1. 6

    Anyone know of cloud providers (either virtualized or real hardware) that either offer OpenBSD, or allow you to install OpenBSD easily and without hacks?

    I only know of prgmr.com, RootBSD and ARP Networks. I am interested in companies offering real professional support running on server grade hardware (ECC, Xeon, etc) with proper redundant networking, etc, so amateur (but cheap) stuff like Hetzner doesn’t count.

    Somewhat tangential, but I am also interested in European companies. I only know of CloudSigma, Tilaa, Exoscale and cloudscale.ch. Are they any good?

    EDIS and ITL seem to be Russian companies or shells operating in European locations, not interested in those.

    Many thanks!

    1. 5

      https://www.vultr.com/servers/openbsd

      I wouldn’t consider Gilles’ method a hack at this point, now that online.net gives you console access. Like usual, you first have to get the installer on to a disk attached to the machine. Since you can’t walk up to the machine with a stick of USB flash, copying it to the root disk from recovery mode makes all the sense.

      1. 2

        Thanks, I forgot about vultr.

        As for installing, I would vastly prefer PXE boot. It’s not just about getting it installed. It’s about having a supported configuration. I am not interested in running configurations not supported by the provider. What if next year they change the way they boot the machines and you can’t install OpenBSD using the new system anymore? A guarantee for PXE boot ensures forward compatibility.

        Or what if some provider that is using virtualization updates their hypervisor which has a new bug that only affects OpenBSD? If the provider does not explicitly support OpenBSD, it’s unlikely they will care enough to roll back the change or fix the bug.

        You’re not paying for hardware, as Hetzner showed, hardware is cheap, you’re paying for support and for the network. If they don’t support you, then why pay?

        1. 2

          Yeah I share your concerns. That’s why I’ve hesitated to pay for hosting and am still running all my stuff at home. It would suck to pay only to hear that I’m on my own if something changes and my system doesn’t work well after that change.

          Given how often OpenBSD makes it to the headlines on HN and other tech news outlets, it is really disappointing how few seem to actually care enough to run or support it. It’s also disappointing considering that the user base has a healthy disdain for twisting knobs, and the system itself doesn’t suffer much churn. It should be quite easy to find a stable & supported hardware configuration that just works for all OpenBSD users.

          1. 1

            It should be quite easy to find a stable & supported hardware configuration that just works for all OpenBSD users.

            Boom! There it is. The consumer side picks their own hardware expecting whatever they install to work on it. They pick for a lot of reasons other than compatibility, like appearance. OpenBSD supporting less hardware limits it a lot there. I’ve always thought an OpenBSD company should form that uses the Apple model of nice hardware with desktop software preloaded for some market segment that already buys Linux, terminals, or something. Maybe with some must-have software for business that provides some or most of the revenue so not much dependency on hardware sales. Any 3rd party providing dediboxes for server-side software should have it easiest since they can just standardize on some 1U or 2U stuff they know works well with OpenBSD. In theory, at least.

      2. 4

        https://www.netcup.de/

        I run the above setup on a VPS. OpenBSD is not officially supported, but you can upload custom images. Support was very good in the last 3-4 years (didn’t need it recently).

        1. 2

          Looks nice, especially since they are locals :) Do you mind answering some questions?

          • Do they support IPv6 for VPS (/64)?
          • Have you tried to restore a snapshot from a VPS?
          • Mind sharing a dmesg?
          1. 3
        2. 2

          I have two OpenBSD vservers running at Hetzner https://www.hetzner.com . They provide OpenBSD ISO images and a “virtual KVM console” via HTTP. So installing with softraid (RAID or crypto) is easily possible.

          For a week now there has been no official vServer product anymore. Nowadays, they call it … wait for it … cloud server. The control panel looks different; however, I have no clue if something[tm] changed.

          Here is a dmesg from one server: http://dmesgd.nycbug.org/index.cgi?do=view&id=3441

          1. 2

            Joyent started providing a KVM OpenBSD image for Triton last May: https://docs.joyent.com/public-cloud/instances/virtual-machines/images/openbsd

            (This has been possible for some time if you had your own Triton cluster, but there was no official way until this was published.)

            1. 1

              What’s the deal for cloud providers for not making OpenBSD available? Is it technically complex to offer, or just that they don’t have the resources for the support? Maybe just a mention that it’s not supported by their customer service would already help users no?

              1. 11

                As far as I know, it’s a mix of things. Few people ask for OpenBSD, so there’s little incentive to offer it. Plus a lot of enterprise software tends to target RHEL and other “enterprise-y” offerings. Even in the open source landscape, things are pretty dire:

                OpenBSD also seems to have pretty bad timing issues on qemu/KVM that have fairly deeply rooted causes. Who knows what other horrors lurk in OpenBSD as a guest.

                OpenBSD doesn’t get people really excited, either. Many features are security features and that’s always a tough sell. They’d rather see things like ZFS.

                For better or for worse, OpenBSD has a very small following. For everybody else, it just seems to be the testing lab where people do interesting things with OS development, such as OpenSSH, LibreSSL, KASLR, KARL, arc4random, pledge, doas, etc. that people then take into OSes that people actually use. Unless some kind of Red Hat of OpenBSD emerges, I don’t see that changing, either. Subjectively, it feels very UNIX-y still. You can’t just google issues and be sure people have already seen them before; you’re on your own if things break.

                1. 9

                  Rust’s platform support has OpenBSD/amd64 in tier 3 (“which are not built or tested automatically, and may not work”).

