OpenBSD

What’s missing (in mid 2016)?

  • Bluetooth
  • TRIM support for SSDs
  • Adobe Flash

Filesystem tweaks

  • Configure soft updates everywhere (softdep)
  • Disable access time logging (noatime)
  • If possible, mount with noexec, nosuid, nodev
<duid> /home ffs rw,nodev,nosuid,noatime,softdep 1 2
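
One way to check an existing fstab against the options listed above. This is an added example, not part of the original notes. The mount points exempted from nosuid and the ones tried with noexec are assumptions, and the sample fstab is constructed.

```shell
#!/bin/sh
# Added example, not from the original page.

# Assumptions: nosuid cannot go on mounts that hold setuid binaries, and
# noexec is only tried on mounts that normally hold no programs.
NOSUID_SKIP="/ /usr /usr/local"
NOEXEC_TRY="/home /tmp"

# audit_fstab [FILE]: print "<mountpoint>: missing <opts>" for each ffs
# entry lacking a recommended option. Reads stdin when FILE is omitted.
audit_fstab() {
    awk -v skip="$NOSUID_SKIP" -v try="$NOEXEC_TRY" '
    function inlist(x, list,    a, n, i) {
        n = split(list, a, " ")
        for (i = 1; i <= n; i++) if (a[i] == x) return 1
        return 0
    }
    /^[ \t]*#/ || NF < 4 || $3 != "ffs" { next }
    {
        split("", have)                      # clear the option set
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) have[o[i]] = 1
        want = "noatime softdep"
        if ($2 != "/") want = want " nodev"  # /dev lives on the root fs
        if (!inlist($2, skip)) want = want " nosuid"
        if (inlist($2, try)) want = want " noexec"
        miss = ""
        m = split(want, w, " ")
        for (i = 1; i <= m; i++)
            if (!(w[i] in have)) miss = miss (miss == "" ? "" : ",") w[i]
        if (miss != "") print $2 ": missing " miss
    }' "$@"
}

# Constructed sample fstab (the DUIDs are made up).
sample_fstab() {
    cat <<'EOF'
0123456789abcdef.a / ffs rw 1 1
0123456789abcdef.b none swap sw
0123456789abcdef.d /tmp ffs rw,nodev,nosuid 1 2
0123456789abcdef.e /usr ffs rw,nodev 1 2
0123456789abcdef.k /home ffs rw,nodev,nosuid,noatime,softdep 1 2
EOF
}

sample_fstab | audit_fstab
```

On a real system, call it as audit_fstab /etc/fstab and adjust the two lists to the local partition layout.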

Ports and packages

  • Packages don’t get security updates!
  • Therefore configure ports to use packages if possible
  • And follow the stable ports branch
echo "FETCH_PACKAGES=yes" >> /etc/mk.conf
cd /usr
cvs -qd anoncvs@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_9 -P ports
  • Which packages / ports need to be updated?
/usr/ports/infrastructure/bin/out-of-date
  • Update a port
cd /usr/ports/<portname>
make update

Update base system

  • Follow the patch branch
cd /usr
cvs -qd anoncvs@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_9 -P src
cd /usr/src/sys/arch/$(uname -m)/conf
config GENERIC
cd /usr/src/sys/arch/$(uname -m)/compile/GENERIC
make clean && make
make install
reboot
rm -rf /usr/obj/*
cd /usr/src
make obj
cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
cd /usr/src
make build

Upgrade to a new release

Set clock to localtime

ln -sf /usr/share/zoneinfo/right/CET /etc/localtime
rdate -ncv time.fu-berlin.de

Increase / decrease volume

mixerctl outputs.master=100,100

WPA-PSK

  • Create /etc/hostname.<ifname>
nwid <ssid>
wpa
wpakey <passphrase>
dhcp

WPA enterprise

  • Install wpa-supplicant
  • Create /etc/wpa-supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

ap_scan=0
eapol_version=1
fast_reauth=1

network={
      key_mgmt=WPA-EAP
      proto=WPA2
      eap=PEAP # or TTLS
      pairwise=CCMP
      group=CCMP
      phase1="peaplabel=0"
#     phase1="tls_disable_tlsv1=1 tls_disable_tlsv1_1=2" # if only sslv3 is supported
      phase2="auth=MSCHAPV2"
      ca_cert="/etc/certs/QV2.pem"
      ssid="<ssid>"
      identity="<username>"
      password="<mysecretpass>"
}
  • You must set up the wifi card before running wpa_supplicant!
  • It is better to set the bssid
  • wpaakms must be configured, otherwise wpa_supplicant will fail!
ifconfig urtwn0 nwid <ssid> bssid <mac_of_ap> wpa wpaakms 802.1x up
wpa_supplicant -B -c /etc/wpa_supplicant.conf -D openbsd -i urtwn0

Connect to a Cisco Anyconnect VPN

  • Install vpnc
  • Edit /etc/vpnc/my.conf
IPSec gateway vpn-gw-name
IPSec ID groupname
IPSec secret grouppassword
Xauth username your-username
Xauth password your-password

UTF-8 system-wide

echo 'export LC_ALL="en_US.UTF-8"' >> /etc/profile
echo 'export LC_ALL="en_US.UTF-8"' >> ~/.xsession

Adjust max memory size

  • Edit /etc/login.conf
:datasize-max=1024M:\
:datasize-cur=1024M:\
  • Or set infinity as the value

NTFS

  • Built-in NTFS support is read-only
  • Install ntfs-3g from ports to get write support

Flash support

  • Adobe and Chrome flash plugins do not work on OpenBSD
  • But you can use Gnash in Firefox
pkg_add gnash
mkdir /home/<user>/.mozilla/firefox/<account_id>.default/plugins
cd /home/<user>/.mozilla/firefox/<account_id>.default/plugins
ln -s /usr/local/lib/mozilla/plugins/libgnashplugin.so

Permanently disable kernel features like ACPI

mv /bsd /bsd.old
config -e -o /bsd /bsd.old
ukc> disable acpi
ukc> quit

Automatically adjust cpufreq

  • Edit /etc/rc.conf.local
apmd_flags="-A"

Linux compatibility (not yet tested)

  • Currently only works on i386!
  • You may need to build a custom kernel
cd /usr/src/sys/arch/$(uname -m)/conf
cp GENERIC.MP MYKERNEL
echo "option COMPAT_LINUX" >> MYKERNEL
config MYKERNEL
cd ../compile/MYKERNEL
make depend
make
make install
reboot
  • Now you can activate it with
sysctl kern.emul.linux=1

List all available disks

sysctl hw.disknames

Ksh config

  • ~/.kshrc
export PS1='\[\t\] \u@\h:\w\$ '
export EDITOR=/usr/local/bin/zile

set -o emacs

alias cp='cp -i'
alias mv='mv -i'
alias rm='rm -i'
  • If you use tmux or screen, put the following into ~/.profile
export ENV=~/.kshrc

Which program is listening on port x?

  • Install lsof
lsof -i :<port>

Readmes for packages

  • Can be found in /usr/local/share/doc/pkg-readmes

Fix arrow keys in Emacs under Xorg

(if (not window-system)                        ;; Only use in tty-sessions.
  (progn
    (defvar arrow-keys-map (make-sparse-keymap) "Keymap for arrow keys")
    (define-key esc-map "[" arrow-keys-map)
    (define-key arrow-keys-map "A" 'previous-line)
    (define-key arrow-keys-map "B" 'next-line)
    (define-key arrow-keys-map "C" 'forward-char)
    (define-key arrow-keys-map "D" 'backward-char)))

Automatic installation over PXE

Tracing kernel calls

  • Comparable to strace on Linux
ktrace -t cn <program>
kdump | less

Building images for cloud and embedded devices