web02.fireside.fm Tue, 26 May 2026 04:45:58 -0500 Fireside (https://fireside.fm) BSD Now - Episodes Tagged with “Network Stack” https://www.bsdnow.tv/tags/network%20stack Thu, 18 Mar 2021 03:00:00 -0400 Created by three guys who love BSD, we cover the latest news and have an extensive series of tutorials, as well as interviews with various people from all areas of the BSD community. It also serves as a platform for support and questions. We love and advocate FreeBSD, OpenBSD, NetBSD, DragonFlyBSD and TrueOS. Our show aims to be helpful and informative for new users that want to learn about them, but still be entertaining for the people who are already pros. The show airs on Wednesdays at 2:00PM (US Eastern time) and the edited version is usually up the following day. en-us episodic A weekly podcast and the place to B...SD JT Pennington Created by three guys who love BSD, we cover the latest news and have an extensive series of tutorials, as well as interviews with various people from all areas of the BSD community. It also serves as a platform for support and questions. We love and advocate FreeBSD, OpenBSD, NetBSD, DragonFlyBSD and TrueOS. Our show aims to be helpful and informative for new users that want to learn about them, but still be entertaining for the people who are already pros. The show airs on Wednesdays at 2:00PM (US Eastern time) and the edited version is usually up the following day. no berkeley,freebsd,openbsd,netbsd,dragonflybsd,trueos,trident,hardenedbsd,tutorial,howto,guide,bsd,interview JT Pennington feedback@bsdnow.tv 394: FreeBSD on Mars https://www.bsdnow.tv/394 65a9a52b-9058-4d08-8c38-8a1bffad6c86 Thu, 18 Mar 2021 03:00:00 -0400 JT Pennington full JT Pennington Onboard Scheduler for the Mars 2020 Rover, Practical Guide to Storage of Large Amounts of Microscopy Data, OpenBSD guest with bhyve - OmniOS, NextCloud on OpenBSD, MySQL Transactions - the physical side, TrueNAS 12.0-U2.1 is released, HardenedBSD 2021 State of the Hardened Union, and more 43:31 no <p>Onboard Scheduler for the Mars 2020 Rover, Practical Guide to Storage of Large Amounts of Microscopy Data, OpenBSD guest with bhyve - OmniOS, NextCloud on OpenBSD, MySQL Transactions - the physical side, TrueNAS 12.0-U2.1 is released, HardenedBSD 2021 State of the Hardened Union, and more</p> <p><strong><em>NOTES</em></strong><br> This episode of BSDNow is brought to you by <a href="https://www.tarsnap.com/bsdnow" target="_blank" rel="nofollow noopener">Tarsnap</a></p> <h2>Headlines</h2> <h3><a href="https://ai.jpl.nasa.gov/public/documents/papers/rabideau_iwpss2017_prototyping.pdf" target="_blank" rel="nofollow noopener">Prototyping an Onboard Scheduler for the Mars 2020 Rover</a></h3> <ul> <li>The mars rover runs VxWorks, which is based on BSD, and uses the FreeBSD networking stack. While there has been a lot of type about the little helicopter that was inside the rover running Linux, the rover itself runs BSD. *** ### <a href="https://www.cambridge.org/core/journals/microscopy-today/article/practical-guide-to-storage-of-large-amounts-of-microscopy-data/D3CE39447BFF5BBF9B3ED8A0C35C6F36" target="_blank" rel="nofollow noopener">Practical Guide to Storage of Large Amounts of Microscopy Data</a> &gt; Biological imaging tools continue to increase in speed, scale, and resolution, often resulting in the collection of gigabytes or even terabytes of data in a single experiment. In comparison, the ability of research laboratories to store and manage this data is lagging greatly. This leads to limits on the collection of valuable data and slows data analysis and research progress. Here we review common ways researchers store data and outline the drawbacks and benefits of each method. We also offer a blueprint and budget estimation for a currently deployed data server used to store large datasets from zebrafish brain activity experiments using light-sheet microscopy. Data storage strategy should be carefully considered and different options compared when designing imaging experiments. *** ## News Roundup ### <a href="https://www.pbdigital.org/omniosce/bhyve/openbsd/2020/06/08/bhyve-zones-omnios.html" target="_blank" rel="nofollow noopener">OpenBSD guest with bhyve - OmniOS</a> &gt; Today I will be creating a OpenBSD guest via bhyve on OmniOS. I will also be adding a Pass Through Ethernet Controller so I can have a multi-homed guest that will serve as a firewall/router. &gt; This post will cover setting up bhyve on OmniOS, so it will also be a good introduction to bhyve. As well, I look into OpenBSD’s uEFI boot loader so if you have had trouble with this, then you are in the right place. *** ### <a href="https://h3artbl33d.nl/blog/nextcloud-on-openbsd" target="_blank" rel="nofollow noopener">NextCloud on OpenBSD</a> &gt; NextCloud and OpenBSD are complimentary to one another. NextCloud is an awesome, secure and private alternative for propietary platforms, whereas OpenBSD forms the most secure and solid foundation to serve it on. Setting it up in the best way isn’t hard, especially using this step by step tutorial.</li> </ul> <hr> <h3><a href="https://blog.koehntopp.info/2020/07/27/mysql-transactions.html" target="_blank" rel="nofollow noopener">MySQL Transactions - the physical side</a></h3> <p>&gt; So you talk to a database, doing transactions. What happens actually, behind the scenes? Let’s have a look.</p> <hr> <h3><a href="https://www.truenas.com/docs/hub/intro/release-notes/12.0u2.1/" target="_blank" rel="nofollow noopener">TrueNAS 12.0-U2.1 is released</a></h3> <hr> <h3><a href="https://www.nycbug.org/index?action=view&amp;id=10682" target="_blank" rel="nofollow noopener">HardenedBSD 2021 State of the Hardened Union - NYCBUG - 2021-04-07</a></h3> <hr> <h2>Beastie Bits</h2> <ul> <li> <a href="https://freebsdfoundation.org/our-work/journal/" target="_blank" rel="nofollow noopener">FreeBSD Journal: Case Studies</a> *** ###Tarsnap</li> <li>This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.</li> </ul> <h2>Feedback/Questions</h2> <ul> <li><p><a href="https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/394/feedback/Al%20-%20BusyNAS" target="_blank" rel="nofollow noopener">Al - BusyNAS</a></p></li> <li><p><a href="https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/394/feedback/Jeff%20-%20ZFS%20and%20NFS%20on%20FreeBSD" target="_blank" rel="nofollow noopener">Jeff - ZFS and NFS on FreeBSD</a></p></li> <li> <p><a href="https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/394/feedback/Michael%20-%20remote%20unlock%20for%20encrypted%20systems" target="_blank" rel="nofollow noopener">Michael - remote unlock for encrypted systems</a></p> <hr> </li> <li> <p>Send questions, comments, show ideas/topics, or stories you want mentioned on the show to <a href="mailto:feedback@bsdnow.tv" target="_blank" rel="nofollow noopener">feedback@bsdnow.tv</a></p> <hr> </li> </ul> freebsd, openbsd, netbsd, dragonflybsd, trueos, trident, hardenedbsd, tutorial, howto, guide, bsd, operating system, shell, unix, os, berkeley, software, distribution, release, zfs, zpool, dataset, interview, mars, rover, vxworks, network stack, microscopy, large data, bhyve, guest, nextcloud, mysql, transaction, truenas, state of the union Onboard Scheduler for the Mars 2020 Rover, Practical Guide to Storage of Large Amounts of Microscopy Data, OpenBSD guest with bhyve - OmniOS, NextCloud on OpenBSD, MySQL Transactions - the physical side, TrueNAS 12.0-U2.1 is released, HardenedBSD 2021 State of the Hardened Union, and more

