NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Did Linux Kill Commercial Unix?

Sales of commercial Unix have fallen off a cliff. There has to be something behind this dramatic decline. Has Linux killed its ancestor by becoming a perfectly viable replacement, like an operating system version of Invasion of the Body Snatchers?

---

Wireguard: Simple and Secure VPN in FreeBSD

• A great article by Tom Jones about setting up Wireguard on FreeBSD ***

Setup a Three Node Replicated GlusterFS Cluster on FreeBSD

GlusterFS (GFS) is the open source equivalent to Microsoft's Distributed Filesystem (DFS). It's a service that replicates the contents of a filesystem in real time from one server to another. Clients connect to any server and changes made to a file will replicate automatically. It's similar to something like rsync or syncthing, but much more automatic and transparent. A FreeBSD port has been available since v3.4, and (as of this post) is currently at version 8.0 with 9.0 being released soon.

---

News Roundup

OpenBSD on the Lenovo ThinkPad X1 Nano (1st Gen)

Lenovo has finally made a smaller version of its X1 Carbon, something I’ve been looking forward to for years.

---

NetBSD on the EdgeRouter Lite

NetBSD-current now has pre-built octeon bootable images (which will appear in NetBSD 10.0) for the evbmips port, so I decided to finally give it a try. I've been happily running OpenBSD/octeon on my EdgeRouter Lite for a few years now, and have previously published some notes including more detail about the CPU.

---

“TLS Mastery” first draft done!

---

Beastie Bits

• A Thread on a FreeBSD Desktop for PineBook Pro
• FOSSASIA Conference - March 2021(Virtual)
• WireGuard for pfSense Software
• NetBSD logo to going Moon *** ###Tarsnap
• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. ### Producer's Note > Hey everybody, it’s JT here. After our AMA episode where I mentioned I was looking for older BSD Retail Copies, I was contacted by Andrew who hooked me up with a bunch of OpenBSD disks from the 4.x era. So shout out to him, and since that worked so well, I figured I'd give it another shot and ask that if anyone has any old Unixes that will run on an 8088, 8086, or 286 and you're willing to send me copies of the disks. I've recently dug out an old 286 system and I’d love to get a Unix OS on it. I know of Minix, Xenix and Microport, but I haven’t been able to find many versions of them. I've found Microport 1.3.3, and SCO Xenix... but that's about it. Let me know if you happen to have any other versions, or know where I can get them.
  

Feedback/Questions

• Christian - ZFS replication and verification
• Iain - progress
• Paul - APU2 device ***
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

Headlines

Tales From a Core File - Lessons from the Unix stdio ABI: 40 Years Later

On the side, I’ve been wrapping up some improvements to the classic Unix stdio libraries in illumos. stdio contains the classic functions like fopen(), printf(), and the security nightmare gets(). While working on support for fmemopen() and friends I got to reacquaint myself with some of the joys of the stdio ABI and its history from 7th Edition Unix. With that in mind, let’s dive into this, history, and some mistakes not to repeat. While this is written from the perspective of the C programming language, aspects of it apply to many other languages.

Update Lenovo X260 BIOS with OpenBSD

My X260 only runs OpenBSD and has no CD driver. But I still need to upgrade its BIOS from time to time. And this is possible using the ISO BIOS image.

First off all, you need to download the “BIOS Update (Bootable CD)” from the Lenovo Support Website.

News Roundup

The problem of Unix iowait and multi-CPU machines

Various Unixes have had a 'iowait' statistic for a long time now (although I can't find a source for where it originated; it's not in 4.x BSD, so it may have come through System V and sar). The traditional and standard definition of iowait is that it's the amount of time the system was idle but had at least one process waiting on disk IO. Rather than count this time as 'idle' (as you would if you had a three-way division of CPU time between user, system, and idle), some Unixes evolved to count this as a new category, 'iowait'.

My Latest Self Hosted Hugo Workflow using FreeBSD Jails, Caddy, Restic and More

After hosting with Netlify for a few years, I decided to head back to self hosting. Theres a few reasons for that but the main reasoning was that I had more control over how things worked.

