
Using OpenBSD for the Server Infrastructure
from n Source ...ber 2012
by Hiba Dweib
Some regular readers of this magazine have probably used Linux as a desktop, while others may have even done programming on it. This article gives readers an overview of using OpenBSD, a UNIX operating system. Read on to find out how this amazing OS can be put to good use.
You can download this OS for free from www.openbsd.org and install it on a laptop or desktop, using the CD ISO image. Installing OpenBSD is not hard, but may involve some trial and error.
OpenBSD is a very clean OS, with a lot of great ideas and discipline having gone into its design and coding conventions. It is slim, neat, clean and elegant in every way. It lacks support for a few of the fancy and frivolous things that some end users may think necessary, but appears to meet the goals of most scientists and engineers. OpenBSD, though a general-purpose OS as UNIX has always been, is an out-and-out developer’s OS or engineer’s friend.
The differences between OpenBSD and Linux
Linux comprises the kernel (begun by Linus Torvalds) plus the GNU userland, Bash shell, GNU compiler suite, applications and glibc. The projects involved are different, maintained separately and follow different timelines and release schedules, making it hard for end users to combine these themselves— so various distributions and vendors like Debian, Red Hat, Slackware or Ubuntu blend these elements to make end-user-viable operating systems. Also, obtaining the source code for every part of the OS is difficult, since it is not a single project.
In contrast, for OpenBSD, the entire OS, the base system, the kernel, the userland, the packages and the glue code -- all go into the same project. They are developed and maintained by the same team. A particular release of OpenBSD (say, 5.1) is unique, and depending on the hardware architecture you can get the exact set of binaries and source. (This is also true of NetBSD and FreeBSD.)
My tryst with OpenBSD
I have been using OpenBSD for my personal and commercial activities since 2003. I am a cryptographer, and I had to develop the IPsec kernel crypto code for my former employer’s router device. I looked at the IPsec implementation in FreeSWAN, the KAME project in FreeBSD, and also looked at NetBSD and OpenBSD. I finally settled on OpenBSD, and ended up working in the kernel C code. That is how I started my journey—and I have never looked back since. For this article, I will only cover IT infrastructure usage, using OpenBSD as a server and desktop OS, and as a developer platform. I will not be too concerned with kernel or C coding and development (other than once in a while). By and large, I will cover real-world personal and business use of this platform.
I have created my own USB installer, and I have my own USB release of OpenBSD, which I maintain in eight separate projects. You can access it at http://liveusb-openbsd.sf.net.
Package management
Linux has distribution-specific package management tools and formats for installing additional packages from the Internet or from a CD—like Red Hat RPM, while Debian and Ubuntu use DEB, and so on. The package management system in OpenBSD uses what is known as the pkg_add toolkit. Like everything else in OpenBSD, this is tightly integrated with the OS itself, and all the tools necessary for installing, maintaining, upgrading and removing packages are installed as part of the OS install. The package management system is written in Perl, which is preinstalled for OpenBSD. You can install packages from an install CD (which needs to be purchased) or off SSH, FTP or HTTP mirrors. It’s simple to install a package. For example, pkg_add socat (as the super-user) will install the package socat.
Certain packages come with ‘flavours’, which determine whether they are built with Python or Lua support for X. For example, if you wish to install the multimedia application mplayer, then you could try pkg_add -i mplayer. The extra ‘-i’ switch is important—it turns the installation into an interactive session, which will prompt you to choose a specific flavour of mplayer.
I normally install a certain minimum set of packages after a base install, which takes about 10 minutes, by issuing the following command:
# pkg_add -i mplayer vim socat colorls qemu windowmaker pidgin firefox
Your choices may differ. In fact, if you end up using my LiveUSB project images, they come pre-built with a certain configuration, packages, etc.
Now I guess you are fairly familiar with OpenBSD and are ready to explore its potential to address basic and slightly advanced needs like running your own mail server, NAS backup system, and a very simple Web server. Doing this obviously requires domain knowledge and experience, which you can slowly acquire—or if you already have it, you can now do things in a new way using OpenBSD. First examine what problem you are trying to solve and then go about the implementation.
Mail server
A mail server sends and receives e-mail from various domains with multiple users, catering to the needs of local users and other e-mail servers. My company is in the business of creating OpenBSD-based products for email solutions, so I have personal experience of developing and maintaining a mail server for more than four years. If you are exposed to systems administration in your day job, then you probably already know that Internet email is very different from the simple local mail service that runs without any contact with the outside world. However, there is no need to worry. OpenBSD makes some things easy for us; while other things have to be learnt and only when you learn about them can you enjoy the benefits of the power of OpenBSD.
So you’re now faced with the choice of which MTA (Mail Transfer Agent) to use. There are several popular options available, and though OpenBSD does not yet have its own implementation, it will very soon—Gilles Chehade and friends are hard at work on one called OpenSMTPD. I settled on Wietse Venema’s Postfix MTA over alternatives like Sendmail, Qmail and Exim. Also, certain sites use Microsoft Exchange, which so far has never given me any pain. It is very odd—Windows machines often get virus-infected, sending out spam that can get your company’s mail server’s public IP blacklisted as a spam source. Other people on the Internet may abuse your mail server for purveying mail to unsuspecting third-party users. Yet, Microsoft Exchange, as an MTA, has not given me any trouble so far.
First, you obviously have to install Postfix, which is as simple as pkg_add -i postfix. It will throw up about eight choices, and you can select what you like. No big deal.
It is also very important to know that a mail server doesn’t just send and receive mail using SMTP; it also has ancillary functions like distributing mail using IMAP and/or POP3, and acting as a webmail server. All this is part of the bargain. You will end up using the very brilliant Dovecot open source package for IMAP and POP3, which can also interact nicely with MS Outlook and Roundcube, a PHP webmail package. One of my customers tells me that using Roundcube is similar to using Outlook. It is that great and user-friendly. So to install, issue a simple… pkg_add roundcube dovecot and you’re ready.
Roundcube
Easy going so far, right? Now, configuring Dovecot and Postfix is easy, but Roundcube presents certain difficulties, which we will look into. The first thing to do is identify the database Roundcube should use for storing mail—I normally use SQLite. Initialise a database with a script like what follows:
# sqlite -init SQL/sqlite.initial.sql sqlite.db
sqlite> .exit
# chmod o+rw sqlite.db
Then you have to configure Roundcube (edit db.inc.php) with the path to the initialised database file. You also have to configure the timezone, the domain, the default IMAP and SMTP server, the address-book (if using LDAP), enable the preview pane and so on, in the configuration file main.inc.php.
Following this, the kind souls who developed Roundcube have given an installer that tests the installation in many ways. Before you get to that, however, you have to enable PHP in Apache, and also add a section with directives for allowing the .htaccess magic within the webmail directory. Another very important thing to remember is that Roundcube will only run in a non-chrooted Apache server. Be very careful about that, since by default OpenBSD runs Apache in a chroot environment, jailed within /var/www. Once all this is done, and the Roundcube installer is moved out of the way, you can access and use webmail. But you have to do some configuration tweaks to get there, which we tackle later.
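The database initialisation above ends with chmod o+rw sqlite.db, which leaves the file writable by every local account. The following script is an added example, not code from the article or from the Roundcube project: it restricts the database to mode 0660, hands it to the account the web server runs as (assumed here to be www, the user of OpenBSD’s base Apache, and overridable through the OWNER variable), and provides a check for the world-writable condition. sqlite3 is not invoked; the database path is created as an empty stand-in file so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article): replace "chmod o+rw sqlite.db" with
# ownership by the httpd user and mode 0660, and check the result.

OWNER="${OWNER:-www}"   # assumed httpd user on OpenBSD; adjust if yours differs

# world_writable FILE: exit 0 if the "other" write bit is set on FILE.
# Octal -perm is used so the test works with both BSD and GNU find.
world_writable() {
    [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# lockdown_db FILE: restrict FILE to owner/group read-write (0660) and, when
# running as root, give it to the web server user. Exit 0 when FILE is no
# longer world-writable afterwards.
lockdown_db() {
    db="$1"
    [ -f "$db" ] || : > "$db"          # stand-in for the sqlite3-created file
    chmod 0660 "$db"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$OWNER" "$db" 2>/dev/null || echo "warning: could not chown to $OWNER" >&2
    fi
    ! world_writable "$db"
}

# demo: reproduce the article's chmod on a constructed temporary file, then
# apply the lockdown and report both states.
demo() {
    dir=$(mktemp -d) || return 1
    db="$dir/sqlite.db"
    : > "$db"
    chmod o+rw "$db"                   # what the article's session does
    before=$(world_writable "$db" && echo open || echo restricted)
    lockdown_db "$db"
    after=$(world_writable "$db" && echo open || echo restricted)
    rm -rf "$dir"
    echo "before: $before, after: $after"
}

demo
```

On a real host, run lockdown_db against the actual database path as root; the web server then needs group or owner access only, and no other local user can alter the webmail database.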
Postfix
Now, let’s spend some time on the basics of Postfix configuration, though this is itself a fairly vast topic requiring a lot of knowledge about Internet mail, RFCs, etc, which obviously cannot be explored in a single article. In short, Postfix uses two files, /etc/postfix/main.cf and /etc/postfix/master.cf, for configuring its e-mail service. The commonly edited file is main.cf. The default installation of Postfix on OpenBSD will run out-of-the-box, and you can send and receive mail. In case you wish to enable the submission port TCP 587 for sending mail, you can do so by uncommenting (remove the leading hash) the following line in /etc/postfix/master.cf:
#submission inet n - - - - smtpd
After you modify the configuration, to activate it, run a postfix reload command. You still have to do some more work in /etc/postfix/main.cf to set the local network for relaying, selecting the relay domains and so on. Postfix has built-in controls to guard against becoming an open relay that can be abused by spammers on the Internet, requiring you to set the mynetworks parameter to specify from which networks it will accept mail to relay (for example, mynetworks = 127.0.0.1, 192.168.0.0/16).
You also need to set the mydomain, relay_domains and a few other minimal parameters for an excellent standards-compliant full-blown Internet mail server. So the complete configuration looks somewhat like what’s shown below:
mynetworks = 127.0.0.1, 192.168.0.0/16
myhostname = lfy.com
relay_domains = $mydestination, lfy.com
home_mailbox = Maildir/
You can make the most of these things if you already know and handle mail in your day job. You can opt for a 10/8 or 172.16/12 network style in the mynetworks parameter, if you have a lot of hosts on your LAN. Always remember that local users can send mail to any destination domain, but outside users can send mails only to those domains specified in the relay_domains parameter; be very careful about that. If you test for an open relay configuration, always test from an Internet location; Postfix should reply with a 554 relay access denied error when you try relaying mail using your mail server, but ‘as an outsider (from a network other than the local network)’. I emphasise this since this has tripped me up in the past, and I have suffered many hours of agony when spammers hit us. Anyway, only experience can teach you how to use OpenBSD and Postfix to your advantage—no article can do that for you.
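Because a wrong mynetworks value is exactly what turns a host into the open relay the paragraph above warns about, here is an added example, not code from the article or from the Postfix project, that reads a main.cf and audits its mynetworks and relay_domains settings before you reload Postfix. Two sample main.cf files are constructed in a temporary directory: the first mirrors the configuration shown above, the second contains the 0.0.0.0/0 mistake. Nothing here contacts a running Postfix; the script only parses the files, and the private-range patterns it treats as benign are loopback and the RFC 1918 blocks.

```shell
#!/bin/sh
# Added example (not from the article): audit the relay settings of a Postfix
# main.cf. Constructed samples are written to a temp dir so it runs offline.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAFE_CF="$WORK/main.cf.safe"
OPEN_CF="$WORK/main.cf.open"

cat > "$SAFE_CF" <<'EOF'
# constructed sample: the article's settings
mynetworks = 127.0.0.1, 192.168.0.0/16
myhostname = lfy.com
relay_domains = $mydestination, lfy.com
home_mailbox = Maildir/
EOF

cat > "$OPEN_CF" <<'EOF'
# constructed sample: trusts every address, so anyone may relay through it
mynetworks = 0.0.0.0/0
myhostname = lfy.com
relay_domains = $mydestination, lfy.com
EOF

# pf_get FILE PARAM: print PARAM's value the way Postfix resolves it: comments
# and blank lines are skipped, the last assignment wins, and lines that start
# with whitespace continue the previous value.
pf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (inkey) { v = $0; sub(/^[ \t]+/, "", v); last = last " " v }; next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
            inkey = (name == key)
            if (inkey) { last = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", last) }
        }
        END { print last }' "$1"
}

# relay_audit FILE: print the relay settings and flag any mynetworks entry
# that covers the whole address space. Exit 0 if bounded, 1 if open.
relay_audit() {
    nets=$(pf_get "$1" mynetworks)
    rdoms=$(pf_get "$1" relay_domains)
    rc=0
    echo "relay_domains = ${rdoms:-(unset: Postfix built-in default applies)}"
    if [ -z "$nets" ]; then
        echo "mynetworks    = (unset: the mynetworks_style default applies)"
        return 0
    fi
    echo "mynetworks    = $nets"
    for n in $(printf '%s' "$nets" | tr ',' ' '); do
        case "$n" in
            */0)
                echo "PROBLEM: '$n' in mynetworks trusts every address on the Internet"; rc=1 ;;
            127.*|10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*)
                ;;   # loopback or RFC 1918: expected for a LAN relay list
            *)
                echo "note: '$n' is a public range; make sure it is really yours" ;;
        esac
    done
    return $rc
}

relay_audit "$SAFE_CF"
relay_audit "$OPEN_CF" || echo "open relay configuration detected"
```

This complements, rather than replaces, the external test the article recommends: a clean audit of main.cf tells you the intent is right, and the 554 relay access denied reply from outside tells you the running daemon actually enforces it.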
Let us now move on to the other topics this article intends to cover.
Web servers
To enable the built-in OpenBSD Apache (there’s no need to install any package), one usually just adds the following line to /etc/rc.conf.local:
httpd_flags=""
…before rebooting (though do not do so yet). That would run a Web server chrooted to /var/www. You can modify files under /var/www/htdocs, which is the document root of the Web server. However, for Roundcube, you need to run a non-chrooted Web server, so use the modified flags line given below:
httpd_flags="-u"
Now your Web server is insecure, so be careful about exposing it to the Net.
NAS
Next, you may wish to serve files and sometimes also support Windows file-sharing (what is usually meant by NAS), plus also back up and restore in some cases. For running an NFS-mountable server, just modify /etc/exports as shown below:
/home -mapall=root -network=192.168.1 -mask=255.255.255.0
Then, you need the following lines in /etc/rc.conf.local:
portmap=YES
nfsd_flags=""
After a reboot, run showmount -e to see if your machine can serve files via NFS.
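Two of the settings from the Web server and NAS sections above deserve a second look before a reboot: an httpd_flags line carrying -u runs Apache outside its /var/www chroot (the article itself calls that server insecure), and an exports entry with -mapall=root maps every client user to root on the exported tree (see exports(5)). The script below is an added example, not code from the article or from OpenBSD, that audits both files. Sample copies of rc.conf.local and exports are constructed in a temporary directory, including a second export line with -maproot=nobody as an illustration of root squashing; set RC and EXPORTS to the real paths to audit a host.

```shell
#!/bin/sh
# Added example (not from the article): audit httpd_flags in rc.conf.local and
# root mappings in exports. Constructed samples keep the script offline.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RC="${RC:-$WORK/rc.conf.local}"
EXPORTS="${EXPORTS:-$WORK/exports}"

cat > "$WORK/rc.conf.local" <<'EOF'
# constructed sample, as the article sets things up
httpd_flags="-u"
portmap=YES
nfsd_flags=""
EOF

cat > "$WORK/exports" <<'EOF'
# constructed sample: the article's export line, plus a root-squashed variant
/home -mapall=root -network=192.168.1 -mask=255.255.255.0
/srv/pub -ro -maproot=nobody -network=192.168.1 -mask=255.255.255.0
EOF

# rc_get FILE VAR: value of a shell-style VAR=value line, double quotes
# stripped, last assignment wins, comment lines ignored.
rc_get() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key { v = substr($0, index($0, "=") + 1); gsub(/"/, "", v); last = v }
        END { print last }' "$1"
}

# httpd_chrooted FILE: exit 0 if httpd keeps its chroot, 1 if -u disables it.
httpd_chrooted() {
    flags=$(rc_get "$1" httpd_flags)
    case " $flags " in
        *" -u "*) echo "httpd_flags=\"$flags\": Apache runs outside /var/www"; return 1 ;;
    esac
    echo "httpd_flags=\"$flags\": Apache stays chrooted in /var/www"
}

# exports_root_maps FILE: print each export whose -mapall or -maproot option
# maps clients to root (by name or uid 0); exit 0 when none do, 1 otherwise.
exports_root_maps() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /-mapall=(root|0)([ \t]|$)/ || /-maproot=(root|0)([ \t]|$)/ { print "PROBLEM: " $0; bad++ }
        END { exit bad ? 1 : 0 }' "$1"
}

httpd_chrooted "$RC" || :
exports_root_maps "$EXPORTS" || echo "exports grant root to NFS clients"
```

After fixing an export line, a rerun of showmount -e confirms the share is still served; the audit only tells you what the file says, not what mountd has loaded, so reload or reboot as the article describes before trusting the result.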
There are excellent backup and restore utilities that can back up the entire file system. Read the man pages of dump(8) and restore(8). The typical usage for dump is as shown below:
# dump af file.dump /dev/rwd0a
For restore, use the following command:
# restore rf file.dump
It is actually more complicated than that, but you can get started with this. If in doubt, you can always Google to learn more.
I hope this was a good introduction to certain useful things that you can do with OpenBSD. You are even welcome to customise it to suit your unique needs. I’ll catch you later with more cool stuff.
By: Girish Venkatachalam
The author runs a company named Gayatri Hitech (http://gayatri-hitech.com) that creates computer networking products like firewalls, mail servers, VPNs, etc. He may be contacted at girish@gayatri-hitech.com. He is on Twitter, Skype and GMail as girish1729.
LINUX For You Will Now Be Open Source For You
Before making a formal announcement about changing the name of the magazine, we checked with the industry and the community as to what they felt about the new title. The responses were overwhelming. Most industry experts and community members welcomed this change, which they felt was for the better, and would broaden the horizons of the magazine. Here are a few responses from the industry to the name of LINUX For You being changed to Open Source For You, with effect from its October 2012 issue:
Mandar Naik, director, Platform Strategy, Microsoft
I welcome this change in the name from LINUX For You to Open Source For You as it represents the increasing popularity of the open source development model on multiple platforms, both on-premise and on the cloud. It is important to note that the open source model has been very popular on platforms like Windows Server on premise and Windows Azure in the cloud.
At Microsoft, our increased commitment to working with open source has sparked tremendous momentum, and contributed to the rapid growth of open source software on Windows with the number of open source apps that run on Windows growing 400 per cent to more than 350,000— with 23 of the top 25 OSS projects running on Windows. Codeplex, Microsoft’s open source project community, has grown to more than 28,000 open source projects and more than 300,000 registered users. In Windows Azure today, the open source community has a very strong cloud platform that offers seamless support for open source development using technologies like Node.js and improved Linux support.
With the advent of the cloud and the changing landscape of information technology, I see the new and evolved Open Source For You expanding its horizon to provide even more impactful content on mixed source environments, both on premise and in the cloud. I wish Open Source For You the very best and look forward to the exciting content in the upcoming issues.
Rajiv Sodhi, managing director, Go Daddy, India
I think this title is much more apt for the community. I think open source, in general, is a broader term than just Linux. I think it will be well received by the community.
Mayank Prasad, senior software engineer, Oracle
The new name looks okay to me. I don’t think any change in the title matters as long as the content is the same and good enough for me to pick up. Even if the name of the magazine changes to Open Source For You while it continues to offer the similar kind of content, I will continue to pick it from the stands.
Vinod Panicker, senior product architect, Wipro
I am a regular reader of the magazine and I don’t think the change will make any difference to me. I guess the change will broaden the scope of the magazine, so it will no more be just Linux-centric. It may change from being a one-point magazine for Linux to becoming more broad-based, covering all open source technologies, like applications that are on the open source framework. So the content will not be restricted to the Linux kernel but will cover open source technologies, across the board. It will not be a niche magazine any more, and will connect to more people. Those who want to read about open source technology will see a wider area being covered in the magazine.
Yogesh Girikumar, open source evangelist
This is a welcome change. I think it is a nice move. Something that I would like to regularly see in the magazine is content for newbies. That’s a major reader segment, which is ignored by magazines and journals in this domain. It will definitely increase the scope of the magazine. You can now add a lot of content that is not directly related with Linux and which is useful to readers.
Syed Anwaarullah, associate developer, Convergys
I think changing the name of the magazine to Open Source For You is better because it is more generic and will promote the magazine to a broader audience. After the name change, the magazine can cover a wide range of topics like Android, which is open source yet not directly linked to Linux. Android developers like me will be glad if you present more content on this growing section of open source technology.
Prajod Vettiyattil, lead architect, Wipro
I am a regular reader of the magazine and have actually wanted to see this change happen for quite some time, because ‘LINUX For You’ did not reflect the kind of articles published in recent issues. Initially, the magazine was only about Linux, but now it is about a lot more. The changed name is more representative of the content you are publishing. It is also good for the target audience. The new title has much wider scope as compared to the previous title.
Arun Tomar, open source evangelist
I think this will be a nice change as it will give readers a lot of technologies to mull over, ranging from the desktop and servers to mobiles, etc.
Joel Divekar, general manager, Information Systems with People Interactive
Open Source For You is an initiative that gives a fresh and broader perspective to your organisation, helping it to spread the word on open source. This also helps explain that open source is not specific to any operating system or distribution.
And here’s what our Facebook community says:
Anant Shrivastava:
Reminds me of the RMS interviews you published in your initial editions when he pointed out some issues with the magazine’s name and its impact. I, for one, support this change as this is what this magazine is about. It’s not only about Linux, but the whole open source ecosystem.
Pradeep Prakhar:
Yes, this name is more representative of the content we expect in this magazine— which leads open source enthusiasts towards overall growth. I am okay with the new name of the magazine.
Rakesh Mallick:
This is the correct name for the magazine.
Mohammed Shameem:
Good move. Rather than focusing on one project, i.e., Linux, the magazine can focus on all aspects of open source and hence the name change is apt.
Raghava Karthik:
Change the name to anything! We just need the magazine’s content to remain as it is (of course, some new topics are welcome)!
Harshad Joshi: Congratulations for expanding the focus of the magazine from just Linux to all open source projects. I hope to see a lot of content on FreeBSD, Open Solaris (smartos) and other related technologies like the cloud. All the best. And do make the magazine thicker.