADD+= ${RUMPFSLD_EFS}
DPADD+= ${RUMPFSDP_EFS}
.include <bsd.prog.mk>

Listing 4. rump file system in mount lists

golem> mount | grep efs
/home/pooka/img/efs.img on /puffs type puffs|p2k|efs (read-only, nosuid, nodev, mounted by pooka)
golem> df /puffs
Filesystem               1K-blocks  Used  Avail  %Cap  Mounted on
/home/pooka/img/efs.img      16214  9161   7053   56%  /puffs
golem> ls /puffs
WorkSpace  debug     etc  lost+found  unix
bin        dev       floppy  stand    usr
cdrom      dumpster  lib  tmp         usr2
golem>
attaching a debugger you must compile rump so that it does not use threads. This can be done by making sure the following is set in src/sys/rump/librump/Makefile.inc:

CPPFLAGS+= -DRUMP_WITHOUT_THREADS

This disables thread support completely. This means that file systems which create threads can no longer be run. It also means that system threads such as the vnode release thread will not be started. For development operations besides live program debugging, it is recommended that rump is compiled with this option commented out to better emulate a proper kernel environment. Notably, there is no problem in NetBSD with debugging core dumps created by threaded programs.

Creating core dumps
Sometimes it is useful to add clauses to the code to force a core dump if some complex set of rules is met. This can be done simply with if (conditional) panic("hit condition");. Taking a core dump of an already running file server is sometimes required. The standard methods of using gcore(1) to generate a live core or kill -ABRT for terminating the program and creating a core have often been found useful.

Direct access to file system code
The examples discussed so far mount the file system as part of the host system. If we recall, this means that accessing them requires control to flow through the kernel by making system calls. Accessing file system routines directly is done from ukfs without passing through the kernel. It can be used for developing utilities such as mtools and NetBSD makefs(8) by directly employing the kernel fs code and not requiring a separate userspace implementation. In addition, it allows the writing of fine-grained test programs and the stress-testing of file system code much more efficiently. Test functionality similar to Sun's ZFS ztest utility could also be written using ukfs, with the exception that it does not need to be limited to just one file system.
The main documentation for the ukfs library is currently available only in the form of a header in src/sys/rump/fs/lib/libukfs/ukfs.h. However, most of the routines resemble system calls, so it is easy to figure out what each ukfs call does. Calls typically take the file system context structure (struct ukfs *), a pathname, and whatever arguments are necessary. For instance:

ukfs_rmdir(ukfs, dirpath)

removes the directory dirpath, while:

ukfs_read(ukfs, filename, off, buf, bufsize)

will read at most bufsize bytes into buf from the file filename from offset off.
To use the ukfs library, two initialization routines must be called. ukfs_init() initializes the global process state required for using ukfs and rump. After this, the desired file system must be mounted using ukfs_mount(fs_type, devpath, mountpath, mountflags, fs_args, fs_args_size). The parameters are the same as for p2k_run_fs() described earlier. The mount routine returns the context structure to be passed to interface routines.
All pathnames given to the library can be relative or absolute. The current directory can be changed by calling the ukfs_chdir() routine. The current directory is per thread, so in case the process using ukfs has multiple threads, each thread is initialized with the current directory as the root directory and must be explicitly changed if desired.

Further information
Documentation, technical papers and examples of use for puffs and rump can be found from the NetBSD website:
• http://www.NetBSD.org/docs/puffs/
• http://www.NetBSD.org/docs/puffs/rump.html

Listing 5. Using gdb on ffs

golem> gdb ffs
GNU gdb 6.5
[...]
This GDB was configured as "i386--netbsdelf"...
(gdb) break ufs_lookup
Breakpoint 1 at 0x80697bc: file /usr/allsrc/src/sys/ufs/ufs/ufs_lookup.c, line 115.
(gdb) run -o ro ~/img/ffs.img /puffs
Starting program: /objs/obj/sys/rump/fs/bin/ffs/ffs -o ro ~/img/ffs.img /puffs
rump warning: threads not enabled, not starting vrele thread
rump warning: threads not enabled, not starting namecache g/c thread

[meanwhile, cause a lookup to happen from another window]

Breakpoint 1, ufs_lookup (v=0xbfbfd1a0)
    at /usr/allsrc/src/sys/ufs/ufs/ufs_lookup.c:115
115         struct vop_lookup_args /* {
(gdb) n
120         struct vnode *vdp = ap->a_dvp;
(gdb) bt
#0  ufs_lookup (v=0xbfbfd1a0) at /usr/allsrc/src/sys/ufs/ufs/ufs_lookup.c:115
#1  0x0807ac38 in RUMP_VOP_LOOKUP (dvp=0x8148d00, vpp=0xbfbfd1ec, cnp=0x80b2a20) at rumpvnode_if.c:132
#2  0x0806f725 in p2k_node_lookup (pu=0x80b7200, opc=0x8148d00, pni=0xbfbfd290, pcn=0xbfbfd27c) at p2k.c:327
#3  0x08076d7c in dispatch (pcc=0x80aea20) at dispatcher.c:277
[etc.]
Securing IM using Jabber/XMPP and TLS
Eric Schnoebelen, Michele Cranmer

XMPP/Jabber offers a number of features that make it different from the commercial, closed messaging systems. This month, we'll talk about how to secure client to server and server to server communications.

Are your private communications via instant messaging really as private as you think they are? This month, we will talk about how to secure client to server and server to server communications.
Have you ever been chatting with a friend or family member on one of the big instant messaging services, and wondered who else might be seeing your conversation? Well, the truth is...it could be anyone! The major IM services seem to lack the mechanism for securing the communications between the client and server.
Would you not rather use a service that you operate and know is secure? One where you do not have to worry about whether the things you say to your Mother about your ex will be read by someone who knows them? That is what Jabber can give you! The security in knowing that what you chat about will be between you and the person/people you are chatting with.
In the last issue we showed you how to set up a Jabber/XMPP server, using the open source jabberd2 server. This time we will talk about how to secure communications through that system. One of the features Jabber/XMPP offers that makes it different from the proprietary, commercial IM services is the ability to secure client to server and server to server communications. Secure server to server communication is an important feature of XMPP, and the XMPP Foundation has a goal of having most of the interconnecting (federating) jabber servers using secure channels by Jabber's 10th anniversary, 4 Jan 2009 (see https://stpeter.im/?p=2136).

Securing communications
First up, we are going to discuss securing communications between your Jabber/XMPP server and a client. We are going to use the jabberd2 server we built/installed last time. (Although, since then versions up to 2.1.24.1 have been released, and 2.2.0 was released during the writing of this article.)
You can use either a self-signed certificate for securing your jabber server, or you can use a commercial certificate. The XMPP Foundation (http://www.xmpp.net) has set up an agreement with Startcom to provide every Jabber server operator with a certificate signed by a known signing authority.
We will go through the common steps for generating both a commercially signed certificate and a self-signed certificate, as they are common for most of the tasks.

Creating the certificate signing request
Some of the signing authorities, such as the one offered by xmpp.net, offer a web form to create the certificate signing request.
Other signing authorities will require you to create your own certificate signing request. If you are creating a self-signed certificate, you will need to create a signing request as well. XMPP certificates require a bit of additional information not required for the more common HTTP/SSL certificate signing request.
Listing 1 shows the changes/additions needed to your OpenSSL configuration file (/etc/openssl/openssl.cnf on NetBSD) to get the extra OIDs needed for XMPP's use. (This listing can be found at http://wiki.jabber.org/index.php/XMPP_Server_Certificates.)
Listing 2 shows the OpenSSL configuration file I used to generate signing certificates and self-signed certificates for jabber.cirr.com (along with my test jabber server, portnoy.cirr.com.)

Creating a self-signed certificate
Creating a self-signed certificate is fairly straightforward for anyone who has done it for web servers. Here is the command line I used:
openssl req -x509 -nodes -days 365 \
    -config /etc/openssl/xmpp.cnf -newkey rsa:1024 \
    -keyout portnoy.cirr.com.key -out portnoy.cirr.com.pem

Before installing on the jabber server, make sure to concatenate the .key file onto the .pem file.

Getting a certificate from xmpp.net
To receive a certificate from xmpp.net, you will have to register with xmpp.net. Follow the registration directions at https://www.xmpp.net/account-request.
There are two mechanisms for receiving a certificate from xmpp.net. The first is to use the web site to create your private key, your certificate signing request, and finally your certificate. The second is to create your own key and signing request, and submit it to the XMPP CA for the creation of the certificate.
The first two screens on both processes are the same. The first screen is selecting the request type, either letting the CA create the request, or providing your own. Select as appropriate.
The second screen is providing contact information. A street address must be provided (post office boxes are not acceptable.) The phone number provided must reverse look up to the street address provided.
Now the processes diverge.

XMPP CA generated CSR
When letting the XMPP CA generate the certificate signing request, the third screen in the process will request a pass-phrase for use on your key. It must be between 10 and 32 characters long, using mixed case alphabetic letters and the digits.
The fourth screen presents the private key that was generated. Copy it from the text box, and record it somewhere. Also remember to record the pass-phrase to this private key. Select continue to move to the next screen.
On the fifth screen, the information required for your certificate signing request will be collected. The information is your country, your state/province, your city/town/locality, your organization, and finally the hostname of the jabber server. The top level domain is available as a pull down.
Select continue, and the sixth screen appears, requesting the email address to receive the validation request, and presents the certificate signing request generated. You should save the certificate signing request.
Skip down to Validating the request for the rest of the process.

Self Generated CSR
When generating the CSR yourself, you can use Listing 2 as the start of a configuration file to generate your certificate signing request. Make sure the Common Name is the fully qualified domain name of the jabber server, as presented in the DNS SRV record or A record.

Listing 1. Lifted from http://wiki.jabber.org/index.php/XMPP_Server_Certificates

oid_section = new_oids

[ new_oids ]

# RFC 3920 section 5.1.1 defines this OID
xmppAddr = 1.3.6.1.5.5.7.8.5

[ req ]

default_bits = 1024
default_keyfile = dotat.key
distinguished_name = distinguished_name
req_extensions = v3_extensions
x509_extensions = v3_extensions

# don't ask about the DN
prompt = no

[ distinguished_name ]

countryName = GB
stateOrProvinceName = England
localityName = Cambridge
organizationName = dotat labs
commonName = dotat.at

[ v3_extensions ]

# for certificate requests (req_extensions)
# and self-signed certificates (x509_extensions)
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = @subject_alternative_name

[ subject_alternative_name ]

DNS.0 = dotat.at
otherName.0 = xmppAddr;UTF8:dotat.at

# Append the following for a server which handles multiple domain names:
DNS.1 = example.org
otherName.1 = xmppAddr;UTF8:example.org
The following openssl command line After the certificate signing request has Validating the request
will generate the request: been generated, paste it into the text At this point the two certificate generation
box on the XMPP CA form, and submit it. paths converge.
openssl req -new -nodes -config /etc/ The next screen will ask for the domain Once the token arrives, enter it into
openssl/xmpp.cnf \ administrative email (hostmaster@, the the field on the screen, and submit
-newkey rsa:1024 -keyout postmaster@, or webmaster@) to receive the form.
portnoy.cirr.com.key \ the validation token. Patiently await it is The final screen will appear with your
-out portnoy.cirr.com.csr delivery to the respective mailbox. certificate. Copy it from the web page,
and also save the Certificate Authority
Listing 2. Openssl_conf intermediate certificates as well. Once
you have got all the certificates, chaining
openssl_conf = openssl_init certificates and keys, your key needs to
[openssl_init] have the pass-phrase removed (unless you
oid_section = new_oids want to enter your pass-phrase every time
one of the component start). To remove your
[ new_oids ] pass-phrase, use an openssl command
line similar to the following: (replace the key
# RFC 3920 section 5.1.1 defines this OID file names with your key file names):
xmppAddr = 1.3.6.1.5.5.7.8.5
openssl rsa -in jabber.cirr.com.key \
[ req ] -out jabber.cirr.com.key-no-passprhase
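The certificate steps above, gathered into one runnable form. This is an added example, not code from the article or from jabberd2: it drives openssl(1) from Python to generate the key, CSR and self-signed certificate from a configuration equivalent to Listing 1, then checks what the article says matters (the Common Name is the server's FQDN, the subjectAltName carries both the DNS name and the RFC 3920 xmppAddr otherName, the key is appended to the .pem, and a pass-phrase can be stripped with openssl rsa). The domain, file names and pass-phrase are constructed placeholders, and the key is 2048 bits rather than the 1024 used above. One caveat the example encodes: OpenSSL 1.1 and later already register 1.3.6.1.5.5.7.8.5 under the name XmppAddr and refuse to create it again from a new_oids section, so the configuration refers to the OID by number instead of defining the xmppAddr name as Listing 1 does.

```python
"""Key, CSR and self-signed certificate for an XMPP server via openssl(1).

Added example, not the article's or jabberd2's code. Domain, file names and
pass-phrase are constructed placeholders."""
import os
import re
import subprocess
import tempfile

# id-on-xmppAddr from RFC 3920 section 5.1.1.  OpenSSL 1.1+ already knows this
# OID as "XmppAddr" and rejects a new_oids redefinition with "oid exists", so
# the config below names it by number.
XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"
XMPP_ADDR_DER = bytes.fromhex("06082b06010505070805")  # DER encoding of that OID

CONFIG_TEMPLATE = """\
[ req ]
default_bits = 2048
distinguished_name = dn
req_extensions = v3_ext
x509_extensions = v3_ext
prompt = no

[ dn ]
countryName = XX
organizationName = Example Jabber Service
commonName = {domain}

[ v3_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = @san

[ san ]
DNS.0 = {domain}
otherName.0 = {oid};UTF8:{domain}
"""


def openssl(*args, binary=False):
    """Run one openssl(1) command and return its stdout (text by default)."""
    out = subprocess.run(["openssl", *args], check=True, capture_output=True)
    return out.stdout if binary else out.stdout.decode()


def make_xmpp_cert(domain, workdir, days=365):
    """Write xmpp.cnf, make key + CSR (for a CA) and a self-signed .pem."""
    cnf = os.path.join(workdir, "xmpp.cnf")
    with open(cnf, "w") as f:
        f.write(CONFIG_TEMPLATE.format(domain=domain, oid=XMPP_ADDR_OID))
    key = os.path.join(workdir, domain + ".key")
    csr = os.path.join(workdir, domain + ".csr")
    pem = os.path.join(workdir, domain + ".pem")
    openssl("req", "-new", "-nodes", "-config", cnf, "-newkey", "rsa:2048",
            "-keyout", key, "-out", csr)
    openssl("req", "-new", "-x509", "-days", str(days), "-config", cnf,
            "-key", key, "-out", pem)
    # jabberd2 reads key and certificate from one file: append the key.
    with open(pem, "a") as out, open(key) as kf:
        out.write(kf.read())
    return {"key": key, "csr": csr, "pem": pem}


def check_xmpp_cert(pem, domain):
    """Report which of the article's requirements the certificate meets."""
    text = openssl("x509", "-in", pem, "-noout", "-text")
    der = openssl("x509", "-in", pem, "-outform", "DER", binary=True)
    cn = re.search(r"CN\s*=\s*([^,\n]+)", text)
    # An otherName is the OID followed by [0] EXPLICIT UTF8String (tag 0x0c);
    # checking the DER directly avoids version-specific "othername:" printing.
    utf8 = b"\x0c" + bytes([len(domain)]) + domain.encode()
    at = der.find(XMPP_ADDR_DER)
    with open(pem) as f:
        body = f.read()
    return {
        "cn_is_fqdn": bool(cn) and cn.group(1).strip() == domain,
        "dns_san": "DNS:" + domain in text,
        "xmpp_addr": at >= 0 and der.find(utf8, at) > at,
        "key_appended": "PRIVATE KEY-----" in body and "CERTIFICATE-----" in body,
    }


def strip_passphrase(key_in, key_out, passphrase):
    """openssl rsa -in key -out key-no-passphrase; True if the result is plain."""
    openssl("rsa", "-in", key_in, "-passin", "pass:" + passphrase, "-out", key_out)
    with open(key_out) as f:
        return "ENCRYPTED" not in f.read()


def demo(domain="xmpp.example.org"):
    """Run the whole flow in a scratch directory and return all checks."""
    workdir = tempfile.mkdtemp(prefix="xmpp-tls-")
    files = make_xmpp_cert(domain, workdir)
    result = check_xmpp_cert(files["pem"], domain)
    # Simulate a CA-issued key that arrived with a pass-phrase, then remove it.
    enc = os.path.join(workdir, domain + ".key.enc")
    openssl("rsa", "-in", files["key"], "-aes256",
            "-passout", "pass:constructed-pass", "-out", enc)
    with open(enc) as f:
        result["encrypted_copy"] = "ENCRYPTED" in f.read()
    plain = os.path.join(workdir, domain + ".key-no-passphrase")
    result["passphrase_removed"] = strip_passphrase(enc, plain, "constructed-pass")
    return result


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Running the file prints one line per check. If `xmpp_addr` comes back false on a real certificate, the CA (or your own config) dropped the otherName and server-to-server peers that validate the xmppAddr will reject it; if `dns_san` is false, clients that check the SAN rather than the CN will fail too.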
Figure 1. XMPP
in business

OpenBSD and making money
Girish Venkatachalam

Open Source is often alleged to be apathetic towards business and money. Corporations often accuse open source of being unable to bring in the profits that run a business. Nowadays everyone knows that open source is serious and cannot be ignored.
I am going to demonstrate in this article that open source can not only mean serious business but also make you rich. No kidding. There are many entrepreneurs among OpenBSD developers and they use OpenBSD, which has the most liberal licensing of any OS, and still, interestingly, they make a living out of it. I am going to show you how I use OpenBSD to make a living in Chennai, India.
We are going to be talking about three different topics, related to one another in a subtle way.

Spam control
Spam control is big business in organizations. Employees having to deal with unsolicited commercial/bulk mail is something that not only reduces productivity but also eats into the company's bottom line.
Another thing that eats into the company's bottom line is the lack of productivity and disturbance caused by Microsoft Windows due to its various vulnerabilities, viruses, worms, trap doors and other malware, not to mention crashes of course. We will get to that in a minute. First, spam control.

Spam control with OpenBSD greylisting
Spam control invariably falls under one of the following categories.

• Bayesian filtering and contextual analysis
• Heuristic filtering based on known keywords/bad words
• CRM114 Markovian chain based filtering (related to a)
• Vipul's razor approach of DCC (Distributed checksum computation) with manual interference – gmail uses this heavily
• Greylisting to stop spam right at the MTA level
• IP address blacklisting and e-mail address whitelisting
• TMDA – cure worse than the disease (only approved senders can send mail)
• RBL lists, spamhaus (politically sensitive spam control techniques)
• Sender Policy Framework (SPF) (not a bad idea per se, but does not work well)

This is more or less it. Most of these techniques are based on content scanning/filtering and actually reading e-mails with a computer. Since this is an activity that requires a high end CPU and memory, spam control software and virus scanning software typically end up grinding your machines to a halt or even slowing down your legitimate e-mails. Also there is the very scary possibility of losing e-mails due to false positives.
OpenBSD's spamd uses a technique called greylisting. This is a very smart way to combat spam since it is stopped right at the MTA level. Since this never reads e-mail it is also very fast and highly efficient. It is impossible to get a false positive here, though the first mail from a domain will experience a delay. I have seen some problems with popular mail sites like yahoo and gmail but they can be easily resolved by manual whitelisting.
Basically greylisting forces mail servers to be RFC 2821 compliant and retry mails until the receiving site is ready. This also has the added advantage of hurting spammers sometimes and also stopping the spam that is meant for some other sites.
The architecture of our solution is something like this (Listing 1). Here is a schematic to explain how OpenBSD greylisting works. The firewall that works in the appliance redirects e-mail traffic depending on three parameters:
• Sending IP address (From IP)
• Envelope sender (who sends you mail?)
• Envelope recipient (who is mail addressed to?)

If the above 3-tuple is seen for the first time then the mail sender is subjected to the torturous SPAMD filtering (running on port 8025 above). There is a phenomenon called initial stuttering that happens here. Instead of talking at full speed the MTA accepts mail one character at a time. This will piss off spammers and many go away. But legitimate senders have just one mail to send. Moreover they have to be RFC compliant. So they survive the test.
Once this process is completed, any subsequent mails from this sending IP address are assumed to be legitimate and they directly talk to the company mail server.
There are several parameters that can be tweaked here. So we can tighten the screws a bit once we observe how this comes up in production. And you don't waste your storage space and bandwidth receiving spam first and then rejecting it. Overall a very brilliant idea no doubt.
To configure spamd(8) all you have to do is enable it in /etc/rc.conf.local by adding these lines.

pf=YES
spamd_flags=""
spamd_black=NO
spamlogd_flags="-i fxp0"

I am of course assuming that your network interface is fxp0. And your pf.conf should have these lines.

table <spamd-white> persist
no rdr on fxp0 proto tcp from <spamd-white> to any port smtp
rdr pass on fxp0 proto tcp from any to any port smtp -> 127.0.0.1 port spamd

Of course there is more to it than meets the eye but you get the idea.
Anyway as a bonus this also stops all sorts of irritating malware like viruses, Trojans, worms and other annoyances. Such mails usually propagate with reckless abandon and my firewall running in the appliance can rate limit them.

Service Redirector
Another need the big corporates have is ensuring 100% uptime for their critical servers. This could include web servers, mail servers, database servers or anything else that forms the backbone of a company's business.
OpenBSD has two very simple ways to solve this problem – CARP and relayd.
CARP is a protocol that works at a very low level. Hence its ability to fail over is fantastic. Since it works at layer II, you can trivially fail over any service you offer since all services will be offered with an IP address. CARP configuration is brain dead simple and anyone can get it working within minutes.
If you have two OpenBSD boxes that you want to fail over in case one goes down then all you have to do is create the carp0 interface on both machines like this.
## Host A (MASTER)
# ifconfig carp0 create
# ifconfig carp0 192.168.1.10 vhid 1 carpdev fxp0

and on Host B,

## Host B (BACKUP)
# ifconfig carp0 create
# ifconfig carp0 192.168.1.10 vhid 1 carpdev fxp0 advskew 100

That is all there is to it. Now try pinging the virtual IP 192.168.1.10 you just created from a different host. Then try something interesting. Pull out the ethernet cable from Host A. You can check which one is master with the ifconfig command. You will notice that the BACKUP will take over within a few seconds and start responding to ping requests. Once you plug the cable back in you will see that the MASTER and BACKUP roles get interchanged automatically as per our original intention.
CARP is really simple to get working but there is more to it. You need to allow the IP CARP protocol as well as the PFSYNC protocol in case you are interested in synchronizing the firewall states before fail over. And in most real world applications you have to take care that the state of the backup is up to date with the master or at least reasonably close. For instance if you are doing a fail over of the antispam appliance then you need to ensure that the pf tables are in sync. And also the /var/db/spamdb database. You can easily ensure this by running a cron job to rsync or even copy it from one place to another.
relayd(8) is another interesting daemon introduced in OpenBSD recently that can do quite a few interesting things. We are not going to discuss most of its cool features here. We will just take a look at its potential. The gory details are in the man pages of OpenBSD as is the usual case with the OS. There is no OS that places as much emphasis on correct documentation as OpenBSD.

What does relayd do?
It is a service redirector. It is also many other things but for me it means that in case the customer runs a web server on an OS other than OpenBSD, then I can fail over the web server using relayd. But then you should remember that relayd works at a much higher layer in the OSI stack and consequently you should always try to use CARP for fail over as much as possible.
Relayd can act as an SSL load balancer. This is a very useful feature since what we require is a secure connection only till the point it reaches our internal network. Beyond that we can load balance using unencrypted/unprotected sessions. So what relayd can do for us is finish the SSL handshake at the entry point to our network so that we can serve many customers even when using SSL. SSL based HTTP servers are typically highly loaded due to the crypto operations and other latency. This comes as a boon for such businesses.

Firewall
In the last issue I had covered firewalling with OpenBSD pf. pf forms such an important component of OpenBSD networking that any networking product that uses OpenBSD will invariably use it. pf can be used for NATing, blocking certain ports or redirection. It can also be used for load balancing.
We talked about the various ways in which Windows hurts a business in the beginning. OpenBSD based firewalling can be used to good effect using its ability to do passive OS fingerprinting. pf comes with an ability to detect the OS of a particular machine by inspecting its TCP SYN packet. So we can use this to make sure that Windows machines do not send malicious traffic.

Conclusion
We have very clearly seen how OpenBSD helps you succeed in business and make as much or even more money than companies that sell commercial software or hardware. The model of open source software based appliances has great potential since most businesses are worried about support. If you can provide them support for the hardware and the open source software they will be willing to purchase your product. The reason is simple for businesses. Open source software gives them unlimited freedom and there are no pesky limitations like number of concurrent users and other irritations like license renewals that are typically found in commercial software.
In short, OpenBSD is serious business!
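The greylisting decision described under Spam control with OpenBSD greylisting, and the three-parameter check that follows it, as an added example: this is a Python model written for this page, not spamd(8)'s own code. It keys the greylist on the (sending IP, envelope sender, envelope recipient) tuple, answers a temporary failure on first sight, accepts a retry that arrives after the pass time, and from then on whitelists the sending IP so later mail from it goes straight through. Times are plain seconds supplied by the caller so a sequence of delivery attempts can be replayed; the defaults mirror spamd's -G passtime:greyexp:whiteexp default of 25:4:864 (25 minutes, 4 hours, 36 days). The IP addresses, mail addresses and timings in the sample are constructed.

```python
"""Model of spamd-style greylisting (added example, not spamd's code)."""
from dataclasses import dataclass, field


@dataclass
class Greylister:
    """Greylist and whitelist state for one receiving site.

    Defaults follow spamd(8)'s -G passtime:greyexp:whiteexp = 25:4:864,
    i.e. 25 minutes, 4 hours and 864 hours (36 days), expressed in seconds.
    """
    passtime: int = 25 * 60
    greyexp: int = 4 * 3600
    whiteexp: int = 864 * 3600
    grey: dict = field(default_factory=dict)   # (ip, from, to) -> first seen
    white: dict = field(default_factory=dict)  # ip -> expiry

    def decide(self, ip, sender, rcpt, now):
        """Return WHITELISTED, ACCEPT or TEMPFAIL for one delivery attempt."""
        expiry = self.white.get(ip)
        if expiry is not None:
            if now < expiry:
                self.white[ip] = now + self.whiteexp  # traffic keeps it alive
                return "WHITELISTED"                  # talks to the real MTA
            del self.white[ip]                        # stale: back to grey
        key = (ip, sender.lower(), rcpt.lower())
        first = self.grey.get(key)
        if first is None or now - first > self.greyexp:
            self.grey[key] = now       # first sighting (or expired): 451, stutter
            return "TEMPFAIL"
        if now - first < self.passtime:
            return "TEMPFAIL"          # retried too eagerly, keep waiting
        del self.grey[key]             # patient RFC 2821 retry: trust the host
        self.white[ip] = now + self.whiteexp
        return "ACCEPT"


def replay(attempts, greylister=None):
    """Feed (ip, sender, rcpt, time) tuples through one Greylister."""
    g = greylister or Greylister()
    return [g.decide(*attempt) for attempt in attempts]


# Constructed sample: a fire-and-forget bot and a real MTA that retries.
SAMPLE_ATTEMPTS = [
    ("198.51.100.7", "promo@spam.example", "ceo@corp.example", 0),
    ("203.0.113.5", "alice@partner.example", "bob@corp.example", 0),
    ("203.0.113.5", "alice@partner.example", "bob@corp.example", 300),   # 5 min
    ("203.0.113.5", "alice@partner.example", "bob@corp.example", 1800),  # 30 min
    ("203.0.113.5", "carol@partner.example", "dave@corp.example", 2000), # new tuple
    ("198.51.100.7", "promo@spam.example", "ceo@corp.example", 5 * 3600),
]


if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={attempt[3]:>6}s {attempt[0]:<14} {attempt[1]:<24} {verdict}")
```

The bot never retries, so its tuple is still grey when it comes back five hours later and it is told to try again once more; the partner MTA's retry at 5 minutes is too early, the one at 30 minutes passes, and a second message from the same host with a different sender and recipient is let through without any delay because the whitelist is per IP, which is also why the article's pf rule exempts the spamd-white table from the redirect.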
review

Absolute FreeBSD, 2nd Edition

Written by MICHAEL W. LUCAS Jr (the W. in the middle is important, the appended Jr is even better), this 700 page book is the updated opus of the famous FreeBSD bible from No Starch Press. Known for their unique books on technology, they focus on Open Source, security, hacking, programming, alternative operating systems, and Absolute FreeBSD 2nd Edition is no exception.
You will learn to manage your FreeBSD system, from installation to configuration and lots more, like how to build your own embedded devices, how to encrypt disk partitions, how to use FreeBSD's multiprocessor features to your best advantage, how to run diskless servers, and more!
Absolute FreeBSD, 2nd Edition covers installation, networking, security, network services, system performance, kernel tweaking, filesystems, SMP, upgrading, crash debugging. It also includes a lot of tutorials and how-tos: use advanced security features like packet filtering, virtual machines, host-based intrusion detection; build custom live FreeBSD CDs and bootable flash; manage network services and filesystems; use DNS and set up email, IMAP, web, and FTP services for both servers and clients; monitor your system with performance-testing and troubleshooting tools; run diskless systems; manage schedulers; remap shared libraries; optimize your system for your hardware and your workload; build custom network appliances with embedded FreeBSD; implement redundant disks, even without special hardware; integrate FreeBSD-specific SNMP into your network management system.
The first edition is 7 years old, and was a complete guide to FreeBSD 4.0 at that time. This second edition is about the latest FreeBSD version, 7.0, with all the tools from 4.0. Of course this book also applies to earlier versions as well as to future versions. Michael's coverage of GEOM, NanoBSD, FreeSBIE, journaling, memory file systems, filesystems in a file makes this book a must have even for the readers of the first edition. New readers will still get the solid introduction they need; concepts are explained clearly and with a lot of examples in this easy-to-use book. It's a great first step for those who would like to become committers or contributors in the future.
MICHAEL W. LUCAS (Jr) has been using Unix systems for more than 20 years and FreeBSD since 1995. A developer himself, and a long term contributor to the FreeBSD system, he provides in his books a clear point of view of the operating system. Written with the help and advice of dozens of FreeBSD developers, the answers are straight, the concepts given clearly. Famous for his cool writing talent, the author of the Absolute series makes it easy to read, very lively for a system administration guide. You can get an idea from chapter 8, available for free on the publisher's web page.
More than a book, it's a manual aimed at the regular users who want to cleanly handle their desktop and the sysadmins who want to know how the machine thinks. Of course it's all about the command line interface and configuration files; those used to GUI environments and click-here-and-then-there tutorials will discover the strength and the flexibility of Unix and how the FreeBSD system is organised.
This book covers almost everything that appears in 7.0 except too recent developments like binary updates. It is nonetheless a bible for FreeBSD users and sysadmins. Now you don't have to google for every little command or single configuration detail you're looking for.
PC-BSD in Schools
iXsystems

Security, Stability, and Ease of Use Make PC-BSD Deployment in Poulx School District a Success. School District Deployment Sets the Tone for Future PC-BSD Deployments Throughout France

PC-BSD provided the stable and secure solution we needed for a trouble-free deployment in the Poulx School District at a negligible cost, say Marie Walrafen and Guillaume Fontaine, owners of Chamanik.com.

• PC-BSD is easy to install
• PC-BSD is free and open source
• PC-BSD is secure, reliable, and provides excellent content management
• PC-BSD is easy to support
• PC-BSD can handle multiple users on a small network
• PC-BSD is based on FreeBSD

Schools, businesses, and government offices have a basic set of needs when it comes to deploying a desktop operating system. They need a solution that runs smoothly and efficiently, with minimal effort on behalf of the parties involved. The solution also needs to be safe, secure, and easy to implement and maintain.
The Poulx School District did not have a need to run highly specialized applications. What they required was an operating system that is stable, reliable, and free of viruses. Unfortunately, hackers are continuously writing viruses for the Windows environment, and these viruses hamper the successful operation of a network. And while Linux protects against most viruses and is a low-cost open source alternative, it doesn't feature the stability and security of FreeBSD.
PC-BSD is a fully functional desktop operating system running FreeBSD 6 under the hood. Its graphical system installer makes the system installation process effortless. Its self-installing software packages make loading programs a snap. It is secure, reliable, and easy – a perfect tool for all basic needs and especially fit for use at a school, small business, or government office.
In February of 2008, Marie and Guillaume deployed PC-BSD in the Poulx School District in France. They installed PC-BSD on a small network that had previously been running the Mandriva version of Linux.
Marie and Guillaume were already familiar with PC-BSD and FreeBSD, having deployed it for the wireless network in the city hall. They knew that the applications needed to run on the systems in the school were compatible, and that all the applications could be run with existing PBIs (push button installers) available for PC-BSD. Hundreds of easily installed PBIs are available for download from http://www.pbidir.com, with updates made daily. Many are also available on Disc 2 of PC-BSD. They also knew that PC-BSD can be installed very quickly and is easy to use, and can handle multiple users on a small school network. They made the recommendation to deploy PC-BSD in the schools, and have never looked back.
Marie and Guillaume downloaded PC-BSD Discs 1 and 2 free of charge from http://www.pcbsd.org. Marie used the Disc 1 copy as the install disk on all the machines. When each machine had completed the install process, Marie removed Disc 1 from the machine and inserted Disc 2. It took only a few minutes to install PC-BSD on each computer.
The final steps of the deployment process took about half an hour to complete. Marie configured the internet access for the school network and installed the French language files from the second CD. She also installed the PBIs for critical applications needed by the school. Through the use of the PBI software Marie was quickly able to install Gimp, Planetarium, and various educational games.
The school's requirement for preventing inappropriate site content from being accessed by students resulted in the need to set up a proxy server as a filter. Methods and protocols were established so that teachers were able to log in and connect to the internet without going through the proxy server for unrestricted searches and research. The systems were also set up so that the teachers could boot from their individual computers, instead of having to boot from the general server.
Marie set up an individual profile for each pupil on the school network, which would allow documents saved on the network to be accessed by students using any computer within the network. All software needs were accommodated by existing PBIs.
All in all, the deployment process was highly successful. Marie just laughed when asked to describe a technical problem she had had during the deployment, as there were none. Support issues since the deployment have been minimal as well, consisting primarily of hardware upgrades and other issues not related to PC-BSD.
The teachers are very comfortable using PC-BSD and appreciate its ease of use and trouble-free administration. They have forgotten all about Mandriva and Windows XP (which they were using before Mandriva). The students have been able to access their files with ease, and some of them are enjoying PC-BSD so much that they have asked Marie and Guillaume how to install it on their desktop at home. They appreciate the possibility that there is an available alternative to Windows, and even to Linux.
The solution deployed by Marie and Guillaume in the school can be easily replicated in an academic, government, or small business environment. Marie and Guillaume are in the process of setting up other deployment contracts within the Poulx school district, as well as throughout France. It is easy to sell the PC-BSD implementation solution to other entities given PC-BSD's stability, reliability, and trouble-free system administration. Marie says that even though she is the technically ignorant half of the partnership with Guillaume, she was able to get up to speed on installing and using PC-BSD in no time. PC-BSD is also significantly more cost-effective than its closest non-open source competitor, which costs upwards of $200 per copy for the full version of the operating system.
Marie and Guillaume are also taking their solution to the Poulx City Hall, which previously contracted them to set up the city's wireless network. City Hall is currently running Windows on 8 of the 12 available computers but has agreed to gradually switch the remaining computers over to PC-BSD. Marie and Guillaume are confident that the software used to run city hall's administrative functions can be made to work on WINE (a compatibility layer for running Windows programs on top of UNIX). They intend to eventually develop their own solution that does not need WINE. Once the switch-over is complete Poulx will have the unofficial title of FreeBSD City bestowed upon it by its Mayor.

General Advantages of PC-BSD
In addition to some of the items listed above, there are a number of reasons to deploy a FreeBSD-based solution when designing a network architecture. Because the underlying OS for PC-BSD is FreeBSD, these advantages apply to PC-BSD as well.
First of all, the FreeBSD license is unrestrictive and user-friendly, and consists of only a couple of clauses. It does not require people to make their code changes public, which means that you can take BSD licensed code, change it, and sell it as closed source software. The same is not true for Linux, another popular open source OS, which is released under the GPL (GNU General Public License) and requires that changes be contributed back to the source code. As a result, when Linux code is modified, these changes are not proprietary.
Furthermore, FreeBSD eliminates most dependency issues through the FreeBSD Ports System. The Ports System is a software management infrastructure for easily installing, upgrading, and maintaining software on the system. With PC-BSD the PBIs can be installed in addition to the over 18,000 ports of available applications. PBIs are not part of the centralized repository system. While the PC-BSD Project hosts and maintains many popular programs in PBI format, users can download programs from anyone who has a PBI, and anyone can build PBIs and host them. This is different from Linux, where software availability is mostly controlled by the distro manufacturer.
Finally, FreeBSD is a centrally developed and maintained operating system, whereas Linux is a kernel wrapped in mostly GNU userland utilities. This means that with FreeBSD, a single project comprised of various teams is responsible for the kernel AND userland, while in Linux, userland utilities and kernel versions are different from distribution to distribution.

Figure 1. Poulx School District
let's talk

Interview with Damien Bergamini, OpenBSD developer

One of the most requested features for wireless networking should be part of OpenBSD 4.4. I am talking about WPA, and I had the pleasure to interview Damien Bergamini, the developer who did a huge amount of work on the OpenBSD wireless subsystem.

Damien worked on the drivers, reverse engineering and building some of the code that can now be found in most free OSes, even OpenSolaris! The work he did on the WPA implementation follows a different design, as the code runs in the kernel, and provides a very clear way of configuration: ifconfig. You could set up WPA-PSK in station mode with a simple line:

# ifconfig ral0 wpa wpapsk \
    0x0e8de50e2a614dbd83df61db3e042b396177e8cc8ef7e1f2e83e158a19ba5ea3

or a WPA2-PSK setup for access point mode with:

# ifconfig ral0 mediaopt hostap nwid openbsd_ap chan 5 \
    wpa wpaprotos wpa2 wpaciphers ccmp wpagroupcipher ccmp wpapsk \
    0x0e8de50e2a614dbd83df61db3e042b396177e8cc8ef7e1f2e83e158a19ba5ea3

Keep reading for the other cool details!

Could you introduce yourself?
I am French, I'm 28 years old. I have been an OpenBSD developer since 2004. I have written numerous drivers for 802.11 wireless devices, and lately, I added support for WPA-PSK (Wi-Fi Protected Access using pre-shared keys) to our generic 802.11 layer.

What type of difficulties did you have to overcome to implement WPA/WPA2?
The reason it took a long time to implement WPA in OpenBSD is that the various standards that make up WPA are fairly complicated. It's a steep learning curve.
Of course we could have thrown in whatever existing WPA implementation would have done the trick, but this is not the way we operate in OpenBSD. OpenBSD tends to be more quality-driven than feature-driven. Before we import a large piece of code in the base system, we must make sure someone in OpenBSD can maintain that code and can fix it should it break. This means at least one developer must fully master that code and be very comfortable with it. We prefer to not support a feature rather than import code we cannot maintain. Although this may be frustrating for our users sometimes, this is a winning strategy in the end.
Before beginning my work on WPA, I studied various existing WPA implementations (mostly wpa_supplicant, hostapd and xsupplicant) but I did not like their design so I decided to write my own implementation from scratch, taking a very different approach.

What differences do you see in OpenBSD's WPA implementation compared with other BSDs' ones?
Other BSDs use wpa_supplicant for client mode and hostapd for AP mode. The reason I chose to not go that road is that wpa_supplicant and hostapd are rather huge (in terms of lines of code) and that they try to implement too many things at the same time (802.1X, 802.11i, EAPs). I particularly did not like the way those tools were reimplementing parts of the 802.11 management entity (MLME) in userspace. This is very redundant with what we already do in the kernel, and it requires that the kernel implement hooks to let the userspace play with the 802.11 management state machine.
In OpenBSD, support for 802.11i is fully implemented in the kernel (in our generic 802.11 layer) because this is the natural place to do it (this is where we keep all the information and states about APs and stations). As a result, you can set up a WPA-PSK network (AP or client mode) without running any external daemon. You only need to know one command: ifconfig.
However, in OpenBSD, we do not support WPA-Enterprise yet, while other BSDs support it. But this is something I'm actively working on. I'd like to implement the 802.1X PACP protocol in the kernel (both supplicant and authenticator state machines) for both wired and wireless interfaces. Then I will implement some of the most used EAPs.

Does running WPA in the kernel increase the security risk?
Not at all. In this particular case, I would say quite the opposite, because implementing the 4-way handshake and group key handshake in userspace requires that you let the userspace control the 802.11 kernel state machine, which is very error-prone given that the 802.11 state machine is quite complicated and that not all drivers handle all the possible state transitions properly, especially those that implement the 802.11 state machine in firmware.

Considering that your implementation runs in the kernel, do you see any performance advantage over the other implementations?
No. Except for software encryption/decryption (that other OSes do in the kernel too), WPA is not performance critical. It consists of the exchange of a small number of packets (4 for the 4-way handshake) between the supplicant (the client) and the authenticator (the access point). This does not require any special

Is there any work on performance improvements or power saving for wifi drivers?
I'm currently adding hardware crypto support for more chipsets. This should help a bit performance-wise. I'm also working on supporting stations in power-save mode when operating as an access point.

I remember that you used only software crypto for WEP, instead of the features included in some chips. Is this still true? What about modern WPA-compliant chips? What advantages do you have using software crypto and open source drivers?
That is not exactly true. Some drivers were already doing WEP in hardware; however, because CCMP is more costly to do in software, it will become critical to support hardware crypto for more devices. I have already implemented hardware crypto for TKIP and CCMP in the Ralink RT2860 driver to make sure our net80211 design was clean enough to allow for both types of crypto. I am now working on other drivers, like wpi(4) and iwn(4). Some crypto engines are so badly designed though that supporting them will offer little to no performance benefit (because, for instance, even if the device supports scatter/gather, the crypto engine does not, and you have to copy every outgoing packet). For these devices we will continue to use the software crypto code.

OpenBSD developed a lot of drivers for wireless chips using reverse engineering. We saw some exploits for closed-source drivers provided by vendors. Were your drivers vulnerable? What type of measures did you adopt to improve wireless driver security?
Offering open-source drivers does not guarantee that no vulnerability will ever be found. However, you do not need to wait for the vendor (or the developer that wrote the driver under an NDA) to fix that vulnerability.

How are your relationships with vendors? Do they offer you access to datasheets and specs without NDA agreements? Do they let you redistribute their firmwares?
Only a few vendors provide datasheets

also provided some documentation for their USB chipsets before they got bought by Atheros. There was some documentation available for the earliest Realtek chipsets too, but I'm not sure it's still the case for their latest chipsets. Some vendors, like Intel or Marvell, provide open-source Linux drivers but no documentation. The worst players are Atheros and Broadcom, though things may change with Atheros in the future.

From a security point of view what setup would you suggest for a wireless network?
For a home network, WPA2-PSK (with 256-bit AES) is a good compromise between security and ease of configuration. WPA2-Enterprise or IPSEC are equally good solutions for enterprise networks.

What reasons do you see to deploy an OpenBSD based access point instead of using one of those cheap little boxes?
Of course, you can always use a classical access point as a bridge if you want, but it is a bit of an overkill if you want to build something small. With the support of more embedded systems in OpenBSD (armish, socppc ports), it becomes even more important to have good support for AP mode. This way you can for example set up a smaller NAS with Wi-Fi support, and all the good things that OpenBSD brings to you (pf, etc).

Any thoughts on 802.11n?
802.11n is not yet standardized at the time of this writing [May 2008]. It is not yet supported in OpenBSD. Although we already have drivers for 802.11n devices, they only support 802.11g mode for now. Some parts of the 802.11n specification are very complicated to implement (like block ACK sessions) while the performance gain in a real-life setup is not clear at all. I don't buy the argument about the improved speed in 802.11n at all. Anyway, I'm planning to work on 802.11n at some point, but there are more important things to do first, like multi-bss support and improved power management.

by Federico Biancuzzi ed@bsd.it
optimization. without NDAs. Ralink is one of them. Zydas
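The 4-way handshake the interview describes (four EAPOL-Key packets between supplicant and authenticator, each side deriving the pairwise key from its own PMK) is modelled below as an added example. It is not code from the interview, the magazine, or OpenBSD's net80211; it follows the IEEE 802.11i key hierarchy (PMK = PBKDF2-HMAC-SHA1 over the passphrase and SSID, PTK = PRF-384 over the two MAC addresses and nonces, EAPOL-Key MIC = HMAC-SHA1 truncated to 16 bytes as used with CCMP). The EAPOL-Key frame layout is deliberately simplified to nonce, replay counter and MIC; the MAC addresses, SSID, passphrase and nonces are constructed test values. Beyond the happy path, it also shows the failure mode a practitioner cares about: a PMK mismatch surfaces only as a failed MIC on message 2, and no key material ever crosses the air.

```python
# Added example, not from the BSD Magazine interview nor from OpenBSD's
# net80211 code: a small model of the WPA2-PSK 4-way handshake between a
# supplicant (client) and an authenticator (access point).  It shows why the
# exchange is cheap: one PBKDF2 run per association and a few HMACs.
# Key derivation follows IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID),
# PTK = PRF(PMK, "Pairwise key expansion", addresses || nonces) and the
# EAPOL-Key MIC is HMAC-SHA1 truncated to 16 bytes (the AKM used with CCMP).
# The EAPOL-Key frame layout is simplified (nonce || replay counter || MIC);
# addresses, SSID, passphrase and nonces are constructed test values.
import hashlib
import hmac
import os

AP_MAC = bytes.fromhex("001122334455")   # constructed authenticator address
STA_MAC = bytes.fromhex("66778899aabb")  # constructed supplicant address
MIC_LEN = 16
ZERO_MIC = b"\x00" * MIC_LEN


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """CCMP PTK (48 bytes) split into KCK (MIC key), KEK (wraps the GTK) and TK (data key).
    Inputs are ordered min||max so both sides build the same input string."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[0:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed (AKM 00-0F-AC:2)."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:MIC_LEN]


def seal(kck: bytes, body: bytes) -> bytes:
    """Append the MIC to a frame body."""
    return body + eapol_mic(kck, body + ZERO_MIC)


def verify(kck: bytes, frame: bytes) -> bool:
    """Constant-time MIC check of a received frame."""
    body, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
    return hmac.compare_digest(mic, eapol_mic(kck, body + ZERO_MIC))


def run_handshake(ap_pmk: bytes, sta_pmk: bytes, anonce: bytes = None, snonce: bytes = None):
    """Drive messages 1-4.  Each side derives the PTK from its own PMK; a
    mismatch surfaces as a failed MIC, never as a secret sent over the air.
    Returns (ok, reason, ap_tk, sta_tk)."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)

    # Message 1 (AP -> STA): ANonce, no MIC yet (there is no key to compute it with).
    msg1 = anonce + (1).to_bytes(8, "big")

    # Supplicant: pick SNonce, derive PTK, answer with SNonce + MIC (message 2).
    sta_kck, _sta_kek, sta_tk = derive_ptk(sta_pmk, AP_MAC, STA_MAC, msg1[:32], snonce)
    msg2 = seal(sta_kck, snonce + (2).to_bytes(8, "big"))

    # Authenticator: derive PTK from the received SNonce and check the MIC.
    ap_kck, _ap_kek, ap_tk = derive_ptk(ap_pmk, AP_MAC, STA_MAC, anonce, msg2[:32])
    if not verify(ap_kck, msg2):
        return False, "message 2 MIC failed at authenticator (PMK mismatch?)", None, None

    # Message 3 (AP -> STA): ANonce again, MIC'd; the GTK would ride here wrapped under KEK.
    msg3 = seal(ap_kck, anonce + (3).to_bytes(8, "big"))
    if msg3[:32] != msg1[:32]:
        return False, "ANonce in message 3 differs from message 1", None, None
    if not verify(sta_kck, msg3):
        return False, "message 3 MIC failed at supplicant", None, None

    # Message 4 (STA -> AP): confirmation; both sides now install TK.
    msg4 = seal(sta_kck, (4).to_bytes(8, "big"))
    if not verify(ap_kck, msg4):
        return False, "message 4 MIC failed at authenticator", None, None
    return True, "4-way handshake complete, TK installed", ap_tk, sta_tk


if __name__ == "__main__":
    pmk = pmk_from_passphrase(b"correct horse", b"bsdmag-lab")  # constructed
    ok, why, ap_tk, sta_tk = run_handshake(pmk, pmk)
    print(ok, why, ap_tk == sta_tk)
    wrong = pmk_from_passphrase(b"wrong passphrase", b"bsdmag-lab")
    print(run_handshake(pmk, wrong)[:2])
```

Real EAPOL-Key frames also carry the key information field, key length, the RSN IE and the KEK-wrapped GTK in the key data, and the MIC covers the whole EAPOL frame; the model keeps only what is needed to show that the four messages prove possession of the PMK without revealing it. Note that the whole exchange costs one PBKDF2 run (4096 HMAC-SHA1 iterations, done once per association, or once per passphrase change if the PMK is cached) plus a handful of HMACs, which is why it is not performance critical wherever it runs.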
column
Apple's emergence into the BSD community has been a long and storied one. While they are quick to claim membership, as they have derived much of Mac OS X from various points, most notably from FreeBSD 5, I often wonder how much they have returned. Granted, there are not any requirements for such participation in the community, which is a major facet of BSD licensing as a whole. Still, it would be nice to cite some examples of their contributions, and respectfully offer some suggestions.

One of the most often overlooked aspects of Apple's BSD lineage is the fact that, as far as Open Source is concerned, they single-handedly launched FreeBSD into the stratosphere, numbers-wise. BSD can accordingly claim more desktop installations than any other freely available OS, including all of the Linuxes combined. However, I am still left wondering, "Is this enough?". This is especially so since Mac OS X, like DragonFlyBSD, is a fork off of FreeBSD 5, which has been officially deprecated as of the release of FreeBSD 7. I am not saying that either of these products is flawed, just that I have to wonder what Apple's game plan is.

When Apple made the shift to FreeBSD 5 as the base of their OS, many pondered the possibility that Apple would simply evolve their product along the line as FreeBSD itself evolved. Considering that they use their own version of the Mach kernel, there may be little benefit for them to incorporate FreeBSD's major evolutions into their product. Yet it would seem that with the switch to an Intel-based architecture, it would be possible one day to run FreeBSD with an Apple UI; and that truly would be interesting. Considering that they were a bit tardy with the Leopard release, it certainly might help reduce their overhead if they were to adopt this approach.

Another interesting point would be to fully incorporate MacPorts into the base OS right from the installation. This could be especially true on their server version of the product, where it should not be a trivial matter to update the installed version of, say, PHP, to add a new feature not bundled in the original installation. Do not even get me started on sed, which is version 0.1 from 1987. While Mac OS X updates fix the items they have added to the OS and eventually tie up the loose ends in security issues, they typically do not address that lagging UNIX underbelly. Personally I would prefer the FreeBSD model where you install the OS bare-bones. Then install things like Apache from the ports rather than have them installed by default, as you would on other overly bloated operating systems. The obvious benefits of this approach are well-documented and are discussed to death on the various FreeBSD mailing lists and forums.

Another Open Source project to feel the touch of Apple's broad borrowing is the KDE project, as they have adopted the KHTML engine, which is the basis of Konqueror and their Safari browser. Here again I cannot find a direct example where Apple has done anything more than tell the world "Hey, we use KHTML as the basis for our browser", thus drawing attention to the project that it would not have otherwise garnered on its own. What is truly interesting here is that a tangent of the KDE project has devoted itself to a natively deployable version on Mac OS X without the requirement of X11 at all.

This, of course, leads me to Apple's touting the ability of running thousands of ready-made applications available from the X community. With Leopard Apple made the shift from XFree86 to X.org, which was not a happy transition, to say the least. Here again Apple does not treat X as a part of the OS with regards to updates, and users had to wait for quite a while before the version supplied with Leopard was stable. Fact of the matter is numerous users installed the version found in Tiger in lieu of the latter version so that they could continue to run their favorite applications. This is yet another example of why Apple should just incorporate the ports directly into the OS. Were they to provide the necessary libraries, components and patches, users could keep their systems up to date without issue.

To be fair, I have read that Apple has been kind enough to donate hardware on occasion to Open Source projects. However, I must admit they do not make that list of recipients well known. To sum up their involvement in the Open Source community, it appears to be little more than a marketing ploy, which is truly sad.

If you compare their involvement to that of IBM or Novell, who both have a clear track record, Apple would look more like a Sun rather than a true Open Source contributor. Sun has eked ahead only slightly with the recent purchase of MySQL and the decision to keep it open (for now). Finally, sad as it is to say, Microsoft has a more clearly defined stance on Open Source; they made no bones about using FreeBSD's TCP/IP networking stack for years without any intentions of giving anything back to the community.

All in all, I must ponder what sorts of leaps and bounds could be made if Apple worked more closely with the community.

Community membership application status: Probationary Approval
In the next issue: