NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Serving Netflix Video at 400Gb/s on FreeBSD

Using the FreeBSD RACK TCP Stack

News Roundup

pkgupdate, an OpenBSD script to update packages fast

Plasma System Monitor and FreeBSD

TrueNAS vs FreeNAS (and why you should upgrade!)

Automatically lock screen on OpenBSD using xidle and xlock

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Ben - LightDM with Slick-Greeter.md
• Dave - Cloned Interface.md
• MJ Rodriguez - Sony.md

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

Headlines

FreeBSD on Power

The power and promise of all open source software is freedom. Another way to express freedom is choice — choice of platforms, deployment models, stacks, configurations, etc.

The FreeBSD Foundation is dedicated to supporting and promoting the FreeBSD Project and community worldwide. But, what does this mean, exactly, you may wonder. The truth is it means many different things, but in all cases the Foundation acts to expand freedom and choice so that FreeBSD users have the power to serve their varied compute needs.

This blog tells the story of one specific way the Foundation helps a member of the community provide greater hardware choice for all FreeBSD users.

Dragonfly 5.8

DragonFly version 5.8 brings a new dsynth utility for building your own binary dports packages, plus significant support work to speed up that build - up to and including the entire collection. Additional progress has been made on GPU and signal support.

The details of all commits between the 5.6 and 5.8 branches are available in the associated commit messages for 5.8.0rc1 and 5.8.0. Also see /usr/src/UPDATING for specific file changes in PAM.

• See article for rest of information

2nd HamBUG meeting recap

• The second meeting of the Hamilton BSD Users Group took place last night
• The next meeting is scheduled for the 2nd Tuesday of the month, April 14th 2020

News Roundup

FreeNAS/TrueNAS Brand Unification

FreeNAS and TrueNAS have been separate-but-related members of the #1 Open Source storage software family since 2012. FreeNAS is the free Open Source version with an expert community and has led the pursuit of innovations like Plugins and VMs. TrueNAS is the enterprise version for organizations of all sizes that need additional uptime and performance, as well as the enterprise-grade support necessary for critical data and applications.

From the beginning at iXsystems, we’ve developed, tested, documented, and released both as separate products, even though the vast majority of code is shared. This was a deliberate technical decision in the beginning but over time became less of a necessity and more of “just how we’ve always done it”. Furthermore, to change it was going to require a serious overhaul to how we build and package both products, among other things, so we continued to kick the can down the road. As we made systematic improvements to development and QA efficiency over the past few years, the redundant release process became almost impossible to ignore as our next major efficiency roadblock to overcome. So, we’ve finally rolled up our sleeves.

With the recent 11.3 release, TrueNAS gained parity with FreeNAS on features like VMs and Plugins, further homogenizing the code. Today, we announce the next phase of evolution for FreeNAS and TrueNAS.

OpenBSD versus Prometheus (and Go).

We have a decent number of OpenBSD machines that do important things (and that have sometimes experienced problems like running out of disk space), and we have a Prometheus based metrics and monitoring system. The Prometheus host agent has enough support for OpenBSD to be able to report on critical metrics, including things like local disk space. Despite all of this, after some investigation I've determined that it's not really sensible to even try to deploy the host agent on our OpenBSD machines. This is due to a combination of factors that have at their root OpenBSD's lack of ABI stability

FreeBSD removed gcc from base

As described in Warner's email message[1] to the FreeBSD-arch mailing list we have reached GCC 4.2.1's retirement date. At this time all supported architectures either use in-tree Clang, or rely on external toolchain (i.e., a contemporary GCC version from ports).

GCC 4.2.1 was released July 18, 2007 and was imported into FreeBSD later that year, in r171825. GCC has served us well, but version 4.2.1 is obsolete and not used by default on any architecture in FreeBSD. It does not support modern C and does not support arm64 or RISC-V.

Beastie Bits

• New Archive location for Dragonfly 4.x
• A dead simple git cheat sheet
• Xorg 1.20.7 on HardenedBSD Comes with IE/RELRO+BIND_NOW/CFI/SafeStack Protections

Feedback/Questions

• Niclas writes in Regarding the Lenovo E595 user (episode 340)
• Lyubomir writes about GELI and ZFS
• Peter writes in about scaling FreeBSD jails

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

FreeBSD is an amazing operating System

Update 2020-01-21: Since I wrote this article it got posted on Hacker News, Reddit and Lobster, and a few people have emailed me with comments. I have updated the article with comments where I have found it needed. As an important side note I would like to point out that I am not a FreeBSD developer, there may be things going on in the FreeBSD world that I know absolutely nothing about. I am also not glued to the FreeBSD developer mailing lists. I am not a FreeBSD "fanboy". I have been using GNU/Linux a ton more for the past two decades than FreeBSD, mainly due to hardware incompatibility (lacking or buggy drivers), and I love both Debian GNU/Linux and Arch Linux just as much as FreeBSD. However, I am concerned about the development of GNU/Linux as of late. Also this article is not about me trying to make anyone switch from something else to FreeBSD. It's about why I like FreeBSD and that I recommend you try it out if you're into messing with operating systems.

I think the year was late 1999 or mid 2000 when I one day was browsing computer books at my favorite bookshop and I discovered the book The Complete FreeBSD third edition from 1999 by Greg Lehey. With the book came 4 CD Roms with FreeBSD 3.3.

I had already familiarized myself with GNU/Linux in 1998, and I was in the process of migrating every server and desktop operating system away from Microsoft Windows, both at home and at my company, to GNU/Linux, initially Red Hat Linux and then later Debian GNU/Linux, which eventually became my favorite GNU/Linux distribution for many years.

When I first saw The Complete FreeBSD book by Greg Lehey I remember noticing the text on the front page that said, "The Free Version of Berkeley UNIX" and "Rock Solid Stability", and I was immediately intrigued! What was that all about? A free UNIX operating system! And rock solid stability? That sounded amazing.

Hyperbola Dev Interview

In late December 2019, Hyperbola announced that they would be making major changes to their project. They have decided to drop the Linux kernel in favor of forking the OpenBSD kernel. This announcement only came months after Project Trident announced that they were going in the opposite direction (from BSD to Linux).

Hyperbola also plans to replace all software that is not GPL v3 compliant with new versions that are.

To get more insight into the future of their new project, I interviewed Andre, co-founder of Hyperbola.

News Roundup

Improving the ptrace(2) API and preparing for LLVM-10.0

This month I have improved the NetBSD ptrace(2) API, removing one legacy interface with a few flaws and replacing it with two new calls with new features, and removing technical debt.

As LLVM 10.0 is branching now soon (Jan 15th 2020), I worked on proper support of the LLVM features for NetBSD 9.0 (today RC1) and NetBSD HEAD (future 10.0).

The first FreeBSD conference in Australia

FreeBSD has existed as an operating system, project, and foundation for more than twenty years, and its earlier incantations have exited for far longer. The old guard have been developing code, porting software, and writing documentation for longer than I’ve existed. I’ve been using it for more than a decade for personal projects, and professionally for half that time.

While there are many prominent Australian FreeBSD contributors, sysadmins, and users, we’ve always had to venture overseas for conferences. We’re always told Australians are among the most ardent travellers, but I always wondered if we could do a domestic event as well.

And on Tuesday, we did! Deb Goodkin and the FreeBSD Foundation graciously organised and chaired a dedicated FreeBSD miniconf at the long-running linux.conf.au event held each year in a different city in Australia and New Zealand.

A practical guide to containers on FreeNAS for a depraved psychopath

This is a simple write-up to setup Docker on FreeNAS 11 or FreeBSD 11.

But muh jails?

You know that jails are dope and you know that jails are dope, yet no one else knows it. So here we are stuck with docker. Two years ago I would be the last person to recommend using docker, but a whole lot of things has changes past years…

So jails are dead then?

No, jails are still dope, but jails lack tools to manage them. Yes, there are a few tools, but they meant for hard-core FreeBSD users who used to suffering. Docker allows you to run applications without deep knowledge of application you’re running. It will also allow you to run applications that are not ported to FreeBSD.

Why you should migrate everything from Linux to BSD

As an operating system GNU/Linux has become a real mess because of the fragmented nature of the project, the bloatware in the kernel, and because of the jerking around by commercial interests.

• Response Should you migrate from Linux to BSD? It depends.

Beastie Bits

• Using the OpenBSD ports tree with dedicated users
• broot on FreeBSD
• A Trip down Memory Lane
• Running syslog-ng in BastilleBSD
• NASA : Using Software Packages in pkgsrc

Feedback/Questions

• All of our questions this week were pretty technical in nature so I'm going to save those for the next episode so Allan can weigh in on them, since if we cover them now we're basically going to be deferring to Allan anyway.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

Authentication vulnerabilities in OpenBSD

• We discovered an authentication-bypass vulnerability in OpenBSD's authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.
• From the manual page of login.conf:

OpenBSD uses BSD Authentication, which is made up of a variety of authentication styles. The authentication styles currently provided are:
passwd Request a password and check it against the password in the master.passwd file. See login_passwd(8).
skey Send a challenge and request a response, checking it with S/Key (tm) authentication. See login_skey(8).
yubikey Authenticate using a Yubico YubiKey token. See login_yubikey(8).
For any given style, the program /usr/libexec/auth/login_style is used to
perform the authentication. The synopsis of this program is:
/usr/libexec/auth/login_style [-v name=value] [-s service] username class

• This is the first piece of the puzzle: if an attacker specifies a username of the form "-option", they can influence the behavior of the authentication program in unexpected ways.

 login_passwd [-s service] [-v wheel=yes|no] [-v lastchance=yes|no] user [class] The service argument specifies which protocol to use with the invoking program.  The allowed protocols are login, challenge, and response.  (The challenge protocol is silently ignored but will report success as passwd-style authentication is not challenge-response based).

• This is the second piece of the puzzle: if an attacker specifies the username "-schallenge" (or "-schallenge:passwd" to force a passwd-style authentication), then the authentication is automatically successful and therefore bypassed.
• Case study: smtpd
• Case study: ldapd
• Case study: radiusd
• Case study: sshd
• Acknowledgments: We thank Theo de Raadt and the OpenBSD developers for their incredibly quick response: they published patches for these vulnerabilities less than 40 hours after our initial contact. We also thank MITRE's CVE Assignment Team.

First release candidate for NetBSD 9.0 available!

• Since the start of the release process four months ago a lot of improvements went into the branch - more than 500 pullups were processed!
• This includes usbnet (a common framework for usb ethernet drivers), aarch64 stability enhancements and lots of new hardware support, installer/sysinst fixes and changes to the NVMM (hardware virtualization) interface.
• We hope this will lead to the best NetBSD release ever (only to be topped by NetBSD 10 next year).

• Here are a few highlights of the new release:

  Support for Arm AArch64 (64-bit Armv8-A) machines, including "Arm ServerReady"
  compliant machines (SBBR+SBSA)
  Enhanced hardware support for Armv7-A
  Updated GPU drivers (e.g. support for Intel Kabylake)
  Enhanced virtualization support
  Support for hardware-accelerated virtualization (NVMM)
  Support for Performance Monitoring Counters
  Support for Kernel ASLR
  Support several kernel sanitizers (KLEAK, KASAN, KUBSAN)
  Support for userland sanitizers
  Audit of the network stack
  Many improvements in NPF
  Updated ZFS
  Reworked error handling and NCQ support in the SATA subsystem
  Support a common framework for USB Ethernet drivers (usbnet)

• More information on the RC can be found on the NetBSD 9 release page

News Roundup

Running FreeNAS on a Digitalocean droplet

• ZFS is awesome. FreeBSD even more so. FreeNAS is the battle-tested, enterprise-ready-yet-home-user-friendly software defined storage solution which is cooler then deep space, based on FreeBSD and makes heavy use of ZFS. This is what I (and soooooo many others) use for just about any storage-related task. I can go on and on and on about what makes it great, but if you're here, reading this, you probably know all that already and we can skip ahead.
• I've needed an offsite FreeNAS setup to replicate things to, to run some things, to do some stuff, basically, my privately-owned, tightly-controlled NAS appliance in the cloud, one I control from top to bottom and with support for whatever crazy thing I'm trying to do. Since I'm using DigitalOcean as my main VPS provider, it seemed logical to run FreeNAS there, however, you can't. While DO supports many many distos and pre-setup applications (e.g OpenVPN), FreeNAS isn't a supported feature, at least not in the traditional way :)
• Before we begin, here's the gist of what we're going to do:

Base of a FreeBSD droplet, we'll re-image our boot block device with FreeNAS iso. We'll then install FreeNAS on the second block device. Once done we're going to do the ol' switcheroo: we're going to re-image our original boot block device using the now FreeNAS-installed second block device.

• Part 1: re-image our boot block device to boot FreeNAS install media.
• Part 2: Install FreeNAS on the second block-device
• Part 3: Re-image the boot block device using the FreeNAS-installed block device

NomadBSD 1.3 is now available

• From the release notes:

The base system has been changed to FreeBSD 12.1-RELEASE-p1
Due to a deadlock problem, FreeBSD's unionfs has been replaced by unionfs-fuse
The GPT layout has been changed to MBR. This prevents problems with Lenovo
systems that refuse to boot from GPT if "lenovofix" is not set, and systems that
hang on boot if "lenovofix" is set.
Support for ZFS installations has been added to the NomadBSD installer.
The rc-script for setting up the network interfaces has been fixed and improved.
Support for setting the country code for the wlan device has been added.
Auto configuration for running in VirtualBox has been added.
A check for the default display has been added to the graphics configuration scripts. This fixes problems where users with Optimus have their NVIDIA card disabled, and use the integrated graphics chip instead.
NVIDIA driver version 440 has been added.
nomadbsd-dmconfig, a Qt tool for selecting the display manager theme, setting the
default user and autologin has been added.
nomadbsd-adduser, a Qt tool for added preconfigured user accounts to the system has been added.
Martin Orszulik added Czech translations to the setup and installation wizard.
The NomadBSD logo, designed by Ian Grindley, has been changed.
Support for localized error messages has been added.
Support for localizing the password prompts has been added.
Some templates for starting other DEs have been added to ~/.xinitrc.
The interfaces of nomadbsd-setup-gui and nomadbsd-install-gui have been improved.
A script that helps users to configure a multihead systems has been added.
The Xorg driver for newer Intel GPUs has been changed from "intel" to "modesetting".
/proc has been added to /etc/fstab
A D-Bus session issue has been fixed which prevented thunar from accessing samba shares.
DSBBg which allows users to change and manage wallpapers has been added.
The latest version of update_obmenu now supports auto-updating the Openbox menu. Manually updating the Openbox menu after packet (de)installation is therefore no longer needed.

Support for multiple keyboard layouts has been added.
www/palemoon has been removed.
mail/thunderbird has been removed.
audio/audacity has been added.
deskutils/orage has been added.
the password manager fpm2 has been replaced by KeePassXC
mail/sylpheed has been replaced by mail/claws-mail
multimedia/simplescreenrecorder has been added.
DSBMC has been changed to DSBMC-Qt
Many small improvements and bug fixes.

At e2k19 nobody can hear you scream

• After 2 years it was once again time to pack skis and snowshoes, put a satellite dish onto a sledge and hike through the snowy rockies to the Elk Lakes hut.
• I did not really have much of a plan what I wanted to work on but there were a few things I wanted to look into. One of them was rpki-client and the fact that it was so incredibly slow. Since Bob beck@ was around I started to ask him innocent X509 questions ... as if there are innocent X509 questions! Mainly about the abuse of the X509_STORE in rpki-client. Pretty soon it was clear that rpki-client did it all wrong and most of the X509 verification had to be rewritten. Instead of only storing the root certificates in the store and passing the intermediate certs as a chain to the verification function rpki-client threw everything into it. The X509_STORE is just not built for such an abuse and so it was no wonder that this was slow.
• Lucky me I pulled benno@ with me into this dark hole of libcrypto code. He managed to build up an initial diff to pass the chains as a STACK_OF(X509) and together we managed to get it working. A big thanks goes to ingo@ who documented most of the functions we had to use. Have a look at STACK_OF(3) and sk_pop_free(3) to understand why benno@ and I slowly turned crazy.
• Our next challenge was to only load the necessary certificate revocation list into the X509_STORE_CTX. While doing those changes it became obvious that some of the data structures needed better lookup functions. Looking up certificates was done using a linear lookup and so we replaced the internal certificate and CRL tables with RB trees for fast lookups. deraadt@ also joined the rpki-client commit fest and changed the output code to use rename(2) so that files are replaced in an atomic operation. Thanks to this rpki-client can now be safely run from cron (there is an example in the default crontab).
• I did not plan to spend most of my week hacking on rpki-client but in the end I'm happy that I did and the result is fairly impressive. Working with libcrypto code and especially X509 was less than pleasant. Our screams of agony died away in the snowy rocky mountains and made Bob deep dive into UVM with a smile since he knew that benno@ and I had it worse.
• In case you wonder thanks to all changes at e2k19 rpki-client improved from over 20min run time to validate all VRPS to roughly 1min to do the same job. A factor 20 improvement!
• Thanks to Theo, Bob and Howie to make this possible. To all the cooks for the great food and to Xplornet for providing us with Internet at the hut.