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Prototyping an Onboard Scheduler for the Mars 2020 Rover

  • The mars rover runs VxWorks, which is based on BSD, and uses the FreeBSD networking stack. While there has been a lot of type about the little helicopter that was inside the rover running Linux, the rover itself runs BSD. *** ### Practical Guide to Storage of Large Amounts of Microscopy Data > Biological imaging tools continue to increase in speed, scale, and resolution, often resulting in the collection of gigabytes or even terabytes of data in a single experiment. In comparison, the ability of research laboratories to store and manage this data is lagging greatly. This leads to limits on the collection of valuable data and slows data analysis and research progress. Here we review common ways researchers store data and outline the drawbacks and benefits of each method. We also offer a blueprint and budget estimation for a currently deployed data server used to store large datasets from zebrafish brain activity experiments using light-sheet microscopy. Data storage strategy should be carefully considered and different options compared when designing imaging experiments. *** ## News Roundup ### OpenBSD guest with bhyve - OmniOS > Today I will be creating a OpenBSD guest via bhyve on OmniOS. I will also be adding a Pass Through Ethernet Controller so I can have a multi-homed guest that will serve as a firewall/router. > This post will cover setting up bhyve on OmniOS, so it will also be a good introduction to bhyve. As well, I look into OpenBSD’s uEFI boot loader so if you have had trouble with this, then you are in the right place. *** ### NextCloud on OpenBSD > NextCloud and OpenBSD are complimentary to one another. NextCloud is an awesome, secure and private alternative for propietary platforms, whereas OpenBSD forms the most secure and solid foundation to serve it on. Setting it up in the best way isn’t hard, especially using this step by step tutorial.