In this post, i’ll show you my workflow for deploying my Hugo generated site (www.jaredwolff.com). Instead of using what most people would go for, i’ll be doing all of this using a FreeBSD Jails based server. Plus i’ll show you some tricks i’ve learned over the years on bulk image resizing and more.

Let’s get to it.

Extending support for the NetBSD-7 branch

Typically, some time after releasing a new NetBSD major version (such as NetBSD 9.0), we will announce the end-of-life of the N-2 branch, in this case NetBSD-7.

We've decided to hold off on doing that to ensure our users don't feel rushed to perform a major version update on any remote machines, possibly needing to reach the machine if anything goes wrong.

Security fixes will still be made to the NetBSD-7 branch.

We hope you're all safe. Stay home.

Tale of two hypervisor bugs - Escaping from FreeBSD bhyve

VM escape has become a popular topic of discussion over the last few years. A good amount of research on this topic has been published for various hypervisors like VMware, QEMU, VirtualBox, Xen and Hyper-V. Bhyve is a hypervisor for FreeBSD supporting hardware-assisted virtualization. This paper details the exploitation of two bugs in bhyve - FreeBSD-SA-16:32.bhyve (VGA emulation heap overflow) and CVE-2018-17160 (Firmware Configuration device bss buffer overflow) and some generic techniques which could be used for exploiting other bhyve bugs. Further, the paper also discusses sandbox escapes using PCI device passthrough, and Control-Flow Integrity bypasses in HardenedBSD 12-CURRENT

Beastie Bits

• GhostBSD 20.02 Overview
• FuryBSD 12.1 Overview > Joe Maloney got in touch to say that the issues in the video and other ones found have since been fixed. Now that's community feedback in action, and an example of a developer who does his best to help the community. A great guy indeed.
• OS108-9.0 amd64 MATE released
• FreeBSD hacking: carp panics & test
• Inaugural FreeBSD Office Hours

Feedback/Questions

• Shody - systemd question
• Ben - GELI and GPT
• Stig - DIY NAS

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Headlines

BSDCan 2015 schedule

• The list of presentations for the upcoming BSDCan conference has been posted, and the time schedule should be up shortly as well
• Just a reminder: it's going to be held on June 12th and 13th at the University of Ottawa in Canada
• This year's conference will have a massive fifty talks, split up between four tracks instead of three (but unfortunately a person can only be in one place at a time)
• Both Allan and Kris had at least one presentation accepted, and Allan will also be leading a few "birds of a feather" gatherings
• In total, there will be three NetBSD talks, five OpenBSD talks, eight BSD-neutral talks, thirty-five FreeBSD talks and no DragonFly talks
• That's not the ideal balance we'd hope for, but BSDCan says they'll try to improve that next year
• Those numbers are based on the speaker's background, or any past presentations, for the few whose actual topic wasn't made obvious from the title (so there may be a small margin of error)
• Michael Lucas (who's on the BSDCan board) wrote up a blog post about the proposals and rejections this year
• If you can't make it this year, don't worry, we'll be sure to announce the recordings when they're made available
• We also interviewed Dan Langille about the conference and what to expect this year, so check that out too ***

SSL interception with relayd

• There was a lot of commotion recently about superfish, a way that Lenovo was intercepting HTTPS traffic and injecting advertisements
• If you're running relayd, you can mimic this evil setup on your own networks (just for testing of course…)
• Reyk Floeter, the guy who wrote relayd, came up a blog post about how to do just that
• It starts off with some backstory and some of the things relayd is capable of
• relayd can run as an SSL server to terminate SSL connections and forward them as plain TCP and, conversely, run as an SSL client to terminal plain TCP connections and tunnel them through SSL
• When you combine these two, you end up with possibilities to filter between SSL connections, effectively creating a MITM scenario
• The post is very long, with lots of details and some sample config files - the whole nine yards ***

