This episode was brought to you by

Headlines

OpenBSD presents tame

• Theo de Raadt sent out an email detailing OpenBSD's new "tame" subsystem, written by Nicholas Marriott and himself, for restricting what processes can and can't do
• When using tame, programs will switch to a "restricted-service operating mode," limiting them to only the things they actually need to do
• As for the background: "Generally there are two models of operation. The first model requires a major rewrite of application software for effective use (ie. capsicum). The other model in common use lacks granularity, and allows or denies an operation throughout the entire lifetime of a process. As a result, they lack differentiation between program 'initialization' versus 'main servicing loop.' systrace had the same problem. My observation is that programs need a large variety of calls during initialization, but few in their main loops."
• Some initial categories of operation include: computation, memory management, read-write operations on file descriptors, opening of files and, of course, networking
• Restrictions can also be stacked further into the lifespan of the process, but removed abilities can never be regained (obviously)
• Anything that tries to access resources outside of its in-place limits gets terminated with a SIGKILL or, optionally, a SIGABRT (which can produce useful core dumps for investigation)
• Also included are 29 examples of userland programs that get additional protection with very minimal changes to the source - only 2 or 3 lines needing changed in the case of binaries like cat, ps, dmesg, etc.
• This is an initial work-in-progress version of tame, so there may be more improvements or further control options added before it hits a release (very specific access policies can sometimes backfire, however)
• The man page, also included in the mail, provides some specifics about how to integrate tame properly into your code (which, by design, was made very easy to do - making it simple means third party programs are more likely to actually use it)
• Kernel bits are in the tree now, with userland changes starting to trickle in too
• Combined with a myriad of memory protections, tight privilege separation and (above all else) good coding practices, tame should further harden the OpenBSD security fortress
• Further discussion can be found in the usual places you'd expect ***

Using Docker on FreeBSD

• With the experimental Docker port landing in FreeBSD a few weeks ago, some initial docs are starting to show up
• This docker is "the real thing," and isn’t using a virtual machine as the backend - as such, it has some limitations
• The FreeBSD wiki has a page detailing how it works in general, as well as more info about those limitations
• When running Linux containers, it will only work as well as the Linux ABI compat layer for your version of FreeBSD (11.0, or -CURRENT when we're recording this, is where all the action is for 64bit support)
• For users on 10.X, there's also a FreeBSD container available, which allows you to use Docker as a fancy jail manager (it uses the jail subsystem internally)
• Give it a try, let us know how you find it to be compared to other solutions ***

OpenBSD imports doas, removes sudo

• OpenBSD has included the ubiquitous "sudo" utility for many years now, and the current maintainer of sudo (Todd C. Miller) is also a long-time OpenBSD dev
• The version included in the base system was much smaller than the latest current version used elsewhere, but was based on older code
• Some internal discussion lead to the decision that sudo should probably be moved to ports now, where it can be updated easily and offer all the extra features that were missing in base (LDAP and whatnot)
• Ted Unangst conjured up with a rewritten utility to replace it in the base system, dubbed "do as," with the aim of being more simple and compact
• There were concerns that sudo was too big and too complicated, and a quick 'n' dirty check reveals that doas is around 350 lines of code, while sudo is around 10,000 - which would you rather have as a setuid root binary?
• After the initial import, a number of developers began reviewing and improving various bits here and there
• You can check out the code now if you're interested
• Command usage and config syntax seem pretty straightforward
• More discussion on HN ***

What would you like to see in FreeBSD

• Adrian Chadd started a reddit thread about areas in which FreeBSD could be improved, asking the community what they'd like to see
• There are over 200 comments that span a wide range of topics, so we'll just cover a few of the more popular requests - check the very long thread if you're interested in more
• The top comment says things don't "just work," citing failover link aggregation of LACP laggs, PPPoE issues, disorganized jail configuration options, unclear CARP configuration and userland dtrace being unstable
• Another common one was that there are three firewalls in the base system, with ipfilter and pf being kinda dead now - should they be removed, and more focus put into ipfw?
• Video drivers also came up frequently, with users hoping for better OpenGL support and support for newer graphics cards from Intel and AMD - similar comments were made about wireless chipsets as well
• Some other replies included more clarity with pkgng output, paying more attention to security issues, updating PF to match the one in OpenBSD, improved laptop support, a graphical installer, LibreSSL in base, more focus on embedded MIPS devices, binary packages with different config options, steam support and lots more
• At least one user suggested better "marketing" for FreeBSD, with more advocacy and (hopefully) more business adoption
• That one really applies to all the BSDs, and regular users (that's you listening to this) can help make it happen for whichever ones you use right now
• Maybe Adrian can singlehandedly do all the work and make all the users happy ***

