Intro

I never used the Fulldisk Encryption Feature as there was no need for. It doesn’t make sense for Hosted VM’s, as you have to enter the Passphrase at every boot at the Console. So, it’s a pain and still possible to intercept on the Hosters Infrastructure. Disk Encryption does not make sense at home, as all my Devices remains at home (and hopefully never got stolen). It would make sense on a Notebook, but i’m more the Apple Fanboy when it comes to portable Machines. And there, we have FileVault which basically does the same. However, i’d like to give a try with a Test VM. There are plenty of instructions how to setup up, i just tried one and made some notes as usual.

how to build json from cli

we all like json, do we ? https://kellyjonbrazil.github.io/jc/docs/parsers/ping

add package

doas pkg_add jc

try ping

openbsd-box # ping -c 3 1.1.1.1 |jc --ping -p 2>/dev/null
{
  "destination_ip": "1.1.1.1",
  "data_bytes": 56,
  "pattern": null,
  "destination": "1.1.1.1",
  "packets_transmitted": 3,
  "packets_received": 3,
  "packet_loss_percent": 0.0,
  "duplicates": 0,
  "round_trip_ms_min": 9.219,
  "round_trip_ms_avg": 9.826,
  "round_trip_ms_max": 10.158,
  "round_trip_ms_stddev": 0.43,
  "responses": [
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 0,
      "ttl": 59,
      "time_ms": 10.158,
      "duplicate": false
    },
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 1,
      "ttl": 59,
      "time_ms": 9.219,
      "duplicate": false
    },
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 2,
      "ttl": 59,
      "time_ms": 10.101,
      "duplicate": false
    }
  ]
}

Compatible platforms: linux, darwin, freebsd -> had to redirect the stderr to /dev/null because OpenBSD is not (yet) supported officially…

Enable Logging for Unbound

update unbound.conf

/var/unbound/etc/unbound.conf

server:
    logfile: /log/unbound.log
    verbosity: 1
    log-queries: yes
...

create folder/logfile

log=/var/unbound/log/unbound.log
doas mkdir /var/unbound/log/
touch $log
chmod 660 $log
chown _unbound:_unbound $log

restart service

doas rcctl restart unbound

tail logfile

tail -f /var/unbound/log/unbound.log

# tail -f /var/unbound/log/unbound.log
[1660208341] unbound[3279:0] notice: init module 0: validator
[1660208341] unbound[3279:0] notice: init module 1: iterator
[1660208341] unbound[3279:0] info: start of service (unbound 1.15.0).
[1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.euro.apple.com. A IN
[1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.euro.apple.com. AAAA IN

sha256: 2a8843dffec0d8bbd8ff1b2ab4748600dfc57ba00bd87707e1f505c849b89fa3

How to Enable Remote Control for Unbound

Setup Remote Control

doas unbound-control-setup

$ doas unbound-control-setup
setup in directory /var/unbound/etc
Generating RSA private key, 3072 bit long modulus
..................................++++
..................................++++
e is 010001 (0x65537)
Generating RSA private key, 3072 bit long modulus
........................................++++
........................................++++
e is 010001 (0x65537)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
removing artifacts
Setup success. Certificates created. Enable in unbound.conf file to use

Enable in unbound.conf

/var/unbound/etc/unbound.conf

stumpled upon some thing cool, htmlq! It’s like jq, but for HTML.

Installation Rust

htmlq need rust. so, let’s install rust first.

doas pkg_add rust

Add Link to Path

cat << 'EOF' |doas tee -a /etc/profile
# Rust/Cargo
export PATH=$PATH:/root/.cargo/bin

EOF
. /etc/profile

Install HTMLQ

doas cargo install htmlq

some Examples

Extract Links

curl -s https://www.openbsd.org | htmlq --attribute href a |head

Example

user@nixbox$ curl -s https://www.openbsd.org | htmlq --attribute href a |head
goals.html
plat.html
security.html
crypto.html
events.html
innovations.html
faq/faq4.html#Download
anoncvs.html
https://cvsweb.openbsd.org/
https://github.com/openbsd

Extract complete links URL

curl --silent https://www.nytimes.com | htmlq a --attribute href -b https://www.nytimes.com

Example

there are a few Weeks until OpenBSD 7.2 will get released. Anyhow, running current is a good way to get a “preview” what’s in the pipeline and will come soon.

one of the painpoint was update packages on OpenBSD. Not because it was difficult, but it took quite a lot of time. Specially, when you run a bunch of machines in different networks.

