First time installing OpenBSD and stuff I did

I have been wanting to use OpenBSD for a while after hearing everyone praising its superior security. Until then, my only exposure to OpenBSD was installing it on a VM and maintaining Drogon on it. Needless to say, VM performance sucks. Not even Linux can do video playback on a VM without graphics acceleration. Now I finally got the motivation to install it on real iron after building and hosting some services on my hardware.

Installing OpenBSD

Not going to lie. It took me several tries to finally get OpenBSD installed. The OpenBSD installer is quite good and easy to follow. It asks for your hostname, network interface, passwords, etc. Then you're asked to select where to install the system. By default OpenBSD partitions the disk into a lot of partitions: /, /usr, /usr/local ... But I want to store everything in a single partition, so I don't run out of space when I install packages. But manually doing that makes the OpenBSD installer very angry and fail to install the boot loader. After several tries, I gave up and used the default partitioning. Hope it's not going to bite me later.

NOTE: OpenBSD uses nested partitioning. A big "OpenBSD Area" is created on the GPT/MBR partition table. Then internal partitioning is created inside the OpenBSD Area.

Now the installer asks where the "sets" are located. Unlike most Linux installers, OpenBSD installs by decompressing prebuilt tarballs (sets) into the partition. The "install" image from the OpenBSD website includes the basic sets. I was stuck for a while because I couldn't locate the sets in this prompt. Turns out that even though I ran the OpenBSD installer from a USB stick, the sets partition wasn't mounted by default. So I had to reply "no" to the "is the partition mounted" question, then select the partition where the sets are located. Installation goes smoothly after that.

Overall, installing OpenBSD is slightly easier than installing Arch from CLI manually. But it is technical and different enough that I won't recommend it if you can't install Arch.

Troubleshooting

After installing, a new problem appears. My PC is connected exclusively via WiFi. The AP is too far away. Yet running ifconfig iwx0 up causes OpenBSD to complain about missing firmware. Ohh.. dang, that's a chicken and egg problem. I can't invoke fw_update to install the firmware I need. But I can't get to the internet because of the missing firmware. I ended up being lazy and got some help from Linux. OpenBSD, installed on a hard drive, will happily boot in a VM just by setting /dev/sdc as the emulated drive (yay! everything is a file rocks):

sudo qemu-system-x86_64 -m 1024 -enable-kvm -smp 4 \
    -drive file=/dev/sdc,format=raw,index=0 \
    -device e1000,netdev=net0 \
    -netdev user,id=net0 \
    -bios /usr/share/ovmf/OVMF.fd \
    -display sdl

Here I encountered a weird keymap bug. Somehow the default frontend (GTK) has the wrong keymap. Any keys I press are converted into some European characters. After some messing around, I found the SDL frontend is fine. Then I logged in to install the firmware.

doas fw_update iwx

I also installed Gnome and Firefox since I'm at it. I disabled xenodm because I want to use GDM. I know GDM is not as secure as xenodm. But I don't want to be dealing with scripts to set up dbus. Especially since this is the first time I'm using OpenBSD.

doas pkg_add -i gnome gnome-extra firefox
doas rcctl enable gdm messagebus multicast
doas rcctl disable xenodm

Reboot into OpenBSD.. I got into the command prompt.. Ugh.. where's GDM? At this point I assumed I screwed up something. So I tried to downgrade a bit. Installed XFCE. Disabled GDM and enabled Xenodm again. Reboot. Nice! Xenodm and XFCE do work. Immediately I noticed severe screen tearing. glxinfo | grep OpenGL shows that I'm using llvmpipe (CPU rendering) and not my 6700XT GPU (which is supported in OpenBSD 7.1). After some toying around, I found out that I need to install the firmware, again.

doas fw_update amdgpu

Yet again, reboot. Log in to XFCE and now glxinfo shows I'm using the AMDGPU driver. Yessss. Re-enable GDM and reboot. Even nicer, both GDM and Gnome are working perfectly. Firefox also works.

Customization

Run syspatch

OpenBSD has 2 update mechanisms. One for updating packages added via pkg_add and another for patching the system/kernel called syspatch. I feel weird that it's a separate thing. On Linux, the kernel and the base system are managed by the same package manager that handles packages. I guess this is a BSD thing as FreeBSD also has freebsd-update.

doas syspatch

Font installation

Installing custom fonts on OpenBSD is not as straightforward as on Arch. Though it's the same process, most Linux distros have a font installer and abstract the process. To install fonts on OpenBSD, you have to put the fonts in the /usr/X11R6/lib/X11/fonts/<folder> folder and reevaluate the font cache.

doas mkdir -p /usr/X11R6/lib/X11/fonts/<some-name>
doas cp <font-file> /usr/X11R6/lib/X11/fonts/<some-name>
doas /usr/X11R6/bin/fc-cache

Install the Arc theme

IMO Adwaita is a bad theme. It looks gray and unpleasing. I have been using the Arc theme for a while. On Arch Linux installing it is as easy as pacman -S arc-theme. On OpenBSD, there's no package for it. So I had to install it from source. Arc was previously maintained by horst3180. It got abandoned and I'm using jnsh's fork.

doas pkg_add sassc meson inkscape # for building the theme
git clone https://github.com/jnsh/arc-theme
cd arc-theme # meson must run from the source tree
meson setup --prefix=$HOME/.local -Dvariants=light -Dthemes=gnome-shell,gtk3,gtk4 build/
meson install -C build/

Re-enable SMT

For security reasons, OpenBSD disables SMT by default. I get why they do it. But I am not that paranoid about CPU side channel attacks. And the performance loss is quite huge. So I decided to re-enable SMT.

# as root
echo "hw.smt=1" >> /etc/sysctl.conf

Switching to Chromium

IMPORTANT: This section is outdated. I figured out how to get GPU acceleration working with Firefox. See my new post:

Firefox is my preferred browser. But on OpenBSD, for security reasons, it doesn't do GPU acceleration. The performance is sluggish at best. I can't even play a 1080p video at 60FPS. But Chromium does have GPU working. So I switched to Chromium. It's worth noting that both Firefox and Chromium are unveiled to only read their config files and the Downloads folder. This prevents any browser exploits potentially reading your SSH keys in the home directory. But it also means you have to copy files to the Downloads folder in order to upload them. It's a tradeoff that I can live with.
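The restriction described above, modelled as an added example (not code from this post or from OpenBSD): a POSIX shell function resolves which unveil(2) permissions apply to a path by longest-prefix match over a policy of "path permissions" lines. The user alice, the paths and the policy contents are constructed assumptions, not the browsers' real policy.

```shell
#!/bin/sh
# Added example: a model of unveil(2) path visibility for auditing a policy.
# Constructed sample: one "path permissions" pair per line, like the two
# arguments of unveil(2). Not copied from any real browser port.
sample_policy() {
cat <<'EOF'
# constructed sample policy
/home/alice/.config/browser rwc
/home/alice/Downloads rwc
/usr/local r
/usr/local/lib rx
EOF
}

# unveil_perms POLICY_FILE PATH
# Prints the permissions of the longest unveiled path that is PATH itself or
# one of its parent directories. Prints "-" when nothing covers PATH, which
# is the case where the sandboxed process cannot see the file at all.
unveil_perms() {
    up_policy=$1 up_target=$2
    up_best_len=-1 up_best=-
    while read -r up_path up_perms; do
        case $up_path in ''|'#'*) continue ;; esac   # skip blanks, comments
        up_path=${up_path%/}                         # normalise trailing slash
        case $up_target in
            # Exact match or a real child; "Downloads-old" must not match
            # an entry for "Downloads".
            "$up_path"|"$up_path"/*)
                if [ "${#up_path}" -gt "$up_best_len" ]; then
                    up_best_len=${#up_path} up_best=$up_perms
                fi ;;
        esac
    done < "$up_policy"
    printf '%s\n' "$up_best"
}

# Demo on the constructed policy.
demo_file=$(mktemp)
sample_policy > "$demo_file"
for f in /home/alice/Downloads/cv.pdf /home/alice/.ssh/id_ed25519 \
         /home/alice/Downloads-old/cv.pdf /usr/local/lib/libfoo.so; do
    printf '%-36s %s\n' "$f" "$(unveil_perms "$demo_file" "$f")"
done
rm -f "$demo_file"
```

The "-" result for the SSH key and for the look-alike Downloads-old directory is the property the paragraph relies on: a path outside every unveiled directory is simply not there for the process.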

CPU scaling

Unlike Linux, which has CPU frequency scaling built into the kernel, OpenBSD uses an external daemon. By default it's not installed. Installing and enabling it is as easy as:

doas pkg_add -i apmd
doas rcctl enable apmd
doas rcctl set apmd flags -L
doas rcctl start apmd

Thanks to Keith Burnett's writeup on installing OpenBSD on a laptop[1], I learned that in OpenBSD 7.1 apmd disabled frequency scaling when using wall power. obsdfreqd is needed to restore automatic scaling.

cd /tmp/ && git clone https://tildegit.org/solene/obsdfreqd.git
cd obsdfreqd
make
doas make install
doas rcctl enable obsdfreqd
doas rcctl start obsdfreqd

This is what my desktop ends up looking like:

Image: Screenshot of my OpenBSD installation.

Remaining issues

Sound suddenly stops working

The sound server sometimes crashes during video playback. I can't yet manually restart it. At that point the only thing I can do is just reboot.

GCC11 Cannot compile some C++ applications

Some of my C++ projects require GCC11. OpenBSD does have a package for it. And the compiler part does work. But sometimes it fails at linking with the error 'undefined reference to __cxa_throw_bad_array_new_length'. Some searching online shows this is caused by GCC11 linking against an older libstdc++. But I can't figure out how to explicitly link against a newer one.

Forgetting to do full disk encryption

Unlike Linux's LUKS and FreeBSD's GELI, OpenBSD's full disk encryption isn't something you set up during installation. Instead, you have to set up an encrypted OpenBSD Area before installing. So I just ended up with a non-encrypted installation. It's fine for my test run. But I'll definitely need to do full disk encryption in future installations.

Sluggish when FS under load

Whenever I compile larger projects and look at htop, I often see the kernel taking up more than 50% of the total CPU capacity. It makes dragging windows feel sluggish. I've searched online but couldn't find a solution. This seems to be a kernel issue; I assume it's because OpenBSD doesn't do fine-grained locking well. Still, I can simply reduce the number of threads I use and leave one or two cores free.

Conclusion

OpenBSD is surprisingly usable. There's less magic in it, which is a good thing. That means I have more control over what my system looks like and is doing. I can do ~95% of my daily tasks on it. Basically:

  • Browse the web
  • Remote into servers
  • VIM with plugins
  • Build and run projects locally

All while having the peace of mind that I basically am immune to any kind of attack. Even if someone tries to pwn my browser, pledge and unveil[2] will protect me against serious damage.

Seems like I'll be trying to use OpenBSD as my daily environment. Maybe I'll eventually switch to it completely. Who knows.

Author's profile. Photo taken in VRChat by my friend Tast+
Martin Chang
Systems software, HPC, GPGPU and AI. I mostly write stupid C++ code. Sometimes does AI research. Chronic VRChat addict

I run TLGS, a major search engine on Gemini. Used by Buran by default.