MySQL Transactions - the physical side

So you talk to a database, doing transactions. What happens actually, behind the scenes? Let’s have a look.

TrueNAS 12.0-U2.1 is released

HardenedBSD 2021 State of the Hardened Union - NYCBUG - 2021-04-07

Beastie Bits

  • FreeBSD Journal: Case Studies *** ###Tarsnap
  • This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

]]> Onboard Scheduler for the Mars 2020 Rover, Practical Guide to Storage of Large Amounts of Microscopy Data, OpenBSD guest with bhyve - OmniOS, NextCloud on OpenBSD, MySQL Transactions - the physical side, TrueNAS 12.0-U2.1 is released, HardenedBSD 2021 State of the Hardened Union, and more

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Prototyping an Onboard Scheduler for the Mars 2020 Rover

  • The mars rover runs VxWorks, which is based on BSD, and uses the FreeBSD networking stack. While there has been a lot of type about the little helicopter that was inside the rover running Linux, the rover itself runs BSD. *** ### Practical Guide to Storage of Large Amounts of Microscopy Data > Biological imaging tools continue to increase in speed, scale, and resolution, often resulting in the collection of gigabytes or even terabytes of data in a single experiment. In comparison, the ability of research laboratories to store and manage this data is lagging greatly. This leads to limits on the collection of valuable data and slows data analysis and research progress. Here we review common ways researchers store data and outline the drawbacks and benefits of each method. We also offer a blueprint and budget estimation for a currently deployed data server used to store large datasets from zebrafish brain activity experiments using light-sheet microscopy. Data storage strategy should be carefully considered and different options compared when designing imaging experiments. *** ## News Roundup ### OpenBSD guest with bhyve - OmniOS > Today I will be creating a OpenBSD guest via bhyve on OmniOS. I will also be adding a Pass Through Ethernet Controller so I can have a multi-homed guest that will serve as a firewall/router. > This post will cover setting up bhyve on OmniOS, so it will also be a good introduction to bhyve. As well, I look into OpenBSD’s uEFI boot loader so if you have had trouble with this, then you are in the right place. *** ### NextCloud on OpenBSD > NextCloud and OpenBSD are complimentary to one another. NextCloud is an awesome, secure and private alternative for propietary platforms, whereas OpenBSD forms the most secure and solid foundation to serve it on. Setting it up in the best way isn’t hard, especially using this step by step tutorial.

MySQL Transactions - the physical side

So you talk to a database, doing transactions. What happens actually, behind the scenes? Let’s have a look.

TrueNAS 12.0-U2.1 is released

HardenedBSD 2021 State of the Hardened Union - NYCBUG - 2021-04-07

Beastie Bits

  • FreeBSD Journal: Case Studies *** ###Tarsnap
  • This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

