Contributed by jason on from the chasing-each-other-around-with-a-blunt-object dept.
The release of OpenBSD 4.3 is right around the corner. A group of Undeadly editors was overheard in IRC discussing their favorite new features. We've compiled their list here for you to review. Which are your preferred features, and do you have any unique uses for them?
The new snmpd in base is a blessing for those of us managing networks with OpenBSD. We currently have a dozen or so firewalls and VPN servers in production, and they all use net-snmp's snmpd. Net-snmp's configuration is usable, but unwieldy. I really appreciate the simplicity of this new snmpd implementation (along with snmpctl(8)), and am grateful for Reyk Floeter's (reyk@) hard work on this new feature.
I've been using carp(4) for years. It's an immensely useful feature and has saved my cookies numerous times. But one thing that's always been a minor inconvenience is setting up CARP load balancing. You'd have to create multiple interfaces with the same address, manage those hostname.carp* files, and make sure to get the advskew just right. While much of the underlying design hasn't changed, Marco Pfatschbacher (mpf@) recognized the complexity and made numerous changes to simplify usage. Rather than creating multiple interfaces with the same address, we can now just create a single carp interface and assign it multiple carpnodes with their respective advskews. This is a time-saver and should ease troubleshooting across CARP members.
Peter Hessler (phessler) is looking forward to the new Intel 2.2.0 Xorg drivers...
New laptop means new quirks and bugs to deal with. This time around, the biggie was the screen. Intel 965 with 4.2 defaulted to 1024x768, which defeated the purpose of me upgrading to the really nice screen. Poked around and I found a tool in ports that let me use the native resolution. Inelegant, because I couldn't dynamically resize my screen, use accelerated 2d, or other nifty features of X.
But then the 2.2 Intel drivers were imported, and all of that melted away. No need for 915resolution, the screen was natively supported. Changing resolutions is now as easy as changing my pants. Watching movies in mplayer is snappier, and uses less CPU. Connecting to a projector is as simple as running xrandr(1). Fitter, Happier, More Productive.
Paul Greidanus (paul) likes the new includes directive for pf.conf(5)...
The ability to include multiple files into pf.conf will aid greatly in complex PF rulesets. For example, an administrator can now have a single ruleset per network, rather then hundreds of lines in their primary pf.conf. Personally, I have a 550 line pf.conf in front of six interfaces filtering three class-C networks worth of IP addresses. Being able to distribute filtering logic and policies to dedicated ruleset files will ease administration and increase efficiency.
From pf.conf:Additional configuration files can be included with the include keyword, for example: include "/etc/pf/sub.filter.conf"
The include feature is useful for administrators who might otherwise use anchors, but wish to also store macros and tables in there as well. There's probably a lot of interesting uses for this that will be revealed as users adopt OpenBSD 4.3 in production.
I host a small mail/web server for family and friends. I've always wanted to provide a means for my users to manage their websites without giving them access to the whole system. Along with Match, AllowTcpForwarding, X11Forwarding, ForceCommand and ChrootDirectory (previously reported), I can provide the access I want without relying on FTP+chroot, FTP+ssl+chroot (w/ pure-ftpd), scponly, some systrace hack or some third party ssh hack.
Here's a quick list of steps I used to make ChrootDirectory work:
- mkdir -p /var/www/sites/user1/home/user1/www
- Add user1 to wwwusers in /etc/group
- Add to /etc/ssh/sshd_config:Match Group wwwusers X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp ChrootDirectory /var/www/sites/%u
- If using public-key authentication, copy authorized_keys file to /var/www/sites/user1/home/user1/.ssh and create a symlink to /var/www/sites/user1/home/user1 in /home.
- Configure web server to point to /var/www/sites/user1/home/user1/www for user1's website.
Using /var/www/sites/%u ensures that user1 can only see user1's home directory. The lines in sshd_config also prevent ssh tunneling and X11 forwarding. To add more users, add them to wwwusers and create, for example, /var/www/sites/user2/home/user2/www.
For backing up my systems, I chose to use an external USB disk with Bacula to store the monthly full backups. I'll take that disk off-site during the month while incremental backups are stored on a local disk. Because I'll be storing my USB disk offsite where others may have access to the drive, I want to encrypt the disk:
- sd0a already exists, is empty and takes up the entire disk
- Create the encrypted "disk": vnconfig -ck svnd1 /dev/sd0a
- Partition the encrypted "disk": fdisk -i svnd1
- Create a disklabel on svnd1 (I used the whole disk for a)
- Format the disk: newfs -O2 /dev/rsvnd1a
Lastly, I mount /dev/rsvnd1a as /usb and configure Bacula to use File Media Type storage in /usb.
Janne Johansson (jj), on large filesystem (>2TB) support and spinlock improvements for SMP arches...
I like the incremental way support has been added in order to support large (2TB) file systems. The way is has been done at other places seems to me to have included far too much bridge-burning decisions and handling the inevitable fallout, whereas the OpenBSD devs in this case made neat step-by-step evolution even when the results weren't visible in order to finally reach a point where all parts simultaneously support really large file systems and small file systems beyond the 2+ TB boundary.
OpenBSD 4.3 will have spinlock improvements for SMP arches. This one, even though it might not be the shocker of the century, is one of my favourites. Sometimes, someone decides not to go for the sexy stuff but rather dig into one particular hot spot and comes out with a performance improvement no one knew was to be found. So for this point, looking at how the SMP system behaves while spinning (which of course is a major point for kernels that don't have fine-grained locking yet) gives us a neat boost while waiting for non-biglocked kernels. The fact that the improvements are good and usable for all the current SMP platforms also adds bonus points in my book.
Johan M:son Lindman (johan), on ACPI and sparc64 SMP
ACPI is as of the 4.3 release turned on by default. This means that a fair amount of newer computers that would previously require manual configuring by means of UKC or config will now "just work". As with most large changes acpi(4) is still a tad rough around the edges but the fundamental pieces are in and this should make it easier for developers to further extend and add features to it. One much anticipated feature will be suspend/wake, it is not yet working so a lot of OpenBSD laptop users will be looking forward to this being added in the future.
Sparc64 gained SMP support in time for 4.3 and this is something many of us have been waiting for a long time, so here it is, go throw it at all your SUN UltraSPARC gear out there and report back if you encounter problems.
(Comments are closed)