OpenBSD Developers: Henning Brauer

Henning Brauer

On October 18th, 20 years ago, the first commits to the OpenBSD project landed in the CVS repository. On the anniversary, the beastie.pl team invited all readers to a series of interviews that our staff conducted with the project developers.

We continue with our thirteenth interview – Henning Brauer.

1. For the readers who don’t know you, can you briefly introduce yourself?

I’m Henning, not 20 any more, OpenBSD developer since 2002. I architected & wrote large parts of pf, started, architected and wrote large parts of bgpd and ntpd. The imsg & privsep framework I wrote for bgpd is in almost all newer OpenBSD daemons. I also worked a lot in the network stack, including many redesigns. One of the last bigger projects I did was the replacement of the queueing subsystem.

2. Why did you choose to run OpenBSD? How long have you been using it?

I started using OpenBSD around the time of 2.6 or 2.7. Basically, we had a DoS attack against a Linux webserver and it behaved poorly. Around the same time a colleague was telling me about their very positive experience with switching their nameservers to FreeBSD, so I looked at FreeBSD, and OpenBSD + NetBSD while at it. OpenBSD behaved very well against the replayed attack and generally attracted me, things were just Done Right.

We had a pair of OpenBSD firewalls with ipf shortly after, with manual failover of course, nothing like carp was even remotely on the radar – at that time, a "cold standby" scheme was common for many things with higher availability requirements. I had performance problems. When OpenBSD 3.0 with the first pf incarnation was published, I tried it right away. It was very fast – both at runtime and to crash. In a long debugging session with Daniel Hartmeier we eventually found the problem and fixed it; from that point on I was running pf instead of ipf and the very same machines that were pegged on CPU for hours every day peaked at some 10% CPU load. I wrote an email to misc@ giving a short rundown of the story, and received an invitation to the upcoming hackathon from Theo in return. They haven’t let me off the leash since then 🙂

Honestly, besides the incredible technical expertise in the OpenBSD hackers group, this is just an awesome crowd that is a lot of fun to work with, and more than just work with. It is still an honour for me to be part of this group.

3. For those readers that still haven’t joined the OpenBSD community, why should they try OpenBSD?

Well, I’m not into marketing really, but I can easily tell why I use OpenBSD almost everywhere.

Reliability.

That goes much further than "not crashing". Running internet-facing services with often high availability requirements means you need a software stack that just works, all the time, and doesn’t surprise you. "Just works" here includes a very very important bit: not getting taken over by third parties. Security is critical.

Reliability also means that the software stack has to be user friendly in the sense of not surprising the admin – you want neither sudden reboots nor sudden death of daemons providing essential services and so on. The consistency that OpenBSD delivers gives me that, whatever I do in the scope of the OpenBSD base system doesn’t lead to surprises but works exactly how you expect it to (and minor deviations are getting fixed when encountered). Having to add a tiny bit to a production system that shall not fail and not having to fear that this addition causes havoc is worth a lot.

I could write on and on, there is so much I count on the positive side. Very noteworthy, before I stop to not digress too much, is of course the security OpenBSD delivers. I don’t have to worry about machines being taken over while I have beer with friends, sleep, sit in an airplane, or whatnot. OpenBSD’s defense in depth approach, last but not least through the many mitigation techniques, helps a lot there, even with 3rd-party software that is sometimes questionable from the security standpoint but you can’t escape from – PHP probably being the prime example. Getting all that without major performance impact is impressive.

4. Is OpenBSD your daily driver at home & at work?

Yes, my workstation at work runs OpenBSD (and even hosts my personal homepage), so do all my laptops. I have work to do and don’t want to fiddle with the OS in the process, it needs to Just Work. OpenBSD gives me that.

The vast majority of the many many many many machines at work also run OpenBSD. The fact that these don’t need babysitting but generally just require attention for upgrades every now and then makes a real difference. Of course we have extensive monitoring to not run into surprises, but generally, OpenBSD machines required very very little manual maintenance.

But there’s so much more. Even my little media server at home runs OpenBSD. The microcontrollers driving the door locks at work interface with OpenBSD, so do the ones controlling the lights. All money runs through OpenBSD – the bank interfaces run on it. So does all billing including invoice generation.

I think it is pretty appropriate to call OpenBSD my daily driver.