]]> 328: EPYC Netflix Stack https://www.bsdnow.tv/328 be8ded86-58b0-46af-ba11-af5a748bc3d8 Thu, 12 Dec 2019 07:00:00 -0500 JT Pennington full JT Pennington LLDB Threading support now ready, Multiple IPSec VPN tunnels with FreeBSD, Netflix Optimized FreeBSD's Network Stack More Than Doubled AMD EPYC Performance, happy eyeballs with unwind(8), AWS got FreeBSD ARM 12, OpenSSH U2F/FIDO support, and more. 57:43 no <p>LLDB Threading support now ready, Multiple IPSec VPN tunnels with FreeBSD, Netflix Optimized FreeBSD's Network Stack More Than Doubled AMD EPYC Performance, happy eyeballs with unwind(8), AWS got FreeBSD ARM 12, OpenSSH U2F/FIDO support, and more.</p> <h2>Headlines</h2> <h3><a href="https://blog.netbsd.org/tnf/entry/lldb_threading_support_now_ready" target="_blank" rel="nofollow noopener">LLDB Threading support now ready for mainline</a></h3> <p>&gt; Upstream describes LLDB as a next generation, high-performance debugger. It is built on top of LLVM/Clang toolchain, and features great integration with it. At the moment, it primarily supports debugging C, C++ and ObjC code, and there is interest in extending it to more languages.</p> <p>&gt; In February, I have started working on LLDB, as contracted by the NetBSD Foundation. So far I've been working on reenabling continuous integration, squashing bugs, improving NetBSD core file support, extending NetBSD's ptrace interface to cover more register types and fix compat32 issues and fixing watchpoint support. Then, I've started working on improving thread support which is taking longer than expected. You can read more about that in my September 2019 report.</p> <p>&gt; So far the number of issues uncovered while enabling proper threading support has stopped me from merging the work-in-progress patches. However, I've finally reached the point where I believe that the current work can be merged and the remaining problems can be resolved afterwards. More on that and other LLVM-related events happening during the last month in this report.</p> <hr> <h3><a href="https://blog.socruel.nu/text-only/how-to-multiple-ipsec-vpn-tunnels-on-freebsd.txt" target="_blank" rel="nofollow noopener">Multiple IPSec VPN tunnels with FreeBSD</a></h3> <p>&gt;The FreeBSD handbook describes an IPSec VPN tunnel between 2 FreeBSD hosts (see <a href="https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html" target="_blank" rel="nofollow noopener">https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html</a>)</p> <p>But it is also possible to have multiple, 2 or more, IPSec VPN tunnels created and running on a FreeBSD host. How to implement and configure this is described below.</p> <p>&gt; The requirements is to have 3 locations (A, B and C) connected with IPSec VPN tunnels using FreeBSD (11.3-RELEASE).</p> <p>&gt; Each location has 1 IPSec VPN host running FreeBSD (VPN host A, B and C).</p> <p>&gt; VPN host A has 2 IPSec VPN tunnels: 1 to location B (VPN host B) and 1 to location C (VPN host C).</p> <hr> <h2>News Roundup</h2> <h3><a href="https://www.phoronix.com/scan.php?page=news_item&amp;px=Netflix-NUMA-FreeBSD-Optimized" target="_blank" rel="nofollow noopener">Netflix Optimized FreeBSD's Network Stack More Than Doubled AMD EPYC Performance</a></h3> <p>&gt; Drew Gallatin of Netflix presented at the recent EuroBSDcon 2019 conference in Norway on the company's network stack optimizations to FreeBSD. Netflix was working on being able to deliver 200Gb/s network performance for video streaming out of Intel Xeon and AMD EPYC servers, to which they are now at 190Gb/s+ and in the process that doubled the potential of EPYC Naples/Rome servers and also very hefty upgrades too for Intel.</p> <p>&gt; Netflix has long been known to be using FreeBSD in their data centers particularly where network performance is concerned. But in wanting to deliver 200Gb/s throughput from individual servers led them to making NUMA optimizations to the FreeBSD network stack. Allocating NUMA local memory for kernel TLS crypto buffers and for backing files sent via sentfile were among their optimizations. Changes to network connection handling and dealing with incoming connections to Nginx were also made.</p> <p>&gt; For those just wanting the end result, Netflix's NUMA optimizations to FreeBSD resulted in their Intel Xeon servers going from 105Gb/s to 191Gb/s while the NUMA fabric utilization dropped from 40% to 13%.</p> <hr> <h3><a href="https://marc.info/?l=openbsd-tech&amp;m=157475113130337&amp;w=2" target="_blank" rel="nofollow noopener">unwind(8); "happy eyeballs"</a></h3> <p>&gt; In case you are wondering why happy eyeballs: It's a variation on this:<br> <a href="https://en.wikipedia.org/wiki/Happy_Eyeballs" target="_blank" rel="nofollow noopener">https://en.wikipedia.org/wiki/Happy_Eyeballs</a></p> <p>&gt; unwind has a concept of a best nameserver type. It considers a configured DoT nameserver to be better than doing it's own recursive resolving. Recursive resolving is considered to be better than asking the dhcp provided nameservers.