FreeBSD vs Debian

When I started in the world of systems administration more than two decades ago, my path quickly oriented toward Linux/GNU and specifically Debian. It was my simplest approach to the philosophy and concepts behind Unix systems. Over time I discovered systems like OpenBSD for its security, NetBSD and FreeBSD (and some of its notable derivatives such as pfSense). They always caught my attention for their more “pure” approach to the KISS concept that is intrinsically linked to UNIX. But the inertia of the already known and the excellent performance of Debian in all its aspects left no room to venture into a more general use of BSD systems, beyond specific tasks. And then the systemd intrusion arrived.

I do not want to enter a debate already much talked about and worn between defenders and detractors of systemd. Each one has their arguments for and against. I have mine and systemd does not appeal to me. I use it daily in my work as it has been forcibly introduced into almost the entire Linux ecosystem, but I thank it for being the motivation to venture more seriously into the use of FreeBSD.

After many years with Debian and fewer with FreeBSD I want to try to share the differences from a practical point of view for the systems administrator who does not live in a utopian world and needs to have the work done quickly and efficiently. I want to clarify that what is detailed is always from the perspective of server administration and not a desktop environment.

My first production use of FreeBSD (excluding pfSense) was the installation of a server to host various websites in a typical PHP environment and to manage mail for several domains, with spam protection and the other subtleties that any modern SMTP server currently needs. The result has been very positive and has allowed me to encounter head-on the many particularities required to maintain FreeBSD day to day. I also have a FreeBSD server running for backups in production, enjoying the benefits of ZFS. The result is equally unbeatable.

With this introduction I want to try to capture the differences, pros and cons each system offers. I will not go into details about installation; any competent systems administrator will be able to deal with either installer without any problem and end up with a correctly operational base system.

Base System

This is the first thing you encounter when arriving at FreeBSD. There is a perfect separation between what should be a complete and functional basic system and the extra functionalities you want to add to it. Everything is exquisitely well thought out and you can appreciate the good work of decades: it is a predictable, coherent system, without drastic changes between versions, perfectly documented, and with its own independent update system that works perfectly between minor and major version changes. It is the dream of any systems administrator.

Debian on the other hand, like any Linux distribution, is a conglomerate of applications and libraries with their own management utilities plus a kernel, which together aim to form a coherent system. Generally Debian does it very well, but it does not reach the level of FreeBSD, neither in official documentation nor in perfection: changes in basic functionalities between versions (read systemd) make it complicated to update a server from one version of Debian to a higher one. Another clear example in this regard is the networking tools and firewalls, which have seen several drastic changes across different versions of Linux and therefore Debian.

Hardware Support

Here the general advantage of Debian is clear: its Linux kernel has much greater support from both manufacturers and a wider community, which gives it more capacity to have drivers for different devices. But this is more important to consider for desktop use. In the case of servers there will be practically no problems, and the majority of dedicated and cloud/VPS server providers will be compatible with FreeBSD. And if you are the one who chooses the hardware, verify beforehand that it is compatible if you want to use it with FreeBSD.

ZFS

If you do not know this filesystem, you should. It is not the universal filesystem for all cases by any means. It has its advantages and disadvantages and this is not the article to talk about ZFS. But if you want to use this filesystem, currently there are few operating systems that integrate it in their base as masterfully as FreeBSD. ZFS can also be included as a module in the Linux kernel, even some distributions integrate it by default although Debian decided not to do so interpreting its license as incompatible.

But the question is not whether you can use it or not, the question is “how” and in this sense the advantage of FreeBSD is absolute. It is perfectly integrated in its base, system updates and documentation.

Virtualization / Containers / VPS / Cloud

Simplifying, there are basically two options to have a system independent of the host/hypervisor: virtualization with independent kernel or containers with shared kernel. Both cases can be used both in Debian and FreeBSD.

Regarding virtualization, in Debian the most common is to use KVM, FreeBSD has Bhyve. In this regard we can say that KVM currently has an advantage by having greater support from both the community and large companies, Bhyve is younger but advances at a good pace with more current technology and perhaps in the future with better results than KVM. Personally I have a couple of virtualized machines in Bhyve with Debian installed in them and I have not found major performance problems, nor are they critical machines. One of them runs the Collabora Online suite for Nextcloud which does not offer a simple way to install it on FreeBSD.

But if we talk about containers the tables are turned. In Linux there have been and exist multiple options: Linux-Vservers, OpenVz, lxc, systemd-nspawn, lxd, docker… and many more. I have used Linux-Vservers for quite a few years, a pity it did not attract the necessary community attention. In FreeBSD we have the famous Jails, a true gem perfectly integrated in the system (as is customary in FreeBSD).

Comparing FreeBSD with Debian/Linux in this case, I see an advantage for the former in its simplicity, ease and integration in the base system. LXC (with cgroups, apparmor…) is the underlying technology for most containers and is a complex system that depends on the distribution's implementation; you are tied to using systemd whether you want to or not, and to the manager's different management layers. I grant FreeBSD a clear advantage here: UNIX philosophy and KISS principle. Yes, then there is Docker, which is very easy in Linux and can simplify the administrator's life and automate processes… but it does not have the same objective as a complete system and has its design problems.

Applications and Package System

This is an important section to take into account. A coherent base system is fundamental but then we have to add what is necessary for our objective. This is where the advantages and disadvantages of each OS must be weighed more carefully.

Debian on one hand, offers one of the widest repositories in terms of applications. Among its features:

  • large number of applications to install
  • packages differ from the original in their configuration in the “Debian way”
  • fast vulnerability security support
  • the application version does not change to newer higher versions and you stay anchored to the installed version throughout the life of your Debian version, if you need new versions you have to resort to “backports” or external Debian sources that have compiled the package for you (with the security risks that may imply) or find a way to compile it yourself
  • for each application there are different versions of it according to different compilation options (postfix-sqlite, postfix-mysql, postfix-ldap…).

On the other hand, FreeBSD has historically been based on the “ports” system where each user “compiles” the application for their system, ports are Makefiles (and a bit more) that help and automate this task. Currently the pkg system (packages derived from ports with specific options) has advanced a lot and it is possible to have almost everything installed as binaries. Notable:

  • The number of different ports/packages for FreeBSD is comparable to Debian and uses the “rolling release” concept in which they do not maintain the same initial version of the package applying security patches but go in parallel with the original application version.
  • There is practically no concept of, and no need for, external third-party sources since you compile what you need and can easily create your own repositories if required.
  • Unlike Debian, there are no different versions of the same package for different compilation options, a basic one is included and if you need something else… you compile.
  • To help manage ports and packages there are multiple tools like poudriere and synth that ease this task but it can still be tedious.
  • If you use precompiled pkgs you may take longer to receive security updates because FreeBSD resources are smaller and compiling everything for all supported platforms takes time.
  • If you use binary packages you have two different repositories: “latest” and “quarterly”. The first always incorporates the latest update made in the ports, especially new versions. “Quarterly” on the other hand stays “stable” for three months without changing version unless there is a security problem or other serious issue, in which case an update is applied.

It is difficult to decide which system is better in this regard. Three illustrative examples managed with FreeBSD and Debian: postfix, php, percona.

1. Postfix/Dovecot/Rspamd

When I installed my SMTP server for my domains I decided to use FreeBSD. For my particular configuration I required postfix with sqlite support, the same for dovecot, and also specific options for rspamd. In Debian, by default, I have the postfix-sqlite package, and likewise for dovecot. Installation would have been straightforward. In FreeBSD on the other hand, the default compiled pkg is very basic and to have sqlite support I needed to compile. To do this I created my own repository with synth, where I maintain and compile the packages I need for the various FreeBSD servers, so that these servers transparently always use pkgs. The downside is that it forces me to compile every time there is a security update. It is usually quick, but you have to keep an eye out as you can end up compiling the last package on the server (they are all related; I will go into detail about this in a future post). The advantage is that for rspamd the option I needed did not exist in Debian, and it would have been much more tedious to compile and maintain by hand without the help of a system like the FreeBSD ports/synth/poudriere.

2. PHP

With PHP we will see clear conceptual differences between both package systems. Generally, in a hosting environment multiple versions of PHP coexist, some of them very old and unsupported for some years. Say you want to have versions 5.6 to 7.4 available. In Debian, from the base, it is very complicated: there is only one supported PHP version in the Debian version you have installed. In Buster, for example, you would have to settle for just php7.3. What do you do then? You need to use an external source (sury.org), an external repository in which you deposit your trust to install binaries on your server, and which altruistically dedicates itself to preparing and compiling different PHP versions for a specific Debian version. Without this “altruistic” repository you would have to see about compiling PHP from scratch without the help of a system like ports, with all the complications and extra maintenance time that may imply.

FreeBSD on the other hand offers in its package list all versions currently supported by PHP (at the current date 7.2, 7.3 and 7.4), but raises other problems. It is not possible for multiple PHP versions to coexist (I have reported a bug in FreeBSD requesting the PHP package maintainers to remedy this issue), so to use different versions it is necessary either to compile with modified options in the ports or to use a “jail” for each version of php-fpm. For older PHP versions you can download the latest port from the subversion repository and compile it easily; as these versions are no longer supported by PHP and receive no more updates, you will only have to compile once.

3. Percona MySQL

Some time ago a client asked me for a new server with the latest version 8 of Percona MySQL. My initial intention was to install FreeBSD, but first I verified whether Percona was available. Unfortunately version 8 was not, although versions 5.5, 5.6 and 5.7 were. In theory I could try to download the sources and compile manually without the help of ports and such… but in the long term this would have raised maintenance inconveniences, in addition to an initial setup time that would not have been covered by the budget. For Debian, Percona is not available in its base either (in any version), but Percona itself provides an external repository which you have to trust, and you can install Percona without problems (well, there were a few). The choice in this case was clear and shows that greater company support for Debian/Linux plays in its favor.

To close this section, an important concept: the basic configuration and the interaction of the package system in updates. The default configuration of FreeBSD tends to be close to the default configuration of the application, leaving much of the responsibility of configuring the app/service to the administrator; even in service upgrades, services are not usually restarted by pkg and most of the time manual intervention is required. In Debian this aspect is much more automated, and the postinstall and preinstall scripts, etc. try to automate upgrades and minimize intervention as much as possible. The problem is that many times this, in complex interrelated services and systems, can result in errors. You can control a service automatically but hardly its interrelation with multiple other factors, so in the end you usually need to pay attention to the automated tasks the package system will perform so that it does not leave your system KO if you intend to automate the upgrade on multiple servers simultaneously. It is a personal matter, but I prefer FreeBSD's way of intervening as little as possible in the system, since in the end you always have the responsibility of verifying that everything happens correctly.
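
One way to do the verification described above after a pkg upgrade, as an added example that is not part of the original post: it lists daemons that started before their on-disk binary was last replaced and so still run the old code. The watch list (process names and paths) is an assumption to adjust to your own servers.

```python
#!/usr/bin/env python3
"""Post-upgrade check: which daemons still run a binary replaced after they started?"""
import os
import subprocess
from datetime import datetime

# Assumed watch list: process name as printed by ps -> installed binary path.
WATCHED = {
    "master": "/usr/local/libexec/postfix/master",
    "dovecot": "/usr/local/sbin/dovecot",
    "rspamd": "/usr/local/bin/rspamd",
}


def parse_ps(output):
    """Parse `ps -axo pid=,lstart=,comm=` output into (pid, start_epoch, name)."""
    procs = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 7:              # pid + 5 lstart tokens + name
            continue
        try:
            pid = int(fields[0])
            started = datetime.strptime(" ".join(fields[1:6]),
                                        "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue                     # unexpected format or non-C locale
        procs.append((pid, started.timestamp(), " ".join(fields[6:])))
    return procs


def stale_processes(procs, watched):
    """Return (pid, name, path) for processes older than their on-disk binary."""
    stale = []
    for pid, started, name in procs:
        path = watched.get(name)
        if path is None:
            continue
        try:
            # ctime, not mtime: package tools may restore the archive's mtime,
            # while ctime moves when the new file is put in place.
            replaced = os.stat(path).st_ctime
        except OSError:
            continue                     # binary missing or unreadable
        if replaced > started:
            stale.append((pid, name, path))
    return stale


if __name__ == "__main__":
    env = dict(os.environ, LC_ALL="C")   # keep lstart in the parsed format
    out = subprocess.run(["ps", "-axo", "pid=,lstart=,comm="], check=True,
                         capture_output=True, text=True, env=env).stdout
    for pid, name, path in stale_processes(parse_ps(out), WATCHED):
        print(f"restart needed: {name} (pid {pid}) predates {path}")
```

A chmod or chown on the binary also moves ctime, so a hit means "check this service", not proof that the package changed.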

Security and Long Term Support

For the maintenance of a system for probably years it is necessary that it provides security support and updates, both to its base system and its applications (although you can always compile the applications yourself). Both Debian and FreeBSD offer an extensive support time for a major version.

FreeBSD. According to its own support/security page: “Under the current support model, each major version stable branch is explicitly supported for 5 years, while each individual point release is only supported for three months after the next point release.” So we have 5 years of guaranteed support for our system even if minor upgrades of the same major version must be made.

Debian. Offers a similar extended support of 5 years although once a new version of Debian has been released (generally before 5 years) it is not Debian directly who handles security support but a parallel volunteer project LTS. There is also a commercial project “ELTS” that provides support for some more years to an old Debian version but only to the system and packages used by customers of this company (Freexian) although then the updates are freely available to the entire Debian community.

The main difference between the two support models is the application versions, for better or worse. In FreeBSD during the 5 years you will use the latest version of the application. In Debian versions do not vary and only security patches are applied to existing ones. In 5 years you may have fallen very far behind in features, which on the other hand may be interesting if you have a stable stack that does not want the possible new incompatibilities introduced by new versions. The latter is also not critical in FreeBSD: for example, you can install python2 or python3 and will not be forced to change to python3.

Maintenance and Upgrades

Dealt with in part in the package system section, major system upgrades deserve separate mention. What I like most about FreeBSD is the ease of changing between major versions without major problems. Since the base system is independent and applications have a “rolling release” policy, the change between versions is usually simple. Additionally, thanks to perfect integration with ZFS, tools like beadm allow you to take a snapshot before the upgrade and, if something goes wrong, return to the original version in a matter of seconds. In Debian on the other hand you have to think twice before moving from one major version to another… now init.d or systemd? ifconfig or ip? systemd-networkd or /etc/network/interfaces? iptables or nftables?…

Performance

A thorny topic, if you search the internet you will find multiple benchmarks comparing Linux and FreeBSD and even more fanatics defending one or another system and honestly it does not matter. Both systems work extremely well and with optimal performance if well configured and the appropriate technologies are correctly chosen. If you do your work well the strict performance of one or the other will hardly be the deciding factor.

Conclusions

The perfect solution does not exist. With the arguments presented from my experience and your own research, choose the system that makes your life easier and best adapts to your objective.
