TJR Forum

The OpenBSD 4.0 Crash Course
Written by Jem Matzan
Jan 15, 2007 at 05:15 PM

I've spent the last several weeks writing, revising, and editing a project called The OpenBSD 4.0 Crash Course for O'Reilly Media. It is designed to quickly teach you the basics of how to install, configure, use, and upgrade the OpenBSD operating system as a desktop or server. It's specific to version 4.0, and I plan on writing a new version for each future OpenBSD release. If you've wanted to learn OpenBSD or are anxious to get into the BSDs in general, this is your best starting point. I decided to pitch it as an electronic guide because it doesn't need to be particularly long, it's possible to copy-and-paste commands from it to your terminal window, and you can print out a hard copy if you want. It's now available for download for U.S. $9.99 from O'Reilly, and I plan on donating a portion of my royalties to the OpenBSD Project so that it can continue to produce great software. Each section is designed to be like my how-to articles -- concise and easy to understand. There are no preambles or politics; just good information. Below is a sample from the book to show you what you can expect from it.

Server Installation and Service Configuration

OpenBSD comes with some services available through the base system, and many others available through Ports or packages. Special notes concerning each kind of server are detailed below. Remember that this guide is only here to familiarize you with these services as they apply to OpenBSD; actually configuring, running, and managing the services is well beyond the scope of this Short Cut.

It goes without saying that security is the primary focus of outward-facing servers. Even on OpenBSD, you will want to remove (or simply not install) unnecessary components, disable unused services, and disconnect unused devices.

The inetd Internet Super-Server

All Internet and local network services on OpenBSD can be started manually from the command line, or you can add a line to /etc/rc.local to start them at boot time. Some already have default entries in /etc/rc.conf, and others can have their own configuration lines in rc.conf.local. There is nothing inherently wrong with starting each daemon individually and letting it do its own thing quietly in the background. There could be a performance advantage to using the inetd Internet super-server, however. This program acts as a sort of router, monitoring incoming network requests and directing them to the proper services. Be careful that you don’t try to use more than one method to start services at boot time, or else you could run into strange problems.

inetd is itself started through /etc/rc.conf, and it’s configured through /etc/inetd.conf. Each inetd entry must be listed as a service in /etc/services and use a protocol listed in /etc/protocols. If your server is not doing well under heavy network loads, you may want to experiment with using inetd to start and manage some or all of your services.

For the most part, the rest of this guide will cover only the rc.conf and rc.local methods of starting services, as they are the easiest and probably most oft-used methods to start the servers outlined below. That doesn’t mean that you should totally ignore inetd, though. At the very least, you may want to look through /etc/inetd.conf to make sure that it isn’t running any unnecessary services. If you’re configuring OpenBSD as some kind of specialized network server, inetd is almost certainly running services that you can and should disable.
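An added example, not code from the book, that audits an inetd.conf the way the paragraph suggests: it lists the enabled entries, counts those reachable from other hosts, flags service names that /etc/services does not know (the requirement stated above), and writes a copy with a chosen service commented out. The sample inetd.conf and the services(5) excerpt are constructed here, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the book: audit an OpenBSD-style inetd.conf offline.
# Entry format: [addr:]service socket-type proto wait|nowait user program [args];
# a leading '#' disables an entry, every other non-blank line is a service inetd offers.

# Print "service proto addr program" per enabled entry; addr is "*" unless bound.
inetd_enabled() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { n = split($1, a, ":"); svc = a[n]; addr = "*"
           if (n > 1) addr = substr($1, 1, length($1) - length(svc) - 1)
           printf "%s %s %s %s\n", svc, $3, addr, $6 }' "$1"
}

# Enabled entries reachable from other hosts, i.e. not bound to a loopback address.
inetd_exposed_count() {
    inetd_enabled "$1" | awk '$3 != "127.0.0.1" && $3 != "[::1]" { n++ } END { print n + 0 }'
}

# Enabled service names missing from a services(5) file; inetd rejects such entries,
# so they are usually typos or stale lines. Aliases after the port column count too.
inetd_unknown_services() {  # usage: inetd_unknown_services inetd.conf services
    inetd_enabled "$1" | awk -v sf="$2" '
        BEGIN { while ((getline l < sf) > 0) { nf = split(l, f)
                for (i = 1; i <= nf && f[i] !~ /^#/; i++) if (i != 2) known[f[i]] = 1 } }
        !($1 in known) && $1 !~ /^[0-9]+$/ { print $1 }'
}

# Copy src to dst with one service commented out; never edits the live file in place.
inetd_disable() {  # usage: inetd_disable src dst service
    awk -v svc="$3" '/^[ \t]*#/ || /^[ \t]*$/ { print; next }
        { n = split($1, a, ":"); if (a[n] == svc) $0 = "#" $0; print }' "$1" > "$2"
}

# Constructed sample modelled on the 4.0 default file (not the real /etc/inetd.conf).
SAMPLE=$(mktemp) || exit 1
cat > "$SAMPLE" <<'EOF'
ident            stream tcp  nowait _identd  /usr/libexec/identd  identd -el
127.0.0.1:comsat dgram  udp  wait   root     /usr/libexec/comsat  comsat
[::1]:comsat     dgram  udp6 wait   root     /usr/libexec/comsat  comsat
daytime          stream tcp  nowait root     internal
#time            stream tcp  nowait root     internal
fingerd          stream tcp  nowait _fingerd /usr/libexec/fingerd fingerd -lsm
EOF
# Constructed excerpt of services(5); as in the real file, "ident" is only an alias of auth.
SERVICES=$(mktemp) || exit 1
printf '%s\n' 'daytime 13/tcp' 'auth 113/tcp authentication tap ident' \
              'comsat 512/udp biff' 'finger 79/tcp' > "$SERVICES"
inetd_enabled "$SAMPLE"; inetd_unknown_services "$SAMPLE" "$SERVICES"
```

Run it against a copy of the real /etc/inetd.conf and /etc/services to see which entries a fresh install still offers to the network.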

Apache

Apache 1.3.29 is installed by default as part of the OpenBSD 4.0 base system and includes many extra patches to enhance its performance and security. Apache 2 cannot be included with OpenBSD because of some unacceptable terms in version 2 of the Apache software license. Because of this limitation, the OpenBSD Project has concentrated on doing more with Apache 1.3, to the point that it is almost a different web server in its own right. However, some people may have a specific need for Apache 2 because of the requirements of other software. Those people can download the Apache 2 source code from the Apache web site and compile it on OpenBSD without any extra concern. The OpenBSD-modified Apache 1.3 comes with the following modules installed by default:

  • mod_cern_meta
  • mod_info
  • mod_rewrite
  • mod_auth_anon
  • mod_define
  • mod_log_agent
  • mod_speling
  • mod_auth_db
  • mod_digest
  • mod_log_referer
  • mod_unique_id
  • mod_auth_dbm
  • mod_expires
  • mod_mime_magic
  • mod_usertrack
  • mod_auth_digest
  • mod_headers
  • mod_mmap_static
  • mod_vhost_alias
  • mod_ssl

If you need to add more modules, you can do so through the Ports tree, generally in the /usr/ports/www directory.

You can start the Apache HTTP daemon manually by typing apachectl start and pressing Enter. If you’d like to start it at boot time automatically, edit the /etc/rc.conf file and replace the NO with "" in this line:

httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))

Obviously, if you need to use mod_ssl, you need to put the -DSSL flag inside the quotes. See the httpd manpage for more information on loading extra modules here. Specific Apache modules may have their own manpages as well.

By default Apache runs in a chrooted environment -- in other words, Apache operates as though nothing exists outside of the ServerRoot, which is by default /var/www. So if you have extra Apache modules installed that need to use programs or configuration files in any directory outside of /var/www and its subdirectories, then they will not be able to function properly. More details are available in the httpd manpage, but if you just need to get this working right now by eliminating the chroot jail, start Apache with the -u flag, either from the command line, or in the quotes in the previously mentioned Apache section of /etc/rc.conf. Circumventing the chroot jail will make your system less secure if Apache is compromised. For optimal security, the www user should not be able to write to any files or directories in ServerRoot.
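An added example, not from the book or the OpenBSD project, covering two checks from this section: reading httpd_flags out of an rc.conf-style file to tell whether httpd starts at boot and whether -u has removed the chroot, and listing what the www user could write under ServerRoot. The rc.conf fragments and the demo tree are constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the book: two checks for the Apache section.
# 1) read httpd_flags from an rc.conf-style file and tell whether httpd starts at
#    boot with its chroot intact (no -u); 2) list what the www user could write
#    under ServerRoot, which the text says should be nothing.

# Value of httpd_flags with the trailing comment and quotes removed:
# NO -> NO, "" -> (empty), "-DSSL" -> -DSSL, "-u -DSSL" -> -u -DSSL.
httpd_flags() {
    sed -n 's/^httpd_flags=\([^#]*\).*/\1/p' "$1" |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Exit 0 when httpd starts at boot and keeps its chroot, 1 when it does not start,
# 2 when it starts with -u (chroot disabled).
httpd_boot_state() {
    f=$(httpd_flags "$1")
    [ "$f" = "NO" ] && return 1
    for w in $f; do [ "$w" = "-u" ] && return 2; done
    return 0
}

# Paths under ServerRoot the given user could modify: owner-writable and owned by the
# user (-perm -200), group-writable and group-owned (-020), or world-writable (-002).
# Supplementary group memberships are not considered. Defaults to OpenBSD's www user.
www_writable_paths() {  # usage: www_writable_paths /var/www [user] [group]
    find "$1" \( -user "${2:-www}" -perm -200 \) -o \
              \( -group "${3:-www}" -perm -020 \) -o -perm -002
}

# Constructed rc.conf fragments (the book's line plus two variants) and a demo tree
# standing in for /var/www; the tree uses the current user so it runs unprivileged.
RC_DEFAULT=$(mktemp) && printf '%s\n' 'httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))' > "$RC_DEFAULT"
RC_SSL=$(mktemp) && printf '%s\n' 'httpd_flags="-DSSL" # SSL, chroot kept' > "$RC_SSL"
RC_NOJAIL=$(mktemp) && printf '%s\n' 'httpd_flags="-u -DSSL" # chroot disabled' > "$RC_NOJAIL"
DEMO=$(mktemp -d) || exit 1
mkdir "$DEMO/htdocs" "$DEMO/logs"
printf 'hello\n' > "$DEMO/htdocs/index.html"
chmod 555 "$DEMO" "$DEMO/htdocs"; chmod 444 "$DEMO/htdocs/index.html"; chmod 777 "$DEMO/logs"

httpd_boot_state "$RC_NOJAIL" || echo "rc.conf check: status $? (1 = not started at boot, 2 = started with -u)"
www_writable_paths "$DEMO" "$(id -un)" "$(id -gn)"   # only .../logs should appear
```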

The Apache 1.3 configuration files are kept not in /etc, but in /var/www/conf/. You should look over httpd.conf and adjust it for optimal performance on your computer. By default, the settings may be a little too limited for web sites that get thousands of visitors per day.

Databases

No databases are installed by default in OpenBSD, but you can find MySQL, SQLite, and PostgreSQL in /usr/ports/databases along with several database-specific Perl modules and other extras and add-ons.

MySQL

Once installed, you can find the global MySQL configuration in /etc/my.cnf, but if you want to set server-specific configuration options, you can create an override my.cnf in /var/mysql. User-specific configurations can be stored in each user’s home directory.

Be warned that the default my.cnf is designed for old, low-power, low-memory servers and does not scale well under moderately heavy loads. This is more or less the standard default configuration for MySQL, though, so if you’ve configured it before, you should already know what you’re doing.

To make mysqld start automatically at boot time, add these lines (or something similar that fits your needs) to /etc/rc.local:

if [ -x /usr/local/bin/mysqld_safe ]; then
    echo -n ' mysql'; /usr/local/bin/mysqld_safe &
fi

SQLite

There are two versions of SQLite available for OpenBSD: 2.8.17 and 3.3.6, and they can be installed from /usr/ports/sqlite and /usr/ports/sqlite3, respectively. The sqlite or sqlite3 executable is located in /usr/local/bin, and there is no configuration file because SQLite is by definition “zero-configuration.”

PostgreSQL

You can install the PostgreSQL client via Ports from /usr/ports/databases/postgresql, but if you want the server and documentation, you’ll have to add them yourself:

pkg_add postgresql-server postgresql-docs

Automatically starting and stopping PostgreSQL is not quite as easy. Add these lines to /etc/rc.local to start it at boot time (that’s one line between the if and the fi, not two, so be careful when you copy and paste this text):

if [ -x /usr/local/bin/pg_ctl ]; then
    su -l _postgresql -c "nohup /usr/local/bin/pg_ctl start -D /var/postgresql/data -l /var/postgresql/logfile -o '-D /var/postgresql/data'"; echo -n ' postgresql'
fi

And to automatically shut it down cleanly when the system shuts down, add these lines (this time it’s two lines between the if and the fi) to /etc/rc.shutdown:

if [ -f /var/postgresql/data/postmaster.pid ]; then
    su -l _postgresql -c "/usr/local/bin/pg_ctl stop -m fast -D /var/postgresql/data"
    rm -f /var/postgresql/data/postmaster.pid
fi

You can find the PostgreSQL configuration files in /var/postgresql/data/. By default, the system is not tuned to accept a large number of database connections, so you’ll have to modify some kernel parameters if you’re expecting a fair amount of database usage. Check out the documentation in the /usr/local/share/doc/postgresql directory for more details. Of particular interest is the README.OpenBSD file, which has the aforementioned advice on system tuning for PostgreSQL.


That concludes the sample from the book. The rest of the PDF is just like this -- concise explanations that will get your computer up and running quickly, with proper resources and references for you to learn more if necessary. You can download it for $10 directly from O'Reilly.


Copyright 2007 Jem Matzan. This article is comprised of a book excerpt, and may be reprinted on Web sites and in newspapers or magazines without royalty, provided the content is not modified, this notice is preserved, and proper attribution is given.

Last Updated ( Feb 06, 2007 at 07:40 PM )

The Jem Report is part of the JEM Electronic Media network of information technology Web sites.