On 2015-09-28 00:22, Matt Hamilton wrote:
>> On 27 Sep 2015, at 22:57, Theo de Raadt <dera...@cvs.openbsd.org> wrote:
>>
>>>> On 27 Sep 2015, at 22:38, Eric Furman <ericfur...@fastmail.net> wrote:
>>>>
>>>> You really don't get it. Running OpenBSD in a VM gives you no
>>>> security benefits of OpenBSD. Your base security will be your
>>>> host, in this case FreeBSD. And on top of that you are running
>>>> a very complex piece of software, the VM. Who knows what
>>>> security holes are in it.
>>>
>>> I do get it. I guess you wrote this before reading my last reply. That
>>> explains the situation.
>>>
>>> Yes, the base security will be my host. Putting an OpenBSD VM on there
>>> does not (IMHO) significantly decrease the security of that host. I
>>> agree that it is adding complexities and there could be potentially
>>> unforeseen security issues due to the combination. e.g. something like
>>> OpenBSD's ability to generate random numbers could somehow be
>>> affected by the underlying VM that would not be present on bare metal.
>>
>> Any additional code you run, beyond the minimum, increases your exposure
> 
> Indeed. Which is why you are typing this on a typewriter, right? I mean, I 
> don’t know what editor you use, emacs, vi, mg, whatever… but that is 
> additional code, right? That has increased your attack surface. But you deem
> that an appropriate compromise to absolute security as you want features and
> convenience.
> 
>> You are so clueless.  It's amazing.
> 
> No. The fact that I have tried an experiment and have a setup that has
> different priorities on its requirements to someone else’s setup or
> requirements is not clueless. It is different. OpenBSD just does not offer
> the functionality (e.g. a large, redundant filesystem, à la ZFS) I need to get
> the job I want to do done on its own. So I need additional software to
> achieve that. End of story. Yes it is a larger attack surface, yes it is
> added complexity. I fully understand that. But I need additional software to 
> achieve my end goals.
> 
> This thread started with someone who is starting to learn and wanted to know 
> which OS, OpenBSD or FreeBSD would be best for their requirements. I don’t 
> feel putting forward an idea that you could run OpenBSD as a VM and have both 
> is so unreasonable.

I run a similar setup to yours in my co-located environment, with a
number of large-ish FreeBSD hosts running a number of vm guests
(although I'm using VirtualBox), and it all works surprisingly well with
a mixture of OpenBSD, FreeBSD and Linux guests.


However, in front of the whole shebang I have a pair of carp'ed
redundant firewalls running on their own dedicated hardware, of course
running OpenBSD and pf.

I never ever EVER expose anything that is not running OpenBSD directly
to the Internet. Why? Because I am human and I make mistakes.

With OpenBSD at the border I sleep well knowing that even if I do slip
up there are more attack mitigation elements built in, a smaller exposed
footprint and a higher quality code base meaning fewer outright bugs to
exploit in OpenBSD than, in my opinion, in any other operating system in
existence. Anywhere. And that's not something I say lightly.


I rent half a rack (21 U) in one co-locate facility and space for one
machine in another, for backups and redundancy of vital functionality.

When designing my infrastructure I briefly entertained the idea to set
the secondary location up like you have done, but I quickly came to my
senses. It just presented too big of a potentially vulnerable attack
surface to the world to be acceptable to me.

So I have now made sure I can have two physical machines there, too. I
have a 1U Supermicro Twin for that purpose, so I can have two
carp/pf/openbsd firewalls there as well, with as much redundancy as that
setup allows (the two computers in the 1U system share power supply, but
everything else is autonomous. But that whole site is a redundancy
measure, so it is not a disaster if it goes offline for a while).


I would also like to comment on the "large, redundant file system"
issue. As I said, I run several FreeBSD servers, but I run them, as well
as (obviously) my OpenBSD servers, with FFS and not ZFS.

I run several servers with 30-40 TB or more of storage (mostly using
FreeBSD but also a couple of OpenBSD servers), and I have never had the
need for ZFS in my environment. I have never lost a single byte of data
either, despite several bad crashes due to various hardware and software
failures. (And not just because I am dead serious when it comes to my
backups...)


To put it bluntly, I have never liked ZFS. It is an order of magnitude
too complex for my needs, and even if I would need what it can offer I
still wouldn't like it and would likely avoid it. And it is not like I
am new to ZFS. Rewind ten-fifteen-twenty years and I ran a lot of
Solaris. I was as enthusiastic about ZFS as anyone when it first
appeared in Solaris 10, but I soon realized it was waay overdesigned for
most needs.

In contrast, UFS/FFS/FFS2 I know by heart. If I need to, I can repair a
broken file system by hand using a hex editor and/or fsdb. With ZFS, I'm
lost in the woods should something happen that would require emergency
surgery...

Like Peter, I run OpenBSD for everything I possibly can, only resorting
to other operating systems when absolutely necessary, out of performance
or software availability needs.  The one thing OpenBSD is lacking in the
file system department as far as I am concerned is journalling, for
quicker post-crash recovery. Softraid is not feature-complete either,
but it's getting there.


The other week I got the idea to set up a new workstation to play with
some GUI stuff I haven't used in a long time. I had a nice PC lying
around with plenty of horsepower, lots of memory, two really nice
graphics cards and three 24" monitors hooked up to it (it had previously
run Windows, I was using it to run flight simulators).

So I thought, maybe I'd try PC-BSD - it seemed easy enough to get up and
running with a decent X environment, and it supported my hardware. And
it was easy, no doubt about it... but I soon realized that they are now
mandating ZFS, and THERE IS NO WAY AROUND IT because some of their GUI
system management stuff depends on ZFS functionality. *sigh*

So... now that machine is yet again sitting here in a corner of my
office, collecting more dust, because I just can't bring myself to go
through the effort of configuring it into something that is a
comfortable working environment for *me*, when I know I'm just waiting
for an excuse to throw PC-BSD out again. Just because of ZFS...


Regards,

/Benny


-- 
internetlabbet.se     / work:   +46 8 551 124 80      / "Words must
Benny Lofgren        /  mobile: +46 70 718 11 90     /   be weighed,
                    /   fax:    +46 8 551 124 89    /    not counted."
                   /    email:  benny -at- internetlabbet.se