Interview - Ryan Lortie & Baptiste Daroussin

Porting the latest GNOME code to FreeBSD

News Roundup

Introducing resflash

• If you haven't heard of resflash before, it's "a tool for building OpenBSD images for embedded and cloud environments in a programmatic, reproducible way"
• One of the major benefits to images like this is the read-only filesystem, so there's no possibility of filesystem corruption if power is lost
• There's an optional read-write partition as well, used for any persistent changes you want to make
• You can check out the source code on Github or read the main site for more info ***

Jails with iocage

• There are a growing number of FreeBSD jail management utilities: ezjail, cbsd, warden and a few others
• After looking at all the different choices, the author of this blog post eventually settled on iocage for the job
• The post walks you through the basic configuration and usage of iocage for creating managing jails
• If you've been unhappy with ezjail or some of the others, iocage might be worth giving a try instead (it also has really good ZFS integration) ***

DragonFly GPU improvements

• DragonFlyBSD continues to up their graphics game, this time with Intel's ValleyView series of CPUs
• These GPUs are primarily used in the newer Atom CPUs and offer much better performance than the older ones
• A git branch was created to hold the fixes for now while the last remaining bugs get fixed
• Fully-accelerated Broadwell support and an update to newer DRM code are also available in the git branch, and will be merged to the main tree after some testing ***

Branchless development

• Ted Unangst has a new blog post up, talking about software branches and the effects of having (or not having) them
• He covers integrating and merging code, and the versioning problems that can happen with multiple people contributing at once
• "For an open source project, branching is counter intuitively antisocial. For instance, I usually tell people I’m running OpenBSD, but that’s kind of a lie. I’m actually running teduBSD, which is like OpenBSD but has some changes to make it even better. Of course, you can’t have teduBSD because I’m selfish. I’m also lazy, and only inclined to make my changes work for me, not everyone else."
• The solution, according to him, is bringing all the code the developers are using closer together
• One big benefit is that WIP code gets tested much faster (and bugs get fixed early on) ***

Feedback/Questions

• Matthew writes in
• Chris writes in
• Anonymous writes in
• Bill writes in ***

This episode was brought to you by

Headlines

Even more BSD presentation videos

• More videos from this year's MeetBSD and OpenZFS devsummit were uploaded since last week
• Robert Ryan, At the Heart of the Digital Economy
• FreeNAS & ZFS, The Indestructible Duo - Except for the Hard Drives
• Richard Yao, libzfs_core and ioctl stabilization
• OpenZFS, Company lightning talks
• OpenZFS, Hackathon Presentation and Awards
• Pavel Zakharov, Fast File Cloning
• Rick Reed, Half a billion unsuspecting FreeBSD users
• Alex Reece & Matt Ahrens, Device Removal
• Chris Side, Channel Programs
• David Maxwell, The Unix command pipeline
• Be sure to check out the giant list of videos from last week's episode if you haven't seen them already ***

NetBSD on a Cobalt Qube 2

• The Cobalt Qube was a very expensive networking appliance around 2000
• In 2014, you can apparently get one of these MIPS-based machines for about forty bucks
• This blog post details getting NetBSD installed and set up on the rare relic of our networking past
• If you're an old-time fan of RISC or MIPS CPUs, this'll be a treat for you
• Lots of great pictures of the hardware too ***

OpenBSD vs. AFL

• In their never-ending security audit, some OpenBSD developers have been hitting various parts of the tree with a fuzzer
• If you're not familiar, fuzzing is a semi-automated way to test programs for crashes and potential security problems
• The program being subjected to torture gets all sorts of random and invalid input, in the hopes of uncovering overflows and other bugs
• American Fuzzy Lop, in particular, has provided some interesting results across various open source projects recently
• So far, it's fixed some NULL pointer dereferences in OpenSSH, various crashes in tcpdump and mandoc and a few other things
• AFL has an impressive list of CVEs (vulnerabilities) that it's helped developers discover and fix
• It also made its way into OpenBSD ports, FreeBSD ports and NetBSD's pkgsrc very recently, so you can try it out for yourself ***