Beastie Bits

• FOSDEM 2020 BSD Devroom schedule
• Easy Minecraft Server on FreeBSD Howto
• stats(3) framework in the TCP stack
• 4017 days of uptime
• sysget - A front-end for every package manager
• PlayOnBSD’s Cross-BSD Shopping Guide

Feedback/Questions

• Pat asks about the proper disk drive type for ZFS
• Brad asks about a ZFS rosetta stone

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Special Guest: Mariusz Zaborski.

Headlines

OPNsense 19.7.1

We do not wish to keep you from enjoying your summer time, but this
is a recommended security update enriched with reliability fixes for the
new 19.7 series. Of special note are performance improvements as well
as a fix for a longstanding NAT before IPsec limitation.

Full patch notes:

• system: do not create automatic copies of existing gateways
• system: do not translate empty tunables descriptions
• system: remove unwanted form action tags
• system: do not include Syslog-ng in rc.freebsd handler
• system: fix manual system log stop/start/restart
• system: scoped IPv6 "%" could confuse mwexecf(), use plain mwexec() instead
• system: allow curl-based downloads to use both trusted and local authorities
• system: fix group privilege print and correctly redirect after edit
• system: use cached address list in referrer check
• system: fix Syslog-ng search stats
• firewall: HTML-escape dynamic entries to display aliases
• firewall: display correct IP version in automatic rules
• firewall: fix a warning while reading empty outbound rules configuration
• firewall: skip illegal log lines in live log
• interfaces: performance improvements for configurations with hundreds of interfaces
• reporting: performance improvements for Python 3 NetFlow aggregator rewrite
• dhcp: move advanced router advertisement options to correct config section
• ipsec: replace global array access with function to ensure side-effect free boot
• ipsec: change DPD action on start to "dpdaction = restart"
• ipsec: remove already default "dpdaction = none" if not set
• ipsec: use interface IP address in local ID when doing NAT before IPsec
• web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen
• plugins: os-acme-client 1.24[1]
• plugins: os-bind 1.6[2]
• plugins: os-dnscrypt-proxy 1.5[3]
• plugins: os-frr now restricts characters BGP prefix-list and route-maps[4]
• plugins: os-google-cloud-sdk 1.0[5]
• ports: curl 7.65.3[6]
• ports: monit 5.26.0[7]
• ports: openssh 8.0p1[8]
• ports: php 7.2.20[9]
• ports: python 3.7.4[10]
• ports: sqlite 3.29.0[11]
• ports: squid 4.8[12]

Stay safe and hydrated, Your OPNsense team

ZFS on Linux still has annoying issues with ARC size

One of the frustrating things about operating ZFS on Linux is that the ARC size is critical but ZFS's auto-tuning of it is opaque and apparently prone to malfunctions, where your ARC will mysteriously shrink drastically and then stick there.

Linux's regular filesystem disk cache is very predictable; if you do disk IO, the cache will relentlessly grow to use all of your free memory. This sometimes disconcerts people when free reports that there's very little memory actually free, but at least you're getting value from your RAM. This is so reliable and regular that we generally don't think about 'is my system going to use all of my RAM as a disk cache', because the answer is always 'yes'. (The general filesystem cache is also called the page cache.)

This is unfortunately not the case with the ZFS ARC in ZFS on Linux (and it wasn't necessarily the case even on Solaris). ZFS has both a current size and a 'target size' for the ARC (called 'c' in ZFS statistics). When your system boots this target size starts out as the maximum allowed size for the ARC, but various events afterward can cause it to be reduced (which obviously limits the size of your ARC, since that's its purpose). In practice, this reduction in the target size is both pretty sticky and rather mysterious (as ZFS on Linux doesn't currently expose enough statistics to tell why your ARC target size shrunk in any particular case).

The net effect is that the ZFS ARC is not infrequently quite shy and hesitant about using memory, in stark contrast to Linux's normal filesystem cache. The default maximum ARC size starts out as only half of your RAM (unlike the regular filesystem cache, which will use all of it), and then it shrinks from there, sometimes very significantly, and once shrunk it only recovers slowly (if at all).

News Roundup

Hammer2 is now default

commit a49112761c919d42d405ec10252eb0553662c824
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date:   Mon Jun 10 17:53:46 2019 -0700

    installer - Default to HAMMER2

    * Change the installer default from HAMMER1 to HAMMER2.

    * Adjust the nrelease build to print the location of the image files
      when it finishes.

Summary of changes:
 nrelease/Makefile                          |  2 +-
 usr.sbin/installer/dfuibe_installer/flow.c | 20 ++++++++++----------
 2 files changed, 11 insertions(+), 11 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/a49112761c919d42d405ec10252eb0553662c824

NetBSD audio – an application perspective

NetBSD audio – an application perspective ... or, "doing it natively, because we can"

• audio options for NetBSD in pkgsrc

  • Use NetBSD native audio (sun audio/audioio.h)
  • Or OSS emulation layer: Basically a wrapper around sun audio in the kernel. Incomplete and old version, but works for simple stuff

• Many many abstraction layers available:

  • OpenAL-Soft
  • alsa-lib (config file required)
  • libao, GStreamer (plugins!)
  • PortAudio, SDL
  • PulseAudio, JACK
  • ... lots more!? some obsolete stuff (esd, nas?)

• Advantages of using NetBSD audio directly

  • Low latency, low CPU usage: Abstraction layers differ in latency (SDL2 vs ALSA/OpenAL)
  • Query device information: Is /dev/audio1 a USB microphone or another sound card?
  • Avoid bugs from excessive layering
  • Nice API, well documented: [nia note: I had no idea how to write audio code. I read a man page and now I do.]
  • Your code might work on illumos too

• [nia note: SDL2 seems very sensitive to the blk_ms sysctl being high or low, with other implementations there seems to be a less noticable difference. I don't know why.]

New FreeNAS Mini

Two new FreeNAS Mini systems join the very popular FreeNAS Mini and Mini XL:

FreeNAS Mini XL+: This powerful 10 Bay platform (8x 3.5” and 1x 2.5” hot-swap, 1x 2.5” internal) includes the latest, compact server technology and provides dual 10GbE ports, 8 CPU cores and 32 GB RAM for high performance workgroups. The Mini XL+ scales beyond 100TB and is ideal for very demanding applications, including hosting virtual machines and multimedia editing. Starting at $1499, the Mini XL+ configured with cache SSD and 80 TB capacity is $4299, and consumes about 100 Watts.

FreeNAS Mini E: This cost-effective 4 Bay platform provides the resources required for SOHO use with quad GbE ports and 8 GB of RAM. The Mini E is ideal for file sharing, streaming and transcoding video at 1080p. Starting at $749, the Mini E configured with 8 TB capacity is $999, and consumes about 36 Watts.

Beastie Bits

• Welcome to NetBSD 9.99.1!
• Berkeley smorgasbord — part II
• dtracing postgres
• Project Trident 19.07-U1 now available
• Need a Secure Operating System? Take a Look at OpenBSD

Feedback/Questions

• Jeff - OpenZFS Port Testing Feedback
• Malcolm - Best Practices for Custom Ports
• Michael - Little Correction

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

Polprog's Am5x86 based retro UNIX build log

I have recently acquired an Am5x86 computer, in a surprisingly good condition. This is an ongoing project, check this page often for updates!

I began by connecting a front panel. The panel came from a different chassis and is slightly too wide, so I had to attach it with a couple of zip-ties. However, that makes it stick out from the PC front at an angle, allowing easy access when the computer sits at the floor - and thats where it is most of the time. It's not that bad, to be honest, and its way easier to access than it would be, if mounted vertically

There is a mains switch on the front panel because the computer uses an older style power supply. Those power supplies instead of relying on a PSON signal, like modern ATX supplies, run a 4 wire cable to a mains switch. The cable carries live and neutral both ways, and the switch keys in or out the power. The system powers on as soon as the switch is enabled.

Originally there was no graphics card in it. Since a PC will not boot with out a GPU, I had to find one. The mainboard only has PCI and ISA slots, and all the GPUs I had were AGP. Fortunately, I bought a PCI GPU hoping it would solve my issue...

However the GPU turned out to be faulty. It took me some time to repair it. I had to repair a broken trace leading to one of the EEPROM pins, and replace a contact in the EEPROM's socket. Then I replaced all the electrolytic capacitors on it, and that fixed it for good.

Having used up only one of the three PCI slots, I populated the remaining pair with two ethernet cards. I still have a bunch of ISA slots available, but I have nothing to install there. Yet.

• See the article for the rest of the writeup

Setting up services in a FreeNAS Jail

This piece demonstrates the setup of a server service in a FreeNAS jail and how to share files with a jail using Apache 2.4 as an example. Jails are powerful, self-contained FreeBSD environments with separate network settings, package management, and access to thousands of FreeBSD application packages. Popular packages such as Apache, NGINX, LigHTTPD, MySQL, and PHP can be found and installed with the pkg search and pkg install commands.

This example shows creating a jail, installing an Apache web server, and setting up a simple web page.

NOTE: Do not directly attach FreeNAS to an external network (WAN). Use port forwarding, proper firewalls and DDoS protections when using FreeNAS for external web sites. This example demonstrates expanding the functionality of FreeNAS in an isolated LAN environment.

News Roundup

First taste of DragonflyBSD

Last week, I needed to pick a BSD Operating System which supports NUMA to do some testing, so I decided to give Dragonfly BSD a shot. Dragonfly BSDonly can run on X86_64 architecture, which reminds me of Arch Linux, and after some tweaking, I feel Dragonfly BSD may be a “developer-friendly” Operating System, at least for me.

I mainly use Dragonfly BSD as a server, so I don’t care whether GUI is fancy or not. But I have high requirements of developer tools, i.e., compiler and debugger. The default compiler of Dragonfly BSD is gcc 8.3, and I can also install clang 8.0.0 from package. This means I can test state-of-the-art features of compilers, and it is really important for me. gdb‘s version is 7.6.1, a little lag behind, but still OK.

Furthermore, the upgradation of Dragonfly BSD is pretty simple and straightforward. I followed document to upgrade my Operating System to 5.6.0 this morning, just copied and pasted, no single error, booted successfully.

Streaming Netflix on NetBSD

Here's a step-by-step guide that allows streaming Netflix media on NetBSD using a intel-haxm accelerated QEMU vm.

Heads-up! Sound doesn't work, but everything else is fine. Please read the rest of this thread for a solution to this!!

“Sudo Mastery 2nd Edition” cover art reveal

I’m about halfway through the new edition of Sudo Mastery. Assuming nothing terrible happens, should have a complete first draft in four to six weeks. Enough stuff has changed in sudo that I need to carefully double-check every single feature. (I’m also horrified by the painfully obsolete versions of sudo shipped in the latest versions of CentOS and Debian, but people running those operating systems are already accustomed to their creaky obsolescence.)

But the reason for this blog post? I have Eddie Sharam’s glorious cover art. My Patronizers saw it last month, so now the rest of you get a turn.

NetBSD on the last G4 Mac mini

I'm a big fan of NetBSD. I've run it since 2000 on a Mac IIci (of course it's still running it) and I ran it for several years on a Power Mac 7300 with a G3 card which was the second incarnation of the Floodgap gopher server. Today I also still run it on a MIPS-based Cobalt RaQ 2 and an HP Jornada 690. I think NetBSD is a better match for smaller or underpowered systems than current-day Linux, and is fairly easy to harden and keep secure even though none of these systems are exposed to the outside world.

Recently I had a need to set up a bridge system that would be fast enough to connect two networks and I happened to have two of the "secret" last-of-the-line 1.5GHz G4 Mac minis sitting on the shelf doing nothing. Yes, they're probably outclassed by later Raspberry Pi models, but I don't have to buy anything and I like putting old hardware to good use.

Hammer vs Hammer2

With the newly released DragonFlyBSD 5.6 there are improvements to its original HAMMER2 file-system to the extent that it's now selected by its installer as the default file-system choice for new installations. Curious how the performance now compares between HAMMER and HAMMER2, here are some initial benchmarks on an NVMe solid-state drive using DragonFlyBSD 5.6.0.

With a 120GB Toshiba NVMe SSD on an Intel Core i7 8700K system, I ran some benchmarks of DragonFlyBSD 5.6.0 freshly installed with HAMMER2 and then again when returning to the original HAMMER file-system that remains available via its installer. No other changes were made to the setup during testing.

And then for the more synthetic workloads it was just a mix. But overall HAMMER2 was performing well during the initial testing and great to see it continuing to offer noticeable leads in real-world workloads compared to the aging HAMMER file-system. HAMMER2 also offers better clustering, online deduplication, snapshots, compression, encryption, and many other modern file-system features.

Beastie Bits

• Unix CLI relational database
• The TTY demystified
• Ranger, a console file manager with VI keybindings
• Some Unix Humor
• OpenBSD -import vulkan-loader for Vulkan API support
• FreeBSD ZFS without drives

Feedback/Questions

• Moritz - ARM Builds
• Dave - Videos
• Chris - Raspberry Pi4

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

FreeBSD 11.3-b1 is out

BSDCan 2019 Recap

• We’re back from BSDCan and it was a packed week as always.
• It started with bhyvecon on Tuesday. Meanwhile, Benedict spent the whole day in productive meetings: annual FreeBSD Foundation board meeting and FreeBSD Journal editorial board meeting.
• On Wednesday, tutorials for BSDCan started as well as the FreeBSD Developer Summit. In the mornings, there were presentations in the big auditorium, while working groups about networking, failsafe bootcode, development web services, swap space management, and testing/CI were held. Friday had a similar format with an update from the FreeBSD core team and the “have, need, want” session for FreeBSD 13. In the afternoon, there were working groups about translation tools, package base, GSoC/Outreachy, or general hacking. Benedict held his Icinga tutorial in the afternoon with about 15 people attending. Devsummit presentation slides can be found on the wiki page and video recordings done by ScaleEngine are available on FreeBSD’s youtube channel.
• The conference program was a good mixture of sysadmin and tech talks across the major BSDs. Benedict saw the following talks: How ZFS snapshots really work by Matt Ahrens, 20 years in Jail by Michael W. Lucas, OpenZFS BOF session, the future of OpenZFS and FreeBSD, MQTT for system administrators by Jan-Piet Mens, and spent the rest of the time in between in the hallway track.
• Photos from the event are available on Ollivier Robert’s talegraph and Diane Bruce’s website for day 1, day 2, conference day 1, and conference day 2.
• Thanks to all the sponsors, supporters, organizers, speakers, and attendees for making this yet another great BSDCan. Next year’s BSDCan will be from June 2 - 6, 2020.

OpenIndiana 2019.04 is out

We have released a new OpenIndiana Hipster snapshot 2019.04. The noticeable changes:

• Firefox was updated to 60.6.3 ESR

• Virtualbox packages were added (including guest additions)

• Mate was updated to 1.22

• IPS has received updates from OmniOS CE and Oracle IPS repos, including automatic boot environment naming

• Some OI-specific applications have been ported from Python 2.7/GTK 2 to Python 3.5/GTK 3

• Quick Demo Video: https://www.youtube.com/watch?v=tQ0-fo3XNrg

News Roundup

Overview of ZFS Pools in FreeNAS

FreeNAS uses the OpenZFS (ZFS) file system, which handles both disk and volume management. ZFS offers RAID options mirror, stripe, and its own parity distribution called RAIDZ that functions like RAID5 on hardware RAID. The file system is extremely flexible and secure, with various drive combinations, checksums, snapshots, and replication all possible. For a deeper dive on ZFS technology, read the ZFS Primer section of the FreeNAS documentation.

SUGGEST LAYOUT attempts to balance usable capacity and redundancy by automatically choosing an ideal vdev layout for the number of available disks.