Version and Time consumption

sysctl kern.version
pkg_info |wc -l
time pkg_add -Vu

OpenBSD 7.1 - Box 1

root@puffy202 RD:0 /bin# sysctl kern.version
kern.version=OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022

root@puffy202 RD:0 /bin# pkg_info |wc -l
     188

root@puffy202 RD:0 /bin# time pkg_add -Vu

    2m07.46s real     0m14.82s user     0m09.70s system

OpenBSD 7.1 - Box 2

root@puffy203 RD:0 # sysctl kern.version
kern.version=OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022

root@puffy203 RD:0 # pkg_info |wc -l
     214

root@puffy203 RD:0 # time pkg_add -Vu

    2m17.13s real     0m43.37s user     0m28.07s system

OpenBSD 7.2-Beta - Box 3

root@puffy204-current RD:0 # sysctl kern.version
kern.version=OpenBSD 7.2-beta (GENERIC.MP) #650: Tue Jul 26 08:30:28 MDT 2022

root@puffy204-current RD:0 # pkg_info |wc -l
     206

root@puffy204-current RD:0 # time pkg_add -Vu

    0m09.65s real     0m07.92s user     0m00.31s system

Did you see the difference ?

let’s play a bit with Redis. A In-Memory Data Store for Caching, Streaming, Message Broker

• https://redis.io/

Install

doas rcctl add redis
doas rcctl enable redis
doas rcctl restart redis

Package Summary

what did we got installed ?

doas pkg_info -L redis

$ doas pkg_info -L redis
Information for inst:redis-6.2.7
Files:
/etc/rc.d/redis
/usr/local/bin/redis-benchmark
/usr/local/bin/redis-check-aof
/usr/local/bin/redis-check-rdb
/usr/local/bin/redis-cli
/usr/local/bin/redis-sentinel
/usr/local/bin/redis-server
/usr/local/share/examples/redis/redis.conf
/usr/local/share/examples/redis/sentinel.conf

A Server, a Client, a configuration File, …

Keep Alive

send a ping …

https://github.com/Bratela/openbsd

Install Ruby

Install Ruby and set Symlinks

doas su -
pkg_add ruby-3.1.2
ln -sf /usr/local/bin/ruby31 /usr/local/bin/ruby
ln -sf /usr/local/bin/bundle31 /usr/local/bin/bundle
ln -sf /usr/local/bin/bundler31 /usr/local/bin/bundler
ln -sf /usr/local/bin/erb31 /usr/local/bin/erb
ln -sf /usr/local/bin/gem31 /usr/local/bin/gem
ln -sf /usr/local/bin/irb31 /usr/local/bin/irb
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/racc
ln -sf /usr/local/bin/rake31 /usr/local/bin/rake
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rbs
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdbg
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdoc
ln -sf /usr/local/bin/ri31 /usr/local/bin/ri
ln -sf /usr/local/bin/typeprof31 /usr/local/bin/typeprof

Install Nokogiri

pkg_add ruby31-nokogiri-1.13.1p0

Install Rails

pkg_add ruby-3.1.2

Install Rails

gem install --user-install rails

sha256: 8fe9d1423773886605a4b9cddc3e9e14a274f9431f7839274f5a2b6d7370f9f8

Let’s Compile a Custom Kernel for OpenBSD … and let’s check if we can tune the Process it with multiple Processors.

get Sources and prepare Custom Kernel

cd /usr/src
ftp https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/sys.tar.gz
tar xfz sys.tar.gz
rm xfz sys.tar.gz
cd /sys/arch/$(uname -m)/conf
cp GENERIC.MP CUSTOM.MP
config CUSTOM.MP
cd ../compile/CUSTOM.MP

-> with config CUSTOM.MP, you can enable disable Components which will be built into your Custom Kernel. Wlan Drives for a VirtualServer, as example, does not make sense.

BGP Looking Glass with OpenBSD

something I’ve wanted to do for a long time and never got around to it …

Just give a try, it’s public available: https://bgp.stoege.net/

Prerequisite

• OpenBSD VM (at least 2G RAM)
• Public IPv4 / IPv6
• DNS Record / Static IP
• Full BGP Feed (don’t worry, you can get it for free)

httpd config

OpenBSD got their own HTTP Daemon in Base System. Let’s enable and configure it.