WebServer Magazine IAN DARWIN

Ian Darwin is a consultant, developer A Good Web and trainer specializing in operating systems and the Java Platform at the Right Price . A key decision in setting up and maintaining a Web site is the choice of and hardware platform. Now, before you say, “I’ll just use Windows NT” or “I’ll just use Solaris,” think about this: The operating system needs to be affordable, reliable, secure, fast, scalable, have software available for it and have a list of satisfied users. chunks; on UNIX, a second program assigns individual partitions within the UNIX partition. At least one is required for swapping, because UNIX gains some efficiency by swapping directly to a disk partition instead of into a as, say, Windows 95 does. UNIX reserves swapping to a file for when you don’t allocate a big enough swap partition. The one trick to this step is getting the sizes and offsets of the partitions exactly right. It may be easier (and safer, if you are sharing your boot disk with another PC-based OS) to use DOS fdisk to create the partition, then change it to an OpenBSD partition using disklabel. Please read the accompanying installation documentation for the gory details on disk partitioning. The install script also lets you set penBSD, the newest variant of 4.4BSD or “Berkeley UNIX,” meets up the network, is necessary only the criteria, plus, it runs on nine hardware platforms. Of course, every if you are using it to install. Yes, in fact, Ooperating system vendor wants you to believe that its OS is best (for you can install with just a boot floppy all purposes). Let’s leave discussion of commercial UNIX systems’ and NT’s and a network card. The main install (in)security to the Bugtraq list (http://www.geek-girl.com/bugtraq/ files, of which there are five, plus a copy index.html), and here concentrate on how OpenBSD fits the above criteria. of the generic kernel, can be installed from CD-ROM from a local disk in any OpenBSD Installation of several formats–including DOS/Win- The OpenBSD installation has some very nice features. First, on four archi- dows FAT, or from a network via NFS, tectures (Sun Microsystems Inc. SPARCs, Corp. i386s, Digital Equipment FTP or even HTTP Corp. Alphas and Advanced RISC Computing, or ARC, machines), there’s the Indeed, if you are patient, you can do ability to boot directly from one of the two CD-ROMs in the kit. For example, your entire installation over the , on my SPARCstation IPX, I just said boot cdrom. My PC did not support this given a copy of the boot floppy and a option, so I had to boot from a floppy. The floppy image is provided and can be direct connection. (Don’t try this at copied to floppy either using dd or using a DOS program rawrite, also provided. home, kiddies, if your Internet link is When you boot from the floppy, you first see a UNIX-style boot listing. After the 56 Kb/s or under. It might work, but kernel is initialized, the version of init(8)on the floppy asks which shell you you’ll probably die of old age first.) want; hitting return gives the (which is really PDKSH). At this point, I didn’t get to try the network install, you type install and you’re off to the races. but on one machine I did have to copy The install script asks the usual questions about which boot disk to the install files to a Windows partition install on and lets you run its fdisk and disklabel programs to set them and run them from there. It worked like up. You probably know that on a PC, fdisk breaks the disk into larger a charm!

