OpenBSD 6.0 - an exercise in precision



The OpenBSD project is well known for its strong focus on security and for its precise documentation. The OpenBSD operating system generally gives preference to security and properly behaving software over features. OpenBSD is lightweight, sparse and relatively locked down by default. This makes the platform particularly popular among administrators who need a firewall or other minimal and stable platform.



OpenBSD 6.0 introduces many small changes and a handful of important ones. Looking through the release notes we find support for the VAX platform has been dropped. There have been several security updates to the OpenSSH secure shell service. Perhaps one of the more interesting security features in the operating system is strict enforcement of W^X: "W^X is now strictly enforced by default; a program can only violate it if the executable is marked with PT_OPENBSD_WXNEEDED and is located on a file system mounted with the wxallowed mount option. Because there are still too many ports which violate W^X, the installer mounts the /usr/local file system with wxallowed. This allows the base system to be more secure as long as /usr/local is a separate file system. If you use no W^X violating programs, consider manually revoking that option."
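To check where the exception quoted above applies on a given machine, the following added example (not part of the release notes or of OpenBSD itself) scans fstab-format text for the wxallowed option and reports whether it reaches beyond /usr/local. The function names, disk identifiers and both partition layouts are constructed for illustration.

```sh
#!/bin/sh
# Added example: find fstab entries that carry the wxallowed mount option.
# Input on stdin is fstab text: device mountpoint fstype options dump pass

# Print the mount point of every entry whose option list contains wxallowed.
wxallowed_mounts() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }   # skip comments and incomplete lines
        {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "wxallowed") { print $2; break }
        }'
}

# Succeed only if wxallowed is absent or limited to /usr/local.
wxallowed_confined() {
    unexpected=$(wxallowed_mounts | grep -v -x '/usr/local' || true)
    [ -z "$unexpected" ]
}

# Constructed sample: installer-style layout, /usr/local on its own partition.
SAMPLE_SPLIT='0123456789abcdef.b none swap sw
0123456789abcdef.a / ffs rw 1 1
0123456789abcdef.e /tmp ffs rw,nodev,nosuid 1 2
0123456789abcdef.g /usr/local ffs rw,wxallowed,nodev 1 2
0123456789abcdef.h /home ffs rw,nodev,nosuid 1 2'

# Constructed sample: one large root partition that was given wxallowed.
SAMPLE_ROOT='0123456789abcdef.b none swap sw
0123456789abcdef.a / ffs rw,wxallowed 1 1
0123456789abcdef.d /home ffs rw,nodev,nosuid 1 2'

for name in SAMPLE_SPLIT SAMPLE_ROOT; do
    eval "data=\$$name"
    if printf '%s\n' "$data" | wxallowed_confined; then
        echo "$name: wxallowed confined to /usr/local (or unused)"
    else
        echo "$name: wxallowed reaches: $(printf '%s\n' "$data" | wxallowed_mounts | tr '\n' ' ')"
    fi
done
# On a real system: wxallowed_mounts < /etc/fstab
```

The second layout shows why the release notes tie the benefit to /usr/local being a separate file system: with the option on the root file system, the base system is no longer excluded from the exception.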



I decided to play with the 64-bit x86 build of OpenBSD which is 226MB in size. Booting from this ISO presents us with a text console where we are asked if we would like to install OpenBSD, upgrade an existing copy of the operating system or perform an auto-install. I chose to perform a normal installation.



At first, OpenBSD's system installer can seem a bit intimidating. It uses a text interface and will ask us a bunch of technical questions and this can put off newcomers. However, there are two nice aspects of OpenBSD's installer. One is that the installer almost always provides a sane default for us to use. This allows people to simply press Enter at most prompts. One of the few times we cannot get by simply pressing Enter is when we provide a password for our account. Otherwise we can fly through the installation process more or less on autopilot. The other nice feature is OpenBSD's installer is fast. We can get through the prompts in a minute and the copying of package files only takes a few minutes more. Even on older computers, a fresh installation of OpenBSD is likely to take less than ten minutes.



The installer walks us through choosing a keyboard layout, configuring the network, creating a root password and (optionally) creating a regular user account. We also have some choices to make regarding packages. The installer lets us decide whether we want to install graphical software and a window manager. We can also pick whether to install console games and documentation. I decided to install just about everything and enabled the graphical environment. Partitioning can be set up for us or we can manually divide up the disk. By default, OpenBSD creates many smaller partitions for /usr/local, /var, /tmp and the X11 display software as well as swap and /home partitions. While there are some security benefits to more fine-grained partitions, many people will probably prefer to set up a root partition and two more for /home and swap, assigning more space to each mount point. When the installer finishes setting up the operating system we are asked to reboot the computer.



OpenBSD boots to a graphical login screen where the user can sign into their account. OpenBSD, by default, uses a fairly minimal graphical environment. Upon signing in a virtual terminal opens on a blank background. A grid in the bottom-right corner of the screen shows the available virtual workspaces.



Apart from the window manager, OpenBSD is fairly minimal. We have access to the usual collection of Unix/Unix-like command line utilities, detailed manual pages and a package manager (pkg_add). Other tools, such as a minimal web server, the doas privilege assignment utility and the PF firewall are available too. With all of the base components installed, OpenBSD can still squeeze into a file system about 1GB in size.





OpenBSD 6.0 -- Installing packages from the command line




Most people, at least those like me who like to run desktop environments, will want to add additional software to the operating system. OpenBSD offers users a large collection of third-party ports and, for popular architectures, pre-built binary packages are also available. The pkg_add command line package manager requires that we select a package mirror before we can install new software. The OpenBSD website provides documentation which explains how to set a mirror using an environment variable. Once we have selected a mirror, pkg_add will install packages for us and resolve any dependencies automatically.



I decided to set up my usual collection of desktop applications, installing such extras as Firefox, the GNU Image Manipulation Program and LibreOffice. I also wanted a fuller desktop experience and installed Lumina, a Qt-based desktop environment with minimal dependencies. With OpenBSD's default configuration, the graphical login screen does not present the user with available desktop session options the way most Linux distributions do. Instead, each user can list their preferred desktop environment in their ~/.xsession file. I found the Lumina desktop, along with the other packages I wanted, installed and functioned without any problems. The only package I wanted and was unable to find was the Qupzilla web browser.





OpenBSD 6.0 -- Running the Firefox web browser




Soon, I had a comfortable desktop environment. I was able to work on documents, check e-mail, browse the web and watch YouTube videos via Firefox's HTML5 support. For people who need Flash support, the GNU Flash implementation, called Gnash, is available in OpenBSD's repositories. When the Gnash plugin is installed, Firefox automatically detects it and uses it to play Flash content.



I found the Lumina desktop components had changed a bit since the last time I used Lumina as part of a review. The configuration panel has been divided up differently and there appears to be more fine-grained control provided by the configuration modules. I also found the keyboard short-cut keys and settings were saved and utilized more reliably. The lightweight Lumina desktop (version 0.9.0) running on the minimal OpenBSD operating system provided a very responsive environment which required a mere 170 MB of memory.





OpenBSD 6.0 -- Running the Lumina desktop




OpenBSD switched last year from using the popular sudo privilege assignment software to using the project's custom doas utility. The doas software has a simplified syntax and features less code than sudo. The functions of the two commands are similar, but I find configuring doas to be more straightforward and it involves less cryptic configuration files. While doas is available by default on OpenBSD, the utility rejects all attempts to use doas until a configuration file has been created by the root user. This prevents new users from accidentally getting more access than they should have been assigned.



I attempted to run OpenBSD on my laptop and in a VirtualBox environment. I found the operating system performed quite well in VirtualBox. The system booted in a few seconds, the base operating system and its applications were stable. The system performed well and used less than 200MB of memory. OpenBSD did not boot on my laptop computer. I have heard OpenBSD tends to do well with laptop hardware, particularly wireless networking cards, but was unable to verify the operating system's reputation.





OpenBSD 6.0 -- Testing the Gnash plugin on Flash content




Conclusions



OpenBSD is a project I think is great for firewalls and, in many situations, servers. However, I have been reluctant in the past to recommend (or even use) OpenBSD as a desktop operating system. OpenBSD is, out of the box, fairly minimal and, like do-it-yourself Linux distributions such as Arch Linux, it can take some time to get OpenBSD set up the way I want it. Desktop environments and most graphical applications are added to the system post-installation and even the package manager needs to be pointed at the proper mirror; it doesn't work without being configured.



That being said, there are several aspects of OpenBSD which can make it an appealing desktop system. The initial installation of OpenBSD happens very quickly, taking just a few minutes, and most of my setup time this week was spent just downloading third-party applications. OpenBSD defaults to secure configurations, locking things down. As an example, my regular user account was not able to shut down the system while logged into Lumina with the default settings. Access to perform most tasks must be explicitly granted. This may be inconvenient at times, especially on a single-user system, but it does mean OpenBSD protects us with its default settings, so a user really needs to go out of their way to break things.



OpenBSD has very basic package management and security updates are often applied manually. There are third-party repositories that can be used to automate security updates, but I do not think they are officially supported at this time.



What I really like about OpenBSD though is its performance. The system is very light, runs on older equipment and on a wide range of architectures. The system requires relatively little disk space (the base system, Lumina and my applications totalled about 2GB in size) and only a few hundred megabytes of memory. This makes OpenBSD quite appealing for people running older equipment.



OpenBSD can be intimidating with its do-it-yourself approach, but once one becomes familiar with the system, the user is rewarded with a very simple, consistent and well documented working environment.

* * * * *

Hardware used in this review



My physical test equipment for this review was a de-branded HP laptop with the following specifications:

Processor: Intel i3 2.5GHz CPU

Display: Intel integrated video

Storage: Western Digital 700GB hard drive

Memory: 6GB of RAM

Wired network device: Realtek RTL8101E/RTL8102E PCI Express Fast

Wireless network device: Realtek RTL8188EE Wireless network card