Absolute OpenBSD

DrCarbonite (Jeff Martin) writes "I've used OpenBSD in the past, and benefitted from its extensive online documentation. Sometimes an off-line reference is useful (i.e. required), and Absolute OpenBSD fills this void." Read on for the rest of Martin's review, as well as a more critical one from Marius Aamodt Eriksen.
Absolute OpenBSD: UNIX for the Practical Paranoid
Author: Michael W. Lucas
Pages: 489
Publisher: No Starch Press
Rating: 8
Reviewer: Jeff Martin, Marius Aamodt Eriksen
ISBN: 1886411999
Summary: Well-written guide to administering OpenBSD for the intermediate to advanced user.

OpenBSD is not your average open source operating system, and consequently it does not have an average user community supporting it on the Internet. Absolute OpenBSD (AOB), by Michael W. Lucas, bills itself as "the definitive guide to OpenBSD." In addition to detailing the operating system (OS), Lucas does a wonderful job of illustrating and preparing new users for the different community surrounding OpenBSD.

A book like AOB is going to introduce many new users to OpenBSD, and it would be a disservice both to the existing community and the newcomers to not explain OpenBSD's culture. Thus, the first two chapters discuss the OpenBSD philosophy and also show the user how to become self-supporting when it is time to solve problems rather than flooding the mailing lists with easily answerable questions.

Critics may feel OpenBSD's rugged individualism is an indictment of its usability, but then they may be better served by a different OS.

The next few chapters focus on the installation of OpenBSD. AOB covers both dedicated and multi-boot installations. Most serious users will likely choose the dedicated installation; however, Lucas points out that this may not be an option for someone looking to sample OpenBSD, or for those users who wish to share a common data partition. Both types are covered, allowing the reader to decide which is most appropriate. Important installation caveats are also mentioned, such as OpenBSD's requirement that its root partition must be completely contained within the first 8 gigabytes of the hard drive. Although OpenBSD supports several different hardware platforms, when specifics are required Lucas focuses on the i386 platform. Lucas does a good job explaining the concepts, so users of non-Intel hardware should have minimal difficulty installing on their particular hardware.

Following the installation discussion, Chapter 6 covers OpenBSD's booting process and its /etc/rc scripts. Lucas' explanations go beyond simply itemizing these different aspects, choosing instead to provide the reader with the reasons a certain option may be needed. Expert users will already know when they wish to boot in single-user mode, but others will appreciate the discussion on how to boot alternate kernels, run fsck, and boot from alternate hard disks.

OpenBSD is promoted as a secure OS, and AOB is diligent in covering this aspect. File flags and securelevels are introduced and discussed. Lucas does a good job explaining what they do and what acceptable scenarios would be for their application. OpenBSD's systrace utility is explained in detail. Writing systrace policies, generating them using the policy-generation tool, and obtaining predefined policies from the Internet is described in depth.

OpenBSD administrative information receives attention as well. Chapters 11 and 12 cover configuring and building custom kernels. The treatment in Chapter 13 of compiling ports and installing packages is very helpful -- and in fact necessary for those looking to install essential utilities such as fortune.

OpenBSD's ports system was originally adapted from that in FreeBSD, and users of that OS may see some similarities. Users from a different background will appreciate the primer.

Three chapters of AOB are devoted to OpenBSD's in-kernel packet filter, pf. This is arguably one of OpenBSD's best features, and Lucas suitably spends a lot of time discussing it. Chapter 17 covers basic pf usage, such as explaining pf's configuration file, tables, and macros. In addition, Lucas takes a timeout to also explain pf's suitability for particular tasks. Chapter 18 describes advanced applications of pf, including network address translation, load balancing, and bandwidth management. Chapter 19 concludes with managing live pf execution. Correctly managing a live firewall on-the-fly is important for sites requiring high uptime, and Lucas does well in explaining the various methods available for logging, viewing statistics, and rule management. Wrapping up, AOB also describes how to configure authenticated pf access by authorized users. "pf" has a lot of power, and spreading the material over 3 chapters worked well in presenting the reader with information at a manageable rate.

One of the strengths of an OS-specific book such as AOB is that the material covered benefits from a more focused approach. If it doesn't apply to OpenBSD, it doesn't need to be covered. Lucas has an experienced background in system administration, and this experience shines through well in the material. His remarks about the dangers of a system with open access via RPC seem especially prophetic in light of current events -- and not mindless ranting.