</p> <p>&gt; This diff sorts the nameserver types by quality, as above (validation, resolving, dead...), and as a tie breaker it adds the median of the round trip time of previous queries into the mix. </p> <p>&gt; One other interesting thing about this is that it gets us past captive portals without a check URL, that's why this diff is so huge, it rips out all the captive portal stuff (please apply with patch -E):<br> 17 files changed, 385 insertions(+), 1683 deletions(-)</p> <p>&gt; Please test this. I'm particularly interested in reports from people who move between networks and need to get past captive portals.</p> <hr> <h3><a href="https://aws.amazon.com/marketplace/pp/B081NF7BY7" target="_blank" rel="nofollow noopener">Amazon now has FreeBSD ARM 12</a></h3> <p>&gt; Product Overview</p> <p>&gt; FreeBSD is an operating system used to power servers, desktops, and embedded systems. Derived from BSD, the version of UNIX developed at the University of California, Berkeley, FreeBSD has been continually developed by a large community for more than 30 years.</p> <p>&gt; FreeBSD's networking, security, storage, and monitoring features, including the pf firewall, the Capsicum and CloudABI capability frameworks, the ZFS filesystem, and the DTrace dynamic tracing framework, make FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage systems.</p> <hr> <h3><a href="https://www.undeadly.org/cgi?action=article;sid=20191115064850" target="_blank" rel="nofollow noopener">OpenSSH U2F/FIDO support in base</a></h3> <p>&gt; I just committed all the dependencies for OpenSSH security key (U2F) support to base and tweaked OpenSSH to use them directly. This means there will be no additional configuration hoops to jump through to use U2F/FIDO2 security keys.</p> <p>&gt; Hardware backed keys can be generated using "ssh-keygen -t ecdsa-sk" (or "ed25519-sk" if your token supports it). Many tokens require to be touched/tapped to confirm this step.</p> <p>&gt; You'll get a public/private keypair back as usual, except in this case, the private key file does not contain a highly-sensitive private key but instead holds a "key handle" that is used by the security key to derive the real private key at signing time.</p> <p>&gt; So, stealing a copy of the private key file without also stealing your security key (or access to it) should not give the attacker anything. </p> <p>&gt; Once you have generated a key, you can use it normally - i.e. add it to an agent, copy it to your destination's authorized_keys files (assuming they are running -current too), etc. At authentication time, you will be prompted to tap your security key to confirm the signature operation - this makes theft-of-access attacks against security keys more difficult too.</p> <p>&gt; Please test this thoroughly - it's a big change that we want to have stable before the next release.</p> <hr> <h2>Beastie Bits</h2> <ul> <li><a href="http://lists.dragonflybsd.org/pipermail/commits/2019-November/719945.html" target="_blank" rel="nofollow noopener">DragonFly - git: virtio - Fix LUN scan issue w/ Google Cloud</a></li> <li><a href="https://0x0f0f0f.github.io/posts/2019/11/really-fast-markov-chains-in-%7E20-lines-of-sh-grep-cut-and-awk/" target="_blank" rel="nofollow noopener">Really fast Markov chains in ~20 lines of sh, grep, cut and awk</a></li> <li><a href="https://www.freebsdfoundation.org/past-issues/security-3/" target="_blank" rel="nofollow noopener">FreeBSD Journal Sept/Oct 2019</a></li> <li><a href="https://twitter.com/michaeldexter/status/1201231729228308480" target="_blank" rel="nofollow noopener">Michael Dexter is raising money for Bhyve development</a></li> <li><a href="https://marc.info/?l=openbsd-tech&amp;m=157488907117170" target="_blank" rel="nofollow noopener">syscall call-from verification</a></li> <li><a href="https://forums.freebsd.org/forums/howtos-and-faqs-moderated.39/" target="_blank" rel="nofollow noopener">FreeBSD Forums Howto Section</a></li> </ul> <hr> <h2>Feedback/Questions</h2> <ul> <li>Jeroen - <a href="http://dpaste.com/0PK1EG2#wrap" target="_blank" rel="nofollow noopener">Feedback</a> </li> <li>Savo - <a href="http://dpaste.com/0PZ03B7#wrap" target="_blank" rel="nofollow noopener">pfsense ports</a> </li> <li>Tin - <a href="http://dpaste.com/2GVNCYB#wrap" target="_blank" rel="nofollow noopener">I want to learn C</a> </li> </ul> <hr> <ul> <li>Send questions, comments, show ideas/topics, or stories you want mentioned on the show to <a href="mailto:feedback@bsdnow.tv" target="_blank" rel="nofollow noopener">feedback@bsdnow.tv</a> </li> </ul> <hr> <source src="http://201406.jb-dl.cdn.scaleengine.net/bsdnow/2019/bsd-0328.mp4" type="video/mp4"> Your browser does not support the HTML5 video tag. </source> freebsd, openbsd, netbsd, dragonflybsd, trueos, trident, hardenedbsd, tutorial, howto, guide, bsd, interview, lldb, threading, ipsec, vpn, tunnel, netflix, optimized, network stack, amd, amd epyc, performance, unwind, eyeballs, aws, arm, arm 12, openssh, u2f, fido LLDB Threading support now ready, Multiple IPSec VPN tunnels with FreeBSD, Netflix Optimized FreeBSD's Network Stack More Than Doubled AMD EPYC Performance, happy eyeballs with unwind(8), AWS got FreeBSD ARM 12, OpenSSH U2F/FIDO support, and more.