• The following vdev layout options are available when creating a pool:
  • Stripe data is shared on two drives, similar to RAID0)
  • Mirror copies data on two drives, similar to RAID1 but not limited to 2 disks)
  • RAIDZ1 single parity similar to RAID5
  • RAIDZ2 double parity similar to RAID6
  • RAIDZ3 which uses triple parity and has no RAID equivalent

Why OpenSource Firmware is Important for Security

• Roots of Trust

The goal of the root of trust should be to verify that the software installed in every component of the hardware is the software that was intended. This way you can know without a doubt and verify if hardware has been hacked. Since we have very little to no visibility into the code running in a lot of places in our hardware it is hard to do this. How do we really know that the firmware in a component is not vulnerable or that is doesn’t have any backdoors? Well we can’t. Not unless it was all open source. Every cloud and vendor seems to have their own way of doing a root of trust. Microsoft has Cerberus, Google has Titan, and Amazon has Nitro. These seem to assume an explicit amount of trust in the proprietary code (the code we cannot see). This leaves me with not a great feeling. Wouldn’t it be better to be able to use all open source code? Then we could verify without a doubt that the code you can read and build yourself is the same code running on hardware for all the various places we have firmware. We could then verify that a machine was in a correct state without a doubt of it being vulnerable or with a backdoor. It makes me wonder what the smaller cloud providers like DigitalOcean or Packet have for a root of trust. Often times we only hear of these projects from the big three or five.

OPNsense

This update addresses several privilege escalation issues in the access control implementation and new memory disclosure issues in Intel CPUs. We would like to thank Arnaud Cordier and Bill Marquette for the top-notch reports and coordination.

• Here are the full patch notes:

• system: address CVE-2019-11816 privilege escalation bugs[1] (reported by Arnaud Cordier)

• system: /etc/hosts generation without interfacehasgateway()

• system: show correct timestamp in config restore save message (contributed by nhirokinet)

• system: list the commands for the pluginctl utility when n+ argument is given

• system: introduce and use userIsAdmin() helper function instead of checking for 'page-all' privilege directly

• system: use absolute path in widget ACLs (reported by Netgate)

• system: RRD-related cleanups for less code exposure

• interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)

• interfaces: replace legacygetallinterface_addresses() usage

• firewall: fix port validation in aliases with leading / trailing spaces

• firewall: fix outbound NAT translation display in overview page

• firewall: prevent CARP outgoing packets from using the configured gateway

• firewall: use CARP net.inet.carp.demotion to control current demotion in status page

• firewall: stop live log poller on error result

• dhcpd: change rule priority to 1 to avoid bogon clash

• dnsmasq: only admins may edit custom options field

• firmware: use insecure mode for base and kernel sets when package fingerprints are disabled

• firmware: add optional device support for base and kernel sets

• firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)

• ipsec: always reset rightallowany to default when writing configuration

• lang: say "hola" to Spanish as the newest available GUI language

• lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese

• network time: only admins may edit custom options field

• openvpn: call openvpnrefreshcrls() indirectly via plugin_configure() for less code exposure

• openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)

• openvpn: remove custom options field from wizard

• unbound: only admins may edit custom options field

• wizard: translate typehint as well

• plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)

• plugins: os-nginx 1.12[2]

• plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)

• plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)

• src: timezone database information update[3]

• src: install(1) broken with partially matching relative paths[4]

• src: microarchitectural Data Sampling (MDS) mitigation[5]

• ports: carootnss 3.44

• ports: php 7.2.18[6]

• ports: sqlite 3.28.0[7]

• ports: strongswan custom XAuth generic patch removed

wiregaurd on OpenBSD

Earlier this week I imported a port for WireGuard into the OpenBSD ports tree. At the moment we have the userland daemon and the tools available. The in-kernel implementation is only available for Linux. At the time of writing there are packages available for -current. Jason A. Donenfeld (WireGuard author) has worked to support OpenBSD in WireGuard and as such his post on ports@ last year got me interested in WireGuard, since then others have toyed with WireGuard on OpenBSD before and as such I've used Ted's article as a reference. Note however that some of the options mentioned there are no longer valid. Also, I'll be using two OpenBSD peers here. The setup will be as follows: two OpenBSD peers, of which we'll dub wg1 the server and wg2 the client. The WireGuard service on wg1 is listening on 100.64.4.3:51820.

• Conclusion

WireGuard (cl)aims to be easier to setup and faster than OpenVPN and while I haven't been able to verify the latter, the first is certainly true...once you've figured it out. Most documentation out there is for Linux so I had to figure out the wireguardgo service and the tun parameters. But all in all, sure, it's easier. Especially the client configuration on iOS which I didn't cover here because it's essentially pkgadd libqrencode ; cat client.conf | qrencode -t ansiutf8, scan the code with the WireGuard app and you're good to go. What is particularly neat is that WireGuard on iOS supports Always-on.

Beastie Bits

• Serenity OS
• vkernels vs pmap
• Brian Kernighan interviews Ken Thompson
• Improvements in forking, threading, and signal code
• DragonFly 5.4.3
• NetBSD on the Odroid C2

Feedback/Questions

• Paulo - Laptops
• A Listener - Thanks
• Bostjan - Extend a pool and lower RAM footprint

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

What I learned during my FreeBSD intership

Hi, my name is Mitchell Horne. I am a computer engineering student at the University of Waterloo, currently in my third year of studies, and fortunate to have been one of the FreeBSD Foundation’s co-op students this past term (January to April). During this time I worked under Ed Maste, in the Foundation’s small Kitchener office, along with another co-op student Arshan Khanifar. My term has now come to an end, and so I’d like to share a little bit about my experience as a newcomer to FreeBSD and open-source development.

I’ll begin with some quick background — and a small admission of guilt. I have been an open-source user for a large part of my life. When I was a teenager I started playing around with Linux, which opened my eyes to the wider world of free software. Other than some small contributions to GNOME, my experience has been mostly as an end user; however, the value of these projects and the open-source philosophy was not lost on me, and is most of what motivated my interest in this position. Before beginning this term I had no personal experience with any of the BSDs, although I knew of their existence and was extremely excited to receive the position. I knew it would be a great opportunity for growth, but I must confess that my naivety about FreeBSD caused me to make the silent assumption that this would be a form of compromise — a stepping stone that would eventually allow me to work on open-source projects that are somehow “greater” or more “legitimate”. After four months spent immersed in this project I have learned how it operates, witnessed its community, and learned about its history. I am happy to admit that I was completely mistaken. Saying it now seems obvious, but FreeBSD is a project with its own distinct uses, goals, and identity. For many there may exist no greater opportunity than to work on FreeBSD full time, and with what I know now I would have a hard time coming up with a project that is more “legitimate”.

• What I Liked

In all cases, the work I submitted this term was reviewed by no less than two people before being committed. The feedback and criticism I received was always both constructive and to the point, and it commented on everything from high-level ideas to small style issues. I appreciate having these thorough reviews in place, since I believe it ultimately encourages people to accept only their best work. It is indicative of the high quality that already exists within every aspect of this project, and this commitment to quality is something that should continue to be honored as a core value. As I’ve discovered in some of my previous work terms, it is all too easy cut corners in the name of a deadline or changing priorities, but the fact that FreeBSD doesn’t need to make these types of compromises is a testament to the power of free software.

It’s a small thing, but the quality and completeness of the FreeBSD documentation was hugely helpful throughout my term. Everything you might need to know about utilities, library functions, the kernel, and more can be found in a man page; and the handbook is a great resource as both an introduction to the operating system and a reference. I only wish I had taken some time earlier in the term to explore the different documents more thoroughly, as they cover a wide range of interesting and useful topics. The effort people put into writing and maintaining FreeBSD’s documentation is easy to overlook, but its value cannot be overstated.

• What I Learned

Although there was a lot I enjoyed, there were certainly many struggles I faced throughout the term, and lessons to be learned from them. I expect that some of issues I faced may be specific to FreeBSD, while others may be common to open-source projects in general. I don’t have enough experience to speculate on which is which, so I will leave this to the reader.

The first lesson can be summed up simply: you have to advocate for your own work. FreeBSD is made up in large part by volunteer efforts, and in many cases there is more work to go around than people available to do it. A consequence of this is that there will not be anybody there to check up on you. Even in my position where I actually had a direct supervisor, Ed often had his plate full with so many other things that the responsibility to find someone to look at my work fell to me. Admittedly, a couple of smaller changes I worked on got left behind or stuck in review simply because there wasn’t a clear person/place to reach out to.

I think this is both a barrier of entry to FreeBSD and a mental hurdle that I needed to get over. If there’s a change you want to see included or reviewed, then you may have to be the one to push for it, and there’s nothing wrong with that. Perhaps this process should be easier for newcomers or infrequent contributors (the disconnect between Bugzilla and Phabricator definitely leaves a lot to be desired), but we also have to be aware that this simply isn’t the reality right now. Getting your work looked at may require a little bit more self-motivation, but I’d argue that there are much worse problems a project like FreeBSD could have than this.

I understand this a lot better now, but it is still something I struggle with. I’m not naturally the type of person who easily connects with others or asks for help, so I see this as an area for future growth rather than simply a struggle I encountered and overcame over the course of this work term. Certainly it is an important skill to understand the value of your own work, and equally important is the ability to communicate that value to others.

I also learned the importance of starting small. My first week or two on the job mainly involved getting set up and comfortable with the workflow. After this initial stage, I began exploring the project and found myself overwhelmed by its scale. With so many possible areas to investigate, and so much work happening at once, I felt quite lost on where to begin. Many of the potential projects I found were too far beyond my experience level, and most small bugs were picked up and fixed quickly by more experienced contributors before I could even get to them.

It’s easy to make the mistake that FreeBSD is made up solely of a few rock-star committers that do everything. This is how it appears at face-value, as reading through commits, bug reports, and mailing lists yields a few of the same names over and over. The reality is that just as important are the hundreds of users and infrequent contributors who take the time to submit bug reports, patches, or feedback. Even though there are some people who would fall under the umbrella of a rock-star committer, they didn’t get there overnight. Rather, they have built their skills and knowledge through many years of involvement in FreeBSD and similar projects.

As a student coming into this project and having high expectations of myself, it was easy to set the bar too high by comparing myself against those big committers, and feel that my work was insignificant, inadequate, and simply too infrequent. In reality, there is no reason I should have felt this way. In a way, this comparison is disrespectful to those who have reached this level, as it took them a long time to get there, and it’s a humbling reminder that any skill worth learning requires time, patience, and dedication. It is easy to focus on an end product and simply wish to be there, but in order to be truly successful one must start small, and find satisfaction in the struggle of learning something new. I take pride in the many small successes I’ve had throughout my term here, and appreciate the fact that my journey into FreeBSD and open-source software is only just beginning.

• Closing Thoughts

I would like to close with some brief thank-you’s. First, to everyone at the Foundation for being so helpful, and allowing this position to exist in the first place. I am extremely grateful to have been given this unique opportunity to learn about and give back to the open-source world. I’d also like to thank my office mates; Ed: for being an excellent mentor, who offered an endless wealth of knowledge and willingness to share it. My classmate and fellow intern Arshan: for giving me a sense of camaraderie and the comforting reminder that at many moments he was as lost as I was. Finally, a quick thanks to everyone else I crossed paths with who offered reviews and advice. I appreciate your help and look forward to working with you all further.

I am walking away from this co-op with a much greater appreciation for this project, and have made it a goal to remain involved in some capacity. I feel that I’ve gained a little bit of a wider perspective on my place in the software world, something I never really got from my previous co-ops. Whether it ends up being just a stepping stone, or the beginning of much larger involvement, I thoroughly enjoyed my time here.

Recent Developments in FreeBSD

• Support for encrypted, compressed (gzip and zstd), and network crash dumps enabled by default on most platforms
• Intel Microcode Splitter
• Intel Spec Store Bypass Disable control
• Raspberry Pi 3B+ Ethernet Driver
• IBRS for i386
• Upcoming:
• Microcode updater for AMD CPUs
• the RACK TCP/IP stack, from Netflix
• Voting in the FreeBSD Core Election begins today:

DigitalOcean Digital Ocean Promo Link for BSD Now Listeners

Running FreeNAS on a DigitalOcean Droplet

• Need to backup your FreeNAS offsite? Run a locked down instance in the cloud, and replicate to it
• The tutorial walks though the steps of converting a fresh FreeBSD based droplet into a FreeNAS
• Create a droplet, and add a small secondary block-storage device
• Boot the droplet, login, and download FreeNAS
• Disable swap, enable ‘foot shooting’ mode in GEOM
• use dd to write the FreeNAS installer to the boot disk
• Reboot the droplet, and use the FreeNAS installer to install FreeNAS to the secondary block storage device
• Now, reimage the droplet with FreeBSD again, to replace the FreeNAS installer
• Boot, and dd FreeNAS from the secondary block storage device back to the boot disk
• You can now destroy the secondary block device
• Now you have a FreeNAS, and can take it from there.
• Use the FreeNAS replication wizard to configure sending snapshots from your home NAS to your cloud NAS
• Note: You might consider creating a new block storage device to create a larger pool, that you can more easily grow over time, rather than using the boot device in the droplet as your main pool.

News Roundup

Network Manager Control for OpenBSD (Updated)

• Generalities

• I just remind the scope of this small tool:

  • allow you to pre-define several cable or wifi connections
  • let nmctl to connect automatically to the first available one
  • allow you to easily switch from one network connection to an other one
  • create openbox dynamic menus

• Enhancements in this version

This is my second development version: 0.2. I've added performed several changes in the code:

• code style cleanup, to better match the python recommendations
• adapt the tool to allow to connect to an Open-wifi having blancs in the name. This happens in some hotels
• implement a loop as work-around concerning the arp table issue.

The source code is still on the git of Sourceforge.net. You can see the files here

And you can download the last version here

• Feedbacks after few months

I'm using this script on my OpenBSD laptop since about 5 months. In my case, I'm mainly using the openbox menus and the --restart option.

• The Openbox menus

The openbox menus are working fine. As explain in my previous blog, I just have to create 2 entries in my openbox's menu.xml file, and all the rest comes automatically from nmctl itself thanks to the --list and --scan options. I've not changed this part of nmctl since it works as expected (for me :-) ).

• The --restart option

Because I'm very lazy, and because OpenBSD is very simple to use, I've added the command "nmctl --restart" in the /etc/apm/resume script. Thanks to apmd, this script will be used each time I'm opening the lid of my laptop. In other words, each time I'll opening my laptop, nmctl will search the optimum network connection for me. But I had several issues in this scenario. Most of the problems were linked to the arp table issues. Indeed, in some circumstances, my proxy IP address was associated to the cable interface instead of the wifi interface or vice-versa. As consequence I'm not able to connect to the proxy, thus not able to connect to internet. So the ping to google (final test nmctl perform) is failing. Knowing that anyhow, I'm doing a full arp cleanup, it's not clear for me from where this problem come from. To solve this situation I've implemented a "retry" concept. In other words, before testing an another possible network connection (as listed in my /etc/nmctl.conf file), the script try 3x the current connection's parameters. If you want to reduce or increase this figures, you can do it via the --retry parameter.

• Results of my expertise with this small tool

Where ever I'm located, my laptop is now connecting automatically to the wifi / cable connection previously identified for this location. Currently I have 3 places where I have Wifi credentials and 2 offices places where I just have to plug the network cable. Since the /etc/apm/resume scripts is triggered when I open the lid of the laptop, I just have to make sure that I plug the RJ45 before opening the laptop. For the rest, I do not have to type any commands, OpenBSD do all what is needed ;-). I hotels or restaurants, I can just connect to the Open Wifi thanks to the openbox menu created by "nmctl --scan".

• Next steps

• Documentation

The tool is missing lot of documentation. I appreciate OpenBSD for his great documentation, so I have to do the same. I plan to write a README and a man page at first instances. But since my laziness, I will do it as soon as I see some interest for this tool from other persons.

• Tests

I now have to travel and see how to see the script react on the different situations. Interested persons are welcome to share with me the outcome of their tests. I'm curious how it work.

OpenBSD 6.3 on EdgeRouter Lite simple upgrade method

• TL;DR

OpenBSD 6.3 oceton upgrade instructions may not factor that your ERL is running from the USB key they want wiped with the miniroot63.fs image loaded on. Place the bsd.rd for OpenBSD 6.3 on the sd0i slice used by U-Boot for the kernel, and then edit the boot command to run it.