Overall, AOB is a well-written book that hits its market squarely on target. Those new to OpenBSD will appreciate the comprehensive approach that takes them from concept to functional execution. Existing and advanced users will benefit from the discussion of OpenBSD-specific topics such as the security features and pf administration. Lucas does well in his attempt to increase the number of those who would be practical paranoids.

Marius's turn:

Reviewer Marius Aamodt Eriksen also liked some aspects of Absolute OpenBSD, but found more faults in it; his critique may help you decide whether this book is for you (and he disagrees about the match between the book and its audience). He writes:

The book covers a very broad area, but it lacks depth in some parts. Perhaps my biggest problem with Absolute OpenBSD is that it should have focused more on the features that make OpenBSD unique: its security features. For example, it does not cover IPsec. Many of the various security features of OpenBSD are mentioned, but few are covered in much detail.

Michael Lucas' writing style is quite relaxed and informal. However, this often gets in the way of content. The numerous rants about how Windows security sucks simply get irritating. It is distracting from the focus of the book and simply unnecessary. Also, the tangents on TCP/IP and various other underlying technologies likewise deviate from the focus of the book. Lucas also does not hesitate to express personal opinions and views on a range of subjects. Though I typically have no problems with authors expressing their views, Lucas' tend to be unfounded and not well argued; they too are simply distracting. At times, it almost felt like Lucas was trying to put down less experienced people, teaching them lessons they "should know." I cannot imagine that this is what the typical audience of the book are looking for.

Absolute OpenBSD makes little effort to cover the various architectures that are supported by OpenBSD. The install section only covers i386; though probably not an issue for most users, it would be nice to have a more complete reference.

Otherwise, I would consider the contents of the book to be quite complete, and most definitely sufficient to provide a good introduction to OpenBSD and many of its neat features. An entire chapter is devoted to how to find more help, covering the various documentation, man pages and mailing lists. This is an excellent idea, and makes up for most of the (content) shortcomings of the book.

The PF (Packet Filter) section was very good; it covered a very broad set of features that PF provides, while carrying sufficient technical detail. The examples were very illustrative and appropriate for the text.

I spotted a few technical errors while reading the book. The editing also seems a bit rushed: in addition to the technical errors, there are a number of typos. Unfortunately, there isn't an errata section on the book's website; I strongly recommend Lucas and his publisher make one available.

My biggest problem with Absolute OpenBSD is that it is not true to its audience. I imagine that the audience is one which would like to know how to do something in OpenBSD without being told how "real system administrators" do it, or how much Microsoft sucks. My recommendation to Lucas would be to write Absolute System Administration and leave it out of Absolute OpenBSD. I do not mean to sound harsh, merely critical. The book has very many good sides, and by many counts is an excellent reference for people looking to migrate to OpenBSD. I would not have any problems recommending it to anyone who wanted to migrate to OpenBSD or see what it's about -- just be wary of the distractions.


You can purchase Absolute OpenBSD from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Comments:
  • by Anonymous Coward on Thursday August 14, 2003 @12:01PM (#6696401)
    • by Anonymous Coward
      Have you forgotten that the slashdot/opensource crowds were boycotting amazon cuz of their stupid patents. It's so funny how geeks forget to stand up to the good cause for a simple discount. That's why the RIAA and MPAA will win, because we are all noise and no action. ._segmond
    • by vergil ( 153818 ) <vergilb.gmail@com> on Thursday August 14, 2003 @12:57PM (#6696999) Journal
      I've noticed that a number of posters have regularly commented on the inevitable Barnes & Noble links that accompany Slashdot book reviews.

      Although I don't have any moral objections to any arrangements made between Slashdot and one particular online retailer, I feel that any website that purports to be in the business of disseminating "news" ought to be obligated to voluntarily divulge any links to for-profit enterprises that appear appended to articles and reviews.

      While an arrangement between Slashdot and Barnes & Noble might not necessarily alter the objectivity of an article/review, it introduces some interesting questions. For instance, does Slashdot receive compensation for links to Barnes & Noble merchandise appearing in published reviews? Would Slashdot turn down a reader submitted book review if a book was sold by Amazon -- but not stocked or sold by Barnes & Noble?

      Again, there isn't anything inherently wrong (in my mind) with Slashdot consistently linking to one retailer's products. However, if Slashdot readers consistently ask about the nature of any alleged relation between the Slashdot news site and another company, then perhaps Slashdot editors should make an effort to disclose any relevant details.