GNOME 3 hits the FreeBSD ports tree

• While you've been able to run GNOME 3 on PC-BSD and OpenBSD for a while, it hasn't actually hit the FreeBSD ports tree.. until now
• Now you can play with GNOME 3 and all its goodies (as well as Cinnamon 2.2, which this also brings in) on vanilla FreeBSD
• Be sure to check the commit message and /usr/ports/UPDATING if you're upgrading from GNOME 2
• You might also want to go back and listen to our interview with Joe Marcus Clark about GNOME's portability ***

Interview - Brendan Gregg - bgregg@netflix.com / @brendangregg

Performance tuning, benchmarks, debugging

News Roundup

DragonFlyBSD 4.0 released

• A new major version of DragonFly, 4.0.1, was just recently announced
• This version includes support for Haswell GPUs, lots of SMP improvements (including some in PF) and support for up to 256 CPUs
• It's also the first release to drop support for i386, so it joins PCBSD in the 64 bit-only club
• Check the release notes for all the details, including networking and kernel improvements, as well as some crypto changes ***

Can we talk about FreeBSD vs Linux

• Hackernews had a recent thread about discussing Linux vs BSD, and the trolls stayed away for once
• Rather than rehashing why one is "better" than the other, it was focused on explaining some of the differences between ecosystems and communities
• If you're one of the many people who watch our show just out of curiosity about the BSD world, this might be a good thread to read
• Someone in the comments even gave bsdnow.tv a mention as a good resource to learn, thanks guy ***

OpenBSD IPSEC tunnel guide

• If you've ever wanted to connect two networks with OpenBSD gateways, this is the article for you
• It shows how to set up an IPSEC tunnel between destinations, how to lock it down and how to access all the machines on the other network just like they were on your LAN
• The article also explains some of the basics of IPSEC if you're not familiar with all the terminology, so this isn't just for experts
• Though the article itself is a few years old, it mostly still applies to the latest stuff today
• All the tools used are in the OpenBSD base system, so that's pretty handy too ***

DragonFly starts work on IPFW2

• DragonFlyBSD, much like FreeBSD, comes with more than one firewall you can use
• Now it looks like you're going to have yet another choice, as someone is working on a fork of IPFW (which is actually already in its second version, so it should be "IPFW3")
• Not a whole lot is known yet; it's still in heavy development, but there's a brief roadmap page with some planned additions
• The guy who's working on this has already agreed to come on the show for an interview, but we're going to give him a chance to get some more work done first
• Expect that sometime next year, once he's made some progress ***

Feedback/Questions

• Michael writes in
• Samael writes in
• Steven writes in
• Remy writes in
• Michael writes in ***

This episode was brought to you by

Headlines

Portscout ported to OpenBSD

• Portscout is a popular utility used in the FreeBSD ports infrastructure
• It lets port maintainers know when there's a new version of the upstream software available by automatically checking the distfile mirror
• Now OpenBSD porters can enjoy the same convenience, as it's been ported over
• You can view the status online to see how it works and who maintains what
• The developer who ported it is working to get all the current features working on OpenBSD, and added a few new features as well
• He decided to fork and rename it a few days later ***

Sysadmins and systemd refugees flocking to BSD

• With all the drama in Linux land about the rapid changes to their init system, a lot of people are looking at BSD alternatives
• This "you got your Windows in my Linux" article (and accompanying comments) give a nice glimpse into the minds of some of those switchers
• Both server administrators and regular everyday users are switching away from Linux, as more and more distros give them no choice but to use systemd
• Fortunately, the BSD communities are usually very welcoming of switchers - it's pretty nice on this side! ***

OpenBSD's versioning schemes

• Ted Unangst explains the various versioning systems within OpenBSD, from the base to libraries to other included software
• In contrast to FreeBSD's release cycle, OpenBSD isn't as concerned with breaking backwards compatibility (but only if it's needed to make progress)
• This allows them to innovate and introduce new features a lot more easily, and get those features in a stable release that everyone uses
• He also details the difference between branches, their errata system and lack of "patch levels" for security
• Some other things in OpenBSD don't have version numbers at all, like tmux
• "Every release adds some new features, fixes some old bugs, probably adds a new bug or two, and, if I have anything to say about it, removes some old features." ***