• a tiny upgrade

The OpenBSD documentation is comprehensive, but there might be rough corners around what are probably edge cases in their user base. People running EdgeRouter Lite hardware for example, who are looking to upgrade from 6.2 to 6.3. The documentation, which gave us everything we needed last time, left me with some questions about how to upgrade. In INSTALL.octeon, the Upgrading section does mention: The best solution, whenever possible, is to backup your data and reinstall from scratch I had to check if that directive existed in the documentation for other architectures. I wondered if oceton users were getting singled out. We were not. Just simplicity and pragmatism.

• Reading on:

To upgrade OpenBSD 6.3 from a previous version, start with the general instructions in the section "Installing OpenBSD". But that section requires us to boot off of TFTP or NFS. Which I don’t want to do right now. Could also use a USB stick with the miniroot63.fs installed on it. But as the ERL only has a single USB port, we would have to remove the USB stick with the current install on it. Once we get to the Install or Upgrade prompt, there would be nothing to upgrade. Well, I guess I could use a USB hub. But the ERL’s USB port is inside the case. With all the screws in. And the tools are neatly put away. And I’d have to pull the USB hub from behind a workstation. And it’s two am. And I cleaned up the cabling in the lab this past weekend. Looks nice for once. So I don’t want to futz around with all that. There must be an almost imperceptibly easier way of doing this than setting up a TFTP server or NFS share in five minutes… Right?

iXsystems Boise Technology Show 2018 Recap

OpenZFS User Conference Slides & Videos

• Thank you ZFS
• ZSTD Compression
• Pool Layout Considerations
• ZFS Releases
• Helping Developers Help You
• ZFS and MySQL on Linux
• Micron
• OSNEXUS
• ZFS at Six Feet Up
• Flexible Disk Use with OpenZFS

Batch editing files with ed

• what’s ‘ed’?

ed is this sort of terrifying text editor. A typical interaction with ed for me in the past has gone something like this:

$ ed help ? h ? asdfasdfasdfsadf ? <close terminal in frustration>

Basically if you do something wrong, ed will just print out a single, unhelpful, ?. So I’d basically dismissed ed as an old arcane Unix tool that had no practical use today. vi is a successor to ed, except with a visual interface instead of this ?

• surprise: Ed is actually sort of cool and fun

So if Ed is a terrifying thing that only prints ? at you, why am I writing a blog post about it? WELL!!!! On April 1 this year, Michael W Lucas published a new short book called Ed Mastery. I like his writing, and even though it was sort of an april fool’s joke, it was ALSO a legitimate actual real book, and so I bought it and read it to see if his claims that Ed is actually interesting were true. And it was so cool!!!! I found out:

• how to get Ed to give you better error messages than just ?
• that the name of the grep command comes from ed syntax (g/re/p)
• the basics of how to navigate and edit files using ed

All of that was a cool Unix history lesson, but did not make me want to actually use Ed in real life. But!!!

The other neat thing about Ed (that did make me want to use it!) is that any Ed session corresponds to a script that you can replay! So if I know Ed, then I can use Ed basically as a way to easily apply vim-macro-like programs to my files.

Beastie Bits

• FreeBSD Mastery: Jails -- Help make it happen
• Video: OpenZFS Basics presented by George Wilson and Matt Ahrens at Scale 16x back in March 2018
• DragonFlyBSD’s IPFW gets highspeed lockless in-kernel NAT
• A Love Letter to OpenBSD
• New talks, and the F-bomb
• Practical UNIX Manuals: mdoc
• BSD Meetup in Zurich: May 24th
• BSD Meetup in Warsaw: May 24th
• MeetBSD 2018

Tarsnap

Feedback/Questions

• Seth - First time poudriere Builder
• Farhan - Why we didn't go FreeBSD
• architech - Encryption Feedback
• Dave - Handy Tip on setting up automated coredump handling for FreeBSD

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

href="http://www.digitalocean.com/" title="DigitalOcean"> href="http://www.tarsnap.com/bsdnow" title="Tarsnap">

OpenBSD 6.1 RELEASED

• Mailing list post
• We are pleased to announce the official release of OpenBSD 6.1. This is our 42nd release.
• New/extended platforms:
  • New arm64 platform, using clang(1) as the base system compiler.
  • The loongson platform now supports systems with Loongson 3A CPU and RS780E chipset.
  • The following platforms were retired: armish, sparc, zaurus
• New vmm(4)/ vmd(8)
• IEEE 802.11 wireless stack improvements
• Generic network stack improvements
• Installer improvements
• Routing daemons and other userland network improvements
• Security improvements
• dhclient(8)/ dhcpd(8)/ dhcrelay(8) improvements
• Assorted improvements
• OpenSMTPD 6.0.0
• OpenSSH 7.4
• LibreSSL 2.5.3
• mandoc 1.14.1 ***

Fuzz Testing OpenSSH

• Vegard Nossum writes a blog post explaining how to fuzz OpenSSH using AFL
• It starts by compiling AFL and SSH with LLVM to get extra instrumentation to make the fuzzing process better, and faster
• Sandboxing, PIE, and other features are disabled to increase debuggability, and to try to make breaking SSH easier
• Privsep is also disabled, because when AFL does make SSH crash, the child process crashing causes the parent process to exit normally, and AFL then doesn’t realize that a crash has happened. A one-line patch disables the privsep feature for the purposes of testing
• A few other features are disabled to make testing easier (disabling replay attack protection allows the same inputs to be reused many times), and faster:
  • the local arc4random_buf() is patched to return a buffer of zeros
  • disabling CRC checks
  • disabling MAC checks
  • disabling encryption (allow the NULL cipher for everything)
  • add a call to __AFL_INIT(), to enable “deferred forkserver mode”
  • disabling closefrom()
  • “Skipping expensive DH/curve and key derivation operations”
• Then, you can finally get around to writing some test cases
• The steps are all described in detail
• In one day of testing, the author found a few NULL dereferences that have since been fixed.
• Maybe you can think of some other code paths through SSH that should be tested, or want to test another daemon ***

Getting OpenBSD running on Raspberry Pi 3

Ian Darwin writes in about his work deploying the arm64 platform and the Raspberry Pi 3
So I have this empty white birdhouse-like thing in the yard, open at the front. It was intended to house the wireless remote temperature sensor from a low-cost weather station, which had previously been mounted on a dark-colored wall of the house [...]. But when I put the sensor into the birdhouse, the signal is too weak for the weather station to receive it (the mounting post was put in place by a previous owner of our property, and is set deeply in concrete). So the next plan was to pop in a tiny OpenBSD computer with a uthum(4) temperature sensor and stream the temperature over WiFi.
The Raspberry Pi computers are interesting in their own way: intending to bring low-cost computing to everybody, they take shortcuts and omit things that you'd expect on a laptop or desktop. They aren't too bright on their own: there's very little smarts in the board compared to the "BIOS" and later firmwares on conventional systems. Some of the "smarts" are only available as binary files. This was part of the reason that our favorite OS never came to the Pi Party for the original rpi, and didn't quite arrive for the rpi2. With the rpi3, though, there is enough availability that our devs were able to make it boot. Some limitations remain, though: if you want to build your own full release, you have to install the dedicated raspberrypi-firmware package from the ports tree. And, the boot disks have to have several extra files on them - this is set up on the install sets, but you should be careful not to mess with these extra files until you know what you're doing!

But wait! Before you read on, please note that, as of April 1, 2017, this platform boots up but is not yet ready for prime time:

• there's no driver for SD/MMC but that's the only thing the hardware can level-0 boot from, so you need both the uSD card and a USB disk, at least while getting started;
• there is no support for the built-in WiFi (a Broadcom BCM43438 SDIO 802.11), so you have to use wired Ethernet or a USB WiFi dongle (for my project an old MSI that shows up as ural(4) seems to work fine);
• the HDMI driver isn't used by the kernel (if a monitor is plugged in uBoot will display its messages there), so you need to set up cu with a 3V serial cable, at least for initial setup.
• the ports tree isn't ready to cope with the base compiler being clang yet, so packages are "a thing of the future"

But wait - there's more! The "USB disk" can be a USB thumb drive, though they're generally slower than a "real" disk. My first forays used a Kingston DTSE9, the hardy little steel-cased version of the popular DataTraveler line. I was able to do the install, and boot it, once (when I captured the dmesg output shown below). After that, it failed - the boot process hung with the ever-unpopular "scanning usb for storage devices..." message. I tried the whole thing again with a second DTSE9, and with a 32GB plastic-cased DataTraveler. Same results. After considerable wasted time, I found a post on RPI's own site which dates back to the early days of the PI 3, in which they admit that they took shortcuts in developing the firmware, and it just can't be made to work with the Kingston DataTraveler! Not having any of the "approved" devices, and not living around the corner from a computer store, I switched to a Sabrent USB dock with a 320GB Western Digital disk, and it's been rock solid. Too big and energy-hungry for the final project, but enough to show that the rpi3 can be solid with the right (solid-state) disk. And fast enough to build a few simple ports - though a lot will not build yet. I then found and installed OpenBSD onto a “PNY” brand thumb drive and found it solid - in fact I populated it by dd’ing from one of the DataTraveller drives, so they’re not at fault.

• Check out the full article for detailed setup instructions ***

Dennis M. Ritchie’s Paper: The Evolution of the Unix Time Sharing System

• From the abstract:

This paper presents a brief history of the early development of the Unix operating system. It concentrates on the evolution of the file system, the process-control mechanism, and the idea of pipelined commands. Some attention is paid to social conditions during the development of the system.
During the past few years, the Unix operating system has come into wide use, so wide that its very name has become a trademark of Bell Laboratories. Its important characteristics have become known to many people. It has suffered much rewriting and tinkering since the first publication describing it in 1974 [1], but few fundamental changes. However, Unix was born in 1969 not 1974, and the account of its development makes a little-known and perhaps instructive story. This paper presents a technical and social history of the evolution of the system.

• High level document structure:

Origins
The PDP-7 Unix file system
Process control
IO Redirection
The advent of the PDP-11
The first PDP-11 system
Pipes
High-level languages
Conclusion

One of the comforting things about old memories is their tendency to take on a rosy glow. The programming environment provided by the early versions of Unix seems, when described here, to be extremely harsh and primitive. I am sure that if forced back to the PDP-7 I would find it intolerably limiting and lacking in conveniences. Nevertheless, it did not seem so at the time; the memory fixes on what was good and what lasted, and on the joy of helping to create the improvements that made life better. In ten years, I hope we can look back with the same mixed impression of progress combined with continuity.

---

Interview - Kris Moore - kris@trueos.org | @pcbsdkris

• Director of Engineering at iXSystems
• FreeNAS

News Roundup

Compressed zfs send / receive now in FreeBSD’s vendor area

• Andriy Gapon committed a whole lot of ZFS updates to FreeBSD’s vendor area
• This feature takes advantage of the new compressed ARC feature, which means blocks that are compressed on disk, remain compressed in ZFS’ RAM cache, to use the compressed blocks when using ZFS replication.
• Previously, blocks were uncompressed, sent (usually over the network), then recompressed on the other side.
• This is rather wasteful, and can make the process slower, not just because of the CPU time wasted decompressing/recompressing the data, but because it means more data has to be sent over the network.
• This caused many users to end up doing: zfs send | xz -T0 | ssh unxz | zfs recv, or similar, to compress the data before sending it over the network.
• With this new feature, zfs send with the new -c flag, will transmit the already compressed blocks instead.
• This change also adds longopts versions of all of the zfs send flags, making them easier to understand when written in shell scripts.
• A lot of fixes, man page updates, etc. from upstream OpenZFS
• Thanks to everyone who worked on these fixes and features!
• We’ll announce when these have been committed to head for testing ***

Granting privileges using the FreeBSD MAC framework

• The MAC (Mandatory Access Control) framework allows finer grained permissions than the standard UNIX permissions that exist in the base system

FreeBSD’s kernel provides quite sophisticated privilege model that extends the traditional UNIX user-and-group one. Here I’ll show how to leverage it to grant access to specific privileges to group of non-root users.
mac(9) allows creating pluggable modules with policies that can extend existing base system security definitions. struct mac_policy_ops consist of many entry points that we can use to amend the behaviour.
This time, I wanted to grant a privilege to change realtime priority to a selected group. While Linux kernel lets you specify a named group, FreeBSD doesn’t have such ability, hence I created this very simple policy.
The privilege check can be extended using two user supplied functions: priv_check and priv_grant. The first one can be used to further restrict existing privileges, i.e. you can disallow some specific priv to be used in jails, etc. The second one is used to explicitly grant extra privileges not available for the target in base configuration.
The core of the mac_rtprio module is dead simple. I defined sysctl tree for two oids: enable (on/off switch for the policy) and gid (the GID target has to be member of), then I specified our custom version of mpo_priv_grant called rtprio_priv_grant. Body of my granting function is even simpler. If the policy is disabled or the privilege that is being checked is not PRIV_SCHED_RTPRIO, we simply skip and return EPERM. If the user is member of the designated group we return 0 that’ll allow the action – target would change realtime privileges.

• Another useful thing the MAC framework can be used to grant to non-root users: PortACL: The ability to bind to TCP/UDP ports less than 1024, which is usually restricted to root.
• Some other uses for the MAC framework are discussed in The FreeBSD Handbook
• However, there are lots more, and we would really like to see more tutorials and documentation on using MAC to make more secure servers, but allowing the few specific things that normally require root access. ***

The Story of the PING Program

• This is from the homepage of Mike Muuss:

Yes, it's true! I'm the author of ping for UNIX. Ping is a little thousand-line hack that I wrote in an evening which practically everyone seems to know about. :-)
I named it after the sound that a sonar makes, inspired by the whole principle of cho-location. In college I'd done a lot of modeling of sonar and radar systems, so the "Cyberspace" analogy seemed very apt. It's exactly the same paradigm applied to a new problem domain: ping uses timed IP/ICMP ECHO_REQUEST and ECHO_REPLY packets to probe the "distance" to the target machine.
My original impetus for writing PING for 4.2a BSD UNIX came from an offhand remark in July 1983 by Dr. Dave Mills while we were attending a DARPA meeting in Norway, in which he described some work that he had done on his "Fuzzball" LSI-11 systems to measure path latency using timed ICMP Echo packets.
In December of 1983 I encountered some odd behavior of the IP network at BRL. Recalling Dr. Mills' comments, I quickly coded up the PING program, which revolved around opening an ICMP style SOCK_RAW AF_INET Berkeley-style socket(). The code compiled just fine, but it didn't work -- there was no kernel support for raw ICMP sockets! Incensed, I coded up the kernel support and had everything working well before sunrise. Not surprisingly, Chuck Kennedy (aka "Kermit") had found and fixed the network hardware before I was able to launch my very first "ping" packet. But I've used it a few times since then. grin If I'd known then that it would be my most famous accomplishment in life, I might have worked on it another day or two and added some more options.
The folks at Berkeley eagerly took back my kernel modifications and the PING source code, and it's been a standard part of Berkeley UNIX ever since. Since it's free, it has been ported to many systems since then, including Microsoft Windows95 and WindowsNT.
In 1993, ten years after I wrote PING, the USENIX association presented me with a handsome scroll, pronouncing me a Joint recipient of The USENIX Association 1993 Lifetime Achievement Award presented to the Computer Systems Research Group, University of California at Berkeley 1979-1993. ``Presented to honor profound intellectual achievement and unparalleled service to our Community. At the behest of CSRG principals we hereby recognize the following individuals and organizations as CSRG participants, contributors and supporters.'' Wow!
The best ping story I've ever heard was told to me at a USENIX conference, where a network administrator with an intermittent Ethernet had linked the ping program to his vocoder program, in essence writing:
ping goodhost | sed -e 's/.*/ping/' | vocoder
He wired the vocoder's output into his office stereo and turned up the volume as loud as he could stand. The computer sat there shouting "Ping, ping, ping..." once a second, and he wandered through the building wiggling Ethernet connectors until the sound stopped. And that's how he found the intermittent failure.

---

FreeBSD: /usr/local/lib/libpkg.so.3: Undefined symbol "utimensat"

The internet will tell you that, of course, 10.2 is EOL, that packages are being built for 10.3 by now and to better upgrade to the latest version of FreeBSD. While all of this is true and running the latest versions is generally good advise, in most cases it is unfeasible to do an entire OS upgrade just to be able to install a package.

• Points out the ABI variable being used in /usr/local/etc/pkg/repos/FreeBSD.conf

Now, if you have 10.2 installed and 10.3 is the current latest FreeBSD version, this url will point to packages built for 10.3 resulting in the problem that, when running pkg upgrade pkg it’ll go ahead and install the latest version of pkg build for 10.3 onto your 10.2 system. Yikes! FreeBSD 10.3 and pkgng broke the ABI by introducing new symbols, like utimensat.

