Why OpenBSD?

The OpenBSD logo with the mascot, Puffy the pufferfish, above it.

Formerly, my thoughts on OpenBSD were scattered around my website. I’d allude to its strengths when needed. However, that approach made my argumentation feel disjointed as a result. Overall, it seems more sensible to have a central place to talk about these things that can be linked to from elsewhere.

Why not OpenBSD?

Firstly, I’d like to bring up the ‘dealbreakers.’ I wouldn’t recommend OpenBSD to those that:

If you remain unfettered by these, or at least aren’t bothered by them too much, continue on. Otherwise, perhaps Librehunt will be of more avail.

Simplicity

When I say simplicity, I mean architectural simplicity. OpenBSD follows the Unix philosophy and consciously avoids feature creep. There aren’t as many bells and whistles compared to other operating systems and that’s good! That means there’s less to sift through if something breaks.

Minimalism is another word that could be used to describe this concept.

Less decision paralysis

One of Linux’s strengths is also a grave weakness: the abundance of choice. Deciding what implementation to use for a mail/web/DNS/NTP server is a task in itself, as there are many out there. With OpenBSD, one already has a sane, powerful, and secure suite of software to choose from, also known as the base system.

For instance, a web server with HTTPS and automated certificate renewal can be had with httpd(8), acme-client(1), and cron(8), all without installing any additional software.

See OpenBSD’s “innovations” page for more cool software and ideas developed by the OpenBSD project. Did you know that OpenSSH is an OpenBSD project?

Great documentation

OpenBSD feels transparent and comprehensible. Between the FAQ, man pages, and mailing lists, as well as other resources like /etc/examples and /usr/local/share/doc/pkg-readmes, the user is not lacking in ways to understand how the system works under the hood. An OpenBSD installation is a didactic environment well-suited to anyone with a DIY attitude.

Security

Of course, no discussion of OpenBSD’s strengths would be complete without mention of its focus on security.

One example I like, albeit one not strictly focused on the base system, is how Firefox and Tor Browser are packaged with pledge(2) and unveil(2) in mind. Speaking to the latter system call, there’s no reason these browsers should be able to read ~/.ssh or ~/.gnupg, so they can’t. They can only interact with whitelisted paths (with permission to read, write, execute, create, or any combination thereof, depending on what’s stipulated). As a result, the amount of damage a malicious extension or browser exploit could wreak is much less than usual.

Privacy

kern.video.record and kern.audio.record are both set to 0 by default, meaning that no video or audio can be recorded without permission.

Stability

I mean this both in terms of system stability and how fast things change. A constantly changing system is a nightmare to maintain for system administrators.

Users can depend on a new release being made available about once every 6 months. Every new release comes with documentation on changes made and how to upgrade, which is a painless process with the sysupgrade(8) tool. Here is what the upgrade from 6.8 to 6.9 looks like.

Sane defaults

OpenBSD is very configurable, but usually it doesn’t really need to be configured. There’s no need to set up the plethora of things that minimal Linux distributions would demand of you, like time synchronization, cron, log rotation, local mail delivery, and so forth. I miss that seamless, integrated feeling every time I work with something that isn’t OpenBSD. The truly magical thing is OpenBSD does all this without feeling bloated.

Also, the things that do require intervention from the user are usually pretty straightforward. For instance, enabling power management and hibernate + suspend is a three step process involving apmd(8) and rcctl(8).

  1. Enable the service.

    # rcctl enable apmd
    
  2. Ensure that it’ll be started in automatic performance adjustment mode.

    # rcctl set apmd flags '-A'
    
  3. Finally, start the service.

    # rcctl start apmd
    

Other resources