Hacker News new | past | comments | ask | show | jobs | submit login

I run OpenBSD as my border firewall which it handles very well.

One thing I wish that OpenBSD devs would change in their philosophy is the --help messages. Many commands simply offer a list of switches, as if that's somehow helpful. Sometimes you need the detail in a man page, but a lot of times you don't and it would save so much time and energy to have a succinct list in the --help message itself.

# syspatch --help usage: syspatch [-c | -l | -R | -r]




Read the manpage.

One thing I really dislike about modern UNIXes is their lack of decent manpages in place of standins like --help.

I love the BSDs and especially OpenBSD for their attention to manpages. It's the main reason why I don't use Linux anymore unless I have to.

Adding detailed --help messages would take time away from maintaining manpages, it also presents a duplication of information. If you want to know what the switches do, read the manpage.


> I love the BSDs and especially OpenBSD for their attention to manpages. It's the main reason why I don't use Linux anymore unless I have to.

I completely agree. The difference in the quality of manpages between OpenBSD and Linux alone is enough for me to prefer OpenBSD.


Indeed, as an example "ls --help" on Linux prints at least 3 pages of information on stdout. I would rather read top quality man page and have a succinct "-h" message.


How do you live without docker containers? The fact that docker doesn’t run on BSDs is what drove me away.


...the same way the world has managed to survive for decades without Linux containers in general (let alone specific wrappers around that like Docker is)?

With OpenBSD specifically, you can get 90% of the way there with chroots, standard process isolation, and a bit of shell scripting to handle deployment automation.

Yeah, Docker's cool, but it's really not that hard to run multiple applications/services on the same physical machine while keeping them from clobbering each other or the OS in general (step 1 being to make sure each service/daemon is running under its own minimally-privileged user).


> With OpenBSD specifically, you can get 90% of the way there with chroots, standard process isolation, and a bit of shell scripting

This is a classic case of "THAT HackerNews response to Dropbox" [1].

If it's that easy, why isn't there a prepackaged wrapper with simple switches, rather than leaving developers to fight for themselves among piles of custom hacks?

The problem is not just deployment, the Docker differentiation is simplification of the development pipeline. OpenBSD should seriously look at their story in that area, because it's one of the few where they could still potentially compete (because Docker is still fundamentally a pile of hacks, and pretty insecure too).

Unless, of course, everyone is happy to remain "the little project that could" and crack jokes like the BCHS stack.

[1] https://news.ycombinator.com/item?id=9224


OpenBSD should seriously look at their story in that area, because it's one of the few where they could still potentially compete (because Docker is still fundamentally a pile of hacks, and pretty insecure too).

I’m pretty sure the Open BSD developers are completely comfortable with their story. They develop this software for themselves first. If you like it and it’s useful to you you are welcome to it. If not, look elsewhere. That’s been their working philosophy all along and if you ask me that’s what makes it so great to use. Every piece of the system is carefully thought out and organized so it doesn’t suffer from nearly as much feature creep as other systems.

And as far as setting up chroit and isolating processes; it’s not hard and sometimes you don’t need someone else to write a script for you when you can do it yourself in 10 steps or less.


> I’m pretty sure the Open BSD developers are completely comfortable with their story.

They were pretty comfortable with their patching story -- until enough people complained and lo, syspatch(8) appeared.

Beyond the posturing, nobody likes to run a project that nobody else uses; and sometimes even lusers are right.

> Every piece of the system is carefully thought out and organized

I am not saying they should rush out a crap docker clone, but rather a "carefully thought out and organized" docker alternative.

> you can do it yourself in 10 steps or less.

It's still 5x the steps you need with docker. As I said, it's about simple reproducibility rather than just isolation. Even if it were easy to write my own docker-compose (and indeed many people argued the same, when docker first emerged, because it actually was little more than shell scripts), having one well-defined set of tools helps tremendously with kickstarting adoption and to avoid reinventing the wheel every few weeks.


I would be surprised if user complaints were the motivation for syspatch. More likely, the author built something he found useful, and contributed it to the project.

Most of the time on the openbsd email list, when a "user" suggests a feature or asks for a change to something, the reply is something along the lines of "sounds great, where is your patch?"


Exactly this. Unless of course you became an Iridium level donor with the caveat that someone promised to build a Docker clone for you.

Edit: And in response to toyg's comment, here is a link to a video of a talk by the developer in question, who mentions in passing that he builds things for OpenBSD that help him put it into production. This is less than a minute into his talk. Please educate yourself about the project before making ridiculous demands on the devs' time and falsely assigning wrong motives to them. It's unfriendly.

https://archive.fosdem.org/2018/schedule/event/openbsd_base_...


> Please educate yourself about the project

Oh, I am educated enough, don't worry. Which is why I was so surprised to see it finally adopt a solution for a problem that had been pointed out for 20 years, after spending those 20 years replying to everyone that it was just the wrong thing to do in principle.

> It's unfriendly

It's also unfriendly to gaslight away blatant problems, for whatever reason, until they get fixed -- at which point they are admitted as actual problems. Then again, OpenBSD is hardly a friendly project, culturally speaking.


I've read through this subthread with objective concern.

