OpenBSD users out there?

[hokatichenci]

I'm looking for something very secure to replace my gentoo hardened selinux machine that currently runs some basic services (rsync+non transparent squid). I'm toying with OpenBSD 3.9 at the moment, though I'm running into a few issues.

Primarily, how hard is it to update the base system? I see theres 11 errata security warnings out, but it seems the only way is to on at least one system download the 3.9 source, patch, and compile/install. So is it really that challenging to do? It doesn't sound so bad, but I'm used to having some package management of the base system.

LDAP Authentication - has anyone gotten this working? Since OpenBSD lacks PAM/NSS, it seems like the only option is using a plugin for bsd auth for authentication, and there is no way to get user names/id's off ldap. Am I right?

Ports vs. Package - A lot of sites point to using the binary packages, though a lot of others point to using ports. Is there any difference between two of the same versions besides binary vs compiled? Are security issues addressed quicker in one or the other?

Thanks in advance for any help.

 

[Xipher]

I am currently using OpenBSD 3.9 on my NAT/Firewall, I haven't tried updating it though
The base system does use packages, they simply don't rebuild the base packages between releases, and they are pretty broad in what they contain.

I don't know about LDAP Authentication, they probably don't include it for personal reasons, but I do believe an OpenLDAP package is available (don't know if it includes any way of pluging into the Authentication system). After googling around I found a page covering some one setting up OpenBSD to use a Radius server with LDAP as it's back end to get it working.
http://www.ezunix.org/modules.php?o...ns&file=index&req=viewarticle&artid=35&page=1

I think the only difference between ports and packages are that packages have been premade, ports have not, and with packages you can install them on lower end hardware without having to do any compilation. Neither of them get the same level of auditing that the OS's code itself does, as mentioned on their site http://www.openbsd.org/ports.html

 

[/dev/null]

I have about 10 years of OpenBSD experience. Ask all your questions here.

The security patches are easy to apply. The docs are very good.

If you can't understand something ask here. I think you will find everything much easier than Linux (I do).

I have not used LDAP under OpenBSD, sorry.

I generally go for Ports before packages as it saves compile times.

Rob

 

[hokatichenci]

I've gotten a fair bit of stuff to work (I havn't managed to run ports or patch the default system)... but I hit one major pothole. Small file performance over openbsd seems to be really slow. I get fine transfer speeds to the disk for one big file, but I've got a folder with ~150,000 small files. Running a 'find .' on that directory takes about 2 minutes, from what I've seen this isn't really weird behavior, but I'd really like to improve successive hits. I've tried messing around with sysctl a lot (ffs dirsize caching, inode translation caching) but nothing really works. Is OpenBSD just slow in this regard or is there a way to improve speeds. Sadly, changing the format from 150,000 small files to one big file is not an option.

 

[Xipher]

I generally go for Ports before packages as it saves compile times.

Rob

Sure you didn't get that one turned around?

 

[tdg]

It's been several years since I've used OpenBSD, but upgrading isn't too hard, theres a good doc on their page on how to do it, if you follow it verbatim, you shouldn't have any problems. Patching is easy as pie too, grab the patch, follow the instructions included in the patch, and off you go.

Never messed with LDAP, so can't help you there.

Ports vs. Packages is a endless debate with BSD users, many times they are in sync, but many times ports could be fresher than the package. Reason being they have to complile the port to make the package, sometimes the compile que gets behind and a package is a minor version behind. I typically use ports myself, easier to upgrading using certain port tools to make it more automated.

I've gotten a fair bit of stuff to work (I havn't managed to run ports or patch the default system)... but I hit one major pothole. Small file performance over openbsd seems to be really slow. I get fine transfer speeds to the disk for one big file, but I've got a folder with ~150,000 small files. Running a 'find .' on that directory takes about 2 minutes, from what I've seen this isn't really weird behavior, but I'd really like to improve successive hits. I've tried messing around with sysctl a lot (ffs dirsize caching, inode translation caching) but nothing really works. Is OpenBSD just slow in this regard or is there a way to improve speeds. Sadly, changing the format from 150,000 small files to one big file is not an option.

Use locate instead of find. If the data in the directory changes frequently, add a cron job to update the locate database at a fitting interval.

 

[unhappy_mage]

Use locate instead of find. If the data in the directory changes frequently, add a cron job to update the locate database at a fitting interval.

But that's not the issue. Sure, if he wants the contents of the directory listed, it makes sense to use locate. But if he wants to, say, read the list of files in a single directory, that's not something you can use slocate for easily in a programmable manner. For example, "for i in *; do dos2unix $i; done" would presumably take a long, long time.

 

[/dev/null]

Sure you didn't get that one turned around?

You are correct, I meant packages first instead of ports doh!

 

[/dev/null]

I've gotten a fair bit of stuff to work (I havn't managed to run ports or patch the default system)... but I hit one major pothole. Small file performance over openbsd seems to be really slow. I get fine transfer speeds to the disk for one big file, but I've got a folder with ~150,000 small files. Running a 'find .' on that directory takes about 2 minutes, from what I've seen this isn't really weird behavior, but I'd really like to improve successive hits. I've tried messing around with sysctl a lot (ffs dirsize caching, inode translation caching) but nothing really works. Is OpenBSD just slow in this regard or is there a way to improve speeds. Sadly, changing the format from 150,000 small files to one big file is not an option.

What filesystem options are you using?

 

[Xipher]

What filesystem options are you using?

Probably the default one that installer uses, and I don't know if the installer even gives you a choice, UFS.