• The solution:

Have a look at the actual repo url http://pkg.FreeBSD.org/FreeBSD:10:amd64… there’s repo’s for each release! Instead of going through the tedious process of upgrading FreeBSD you just need to Use a repo url that fits your FreeBSD release:

Update the package cache: pkg update
Downgrade pkgng (in case you accidentally upgraded it already): pkg delete -f pkg
pkg install -y pkg
Install your package
There you go. Don’t fret. But upgrade your OS soon ;)

---

Beastie Bits

• CPU temperature collectd report on NetBSD
• Booting FreeBSD 11 with NVMe and ZFS on AMD Ryzen
• BeagleBone Black Tor relay
• FreeBSD - Disable in-tree GDB by default on x86, mips, and powerpc
• CharmBUG April Meetup
• The origins of XXX as FIXME ***

Feedback/Questions

• Felis - L2ARC
• Gabe - FreeBSD Server Install
  
• FEMP Script
• Scott - FreeNAS & LAGG
• Marko - Backups ***

This episode was brought to you by

Headlines

Optimizing TLS for high bandwidth applications

• Netflix has released a report on some of their recent activities, pushing lots of traffic through TLS on FreeBSD
• TLS has traditionally had too much overhead for the levels of bandwidth they're using, so this pdf outlines some of their strategy in optimizing it
• The sendfile() syscall (which nginx uses) isn't available when data is encrypted in userland
• To get around this, Netflix is proposing to add TLS support to the FreeBSD kernel
• Having encrypted movie streams would be pretty neat ***

Crypto in unexpected places

• OpenBSD is somewhat known for its integrated cryptography, right down to strong randomness in every place you could imagine (process IDs, TCP initial sequence numbers, etc)
• One place you might not expect crypto to be used (or even needed) is in the "ping" utility, right? Well, think again
• David Gwynne recently committed a change that adds MAC to the ping timestamp payload
• By default, it'll be filled with a ChaCha stream instead of an unvarying payload, and David says "this lets us have some confidence that the timestamp hasn't been damaged or tampered with in transit"
• Not only is this a security feature, but it should also help detect dodgy or malfunctioning network equipment going forward
• Maybe we can look forward to a cryptographically secure "echo" command next... ***

Broadwell in DragonFly

• The DragonFlyBSD guys have started a new page on their wiki to discuss Broadwell hardware and its current status
• Matt Dillon, the project lead, recently bought some hardware with this chipset, and lays out what works and what doesn't work
• The two main show-stoppers right now are the graphics and wireless, but they have someone who's already making progress with the GPU support
• Wireless support will likely have to wait until FreeBSD gets it, then they'll port it back over
• None of the BSDs currently have full Broadwell support, so stay tuned for further updates ***

DIY NAS software roundup

• In this blog post, the author compares a few different software solutions for a network attached storage device
• He puts FreeNAS, one of our favorites, up against a number of opponents - both BSD and Linux-based
• NAS4Free gets an honorable mention as well, particularly for its lower hardware requirements and sleek interface
• If you've been thinking about putting together a NAS, but aren't quite comfortable enough to set it up by yourself yet, this article should give you a good view of the current big names
• Some competition is always good, gotta keep those guys on their toes ***

Interview - Antoine Jacoutot - ajacoutot@openbsd.org / @ajacoutot

OpenBSD at M:Tier, business adoption of BSD, various topics

News Roundup

OpenBSD on DigitalOcean

• When DigitalOcean rolled out initial support for FreeBSD, it was a great step in the right direction - we hoped that all the other BSDs would soon follow
• This is not yet the case, but a blog article here has details on how you can install OpenBSD (and likely the others too) on your VPS
• Using a -current snapshot and some swapfile trickery, it's possible to image an OpenBSD ramdisk installer onto an unmounted portion of the virtual disk
• After doing so, you just boot from their web UI-based console and can perform a standard installation
• You will have to pay special attention to some details of the disk layout, but this article takes you through the entire process step by step ***

Initial ARM64 support lands in FreeBSD

• The ARM64 architecture, sometimes called ARMv8 or AArch64, is a new generation of CPUs that will mostly be in embedded devices
• FreeBSD has just gotten support for this platform in the -CURRENT branch
• Previously, it was only the beginnings of the kernel and enough bits to boot in QEMU - now a full build is possible
• Work should now start happening in the main source code tree, and hopefully they'll have full support in a branch soon ***

Scripting with least privilege

• A new scripting language with a focus on privilege separation and running with only what's absolutely needed has been popular in the headlines lately
• Shell scripts are used everywhere today: startup scripts, orchestration scripts for mass deployment, configuring and compiling software, etc.
• Shill aims to answer the questions "how do we limit the authority of scripts" and "how do we determine what authority is necessary" by including a declarative security policy that's checked and enforced by the language runtime
• If used on FreeBSD, Shill will use Capsicum for sandboxing
• You can find some more of the technical information in their documentation pdf or watch their USENIX presentation video
• Hacker News also had some discussion on the topic ***

OpenBSD first impressions

• A brand new BSD user has started documenting his experience through a series of blog posts
• Formerly a Linux guy, he's tried out FreeBSD and OpenBSD so far, and is currently working on an OpenBSD desktop
• The first post goes into why he chose BSD at all, why he's switching away from Linux, how the initial transition has been, what you'll need to relearn and what he's got planned going forward
• He's only been using OpenBSD for a few days as of the time this was written - we don't usually get to hear from people this early in on their BSD journey, so it offers a unique perspective ***

PCBSD and 4K oh my!

• Yesterday, Kris got ahold of some 4K monitor hardware to test PC-BSD out
• The short of it - It works great!
• Minor tweaks being made to some of the PC-BSD defaults to better accommodate 4K out of box
• This particular model monitor ships with DisplayPort set to 1.1 mode only, switching it to 1.2 mode enables 60Hz properly ***

Feedback/Questions

• Darin writes in
• Mitch writes in ***

Discussion

Comparison of BSD release cycles

• FreeBSD, OpenBSD, NetBSD and DragonFlyBSD ***

This episode was brought to you by

Headlines

Even more BSD presentation videos

• More videos from this year's MeetBSD and OpenZFS devsummit were uploaded since last week
• Robert Ryan, At the Heart of the Digital Economy
• FreeNAS & ZFS, The Indestructible Duo - Except for the Hard Drives
• Richard Yao, libzfs_core and ioctl stabilization
• OpenZFS, Company lightning talks
• OpenZFS, Hackathon Presentation and Awards
• Pavel Zakharov, Fast File Cloning
• Rick Reed, Half a billion unsuspecting FreeBSD users
• Alex Reece & Matt Ahrens, Device Removal
• Chris Side, Channel Programs
• David Maxwell, The Unix command pipeline
• Be sure to check out the giant list of videos from last week's episode if you haven't seen them already ***

NetBSD on a Cobalt Qube 2

• The Cobalt Qube was a very expensive networking appliance around 2000
• In 2014, you can apparently get one of these MIPS-based machines for about forty bucks
• This blog post details getting NetBSD installed and set up on the rare relic of our networking past
• If you're an old-time fan of RISC or MIPS CPUs, this'll be a treat for you
• Lots of great pictures of the hardware too ***

OpenBSD vs. AFL

• In their never-ending security audit, some OpenBSD developers have been hitting various parts of the tree with a fuzzer
• If you're not familiar, fuzzing is a semi-automated way to test programs for crashes and potential security problems
• The program being subjected to torture gets all sorts of random and invalid input, in the hopes of uncovering overflows and other bugs
• American Fuzzy Lop, in particular, has provided some interesting results across various open source projects recently
• So far, it's fixed some NULL pointer dereferences in OpenSSH, various crashes in tcpdump and mandoc and a few other things
• AFL has an impressive list of CVEs (vulnerabilities) that it's helped developers discover and fix
• It also made its way into OpenBSD ports, FreeBSD ports and NetBSD's pkgsrc very recently, so you can try it out for yourself ***

GNOME 3 hits the FreeBSD ports tree

• While you've been able to run GNOME 3 on PC-BSD and OpenBSD for a while, it hasn't actually hit the FreeBSD ports tree.. until now
• Now you can play with GNOME 3 and all its goodies (as well as Cinnamon 2.2, which this also brings in) on vanilla FreeBSD
• Be sure to check the commit message and /usr/ports/UPDATING if you're upgrading from GNOME 2
• You might also want to go back and listen to our interview with Joe Marcus Clark about GNOME's portability ***

Interview - Brendan Gregg - bgregg@netflix.com / @brendangregg

Performance tuning, benchmarks, debugging

News Roundup

DragonFlyBSD 4.0 released

• A new major version of DragonFly, 4.0.1, was just recently announced
• This version includes support for Haswell GPUs, lots of SMP improvements (including some in PF) and support for up to 256 CPUs
• It's also the first release to drop support for i386, so it joins PCBSD in the 64 bit-only club
• Check the release notes for all the details, including networking and kernel improvements, as well as some crypto changes ***

Can we talk about FreeBSD vs Linux

• Hackernews had a recent thread about discussing Linux vs BSD, and the trolls stayed away for once
• Rather than rehashing why one is "better" than the other, it was focused on explaining some of the differences between ecosystems and communities
• If you're one of the many people who watch our show just out of curiosity about the BSD world, this might be a good thread to read
• Someone in the comments even gave bsdnow.tv a mention as a good resource to learn, thanks guy ***

OpenBSD IPSEC tunnel guide

• If you've ever wanted to connect two networks with OpenBSD gateways, this is the article for you
• It shows how to set up an IPSEC tunnel between destinations, how to lock it down and how to access all the machines on the other network just like they were on your LAN
• The article also explains some of the basics of IPSEC if you're not familiar with all the terminology, so this isn't just for experts
• Though the article itself is a few years old, it mostly still applies to the latest stuff today
• All the tools used are in the OpenBSD base system, so that's pretty handy too ***

DragonFly starts work on IPFW2

• DragonFlyBSD, much like FreeBSD, comes with more than one firewall you can use
• Now it looks like you're going to have yet another choice, as someone is working on a fork of IPFW (which is actually already in its second version, so it should be "IPFW3")
• Not a whole lot is known yet; it's still in heavy development, but there's a brief roadmap page with some planned additions
• The guy who's working on this has already agreed to come on the show for an interview, but we're going to give him a chance to get some more work done first
• Expect that sometime next year, once he's made some progress ***

Feedback/Questions

• Michael writes in
• Samael writes in
• Steven writes in
• Remy writes in
• Michael writes in ***

This episode was brought to you by

Headlines

BSD panel at Phoenix LUG

• The Phoenix, Arizona Linux users group had a special panel so they could learn a bit more about BSD
• It had one FreeBSD user and one OpenBSD user, and they answered questions from the organizer and the people in the audience
• They covered a variety of topics, including filesystems, firewalls, different development models, licenses and philosophy
• It was a good "real world" example of things potential switchers are curious to know about
• They closed by concluding that more diversity is always better, and even if you've got a lot of Linux boxes, putting a few BSD ones in the mix is a good idea ***

Book of PF signed copy auction

• Peter Hansteen (who we've had on the show) is auctioning off the first signed copy of the new Book of PF
• All the profits from the sale will go to the OpenBSD Foundation
• The updated edition of the book includes all the latest pf syntax changes, but also provides examples for FreeBSD and NetBSD's versions (which still use ALTQ, among other differences)
• If you're interested in firewalls, security or even just advanced networking, this book is a great one to have on your shelf - and the money will also go to a good cause
• Michael Lucas has challenged Peter to raise more for the foundation than his last book selling - let's see who wins
• Pause the episode, go bid on it and then come back! ***

FreeBSD Foundation goes to EuroBSDCon

• Some people from the FreeBSD Foundation went to EuroBSDCon this year, and come back with a nice trip report
• They also sponsored four other developers to go
• The foundation was there "to find out what people are working on, what kind of help they could use from the Foundation, feedback on what we can be doing to support the FreeBSD Project and community, and what features/functions people want supported in FreeBSD"
• They also have a second report from Kamil Czekirda
• A total of $2000 was raised at the conference ***

OpenBSD 5.6 released

• Note: we're doing this story a couple days early - it's actually being released on November 1st (this Saturday), but we have next week off and didn't want to let this one slip through the cracks - it may be out by the time you're watching this
• Continuing their always-on-time six month release cycle, the OpenBSD team has released version 5.6
• It includes support for new hardware, lots of driver updates, network stack improvements (SMP, in particular) and new security features
• 5.6 is the first formal release with LibreSSL, their fork of OpenSSL, and lots of ports have been fixed to work with it
• You can now hibernate your laptop when using a fully-encrypted filesystem (see our tutorial for that)
• ALTQ, Kerberos, Lynx, Bluetooth, TCP Wrappers and Apache were all removed
• This will serve as a "transitional" release for a lot of services: moving from Sendmail to OpenSMTPD, from nginx to httpd and from BIND to Unbound
• Sendmail, nginx and BIND will be gone in the next release, so either migrate to the new stuff between now and then or switch to the ports versions
• As always, 5.6 comes with its own song and artwork - the theme this time was obviously LibreSSL
• Be sure to check the full changelog (it's huge) and pick up a CD or tshirt to support their efforts
• If you don't already have the public key releases are signed with, getting a physical CD is a good "out of bounds" way to obtain it safely
• Here are some cool images of the set
• After you do your installation or upgrade, don't forget to head over to the errata page and apply any patches listed there ***

Interview - John-Mark Gurney - jmg@freebsd.org / @encthenet

Updating FreeBSD's IPSEC stack

News Roundup

Clang in DragonFly BSD

• As we all know, FreeBSD got rid of GCC in 10.0, and now uses Clang almost exclusively on i386/amd64
• Some DragonFly developers are considering migrating over as well, and one of them is doing some work to make the OS more Clang-friendly
• We'd love to see more BSDs switch to Clang/LLVM eventually, it's a lot more modern than the old GCC most are using ***

reallocarray(): integer overflow detection for free

• One of the less obvious features in OpenBSD 5.6 is a new libc function: "reallocarray()"
• It's a replacement function for realloc(3) that provides integer overflow detection at basically no extra cost
• Theo and a few other developers have already started a mass audit of the entire source tree, replacing many instances with this new feature
• OpenBSD's explicit_bzero was recently imported into FreeBSD, maybe someone could also port over this too ***

Switching from Linux blog

• A listener of the show has started a new blog series, detailing his experiences in switching over to BSD from Linux
• After over ten years of using Linux, he decided to give BSD a try after listening to our show (which is awesome)
• So far, he's put up a few posts about his initial thoughts, some documentation he's going through and his experiments so far
• It'll be an ongoing series, so we may check back in with him again later on ***

Owncloud in a FreeNAS jail

• One of the most common emails we get is about running Owncloud in FreeNAS
• Now, finally, someone made a video on how to do just that, and it's even jailed
• A member of the FreeNAS community has uploaded a video on how to set it up, with lighttpd as the webserver backend
• If you're looking for an easy way to back up and sync your files, this might be worth a watch ***

Feedback/Questions

• Ernõ writes in
• David writes in
• Kamil writes in
• Torsten writes in
• Dominik writes in ***

Mailing List Gold

• That's not our IP
• Is this thing on? ***

This episode was brought to you by

Headlines

BSD Devroom CFP

• This year's FOSDEM conference (Belgium, Jan 31st - Feb 1st) is having a dedicated BSD devroom
• They've issued a call for papers on anything BSD-related, and we always love more presentations
• If you're in the Belgium area or plan on going, submit a talk about something cool you're doing
• There's also a mailing list and some more information in the original post ***

Bhyve SVM code merge

• The bhyve_svm code has been in the "projects" tree of FreeBSD, but is now ready for -CURRENT
• This changeset will finally allow bhyve to run on AMD CPUs, where it was previously limited to Intel only
• All the supported operating systems and utilities should work on both now
• One thing to note: bhyve doesn't support PCI passthrough on AMD just yet
• There may still be some issues though ***

NetBSD at Open Source Conference Tokyo

• The Japanese NetBSD users group held a booth at another recent open source conference
• As always, they were running NetBSD on everything you can imagine
• One of the users reports back to the mailing list on their experience, providing lots of pictures and links
• Here's an interesting screenshot of NetBSD running various other BSDs in Xen ***

More BSD switchers every day

• A decade-long Linux user is considering making the switch, and asks Reddit about the BSD community
• Tired of the pointless bickering he sees in his current community, he asks if the same problems exist over here and what he should expect
• So far, he's found that BSD people seem to act more level-headed about things, and are much more practical, whereas some FSF/GNU/GPL people make open source a religion
• There's also another semi-related thread about another Linux user wanting to switch to BSD because of systemd and GNU people
• There are some extremely well written and thought-out comments in the replies (in both threads), be sure to give them all a read
• Maybe the OPs should've just watched this show ***