Headlines

LLDB Threading support now ready for mainline

Upstream describes LLDB as a next generation, high-performance debugger. It is built on top of LLVM/Clang toolchain, and features great integration with it. At the moment, it primarily supports debugging C, C++ and ObjC code, and there is interest in extending it to more languages.

In February, I have started working on LLDB, as contracted by the NetBSD Foundation. So far I've been working on reenabling continuous integration, squashing bugs, improving NetBSD core file support, extending NetBSD's ptrace interface to cover more register types and fix compat32 issues and fixing watchpoint support. Then, I've started working on improving thread support which is taking longer than expected. You can read more about that in my September 2019 report.

So far the number of issues uncovered while enabling proper threading support has stopped me from merging the work-in-progress patches. However, I've finally reached the point where I believe that the current work can be merged and the remaining problems can be resolved afterwards. More on that and other LLVM-related events happening during the last month in this report.

Multiple IPSec VPN tunnels with FreeBSD

The FreeBSD handbook describes an IPSec VPN tunnel between 2 FreeBSD hosts (see https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html)

But it is also possible to have multiple, 2 or more, IPSec VPN tunnels created and running on a FreeBSD host. How to implement and configure this is described below.

The requirements is to have 3 locations (A, B and C) connected with IPSec VPN tunnels using FreeBSD (11.3-RELEASE).

Each location has 1 IPSec VPN host running FreeBSD (VPN host A, B and C).

VPN host A has 2 IPSec VPN tunnels: 1 to location B (VPN host B) and 1 to location C (VPN host C).

News Roundup

Netflix Optimized FreeBSD's Network Stack More Than Doubled AMD EPYC Performance

Drew Gallatin of Netflix presented at the recent EuroBSDcon 2019 conference in Norway on the company's network stack optimizations to FreeBSD. Netflix was working on being able to deliver 200Gb/s network performance for video streaming out of Intel Xeon and AMD EPYC servers, to which they are now at 190Gb/s+ and in the process that doubled the potential of EPYC Naples/Rome servers and also very hefty upgrades too for Intel.

Netflix has long been known to be using FreeBSD in their data centers particularly where network performance is concerned. But in wanting to deliver 200Gb/s throughput from individual servers led them to making NUMA optimizations to the FreeBSD network stack. Allocating NUMA local memory for kernel TLS crypto buffers and for backing files sent via sentfile were among their optimizations. Changes to network connection handling and dealing with incoming connections to Nginx were also made.

For those just wanting the end result, Netflix's NUMA optimizations to FreeBSD resulted in their Intel Xeon servers going from 105Gb/s to 191Gb/s while the NUMA fabric utilization dropped from 40% to 13%.

unwind(8); "happy eyeballs"

In case you are wondering why happy eyeballs: It's a variation on this:
https://en.wikipedia.org/wiki/Happy_Eyeballs

unwind has a concept of a best nameserver type. It considers a configured DoT nameserver to be better than doing it's own recursive resolving. Recursive resolving is considered to be better than asking the dhcp provided nameservers.

This diff sorts the nameserver types by quality, as above (validation, resolving, dead...), and as a tie breaker it adds the median of the round trip time of previous queries into the mix.

One other interesting thing about this is that it gets us past captive portals without a check URL, that's why this diff is so huge, it rips out all the captive portal stuff (please apply with patch -E):
17 files changed, 385 insertions(+), 1683 deletions(-)

Please test this. I'm particularly interested in reports from people who move between networks and need to get past captive portals.

Amazon now has FreeBSD ARM 12

Product Overview

FreeBSD is an operating system used to power servers, desktops, and embedded systems. Derived from BSD, the version of UNIX developed at the University of California, Berkeley, FreeBSD has been continually developed by a large community for more than 30 years.

FreeBSD's networking, security, storage, and monitoring features, including the pf firewall, the Capsicum and CloudABI capability frameworks, the ZFS filesystem, and the DTrace dynamic tracing framework, make FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage systems.

OpenSSH U2F/FIDO support in base

I just committed all the dependencies for OpenSSH security key (U2F) support to base and tweaked OpenSSH to use them directly. This means there will be no additional configuration hoops to jump through to use U2F/FIDO2 security keys.

Hardware backed keys can be generated using "ssh-keygen -t ecdsa-sk" (or "ed25519-sk" if your token supports it). Many tokens require to be touched/tapped to confirm this step.

You'll get a public/private keypair back as usual, except in this case, the private key file does not contain a highly-sensitive private key but instead holds a "key handle" that is used by the security key to derive the real private key at signing time.

So, stealing a copy of the private key file without also stealing your security key (or access to it) should not give the attacker anything.

Once you have generated a key, you can use it normally - i.e. add it to an agent, copy it to your destination's authorized_keys files (assuming they are running -current too), etc. At authentication time, you will be prompted to tap your security key to confirm the signature operation - this makes theft-of-access attacks against security keys more difficult too.

Please test this thoroughly - it's a big change that we want to have stable before the next release.

Beastie Bits

Feedback/Questions

  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
]]> LLDB Threading support now ready, Multiple IPSec VPN tunnels with FreeBSD, Netflix Optimized FreeBSD's Network Stack More Than Doubled AMD EPYC Performance, happy eyeballs with unwind(8), AWS got FreeBSD ARM 12, OpenSSH U2F/FIDO support, and more.