                  I can talk a little about this point, as a common problem: we could support OpenBSD better if we had more knowledge and more people willing to integrate it well into our CI workflow, make good patches to our libc and so on.

                  It’s a damn position to be in: on the one hand, we don’t want to be the people that want to inflict work on OpenBSD. We are in no position to ask. On the other hand, we have only a few people with enough knowledge to make OpenBSD support good. And if we deliver half-arsed support but say we have support, we get the worst of all worlds. So, we need people to step up, and not just for a couple of patches.

                  This problem is a regular companion in the FOSS world, sadly :(.

                  Also, as noted by mulander: I forgot semarie@ again. Thanks for all the work!

                  1. 7

                    semarie@ has been working upstream with rust for ages now… It would be more accurate to say ‘we need more people to step up’.

                    1. 3

                      Right, sorry for that. I’ll change the wording.

            1. 23

              Why is it necessary or even desirable to balance worker load? If the busy worker is still getting back to poll fast enough, what’s the problem? If it were overloaded, then the other workers would pick up more connections. If anything, concentrating work in one process should aid cache hits. Is this a problem or did somebody just look at top and decide the numbers weren’t aesthetic enough?

              1. 7

                Allowing one process to stay hot vs spraying requests across every CPU seems way preferable to me too. Gives you some of the locality benefits of single threads while still allowing you to scale up. Every web server graph should look like the epoll one.

                1. 4

                  The BEAM’s scheduler tries to keep one process hot, for cache hits and (IIRC) it can reduce latency by keeping a core out of the lower-power states. Also, I think it will sometimes spin a core to avoid power state transitions, at least for a short while.

                2. 1

                  Someone on HN said that when you have one worker handling connections with Keep-Alive it can be bad, because there can be a big request (or several) later on that would have to be handled by this single worker.

                1. 1

                  What’s the quality of the Octeons in terms of hardware? And of OpenBSD support for them and their accelerators? I thought the specs looked nice for PCI-card-based security appliances, esp. embedded link-level encryptors, monitoring for potentially-infected hosts, and so on.

                  1. 6

                    The main target, the edgerouter, is pretty wimpy, but good enough for basic home networks. (Does anybody still use the soho acronym?) They tend to ship with crappy flash which wears out quickly (mostly due to heat I think), but it’s easy to replace since it’s literally just a USB stick plugged into a port on the main board.

                    In the end, it doesn’t have a whole lot going for it over a PC engines APU, except it comes preassembled, and I can buy it with one click from Amazon.

                    1. 4

                      Mine fried a couple of USB sticks, and would not even detect some others, until I started using ‘usb reset’ in the bootcmd.

                      I have updated instructions inside the INSTALL.octeon file accordingly in -current.

                      1. 2

                        I bought an Octeon, returned it, and bought an APU2c4 instead. I was building an IPsec gateway and it just didn’t feel up to the task when compared to the PC Engines units.

                        I still think it’s neat that you can run OpenBSD on it.

                        1. 1

                          Thanks for the review.

                      1. 4

                        Honestly the last point is really surprising that it wasn’t implemented sooner, especially after I learned about the callback for get_status/1-2. Although this might make the introduction for newcomers a bit more confusing, at least I was when I tried my hand at hot coffee loading for the first time.

                        1. 3

                          “Hot coffee loading” might be the best autocorrect mistake ever.

                        1. 2

                          How hard is OpenIKED to set up these days? Last I looked, the documentation looked solid, but there wasn’t a simple how-to guide, which made it look like a high barrier to entry.

                          1. 2

                            OpenIKED was easyish to set up… but I’ve set up the hard ones a few times so I may not have the best perspective. I am using it for a site-to-site VPN using two APU2e systems and it works flawlessly.

                            I’m also able to connect to iked using the built-in Windows 10 client.

                            I have patched iked to support DH group negotiation during the IKE_SA_INIT exchange. This allows stock StrongSwan on Android (from Google Play) to connect. I need to email the appropriate OpenBSD list to start getting the patch in shape for submission.

                            I don’t believe it supports MOBIKE, though I haven’t looked too deeply. Maybe someone else knows more details here.

                            (Updated to fix formatting.)

                          1. 0

                            Scalability is not such a big concern for many, but high availability often is. This is something NoSQL databases typically do much better out of the box than a SQL database, and is a very valid reason for picking NoSQL.

                            1. 2

                              While fully distributed systems are easier in NoSQL environments (often by giving up things like ACID), I’d argue that high availability is easier with SQL: a log-shipping, primary/secondary-type solution can be rigged for transparent failover, without the complexity of managing a distributed system.

                              If you need a distributed system (for throughput), then the high-availability of something like a Cassandra cluster is certainly preferable. But managing even a small Cassandra cluster is much more complicated than managing a SQL database with failover clones.

                              1. 1

                                What is the state of the art for failover in MySQL or PostgreSQL?

                                1. 5

                                  I like the approach that Joyent’s Manatee takes with Postgres HA. It offloads the job of tracking who the master is to Zookeeper and will automatically reconfigure the replication relationships accordingly.

                                  I merely have a test cluster set up, but I know that Joyent uses it in anger. It underpins much (all?) of the persistent storage within the Triton system.

                                  Manatee targets SmartOS and depends on ZFS, and this is how I run it, but I have seen a Linux port too.

                                  (Edited for clarity)

                                  1. 1

                                    Great, that is about the best I came up with as well.