Saturday, October 27, 2018

Style of server installation steps: OpenBSD versus CentOS

The current version of OpenBSD is 6.4. The current version of CentOS is 7 (1804).

I am talking about setting servers. There are many types of servers, for example, file servers, application servers and database servers. Both OpenBSD and CentOS can serve as one of these types of servers.

The first impression lets you know what the developers may think.

First of all, OpenBSD shows some text. CentOS 7 shows a graphical user interface (GUI). It is more manageable to answer questions in text because it gives a clear idea what I am doing when doing things which should not go wrong. A graphical user interface, on the other hand, confuses me since I need to understand what the buttons do. I also need to understand if I click a button by mistake, how am I going to revert? A graphical user interface is not for everyone.

From an administrative point of view, things must be clear. If you ask me, "What is the best practice for administering a server?" I would say, "Follow instructions step by step." Graphics often create ambiguities. When you see the minus sign and the plus sign in disk partitioning, what do you expect? How do I use the button? Press minus first? Select the disk partition first? Why is the plus sign located on the left hand side or on the right hand side? It is a matter of personal taste, perhaps.

The CentOS disk partitioning graphics force me to rethink. Here is a disk already partitioned. The installation screen shows a greater than sign with hidden information. I must click on the greater than sign to see the disk partitions. (Why?) Graphics are not that intuitive. Graphics can be confusing at times when you are in a hurry and need to figure out what buttons to press.

I think we need to learn a lesson from Android phones. Several years ago, Android developers changed the positions of "Yes" and "No". The original positions had been a left "Yes" and a right "No". Afterwards, the positions became a right "Yes" and a left "No". According to a YouTube video, Android developers believed that users read to the end of the line and it would be convenient for users to click the button near the end of the line. Users need to change the habit. Are CentOS developers implementing the same logic or should they?

Users of servers are practical users. They need to get things done as fast as possible. Changing the graphical user interface forces these users to learn again. Icons cause ambiguities. Users need to guess the answer. Users can guess right or wrong depending on their cultural and educational history.

We also need to learn a lesson from Microsoft Office 2007. (Eleven years ago? Am I correct?) The Office Button located at the top left corner of the application was a design flaw (or a design disaster). People did not know what the function of the button was. Graphics were eye-catching and made people (I was one of them) feel stupid again because they did not know what to do after looking at the graphics.

Some OpenBSD developers name the call for features "featuritis". "Featuritis" is a term people use to describe an "ongoing expansion of an excessive number of features in a product". Certainly, CentOS is meant for people who look for more and more features. (I admit that some people are not satisfied most of the time.) Now, the installation screen will make you think, "What does this button do?" Sometimes, you think, "How do the graphics organize? Intuitive? What does 'intuitive' mean for you, for him and for her?"

Using text only is an advancement in server administration. Why? Minimalism. If you prefer OpenBSD like I do, one of the reasons may be minimalism. Since OpenBSD developers often say that they audit the code in the base system, the number of lines in the computer code ought not to be so large. It is nearly impossible to review the code if the number of lines is very large. This is a principle of "less is more" when you benefit from the quality of the code (not necessarily quantity).

It is better for developers not to incorporate graphics in installation steps. OpenBSD does not invite more love from everyone. (OpenBSD avoids a shiny user interface in installation.) OpenBSD invites more people who care very much about the minimalist usage. OpenBSD is so different from CentOS in its minimalist approach.

OpenBSD installation asks the correct questions which can help to make it work in a minimalist way and make it secure. The default answer of "No" in using root to log in by SSH is sensible. With some settings (doas), after using a non-super-user account to log in, you can change your role to become root. Developers of CentOS may have a different rationale. CentOS does not focus on security and does not ask me if I want to use root to log in via SSH.

On OpenBSD, you can also answer "No" when asked to install X Windows. (X Windows helps you to use the graphical desktop.) You save some space by installing less and by installing less, you hit fewer ordinary bugs and fewer security bugs. When you select the packages to install, you can deselect games and x-related packages for the same reason. (by -ga* -x*) CentOS does not ask me if I want to install X Windows or other desktop features. I am forced to navigate and find where I can deselect or select the packages I want.

It is more possible to maintain security with less code. Minimalism removes the unnecessary confusion. I am a happy user of OpenBSD because I do not need to guess. The questions OpenBSD asks me to answer during installation are clear or concise.

CentOS with its ongoing expansion of features displays a graphical user interface and a graphical user interface makes me learn again how to do similar things or the same things (disk partitioning and networking, for example). My time is wasted.

Sunday, March 4, 2018

OpenBSD tests: file writing and download

Part 1: File writing

1 CPU vCore

mkdir -p test && cd test

# OS: OpenBSD

# Test 100: start here
  rm ../test/*
  x=1
  repeat_times=100   # iteration count assumed from the test name
  while [ $x -le "$repeat_times" ]
  do
    dd if=/dev/zero of=r.$x.bin bs=1024 count=4096 2>> testLogger.log
    x=$(( $x + 1 ))
  done

  cat testLogger.log | grep secs | awk -v FS="(in|secs)" '{print $2}' >> tmpLogger.file
  echo 'Total time taken (in secs): '
  awk '{s+=$1} END {printf "%8.4f", s;}' tmpLogger.file

echo 'End of Test'
# Test 100: end here




# Test 1000: start here
  rm ../test/*
  x=1
  repeat_times=1000   # iteration count assumed from the test name
  while [ $x -le "$repeat_times" ]
  do
    dd if=/dev/zero of=r.$x.bin bs=1024 count=4096 2>> testLogger.log
    x=$(( $x + 1 ))
  done

  cat testLogger.log | grep secs | awk -v FS="(in|secs)" '{print $2}' >> tmpLogger.file

  echo 'Total time taken (in secs): '
  awk '{s+=$1} END {printf "%8.4f", s;}' tmpLogger.file

echo 'End of Test'
# Test 1000: end here

# OpenBSD 6.2

# Update (4 March 2018)


Test 100: Results: (4 attempts) (OpenBSD 6.2)

Test 1000: Results: (4 attempts) (OpenBSD 6.2)


# OS: CentOS, Ubuntu, Debian

mkdir -p test && cd test

# Test 100: start here
  rm -rf ../test/*
  x=1
  repeat_times=100   # iteration count assumed from the test name
  while [ $x -le "$repeat_times" ]
  do
    dd if=/dev/zero of=r.$x.bin bs=1024 count=4096 2>> testLogger.log
    x=$(( $x + 1 ))
  done

  cat testLogger.log | grep bytes | awk -v FS="(copied,|s)" '{print $3}' >> tmpLogger.file
  echo 'Total time taken (in secs): '
  awk '{s+=$1} END {printf "%8.4f", s;}' tmpLogger.file

echo 'End of Test'
# Test 100: end here


# Test 1000: start here
  rm -rf ../test/*
  x=1
  repeat_times=1000   # iteration count assumed from the test name
  while [ $x -le "$repeat_times" ]
  do
    dd if=/dev/zero of=r.$x.bin bs=1024 count=4096 2>> testLogger.log
    x=$(( $x + 1 ))
  done

  cat testLogger.log | grep bytes | awk -v FS="(copied,|s)" '{print $3}' >> tmpLogger.file
  echo 'Total time taken (in secs): '
  awk '{s+=$1} END {printf "%8.4f", s;}' tmpLogger.file

echo 'End of Test'
# Test 1000: end here

# CentOS 7.4

# Update (4 March 2018)
yum -y update

# Test 100: Results: (4 attempts) (CentOS 7)

# Test 1000: Results: (4 attempts) (CentOS 7)

# Ubuntu 16.04

# Update (4 March 2018)
apt update && apt -y upgrade

# Test 100: Results: (4 attempts) (Ubuntu 16)

# Test 1000: Results: (4 attempts) (Ubuntu 16)

# Debian 9

# Update (4 March 2018)
apt update && apt -y upgrade

# Test 100: Results: (4 attempts) (Debian 9)

# Test 1000: Results: (4 attempts) (Debian 9)

Part 2: Download

2 machines
1 CPU vCore

download size : 4194304 (4.0M)

file created by:
dd if=/dev/zero of=filename bs=1024 count=4096

download by:
wget http://_ip_address_/filename

download from OpenBSD httpd server to CentOS client
(6 attempts)
49.2 MB/s
34.2 MB/s
36.6 MB/s
29.3 MB/s
42.9 MB/s
39.8 MB/s
Mean: 38.67 MB/s

download from CentOS Nginx server to OpenBSD client
(6 attempts)
39.3 MB/s
29.5 MB/s
25.7 MB/s
34.1 MB/s
31.6 MB/s
34.3 MB/s
Mean: 32.42 MB/s

download from OpenBSD httpd server to OpenBSD client
from A to B       from B to A
12.0 MB/s         24.0 MB/s
26.7 MB/s         31.5 MB/s
12.0 MB/s         11.8 MB/s
34.3 MB/s         26.8 MB/s
27.8 MB/s         30.7 MB/s
29.2 MB/s         28.0 MB/s
Mean: 23.67 MB/s  Mean: 25.47 MB/s

Sunday, February 25, 2018

Install OpenBSD and use its httpd as fast as possible

This is an FAQ-style guide on installing OpenBSD and its httpd.

Difficulty to use this guide: beginner to intermediate.
Time spent on using this guide: around one to two hours.
Length of this guide: about 280 lines / paragraphs

Is this guide helpful?
To be helpful to you, you should be comfortable when you use the command line. (Type commands on Linux or OpenBSD)

Please back up your data before doing anything else.

httpd is the default web server of OpenBSD. OpenBSD's tradition to realize the developers' wishes causes httpd to be included in default OpenBSD installation.

Is httpd started by default? No, it is not started by default. You have to enable it first. In the file called /etc/rc.conf.local (not this: /etc/rc.conf), you should add httpd_flags= to enable it. You read that correctly: the line is httpd_flags= with the equal sign at the end of the line. (httpd is not http.)

Let's get started by downloading the ISO file for amd64. Most recent machines use amd64 as the CPU instruction set. So, if you use a machine bought after 2010, most probably your CPU supports amd64.

Where can we download an ISO file for amd64? The list of sites can be found here:
If your server is in the USA, choose the sites in the USA. This makes downloading faster.
Example: My server is in Canada, hence I click the Canada link.

As of 25 February 2018, the stable version is 6.2. I clicked 6.2. Then, amd64. (not arm64, which is something different) After that, get cd62.iso.

Okay, I have downloaded the ISO. I can burn a CD using the ISO file. Insert the CD into the machine and choose the CD when booting. (press Del or F2 key when booting and select CD as the first boot device)
Alternatively, as I am demonstrating, I mount the ISO file using a hosting provider's control panel.

After booting with the ISO file or CD, I should see many lines of text output in blue background. Then, I see:
Welcome to the OpenBSD/amd64 6.2 installation program.
(I)nstall, (U)pgrade,...

Now, press I and Enter.
Choose your keyboard layout -> Please press Enter.
System hostname? -> Type server001 and press Enter
Which network interface do you wish to configure? [vio0] -> Press Enter.
IPv4 address for vio0? -> You need to consult your service provider. ( -> dot separated digits)
Netmask for vio0? -> You need to consult your service provider. ( -> dot separated digits, sometimes, sometimes or some other answers)

IPv6 address for vio0? -> You need to consult your service provider. (xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx -> colon separated digits, with 1,2,3,4...0 and a,b,c,d,e,f)
IPv6 prefix length for vio0? [64] -> You need to consult your service provider. (This is also known as netmask.)
IPv6 default router? -> You need to consult your service provider. (The default gateway.)
Which network interface do you wish to configure? [done] -> Press Enter.
Default IPv4 route? -> You need to consult your service provider. (The gateway.)
DNS domain name? -> Press Enter
DNS nameservers? ->

Password for root account? -> randomkieow10
Password for root account? (again) -> randomkieow10
Start sshd(8) by default? -> Press Enter
Do you expect to run the X Windows System? [yes] -> Press Enter
Do you want the X Window System to be started by xenodm(1)? [no]  -> Press Enter
Setup a user? [no]  -> Press Enter

WARNING: root is targeted by password guessing attacks, pubkeys are safer.
Allow root ssh login? [no] -> yes (set up pubkey later)

What timezone are you in? -> UTC -> Press Enter

Which disk is the root disk? [sd0]  -> Press Enter
Use (W)hole disk MBR,... [whole]  -> Press Enter
Use (A)uto layout,... [a]   -> Press Enter

Location of sets? -> http -> Press Enter
HTTP proxy URL? [none] -> Press Enter
HTTP Server? -> Press ? -> Press Enter -> Press Space bar to navigate -> I found my mirror -> I press q to quit, and press the number and Enter.
HTTP Server? []  -> Press Enter
Server directory? [pub/OpenBSD/6.2/amd64]  -> Press Enter
Select sets by entering a set name, a file pattern or 'all'. De-select sets by prepending a '-', e.g.: '-game*'...
Set name(s)? -> Type -game* and press Enter
Set name(s)? [done]  -> Press Enter
Now, I see:
Get/Verify SHA256.sig    100% |**********...  2152   00:00
Signature Verified
Installing bsd ...
Location of sets? [done]  -> Press Enter
CONGRATULATIONS! Your OpenBSD install has been successfully completed!...

and hit Enter

Now, remove the CD or unmount the ISO file. (-> I clicked "Remove ISO" in my service provider's control panel)

That's all for installation.

login: root
Password: randomkieow10

To update the system:

Then, press Enter.

I see:
Get/Verify syspatch62-001_tc_inv... 100% |***... 465KB  00:00

Now, type
and press Enter to cause the updates to take effect.

login: root
Password: randomkieow10

# It's a good idea to change the default sshd port
# to help reduce the chance of automatic attacks
vi /etc/ssh/sshd_config

#Port 22   # -> Change this line
Port 10489

## create a public key
ssh-keygen -t rsa -C "sshkeyname" -b 4096

## Hit Enter
Enter file in which to save the key : /root/.ssh/sshkeyname
Enter passphrase : randomieold46
Enter same passphrase again: randomieold46

ls /root/.ssh

# /root/.ssh/sshkeyname is the secret you keep
# /root/.ssh/ is what the server should contain
# in authorized_keys

cd /root/.ssh
cat >> authorized_keys
cat authorized_keys
# I see:
ssh-rsa ...
# Then, I can copy the key with a password:

pkg_add zip

zip -e sshkeyname

# this is where I place the demo files
mkdir /var/www/htdocs/

# I will download the encrypted secret later:
mv /root/.ssh/ /var/www/htdocs/
ls /var/www/htdocs/

rcctl restart sshd

# Setting up OpenBSD httpd

echo 'httpd_flags=' >> /etc/rc.conf.local
cat /etc/rc.conf.local

cp /etc/examples/httpd.conf /etc/

vi /etc/httpd.conf

######### begin

server "default" {
      listen on $ext_addr port 80
      root "/htdocs/"
}

types {
      include "/usr/share/misc/mime.types"
}

######### end


# Create a sample file showing 1
echo 1 >> /var/www/htdocs/

rcctl restart httpd

Now, you can start your web browser such as Google Chrome.
Hit Enter

You should see 1.

# Getting your ssh secret key
# Use this key to connect.
# In your web browser:

# Back up your private secret key. Put it in a safe place.
# If you forget to back up, you will not be able to use it.

# Below is your client computer you are using
# to connect to the server.
# I am using a Linux desktop computer, not Windows:
# I installed unzip: apt install unzip # on Ubuntu, Debian

# Create destination folder
mkdir -p /home/CopyYourUserNameHere/.ssh/

unzip -d /home/CopyYourUserNameHere/.ssh/
# I see:
#[] sshkeyname password:
Hit Enter
#  inflating: sshkeyname

# restrict the permissions
chmod 600 /home/CopyYourUserNameHere/.ssh/sshkeyname

# You connect on Linux by:

ssh -p 10489 -i '/home/CopyYourUserNameHere/.ssh/sshkeyname' \
    root@CopyYourIPAddressHere

# On OpenBSD
# force people to use private secret key, not password
vi /etc/ssh/sshd_config

# remove the leading # sign from this line:
PubkeyAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# To save this file:

# To apply the new changes:
rcctl restart sshd

# Test if password authentication fails as expected (We use the secret key only)
# On your local computer:
ssh -p 10489 root@CopyYourIPAddressHere
# You should see:
Permission denied (publickey,keyboard-interactive).

# Test if you connect successfully on Linux by:

ssh -p 10489 -i '/home/CopyYourUserNameHere/.ssh/sshkeyname' \
    root@CopyYourIPAddressHere

# Since I have backed up the secret elsewhere, I can remove the secret on server.

# Now remove the encrypted secret key on server
rm /var/www/htdocs/

# Now remove the private key on server
cd /root/.ssh
rm sshkeyname

# You can reboot to test if everything above works as expected:

# Just place fileA.html in /var/www/htdocs/
# Then, you can access it at http://CopyYourIPAddressHere/fileA.html
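
A check for the sshd_config edits above, as an added example that is not part of the original guide: it reads the global section of a config file the way sshd does (the first occurrence of a keyword wins) and compares the effective values with key-only login. The function names, the constructed sample file and the ChallengeResponseAuthentication check are additions; that check goes beyond the guide's edits, because the expected "Permission denied (publickey,keyboard-interactive)" output shows keyboard-interactive still on offer.

```shell
#!/bin/sh
# Added example, not from the original guide. Audits the global section of an
# sshd_config file; Match blocks and Include files are not evaluated.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use: keywords are case-insensitive, the first
# occurrence wins, and DEFAULT applies when the keyword is absent.
effective_value() {
    awk -v want="$2" -v dflt="$3" '
        /^[ \t]*(#|$)/               { next }           # comment or blank
        $1 ~ /=/ || $2 ~ /^=/        { sub(/=/, " ") }  # Keyword=value form
        tolower($1) == "match"       { exit }           # conditional part begins
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# check FILE KEYWORD DEFAULT WANTED: print one result line, return 1 on mismatch.
check() {
    got=$(effective_value "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        echo "ok    $2 $got"
    else
        echo "FAIL  $2 is '$got', expected '$4'"
        return 1
    fi
}

# audit_sshd_config FILE: returns the number of failed checks.
audit_sshd_config() {
    fails=0
    check "$1" PubkeyAuthentication   yes yes || fails=$((fails + 1))
    check "$1" PasswordAuthentication yes no  || fails=$((fails + 1))
    check "$1" PermitEmptyPasswords   no  no  || fails=$((fails + 1))
    # On OpenBSD, keyboard-interactive goes through BSD authentication and can
    # still ask for the account password when PasswordAuthentication is "no".
    # Keyword name as used by OpenSSH of the OpenBSD 6.2 era (assumption);
    # newer OpenSSH releases call it KbdInteractiveAuthentication.
    check "$1" ChallengeResponseAuthentication yes no || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample: the global settings left by the guide's edits.
write_guide_config() {
    cat > "$1" <<'EOF'
#Port 22
Port 10489
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF
}

tmp=$(mktemp -d)
write_guide_config "$tmp/sshd_config"
audit_sshd_config "$tmp/sshd_config" || echo "failed checks: $?"
echo 'ChallengeResponseAuthentication no' >> "$tmp/sshd_config"
audit_sshd_config "$tmp/sshd_config" && echo "all checks passed"
rm -rf "$tmp"
```

On a live server, point audit_sshd_config at /etc/ssh/sshd_config after editing and before running rcctl restart sshd.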

Saturday, August 26, 2017

A conservative general user is considering OpenBSD

Hello, I have tried different operating systems in the past ten years, Red Hat, CentOS, Ubuntu, Debian, Fedora, Apple Mac and Microsoft Windows. I would like to try something new. I would like to try OpenBSD.

What "try"? I try something to test if it suits my purpose, e.g. desktop usage including basic text editing in office software (OpenOffice / LibreOffice) as well as server usage including serving files and database connections.

I would say I am a general user because I have not participated in developing any of the operating systems. I developed some software on those operating systems in the sense of exercises or testing. Yeah, you can say that I am a conservative user. What does a conservative user do? He or she does testing most of the time before relying on some systems.

How does a conservative user test an operating system (OS)? He or she needs to know that the OS will boot correctly within a minute on a medium level personal computer, not necessarily using a very powerful central processing unit (CPU). Not everybody has a lot of money and will spend a lot of it on buying new computers and renewing computers every year, yes, I mean every year. Suppose you spent USD520 on buying a computer each year. You would have spent USD5200 on buying computers for ten years. Most computer users do not spend a lot of money all the time.

A conservative user needs to save some money for food, housing, clothes and transportation. The remaining amount could then be spent on computers. Microsoft Windows is expensive. It let me learn basic things out of the box.

Other OSes I mentioned are totally free of charge. I just needed more information or education to set up and they work very similarly. It was a workshop-like activity when I used Red Hat. The tutor gave me some practical set up advice from booting a CD to installing the OS. That means I could start installing an OS using a CD. A CD is an ancient tool where you can store some data. Some computers these days are not equipped with a CD ROM. They allow you to use USB devices to boot.

Apart from the economics a conservative user has to consider, he or she needs to think in the long run. After three years or four, will he or she be using the same computer and OS? He or she does not want to learn all over again. As technology evolves, human beings do not want to change the way they work with familiar things. People think of folders and files. They cannot think of other better ways of organizing the data. Artificial intelligence (AI) may help but not at this moment. AI needs to be trained to understand human beings.

Linux OSes _were_ quite good because they did not change very often, e.g. every 1.5 years. Now Linux OSes change every 1.5 years. The conservative user needs to test all over again to ensure that he or she can save files and can read files in addition to booting correctly. Since systemd was adopted on Linux OSes, e.g. Red Hat, CentOS, Fedora, Ubuntu and Debian, the OSes have become unreliable to the conservative user. The technical evidence includes being unable to boot and shut down a computer correctly.

Thanks, Linux developers. I have learned to administer Linux servers and to use Linux on desktop computers.

Now technically OpenBSD does not change drastically to the point that a conservative user cannot boot a computer. Remember the "A job is running (seemingly forever)" systemd message.

The user needs to be sure that the system can boot correctly. He or she needs to consider OpenBSD. I have used OpenBSD for a few months and do not see any issues booting. I do not see any issues shutting down the machine either.

OpenBSD is the way to go. It has been a reliable system. I will continue to evaluate it because it has been reliable for a few months.

I know what I want. I want reliability. I do not want fancy features which do not work at all. Besides, OpenBSD is equipped with a better firewall than iptables on Linux OSes. The better one provides easier syntax and can reload firewall rules without halting current network connections. Everybody needs a firewall on the computer because the Internet has become a dangerous attack vector. Malicious software is so common, especially the one with a ransom note.

No one wants to be attacked. As the attack exists, the conservative user needs to do something to protect his or her data, e.g. photos taken many years ago. OpenBSD is a good choice. OpenBSD provides syspatch and pkg_add -Uu for updating software.

OpenBSD gives you good documentation. A conservative user needs to know where to look for help. Real help, I mean. Those commands not useful for fixing a problem are not real help. The documentation of OpenBSD really helped me from installing to using it as a basic computer.

A conservative user always focuses on doing basic things correctly. OpenBSD aims at correctness. I agree with the notion of correctness.

Saturday, August 19, 2017

Old admins think of systemd commands

My view echoes that of Carlos Fenollosa:

I had been riding the Linux wave for years, until I recently realized that my admin skills needed a total recycling. In a few years we've gone from /etc/init.d/sshd restart to service sshd restart to systemctl start sshd. That's a bit fast in my opinion, but I understand it's the price of progress, aimed to make computers boot faster and theoretically easier to administer for newcomers. Old admins, on the other hand, have a harder time adapting.

The writers of the systemctl commands and other systemd commands failed to consider the impact on old admins.

When you have hundreds of old scripts without systemctl commands, and you are forced to switch to systemd, what do you think?

Hello, command writers, please think of the impact on old admins before you write. If redirecting from service sshd restart to systemctl start sshd does the trick, please always keep this command redirection.

Sunday, August 6, 2017

Public key of Google Chrome changed leading to NO_PUBKEY error

My terminal output

... Fetched 12.4 kB in 5s (2,191 B/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6494C6D6997C215E

W: Failed to fetch 

W: Some index files failed to download. They have been ignored, or old ones used instead.

How to remove this warning

wget -q -O - | apt-key add -


Apt update error - “An error occurred during the signature verification” (Chrome) [duplicate]

Wednesday, June 14, 2017

Firefox print freeze solved by iptables rules on Debian Linux

Firefox is a web browser you use to view web pages.

Try these if Firefox hangs when you press Ctrl + P to print:

# allow local connections to port 631

iptables -A INPUT -p tcp --sport 631 -s -d -j ACCEPT
iptables -A INPUT -p tcp --dport 631 -s -d -j ACCEPT
iptables -A INPUT -p tcp --dport 631 -j DROP
iptables -A INPUT -p tcp --sport 631 -j DROP
iptables -A INPUT -j DROP

ip6tables -A INPUT -p tcp --dport 631 -s ::1 -d ::1 -j ACCEPT
ip6tables -A INPUT -p tcp --sport 631 -s ::1 -d ::1 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 631 -j DROP
ip6tables -A INPUT -p tcp --sport 631 -j DROP
ip6tables -A INPUT -j DROP

# save across reboot
netfilter-persistent save

iptables -L -n
ip6tables -L -n

Tuesday, January 24, 2017

A start job is running for Raise network interfaces (long time / 5 minutes)

This is January 2017. "systemd" should not be used for critical missions.

When the network was down (without electricity), I noticed:

A start job is running for Raise network interfaces (long time / 5 minutes)

In /etc/systemd/system.conf,





These settings did not work as expected. It was a long waiting time.

Thursday, June 9, 2016

Workaround: A stop / start job is running

A stop / start job is running ...

For this error, I do:

echo '' >> /etc/systemd/system.conf
echo 'DefaultTimeoutStartSec=6s' >> /etc/systemd/system.conf
echo 'DefaultTimeoutStopSec=6s' >> /etc/systemd/system.conf

systemctl reboot

This works for me.

Saturday, June 4, 2016

Print a page as a PDF file on Debian Jessie

For those people wondering how to print a page in a web browser as a PDF file successfully on Debian Jessie:

The command

aptitude install cups-core-drivers 

The following NEW packages will be installed:
avahi-daemon{a} bc{a} bind9-host{a} cups-browsed{a} cups-core-drivers cups-daemon{a} cups-filters-core-drivers{a} geoip-database{a} libavahi-core7{a} libbind9-90{a} libcupsmime1{a} libdaemon0{a} libdns100{a} libgeoip1{a} libisc95{a} libisccc90{a} libisccfg90{a} liblwres90{a} libnss-mdns{a} libqpdf13{a} poppler-utils{a} qpdf{a} ssl-cert{a} 0 packages upgraded, 23 newly installed, 0 to remove and 0 not upgraded. Need to get 4,620 kB of archives. After unpacking 13.4 MB will be used. Do you want to continue? [Y/n/?] y

An example

In Google Chrome, please see the example screenshot below after pressing Ctrl+P:

I click Save. I save the PDF file nearly immediately when the file is not too large. This is a virtual printer. It just prints to a file.

I can do something similar in Firefox.

Avoid cups-pdf in this case

In my experience on Debian Jessie, I should not use cups-pdf together with the setup above. Installation issues occur.