
7.4 Updated!

November 10th, 2023, proudly hosted by ARP Networks. Follow me on Twitter.

history

Forked from NetBSD. Theo de Raadt is the founder and leader of the OpenBSD project. The first OpenBSD release 1.1/CVS appeared on October 18, 1995.

why use openbsd?

openbsd use cases

  • Firewall (PF)
  • Router
  • Mailserver (OpenSMTPD)
  • Webserver (httpd)
  • Hypervisor (vmd)
  • NAS (softraid)
  • As a desktop

openbsd innovations

Software and ideas developed or maintained by the OpenBSD project: https://www.openbsd.org/innovations.html

openbsd version numbers

  • Semiannual release cycle
  • New release is incremented by 0.1

openbsd flavors

  • -release, shipped every six months
  • -stable, -release plus patches (support for 7.3 & 7.4)
  • -current, active development branch

cvs repository

Choose your repository at: https://www.openbsd.org/anoncvs.html

cvsweb

CVSweb is a WWW interface for CVS repositories with which you can browse a file hierarchy on your browser to view each file's revision history in a very handy manner: https://cvsweb.openbsd.org

manual pages


            # How to read a man page, for example foo(5) ?
            man 5 foo

          

Or view it on your browser at: https://man.openbsd.org

supported hardware

Some dmesgs

installation

Really simple, ready in 5 minutes (KISS). The response file is emailed to the root user on next boot.

Get more information: https://www.openbsd.org/faq/faq4.html

auto-install

For a full unattended install/upgrade process, you can easily use autoinstall(8).

filesystem overview

OpenBSD uses FFS2 (Enhanced Fast File System) by default.

Read: newfs(8)

networking configuration files

/etc/myname Default hostname
/etc/mygate Default gateway
/etc/hosts Known hosts on the network
/etc/resolv.conf Resolver (DNS)
/etc/hostname.if Configuration for each network interface, for example: /etc/hostname.bge0
Read: myname(5), mygate(5), hostname.if(5), resolv.conf(5), hosts(5)

networking


            # Display the current configuration of network interfaces
            ifconfig

            # Set DHCP for 're0' interface, on the fly
            ifconfig re0 autoconf

            # Perform network (re)initialisation
            sh /etc/netstart

          

networking (set at startup)

Example 1: configure static IP address for re0


            ## File: /etc/hostname.re0
            inet 192.168.0.58 255.255.255.0

          
Don't forget to run sh /etc/netstart re0 to apply the changes to the running system.

networking (set at startup)

Example 2: configure DHCP for bge0


            ## File: /etc/hostname.bge0
            inet autoconf

          
Don't forget to run sh /etc/netstart bge0 to apply the changes to the running system.

networking (set at startup)

Example 3: configure wireless


            # First, see a list of available wireless networks:
            ifconfig iwn0 scan

          

            ## File: /etc/hostname.iwn0
            nwid ACCESS_POINT_NAME wpakey THE_SECRET_KEY
            inet autoconf

            # Or, for multiple access points
            join AT_HOME wpakey THE_SECRET_KEY
            join AT_WORK wpakey THE_SECRETKEY
            inet autoconf

          
Don't forget to run sh /etc/netstart iwn0 to apply the changes to the running system.

routing


            # Show the routing table (ipv4)
            route -n show -inet

            # Show the routing table (ipv6)
            route -n show -inet6

            # Delete all gateway entries from the routing table
            route -n flush

          

packet filter (pf)

(Useful commands)


            # Disable PF
            pfctl -d

            # Check the rules
            pfctl -nf /etc/pf.conf

            # Enable PF and load the rules
            pfctl -ef /etc/pf.conf

            # Just load the rules (apply changes)
            pfctl -f /etc/pf.conf

            # View the loaded rules
            pfctl -s rules

          
Read: pfctl(8)

pf ruleset sample


            ## File: /etc/pf.conf
            # Protect a laptop (allow only ping/ssh from anywhere)

            set skip on lo
            block log all
            pass in on egress inet proto icmp all icmp-type echoreq
            pass in on egress inet proto tcp from any to any port ssh
            pass out

          
Read: pf.conf(5)

debugging pf with tcpdump


            tcpdump -nettti pflog0

          
Read: tcpdump(8)
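
Added example (not part of the original slides): with the sample ruleset above, `block log all` sends every blocked packet to pflog0, and the function below summarizes saved `tcpdump -nettti pflog0` output by source address and destination port. The log lines are constructed, and the line layout (`rule N/(match) block in on IF: SRC.PORT > DST.PORT:`) and IPv4-only parsing are assumptions of this sketch.

```sh
#!/bin/sh
# Summarize blocked inbound TCP/UDP packets from pflog text output.
# Usage: tcpdump -nettti pflog0 > pflog.txt ; pflog_blocked_summary pflog.txt
# Output: "COUNT SRC_IP DST_PORT", busiest first.

pflog_blocked_summary() {
    awk '
    {
        # Find the "block in" action inside the pflog header.
        for (i = 1; i < NF; i++)
            if ($i == "block" && $(i + 1) == "in") break
        if (i >= NF) next                    # not a blocked inbound packet
        src = $(i + 4); dst = $(i + 6)       # after: block in on IF:
        sub(/:$/, "", dst)
        # IPv4 address plus port has five dot-separated parts;
        # portless records such as ICMP are skipped.
        if (split(src, s, "[.]") != 5 || split(dst, d, "[.]") != 5) next
        seen[s[1] "." s[2] "." s[3] "." s[4] " " d[5]]++
    }
    END { for (k in seen) print seen[k], k }' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample log lines (documentation address ranges).
sample_pflog() {
    cat <<'EOF'
Nov 10 12:00:01.000001 rule 0/(match) block in on em0: 203.0.113.7.51812 > 192.0.2.10.23: S 100:100(0) win 1024
Nov 10 12:00:02.000001 rule 0/(match) block in on em0: 203.0.113.7.51813 > 192.0.2.10.23: S 200:200(0) win 1024
Nov 10 12:00:03.000001 rule 0/(match) block in on em0: 203.0.113.7.51814 > 192.0.2.10.23: S 300:300(0) win 1024
Nov 10 12:00:04.000001 rule 0/(match) block in on em0: 198.51.100.9.40000 > 192.0.2.10.3389: S 400:400(0) win 1024
Nov 10 12:00:05.000001 rule 0/(match) block in on em0: 198.51.100.20 > 192.0.2.10: icmp: echo reply
EOF
}

sample_pflog | pflog_blocked_summary
```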

pf user's guide

OpenBSD PF FAQ

PF and Networking Tutorial (EuroBSDCon 2023)

user management


          # Manually
          user [add|del|info|mod] foobar

          # Add users interactively
          adduser

          # Remove users interactively
          rmuser

          
Read: adduser(8), rmuser(8)

group management

File: /etc/group


            group [add|del|info|mod] foobar

          
Members of the wheel group can use su(1) to become root.
Read: group(8), group(5), rmgroup(8)

sudo replaced with doas(1)


            ## File: /etc/doas.conf
            # Permit the user 'marc' to reboot the box
            permit nopass marc as root cmd /sbin/reboot

          

            # Marc can now reboot the box
            $ doas reboot

          
Read: doas(1), doas.conf(5)
Try doas mastery (blog).
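
Added example (not part of the original slides): the rule above is tightly scoped because it names one user, one target and one absolute command path. The function below audits a doas.conf(5) file for rules that are looser than that. The sample file and its users are constructed, and the parser assumes one rule per line with no quoted `#` characters or backslash continuations.

```sh
#!/bin/sh
# Flag doas.conf(5) permit rules that grant more than a single command.
# Usage: audit_doas /etc/doas.conf   (prints "line N: finding: rule")

audit_doas() {
    awk '
    { sub(/#.*/, "") }                       # strip comments
    $1 != "permit" { next }                  # blank lines and deny rules grant nothing
    {
        nopass = keepenv = 0; cmd = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "cmd") { cmd = $(i + 1); break }   # the rest is command and args
            if ($i == "nopass")  nopass = 1
            if ($i == "keepenv") keepenv = 1
        }
        if (nopass && cmd == "")
            printf "line %d: nopass without cmd, any command runs with no password: %s\n", NR, $0
        if (keepenv)
            printf "line %d: keepenv retains the caller environment: %s\n", NR, $0
        if (cmd != "" && substr(cmd, 1, 1) != "/")
            printf "line %d: relative cmd path, prefer an absolute path: %s\n", NR, $0
    }' "$@"
}

# Constructed sample; line 2 is the rule from the slide and should pass clean.
sample_doas_conf() {
    cat <<'EOF'
# constructed sample doas.conf
permit nopass marc as root cmd /sbin/reboot
permit persist :wheel
permit nopass keepenv alice
permit nopass bob as root cmd pkg_add
deny marc cmd /sbin/halt
EOF
}

sample_doas_conf | audit_doas
```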

package installation


            # By default, the /etc/installurl file already contains an OpenBSD mirror server URL
            https://cdn.openbsd.org/pub/OpenBSD

            # Search for packages
            pkg_info -Q foobar

            # For example, to install Squid
            pkg_add squid

            # Update packages
            pkg_add -u

          
Look in /usr/local/share/doc/pkg-readmes for extra documentation.
Read: pkg_info(1), pkg_add(1), installurl(5)

package management


            # List packages installed
            pkg_info

            # List files installed by a package
            pkg_info -L foobar

            # View install-message for a specific package
            pkg_info -M foobar

         
Read: pkg_info(1), packages(7)

package management


            # Delete a Package
            pkg_delete foobar

            # Show unused dependencies
            pkg_delete -an

            # Delete unused dependencies
            pkg_delete -a

            # Delete all except 'nginx'
            pkg_delete -X nginx

          
Read: pkg_delete(1)

install non-free firmware packages


            fw_update

          
Firmware is downloaded from release-specific directories at: http://firmware.openbsd.org/firmware
Read: fw_update(8)

managing daemons & services

File: /etc/rc.conf.local


            rcctl [enable|disable|start|stop|reload|restart] foobar

            # For example, to start the apmd(8) daemon for CPU scaling, you might do
            rcctl enable apmd
            rcctl set apmd flags -A
            rcctl start apmd

          
Read: rcctl(8), rc.conf(8), rc.conf.local(8)

What's enabled on your system?


            rcctl ls on

          
Read: rcctl(8)

running scripts at startup

File: /etc/rc.local

Read: rc(8), rc.firsttime(8), rc.local(8), rc.securelevel(8)

updating openbsd (-stable)

Any security or reliability fixes can be found at:
https://www.openbsd.org/errata.html

Errata patches are generated for the last 2 releases (7.3, 7.4).

tools for updating openbsd (-stable)

Use syspatch(8) to update your kernel and userland; it is available for the last 2 releases.

And pkg_add -u to update packages.

upgrading openbsd

To upgrade 7.2 to 7.4, you need to follow instructions from: https://www.openbsd.org/faq/upgrade73.html
and then
https://www.openbsd.org/faq/upgrade74.html

sysupgrade(8) is a utility to upgrade OpenBSD to the next release or a new snapshot.

list obsolete files between OpenBSD upgrades


            pkg_add sysclean

          

Run sysclean to generate a list of obsolete elements. Review the list and manually remove unwanted files. Be careful.

openbsd filesystem

The most important ones to know!
/ Root directory
/home User home directories
/root Default home directory for the superuser
/mnt A temporary mount point

openbsd filesystem

/etc System configuration files and scripts
/etc/examples Example configuration files for base system daemons
/etc/skel (dot) files for new accounts
/etc/signify Key files used for signify(1)

openbsd filesystem

/tmp Cleaned after a reboot
/var/tmp Symbolic link to the system /tmp
/var/log Log files
/var/run pid, socket files, utmp, dmesg.boot

openbsd filesystem

/var/db Database files
/var/www chroot directory for httpd(8)
/var/www/htdocs Web repository for httpd(8)
/usr/local Third-party software goes here
/usr/src BSD and/or local source files
Read: hier(7)

openbsd kernels

/bsd
Kernel executable (the operating system loaded into memory at boot-time).

On machines with multiple processors, the installer renames /bsd to /bsd.sp and then /bsd.mp to /bsd.

openbsd kernels

/bsd.booted
Kernel executable used for a resume from hibernation (handled by the bootloader).

openbsd kernels

/obsd
Old kernel; the next boot will use the new kernel /bsd (kernel relinking).

openbsd kernels

/bsd.sp
Kernel executable for single processor machines.

openbsd kernels

/bsd.mp
Kernel executable for multiprocessor machines.

openbsd kernels

/bsd.rd

Installation kernel. The built-in RAM disk contains utilities which can be run without an external file system, so this kernel is useful for limited system maintenance too.

kernel troubleshooting

config(8) allows editing of the kernel binary specified by infile. Devices may be enabled, disabled, or modified without recompiling, by editing the kernel executable. Editing can also be done at boot-time, using the in-kernel editor, as described in boot_config(8).

*These changes will be lost during upgrades and prevent a newly linked kernel from being installed at boot time. To avoid this, use the bsd.re-config(5) configuration file.

system tuning

sysctl.conf(5) sysctl variables to set at system startup
sysctl(8) get or set kernel state
&
config(8) modify a kernel

setting laptop hibernation (sysctl)

machdep.lidaction=0 do nothing
machdep.lidaction=1 suspend
machdep.lidaction=2 hibernate

full openbsd startup described!

OpenBSD system startup
DOWNLOAD (PDF)

system maintenance

            # Checks that there are no other random objects under /usr/local
            doas pkg_check -F

            # Review rc(8) system startup messages
            doas dmesg -s

            # List dynamic object dependencies
            ldd foobar

            # See disk usage
            df -h

            # Check load (cpu/mem)
            top -s .1

Read: pkg_check(8), dmesg(8), ldd(1), ld.so(1), df(1), top(1)

system maintenance

            # Reset your terminal when it gets messed up by control sequences
            reset

            # What is enabled on your system
            rcctl ls on

            # What is running on your system
            doas rcctl ls started

Read: tset(1), reset(1), rcctl(8)

ktrace/kdump sample usage

            # Proceed with process tracing
            ktrace -f ping.out ping openbsd.org

            # Interpret the data from ktrace into a human-readable format
            kdump -f ping.out

Read: ktrace(1), kdump(1)

useful packages

screenfetch Display system information in the terminal
w3m Text-based web browser
noice minimalistic file browser

useful packages

pstree List processes as a tree
tmate Share your terminal on the web without opening any ports
testdisk Scan and repair disk partitions

presentations & papers

https://www.openbsd.org/events.html

getting more help

FAQ: https://www.openbsd.org/faq/
Manual page: afterboot(8)
Web IRC Channel: #openbsd
Mailing list: misc@

You can manage your OpenBSD mailing list membership at lists.openbsd.org.

openbsd vps hosting

It's time to create your own OpenBSD VM !