VAXstation 4000 Model 90 booting NetBSD

• We found a video of NetBSD booting on a 22 year old VAX workstation, circa 1992
• This system has a monstrous 71 MHz CPU and 128MB of ECC RAM
• It continues in part two, where we learn that it would've cost around $25,000 when it was released!
• The uploader talks about his experiences getting NetBSD on it, what does and doesn't work, etc
• It's interesting to see that such old hardware isn't necessarily obsolete just because newer things have come out since then (but maybe don't try to build world on it...) ***

Interview - Ken Moore - ken@pcbsd.org

The Lumina desktop environment

Special segment

Lumina walkthrough

News Roundup

Suricata for IDS on pfSense

• While most people are familiar with Snort as an intrusion detection system, Suricata is another choice
• This guide goes through the steps of installing and configuring it on a public-facing pfSense box
• Part two details some of the configuration steps
• One other cool thing about Suricata - it's compatible with Snort rules, so you can use the same updates
• There's also another recent post about snort as well, if that's more your style
• If you run pfSense (or any BSD) as an edge router for a lot of users, this might be worth looking into ***

OpenBSD's systemd API emulation project

• This story was pretty popular in the mainstream news this week
• For the Google Summer of Code, a student is writing emulation wrappers for some of systemd's functions
• There was consideration from some Linux users to port over the finished emulation back to Linux, so they wouldn't have to run the full systemd
• One particularly interesting Slashdot comment snippet: "We are currently migrating a large number (much larger than planned after initial results) of systems from RHEL to BSD - a decision taken due to general unhappiness with RHEL6, but SystemD pushed us towards BSD rather than another Linux distro - and in some cases are seeing throughput gains of greater than 10% on what should be equivalent Linux and BSD server builds. The re-learning curve wasn't as steep as we expected, general system stability seems to be better too, and BSD's security reputation goes without saying."
• It will NOT be in the base system - only in ports, and only installed as a dependency for things like newer GNOME that require such APIs
• In the long run, BSD will still be safe from systemd's reign of terror, but will hopefully still be compatible with some third party packages like GNOME that insist on using it ***

GhostBSD 4 previewed

• The GhostBSD project is moving along, slowly getting closer to the 4 release
• This article shows some of the progress made, and includes lots of screenshots and interesting graphical frontends
• If you're not too familiar with GhostBSD, we interviewed the lead developer a little while back ***

NetBSD on the Banana Pi

• The Banana Pi is a tasty alternative to the Raspberry Pi, with similar hardware specs
• In this blog post, a NetBSD developer details his experiences in getting NetBSD to run on it
• After studying how the prebuilt Linux image booted, he made some notes and started hacking
• Ethernet, one of the few things not working, is being looked into and he's hoping to get it fully supported for the upcoming NetBSD 7.0
• They're only about $65 as of the time we're recording this, so it might be a fun project to try ***

Feedback/Questions

• Antonio writes in
• Garegin writes in
• Erno writes in
• Brandon writes in ***

This episode was brought to you by

Headlines

OpenBSD 5.5 released

• If you ordered a CD set then you've probably had it for a little while already, but OpenBSD has formally announced the public release of 5.5
• This is one of the biggest releases to date, with a very long list of changes and improvements
• Some of the highlights include: time_t being 64 bit on all platforms, release sets and binary packages being signed with the new signify tool, a new autoinstall feature of the installer, SMP support on Alpha, a new AViiON port, lots of new hardware drivers including newer NICs, the new vxlan driver, relayd improvements, a new pf queue system for bandwidth shaping, dhcpd and dhclient fixes, OpenSMTPD 5.4.2 and all its new features, position-independent executables being default for i386, the RNG has been replaced with ChaCha20 as well as some other security improvements, FUSE support, tmpfs, softraid partitions larger than 2TB and a RAID 5 implementation, OpenSSH 6.6 with all its new features and fixes... and a lot more
• The full list of changes is HUGE, be sure to read through it all if you're interested in the details
• If you're doing an upgrade from 5.4 instead of a fresh install, pay careful attention to the upgrade guide as there are some very specific steps for this version
• Also be sure to apply the errata patches on your new installations... especially those OpenSSL ones (some of which still aren't fixed in the other BSDs yet)
• On the topic of errata patches, the project is now going to also send them out (signed) via the announce mailing list, a very welcome change
• Congrats to the whole team on this great release - 5.6 is going to be even more awesome with "Libre"SSL and lots of other stuff that's currently in development ***

