Moving to OpenBSD

UNIX was not designed to stop its users from doing stupid things, as that would also stop them from doing clever things.

Doug Gwyn

Since my initial venture into the world of self-hosting, web services, and this website, I have been running my servers on Linux. At first this was because I was hosting on a Raspberry Pi 4B, an at-the-time newly released system which lacked proper support from other UNIX operating systems. Afterwards it was a matter of familiarity – I had been using Linux on the desktop for some years and was extremely comfortable administering Linux machines.

It wasn’t all sunshine and rainbows though, when hosting my web services I followed the advice of others (which one often does when one is exploring a new field) and went with nginx(8). It worked, but it wasn’t great. It was complicated and it took me quite a while to feel like I really understood what was going on. At the very least, the nginx.conf(5) manual page was quite extensive and very useful in figuring out how to configure my sites.

There were also issues with my init system systemd(1). Don’t get me wrong, it definitely worked, but a lot of the services I was running didn’t integrate out of the box with systemd(1) which required me to write my own service files. This is of course not at all a problem – as a programmer it should be expected of me to be able to write such things – but that didn’t stop them from being in my opinion, far too complicated (see systemd.service(5)).

The whole thing also just generally felt messy – setting things up based on the advice I was finding online, most of my dæmons were running as a random mixture of my regular unprivileged user, the root user, or their own user (which is generally not easy to distinguish from a regular user).

Tux to Puffy

For a long time I have had an interest in the BSDs. I first discovered them in my highschool computer science class when a day one quiz had us trying to identify different operating systems by their logos. Alongside the classic MacOS, Windows, and Linux logos was a horned red ball – a logo that my research would lead me to identify as that of FreeBSD. Of course my professor proceeded to tell us it was the logo of UNIX, but that’s besides the point.

Part of my interest was a result of the (in my opinion) very cool FreeBSD logo, but for the most part it was an appreciation for the philosophy and design of the various BSD systems. Linux is famously just the kernel, but the BSDs are complete operating systems, shipping with their own userlands, manual pages, and so on. As a result this creates a system that to me feels a lot more complete and less hacked together – something that I find to be one of the big downsides I’ve experienced since switching to Linux. That is of course not to say that there is no fragmentation – these are still POSIX systems where you’re running a bunch random software from Codeberg – but the integration of the init system, the core system utilities, and manuals, etc., all feels a lot more clean.

Just as an example of the above, OpenBSD ships with httpd(8), its own HTTP server. Alongside this, an example configuration comes shipped in /etc/examples/httpd.conf. In the case that you copy this example config to its proper location and mess up (for example) the file permissions on this new file, the built-in cron(8) dæmon will automatically run the daily(8) script which itself will run security(8). This in turn will detect your erroneous file permissions and send a mail warning the root user which can then be read with mail(1).

The important part to emphasize is that none of this had to be manually setup – it was all just done for me as part of the base OpenBSD install. On top of that, every single component was properly documented via high-quality manual pages using consistent formatting and terminology. On a typical Linux system half your software won’t even have a manual, and each manual will be structured in a slightly different manner that just feels sloppy. That is not to mention the total aversion most open-source developers have to actually providing examples in their manuals.

So what motivated the move? Well for a while now I’ve both wanted to move towards self-hosting my own server instead of renting a VPS, and also just reconfigure a new server from scratch. My existing VPS was setup at a time when I wasn’t as familiar with what I was doing, and while it worked, it was extremely sloppy and I often spent more time than I’d like debugging issues that shouldn’t exist to begin with. Given both of these factors I recently decided to take the plunge and actually purchase some parts and put together my own server, and while I was at it, I ensured that all my hardware would be OpenBSD compatible because I knew I would want to at least try OpenBSD, and see what it’s all about.

The Experience

The experience so far has been nothing short of great. The initial installation was extremely simple with the installer handling just about everything for me, and the post-install setup was also great. OpenBSD ships with the afterboot(8) manual which provides you with a list of everything to do after your initial system install. Afterwards I just had to setup a webserver to host this site. I thought it would take me a while to get a webserver, TLS, and everything else up-and-running, but it was actually all very easy. The httpd(8) and relayd(8) dæmons are well documented along with their relevant configuration files httpd.conf(5) and relayd.conf(5). TLS was setup with acme-client(1), and the manual even includes relevant examples for configuration with httpd(8).

Remember the security(8) and mail(1) example from earlier? That was setup automatically, and detected multiple errors for me. Setting up a filewall via pf(4) was also trivial – my entire pf.conf(5) configuration is as follows:

set skip on lo
block return
pass out
pass in on egress proto tcp to port { 22, 80, 443 }

I also cannot emphasize enough the usefulness of good examples. Not only to OpenBSD manuals often feature helpful examples for tasks I actually want to accomplish, but just about every configuration file on the system has a relevant manual page, and the /etc/examples directory is also full of useful example configurations for various dæmons that aren’t overwhelming and show you how to do things you actually want to do.

I am of course still very new to all things BSD, but so far things are looking good. To experiement I even installed OpenBSD on my laptop and was surprised to find that it ships with a pretty nice window manager cwm(1) out of the box. I won’t be switching completely away of course – Gentoo is still what I run on my home PC and I am extremely satisfied with it – but at least for a server OS OpenBSD has been a fantastic experience so far.