I guess the title pretty much reveals the story. Tired of the direction Linux distros are going (e.g. dependency hell, bloat, tons of interdependent packages for doing simplest of things, inconsistent architecture, ridiculous changes like systemd, plague of security holes, etc.) and lusting for some new experience I decided to give the BSD family a try.
Initially I was strongly inclined towards OpenBSD with its legendary focus on security and a bunch of unique features such as out-of-the-box ASLR, W^X, strong entropy in virtually all places that matter (packet identifiers, PIDs, port numbers, inode numbers, etc.), a chrooted httpd and maybe most importantly (yeah, we all remember Heartbleed) LibreSSL. I had my mind set on this idea to the point of writing fakescreen for usage in chroot jails and submitting a patch to OpenBSD’s httpd to support URL rewriting. The installation went really smoothly and I thought I was good to go when I remembered that I have a freaking HP LaserJet P1102 printer to set up in CUPS. Thankfully HPLIP works just fine in OpenBSD and foo2zjs does the job in terms of feeding the right stream to the printer. What went wrong then? After correctly printing the test page I was shocked to see “panic: ehci_device_clear_toggle: queue active” on the screen – clearly a USB problem. Apparently I was not the only one having this issue. As you can see I spotted a pretty promising diff to apply, but then I realized – geez – this is exactly what I was NOT looking for in an operating system!!! I mean c’mon – a little bit of maturity – the USB stack crashing? Seriously? On the brink of 2016? Give me a break. Conciseness, great documentation and uniqueness make OpenBSD a wonderful piece of work, and certain bits of code produced by this project (OpenSSH, OpenSSL, LibreSSL, packet filter) benefit the free software ecosystem at large. Nevertheless, hardware support issues are still out there, even for a technology (USB) introduced nearly 20 years ago, running on hardware manufactured a couple of years ago. Sorry to say, but my best experience with OpenBSD was in a VM – and who knows, maybe that’s even one of the intended niches for the OS. For my XS35V2 it’s currently a no-go.
A moment later I was already thinking about the “lesser evil” and downloading Ubuntu 14.04. However, I felt really bad about going back to that toy, and about the apparent impossibility of running a BSD server. Are we doomed to Linux on servers now, the same way we used to be doomed to Windows on desktops? Remembering FreeBSD, and having considered it before making the move to OpenBSD, I decided to give it a try now. I was hoping that, being a couple of times more popular, FreeBSD would have those kinds of issues polished away. Luckily I wasn’t mistaken. The same CUPS configuration worked on FreeBSD as well, without the slightest sign of a crash. Hurray! This time I really was good to go. All that remained was to figure out how FreeBSD goes about security and, naturally, to set up all the required services.
I believe the security keyword for FreeBSD is jails. Jails are an OS-level virtualization technology resembling Linux Containers/Docker. Nullfs and symbolic links do the job of unionfs, allowing parts of the base operating system to be shared across multiple jails. On top of that, system calls for managing network interfaces, routing and raw sockets are blocked. Each jail also has its own separate lists of processes and users. Access to devices is limited by devfs rules, which allow cherry-picking the device nodes visible to a given jail; creating device nodes from inside a jail is not possible. This turns out to be a sufficient set of restrictions to treat a jail as a sort of lightweight VM. Currently my server runs all of its services in a set of 4 jails which are isolated from one another and from the local network. As unlikely as it is that someone hacks my server (I guess I’m not political enough ;)), if it came to that I would hope to have the damage somewhat contained.
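To make the restrictions above concrete, here is an added, constructed jail.conf and devfs.rules fragment (not taken from my server’s actual configuration): a read-only nullfs mount of a shared base, a devfs ruleset that exposes only the stock jail device set, addresses on a cloned loopback interface so the jails never sit on the LAN, and raw sockets and mounting switched off. The paths, addresses, hostnames, and the extra printer node for the hypothetical “print” jail are assumptions.

```conf
# /etc/jail.conf (constructed example; parameters are the stock jail(8) ones)
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
path = "/jails/$name";                 # assumed layout: one directory per jail
host.hostname = "$name.home.lan";      # assumed hostname
interface = lo1;                       # assumed cloned loopback; needs cloned_interfaces="lo1" in rc.conf
mount.devfs;                           # the jail gets its own devfs, filtered by the ruleset
devfs_ruleset = 4;                     # devfsrules_jail from /etc/defaults/devfs.rules
allow.raw_sockets = 0;                 # the default, stated explicitly: no raw sockets
allow.mount = 0;                       # nothing can be mounted from inside the jail
# Shared, read-only base system via nullfs (assumed to live in /jails/base)
mount = "/jails/base /jails/$name/base nullfs ro 0 0";

www {
    ip4.addr = 10.0.0.10;              # assumed address on lo1, reachable only via the host
}

db {
    ip4.addr = 10.0.0.11;
}

print {
    ip4.addr = 10.0.0.12;
    devfs_ruleset = 10;                # custom ruleset defined below
}

# /etc/devfs.rules (constructed example): ruleset 10 keeps the stock jail set
# and unhides exactly one extra device node for the print jail.
[devfsrules_jail_print=10]
add include $devfsrules_jail
add path 'ulpt*' unhide                # assumed node; which one a given driver needs is not covered here
```

Apply the ruleset changes with `service devfs restart` before starting the jails with `service jail start`.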
All in all I’m quite happy with this 2-day adventure. I’ve learned quite a bit about FreeBSD and I liked what I saw. On top of that I’ve upgraded WordPress to 4.4 and changed the theme to a hopefully sexier minimalist one-column design. Since I’m not posting all that often – I decided to celebrate each time and take a suitable photo to be used with the featured image functionality of the theme.
To end this pretty long entry, let me just wish everyone a Merry Christmas and a Happy New Year! Let’s hope that 2016 will be even more productive than 2015 and that we’ll enjoy together some reports of my deeds on this new sexy blog theme 😉