OPNsense 15.1.6.1 released

• The OPNsense team has released yet another version in rapid succession, but this one has some big changes
• It's now based on FreeBSD 10.1, with all the latest security patches and driver updates (as well as some in-house patches)
• This version also features a new tool for easily upgrading between versions, simply called "opnsense-update" (similar to freebsd-update)
• It also includes security fixes for BIND and PHP, as well as some other assorted bug fixes
• The installation images have been laid out in a clean way: standard CD and USB images that default to VGA, as well as USB images that default to a console output (for things like Soekris and PCEngines APU boards that only have serial ports)
• With the news of m0n0wall shutting down last week, they've also released bare minimum hardware specifications required to run OPNsense on embedded devices
• Encouraged by last week's mention of PCBSD trying to cut ties with OpenSSL, OPNsense is also now providing experimental images built against LibreSSL for testing (and have instructions on how to switch over without reinstalling) ***

OpenBSD on a Minnowboard Max

• What would our show be without at least one story about someone installing BSD on a weird device
• For once, it's actually not NetBSD…
• This article is about the minnowboard max, a very small X86-based motherboard that looks vaguely similar to a Raspberry Pi
• It's using an Atom CPU instead of ARM, so overall application compatibility should be a bit better (and it even has AES-NI, so crypto performance will be much better than a normal Atom)
• The author describes his entirely solid-state setup, noting that there's virtually no noise, no concern about hard drives dying and very reasonable power usage
• You'll find instructions on how to get OpenBSD installed and going throughout the rest of the article
• Have a look at the spec sheet if you're interested, they make for cool little BSD boxes ***

Netmap for 40gbit NICs in FreeBSD

• Luigi Rizzo posted an announcement to the -current mailing list, detailing some of the work he's just committed
• The ixl(4) driver, that's one for the X1710 40-gigabit card, now has netmap support
• It's currently in 11-CURRENT, but he says it works in 10-STABLE and will be committed there too
• This should make for some serious packet-pushing power
• If you have any network hardware like this, he would appreciate testing for the new code ***

Interview - Ken Westerback - directors@openbsdfoundation.org

The OpenBSD foundation's activities

News Roundup

s2k15 hackathon report: dhclient/dhcpd/fdisk

• The second trip report from the recent OpenBSD hackathon has been published, from the very same guy we just talked to
• Ken was also busy, getting a few networking-related things fixed and improved in the base system
• He wrote a few new small additions for dhclient and beefed up the privsep security, as well as some fixes for tcpdump and dhcpd
• The fdisk tool also got worked on a bit, enabling OpenBSD to properly wipe GPT tables on a previously-formatted disk so you can do a normal install on it
• There's apparently plans for "dhclientng" - presumably a big improvement (rewrite?) of dhclient ***

FreeBSD beginner video series

• A new series of videos has started on YouTube, aimed at helping total beginners learn about FreeBSD
• We usually assume that people who watch the show are already familiar with basic concepts, but they'd be a great introduction to any of your friends that are looking to get started with BSD and need a helping hand
• So far, he's covered how to get FreeBSD, an introduction to installing in VirtualBox, a simple installation or a more in-depth manual installation, navigating the filesystem, basic ssh use, managing users and groups and finally some basic editing with vi and a few other topics
• Everyone's gotta start somewhere and, with a little bit of initial direction, today's newbies could be tomorrow's developers
• It should be an ongoing series with more topics to come ***

NetBSD tests: zero unexpected failures

• The NetBSD guys have a new blog post up about their testing suite for all the CPU architectures
• They've finally gotten the number of "expected" failures down to zero on a few select architectures
• Results are published on a special release engineering page, so you can have a look if you're interested
• The rest of the post links to the "top performers" (ones with less than ten failure) in the -current branch ***

PCBSD switches to IPFW

• The PCBSD crew continues their recent series of switching between major competing features
• This time, they've switched the default firewall away from PF to FreeBSD's native IPFW firewall
• Look forward to Kris wearing a "keep calm and use IPFW" shir- wait ***

Feedback/Questions

• Sean writes in
• Dan writes in
• Florian writes in
• Sean writes in
• Chris writes in ***

Mailing List Gold

• VCS flamebait
• Hidden agenda ***