A criticism that seems fair has been presented here in a benign, non-antagonizing manner, and I am very perplexed as to why all comments arguing in favor of that view have been anonymously downvoted wholesale without anything approaching sufficient substantive explanation.

This is not the kind of behavior that (the) HN (community) is respected for.

Let me sum up what I see here.

- Someone argues in favor of Docker, and are downvoted by enough people their comment turned grey. I think this means it's at -5 or -10 or something. So, no explanation, no comments; just downvotes.

- The one reply that goes into a bit detail comes from a traditionalist UNIX standpoint, and is a bit passive-aggressive. (This comment isn't grey.)

- The next reply frames the parent as "THAT HackerNews response to Dropbox", and highlights that the implied simplicity and sense of "only one obvious way to solve this problem" is in fact not implied and that significant wheel-reinvention must (and presumably has) be done "on the ground". Docker's simplicity is highlighted along with its insecurity. This comment is grey.

- The next reply further brushes-off the stated arguments by (passive-aggressively) noting that the project seems successful enough, and maybe that's because they actually have it figured out. (This comment isn't grey.)

- I read the next reply as a gentle reminder of the importance of remaining relevant going forward - and the fact that this doesn't necessarily mean ground-up reinvention. This comment is also grey.

What is going on here?!

A nontrivial number of comments in this thread, and the other OpenBSD threads I've seen, are basically all chanting about OpenBSD's perfection.

Good customer service, good social skills and forward thinking are some of the most fundamental aspects of commercial success. Does open source think it can get away with "no shirt, no shoes" just because it's free? :(


> More likely, the author built something he found useful, and contributed it to the project.

It required a service set up by the project itself. And this after years (decades?) of explicitly rejecting the concept of automated patching (because it supposedly engendered "a false sense of security"). Come on.


There is one defined set of tools. It's called learn to use your OS. Docker is basically "I don't want to learn about init scripts, so I will write thousands of lines of Go code instead".

> ...avoid reinventing the wheel every few weeks

This is pretty ironic in this context.


"simplification of the development pipeline"

In my experience, "simplification" and "Docker" don't really go in the same sentence. Yeah, it's (maybe) simpler if you're just plugging things together that are already Dockerized, but if you're writing your own Dockerfiles, none of the actual complexity really goes away. If anything, you're making things even more complex by containerizing things that don't actually need containerized.

"why isn't there a prepackage wrapper"

Because nobody's gotten around to writing one yet, or perhaps because nobody's felt the need to do so yet. Not much stopping anyone from doing so. That's where the "bit of shell scripting" comes in. Writing an rc.d script [1] (using rc.subr to do away with the boilerplate normally associated with the sorts of initscripts normally strawmanned by systemd advocates) ain't any harder than writing a Dockerfile (in my opinion it's actually much nicer/simpler). Neither is creating a user under which your app will run. Hardest part will probably be around deciding what needs to go in your chroot.

Hell, if you include OpenBSD packaging [2] as part of that development pipeline, then tada, you're pretty much there. Install the package, run "rcctl enable your-app-name && rcctl start your-app-name", and you're good to go.

So the trick here would then be to extend that to install and run multiple isolated copies of that package, each instance having its own configuration and chroot. Or perhaps using a single package and writing your service/app such that it does the forking/chrooting for each isolated environment (which is what quite a few OpenBSD-focused daemons already do, from what I can tell/observe).

The overall point, though, is that comparing Docker to Dropbox is erroneous. Dropbox actually was simpler/easier than the "solution" posed by that comment. Compared to the OpenBSD way of doing things, Docker is not; if anything, it's more complexity.

[1]: https://www.openbsd.org/faq/ports/specialtopics.html#RcScrip...

[2]: https://www.openbsd.org/faq/ports/guide.html


Plenty of people live just fine without docker containers, even in the Linux world.


Plenty of people lived just fine without the industrial revolution, scientific method, cellphones, computers, fire...


None of which were branded Docker(TM) - https://www.docker.com/legal/trademark-guidelines

Don't get me wrong, sure it has its uses, but to pretend that Docker(TM) is just as big a leap (or as essential) as any of those things is laughable.


I view it as a trade-off for excellent man pages. Rather than waste time figuring out what the appropriate amoutn of and commands to list in the short help list (especially for commands that might have a lot of and/or complex options), they have very simple rules. List switched with help, list everything and very clearly in the man page.

Since I believe they don't accept code patches without relevant man page patches that explain them if they alter the behavior or add/modify an option, this seems like a sane way to avoid bikeshedding on what is essentially superfluous information, since the "appropriate" amount of info to include is ambiguous.


That's a GNUism, so you won't find it in BSD tools.


It's a good GNUism though, that I also wish the BSDs supported. No-one's saying that the BSDs should start supporting GNU style --long-options or switch to info instead of man, but friendlier help messages are always a nice thing.


Strictly speaking, those are usage messages not help messages.


> friendlier help messages are always a nice thing

That's not the dispute. It's a question of how much you value brevity.

syspatch --help usage: syspatch [-c | -l | -R | -r]

looks quite friendly to me, but YMMV.


Yeah, but why not adopt it? GNU has done a lot of things right.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: