I want to use BSDs, and I tried using OpenBSD, for my servers, but there are far too many missing features I rely on from Linux. One simple example is mount --bind. I want to allow some users to connect to my server via SFTP and put some files their $HOME/files which then goes to a physical disk used for user files. In Linux this is as simple as mount --bind /disk/userfiles/$USER /home/$USER/files. In OpenBSD they recommended using a localhost NFS share. That didn't seem to me like as good of a solution.
Just curious, why would symlinks not work here? That's traditionally how this sort of thing was done, even on Linux.
Is it a chroot issue? Interestingly, OpenBSD services seem to be moving away from chroot now that it has unveil. (Not that that would help you here and now.)
> Is it a chroot issue?
Yes. In my particular case I was setting up a server for some non-technical users to share files with me via FileZilla. So I use ChrootDirectory %h to restrict users to their home directory. Even if it wouldn't be a security issue to omit this, my users would be confused by seeing the whole /usr, /bin, /var etc. directory hierarchy show up in FileZilla. And even if they could learn their way around it, I don't want them to see the whole directory hierarchy. I just want them to see their own files.
Granted, this could be solved by symlinks if SFTP provided a way other than chroot to change the user-perceived home directory. But the fact that mount --bind works across filesystem namespace changes makes it more robust and useful in my book.
I didnt know what bind mount js, so I googled it.
https://unix.stackexchange.com/questions/198590/what-is-a-bi...
There is something here that might solve your problem: nullfs. Check the stack exchange link.
I don't use bsd, so this is just me sharing what I found out.
OpenBSD dropped nullfs a long time ago. See https://undeadly.org/cgi?action=article;sid=20050527155028 But it looks like DragonflyBSD, FreeBSD, and NetBSD have retained it.
Oh, hey, that's mine. Thanks for posting it. I have stopped posting all my articles to HN since most weren't getting any attention.
BSD always seems to be a popular topic on HN.
I think there are a fair few BSD users here, and there are also a lot of us who wonder whether we should be using it for its boringness.
I think Marinelli's blog post was discussed on HN earlier: https://news.ycombinator.com/item?id=41732415
I use it on my desktop and I love the boringness. It's not constantly trying to push new stuff I didn't ask for (eg ipconfig to ip, systemd, snaps, etc). It's just sticking with what works. I like that. Linux distros try to reinvent the wheel too much for my liking.
> there are also a lot of us who wonder whether we should be using it for its boringness
Yes.
By the nature of innovation of products on platforms, most HN readers are noisily building experiments on top of things rather than quietly building the stable things underneath.
Pizazz is interesting when hyping the new new things; boring is interesting when hosting the world.
I'd guess it's not that you're not getting any attention, I'd guess the handful of global infra builders don't stand out in your stats.
> I'd guess it's not that you're not getting any attention
I am a humble reporter. I don't have access to most of the Reg's internal stats about who is viewing a page, from where, etc.
I'm just going by the fact that most of my HN submissions got no upvotes and no comments.
One commenter in another discussion said my subs were getting [flagged] and/or [dead] as spam. I only see one sub ever as being flagged. I think it was this one:
https://news.ycombinator.com/item?id=38445020
... Which as it happens did get lots of engagement, then AFAICS due to a misunderstanding of the title got edited, then it got flagged. But I do not know the details.
Saying that, I suppose it's possible that normally this is invisible to me somehow, or that others see stuff as dead that I can't? I don't know.
Yes, a LOT of your submissions are dead. Email hn at ycombinator com and they will surely be able to give you some insight.
Meh. I have just stopped bothering.
Now I've got nostalgic ;( I missed my SysAdmin years when I was dealing with FreeBSD / NetBSD servers...I first learned about jail [1] around 2004 / 2005; since then, I was running a number of isolated apps within a cluster of FreeBSD servers and never once we went down after the implementation, until I left the company that is; afterwards what happened, I have no idea.
One thing FreeBSD jails have that Linux containers don't is a virtual, independent network stack via VNET. At least, I think that's a true differentiator. Am I correct, or is there similar Linux tooling for that?
The networking for Linux "containers" uses virtual veth devices combined with network namespaces that have their own routing table and packet filtering. Now, you are still dependent on what kernel modules the host is running for various capabilities, but otherwise applications running in those network namespaces effectively have their own network stack.
Is there a Proxmox equivalent for FreeBSD? I am interested to take it for a spin as a hypervisor (have always been drawn to BSD but aside from TrueNAS haven't used it in any real-world workloads). For a newbie I find that a GUI is great to understand what is possible, explore things, etc. Then transition to an infra-as-code approach later on.
Not directly but a team is working on one:
In terms of appliance standard there isn't much.
But CBSD is making trend.
https://www.bsdstore.ru/en/about.html - WebUI with the migration features and the likes.
As well as bhyve control panel (BVCP): https://bhyve.npulse.net/
bHyve is also supported libvirt so you should be able to use virt-manager with bhyve.
FreeBSD is my daily driver as well as OS fot colocation servers. I've have zero issues with bHyve running Linux and Windows virtual machines.
Not changing anything will be the most boring option. But yeah, if you are a BSD expert/fan, maintaining it is more boring than Linux.
My old blog was on Linux and had 10 y of uptime until Hetzner wanted to retire it. I think high uptime is easy.
I was surprised by the fact no one actually exploited it (though maybe they copied everything and didn’t tell me) because network traffic, running binaries were all normal.
That’s the difficult thing about high uptime with internet-connected devices. I remember watching uptimes go to astronomical numbers on netcraft, today all I can think about is how unpatched those systems must have been.
Well, uptime is usually about the kernel; it being high doesn't necessarily mean that the network-facing daemons (httpd, sshd, and so on) haven't been updated and restarted. Running an ancient kernel does mean you're more vulnerable to local privilege escalation, but an attacker would have to obtain local code execution first. It being an "old blog", there probably wasn't much more running than the SSH daemon and a web server, serving either static pages or some simple PHP pages; the attack surface wouldn't have been that large.
Not even local privilege escalation, though! I remember a couple notorious remote exploits being centered around ICMP ping. You're right that they are far less common.
I had the following:
- BIND
- an MTA/MSA (probably the riskiest thing)
- MySQL (local only)
- PHP + Apache2
- SSH
So the attack surface was larger than you’d think. I only had hundreds of blog visitors to be honest.
But the world has changed over the years. Even the existence of things like residential proxies makes fail2ban pointless nowadays. You have to be better. I was young and foolish and lucky.