On 2015-09-28 00:22, Matt Hamilton wrote:
>> On 27 Sep 2015, at 22:57, Theo de Raadt <dera...@cvs.openbsd.org> wrote:
>>
>>>> On 27 Sep 2015, at 22:38, Eric Furman <ericfur...@fastmail.net> wrote:
>>>>
>>>> You really don't get it. Running OpenBSD in a VM gives you no
>>>> security benefits of OpenBSD. Your base security will be your
>>>> host, in this case FreeBSD. And on top of that you are running
>>>> a very complex piece of software, the VM. Who knows what
>>>> security holes are in it.
>>>
>>> I do get it. I guess you wrote this before reading my last reply. That
>>> explains the situation.
>>>
>>> Yes, the base security will be my host. Putting an OpenBSD VM on there
>>> does not (IMHO) significantly decrease the security of that host. I
>>> agree that it is adding complexities and there could be potentially
>>> unforeseen security issues due to the combination. e.g. something like
>>> OpenBSD's ability to generate random numbers could somehow be
>>> affected by the underlying VM that would not be present on bare metal.
>>
>> Any additional code you run, beyond the minimum, increases your exposure
>
> Indeed. Which is why you are typing this on a typewriter, right? I mean, I
> don’t know what editor you use, emacs, vi, mg, whatever… but that is
> additional code right? That has increased your attack surface. But you deem
> that an appropriate compromise to absolute security as you want feature and
> convenience.
>
>> You are so clueless. It's amazing.
>
> No. The fact that I have tried an experiment and have a setup that has
> different priorities on its requirements to someone else’s setup or
> requirements is not clueless. It is different. OpenBSD just does not offer
> the functionality (e.g. a large, redundant filesystem, ala ZFS) I need to get
> the job I want to do done on its own. So I need additional software to
> achieve that. End of story. Yes it is a larger attack surface, yes it is
> added complexity. I fully understand that. But I need additional software to
> achieve my end goals.
>
> This thread started with someone who is starting to learn and wanted to know
> which OS, OpenBSD or FreeBSD would be best for their requirements. I don’t
> feel putting forward an idea that you could run OpenBSD as a VM and have both
> is so unreasonable.

I run a similar setup to yours in my co-located environment, with a number of large-ish FreeBSD hosts running a number of vm guests (although I'm using VirtualBox), and it all works surprisingly well with a mixture of OpenBSD, FreeBSD and Linux guests.

However, in front of the whole shebang I have a pair of carp'ed redundant firewalls running on their own dedicated hardware, of course running OpenBSD and pf.

I never ever EVER expose anything that is not running OpenBSD directly to the Internet. Why? Because I am human and I make mistakes. With OpenBSD at the border I sleep well knowing that even if I do slip up there are more attack mitigation elements built in, a smaller exposed footprint and a higher quality code base meaning fewer outright bugs to exploit in OpenBSD than, in my opinion, in any other operating system in existence. Anywhere. And that's not something I say lightly.

I rent half a rack (21 U) in one co-locate facility and space for one machine in another, for backups and redundancy of vital functionality. When designing my infrastructure I briefly entertained the idea to set the secondary location up like you have done, but I quickly came to my senses. It just presented too big of a potentially vulnerable attack surface to the world to be acceptable to me. So I have now made sure I can have two physical machines there, too. I have a 1U Supermicro Twin for that purpose, so I can have two carp/pf/openbsd firewalls there as well, with as much redundancy as that setup allows (the two computers in the 1U system share power supply, but everything else is autonomous. But that whole site is a redundancy measure, so it is not a disaster if it goes offline for a while).

I would also like to comment on the "large, redundant file system" issue. As I said, I run several FreeBSD servers, but I run them, as well as (obviously) my OpenBSD servers, with FFS and not ZFS. I run several servers with 30-40 TB or more of storage (mostly using FreeBSD but also a couple of OpenBSD servers), and I have never had the need for ZFS in my environment. I have never lost a single byte of data either, despite several bad crashes due to various hardware and software failures. (And not just because I am dead serious when it comes to my backups...)

To put it bluntly, I have never liked ZFS. It is an order of magnitude too complex for my needs, and even if I would need what it can offer I still wouldn't like it and would likely avoid it.

And it is not like I am new to ZFS. Rewind ten-fifteen-twenty years and I ran a lot of Solaris. I was as enthusiastic about ZFS as anyone when it first appeared in Solaris 10, but I soon realized it was waay overdesigned for most needs. In contrast, UFS/FFS/FFS2 I know by heart. If I need to, I can repair a broken file system by hand using a hex editor and/or fsdb. With ZFS, I'm lost in the woods should something happen that would require emergency surgery...

Like Peter, I run OpenBSD for everything I possibly can, only resorting to other operating systems when absolutely necessary, out of performance or software availability needs. The one thing OpenBSD is lacking in the file system department as far as I am concerned is journalling, for quicker post-crash recovery. Softraid is not feature-complete either, but it's getting there.

The other week I got the idea to set up a new workstation to play with some GUI stuff I haven't used in a long time. I had a nice PC laying around with plenty of horsepower, lots of memory, two really nice graphics cards and three 24" monitors hooked up to it (it had previously run Windows, I was using it to run flight simulators). So I thought, maybe I'd try PC-BSD - it seemed easy enough to get up and running with a decent X environment, and it supported my hardware. And it was easy, no doubt about it... but I soon realized that they are now mandating ZFS, and THERE IS NO WAY AROUND IT because some of their GUI system management stuff depends on ZFS functionality. *sigh* So... now that machine is yet again sitting here in a corner of my office, collecting more dust, because I just can't bring myself to go through the effort of configuring it into something that is a comfortable working environment for *me*, when I know I'm just waiting for an excuse to throw PC-BSD out again. Just because of ZFS...

Regards,
/Benny

--
internetlabbet.se     / work:   +46 8 551 124 80      / "Words must
Benny Lofgren        /  mobile: +46 70 718 11 90     /   be weighed,
                    /   fax:    +46 8 551 124 89    /    not counted."
                   /    email:  benny -at- internetlabbet.se