Headlines

LLDB Threading support now ready for mainline

Upstream describes LLDB as a next generation, high-performance debugger. It is built on top of LLVM/Clang toolchain, and features great integration with it. At the moment, it primarily supports debugging C, C++ and ObjC code, and there is interest in extending it to more languages.

In February, I have started working on LLDB, as contracted by the NetBSD Foundation. So far I've been working on reenabling continuous integration, squashing bugs, improving NetBSD core file support, extending NetBSD's ptrace interface to cover more register types and fix compat32 issues and fixing watchpoint support. Then, I've started working on improving thread support which is taking longer than expected. You can read more about that in my September 2019 report.

So far the number of issues uncovered while enabling proper threading support has stopped me from merging the work-in-progress patches. However, I've finally reached the point where I believe that the current work can be merged and the remaining problems can be resolved afterwards. More on that and other LLVM-related events happening during the last month in this report.

Multiple IPSec VPN tunnels with FreeBSD

The FreeBSD handbook describes an IPSec VPN tunnel between 2 FreeBSD hosts (see https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html)

But it is also possible to have multiple, 2 or more, IPSec VPN tunnels created and running on a FreeBSD host. How to implement and configure this is described below.

The requirements is to have 3 locations (A, B and C) connected with IPSec VPN tunnels using FreeBSD (11.3-RELEASE).

Each location has 1 IPSec VPN host running FreeBSD (VPN host A, B and C).

VPN host A has 2 IPSec VPN tunnels: 1 to location B (VPN host B) and 1 to location C (VPN host C).

News Roundup

Netflix Optimized FreeBSD's Network Stack More Than Doubled AMD EPYC Performance

Drew Gallatin of Netflix presented at the recent EuroBSDcon 2019 conference in Norway on the company's network stack optimizations to FreeBSD. Netflix was working on being able to deliver 200Gb/s network performance for video streaming out of Intel Xeon and AMD EPYC servers, to which they are now at 190Gb/s+ and in the process that doubled the potential of EPYC Naples/Rome servers and also very hefty upgrades too for Intel.

Netflix has long been known to be using FreeBSD in their data centers particularly where network performance is concerned. But in wanting to deliver 200Gb/s throughput from individual servers led them to making NUMA optimizations to the FreeBSD network stack. Allocating NUMA local memory for kernel TLS crypto buffers and for backing files sent via sentfile were among their optimizations. Changes to network connection handling and dealing with incoming connections to Nginx were also made.

For those just wanting the end result, Netflix's NUMA optimizations to FreeBSD resulted in their Intel Xeon servers going from 105Gb/s to 191Gb/s while the NUMA fabric utilization dropped from 40% to 13%.

unwind(8); "happy eyeballs"

In case you are wondering why happy eyeballs: It's a variation on this:
https://en.wikipedia.org/wiki/Happy_Eyeballs

unwind has a concept of a best nameserver type. It considers a configured DoT nameserver to be better than doing it's own recursive resolving. Recursive resolving is considered to be better than asking the dhcp provided nameservers.

This diff sorts the nameserver types by quality, as above (validation, resolving, dead...), and as a tie breaker it adds the median of the round trip time of previous queries into the mix.

One other interesting thing about this is that it gets us past captive portals without a check URL, that's why this diff is so huge, it rips out all the captive portal stuff (please apply with patch -E):
17 files changed, 385 insertions(+), 1683 deletions(-)

Please test this. I'm particularly interested in reports from people who move between networks and need to get past captive portals.

Amazon now has FreeBSD ARM 12

Product Overview

FreeBSD is an operating system used to power servers, desktops, and embedded systems. Derived from BSD, the version of UNIX developed at the University of California, Berkeley, FreeBSD has been continually developed by a large community for more than 30 years.

FreeBSD's networking, security, storage, and monitoring features, including the pf firewall, the Capsicum and CloudABI capability frameworks, the ZFS filesystem, and the DTrace dynamic tracing framework, make FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage systems.

OpenSSH U2F/FIDO support in base

I just committed all the dependencies for OpenSSH security key (U2F) support to base and tweaked OpenSSH to use them directly. This means there will be no additional configuration hoops to jump through to use U2F/FIDO2 security keys.

Hardware backed keys can be generated using "ssh-keygen -t ecdsa-sk" (or "ed25519-sk" if your token supports it). Many tokens require to be touched/tapped to confirm this step.

You'll get a public/private keypair back as usual, except in this case, the private key file does not contain a highly-sensitive private key but instead holds a "key handle" that is used by the security key to derive the real private key at signing time.

So, stealing a copy of the private key file without also stealing your security key (or access to it) should not give the attacker anything.