FreeBSD foundation funding highlights

• The FreeBSD foundation posts a new update on how they're spending the money that everyone donates
• "As we embark on our 15th year of serving the FreeBSD Project and community, we are proud of what we've done to help FreeBSD become the most innovative, reliable, and high-performance operation system"
• During this spring, they want to highlight the new UEFI boot support and newcons
• There's a lot of details about what exactly UEFI is and why we need it going forward
• FreeBSD has also needed some updates to its console to support UTF8 and wide characters
• Hopefully this series will continue and we'll get to see what other work is being sponsored ***

OpenSSH without OpenSSL

• The OpenSSH team has been hard at work, making it even better, and now OpenSSL is completely optional
• Since it won't have access to the primitives OpenSSL uses, there will be a trade-off of features vs. security
• This version will drop support for legacy SSH v1, and the only two cryptographic algorithms supported are an in-house implementation of AES in counter mode and the new combination of the Chacha20 stream cipher with Poly1305 for packet integrity
• Key exchange is limited to elliptic curve Diffie-Hellman and the newer Curve25519 KEXs
• No support for RSA, DSA or ECDSA public keys - only Ed25519
• It also includes a new buffer API and a set of wrappers to make it compatible with the existing API
• Believe it or not, this was planned before all the heartbleed craziness
• Maybe someday soon we'll have a mini-openssh-portable in FreeBSD ports and NetBSD pkgsrc, would be really neat ***

BSDMag's April 2014 issue is out

• The free monthly BSD magazine has got a new issue available for download
• This time the articles include: pascal on BSD, an introduction to revision control systems and configuration management, deploying NetBSD on AWS EC2, more GIMP tutorials, an AsiaBSDCon 2014 report and a piece about how easily credit cards are stolen online
• Anyone can contribute to the magazine, just send the editors an email about what you want to write
• No Linux articles this time around, good ***

Interview - David Chisnall - theraven@freebsd.org

The LLVM/Clang switch, FreeBSD's core team, various topics

Tutorial

RAID in FreeBSD and OpenBSD

News Roundup

BSDTalk episode 240

• Our buddy Will Backman has uploaded a new episode of BSDTalk, this time with our other buddy GNN as the guest - mainly to talk about NTP and keeping reliable time
• Topics include the specific details of crystals used in watches and computers to keep time, how temperature affects the quality, different sources of inaccuracy, some general NTP information, why you might want extremely precise time, different time sources (GPS, satellite, etc), differences in stratum levels, the problem of packet delay and estimating the round trip time, some of the recent NTP amplification attacks, the downsides to using UDP instead of TCP and... much more
• GNN also talks a little about the Precision Time Protocol and how it's different than NTP
• Two people we've interviewed talking to each other, awesome
• If you're interested in NTP, be sure to see our tutorial too ***

m2k14 trip reports

• We've got a few more reports from the recent OpenBSD hackathon in Morocco
• The first one is from Antoine Jacoutot (who is a key GNOME porter and gave us the screenshots for the OpenBSD desktop tutorial)
• "Since I always fail at actually doing whatever I have planned for a hackathon, this time I decided to come to m2k14 unprepared about what I was going to do"
• He got lots of work done with ports and pushing GNOME-related patches back up to the main project, then worked on fixing ports' compatibility with LibreSSL
• Speaking of LibreSSL, there's an article all would-be portable version writers should probably read and take into consideration
• Jasper Adriaanse also writes about what he got done over there
• He cleaned up and fixed the puppet port to work better with OpenBSD ***