SunExpert Magazine ■ June 1998 81 WebServer Magazine

Apache – No Muss, No Fuss other is the Navigator in Open- licenses you buy). Solaris Server Edi- First, let’s look at software, because BSD’s Linux emulation. View them tion also costs more than $500 per without it you won’t be able to use side by side and see if you can tell CPU. OpenBSD costs $30–yes, that’s OpenBSD as a Web server platform. which is which. thirty bucks–if you want the full distri- The most popular Web server on the What about , the language used bution on CD-ROM. If that’s too Internet is the free-software Apache by many Webmasters for CGI script- much (and if it is, how did you ever server (http://www.apache.org). ing? No problem! OpenBSD is one of afford a PC to run it on :-)), you can After you’ve installed OpenBSD, copied the few systems that ships with Perl download OpenBSD over the Internet. its “ports” tree from the CD to disk and preinstalled, ready to use. And what In either case, there’s no per-CPU have a connection to the Internet, it’s about Java? Of course you don’t need licensing. So if you add a second or just a matter of typing Java support just to install applets on third server, or decide to run it on your pages that you serve; they are just data notebook PC (having given up on cd /usr/ports/www/apache files to the server. But you might want Windows 95 after having to reinstall install to develop your own applets. it for the 95th time), there’s no cost. Or you might want to run “servlets,” However, the OpenBSD Project’s and you’ve got a recent version of Apache which are Java fragments that blend into main source of funding is from sales of compiled and installed, ready to config- your Web server, avoiding the overhead the CD-ROM, which pays for develop- ure. No muss, no fuss. of starting a new process each time a ment, timely patches from its Web site I didn’t test either Netscape Commu- user posts a form. But Java is a new and the like. So if you’re using Open- nications Corp. or Corp. Web language: Some love it, some leave it. BSD on dozens, hundreds or thousands servers because neither is readily available If you’re in the former camp, you’ll be of machines, you really should make in a form usable on OpenBSD. happy to know that there’s a FreeBSD a contribution to the project–cash, There is other software readily avail- port of Sun’s Java Developer’s Kit 1.1, machinery or software (your faithful able for Linux, and OpenBSD has a which works reasonably well (that com- scribe ported a kernel-level device good “compatibility” mode for Linux, patibility mode, again). There should driver for the Connectix QuickCam SVR4 and other systems. This compat- soon be an OpenBSD native support. from another UNIX platform and ibility mode is not system-call mapping Of course if you’re in the latter camp, donated it to the project. Why? I like (with the overhead that that implies) but you won’t care beans about Java. In [some!] WebCams, I like QuickCam a method of loading a different set of either case, OpenBSD delivers the goods and I had the hardware handy). shared libraries and system-call entries. in terms of server software support. As you will have gathered, Open- For example, Figure 1 shows a 43-KB BSD is , and there is no GIF image of two Netscape Navigator Cost and Support guarantee of support. However, the 4.0.x screens. Both are displayed on a Windows NT Server costs more source is in the hands of many deve- Solaris workstation. One is Netscape than $500 per server (depending on lopers. Peter Honeyman of the Center running locally (Solaris version), the where you shop and how many client for Information Technology Integra- tion, an applied research and develop- ment center at the University of Mich- igan, chose OpenBSD as the platform for a large research project. He says, “we run OpenBSD because it runs AFS [the Andrew , an alternative to NFS], has had a lot of attention paid to security vulnerabilities, is really UNIX and has a friendly and open developer community.’’ As an example, while my Cyrix Sys- tems Pentium 166 system works fine off the CD-ROM distribution of OpenBSD 2.2, my Dell Computer Corp. notebook’s ATAPI CD-ROM wasn’t recognized. An email to the mailing list brought a reply from a developer in Europe, including a patch, within about 10 minutes. How many commercial OS vendors even read their email, let alone respond the same hour Figure 1. Can you tell the Solaris from the Linux version? or the same day?

82 SunExpert Magazine ■ June 1998 WebServer Magazine

For the Security Wary? Benchmark X86 Running Solaris 2.6 X86 Running OpenBSD Today’s Internet has its full share of Arithmetic 6.6 7.6 vandals and crackers. To stay alive, you Drhystone 2 (nonregister) 9.0 10.5 need a secure OS and a secure Web Execl throughput 5.4 32.9 server. The Apache server team keeps a File copy (30 seconds) 3.4 5.0 close eye on the Bugtraq list and pub- Pipe-based context switch 7.1 13.9 lishes patches. The OpenBSD people Shell scripts (8 concurrent) 2.2 9.2 are very security conscious. And because Average 5.6 13.2 their base code is derived from 4BSD, it has been worked over by many of the Figure 2. Benchmark results (comparable to other runs of Byte Benchmark 3.0). best developers in the UNIX and inter- networking communities for years. OpenBSD’s security policies, see the the Internet, you want your machine as Then, in 1997, OpenBSD itself was OpenBSD security page at http:// secure as possible. In addition, given a thorough going over for security, www.openbsd.org/advisories. IV is there to allow sec- from head to toe. Oliver Friedrichs, vice Friedrichs’ company produces some ure network logins, as for updating files president of engineering at Secure Net- exciting security software that is based on the Web server. works Inc., Calgary, Canada, wrote to on OpenBSD. This, and many others, And has not been me in January 1998: are listed in the OpenBSD software overlooked. The IPSec protocols ESP “We have been using OpenBSD in users list at the OpenBSD Web site, and AH are preinstalled on the system, our development of security software for which includes companies using Open- and a pair of tools (a manual configur- the past one-and-a-half years. We devel- BSD internally, many OpenBSD-based ation process and a for pro- op a network security assessment tool ISPs, companies developing or offering viding standard mappings) lets you which identifies weaknesses in computer software for OpenBSD and so on. control what type of security is used networks. Our main interest in using and on which connections. This is a OpenBSD was its security benefits. We very powerful feature for use on extra- have assisted the OpenBSD develop- nets. Overall, OpenBSD security is ment team in a fairly large capacity to arguably the best available. find and solve many security problems As for reliability, it generally just which were present in OpenBSD and keeps running. Unlike Windows 3.1, other BSD operating systems. That which needs rebooting every hour or so, being said, it’s quite some time later or Windows 95, which needs rebooting now, and in my opinion, OpenBSD has OpenBSD also features a range of daily, Berkeley UNIX systems tend to been ‘victim’ to one of the most strin- cryptographic software, including Ker- stay up for months at a time. gent software reviews (that beros and IPSec, compiled and installed In the early days of 4.2BSD, a bug is, looking for and discovering security as part of the base system. One could in the “uptime” code was detected flaws), that I know of, occurring in any even say the main focus of OpenBSD when a system had been up for six operating system. Many individuals development is on operating system sec- months without a reboot and a small worldwide have spent much of the last urity. It is, according to the OpenBSD integer variable wrapped around. We year piling through source code, ident- Project, “the only significant OS ship- have not kept our test system up for six ifying and fixing security problems. ping with full crypto support included.” months (otherwise, you wouldn’t see “… if you want a stable and secure Because OpenBSD ships from Canada, this review until the end of the year) environment, there are definitely many it is only indirectly subject to the U.S. but, apart from flaky or unsupported benefits to using it. Most of the security Commerce Department’s vagaries and hardware, we have never had a system problems found in other free operating can ship with features that you may crash or lock up in normal operation. systems were fixed first in OpenBSD. never see from SunSoft Inc., The Santa And in case you do have problems, For reference, many of these vulnerabili- Cruz Operation Inc.or Microsoft. you can build a kernel with a debugger ties apply to other operating systems Even password security is expanded built in; instead of crashing, system fail- as well, and have been documented as beyond most conventional UNIX vari- ures will drop it into a debugger. In security advisories at SecNet.com/ eties. Not only is the shadow password short, OpenBSD is reliable and secure advisories [see http://www.secnet. format mandatory, but there are four enough for use as a Web server platform. com/advisories].” algorithms for encoding login - The result is that, according to Open- words, one of which is compatible with Testing Its Speed BSD Project Leader Theo Deraadt, not standard UNIX and the rest of which We ran the “Byte UNIX Benchmark, a single remote root security problem are more secure. Normally this is not Version 3.1” against the same machine was detected between the release of 2.1 much of an issue because a machine running Solaris and OpenBSD. The and 2.2 (2.3 is scheduled for release dedicated to Web serving won’t have machine is a Pentium (Cyrix) 166 with this month). For more information on many interactive users. But being on 32 MB of RAM (see Figure 2).