Interview - Olivier Cochard-Labbé - olivier@cochard.me / @ocochardlabbe

The BSD Router Project

News Roundup

FreeBSD -CURRENT on a T420

• Thinkpads are quite popular with BSD developers and users
• Most of the hardware seems to be supported across the BSDs (especially wifi)
• This article walks through installing FreeBSD -CURRENT on a Thinkpad T420 with UEFI
• If you've got a Thinkpad, or especially this specific one, have a look at some of the steps involved ***

FreeNAS on a Supermicro 5018A-MHN4

• More and more people are migrating their NAS devices to BSD-based solutions
• In this post, the author goes through setting up FreeNAS on some of his new hardware
• His new rack-mounted FreeNAS machine has a low power Atom with eight cores and 64GB of RAM - quite a lot for its small form factor
• The rest of the post details all of the hardware he chose and goes through the build process (with lots of cool pictures) ***

Hardening procfs and linprocfs

• There was an exploit published recently for SFTP in OpenSSH, but it mostly just affected Linux
• There exists a native procfs in FreeBSD, which was the target point of that exploit, but it's not used very often
• The Linux emulation layer also supports its own linprocfs, which was affected as well
• The HardenedBSD guys weigh in on how to best solve the problem, and now support an additional protection layer from writing to memory with procfs
• If you want to learn more about ASLR and HardenedBSD, be sure to check out our interview with Shawn too ***

pfSense monitoring with bandwidthd

• A lot of people run pfSense on their home network, and it's really useful to monitor the bandwidth usage
• This article will walk you through setting up bandwidthd to do exactly that
• bandwidthd monitors based on the IP address, rather than per-interface
• It can also build some cool HTML graphs, and we love those pfSense graphs
• Have a look at our bandwidth monitoring and testing tutorial for some more ideas ***

Feedback/Questions

• Dave writes in
• Chris writes in
• Zeke writes in
• Bostjan writes in
• Patrick writes in ***

Mailing List Gold

• More old bugs
• The Right Font™ (see also) ***

This episode was brought to you by

Headlines

BSD talks at XDC 2014

• This year's Xorg conference featured a few BSD-related talks
• Matthieu Herrb, Status of the OpenBSD graphics stack
• Matthieu's talk details what's been done recently in Xenocara the OpenBSD kernel for graphics (slides here)
• Jean-Sébastien Pédron, The status of the graphics stack on FreeBSD
• His presentation gives a history of major changes and outlines the current overall status of graphics in FreeBSD (slides here)
• Francois Tigeot, Porting DRM/KMS drivers to DragonFlyBSD
• Francois' talk tells the story of how he ported some of the DRM and KMS kernel drivers to DragonFly (slides here) ***

FreeBSD Quarterly Status Report

• The FreeBSD project has a report of their activities between July and September of this year
• Lots of ARM work has been done, and a goal for 11.0 is tier one support for the platform
• The release includes reports from the cluster admin team, release team, ports team, core team and much more, but we've already covered most of the items on the show
• If you're interested in seeing what the FreeBSD community has been up to lately, check the full report - it's huge ***

Monitoring pfSense logs using ELK

• If you're one of those people who loves the cool graphs and charts that pfSense can produce, this is the post for you
• ELK (ElasticSearch, Logstash, Kibana) is a group of tools that let you collect, store, search and (most importantly) visualize logs
• It works with lots of different things that output logs and can be sent to one central server for displaying
• This post shows you how to set up pfSense to do remote logging to ELK and get some pretty awesome graphs ***

Some updates to IPFW

• Even though PF gets a lot of attention, a lot of FreeBSD people still love IPFW
• While mostly a dormant section of the source tree, some updates were recently committed to -CURRENT
• The commit lists the user-visible changes, performance changes, ABI changes and internal changes
• It should be merged back to -STABLE after a month or so of testing, and will probably end up in 10.2-RELEASE
• Also check this blog post for some more information and fancy graphs ***

Interview - Hiroki Sato (佐藤広生) - hrs@freebsd.org / @hiroki_sato

BSD in Japan, technology conferences, various topics

News Roundup

pfSense on Hyper-V

• In case you didn't know, the latest pfSense snapshots support running on Hyper-V
• Unfortunately, the current stable release is based on an old, unsupported FreeBSD 8.x base, so you have to use the snapshots for now
• The author of the post tells about his experience running pfSense and gives lots of links to read if you're interested in doing the same
• He also praises pfSense above other Linux-based solutions for its IPv6 support and high quality code ***

OpenBSD as a daily driver

• A curious Reddit user posts to ask the community about using OpenBSD as an everyday desktop OS
• The overall consensus is that it works great for that, stays out of your way and is quite reliable
• Caveats would include there being no Adobe Flash support (though others consider this a blessing..) and it requiring a more hands-on approach to updating
• If you're considering running OpenBSD as a "daily driver," check all the comments for more information and tips ***

Getting PF log statistics

• The author of this post runs an OpenBSD box in front of all his VMs at his colocation, and details his experiences with firewall logs
• He usually investigates any IPs of interest with whois, nslookup, etc. - but this gets repetitive quickly, so..
• He sets out to find the best way to gather firewall log statistics
• After coming across a perl script to do this, he edited it a bit and is now a happy, lazy admin once again
• You can try out his updated PF script here ***

FlashRD 1.7 released

• In case anyone's not familiar, flashrd is a tool to create OpenBSD images for embedded hardware devices, executing from a virtualized environment
• This new version is based on (the currently unreleased) OpenBSD 5.6, and automatically adapts to the number of CPUs you have for building
• It also includes fixes for 4k drives and lots of various other improvements
• If you're interested in learning more, take a look at some of the slides and audio from the main developer on the website ***

Feedback/Questions

• Antonio writes in
• Don writes in
• Andriy writes in
• Richard writes in
• Robert writes in ***

Mailing List Gold

• Subtle trolling
• Old bugs with old fixes
• A pig reinstall
• Strange DOS-like environment ***

This episode was brought to you by

Headlines

MeetBSD 2014 is approaching

• The MeetBSD conference is coming up, and will be held on November 1st and 2nd in San Jose, California
• MeetBSD has an "unconference" format, which means there will be both planned talks and community events
• All the extra details will be on their site soon
• It also has hotels and various other bits of useful information - hopefully with more info on the talks to come
• Of course, EuroBSDCon is coming up before then ***

First experiences with OpenBSD

• A new blog post that leads off with "tired of the sluggishness of Windows on my laptop and interested in experimenting with a Unix-like that I haven't tried before"
• The author read the famous "BSD for Linux users" series (that most of us have surely seen) and decided to give BSD a try
• He details his different OS and distro history, concluding with how he "eventually became annoyed at the poor quality of Linux userland software"
• From there, it talks about how he used the OpenBSD USB image and got a fully-working system
• He especially liked the simplicity of OpenBSD's "hostname.if" system for network configuration
• Finally, he gets Xorg working and imports all his usual configuration files - seems to be a happy new user! ***

NetBSD rump kernels on bare metal (and Kansai OSC report)

• When you're developing a new OS or a very specialized custom solution, working drivers become one of the hardest things to get right
• However, NetBSD's rump kernels - a very unique concept - make this process a lot easier
• This blog post talks about the process of starting with just a rump kernel and expanding into an internet-ready system in just a week
• Also have a look back at episode 8 for our interview about rump kernels and what exactly they do
• While on the topic of NetBSD, there were also a couple of very detailed reports (with lots of pictures!) of the various NetBSD-themed booths at the 2014 Kansai Open Source Conference that we wanted to highlight ***

OpenSSL and LibreSSL updates

• OpenSSL pushed out a few new versions, fixing multiple vulnerabilities (nine to be precise!)
• Security concerns include leaking memory, possible denial of service, crashing clients, memory exhaustion, TLS downgrades and more
• LibreSSL released a new version to address most of the vulnerabilities, but wasn't affected by some of them
• Whichever version of whatever SSL you use, make sure it's patched for these issues
• DragonFly and OpenBSD are patched as of the time of this recording but, even after a week, NetBSD and FreeBSD are not (outside of -CURRENT) ***

Interview - Robert Watson - rwatson@freebsd.org

FreeBSD architecture, security research techniques, exploit mitigation

Tutorial

Protecting traffic with a BSD-based VPN

News Roundup

A FreeBSD-based CGit server

• If you use git (like a certain host of this show) then you've probably considered setting up your own server
• This article takes you through the process of setting up a jailed git server, complete with a fancy web frontend
• It even shows you how to set up multiple repos with key-based user separation and other cool things
• The author of the post is also a listener of the show, thanks for sending it in! ***

Backup devices for small businesses

• In this article, different methods of data storage and backup are compared
• After weighing the various options, the author comes to an obvious conclusion: FreeNAS is the answer
• He praises FreeNAS and the FreeNAS Mini for their tight integration, rock solid FreeBSD base and the great ZFS featureset that it offers
• It also goes over some of the hardware specifics in the FreeNAS Mini ***

A new Xenocara interview

• As a follow up to last week's OpenSMTPD interview, this Russian blog interviews Matthieu Herrb about Xenocara
• If you're not familiar with Xenocara, it's OpenBSD's version of Xorg with some custom patches
• In this interview, he discusses how large and complex the upstream X11 development is, how different components are worked on by different people, how they test code (including a new framework) and security auditing
• Matthieu is both a developer of upstream Xorg and an OpenBSD developer, so it's natural for him to do a lot of the maintainership work there ***

Building a high performance FreeBSD samba server

• If you've got to PXE boot several hundred Windows boxes to upgrade from XP to 7, what's the best solution?
• FreeBSD, ZFS and Samba obviously!
• The master image and related files clock in at over 20GB, and will be accessed at the same time by all of those clients
• This article documents that process, highlighting some specific configuration tweaks to maximize performance (including NIC bonding)
• It doesn't even require the newest or best hardware with the right changes, pretty cool ***

Feedback/Questions

• An interesting Reddit thread (or two)
• PB writes in
• Sean writes in
• Steve writes in
• Lachlan writes in
• Justin writes in ***

This episode was brought to you by

Headlines

EuroBSDCon 2014 registration open

• September is getting closer, and that means it's time for EuroBSDCon - held in Bulgaria this year
• Registration is finally open to the public, with prices for businesses ($287), individuals ($217) and students ($82) for the main conference until August 18th
• Tutorials, sessions, dev summits and everything else all have their own pricing as well
• Registering between August 18th - September 12th will cost more for everything
• You can register online here and check hotels in the area
• The FreeBSD foundation is also accepting applications for travel grants ***

OpenBSD SMP PF update

• A couple weeks ago we talked about how DragonflyBSD updated their PF to be multithreaded
• With them joining the SMP ranks along with FreeBSD, a lot of users have been asking about when OpenBSD is going to make the jump
• In a recent mailing list thread, Henning Brauer addresses some of the concerns
• The short version is that too many things in OpenBSD are currently single-threaded for it to matter - just reworking PF by itself would be useless
• He also says PF on OpenBSD is over four times faster than FreeBSD's old version, presumably due to those extra years of development it's gone through
• There's also been even more recent concern about the uncertain future of FreeBSD's PF, being mostly unmaintained since their SMP patches
• We reached out to four developers (over week ago) about coming on the show to talk about OpenBSD network performance and SMP, but they all ignored us ***

Introduction to NetBSD pkgsrc

• An article from one of our listeners about how to create a new pkgsrc port or fix one that you need
• The post starts off with how to get the pkgsrc tree, shows how to get the developer tools and finally goes through the Makefile format
• It also lists all the different bmake targets and their functions in relation to the porting process
• Finally, the post details the whole process of creating a new port ***

FreeBSD 9.3-RELEASE

• After three RCs, FreeBSD 9.3 was scheduled to be finalized and announced today but actually came out yesterday
• The full list of changes is available, but it's mostly a smaller maintenance release
• Lots of driver updates, ZFS issues fixed, hardware RNGs are entirely disabled by default, netmap framework updates, read-only ext4 support was added, the vt driver was merged from -CURRENT, new hardware support (including radeon KMS), various userland tools got new features, OpenSSL and OpenSSH were updated... and much more
• If you haven't jumped to the 10.x branch yet (and there are a lot of people who haven't!) this is a worthwhile upgrade - 9.2-RELEASE will reach EOL soon
• Good news, this will be the first release with PGP-signed checksums on the FTP mirrors - a very welcome change
• With that out of the way, the 10.1-RELEASE schedule was posted ***

Interview - Bryan Drewery - bdrewery@freebsd.org / @bdrewery

The FreeBSD package building cluster, pkgng, ports, various topics

Tutorial

Tunneling traffic through DNS

News Roundup

SSH two-factor authentication on FreeBSD

• We've previously mentioned stories on how to do two-factor authentication with a Yubikey or via a third party website
• This blog post tells you how to do exactly that, but with your Google account and the pam_google_authenticator port
• Using this setup, every user that logs in with a password will have an extra requirement before they can gain access - but users with public keys can login normally
• It's a really, really simple process once you have the port installed - full details on the page ***

Ditch tape backup in favor of FreeNAS

• The author of this post shares some of his horrible experiences with tape backups for a client
• Having constant, daily errors and failed backups, he needed to find another solution
• With 1TB of backups, tapes just weren't a good option anymore - so he switched to FreeNAS (after also ruling out a pre-built NAS)
• The rest of the article details his experiences with it and tells about his setup ***

NetBSD vs FreeBSD, desktop experiences

• A NetBSD and pkgsrc developer details his experiences running NetBSD on a workstation at his job
• Becoming more and more disappointed with graphics performance, he finally decides to give FreeBSD 10 a try - especially since it has a native nVidia driver
• "Running on VAX, PlayStation 2 and Amiga is fun, but I’ll tell you a little secret: nobody cares anymore about VAX, PlayStation 2 and Amiga."
• He's become pretty satisfied with FreeBSD, a modern choice for a 2014 desktop system ***

PCBSD not-so-weekly digest

• Speaking of choices for a desktop system, it's the return of the PCBSD digest!
• Warden and PBI_add have gotten some interesting new features
• You can now create jails "on the fly" when adding a new PBI to your application library
• Bulk jail creation is also possible now, and it's really easy
• New Jenkins integration, with public access to poudriere logs as well
• PkgNG 1.3.0.rc2 testing for EDGE users ***

Feedback/Questions

• Jeff writes in - Sending Encrypted Backups over SSH + Sending ZFS snapshots via user
• Bruce writes in
• Richard writes in
• Jeff writes in - NYCBUG dmesg list
• Steve writes in ***

This episode was brought to you by

Interview - Josh Paetzel - josh@ixsystems.com / @bsdunix4ever

Crazy ZFS stories, network protocols, server hardware

This episode was brought to you by

Headlines

pfSense 2.1.4 released

• The pfSense team has released 2.1.4, shortly after 2.1.3 - it's mainly a security release
• Included within are eight security fixes, most of which are pfSense-specific
• OpenSSL, the WebUI and some packages all need to be patched (and there are instructions on how to do so)
• It also includes a large number of various other bug fixes
• Update all your routers! ***

DragonflyBSD's pf gets SMP

• While we're on the topic of pf...
• Dragonfly patches their old[er than even FreeBSD's] pf to support multithreading in many areas
• Stemming from a user's complaint, Matthew Dillon did his own work on pf to make it SMP-aware
• Altering your configuration's ruleset can also help speed things up, he found
• When will OpenBSD, the source of pf, finally do the same? ***

ChaCha usage and deployment

• A while back, we talked to djm about some cryptography changes in OpenBSD 5.5 and OpenSSH 6.5
• This article is sort of an interesting follow-up to that, showing which projects have adopted ChaCha20
• OpenSSH offers it as a stream cipher now, OpenBSD uses it for it's random number generator, Google offers it in TLS for Chromium and some of their services and lots of other projects seem to be adopting it
• Both Google's fork of OpenSSL and LibReSSL have upcoming implementations, while vanilla OpenSSL does not
• Unfortunately, this article has one mistake: FreeBSD does not use it - they still use the broken RC4 algorithm ***

BSDMag June 2014 issue

• The monthly online BSD magazine releases their newest issue
• This one includes the following articles: TLS hardening, setting up a package cluster in MidnightBSD, more GIMP tutorials, "saving time and headaches using the robot framework for testing," an interview and an article about the increasing number of security vulnerabilities
• The free pdf file is available for download as always ***