Why you should use FreeBSD on your cloud VPS

• Here we have a blog post from Atlantic, a VPS and hosting provider, about 10 reasons for using FreeBSD
• Starts off with a little bit of BSD history for those who are unfamiliar with it and only know Linux and Windows
• The 10 reasons are: community, stability, collaboration, ease of use, ports, security, ZFS, GEOM, sound and having lots of options
• The post goes into detail about each of them and why FreeBSD makes a great choice for a VPS OS ***

PCBSD weekly digest

• Big changes coming in the way PCBSD manages software
• The PBI system, AppCafe and related tools are all going to use pkgng now
• The AppCafe will no longer be limited to PBIs, so much more software will be easily available from the ports tree
• New rating system coming soon and much more ***

Feedback/Questions

• Martin writes in
• John writes in
• Alex writes in
• Goetz writes in
• Jarrad writes in ***

This episode was brought to you by

Headlines

Preorders for cool BSD stuff

• The 2nd edition of The Design and Implementation of the FreeBSD Operating System is up for preorder
• We talked to GNN briefly about it, but he and Kirk have apparently finally finished the book
• "For many years, The Design and Implementation of the FreeBSD Operating System has been recognized as the most complete, up-to-date, and authoritative technical guide to FreeBSD's internal structure. Now, this definitive guide has been extensively updated to reflect all major FreeBSD improvements between Versions 5 and Versions 11"
• OpenBSD 5.5 preorders are also up, so you can buy a CD set now
• You can help support the project, and even get the -release of the OS before it's available publicly
• 5.5 is a huge release with lots of big changes, so now is the right time to purchase one of these - tell Austin we sent you! ***

pkgsrcCon 2014 CFP

• This year's pkgsrcCon is in London, on June 21st and 22nd
• There's a Call For Papers out now, so you can submit your talks
• Anything related to pkgsrc is fine, it's pretty informal
• Does anyone in the audience know if the talks will be recorded? This con is relatively unknown ***

BSDMag issue for March 2014

• The monthly BSD magazine releases its newest issue
• Topics this time include: deploying NetBSD using AWS EC2, creating a multi-purpose file server with NetBSD, DragonflyBSD as a backup server, more GIMP lessons, network analysis with wireshark and a general security article
• The Linux article trend seems to continue... hmm ***

Non-ECC RAM in FreeNAS

• We've gotten a few questions about ECC RAM with ZFS
• Here we've got a surprising blog post about why someone did not go with ECC RAM for his NAS build
• The article mentions the benefits of ECC and admits it is a better choice in nearly all instances, but unfortunately it's not very widespread in consumer hardware motherboards and it's more expensive
• Regular RAM also has "special" issues with ZFS and pool corruption
• Long post, so check out the whole thing if you've been considering your memory options and weighing the benefits ***

Interview - Pierre Pronchery - khorben@edgebsd.org / @khorben

EdgeBSD (slides)

Tutorial

Building an OpenBSD desktop

News Roundup

Getting to know your portmgr-lurkers

• This week we get to hear from Frederic Culot, colut@
• Originally an OpenBSD user from France, Frederic joined as a ports committer in 2010 and recently joined the portmgr lurkers team
• "FreeBSD is also one of my sources of inspiration when it comes to how organizations behave and innovate, and I find it very interesting to compare FreeBSD with the for-profit companies I work for"
• We get to find out a little bit about him, why he loves FreeBSD and what he does for the project ***

NetBSD on the Playstation 2

• Who doesn't want to run NetBSD on their old PS2?
• The PS2 port of NetBSD was sadly removed in 2009, but it has been revived
• It's using a slightly unusual MIPS CPU that didn't have much GCC support
• Hopefully a bootable kernel will be available soon ***

The FreeBSD Challenge update

• Our friend from the Linux Foundation continues his FreeBSD switching journey
• This time he starts off by discovering virtual machines suck at keeping accurate time, and some ports weren't working because of his clock being way off
• After polling the IRC for help, he finally learns the difference between ntpdate and ntpd and both of their use cases
• Maybe he should've just read our NTP tutorial! ***

PCBSD weekly digest

• The mount tray icon got lots of updates and fixes
• The faulty distribution server has finally been tracked down and... destroyed
• New language localization project is in progress
• Many many updates to ports and PBIs, new -STABLE builds ***

Feedback/Questions

• Antonio writes in
• Patrick writes in
• Chris writes in
• Ron writes in
• Tyler writes in ***