OpenBSD on a Workstation

From OpenBSD-Wiki

A free translation of Eric Radman's article An OpenBSD Workstation.

Power Button Shutdown

This nifty option in /etc/sysctl.conf can only be set before entering securelevel 1, and allows you to shut off your computer gracefully by pressing the power button.

hw.allowpowerdown=1

No More Annoying Bells

One of the many things you learn from reading Absolute OpenBSD is how to disable the annoying UNIX bell in /etc/wsconsctl.conf

keyboard.bell.volume=0

Starting with release 5.4, the wsconsctl method no longer works. The bell can be disabled using:

# .xinitrc
xset -b

or

# rc.conf.local
mixerctl inputs.spkr.mute=on

User-Mounted Media

It's nice to be able to mount DVDs or flash media without switching to root, which is what the operator group is for.

# usermod -G operator eradman
# chmod g=rw /dev/cd0*

Then flip a kernel option and you're all set.

# sysctl kern.usermount=1
$ mkdir -p mount/cdrom
$ mount /dev/cd0c mount/cdrom

Suspend & Resume

OpenBSD has very good ACPI support, see apmd(8). zzz and ZZZ are shortcuts for suspend and hibernate if apmd is run at startup.

apmd_flags=""

X Configuration: .xinitrc

# .xinitrc

redshift -O 5600

while true; do
    batt="$(sysctl -n hw.sensors.acpibat0.watthour3 | cut -f1,2 -d" ")"
    xsetroot -name "$batt"
    sleep 60
done &
xsetroot -solid steelblue  &
exec dwm

redshift is a utility designed to adjust the color temperature of your screen based on your surroundings, but it works equally well for a manual color temperature adjustment. My IBM T60p appears cold, so I adjust the default of 6500K to 5600K.

Next I run a loop in the background that reads the available battery life (Wh) and updates the window manager's display area.

Finally set the background color and start your favorite window manager.

Switch to an External Monitor

My screen at work is a bit larger than my laptop display (1400x1050 - 1650x1050), so I use a little docking script to switch to the external display.

#!/bin/sh
xrandr --output LVDS --off
xrandr --output VGA-0 --off
xrandr --output DVI-0 --auto
redshift -O 6200

Connecting to a Projector

If you started X with the VGA connected, it probably picked a resolution common to both your screen and the external display. On my T60 it can be reset like so

xrandr --output LVDS --mode 1400x1050

Use --query to find out what modes each display supports, then I set up a viewport that pans with the mouse pointer

xrandr --output VGA-0 --mode 1024x768 --panning 1400x1050

I also add some additional logic in my .xinitrc to switch to the external display automatically if X is started while connected to an external monitor:

xrandr --query | grep "DVI-0 connected" && ~/bin/docked-dvi
xrandr --query | grep "VGA-0 connected" && ~/bin/docked-vga

tmux

There are only a few tweaks I make to my terminal multiplexer's configuration. I frequently run entr in a smaller pane on the bottom

bind-key C-t split-window -p 25

I don't know of a terminal color picker, but they can be printed with a shell loop.

#!/bin/ksh

for i in `jot 255`; do
  printf "\033[38;5;${i}mcolour${i}\n"
done

Then I set status background and active border to bright green

set -g status-bg colour118
set -g pane-active-border-fg colour118
set -g pane-border-fg colour30

Using Disk Encryption

OpenBSD provides software RAID by way of a virtual host bus adaptor called softraid0. This HBA is also used for setting up disk encryption. To set it up, use disklabel (in my case for sd0g, /home) to set the partition type to RAID

$ sudo disklabel -E /dev/sd0c
Label editor (enter '?' for help at any prompt)
  g:         55641600        100653824    RAID
> m g
offset: [100653824]
size: [55641600]
FS type: [4.2BSD] RAID

Now configure it for crypto using -c C

# bioctl -c C -l /dev/sd0g softraid0
New passphrase: My Crypto Pass Phrase
Re-type passphrase: My Crypto Pass Phrase
softraid0: CRYPTO volume attached as sd1

Mount it using the same command. The kernel log will show a new virtual device appear

sd1 at scsibus2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 005> SCSI2 0/direct fixed
sd1: 27168MB, 512 bytes/sector, 55641072 sectors

Now add a disklabel and format the encrypted volume

$ sudo disklabel -E /dev/sd1c
$ sudo newfs /dev/rsd1a

Devices in OpenBSD may be mounted by device name or by disklabel UID which is a random id generated when the label is created.

$ disklabel /dev/sd1c | grep uid
duid: 779d87bac3905122

It's this ID that we'll use to mount the volume; this way, plugging in other drives won't confuse mount after we prompt the user for a passphrase on boot. Adding the following to rc.local will ask for the passphrase four times before giving up

# /etc/rc.local
# prompt for the passphrase up to four times; the RAID partition is named by the disk's DUID
for attempt in 1 2 3 4; do
  bioctl -c C -l c3e2f405c96a8e10.g softraid0 && break
  sleep 1
done
# the attached CRYPTO volume has its own DUID; check it, then mount /home by that DUID
fsck /dev/rsd1a
mount -o nodev,nosuid,softdep 779d87bac3905122.a /home
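As an added example that is not part of the original article, here is a more defensive version of the rc.local snippet above: it bounds the passphrase retries, refuses to mount /home if fsck fails, and names both the RAID partition and the CRYPTO volume by their DUIDs. The script name /etc/rc.crypto-home and the BIOCTL and RETRY_DELAY overrides are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article.  Intended to be called
# from /etc/rc.local as "sh /etc/rc.crypto-home boot" (hypothetical file name).
# The two DUIDs are the ones shown on the page.
DISK_DUID=c3e2f405c96a8e10      # DUID of the physical disk; partition g is the RAID slice
CRYPTO_DUID=779d87bac3905122    # DUID of the softraid CRYPTO volume once attached
MOUNTPOINT=/home
BIOCTL=${BIOCTL:-bioctl}        # overridable so the retry logic can be exercised without hardware
RETRY_DELAY=${RETRY_DELAY:-1}   # seconds to wait between passphrase prompts

# Prompt for the passphrase at most $1 times.
# Returns 0 once the volume is attached, 1 when the attempts are exhausted.
attach_crypto() {
    max=$1
    n=1
    while [ "$n" -le "$max" ]; do
        if "$BIOCTL" -c C -l "${DISK_DUID}.g" softraid0; then
            return 0
        fi
        echo "attach failed (attempt $n of $max)" >&2
        n=$((n + 1))
        sleep "$RETRY_DELAY"
    done
    return 1
}

# Preen the file system first and mount by DUID, so a disk plugged in before
# boot cannot be mistaken for /home.  nodev,nosuid as on the page; if fsck
# cannot repair the volume, /home stays unmounted instead of mounting dirty.
mount_crypto_home() {
    if ! fsck -p "${CRYPTO_DUID}.a"; then
        echo "fsck of ${CRYPTO_DUID}.a failed; leaving $MOUNTPOINT unmounted" >&2
        return 1
    fi
    mount -o nodev,nosuid,softdep "${CRYPTO_DUID}.a" "$MOUNTPOINT"
}

# Only run the sequence when invoked with the "boot" argument from rc.local.
if [ "${1:-}" = boot ]; then
    attach_crypto 4 && mount_crypto_home
fi
```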

If you would like to enable crypto on the entire boot volume see this post by Ted Unangst.

Reducing Password Fatigue with YubiKey

Yubico makes a nice little hardware key that, among other things, can be used to generate one time passwords for user authentication. The yubikey-personalization-gui is a Qt-based program that can be used to write private keys to one of two "slots". Copy the 6-byte private identity and the 16-byte secret key, without spaces, into /var/db/yubikey like so

echo "5c e1 e0 3e 63 a4" \
        | tr -d ' ' > /var/db/yubikey/$USER.id
echo "57 e3 af 3e 9b 51 2b 10 58 7d 33 fb d9 08 ef 7b" \
        | tr -d ' ' > /var/db/yubikey/$USER.key
chmod 600 /var/db/yubikey/$USER.*

Now set YubiKey as the authentication method for local logins as well as SSH.

# Default allowed authentication styles
auth-defaults:auth=yubikey,passwd,skey:

Finally rebuild the login DB

cap_mkdb /etc/login.conf
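A mistake in these files only shows up as a failed login, and a key file other local users can read lets them generate OTPs for that account. The following check, an added example that is not part of the original article, verifies the two per-user files before the yubikey auth style is enabled; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the per-user
# files in /var/db/yubikey.  Usage: check_yubikey_files /var/db/yubikey eradman

# Return 0 if $1 consists of exactly $2 hex characters, 1 otherwise.
is_hex_of_len() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq "$2" ]
}

# Return 0 if neither group nor others have any permission bits on $1
# (columns 5-10 of ls -l are the group and other permission bits).
is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Check <dir>/<user>.id (6-byte private identity, 12 hex chars) and
# <dir>/<user>.key (16-byte secret key, 32 hex chars).  Each problem is
# reported on stderr; the return value is the number of problems found.
check_yubikey_files() {
    dir=$1 user=$2 problems=0
    for suffix in id key; do
        path="$dir/$user.$suffix"
        if [ ! -f "$path" ]; then
            echo "$path: missing" >&2
            problems=$((problems + 1))
            continue
        fi
        if [ "$suffix" = id ]; then want=12; else want=32; fi
        content=$(cat "$path")     # command substitution drops the trailing newline echo leaves
        if ! is_hex_of_len "$content" "$want"; then
            echo "$path: expected $want hex characters with no spaces" >&2
            problems=$((problems + 1))
        fi
        if ! is_private "$path"; then
            echo "$path: readable by group or others, chmod 600 it" >&2
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```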

To reduce typing I use the second slot on the YubiKey as a relatively secure method of enabling ssh-agent in order to connect to remote systems where my public key (RSA, DSA, ECDSA) is installed. To start, use the yubikey-personalization-gui to generate a random key, then set slot 2 to challenge-response mode with this key

hexkey=$(echo "dd b6 68 81 c9 73 f9 64 84 21 7e f0 69 e8 2c 28 1b 6c ad e2" | tr -d ' ')
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -a $hexkey

Next I create new ssh keys (ssh-keygen) using part of the reply from ykchalresp. I installed this script as bin/ykauth

#!/bin/sh
ykchalresp -2 "$(whoami)@$(hostname)" | cut -c 1-15

Finally add this bit of logic to .profile to automatically activate these keys when I log in

ssh-add -l > /dev/null 2>&1 || {
    eval `ssh-agent`
    DISPLAY='' SSH_ASKPASS='/home/eradman/bin/ykauth' ssh-add < /dev/null
    exec ksh
}

Run -current on a Second Drive

Setting up a new disk in a way that OpenBSD expects is not very difficult: simply run fdisk's reinit

$ sudo fdisk -e wd0
Enter 'help' for information
fdisk: 1> p
Disk: wd0       geometry: 4133/240/63 [62500000 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
*0: 83      0  32  33 -   3959  46  62 [        2048:    59860992 ] Linux files*
 1: 05   3959  79  30 -   4133 124  44 [    59865086:     2633730 ] Extended DOS
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused

fdisk: 1> reinit
In memory copy is initialized to:
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
*3: A6      0   1   2 -   4132 239  63 [          64:    62490896 ] OpenBSD
Use 'write' to update disk.
fdisk:*1> write
Writing MBR at offset 0.

Now create a disklabel on the second drive (wd0) based on the disklabel from the first drive (sd0)

$ sudo disklabel wd0
# /dev/rwd0c:
type: SCSI
disk: SCSI disk
label: HTS721010G9SA00
duid: 0dc2584c60057522
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 12161
total sectors: 195371568
boundstart: 64
boundend: 62490960
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:          2104448               64  4.2BSD   2048 16384    1
  b:          2506143          2104512    swap
  c:        195371568                0  unused
  d:          4209024          4610656  4.2BSD   2048 16384    1
  e:          8385920          8819680  4.2BSD   2048 16384    1
  f:         45285344         17205600  4.2BSD   2048 16384    1

This roughly mirrors the layout I'm using on my first disk running -stable

$ df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a     1003M   49.7M    903M     5%    /
/dev/sd0d      2.0G   14.0K    1.9G     0%    /tmp
/dev/sd0e      3.9G   19.6M    3.7G     1%    /var
/dev/sd0f     44.2G    2.3G   39.8G     5%    /usr
/dev/sd0i     39.4G   26.3G   11.0G    70%    /home

Create new file systems and then clone the existing install with dump/restore

newfs /dev/rwd0a
newfs /dev/rwd0d
newfs /dev/rwd0e
newfs /dev/rwd0f

mkdir -p /mnt/drive2

mount /dev/wd0a /mnt/drive2
cd /mnt/drive2 && dump -0 -f - / | restore -r -f -

mount /dev/wd0e /mnt/drive2/var
cd /mnt/drive2/var && dump -0 -f - /var | restore -r -f -

mount /dev/wd0f /mnt/drive2/usr
cd /mnt/drive2/usr && dump -0 -f - /usr | restore -r -f -

You can install a bootloader like so

# /usr/mdec/installboot -v /mnt/drive2/boot /usr/mdec/biosboot wd0
fs block shift 2; part offset 64; inode block 64, offset 680
master boot record (MBR) at sector 0
        partition 3: type 0xA6 offset 64 size 62490896
/boot will be written at sector 64

After rebooting make sure /tmp has the right permissions

chmod 1777 /mnt/drive2/tmp

The only changes left are to mount the new drive and change sd0 to wd0 in /etc/fstab.

From here refer to Following -current in the OpenBSD FAQ.

Performance Tuning

There is no documentation on improving the responsiveness of an OpenBSD desktop. These are the tweaks I make. First I allow applications to consume more RAM

# /etc/login.conf
# remaining settings for the staff class are inherited from the default class
staff:\
        :datasize-cur=2048M:\
        :datasize-max=2048M:\
        :datasize=2048M:\
        :openfiles-cur=1024:\
        :stacksize-cur=16M:\
        :tc=default:

Add the noatime option to mount points

c3e2f405c96a8e10.a / ffs rw,noatime 1 1
c3e2f405c96a8e10.d /tmp ffs rw,softdep 1 2
c3e2f405c96a8e10.f /usr ffs rw,nodev,noatime 1 2
# ...

If you know of other strategies for tuning desktop performance, please send me what you know.