Supervision on the BSD's

Supervision on the BSD's

[Scott Colby]

Hello,

I'm planning to set up a router on an old x86 box with a couple of
NIC's for the fun/experience of it. I'm looking at using one of the
BSD's as the operating system, since I haven't used those before.

I started looking at how to configure daemons/services on OpenBSD
and FreeBSD and am a little surprised at what I found. As far as I
can tell, OpenBSD's rc assumes that services will background
themselves and does no supervision at all. It seems like FreeBSD's
daemon(8) has some supervision capabilities with the -r flag, but
it is unclear to me how widely used that is.

Given the apparently poor state of supervision, I'm considering
using s6 when I configure this system.

In searching, I found some messages on the Skaware lists about
running s6 as PID 1 on FreeBSD; has that work been published anywhere?
I'm not sure if I want to go so far as replacing PID 1 right out
of the gate, but having some existing service directories would be
nice.

Have I correctly understood how daemons/services work on the BSD's?
If not, what am I missing? Are the daemons included with the
distributions so incredibly stable that they don't need supervision
in order to keep the system functional?

Finally, if you wanted to create a router that you could (metaphorically)
put in a closet and forget about for 5 years, what approach would
you take? My initial thought was OpenBSD + s6, but I worry now that
there could be an impedance mismatch between these systems.

Any thoughts people have on this will be greatly appreciated.

Thanks,
Scott Colby

Re: Supervision on the BSD's

[Alexis]

"Scott Colby" <scott@scolby.com> writes:

> I started looking at how to configure daemons/services on 
> OpenBSD
> and FreeBSD and am a little surprised at what I found. As far as 
> I
> can tell, OpenBSD's rc assumes that services will background
> themselves and does no supervision at all. It seems like 
> FreeBSD's
> daemon(8) has some supervision capabilities with the -r flag, 
> but
> it is unclear to me how widely used that is.
>
> Given the apparently poor state of supervision, I'm considering
> using s6 when I configure this system.

i run two OpenBSD servers, one of which i'd be happy to do some 
s6-related tinkering on, so i'm following this discussion with 
interest. :-)


Alexis.

Re: Supervision on the BSD's

[Ramarro Marrone]

I too had been surprised by the lack of supervision in OpenBSD.

On Sat, Apr 9, 2022, at 05:38, Scott Colby wrote:
> As far as I
> can tell, OpenBSD's rc assumes that services will background
> themselves and does no supervision at all.
> ...
> Have I correctly understood how daemons/services work on the BSD's?

About OpenBSD, almost: You can set rc_bg if the daemon doesn't
background itself. See rc.subr(8).

> If not, what am I missing?

/etc/daily runs "rcctl ls failed", so you get an email of the failed daemons.
This is not supervision, but it is close enough for me.
Maybe I prefer it actually.

> Are the daemons included with the
> distributions so incredibly stable that they don't need supervision
> in order to keep the system functional?

Yes

Re: Supervision on the BSD's

[Laurent Bercot]

>In searching, I found some messages on the Skaware lists about
>running s6 as PID 1 on FreeBSD; has that work been published anywhere?
>I'm not sure if I want to go so far as replacing PID 1 right out
>of the gate, but having some existing service directories would be
>nice.
  I have done some experiments and my conclusion was that to replace
pid 1 on FreeBSD, a real s6-freebsd-init package was needed, because
the way the BSDs organize their init and shutdown is radically
different from the way Linux does it, and the conversion is far from
obvious.

  However, you don't need to replace pid 1 to run s6 on a BSD. As
mentioned in https://skarnet.org/software/s6/s6-svscan-not-1.html , you
can start a supervision tree from /etc/ttys, and run your services
under it. It will work like on any other system.

  Quite a few people on the #s6 channel on IRC (OFTC network) are using
s6 on a BSD, so if you're looking for example service directories, and
various tips and tricks, I suggest you join the channel and ask them. ;)


>Have I correctly understood how daemons/services work on the BSD's?
>If not, what am I missing? Are the daemons included with the
>distributions so incredibly stable that they don't need supervision
>in order to keep the system functional?

  The BSDs are tightly integrated systems, more than "distributions", and
especially with OpenBSD, daemons are carefully audited and patched so
they are indeed super stable. Which is a very good thing - but because
of that, the BSD community tends to look down on supervision, without
understanding that it has other benefits than auto-restarting crashed
daemons.


>Finally, if you wanted to create a router that you could (metaphorically)
>put in a closet and forget about for 5 years, what approach would
>you take? My initial thought was OpenBSD + s6, but I worry now that
>there could be an impedance mismatch between these systems.

  OpenBSD + s6 will definitely work. Just make sure not to get in the
way of how OpenBSD does things; run an s6 supervision tree at boot
time and start your services under it as you see fit, independently from
OpenBSD's rc.

  Since the BSDs don't care for supervision, though, depending on
upstreams it may be difficult to find options for your packaged daemons
that stop autobackgrounding and that are not debugging options. Just a
small practical hurdle, but when it happens it can be infuriating.

--
  Laurent

Re: Supervision on the BSD's

[Oliver Schad]

[-- Attachment #1: Type: text/plain, Size: 1350 bytes --]

On Sat, 09 Apr 2022 11:36:35 +0000
"Ramarro Marrone" <rm@allmail.net> wrote:

> I too had been surprised by the lack of supervision in OpenBSD.
> > Are the daemons included with the
> > distributions so incredibly stable that they don't need supervision
> > in order to keep the system functional?  
> 
> Yes

It's just a question of chance and big numbers. So if you're
responsible for a big fleet of things and you have costs to handle
every failure, it makes sense to have supervision to reduce these costs.

Most users with a few machines never observed any failure ever,
independent of the operating system and (server) software.

If this would be the argument to decide if supervision is necessary,
nobody would need it.

And yes, the BSD world tries to be conservative compared to Linux and
yes, OpenBSD tends to be the most conservative BSDs related to changes.
But I think that isn't the most important thing for decision.

I.e. your super stable BSD doesn't help against DoS attacks (read as
overload), unstable hardware, misconfiguration of services, packet
loss, ...

Best Regards
Oli

-- 
Automatic-Server AG •••••
Oliver Schad
Geschäftsführer
Hardstr. 46
9434 Au | Schweiz

www.automatic-server.com | oliver.schad@automatic-server.com
Tel: +41 71 511 31 11 | Mobile: +41 76 330 03 47

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: Supervision on the BSD's

[J. Lewis Muir]

On 04/09, Scott Colby wrote:
> Finally, if you wanted to create a router that you could (metaphorically)
> put in a closet and forget about for 5 years, what approach would
> you take? My initial thought was OpenBSD + s6, but I worry now that
> there could be an impedance mismatch between these systems.
> 
> Any thoughts people have on this will be greatly appreciated.

Hi, Scott!

Re putting it in a closet and forgetting about it for five years, one
thing to note is that according to

  https://www.openbsd.org/errata70.html

OpenBSD's stable branch is supported for one year, so if you were
tracking that, you'd have to upgrade every year.

NetBSD's stable branch is supported for longer than one year based on

  https://www.netbsd.org/releases/formal.html#history

but they don't say exactly how long.  The trend to me looks like
at least three years.  They currently support their 8 and 9 stable
branches which were released on July 17, 2018, and February 14, 2020,
respectively.

FreeBSD's stable branch is supported for five years according to

  https://www.freebsd.org/security/#sup

And of course there are other BSDs that I haven't listed.

Regards,

Lewis