Interview - Craig Rodrigues - rodrigc@freebsd.org

FreeBSD's continuous testing infrastructure

Tutorial

Creating pre-patched OpenBSD ISOs

News Roundup

Preauthenticated decryption considered harmful

• Responding to a post from Adam Langley, Ted Unangst talks a little more about how signify and pkg_add handle signatures
• In the past, the OpenBSD installer would pipe the output of ftp straight to tar, but then verify the SHA256 at the end - this had the advantage of not requiring any extra disk space, but raised some security concerns
• With signify, now everything is fully downloaded and verified before tar is even invoked
• The pkg_add utility works a little bit differently, but it's also been improved in this area - details in the post
• Be sure to also read the original post from Adam, lots of good information ***

FreeBSD 9.3-RC2 is out

• As the -RELEASE inches closer, release candidate 2 is out and ready for testing
• Since the last one, it's got some fixes for NIC drivers, the latest file and libmagic security fixes, some serial port workarounds and various other small things
• The updated bsdconfig will use pkgng style packages now too
• A lesser known fact: there are also premade virtual machine images you can use too ***

pkgsrcCon 2014 wrap-up

• In what may be the first real pkgsrcCon article we've ever had!
• Includes wrap-up discussion about the event, the talks, the speakers themselves, what they use pkgsrc for, the hackathon and basically the whole event
• Unfortunately no recordings to be found... ***

PostgreSQL FreeBSD performance and scalability

• FreeBSD developer kib@ writes a report on PostgreSQL on FreeBSD, and how it scales
• On his monster 40-core box with 1TB of RAM, he runs lots of benchmarks and posts the findings
• Lots of technical details if you're interested in getting the best performance out of your hardware
• It also includes specific kernel options he used and the rest of the configuration
• If you don't want to open the pdf file, you can use this link too ***

Feedback/Questions

• James writes in
• Klemen writes in
• John writes in
• Brad writes in
• Adam writes in ***

This episode was brought to you by

Headlines

EuroBSDCon 2014 talks and schedule

• The talks and schedules for EuroBSDCon 2014 are finally revealed
• The opening keynote is called "FreeBSD, looking forward to another 10 years" by jkh
• Lots of talks spanning FreeBSD, OpenBSD and PCBSD, and we finally have a few about NetBSD and DragonflyBSD too! Variety is great
• It looks like Theo even has a talk, but the title isn't on the page... how mysterious
• There are also days dedicated to some really interesting tutorials
• Register now, the conference is on September 25-28th in Bulgaria
• If you see Allan and Kris walking towards you and you haven't given us an interview yet... well you know what's going to happen
• Why aren't the videos up from last year yet? Will this year also not have any? ***

FreeNAS vs NAS4Free

• More mainstream news covering BSD, this time with an article about different NAS solutions
• In a possibly excessive eight-page article, Ars Technica discusses the pros and cons of both FreeNAS and NAS4Free
• Both are based on FreeBSD and ZFS of course, but there are more differences than you might expect
• Discusses the different development models, release cycles, features, interfaces and ease-of-use factor of each project
• "One is pleasantly functional; the other continues devolving during a journey of pain" - uh oh, who's the loser? ***

Quality software costs money, heartbleed was free

• PHK writes an article for ACM Queue about open source software projects' funding efforts
• A lot of people don't realize just how widespread open source software is - TVs, printers, gaming consoles, etc
• The article discusses ways to convince your workplace to fund open source efforts, then goes into a little bit about FreeBSD and Varnish's funding
• The latest heartbleed vulnerability should teach everyone that open source projects are critical to the internet, and need people actively maintaining them
• On that subject, "Earlier this year the OpenSSL Heartbleed bug laid waste to Internet security, and there are still hundreds of thousands of embedded devices of all kinds—probably your television among them—that have not been and will not ever be software-upgraded to fix it. The best way to prevent that from happening again is to avoid having bugs of that kind go undiscovered for several years, and the only way to avoid that is to have competent people paying attention to the software"
• Consider donating to your favorite BSD foundation (or buying cool shirts and CDs!) and keeping the ecosystem alive ***

Geoblock evasion with pf and OpenBSD rdomains

• Geoblocking is a way for websites to block visitors based on the location of their IP
• This is a blog post about how to get around it, using pf and rdomains
• It has the advantage of not requiring any browser plugins or DNS settings on the users' computers, you just need to be running OpenBSD on your router (hmm, if only a website had a tutorial about that...)
• In this post, the author wanted to get an American IP address, since the service he was using (Netflix) is blocked in Australia
• It's got all the details you need to set up a VPN-like system and bypass those pesky geographic filters ***

Interview - Marc Espie - espie@openbsd.org / @espie_openbsd

OpenBSD's package system, building cluster, various topics

Tutorial

Keeping your BSD up to date

News Roundup

BoringSSL and LibReSSL

• Yet another OpenSSL fork pops up, this time from Google, called BoringSSL
• Adam Langley has a blog post about it, why they did it and how they're going to maintain it
• You can easily browse the source code
• Theo de Raadt also weighs in with how this effort relates to LibReSSL
• More eyes on the code is good, and patches will be shared between the two projects ***

More BSD Tor nodes wanted

• Friend of the show bcallah posts some news to the Tor-BSD mailing list about monoculture in the Tor network being both bad and dangerous
• Originally discussed on the Tor-Relays list, it was made apparent that having such a large amount of Linux nodes weakens the security of the whole network
• If one vulnerability is found, a huge portion of the network would be useless - we need more variety in the network stacks, crypto, etc.
• The EFF is also holding a Tor challenge for people to start up new relays and keep them online for over a year
• Check out our Tor tutorial and help out the network, and promote BSD at the same time! ***

FreeBSD 10 OpenStack images

• OpenStack, to quote Wikipedia, is "a free and open-source software cloud computing platform. It is primarily deployed as an infrastructure as a service (IaaS) solution."
• The article goes into detail about creating a FreeBSD instant, installing and converting it for use with "bsd-cloudinit"
• The author of the article is a regular listener and emailer of the show, hey! ***

BSDday 2014 call for papers

• BSD Day, a conference not so well-known, is going to be held August 9th in Argentina
• It was created in 2008 and is the only BSD conference around that area
• The "call for papers" was issued, so if you're around Argentina and use BSD, consider submitting a talk
• Sysadmins, developers and regular users are, of course, all welcome to come to the event ***

Feedback/Questions

• Maruf writes in
• Solomon writes in
• Silas writes in
• Bert writes in ***

This episode was brought to you by

Headlines

FreeBSD moves to Bugzilla

• Historically, FreeBSD has used the old GNATS system for keeping track of bug reports
• After years and years of wanting to switch, they've finally moved away from GNATS to Bugzilla
• It offers a lot of advantages, is much more modern and actively maintained and
• There's a new workflow chart for developers to illustrate the new way of doing things
• The old "send-pr" command will still work for the time being, but will eventually be phased out in favor of native Bugzilla reporting tools (of which there are multiple in ports)
• This will hopefully make reporting bugs a lot less painful ***

DIY NAS: EconoNAS 2014

• We previously covered this blog last year, but the 2014 edition is up
• More of a hardware-focused article, the author details the parts he's using for a budget NAS
• Details the motherboard, RAM, CPU, hard drives, case, etc
• With a set goal of $500 max, he goes just over it - $550 for all the parts
• Lots of nice pictures of the hardware and step by step instructions for assembly, as well as software configuration instructions ***

DragonflyBSD 3.8 released

• Justin announced the availability of DragonflyBSD 3.8.0
• Binaries in /bin and /sbin are dynamic now, enabling the use of PAM and NSS to manage user accounts
• It includes a new HAMMER FS backup script and lots of FreeBSD tools have been synced with their latest versions
• Work continues on for the Intel graphics drivers, but it's currently limited to the HD4000 and Ivy Bridge series
• See the release page for more info and check the link for source-based upgrade instructions ***

OpenZFS European conference 2014

• There was an OpenZFS conference held in Europe recently, and now the videos are online for your viewing pleasure
• Matt Ahrens, Introduction
• Michael Alexander, FhGFS performance on ZFS
• Andriy Gapon, Testing ZFS on FreeBSD
• Luke Marsden, HybridCluster: ZFS in the cloud
• Vadim Comănescu, Syneto: continuously delivering a ZFS-based OS
• Chris George, DDRdrive ZIL accelerator: random write revelation
• Grenville Whelan, High-Availability
• Phil Harman, Harman Holistic
• Mark Rees, Storiant and OpenZFS
• Andrew Holway, EraStor ZFS appliances
• Dan Vâtca, Syneto and OpenZFS
• Luke Marsden, HybridCluster and OpenZFS
• Matt Ahrens, Delphix and OpenZFS
• Check the link for slides and other goodies ***

Interview - Benedict Reuschling - bcr@freebsd.org

BSD documentation, getting commit access, unix education, various topics

News Roundup

Getting to know your portmgr, Steve Wills

• "It is my pleasure to introduce Steve Wills, the newest member of the portmgr team"
• swills is an all-round good guy, does a lot for ports (especially the ruby ports)
• In this interview, we learn why he uses FreeBSD, the most embarrassing moment in his FreeBSD career and much more
• He used to work for Red Hat, woah ***

BSDTalk episode 242

• This time on BSDTalk, Will interviews Chris Buechler from pfSense
• Topics include: the heartbleed vulnerability and how it affected pfSense, how people usually leave their firewalls unpatched for a long time (or even forget about them!), changes between major versions, the upgrade process, upcoming features in their 10-based version, backporting drivers and security fixes
• They also touch on recent concerns in the pfSense community about their license change, that they may be "going commercial" and closing the source - so tune in to find out what their future plans are for all of that ***

Turn old PC hardware into a killer home server

• Lots of us have old hardware lying around doing nothing but collecting dust
• Why not turn that old box into a modern file server with FreeNAS and ZFS?
• This article goes through the process of setting up a NAS, gives a little history behind the project and highlights some of the different protocols FreeNAS can use (NFS, SMB, AFS, etc)
• Most of our users are already familiar with all of this stuff, nothing too advanced
• Good to see BSD getting some well-deserved attention on a big mainstream site ***

Unbloating the VAX install CD

• After a discussion on the VAX mailing list, something very important came to the attention of the developers...
• You can't boot NetBSD on a VAX box with 16MB of RAM from the CD image
• This blog post goes through the developer's adventure in trying to fix that through emulation and stripping various things out of the kernel to make it smaller
• In the end, he got it booting - and now all three VAX users who want to run NetBSD can do so on their systems with 16MB of RAM... ***

Feedback/Questions

• Thomas writes in
• Reynold writes in
• Bostjan writes in
• Paul writes in
• John writes in ***

This episode was brought to you by

Headlines

BSDCan 2014 talks and reports, part 2

• More presentations and trip reports are still being uploaded
• Ingo Schwarze, New Trends in mandoc
• Vsevolod Stakhov, The Architecture of the New Solver in pkg
• Julio Merino, The FreeBSD Test Suite
• Zbigniew Bodek, Transparent Superpages for FreeBSD on ARM
• There's also a trip report from Michael Dexter and another (very long and detailed) trip report from our friend Warren Block that even gives us some linkage, thanks! ***

Beyond security, getting to know OpenBSD's real purpose

• Michael W Lucas (who, we learn through this video, has been using BSD since 1986) gave a "webcast" last week, and the audio and slides are finally up
• It clocks in at just over 30 minutes, managing to touch on a lot of OpenBSD topics
• Some of those topics include: what is OpenBSD and why you should care, the philosophy of the project, how it serves as a "pressure cooker for ideas," briefly touches on GPL vs BSDL, their "do it right or don't do it at all" attitude, their stance on NDAs and blobs, recent LibreSSL development, some of the security functions that OpenBSD enabled before anyone else (and the ripple effect that had) and, of course, their disturbing preference for comic sans
• Here's a direct link to the slides
• Great presentation if you'd like to learn a bit about OpenBSD, but also contains a bit of information that long-time users might not know too ***

FreeBSD vs Linux, a comprehensive comparison

• Another blog post covering something people seem to be obsessed with - FreeBSD vs Linux
• This one was worth mentioning because it's very thorough in regards to how things are done behind the scenes, not just the usual technical differences
• It highlights the concept of a "core team" and their role vs "contributors" and "committers" (similar to a presentation Kirk McKusick did not long ago)
• While a lot of things will be the same on both platforms, you might still be asking "which one is right for me?" - this article weighs in with some points for both sides and different use cases
• Pretty well-written and unbiased article that also mentions areas where Linux might be better, so don't hate us for linking it ***

Expand FreeNAS with plugins

• One of the things people love the most about FreeNAS (other than ZFS) is their cool plugin framework
• With these plugins, you can greatly expand the feature set of your NAS via third party programs
• This page talks about a few of the more popular ones and how they can be used to improve your NAS or media box experience
• Some examples include setting up an OwnCloud server, Bacula for backups, Maraschino for managing a home theater PC, Plex Media Server for an easy to use video experience and a few more
• It then goes into more detail about each of them, how to actually install plugins and then how to set them up ***

Interview - Karl Lehenbauer - karl@flightaware.com / @flightaware

FreeBSD at FlightAware, BSD history, various topics

Tutorial

Ports and packages in OpenBSD

News Roundup

Code review culture meets FreeBSD

• In most of the BSDs, changes need to be reviewed by more than one person before being committed to the tree
• This article describes Phabricator, an open source code review system that we briefly mentioned last week
• Instructions for using it are on the wiki
• While not approved by the core team yet for anything official, it's in a testing phase and developers are encouraged to try it out and get their patches reviewed
• Just look at that fancy interface!! ***

Upcoming BSD books

• Sneaky MWL somehow finds his way into both our headlines and the news roundup
• He gives us an update on the next BSD books that he's planning to release
• The plan is to release three (or so) books based on different aspects of FreeBSD's storage system(s) - GEOM, UFS, ZFS, etc.
• This has the advantage of only requiring you to buy the one(s) you're specifically interested in
• "When will they be released? When I'm done writing them. How much will they cost? Dunno."
• It's not Absolute FreeBSD 3rd edition... ***

CARP failover and high availability on FreeBSD

• If you're running a cluster or a group of servers, you should have some sort of failover in place
• But the question comes up, "how do you load balance the load balancers!?"
• This video goes through the process of giving more than one machine the same IP, how to set up CARP, securing it and demonstrates a node dying
• Also mentions DNS-based load balancing as another option ***

PCBSD weekly digest

• This time in PCBSD land, we're getting ready for the 10.0.2 release (ISOs here)
• AppCafe got a good number of fixes, and now shows 10 random highlighted applications
• EasyPBI added a "bulk" mode to create PBIs of an entire FreeBSD port category
• Lumina, the new desktop environment, is still being worked on and got some bug fixes too ***

Feedback/Questions

• Paul writes in
• Matt writes in
• Kjell writes in
• Paul writes in
• Tom writes in ***

This episode was brought to you by

Interview - John Hixson - john@ixsystems.com / @bsdwhore

FreeNAS development

This episode was brought to you by

Headlines

FreeBSD ASLR status update

• Shawn Webb gives us a little update on his address space layout randomization work for FreeBSD
• He's implemented execbase randomization for position-independent executables (which OpenBSD also just enabled globally in 5.5 on i386)
• Work has also started on testing ASLR on ARM, using a Raspberry Pi
• He's giving a presentation at BSDCan this year about his ASLR work
• While we're on the topic of BSDCan... ***

BSDCan tutorials, improving the experience

• Peter Hansteen writes a new blog post about his upcoming BSDCan tutorials
• The tutorials are called "Building the network you need with PF, the OpenBSD packet filter" and "Transitioning to OpenBSD 5.5" - both scheduled to last three hours each
• He's requesting anyone that'll be there to go ahead and contact him, telling him exactly what you'd like to learn
• There's also a bit of background information about the tutorials and how he's looking to improve them
• If you're interested in OpenBSD and going to BSDCan this year, hit him up ***

pkgsrc-2014Q1 released

• The new stable branch of pkgsrc packages has been built and is ready
• Python 3.3 is now a "first class citizen" in pkgsrc
• 14255 packages for NetBSD-current/x86_64, 11233 binary packages built with clang for FreeBSD 10/x86_64
• There's a new release every three months, and remember pkgsrc works on MANY operating systems, not just NetBSD - you could even use pkgsrc instead of pkgng or ports if you were so inclined
• They're also looking into signing packages ***

Only two holes in a heck of a long time, who cares?

