Secure by default
First of all, you should familiarize yourself with the concept of secure by default. A simple way of explaining it is that everything is turned off until you turn it on. That means that the Web server is not going to start until you manually add the httpd daemon to the startup script; OpenSSH services will also be unavailable unless specifically enabled; and even when a service is enabled, it must be configured to allow potentially insecure operations.
Because it is secure by default, you may have to do more initial configuration with OpenBSD than with most other Unix and Unix-like operating systems, but you'll spend a lot less time securing it -- maybe no time at all, if you follow the instructions in the manual pages.
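An added example, not part of the original article: a shell function that lists what has been switched on, so the secure-by-default baseline can be compared with the current state. It assumes the startup settings live in rc.conf-style files such as /etc/rc.conf and /etc/rc.conf.local; the function names and the sample contents are constructed for illustration.

```sh
# Rule assumed from the stock rc scripts: "<name>_flags" enables a daemon
# unless its value is NO; any other switch enables a feature only when YES.

enabled_services() {    # args: config files; later files override earlier ones
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*=/ {
            line = $0
            sub(/[ \t]*#.*$/, "", line)      # drop trailing comment
            sub(/[ \t]+$/, "", line)         # drop trailing blanks
            eq = index(line, "=")
            name = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/^"|"$/, "", val)           # unquote the value
            setting[name] = val              # last assignment wins
        }
        END {
            for (name in setting) {
                val = setting[name]
                if (name ~ /_flags$/) {
                    if (val != "NO") print substr(name, 1, length(name) - 6)
                } else if (val == "YES") {
                    print name
                }
            }
        }
    ' "$@" | sort
}

# Constructed sample files (not taken from a real system).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/rc.conf" <<'EOF'
sshd_flags=NO           # for normal use: ""
httpd_flags=NO          # for normal use: ""
ntpd_flags=NO
portmap=NO
pf=NO
named_user=named        # not an on/off switch, must be ignored
EOF
    cat > "$dir/rc.conf.local" <<'EOF'
httpd_flags=""
pf=YES
ntpd_flags="-s"
EOF
    enabled_services "$dir/rc.conf" "$dir/rc.conf.local"
    rm -rf "$dir"
}

demo    # prints httpd, ntpd and pf, one per line
```

On a live system, call enabled_services with the real files in override order and review every name it prints.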
Quick OpenBSD facts
- Default shell: Korn shell (ksh) for root; Bourne shell (sh) for users; the C shell (csh) is also included by default, and others are available as extra packages.
- Default text editor: vi.
- File system: BSD Fast File System (FFS) with soft updates (no journalling or defragmenting necessary).
- Kernel: 4.4BSD-based, monolithic, SMP-capable, does not support external kernel modules by default.
- Binary support: OpenBSD, FreeBSD, SCO/ISC, SVR4, Linux, BSD/OS.
- Supported architectures: Alpha, AMD64/EM64T, Arm, hp300, hppa, i386, luna88k, mac68k, macppc, mvme68k, mvme88k, sgi, sparc, sparc64, vax, zaurus.
- Hardware support (i386)
Making it easier to mount CD drives
To mount an optical drive, you have to know what the device node is, then you have to have an empty directory to mount it on. Rather than do this every time you need to access a CD or DVD, it's easier to modify the /etc/fstab file to do most of the work for you. To do this, start by creating a mount point for your CD or DVD drive. From a root terminal, run this command to create a mount point called
/etc/fstab file does not have a line for optical drives. Most drives use the /dev/cd0a device node, though there are a few other possibilities. Type ls /dev/cd* to see other CD device nodes if cd0a doesn't work for you. You may want to test mount them with a CD in the drive if you are unsure which node is the right one.
Once you have a directory to mount to and you know which device node corresponds with your optical drive, it's time to add a line to /etc/fstab. Edit it with your preferred text editor and add this line at the end of the file:
/dev/cd0a /mnt/cdrom cd9660 ro 0 0
Save and quit the editor. From now on, all you have to do to mount an optical disc is type
Setting up Ports and packages
OpenBSD doesn't include much software in the default system, so you'll probably have to add most of the programs that you need. There are two ways to add software to OpenBSD: through the Ports tree, and through precompiled binary packages. Neither is necessarily better than the other, but here are some basic observations about both systems that will help you decide which approach to take:
- Ports compiles each program from source code, which allows you to modify the Makefile to accommodate specific needs; packages are already compiled with the default options.
- Packages are installed moments after they are downloaded; Ports can take a long time to compile.
- Packages are easier to upgrade when it comes time to switch to the next OpenBSD release; Ports are trickier to upgrade, and will take much longer to reinstall.
- There are about 200 more programs in Ports than there are in the package repository. Many of these extra programs are proprietary (the Sun Java Development Kit, for instance).
- It's easier to find programs in Ports than it is in the package database, especially when you're offline. You can, however, use the Ports tree to find a program you want to install, then use pkg_add to install the package.
My recommendation is to install the Ports tree (see below for instructions), but use it primarily as a method of finding and installing packages whenever possible. If you do not install the Ports tree, installing packages by guessing at their package names can be a frustrating experience.
If you bought the official OpenBSD CD set, you can install a number of packages directly from the packages disc. To do this, mount your OpenBSD CD and then switch to its directory so that you can browse it. Assuming you mounted it on /mnt/cdrom, the i386 package directory is in /mnt/cdrom/4.1/packages/i386/. Use the ls command to look through the directory and find programs that you want to install. Use the pkg_add command to install a package.
Beyond the small collection of frequently used packages on the OpenBSD disc, installing more packages will require some extra configuration work. You'll be retrieving package files from an OpenBSD FTP package mirror; if you do it right, all of the dependent packages will be retrieved for you as well. Start by specifying where the package tools should look for package files. By default it takes a command line argument, so you have to specify an address and file name for every package you want to install plus all of its dependencies. Obviously that is not a very efficient way to do things, so let's add a default path for the pkg_add command to look in.
First find a mirror in this list that is closest to your location. Then add it to /root/.profile as in this example:
The mirror site above is only an example and may not be optimal for your situation; use one from the list linked to above. If you like, you can even set the package CD as a source (make sure it's mounted before you use it, though):
Log out for the changes to take effect. The next time you log in, pkg_add will automatically retrieve any packages you tell it to, plus their dependencies. Additionally, whenever you try to install a program from Ports, OpenBSD will try to retrieve the package first; if it can't find a package, it'll compile the program from source code.
Adding the Ports tree and OpenBSD source code
OpenBSD does not install the Ports tree or the operating system source code by default. To install them yourself, just copy them over from CD #3 or download the source files from the OpenBSD FTP site. You can find them in the /pub/OpenBSD/4.1/ directory. The files are called
Unzip and untar the src.tar.gz file to the /usr/src/ directory, and the ports.tar.gz file to the /usr directory (it will unpack to a new /usr/ports/ directory). That's basically all there is to it. Here are example commands, which will work if you followed the above instructions for optical drive mounting:
cd /usr/src
tar xvfz /mnt/cdrom/src.tar.gz
cd /usr
tar xvfz /mnt/cdrom/ports.tar.gz
Installing a Java Development Kit on OpenBSD is more difficult than on most other OSes. On the other hand, most other OSes don't really care about licensing to the degree that OpenBSD does. Since proprietary packages cannot be distributed with OpenBSD, you'll have to use the Ports tree to install the Sun JDK. There is currently no option to install a standalone Java Runtime Environment without the development kit.
To install a JDK (and by association, a Java Runtime Environment as well), first you're going to have to manually retrieve the JDK binaries, source code, and BSD patch sets from a few Web sites, then you're going to have to compile them through the Ports system. It takes a long time to compile, so I suggest fetching the files all at once, then letting OpenBSD work on compiling them overnight.
Here are all of the files you'll need for the Sun JDK 1.5 in OpenBSD 4.1:
From this address: http://wwws.sun.com/software/communitysource/j2se/java2/download.html you need these files:
From this address: http://www.eyesbeyond.com/freebsddom/java/jdk15.html you need this file:
From this address: http://java.sun.com/products/archive/j2se/5.0/index.html you need this file:
And from this address: http://www.apache.org/dist/xml/xalan-j/ you need this file:
If you can't fetch these ahead of time, you can use the Lynx text Web browser to retrieve them from the OpenBSD command line. To find out what files require manual fetching from within the OpenBSD command line, go to /usr/ports/devel/jdk/1.5 (assuming you want Java 5.0 -- versions 1.3 and 1.4 are also available) and type make. Any initial dependencies will be fetched and compiled, and when it reaches a point where your intervention is required, the exact names and Web addresses of the files you need to retrieve will be printed on the screen. Go to the addresses with the Lynx browser, download the files to /usr/ports/distfiles/ (or copy them there once you've downloaded them), then continue the build. If you miss a file or two, the build process will tell you which files you're missing.
Once the Java Port is finished compiling and has been installed, you'll see some instructions on the screen for creating a symlink to the JRE Web browser plugin. If you want to use Java plugins through a graphical Web browser, follow those instructions.
Lastly, you will have to add the Java executable path to your shell configuration file; if you don't, it will be difficult to run Java programs or the Java compiler. Assuming you are using the default Bourne (sh) or Korn shells (ksh), the file to edit is ~/.profile. If you're using the C shell (csh), the file is ~/.cshrc. Bash is ~/.bashrc, and the Z shell (zsh) is ~/.zshrc. Somewhere in one of these files you will find a PATH environment variable. Add /usr/local/jdk-1.5.0/bin to it (or whatever Java version you installed). Some programs may require a JAVA_HOME setting as well, so add this line someplace:
Log out for the changes to take effect.
Enabling FreeBSD and Linux binary support
OpenBSD comes with a variety of binary compatibilities compiled into the kernel. They are, however, disabled by default. To enable them, edit /etc/sysctl.conf and skip down to the end of the file where the binary emulation section is. Uncomment any lines that you need support for. Most people will want Linux binary support:
FreeBSD binary support is in the same section. Again, just uncomment it to enable it. Feel free to look through the rest of the file to see if there are any other options you might be interested in (I usually enable wsmouse, the console mouse driver).
To achieve optimum Linux binary compatibility, you will also need to install the redhat_base package, then create a /proc directory and a line in /etc/fstab to mount it at boot:
/proc /proc procfs rw,linux 0 0
Full FreeBSD binary compatibility can't be done without the freebsd_lib package, so install that if you want to run FreeBSD programs.
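An added example, not part of the original article: a check that the two kinds of /etc/fstab entry this page adds (the cd9660 line for the optical drive and the procfs line above) carry the nodev and nosuid mount options, which stop device nodes and setuid bits on those filesystems from being honoured. The function names and the sample fstab are constructed for illustration.

```sh
# Flag cd9660 and procfs entries in an fstab-format file that lack
# the nodev or nosuid mount option.

audit_fstab() {     # arg: path to an fstab-format file
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        NF < 4     { next }                  # skip blank or short lines
        $3 == "cd9660" || $3 == "procfs" {
            n = split($4, opt, ",")
            has_nodev = 0
            has_nosuid = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "nodev")  has_nodev = 1
                if (opt[i] == "nosuid") has_nosuid = 1
            }
            missing = ""
            if (!has_nodev)  missing = missing " nodev"
            if (!has_nosuid) missing = missing " nosuid"
            if (missing != "") print $2 ": missing" missing
        }
    ' "$1"
}

# Constructed sample fstab: the two lines from this page plus entries
# that already carry the options.
demo_fstab() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
/dev/wd0a / ffs rw 1 1
/dev/wd0d /home ffs rw,nodev,nosuid 1 2
/dev/cd0a /mnt/cdrom cd9660 ro 0 0
/proc /proc procfs rw,linux 0 0
/dev/cd1a /mnt/dvd cd9660 ro,nodev,nosuid 0 0
EOF
    audit_fstab "$f"
    rm -f "$f"
}

demo_fstab    # reports /mnt/cdrom and /proc as missing nodev nosuid
```

Run audit_fstab /etc/fstab on a live system; an entry passes once its option field reads, for example, ro,nodev,nosuid.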
SMP support for multi-core, multi-CPU, and Hyper-Threaded machines
If you're on a multi-core or multi-CPU system and want to use the SMP kernel, you do not need to recompile anything to get SMP support. While OpenBSD uses the single-CPU kernel by default, you have the option of installing the bsd.mp kernel during the installation process. If you choose that option, bsd.mp will be copied to your root directory.
Before you switch to bsd.mp, test it out by typing it in at the boot prompt when the system starts (before OpenBSD starts its init process). If all goes well, you can make this switch permanent by going to the root directory and moving
mv bsd.mp bsd
OpenBSD has the most thorough, easy to follow native documentation of any Unix-like operating system. To access it, just use the man command to look up nearly anything that is included with the base system or installed packages. If you're new to OpenBSD, type man afterboot to get some tips and instructions for setting up and configuring various services and devices. If you don't know what command you need, but have an idea of what it might do, use the apropos command to let the system make some suggestions.
If you're still stuck after reading the documentation, a great source for online BSD help is the OpenBSD section of the BSD Forums Web site.