I have been wanting to use OpenBSD for a while after hearing everyone praising its superior security. Until then, my only exposure to OpenBSD was installing it on a VM and maintaining Drogon on it. Needless to say, VM performance sucks. Not even Linux can do video playback on a VM without graphics acceleration. Now I finally got the motivation to install it on real iron after building and hosting some services on my hardware.
Not going to lie. It took me several tries to finally get OpenBSD installed. The OpenBSD installer is quite good and easy to follow. It asks for your hostname, network interface, passwords, etc. Then you're asked to select where to install the system. By default OpenBSD partitions the disk into a lot of partitions: /, /usr, /usr/local ... But I want to store everything in a single partition, so I don't run out of space when I install packages. But manually doing that makes the OpenBSD installer very angry and fail to install the boot loader. After several tries, I gave up and used the default partitioning. Hope it's not going to bite me later.
Now the installer asks where the "sets" are located. Unlike most Linux installers, OpenBSD installs by decompressing prebuilt tarballs (sets) into the partition. The "install" image from the OpenBSD website includes the basic sets. I was stuck for a while because I couldn't locate the sets in this prompt. It turns out that even though I ran the OpenBSD installer from a USB stick, the sets partition wasn't mounted by default. So I had to reply "no" to the "is the partition mounted" question, then select the partition where the sets are located. Installation goes smoothly after that.
Overall, installing OpenBSD is slightly easier than installing Arch from CLI manually. But it is technical and different enough that I won't recommend it if you can't install Arch.
After installing, a new problem appears. My PC is connected exclusively via WiFi. The AP is too far away. Yet running ifconfig iwx0 up causes OpenBSD to complain about missing firmware. Ohh.. dang, that's a chicken and egg problem. I can't invoke fw_update to install the firmware I need. But I can't get to the internet because of the missing firmware. I ended up being lazy and got some help from Linux. OpenBSD, installed on a hard drive, will happily boot in a VM just by setting /dev/sdc as the emulated drive (yay! everything is a file rocks):
```
sudo qemu-system-x86_64 -m 1024 -enable-kvm -smp 4 \
    -drive file=/dev/sdc,format=raw,index=0 \
    -device e1000,netdev=net0 \
    -netdev user,id=net0 \
    -bios /usr/share/ovmf/OVMF.fd \
    -display sdl
```
Here I encountered a weird keymap bug. Somehow the default frontend (GTK) has the wrong keymap. Any keys I press are converted into some European characters. After some messing around, I found that the SDL frontend is fine. Then I log in to install the firmware.
```
doas fw_update iwx
```
I also installed Gnome and Firefox while I'm at it. I disabled xenodm because I want to use GDM. I know GDM is not as secure as xenodm. But I don't want to be dealing with scripts to set up dbus. Especially since this is the first time I'm using OpenBSD.
```
doas pkg_add -i gnome gnome-extra firefox
rcctl enable gdm messagebus multicast
rcctl disable xenodm
```
Reboot into OpenBSD.. I got into the command prompt.. Ugh.. where's GDM? At this point I assumed I screwed up something. So I tried to downgrade a bit. Installed XFCE. Disabled GDM and enabled Xenodm again. Reboot. Nice! Xenodm and XFCE do work. Immediately I noticed severe screen tearing. glxinfo | grep OpenGL shows that I'm on llvmpipe (CPU rendering) and not my 6700XT GPU (which is supported in OpenBSD 7.1). After some toying around, I found out that I need to install the firmware, again.
```
doas fw_update amdgpu
```
Yet again, reboot. Log in to XFCE and now glxinfo shows I'm using the AMDGPU driver. Yessss. Reenable GDM and reboot. Even nicer, both GDM and Gnome are working perfectly. Firefox also works.
OpenBSD has 2 update mechanisms. One for updating packages added via pkg_add and another for patching the system/kernel called syspatch. I feel weird that it's a separate thing. On Linux, the kernel and the base system are managed by the same package manager that handles packages. I guess this is a BSD thing as FreeBSD also has freebsd-update.
```
doas syspatch
```
Installing custom fonts on OpenBSD is not as straightforward as on Arch. Though it's the same process, most Linux distros have a font installer and abstract the process. To install fonts on OpenBSD, you have to put the fonts in the /usr/X11R6/lib/X11/fonts/<folder> folder and reevaluate the font cache.
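```
# <folder> is a directory name of your choice; <font files> is a placeholder for the fonts to install
doas mkdir -p /usr/X11R6/lib/X11/fonts/<folder>
doas cp <font files> /usr/X11R6/lib/X11/fonts/<folder>/
doas /usr/X11R6/bin/fc-cache
```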
IMO Adwaita is a bad theme. It looks gray and unpleasing. I have been using the Arc theme for a while. On Arch Linux installing it is as easy as pacman -S arc-theme. On OpenBSD, there's no package for it. So I had to install it from source. Arc was previously maintained by horst3180. It got abandoned and I'm using jnsh's fork.
```
doas pkg_add sassc meson inkscape # for building the theme
git clone https://github.com/jnsh/arc-theme
cd arc-theme # run the build from inside the cloned source tree
meson setup --prefix=$HOME/.local -Dvariants=light -Dthemes=gnome-shell,gtk3,gtk4 build/
meson install -C build/
```
For security reasons, OpenBSD disables SMT by default. I get why they do it. But I am not that paranoid about CPU side channel attacks. And the performance loss is quite huge. So I decided to re-enable SMT.
```
# as root
echo "hw.smt=1" >> /etc/sysctl.conf
```
=> Sane YouTube FPS on FireFox on OpenBSD
FireFox is my preferred browser. But on OpenBSD, for security reasons, it doesn't do GPU acceleration. The performance is sluggish at best. I can't even play a 1080p video at 60FPS. But Chromium does have GPU working. So I switched to Chromium. It's worth noting that both Firefox and Chromium are unveil'd to only read their config files and the Downloads folder. This prevents any browser exploits from potentially reading your SSH keys in the home directory. But it also makes it so you have to copy files to the Downloads folder in order to upload them. It's a tradeoff that I can live with.
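The effect of that restriction can be sketched with a small model of how unveil(2) decides access. This is an added example, not code from the original post or from OpenBSD: the rule list and the /home/user paths are constructed, it assumes absolute, already-normalized paths, and the ENOENT/EACCES split follows the unveil(2) manual.

```c
/* User-space model of unveil(2) path checks; makes no system calls. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct rule { const char *path; const char *perms; };

/* Constructed rule set (assumption), not the list the OpenBSD ports ship. */
static const struct rule rules[] = {
    { "/home/user/Downloads", "rwc" },
    { "/home/user/.mozilla",  "rwc" },
    { "/usr/local/lib",       "r"   },
};

/* True if dir is path itself or one of its ancestor directories. */
static int covers(const char *dir, const char *path)
{
    size_t n = strlen(dir);
    return strncmp(dir, path, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* 0 if every permission in want is granted on path, ENOENT if no unveiled
   path covers it, EACCES if one does but lacks a requested permission. */
int check_access(const char *path, const char *want)
{
    const struct rule *best = NULL;
    size_t i;

    for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
        if (covers(rules[i].path, path) &&
            (best == NULL || strlen(rules[i].path) > strlen(best->path)))
            best = &rules[i];   /* most specific unveiled ancestor wins */
    if (best == NULL)
        return ENOENT;          /* the path does not exist for this process */
    for (; *want != '\0'; want++)
        if (strchr(best->perms, *want) == NULL)
            return EACCES;
    return 0;
}

int main(void)
{
    printf("ssh key read:   %s\n", strerror(check_access("/home/user/.ssh/id_ed25519", "r")));
    printf("download read:  %s\n", strerror(check_access("/home/user/Downloads/a.pdf", "r")));
    printf("lib write:      %s\n", strerror(check_access("/usr/local/lib/libx.so", "w")));
    return 0;
}
```

A file outside every unveiled directory is reported as nonexistent rather than forbidden, which is why an upload has to be copied into Downloads first.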
Unlike Linux, which has CPU frequency scaling built into the kernel, OpenBSD uses an external daemon. By default it's not installed. Installing and enabling it is as easy as:
```
doas pkg_add -i apmd
doas rcctl enable apmd
doas rcctl set apmd flags -L
doas rcctl start apmd
```
Thanks to Keith Burnett's writeup on installing OpenBSD on a laptop[1], I learned that in OpenBSD 7.1 apmd disabled frequency scaling when using wall power. obsdfreqd is needed to restore automatic scaling.
=> [1]: Running OpenBSD 7.1 on your laptop is really hard (not)
```
cd /tmp/ && git clone https://tildegit.org/solene/obsdfreqd.git
cd obsdfreqd
make
doas make install
doas rcctl enable obsdfreqd
doas rcctl start obsdfreqd
```
This is what my desktop ends up looking like:
=> Screenshot of my OpenBSD installation.
The sound server sometimes crashes during video playback. I can't yet manually restart it. At that point the only thing I can do is just reboot.
Some of my C++ projects require GCC11. OpenBSD does have a package for it. And the compiler part does work. But sometimes it fails in linking with the error undefined reference to '__cxa_throw_bad_array_new_length'. Some searching online shows this is caused by GCC11 linking against an older libstdc++. But I can't figure out how to explicitly link against a newer one.
Unlike Linux's LUKS and FreeBSD's GELI, OpenBSD's full disk encryption isn't something you set up during installation. Instead, you have to pre-setup an encrypted OpenBSD Area before installing. So I just ended up with a non-encrypted installation. It's fine for my test run. But I'll definitely need to do full disk encryption in future installations.
Whenever compiling larger projects and looking at htop, I often see the kernel taking up more than 50% of the total CPU capacity. It makes dragging windows feel sluggish. I've searched online but couldn't find a solution. This seems to be a kernel issue; I assume it's because OpenBSD doesn't do fine-grained locking well. Still, I can simply reduce the number of threads I use and leave one or two cores free.
OpenBSD is surprisingly usable. There's less magic in it. Which is a good thing. That means I have more control over what my system looks like and is doing. I can do ~95% of my daily tasks on it. Basically
All while having the peace of mind that I basically am immune to any kind of attack. Even if someone tries to pwn my browser, pledge and unveil[2] will protect me against serious damage.
=> [2]: Pledge, and Unveil, in OpenBSD
Seems like I'll be trying to use OpenBSD as my daily environment. Maybe I'll eventually switch to it completely. Who knows.