    • If you can get it at a physical Barnes & Noble in your own town, you could easily save $12 in shipping.
      • If you can get it at a physical Barnes & Noble in your own town, you could easily save $12 in shipping.
        Given that this book, by itself, qualifies for free shipping from Amazon, I find it unlikely that you will save $12 in shipping.
  • by Anonymous Coward
    A) The book

    or

    B) Sex with CmdrTaco's personal mare?
  • by bwdunn ( 85165 ) <bwdunn@gmail.com> on Thursday August 14, 2003 @12:04PM (#6696429) Homepage
    I find it interesting that /. always has links to Barnes & Noble - why not Amazon or Bookpool?

    Not a troll - just curious.
  • by mopslik ( 688435 ) on Thursday August 14, 2003 @12:04PM (#6696440)

    ...it does not have an average user community supporting it on the Internet.

    But I met both of them, and they seemed perfectly nice.

  • I'm going to spoil the enjoyment and give out the ending of the book. The last chapter ends by a dramatic sentence:

    "Red ink flows like a river of blood".
  • The OpenBSD Attitude (Score:5, Interesting)

    by Anonymous Coward on Thursday August 14, 2003 @12:15PM (#6696563)

    Jeff: Critics may feel OpenBSD's rugged individualism is an indictment of its usability, but then they may be better served by a different OS.

    Marius: At times, it almost felt like Lucas was trying to put down less experienced people, teaching them lessons they "should know." I cannot imagine that this is what the typical audience of the book are looking for.

    ... And yet this is the friendly face of OpenBSD towards its newbies. These lines say it all about the OpenBSD culture, which is arguably the most hostile towards newbies of any of the major open source OSes. Requesting better usability means that you're an idiot who should use RedHat or one of those other "toy OSes." If you have a question that doesn't involve an honest need for a code change (for purposes other than usability), then you're a time-wasting moron who should've read more first. They don't just suffer no fools; they suffer nothing less than other true, dyed-in-the-wool experts on the system. I'll grant the system its amazing technical merits, but the worst thing about OpenBSD is its vocal users.

    • I've found that if I do a search of OpenBSD.org for my problem and don't find it quickly, I can ask someone where to look for how to do whatever it is I'm trying to do and they've always been very nice and helpful. The OpenBSD community is not nice to people who want personalized hand holding through the most basic of tasks, but then again, it's not my desktop environment of choice. Furthermore, the online documentation is as good as the OS is solid. This isn't zealotry, I'm too much of a newbie to Ope
      • It really is true that people who can't read a HOWTO shouldn't be setting up servers, and therefore shouldn't be using OpenBSD.

        Truly insightful. Let me expand on it a bit and say if you want to use UNIX, but don't have a systems administrator or the desire to be one yourself, then stick with OSX. Period.

        You don't have to be a great sysadmin, but you have to at least have the willingness to sit down, read the documentation and attempt to understand it, and accept the fact that you will face difficult problems
    • As the admin of "openbsd dash newbies at sfobug dot org" I can assure you that we aren't hostile to newbies. Not everyone can be born a Unix Guru, so we try to help you learn Unix/OpenBSD. We don't do your work for you, but we'll tell you what FM to read. And we'll be polite about it.
    • These lines say it all about the OpenBSD culture, which is arguably the most hostile towards newbies of any of the major open source OSes.

      I personally don't find OpenBSD hard at all. Two years ago, I installed OpenBSD for the first time on a spare machine to toy around with it. My experience with any *BSD was about nil, and my Linux knowledge didn't get further than "stick in CD and wait". Later, I took a dedicated machine and made a firewall/NAT out of it. Did I find it hard? No, not at all. The

    • The (hostile) "vocal" users of the community do not represent the silent majority. They are VASTLY outnumbered by the nice guys and usually they back themselves up into a corner eventually and either finally shut up or leave the community altogether.

      To find friendly help you have to look in the right places. IRC channels are hardly that right place. The mailing lists are fine provided you respect the guidelines of the lists (e.g. don't post to the wrong list, don't crosspost...) and you should at least m

    • Like how to mount a native floppy. Stuff so basic it never occurred to anybody to put in an obvious form.

      I usually put my questions in the form: "I know this is basic, and here's what steps I've taken to find the answer....any clues to share?"

      I may have just lucked out or caught people at propitious times in their meds routine.

      My big project at the moment is setting up some sparc boxes with the newest rev. with some lovely anti stack-smashing, not avail on x86.
    • I've gotten quite a bit of help via IRC for OpenBSD; you just have to make sure you look for available resources online BEFORE requesting help. I personally don't think that is a big deal-- I don't want someone wasting my time with a simple question that is answered on the openbsd.org web page.