Once you have generated a key, you can use it normally - i.e. add it to an agent, copy it to your destination's authorized_keys files (assuming they are running -current too), etc. At authentication time, you will be prompted to tap your security key to confirm the signature operation - this makes theft-of-access attacks against security keys more difficult too.

Please test this thoroughly - it's a big change that we want to have stable before the next release.

Beastie Bits

Feedback/Questions

  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
]]> 93: Stacked in Our Favor https://www.bsdnow.tv/93 68a32090-b775-42f2-a1e5-50b8189800fa Wed, 10 Jun 2015 08:00:00 -0400 JT Pennington full JT Pennington We're at BSDCan this week, but fear not! We've got a great interview with Sepherosa Ziehau, a DragonFly developer, about their network stack. After that, we'll be discussing different methods of containment and privilege separation. Assuming no polar bears eat us, we'll be back next week with more BSD Now - the place to B.. SD. 1:08:14 no <p>We're at BSDCan this week, but fear not! We've got a great interview with Sepherosa Ziehau, a DragonFly developer, about their network stack. After that, we'll be discussing different methods of containment and privilege separation. Assuming no polar bears eat us, we'll be back next week with more BSD Now - the place to B.. SD.</p> <h2>This episode was brought to you by</h2> <p><a href="http://www.ixsystems.com/bsdnow" title="iXsystems" target="_blank" rel="nofollow noopener"><img src="/images/1.png" alt="iXsystems - Enterprise Servers and Storage for Open Source"></a><a href="http://www.digitalocean.com/" title="DigitalOcean" target="_blank" rel="nofollow noopener"><img src="/images/2.png" alt="DigitalOcean - Simple Cloud Hosting, Built for Developers"></a><a href="http://www.tarsnap.com/bsdnow" title="Tarsnap" target="_blank" rel="nofollow noopener"><img src="/images/3.png" alt="Tarsnap - Online Backups for the Truly Paranoid"></a></p> <hr> <h2>Interview - Sepherosa Ziehau - <a href="mailto:sephe@dragonflybsd.org" target="_blank" rel="nofollow noopener">sephe@dragonflybsd.org</a> </h2> <p>Features of DragonFlyBSD's network stack</p> <hr> <h2>Discussion</h2> <h3>Comparing containment methods and privilege separation</h3> <ul> <li>chroot, jails, systrace, capsicum, filesystem permissions, separating users ***</li> </ul> <h2>Feedback/Questions</h2> <ul> <li><a href="http://slexy.org/view/s2GjCsGPef" target="_blank" rel="nofollow noopener">Brad writes in</a></li> <li><a href="http://slexy.org/view/s21jj3QgTj" target="_blank" rel="nofollow noopener">Anonymous writes in</a></li> <li><a href="http://slexy.org/view/s2irrhYfPT" target="_blank" rel="nofollow noopener">Benjamin writes in</a></li> <li> <a href="http://slexy.org/view/s21gtuqXAe" target="_blank" rel="nofollow noopener">Jeroen writes in</a> *** </li> </ul> freebsd, openbsd, netbsd, dragonflybsd, pcbsd, tutorial, howto, guide, bsd, interview, network stack, bsdcan, systrace, capsicum, chroot, jails, privsep, casper, containers, docker, performance We're at BSDCan this week, but fear not! We've got a great interview with Sepherosa Ziehau, a DragonFly developer, about their network stack. After that, we'll be discussing different methods of containment and privilege separation. Assuming no polar bears eat us, we'll be back next week with more BSD Now - the place to B.. SD.

This episode was brought to you by

iXsystems - Enterprise Servers and Storage for Open SourceDigitalOcean - Simple Cloud Hosting, Built for DevelopersTarsnap - Online Backups for the Truly Paranoid

Interview - Sepherosa Ziehau - sephe@dragonflybsd.org

Features of DragonFlyBSD's network stack

Discussion

Comparing containment methods and privilege separation

  • chroot, jails, systrace, capsicum, filesystem permissions, separating users ***

Feedback/Questions

]]> We're at BSDCan this week, but fear not! We've got a great interview with Sepherosa Ziehau, a DragonFly developer, about their network stack. After that, we'll be discussing different methods of containment and privilege separation. Assuming no polar bears eat us, we'll be back next week with more BSD Now - the place to B.. SD.

This episode was brought to you by

iXsystems - Enterprise Servers and Storage for Open SourceDigitalOcean - Simple Cloud Hosting, Built for DevelopersTarsnap - Online Backups for the Truly Paranoid

Interview - Sepherosa Ziehau - sephe@dragonflybsd.org

Features of DragonFlyBSD's network stack

Discussion

Comparing containment methods and privilege separation

  • chroot, jails, systrace, capsicum, filesystem permissions, separating users ***

Feedback/Questions

]]>