• A particularly vocal Debian user, a lost soul, somehow finds his way to the misc@ OpenBSD mailing list
• He questions "what's the big deal" about OpenBSD's slogan being "Only two remote holes in the default install, in a heck of a long time!"
• Luckily, the community and Theo set the record straight about why you should care about this
• Running insecure applications on OpenBSD is actually more secure than running them on other systems, due to things like ASLR, PIE and all the security features of OpenBSD
• It spawned a discussion about ease of management and Linux's poor security record, definitely worth reading ***

Interview - Dru Lavigne - dru@freebsd.org / @bsdevents

FreeBSD's documentation printing, documentation springs, various topics

Tutorial

Automatic, unattended OpenBSD installs with PXE

News Roundup

pfSense 2.1.1 released

• A new version of pfSense is released, mainly to fix some security issues
• Tracking some recent FreeBSD advisories, pfSense usually only applies the ones that would matter on a firewall or router
• There are also some NIC driver updates and other things
• Of course if you want to learn more about pfSense, watch episode 25
• 2.1.2 is already up for testing too ***

FreeBSD gets UEFI support

• It looks like FreeBSD's battle with UEFI may be coming to a close?
• Ed Maste committed a giant list of patches to enable UEFI support on x86_64
• Look through the list to see all the details and information
• Thanks FreeBSD foundation! ***

Ideas for the next DragonflyBSD release

• Mr. Dragonfly release engineer himself, Justin Sherrill posts some of his ideas for the upcoming release
• They're aiming for late May for the next version
• Ideas include better support for running in a VM, pkgng fixes, documentation updates and PAM support
• Gasp, they're even considering dropping i386 ***

PCBSD weekly digest

• Lots of new PBI updates for 10.0, new runtime implementation
• New support for running 32 bit applications in PBI runtime
• New default CD and DVD player, umplayer
• Latest GNOME 3 and Cinnamon merged, new edge package builds ***

Feedback/Questions

• Remy writes in
• Jan writes in
• Eddie writes in
• Zen writes in
• Sean writes in ***

This episode was brought to you by

Headlines

OpenBSD on a Sun T5120

• Our buddy Ted Unangst got himself a cool Sun box
• Of course he had to write a post about installing and running OpenBSD on it
• The post goes through some of the quirks and steps to go through in case you're interested in one of these fine SPARC machines
• He's also got another post about OpenBSD on a Dell CS24-SC server ***

Bhyvecon 2014 videos are up

• Like we mentioned last week, Bhyvecon was an almost-impromptu conference before AsiaBSDCon
• The talks have apparently already been uploaded!
• Subjects include Bhyve's past, present and future, OSv on Bhyve, a general introduction to the tool, migrating those last few pesky Linux boxes to virtualization
• Lots more detail in the videos, so check 'em all out ***

Building a FreeBSD wireless access point

• We've got a new blog post about creating a wireless access point with FreeBSD
• After all the recent news of consumer routers being pwned like candy, it's time for people to start building BSD routers
• The author goes through a lot of the process of getting one set up using good ol' FreeBSD
• Using hostapd, he's able to share his wireless card in hostap mode and offer DHCP to all the clients
• Plenty of config files and more messy details in the post ***

Switching from Synology to FreeNAS

• The author has been considering getting a NAS for quite a while and documents his research
• He was faced with the compromise of convenience vs. flexibility - prebuilt or DIY
• After seeing the potential security issues with proprietary NAS devices, and dealing with frustration with trying to get bugs fixed, he makes the right choice
• The post also goes into some detail about his setup, all the things he needed a NAS to do as well as all the advantages an open source solution would give ***

Interview - Warren Block - wblock@freebsd.org

FreeBSD's documentation project, igor, doceng

Tutorial

The world of BSD mailing lists

News Roundup

HAMMER2 work and notes

• Matthew Dillon has posted some updated notes about the development of the new HAMMER version
• The start of a cluster API was committed to the tree
• There are also links to design document, a freemap design document, a changes list and a todo list ***

BSD Breaking Barriers

• Our friend MWL gave a talk at NYCBSDCon about BSD "breaking barriers"
• "What makes the BSD operating systems special? Why should you deploy your applications on BSD? Why does the BSD community keep growing, and why do Linux sites like DistroWatch say that BSD is where the interesting development work is happening? We'll cover the not-so-obvious reasons why BSD still stands tall after almost 40 years."
• He also has another upcoming talk, (or "webcast") called "Beyond Security: Getting to Know OpenBSD's Real Purpose"
• "OpenBSD is frequently billed as a high-security operating system. That's true, but security isn't the OpenBSD Project's main goal. This webcast will introduce systems administrators to OpenBSD, explain the project's mission, and discuss the features and benefits."
• It's on May 27th and will hopefully be recorded ***

FreeBSD in a chroot

• Finch, "FreeBSD running IN a CHroot," is a new project
• It's a way to extend the functionality of restricted USB-based FreeBSD systems (FreeNAS, etc.)
• All the details and some interesting use cases are on the github page
• He really needs to change the project name though ***

PCBSD weekly digest

• Lots of bugfixes for PCBSD coming down the tubes
• LZ4 compression is now enabled by default on the whole pool
• The latest 10-STABLE has been imported and builds are going
• Also the latest GNOME and Cinnamon builds have been imported and much more ***

Feedback/Questions

• Bostjan writes in (IRC suggests md5deep)
• Don writes in
• kaltheat writes in (We use R0DE Podcast microphones and Logitech C920 HD webcams)
• Harri writes in ***

This episode was brought to you by

Headlines

FreeBSD 10.0-RELEASE is out

• The long awaited, giant release of FreeBSD is now official and ready to be downloaded
• One of the biggest releases in FreeBSD history, with tons of new updates
• Some features include: LDNS/Unbound replacing BIND, Clang by default (no GCC anymore), native Raspberry Pi support and other ARM improvements, bhyve, hyper-v support, AMD KMS, VirtIO, Xen PVHVM in GENERIC, lots of driver updates, ZFS on root in the installer, SMP patches to pf that drastically improve performance, Netmap support, pkgng by default, wireless stack improvements, a new iSCSI stack, FUSE in the base system... the list goes on and on
• Start up your freebsd-update or do a source-based upgrade ***

OpenSSH 6.5 CFT

• Our buddy Damien Miller announced a Call For Testing for OpenSSH 6.5
• Huge, huge release, focused on new features rather than bugfixes (but it includes those too)
• New ciphers, new key formats, new config options, see the mailing list for all the details
• Should be in OpenBSD 5.5 in May, look forward to it - but also help test on other platforms! ***

DIY NAS story, FreeNAS 9.2.1-BETA

• Another new blog post about FreeNAS!
• Instead of updating the older tutorials, the author started fresh and wrote a new one for 2014
• "I did briefly consider suggesting nas4free for the EconoNAS blog, since it’s essentially a fork off the FreeNAS tree but may run better on slower hardware, but ultimately I couldn’t recommend anything other than FreeNAS"
• Really long article with lots of nice details about his setup, why you might want a NAS, etc.
• Speaking of FreeNAS, they released 9.2.1-BETA with lots of bugfixes ***

OpenBSD needed funding for electricity.. and they got it

• Briefly mentioned at the end of last week's show, but has blown up over the internet since
• OpenBSD in the headlines of major tech news sites: slashdot, zdnet, the register, hacker news, reddit, twitter.. thousands of comments
• They needed about $20,000 to cover electric costs for the server rack in Theo's basement
• Lots of positive reaction from the community helping out so far, and it appears they have reached their goal and got $100,000 in donations
• From Bob Beck: "we have in one week gone from being in a dire situation to having a commitment of approximately $100,000 in donations to the foundation"
• This is a shining example of the BSD community coming together, and even the Linux people realizing how critical BSD is to the world at large ***

Interview - Colin Percival - cperciva@freebsd.org / @cperciva

FreeBSD on Amazon EC2, backups with Tarsnap, 10.0-RELEASE, various topics

Tutorial

Bandwidth monitoring and testing

News Roundup

pfSense talk at Tokyo FreeBSD Benkyoukai

• Isaac Levy will be presenting "pfSense Practical Experiences: from home routers, to High-Availability Datacenter Deployments"
• He's also going to be looking for help to translate the pfSense documentation into Japanese
• The event is on February 17, 2014 if you're in the Tokyo area ***

m0n0wall 1.8.1 released

• For those who don't know, m0n0wall is an older BSD-based firewall OS that's mostly focused on embedded applications
• pfSense was forked from it in 2004, and has a lot more active development now
• They switched to FreeBSD 8.4 for this new version
• Full list of updates in the changelog
• This version requires at least 128MB RAM and a disk/CF size of 32MB or more, oh no! ***

Ansible and PF, plus NTP

• Another blog post from our buddy Michael Lucas
• There've been some NTP amplification attacks recently in the news
• The post describes how he configured ntpd on a lot of servers without a lot of work
• He leverages pf and ansible for the configuration
• OpenNTPD is, not surprisingly, unaffected - use it ***

ruBSD videos online

• Just a quick followup from a few weeks ago
• Theo and Henning's talks from ruBSD are now available for download
• There's also a nice interview with Theo ***

PCBSD weekly digest

• 10.0-RC4 images are available
• Wine PBI is now available for 10
• 9.2 systems will now be able to upgrade to version 10 and keep their PBI library ***

Feedback/Questions

• Sha'ul writes in
• Kjell-Aleksander writes in
• Mike writes in
• Charlie writes in (and gets a reply)
• Kevin writes in ***

This episode was brought to you by

Headlines

OpenBSD automatic installation

• A CFT (call for testing) was posted for OpenBSD's new automatic installer process
• Using this new system, you can spin up fully-configured OpenBSD installs very quickly
• It will answer all the questions for you and can put files into place and start services
• Great for large deployments, help test it and report your findings ***

FreeNAS install guide and blog posts

• A multipart series on YouTube about installing FreeNAS
• In part 1, the guy (who is possibly Dracula, with his very Transylvanian accent..) builds his new file server and shows off the hardware
• In part 2, he shows how to install and configure FreeNAS, uses IPMI, sets up his pools
• He pronounces gigabytes as jiggabytes and it's hilarious
• We've also got an unrelated blog post about a very satisfied FreeNAS user who details his setup
• As well as another blog post from our old pal Devin Teske about his recent foray into the FreeNAS development world ***

FreeBSD 10.0-RC5 is out

• Another, unexpected RC is out for 10.0
• Minor fixes included, please help test and report any bugs
• You can update via freebsd-update or from source
• Hopefully this will be the last one before 10.0-RELEASE, which has tons of new features we'll talk about
• It's been tagged -RELEASE in SVN already too! ***

OpenBSD 5.5-beta is out

• Theo updated the branch status to 5.5-beta
• A list of changes
• Help test and report any bugs you find
• Lots of rapid development with signify (which we mentioned last week), the beta includes some "test keys"
• Does that mean it'll be part of the final release? We'll find out in May.. or when we interview Ted (soon) ***

Interview - Neel Natu & Peter Grehan - neel@freebsd.org & grehan@freebsd.org

BHyVe - the BSD hypervisor

Tutorial

Virtualization with bhyve

News Roundup

Hostname canonicalisation in OpenSSH

• Blog post from our friend Damien Miller
• This new feature allows clients to canonicalize unqualified domain names
• SSH will know if you typed "ssh bsdnow" you meant "ssh bsdnow.tv" with new config options
• This will help clean up some ssh configs, especially if you have many hosts
• Should make it into OpenSSH 6.5, which is "due really soon" ***

Dragonfly on a Chromebook

• Some work has been done by Matthew Dillon to get DragonflyBSD working on a Google Chromebook
• These couple of posts detail some of the things he's got working so far
• Changes were needed to the boot process, trackpad and wifi drivers needed updating...
• Also includes a guide written by Dillon on how to get yours working ***

Spider in a box

• "Spiderinabox" is a new OpenBSD-based project
• Using a combination of OpenBSD, Firefox, XQuartz and VirtualBox, it creates a secure browsing experience for OS X
• Firefox runs encapsulated in OpenBSD and doesn't have access to OS X in any way
• The developer is looking for testers on other operating systems! ***

PCBSD weekly digest

• PCBSD 10 has entered into the code freeze phase
• They're focusing on fixing bugs now, rather than adding new features
• The update system got a lot of improvements
• PBI load times reduced by up to 40%! what!!! ***

Feedback/Questions

• Scott writes in
• Chris writes in
• SW writes in
• Ole writes in
• Gertjan writes in ***

This episode was brought to you by

Headlines

More faces of FreeBSD

• Another installment of the FoF series
• This time they talk with Reid Linnemann who works at Spectra Logic
• Gives a history of all the different jobs he's done, all the programming languages he knows
• Mentions how he first learned about FreeBSD, actually pretty similar to Kris' story
• "I used the system to build and install ports, and explored, getting actively involved in the mailing lists and forums, studying, passing on my own limited knowledge to those who could benefit from it. I pursued my career in the open source software world, learning the differences in BSD and GNU licensing and the fragmented nature of Linux distributions, realizing the FreeBSD community was more mature and well distributed about industry, education, and research. Everything steered me towards working with and on FreeBSD."
• Now works on FreeBSD as his day job
• The second one covers Brooks Davis
• FreeBSD committer since 2001 and core team member from 2006 through 2012
• He's helped drive our transition from a GNU toolchain to a more modern LLVM-based toolchain
• "One of the reasons I like FreeBSD is the community involved in the process of building a principled, technically-advanced operating system platform. Not only do we produce a great product, but we have fun doing it."
• Lots more in the show notes ***

We cannot trust Intel and Via’s chip-based crypto

• We woke up to see FreeBSD on the front page of The Register, Ars Technica, Slashdot and Hacker News for their strong stance on security and respecting privacy
• At the EuroBSDCon dev summit, there was some discussion about removing support for hardware-based random number generators.
• FreeBSD's /dev/random got some updates and, for 10.0, will no longer allow the use of Intel or VIA's hardware RNGs as the sole point of entropy
• "It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more" ***

OpenSMTPD 5.4.1 released

• The OpenBSD developers came out with major a new version
• Improved config syntax (please check your smtpd.conf before upgrading)
• Adds support for TLS Perfect Forward Secrecy and custom CA certificate
• MTA, Queue and SMTP server improvements
• SNI support confirmed for the next version
• Check the show notes for the full list of changes, pretty huge release
• Watch Episode 3 for an interview we did with the developers ***

More getting to know your portmgr

• The portmgr secretary, Thomas Abthorpe, interviews... himself!
• Joined as -secretary in March 2010, upgraded to full member in March 2011
• His inspiration for using BSD is "I wanted to run a webserver, and I wanted something free. I was going to use something linux, then met up with a former prof from university, and shared my story with him. He told me FreeBSD was the way to go."
• Mentions how he loves that anyone can contribute and watch it "go live"
• The second one covers Baptiste Daroussin
• The reason for his nick, bapt, is "Baptiste is too long to type"
• There's even a video of bapt joining the team! ***

Interview - Santa Clause - josh@ixsystems.com / @freenasteam

FreeNAS 9.2.0

Note: we originally scheduled the interview to be with Josh Paetzel, but Santa showed up instead.

Tutorial

FreeNAS walkthrough

News Roundup

Introducing configinit

• CloudInit is "a system originally written for Ubuntu which performs configuration of a system at boot-time based on user-data provided via EC2"
• Wasn't ideal for FreeBSD since it requires python and is designed around the concept of configuring a system by running commands (rather than editing configuration files)
• Colin Percival came up with configinit, a FreeBSD alternative
• Alongside his new "firstboot-pkgs" port, it can spin up a webserver in 120 seconds from "launch" of the EC2 instance
• Check the show notes for full blog post ***

OpenSSH support for Ed25519 and bcrypt keys

• New Ed25519 key support (hostkeys and user identities) using the public domain ed25519 reference code
• SSH private keys were encrypted with a symmetric key that's just an MD5 of their password
• Now they'll be using bcrypt by default
• We'll get more into this in next week's interview ***

The FreeBSD challenge

• A member of the Linux foundation blogs about using FreeBSD
• Goes through all the beginner steps, has to "unlearn" some of his Linux ways
• Only a few posts as of this time, but it's a continuing series that may be helpful for switchers ***

PCBSD weekly digest

• GNOME3, cinnamon and mate desktops are in the installer
• Compat layer updated to CentOS 6, enables newest Skype
• Looking for people to test printers and hplip
• Continuing work on grub, but the ability to switch between bootloaders is back ***

Feedback/Questions

• Bostjan writes in
• Jason writes in
• John writes in
• Kjell-Aleksander writes in
• Alexy writes in ***