      Those who are flamed are often ones who don't do any due diligence when it comes to solving their own problems. This isn't always the case, as there are morons out there who feel the need to flame every question-ask
    • Bullshit. Apparently you haven't read the FAQ [openbsd.org] or looked in the right people. [screamingelectron.org]

      OpenBSD was the easiest install I've ever done because I READ the FAQ. Setting up a DHCP server was simplicity itself because I READ the man page. Seriously, setting up DHCP took less time than my Linksys router's GUI. OpenBSD is EASIER than Linux because of the sheer quality of help that is already there waiting for you like the FAQ and man pages.

      When I asked for help w/ my OpenBSD firewall, people on the forums responded in

  • by Punk Walrus ( 582794 ) on Thursday August 14, 2003 @12:16PM (#6696579) Journal
    I pre-ordered this book, and pored through it the day it arrived. I have been using OpenBSD at work and at home, and this book filled numerous voids I had from my piecemeal of information from various Usenet postings, man pages, and HOWTOs.

    This is *the* book to get if you know a little about *NIX/*BSD and want to flesh out what you know. Maybe if I was some expert guru, I'd find the book's informalness and coverage over basics to be a distraction, but no book of this ilk is ever everything for everybody. I'd call this a sort of "middle knowledge" book: not for raw newbies, not for hardcore experts, but for a lot of people in between.

    Part of the problem I have had with OpenBSD is a lot of people in the OpenBSD community are strict RTFMA about any help, and the book even mentions that OpenBSD people ARE a bit aloof, and even WHY this is (a good explanation, IMHO, without making OpenBSD people look like elitist snobs). I think if people are told, "Look, this is an OS *by* hard-core programmers who don't have time to answer 'WTF is pf scroood up R wat? LOL!!' or 'set up my sendmail for me, or I'll have a tantrum,' but want more intelligent questions about in-depth subjects," they'd be more understanding, and maybe start with FreeBSD, and work their way towards OpenBSD. Or do like I did, and found some more newbie-friendly OpenBSD people to share accomplishments with.

    OpenBSD is a great complement to the *BSD family, and this book can really teach you a lot about how it works, the philosophy behind it, and why things are the way they are.

    ________________________________________________
    www.punkalrus.com - OpenBSD user for over two years

    • Part of the problem I have had with OpenBSD is a lot of people in the OpenBSD community are strict RTFMA about any help,

      If you follow the OpenBSD mailinglists you'll see that it's not quite the case. On the other hand, if you have not read the online FAQ they'll tell you so.

      Note that the man-pages in OpenBSD are very good, which is not quite the case for several Linux distros.

      As an example, try 'man starttls' on your favorite Linux distro, and compare it with man starttls [openbsd.org]. Now, which one gives you the

  • I've been using OpenBSD on and off for a few years and have always found it works exactly as it's meant to. Secure, tight, fast. It might not have any/some support for things like SMP but then again it's not aiming to..

    It can all be summed up in that favourite sig.

    "UNIX is userfriendly. It's just really careful in choosing its friends"

    Rus
    • Yeah, SMP would be great. OpenBSD doesn't even boot on my Dual AMD Athlon. I did expect to boot and only use one CPU, alas it doesn't even do that.
      If you wonder why I wanted to do this: simple, my OpenBSD firewall/NAT is a Pentium 166. I thought of compiling the patches on my fast machine and just copy the stuff over. Alas, I cannot do it, so I just compile on the P166.
  • devil mascot = freebsd
    blowfish mascot = openbsd

    huh?
  • 8GB Root Partition (Score:3, Interesting)

    by aking137 ( 266199 ) on Thursday August 14, 2003 @12:48PM (#6696860)
    It says in the review: ...such as OpenBSD's requirement that its root partition must be completely contained within the first 8 gigabytes of the hard drive.

    I've just set up OpenBSD 3.3 on a not-very-critical server, and, not knowing about this limitation, I've just created one big root partition of about 58GB. It's run fine for the past four days though. Am I likely to run into problems, or has something been changed since the book was published?

    I know that there are good reasons for splitting your filesystem across multiple partitions, but is there a particular reason why I need to keep that root partition under 8GB in OpenBSD?
    • It will run fine until you cross over that 8G mark, and install a new kernel. Then you will have problems.

      OpenBSD is working on that, but no-one seems to be testing the code for it. :P
    • by Richard_at_work ( 517087 ) * on Thursday August 14, 2003 @02:02PM (#6697896)
      For the answer to your question, if you read this [openbsd.org] OpenBSD faq entry, it details fairly well why you should not have a / larger than 8gb.

