OpenBSD Desktop

This details my first OpenBSD desktop. The configuration work is incomplete and there are probably mistakes in the notes below, but it is working and in live use and I expect some of my notes will help others.

Introduction - my OpenBSD desktop

First, I purchased a copy of OpenBSD, partly because supporting the project makes me feel virtuous, but also because it is easier to install from the CDs. OpenBSD is published under a BSD licence, which means that when using it you are free from commercial constraints. Unlike some open source software, you can modify and then resell BSD licenced software without having to disclose your modifications or pay royalties; you just have to leave a message in your software to say you have used it. This may be useful for my business and was one of my reasons for choosing OpenBSD. I also like the OpenBSD emphasis on good documentation, removing bugs, stability, evolutionary change and of course security. This is what I need for my web server.

I will try not to repeat the manual, information pages or the README files. These are already good resources and are better read in the original, where they are maintained accurately and under the control of the OpenBSD project. You will need to browse these and read the instruction leaflet carefully. My notes below are the bits that may not be so obvious from the manual or are good starting points for your reading. I do not cover every detail. The commands and configuration files I provide are for studying and adapting for your purposes, not for blindly typing. These notes all relate to OpenBSD version 4.0.


I changed my BIOS settings to boot from the CD, put in CD1, read the booklet and followed the instructions. (Note that the text on pages 2 and 3 of the 'Installation Instructions' section has been accidentally transposed.) I scaled up the disk partition sizes to consume the whole of my hard drive and shovelled in the required network parameters. You will often find settings in OpenBSD, such as log file sizes, that start off with safe low values; on a modern computer you can increase them appropriately. Take notes while installing to allow a rapid repeat of your install in future. I installed all the sets whose names start with 'x'; these are parts of the X Window System (abbreviated to X). X is nothing like MS Windows; it would be more accurate to think of it as a glorified device driver for your mouse, keyboard and screen. It also renders fonts and lets you run programs on other computers and have them look as if they were running on your computer. Other programs run on top of X to give a desktop like MS Windows. After the install:

# Note that all commands and filenames are case-sensitive.
mail
  ?          # Have a look at the help for mail.
  t          # Type the message.
  more .     # Paginate it.
  q          # Quit. This is the usual way to exit from a program.

help
man man
man afterboot
info
man -k pwd
man pwd      # Look up any unfamiliar commands in the manual.
pwd
cd /
ls -Flo
man hier
df -hi
man halt
man exit

Having got my bearings I created a simple script. I use vi to edit small text files - there is a brief introduction on my server page. You do not need to learn much of it to become useful.

A broken-vertical-line character immediately following a command 'pipes' the output from it into the next command. (On my keyboard this character is next to the left-hand shift key.) You can pipe the output of 'ls -Flo' into the paging mechanism 'more' to allow you to read a long list of files. I have omitted piping into 'more' from various following commands for brevity. The up-arrow key gets back to previous commands.

env                # Shows your PATH - the directories for programs.
man ksh            # Have a quick look at this. Come back later.
cd /usr/local/bin  # This is on the PATH. They are searched in order.
vi l               # Create a new file.
  i                # Get into insert mode.
  pwd              # Type whatever commands we want in the script.
  ls -Flo|more     
  [Escape]         # Escape from insert mode.
  :wq [Enter]      # Write the new file and quit vi.
cat l
ls -Flo            # You can see there are no execute permissions yet.
chmod +x l         # Give it execute permissions.
l                  # The new script will now run.
whereis l          # Shows the location of the program that would run.
cd /etc            # Most configuration files are in this directory.
cat rc             # A script that runs when the computer is started.
man rc             # Configuration files often have manual pages.

If you want the startup process to do more than the existing 'rc' script it is better to put your extension to the script into 'rc.local' to make upgrading OpenBSD easier. Likewise, the parameters for 'rc' which you can see in 'rc.conf' are best changed by adding the ones you want to alter to 'rc.conf.local', which will override the corresponding settings in 'rc.conf'.

At this point I switched on pf in 'rc.conf.local' and created a very simple firewall configuration. My OpenBSD desktop machine sits behind my OpenBSD server firewall so a more elaborate firewall configuration would be overkill.

/etc/pf.conf
  ExtIf="xl0"          # Use my slower ethernet card for the web.
  IntIf="bge0"         # Gigabit ethernet for my local network file sharing.
  set skip on lo0
  scrub in
  block in
  pass out keep state
  pass in on $IntIf    # Share files and time-keeping with MS Windows.

At this point I created a new user, mainly with defaults, for normal activity on the machine. I will use this for Firefox and Thunderbird. Ideally I would not use 'root' privileges after establishing the initial configuration, but this is not always possible.

man su
adduser

Then I edited /etc/mail/aliases and gave it my new username for the 'well-known aliases' and updated with 'newaliases' (which takes a little time to run).

The CD and floppy disk drives are the next things to configure. These have to be 'mounted' after a disk is inserted and 'unmounted' before removing the disk, which is both tedious and a security risk because it has to be done with root privileges. (Note the command is 'umount' not 'unmount'. I guess a request to rename it 'dismount' might not be approved.) I have automated this with the Automounter Daemon (amd). We can see the available drives with these commands.

sysctl -A   # Look for hw.disknames
dmesg       # A copy of the messages you see when booting.
cd /dev     
l           # These are not all physically distinct disk drives of course.

The letter on the end of the device in /dev is the partition, which is by convention on the i386 architecture 'a' for root, 'b' for swap and 'c' for whole disk. I do not understand the intricacies of this but read that 'c' is the one I want.

If I put disks into the drives I can do

atactl cd0c     # Access the CD (actually a DVD) drive and show its make.
disklabel fd0c  # Check the floppy disk drive.

To manually mount the disks

cd /mnt    # A directory by convention used for mounting disks.
mkdir cd0  # Create a subdirectory for mounting the CD drive.
mkdir fd0  # Likewise for the floppy drive.

and each time we want to look at a CD/DVD

mount -t cd9660 -r /dev/cd0c /mnt/cd0
cd /mnt/cd0
l                 # List the files on the CD. etc.
cd /              # Change out of the directory before umount.
umount /dev/cd0c

and similarly for a floppy

mount -t msdos -r /dev/fd0c /mnt/fd0
cd /mnt/fd0
l                 # List the files on the floppy. etc.
cd /              # Change out of the directory before umount.
umount /dev/fd0c

The first step towards automating this is to put some of it into /etc/fstab. Here is mine after adding the bottom two lines. (The other lines about wd0 are my hard drive partitions created during the install.)

man fstab
/etc/fstab
  /dev/wd0a /     ffs rw              1 1
  /dev/wd0g /home ffs rw,nodev,nosuid 1 2
  /dev/wd0d /tmp  ffs rw,nodev,nosuid 1 2
  /dev/wd0f /usr  ffs rw,nodev        1 2
  /dev/wd0e /var  ffs rw,nodev,nosuid 1 2
  /dev/cd0c /mnt/cd0 cd9660 ro,nodev,nosuid,noauto
  /dev/fd0c /mnt/fd0 msdos  rw,nodev,nosuid,noauto

This gets picked up when we reboot and we can now do

mount             # Shows the mounted file systems.
mount /dev/cd0c   # Mount the CD.
mount             # etc.
umount /dev/cd0c  # Unmount it.

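The mount options in the fstab above are doing security work as well as convenience work: 'nodev' and 'nosuid' stop a foreign CD or floppy from bringing in device nodes or set-uid programs, and 'noauto' stops an empty drive from stalling the boot. Here is an added example, not part of the original notes, of a small ksh/sh script that reads fstab text and reports entries that lack those options. The fstab text inside it is constructed for the example (it includes one deliberately weak CD entry) and is not my real file; the function and variable names are my own.

```sh
#!/bin/sh
# Added example (not from the original notes): audit fstab entries for the
# options used in the notes. Non-root fixed partitions are expected to carry
# 'nodev'; removable media (cd9660, msdos) are expected to carry 'noauto'
# so an empty drive cannot stall the boot, plus 'nodev' and 'nosuid' so a
# foreign disk cannot bring in device nodes or set-uid programs.
# The fstab text is constructed for this example and includes one
# deliberately weak CD entry.

SAMPLE_FSTAB='/dev/wd0a /     ffs rw              1 1
/dev/wd0g /home ffs rw,nodev,nosuid 1 2
/dev/wd0f /usr  ffs rw,nodev        1 2
# constructed weak entry: no noauto, nodev or nosuid
/dev/cd0c /mnt/cd0 cd9660 ro
/dev/fd0c /mnt/fd0 msdos  rw,nodev,nosuid,noauto'

# has_opt OPTS NAME: true when NAME appears in the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# audit_fstab TEXT: print one finding per line as "<device> <mountpoint>: <finding>".
# Comments, blank lines and the root file system are skipped (nodev cannot
# apply to / because /dev lives there).
audit_fstab() {
    while read -r dev mnt type opts rest; do
        case $dev in ''|'#'*) continue ;; esac
        [ "$mnt" = / ] && continue
        case $type in
            cd9660|msdos)
                has_opt "$opts" noauto || echo "$dev $mnt: removable media without noauto"
                has_opt "$opts" nosuid || echo "$dev $mnt: removable media without nosuid"
                ;;
        esac
        has_opt "$opts" nodev || echo "$dev $mnt: missing nodev"
    done <<EOF
$1
EOF
    return 0
}

# Run against the constructed sample when executed directly.
# On a real machine use: audit_fstab "$(cat /etc/fstab)"
audit_fstab "$SAMPLE_FSTAB"
```

Run on the sample it prints three findings, all for the weak cd0c line, and nothing for the wd0 partitions or the floppy. The check for 'nosuid' is only applied to removable media because /usr legitimately holds set-uid programs such as su.
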
Mounting from fstab this way is easier, but still requires root privileges. We are now ready to configure the Automounter Daemon (amd). This will run the mount and unmount commands for us when we access the CD and floppy through amd. Amd is usually used to simplify and optimise networked file systems, but it does not need NFS or YP to be switched on. Amd can operate on purely local disks, mounting and unmounting them depending on whether they have been accessed recently.

info amd
man amd

I added these lines to /etc/rc.conf.local to start amd at boot.

portmap=YES    # amd needs portmap.
amd=YES
amd_master="/etc/amd/params"

I created this file. This is read by the rc script and fed as parameters into the amd daemon.

/etc/amd/params
  /amd /etc/amd/mastermap

and created this file - referenced in the file above - for amd to pick up as its configuration

/etc/amd/mastermap
  /defaults type:=host;fs:=${autodir}
  # autodir = -a parameter of amd call = amd_mnt in rc.conf = /tmp_mnt
  # Be careful with 'umount' and 'unmount' in the following.
  cdauto type:=program;fs:=/mnt/cd0;\
         mount:="/sbin/mount mount /dev/cd0c";\
         unmount:="/sbin/umount umount /dev/cd0c"
  fdauto type:=program;fs:=/mnt/fd0;\
         mount:="/sbin/mount mount /dev/fd0c";\
         unmount:="/sbin/umount umount /dev/fd0c"

This will all be picked up at reboot. For some reason - probably a time-out parameter somewhere - it sits for a minute in the boot sequence at 'amd'. I expect this can be solved with a bit more configuring. Some commands for testing it

cat /var/run/amd.pid   # amd's process id - from the rc script.
ps -aux                # Shows running processes. Should see amd.
df -hi                 # Should see amd and its process id.
mount                  # ditto.
amq -ms                # More detail.
rpcinfo -p             # Should see portmapper and amd.

To auto-mount a CD put it in the drive and

cd /amd         # You can cd straight to /amd/cdauto but show this oddity :
l               # Shows nothing! But we can cd into the invisible directory :
cd cdauto       # This automounts the CD. The CD will spin.
l               # Shows the files on the CD.
cd /amd/fdauto  # Likewise the floppy.
cd /            # After a while the disks will auto-unmount.

The unmount occurs after a certain time-out rather than when the button on the CD drive is pushed. There is probably a clever solution to this imperfection. We now do not have to gain root permissions and type 'mount' and 'umount' commands for the CD or floppy. To make things easier we can create links to avoid having to find the invisible directories.

cd /
ln -s /amd/cdauto /cdrom
ln -s /amd/fdauto /floppy
cd /cdrom                  # To look at a CD.
cd /floppy                 # To look at a floppy.

At this point I loaded the source code in case I need it.

# Insert CD3.
cd /usr/src   # Running the next command in the root directory '/' will 
              # demolish your system. Nobody would do this of course! 
tar xvzf /cdrom/src.tar.gz    # amd works and fingers rest.

Up to this point I have consumed about 1Gb of disk space in /usr, 40Mb in /, 4Mb in /var and not much else.

Now to configure the X Window System (X) so I can exercise my graphics chips, screen and mouse. X runs beneath the programs the user normally interacts with such as KDE, Gnome or FVWM, insulating these upper layers from the details of the hardware and network and rendering the fonts for them. X also bundles a lot of programs such as a terminal emulator and a clock display. X needs to be configured properly before we try to run anything on top of it.

There are several ways of starting X, the two main ones seem to be xinit and xdm. Note that these use different configuration files. Xdm gives a graphical login, whereas xinit is text based but may be more flexible. I have not tried xinit. There are also several ways to give X its configuration, I put everything into the xorg.conf file. I have not tried the other methods.

Have a quick look at these and come back to them.

man X
man xorg.conf
man xdm         # I am using xdm rather than the alternative xinit.
man xinit
cat /usr/X11R6/README
cat /usr/X11R6/lib/X11/doc/README.OpenBSD

I switched on xdm by adding this line

/etc/rc.conf.local
  xdm_flags=""

This produced a graphical login screen and when I had logged in a terminal emulator, but the screen was low resolution and flickery and the keyboard was the wrong way round. If you do this and cannot see the graphical login screen at all you may be able to crash out to a text login with Ctrl+Alt+F2 to recover. So I went back to text and ran

xorgcfg -textmode   # Produces an xorg.conf file.

I set my keyboard, screen resolution, mouse wheel, etc. I got stuck at the video card and had to do some digging afterwards. I discovered my video chips worked with an i810 driver.

dmesg     # May help identify your video chips.
man Xorg  # Has a list of drivers in the 'see also' section.
man i810  # The one I needed.

I edited this into my /etc/X11/xorg.conf file, switched xdm back on and rebooted. This gave a good resolution, refresh rate and keyboard. In the terminal emulator (xterm)

l         # Gives "ksh: l: not found"
env       # My PATH has lost the last two directories.

I discovered the /etc/rc script runs /etc/X11/xdm/Xsession which, if one is available, will run /root/.xsession. (For a user other than root this would be something like /home/user2/.xsession.)

man xdm   # Look for the 'session program' section.
man fvwm  # The window manager I am running.

Here is my first simple file

/root/.xsession
  PATH=$PATH:/usr/local/sbin:/usr/local/bin
  /usr/X11R6/bin/xclock -geometry 190x30-0+0 -d -update 1 &
  /usr/X11R6/bin/xterm -geometry 160x70+60+20 &
  /usr/X11R6/bin/fvwm

This file does not need to be executable. From here on it may be better to experiment as a less privileged user. You may also want to try to change from fvwm to another window manager/desktop environment such as kde, gnome, windowmaker, blackbox or icewm. I tried kde but could not get startkde to work properly with xdm. Startkde seems to work well from the command prompt and I guess it might work with xinit or kdm, though I have not attempted this. I am going to do some configuration work in fvwm to try to make it into a comfortable environment before I consider switching. I suspect the default fvwm configuration is hiding a very capable window manager.

As a single-user desktop I want my machine to power-down when I left-click the desktop and click Exit, rather than having to obtain root privileges. To make it do this I edited

/etc/X11/xdm/TakeConsole
  halt -p   # Added this line at the end of the file.

Note, however, that after adding this to TakeConsole the system gets upset if we run 'halt -p' in xterm. There are aspects of the shutdown process I have not yet explored, so there may be a better way to do this. There are other files in the same directory worth studying.

I got some messages in

/var/log/xdm.log
  (EE) Failed to load module "dri" (module does not exist, 0)
  (EE) Failed to load module "speedo" (module does not exist, 0)
  The XKEYBOARD keymap compiler (xkbcomp) reports:
  > Warning: Type "ONE_LEVEL" has 1 levels, but  has two symbols
  >          Ignoring extra symbols

I think "dri" is a 3D graphics thing I do not need and "speedo" is an obsolete font. I commented them both out of xorg.conf. The other message could be something wrong with an obscure keyboard mapping - maybe the right-hand Alt key. I will eventually look at the keyboard mapping, but it works well enough for now.

I also get warnings in

/var/log/Xorg.0.log
  (WW) I810(0): Extended BIOS function 0x5f05 failed.
  ...
  Could not init font path element /usr/X11R6/lib/X11/fonts/CID/,
    removing from list!

I have not investigated the BIOS warning yet. The one about "CID" looks like another obsolete font.

Now to add some packages. Packages are less secure than the software we have used so far and should, if possible, only be run as your unprivileged user.

man packages
man pkg_info
man pkg_add
# Put CD1 in the drive.
cd /cdrom/4.0/packages/i386
l                  # Lots of packages, but what are they?
pkg_info -d k*     # Description of the kde related packages.
pkg_add mozilla-firefox
pkg_add mozilla-thunderbird
pkg_add xpdf
pkg_add samba
pkg_info -A

And I configured them as appropriate.

Samba needs an smb.conf file and changes to some file/directory permissions to make them accessible to MS Windows. Here is my rudimentary samba configuration.

man chown
man chmod

/etc/samba/smb.conf
  [global]
     workgroup = NEON   # 'NEON' is my local MS Windows Workgroup name.
     server string = Blue Samba
     security = share
     hosts allow = 10.0.0. 127.0.0.1
     log file = /var/log/smbd.%m
     max log size = 500            # I increased this.
     socket options = TCP_NODELAY
     interfaces = bge0             # My local network.
     dns proxy = no

  # Share files on this OpenBSD machine with the MS Windows machines. 
  # This gives the MS Windows machines read-write access to the directory. 
  [download]
     comment = Download
     path = /home/user2/download   
     read only = no                
     writable = yes
     public = yes

  # Let the MS Windows machines backup my Firefox bookmarks etc.
  # This gives the MS Windows machines read access to the directory.
  [firefox]
     comment = Firefox
     path = /home/user2/.mozilla/firefox   
     read only = yes                       
     public = yes

  # Let the MS Windows machines backup my Thunderbird emails etc.
  [thunderbird]
     comment = Thunderbird
     path = /home/user2/.thunderbird
     read only = yes
     public = yes

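Before starting samba it is worth knowing exactly which shares the MS Windows machines can reach without a password and which of those they can write to, since 'public = yes' and 'read only = no' together hand out anonymous write access to a home directory. Here is an added example, not part of the original notes, of a small sh script that walks an smb.conf and prints that summary per share, and flags 'security = share' in [global], which grants access per share rather than per user. The configuration text inside it is constructed and modelled on the file above (it is not my actual file), and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original notes): walk an smb.conf and report,
# for every share, whether MS Windows clients can reach it without a
# password ('public' / 'guest ok') and whether they can write to it, and
# flag 'security = share' in [global]. The configuration text is constructed
# and modelled on the notes; it is not the author's actual file.

SAMPLE_SMB_CONF='[global]
   workgroup = NEON
   security = share
   hosts allow = 10.0.0. 127.0.0.1

[download]
   path = /home/user2/download
   read only = no
   public = yes   # constructed: guests may write here

[firefox]
   path = /home/user2/.mozilla/firefox
   read only = yes
   public = yes

[private]
   path = /home/user2/private
   valid users = user2'

# trim STRING: strip leading and trailing blanks and print the result.
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# flush_share: print the summary line for the share parsed so far.
flush_share() {
    case $section in
        ''|global) return 0 ;;
    esac
    printf '%s public=%s writable=%s\n' "$section" "$public" "$writable"
}

# audit_smb_conf TEXT: print "<share> public=<yes|no> writable=<yes|no>" per
# share, plus a "global:" warning line for share-level security.
audit_smb_conf() {
    section=''; public=no; writable=no
    while IFS= read -r line; do
        line=$(trim "${line%%#*}")          # drop comments and blanks
        case $line in
            '') continue ;;
            '['*']')                        # new section: flush the old one
                flush_share
                section=${line#'['}; section=${section%']'}
                public=no; writable=no      # Samba defaults: not public, read only
                continue ;;
        esac
        key=$(trim "${line%%=*}" | tr 'A-Z' 'a-z')
        val=$(trim "${line#*=}" | tr 'A-Z' 'a-z')
        if [ "$section" = global ]; then
            if [ "$key" = security ] && [ "$val" = share ]; then
                echo "global: security = share, access is per share not per user"
            fi
        else
            case $key in
                public|'guest ok')  public=$val ;;
                writable|writeable) writable=$val ;;
                'read only')        if [ "$val" = no ]; then writable=yes; else writable=no; fi ;;
            esac
        fi
    done <<EOF
$1
EOF
    flush_share
}

# Run against the constructed sample when executed directly.
# On a real machine use: audit_smb_conf "$(cat /etc/samba/smb.conf)"
audit_smb_conf "$SAMPLE_SMB_CONF"
```

On the sample this prints the global warning followed by one line per share: download is public and writable, firefox is public but read only, and private (which has no 'public' line) is neither. A share that shows public=yes writable=yes is the one to look at twice.
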
I added these commands to start samba at boot.

/etc/rc.local
  if [ -x /usr/local/libexec/smbd ]; then
      echo -n ' smbd'
      /usr/local/libexec/smbd -D
  fi
  if [ -x /usr/local/libexec/nmbd ]; then
      echo -n ' nmbd'
      /usr/local/libexec/nmbd -D
  fi

My completed configuration file is now

/etc/rc.conf.local
  xdm_flags=""
  portmap=YES
  amd=YES
  amd_master="/etc/amd/params"
  pf=YES
  sshd_flags=NO
  ntpd_flags=""

Both rc and rc.conf remain unchanged from the default to make upgrades and administration easier.

/etc/ntpd.conf
  # Allow local machines to get the date and time from this machine.
  listen on 10.0.0.1
  # Set the date and time on this machine from my server.
  server 81.2.66.10

For Firefox and Thunderbird I trawled through changing all the configuration settings in the GUI. Unlike OpenBSD, some of these default to insecure values. In Thunderbird I switched off moving images with, from the menu, Edit : Preferences : Advanced : General : Config Editor and changed 'image.animation_mode' to 'none'. The same in Firefox by typing 'about:config' in the address box. I silenced other movement by switching off Java and Javascript, but occasionally I need to switch on Javascript to operate poorly designed web sites. People familiar with Firefox and Thunderbird on MS Windows will find these applications look practically identical on OpenBSD. One or two options that are fixed on the wrong values can be set in 'about:config'.

To my relief the indispensable AdBlock extension installed perfectly in Firefox. Maybe all the extensions are platform independent, I have not tried any others yet. Occasionally I study the HTML to build my block file, but mostly I go to the Tools : Page info : Media page and produce generic kill rules for sites and URLs I do not want to access. AdBlock does not seem to tell you which rules have blocked which elements but a 'switch off AdBlock and web page reload' usually tells me what is happening. Here is a snippet from my block file to get you started.

[Adblock]
  */images/ads/*
  *doubleclick*
  */adimages/*
  *bluestreak.com/*
  http://ads.*
  */adlog/*
  *.mediaplex.com/*
  *mads.com.com/*
  *.akamai.net/*
  *.webtrendslive.com/*
  *.swf*
  *.google-analytics.com/*
  */advertisements/*
  *.googlesyndication.com/*
  */img/affiliate/*
  */bannerads/*
  *.a2.yimg.com/*

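The rules above are plain wildcard patterns: '*' matches any run of characters, everything else is literal, and a URL is blocked by the first rule that matches. Since AdBlock will not tell you which rule fired, it can be handy to check a URL against the list yourself. Here is an added example, not part of the original notes, that does this with the shell's own 'case' pattern matching, which uses the same '*' wildcard. The rule list is a constructed subset of the block file above (with its '[Adblock]' header) and the URLs are made up for the demonstration; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original notes): match URLs against Adblock
# style wildcard rules using the shell's own 'case' pattern matching, where
# '*' matches any run of characters. The rules are a constructed subset of
# the block file in the notes and the URLs are made up.

ADBLOCK_RULES='[Adblock]
*/images/ads/*
*doubleclick*
http://ads.*
*.swf*
*.google-analytics.com/*'

# is_blocked URL: print the first rule that matches URL and return 0;
# return 1 when no rule matches. Rules come from a here-document, so the
# shell never expands the wildcards against the file system; in 'case' an
# unquoted $rule is used as a pattern, not as a literal string.
is_blocked() {
    target=$1
    while IFS= read -r rule; do
        case $rule in ''|'['*) continue ;; esac   # skip blanks and the header
        case $target in
            $rule) printf '%s\n' "$rule"; return 0 ;;
        esac
    done <<EOF
$ADBLOCK_RULES
EOF
    return 1
}

# report_urls TEXT: for each URL (one per line) print
# "BLOCK <rule> <url>" or "ALLOW <url>".
report_urls() {
    while IFS= read -r url; do
        if rule=$(is_blocked "$url"); then
            echo "BLOCK $rule $url"
        else
            echo "ALLOW $url"
        fi
    done <<EOF
$1
EOF
}

# Constructed URLs for the demonstration.
SAMPLE_URLS='http://www.example.org/index.html
http://ad.doubleclick.net/pixel.gif
http://www.example.org/images/ads/top.gif
http://ads.example.com/banner.jpg
http://www.example.org/clip.swf?autoplay=1'

report_urls "$SAMPLE_URLS"
```

On the sample the first URL is allowed and the other four are blocked, each reported with the rule that caught it. The same check works for a real block file by replacing ADBLOCK_RULES with the file's contents, because the rules are read through a here-document rather than expanded as a word list.
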
I moved across my emails and address books by creating new empty Folders and Address Books and overwriting the files this created with my historic files. I also copied across my bookmarks.html for Firefox. This could probably have been done by moving the whole directories across, but I usually find there are little improvements I can make by doing a fresh install of an application and just copying the essential files.