SunExpert Magazine ■ June 1998 83 WebServer Magazine

The Byte UNIX Benchmark mea- thereafter), this adapter was not sup- seems always to have played fairly sures CPU time (where the two sys- ported (the reason I had to try out the with developers large and small, and tems did about equal), the throughput “install from local disk” option when the ATI boards are well supported at of execing another program (where installing on the notebook). As of 1,024 by 768 and higher. OpenBSD won hands-down) and this writing, we are still using a work- On the SPARC, the normal video other features. The numbers are the around–telling the system that the configurations (CG2, CG3, CG6, ratio of the machine under test to PCI-PCMCIA bridge is on the ISA BW2 and P4) are supported, as are some original, so higher numbers bus–on my notebook. It works just all of the other standard hardware. are better. fine but it’s a “bit of a hack.” There is something to be said for a While benchmarking Web server In addition, there is less likely to platform that doesn’t have 1,200 performance is a trickier proposition, be support for proprietary hardware. different and incompatible video we think these results indicate that To mention my Dell notebook one boards available, though cost isn’t it. OpenBSD is faster than Solaris at last time, it uses some contemptible For the latest word on hardware sup- many of the things that a Web server proprietary “NeoMagic” video adapter, port, check the OpenBSD Web site. does. This should extrapolate to peppy which works just fine under Windows There is no MP support at present. Web server response from OpenBSD, 95 and Solaris 2.6, because the big This might be an issue of scalability a measure confirmed by the number companies involved play together. on larger servers. of ISPs running OpenBSD systems. But NeoMagic will not give any of OpenBSD is a free UNIX-like sys- its undocumented programming infor- tem that runs on many platforms. It Hardware Support mation to organizations like XFree86, has Perl 5, gcc and many other tools Because OpenBSD is mostly a so it doesn’t support it. And it doesn’t bundled, and much freeware, includ- volunteer effort, the latest hardware appear to emulate anything other than ing the Apache Web server, can be may not be supported until somebody 640-by-480-by-16 VGA mode unless added easily. OpenBSD’s meticulous gets around to writing support for it. you have the secret documentation, and proactive approach to security For example, my Dell notebook has so that’s what I use on my notebook. means that your system is more likely a PCI-based PCMCIA bridge, but as On the deskside PC, I have an ATI to survive attacks via the Internet. of Version 2.2 (and for several months video board–ATI Technologies Inc. And the price is very right, too. ✒

OpenBSD

Company The OpenBSD Project 1933 6th St., S.E. Calgary, Alberta Canada T2G 2Y3

WWW http://www.openbsd.org

Best Features A good server OS. Runs on many platforms. Runs many popular Web servers, and Perl for CGI is preinstalled. Freely available in source code, reasonably priced on CD-ROM. Cryptographic and security software included.

Worst Features Limited support for the wide range of peripherals available on the PC, compared with some commercial operating systems.

Price $30

Circle 159

84 SunExpert Magazine ■ June 1998