      The following two sentences basically say it all:

      The OpenBSD i386 boot loaders (biosboot(8) and boot(8)) also have their own internal 8G limitation, from an older BIOS limit.

      For this reason, the entire /bsd file (the kernel) must be located on the disk within the boot ROM addressable area, or within the first 8G of the disk,

      It's just a "stupid" limitation that no one has seen a need to fix or work around in this case. But the results of violating this limit can be disastrous, as once the /bsd kernel file gets written outside this 8gb area, say after you have just rebuilt it, then the boot sequence dies with a bad magic error.
      Another good reason for partitioning your disks is so that a runaway process writing tonnes of log entries into /var/log/.log over night, while you are asleep and unaware of the issue, won't take down the system by filling up all your diskspace, just /var.
  • by imadork ( 226897 ) on Thursday August 14, 2003 @12:55PM (#6696960) Homepage
    I prefer Irish Whiskey myself, but if you're going to have a Vodka while administering OpenBSD, I'm not gonna stop ya...
  • Perhaps I missed it in the review, but what version of OpenBSD does the book cover?!
  • I haven't read the book yet, but this was one of the more informative reviews that I've read here.
  • Unique? (Score:1, Insightful)

    by AilleCat ( 178989 )
    There are very few things that make OpenBSD unique from other BSD OS's... security features like "IPSEC" are available in FreeBSD, NetBSD, and others as well. That certainly is not unique to OpenBSD. Cryptography is just as much a focus in FreeBSD development as it is for OpenBSD.

    I don't feel that OpenBSD's status for being the "most secure OS" is anything but general FUD, and I have news for you all, before you call me bigoted towards FreeBSD.... I rely on OpenBSD for fully half of what I do. I have sever
    • Re:Unique? (Score:5, Interesting)

      by Gregoyle ( 122532 ) on Thursday August 14, 2003 @01:34PM (#6697501)
      Maybe I'm biting at a troll, but I'll do it anyway...

      There are a few basic areas where OpenBSD is "unique" to my knowledge. It is certainly unique among the BSDs in these respects. The first is proactive security [openbsd.org]. They audit all code going into the OS and all code that was legacied (is that a word?) into the OS. I can't count the number of times I've heard something like "This problem was fixed in OpenBSD 6 months ago in a routine audit" as the page linked above states. Hell, people in the OpenBSD community were actually complaining about the routine security fixes not being released as actual security patches with alerts. The fact of the matter was that they had no idea if the old code could lead to an exploit or not; it was flawed so they fixed it. This leads into a second part of this aspect, which is full disclosure. Anytime there is any kind of exploit or potential exploit, you hear about it along with a bugfix immediately. None of this waiting 3 months for it to be recognized by the vendor and then another two for the patch to be publicly available.

      The second part is integrated cryptography [openbsd.org]. This doesn't mean just including IPsec. This means using 128-bit AES on the *swap* partitions to prevent them from being used against the system administrator in cases where the regular filesystem is also encrypted. I have never seen encrypted *swap* in an OS before. The design is ingenious; I've been looking at it very closely with an eye for porting it to another OS, and it's way cool.

      The third aspect, and perhaps the most important in my mind, is the ridiculously detailed and useful man pages [openbsd.org]. They are the best I've seen in any Unix, period. The FAQ on the website will answer almost any question you can think of for getting started. And if the man pages don't answer your question, you are probably looking in the wrong place or asking the wrong question. Well, that's what it's been any time I couldn't find stuff there.

      Oh and then there's the "Only one remote hole in the default install, in more than 7 years!" thing. Anyone can screw up a system, but OpenBSD sets you up for success where with the others it is truly a challenge to get the system as secure.
  • I've used OpenBSD in the past, and benefitted from its extensive online documentation. Sometimes an off-line reference is useful (i.e. required), and Absolute OpenBSD fills this void.

    This reminds me very much of the things I did before my first Linux installation in '96. I bought the book, "Red Hat Linux Unleashed", which just happened to have a RH 3.0.3 distro on one CD in a little envelope inside the cover. Skipping very few details, I read all 1100ish pages before even trying. I ran into enough t

  • I can recommend Sam's Teach Yourself Absolute OpenBSD Annoyances for Dummies in 24 Hours Unleashed -HOWTO.
  • ... an off-line reference is useful

    ...when the box gets h4ck3d? :)
  • I'm pretty happy with it. I'm just getting into OpenBSD, and this book makes it pretty easy to get started on complicated things. It's not for people with no experience, but neither is OpenBSD.
