NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

How to unlock high speed Wi-Fi on FreeBSD
14

What We’ve Learned Supporting FreeBSD in Production

News Roundup

rsync replaced with openrsync on macOS Sequoia

Framework 13 AMD Setup with FreeBSD

FreeBSD on Dell Latitude 7280

Backup MX with OpenSMTPD

Notes on caddy as QUIC reverse proxy with mac_portacl

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

No feedback this week.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Open Source Software: The $9 Trillion Resource Companies Take for Granted

Tinkering with Manjaro and NetBSD on the Pinebook Pro: a crumbs-in-the-forest tutorial & review

News Roundup

OpenSMTPD 7.5.0p0 Released

OpenBSD 7.5 locks down with improved disk encryption support and syscall limitations

Book 8088

Custom Prometheus dashboards using Console templates

FreeBSD Foundation March 2024 Partnerships Update

Ray tracing made possible on 42-year-old ZX Spectrum: 'reasonably fast, if you consider 17 hours per frame to be reasonably fast'

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Looking Towards the Future: FreeBSD on the RISC-V Architecture

A bit of XENIX history

News Roundup

Official packages

recover lost text by coredumping firefox

FuguIta 7.4 has been released

LibreSSL 3.8.2 Released

OpenSMTPD 7.4.0p0 Released

Conference News

AsiaBSDCon 2024

BSDCan 2024

EuroBSDCon 2024

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

  ---

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Linux and FreeBSD Firewalls – The Ultimate Guide - Part 2

27 Years with the Perfect OS

News Roundup

Top 20 OpenSSH Server Best Security Practices

Huge pfsync rewrite

OpenSMTPD 7.3.0p1 released

Running OpenBSD 7.3 on your laptop is really hard (not)

QuicSSH

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

##Headlines
###ZFS and DTrace update lands in NetBSD

merge a new version of the CDDL dtrace and ZFS code. This changes the upstream vendor from OpenSolaris to FreeBSD, and this version is based on FreeBSD svn r315983.

• r315983 is from March 2017 (14 months ago), so there is still more work to do

in addition to the 10 years of improvements from upstream, this version also has these NetBSD-specific enhancements:

• dtrace FBT probes can now be placed in kernel modules.
• ZFS now supports mmap().

• This brings NetBSD 10 years forward, and they should be able to catch the rest of the way up fairly quickly

###NetBSD network stack security audit

• Maxime Villard has been working on an audit of the NetBSD network stack, a project sponsored by The NetBSD Foundation, which has served all users of BSD-derived operating systems.

Over the last five months, hundreds of patches were committed to the source tree as a result of this work. Dozens of bugs were fixed, among which a good number of actual, remotely-triggerable vulnerabilities.

Changes were made to strengthen the networking subsystems and improve code quality: reinforce the mbuf API, add many KASSERTs to enforce assumptions, simplify packet handling, and verify compliance with RFCs. This was done in several layers of the NetBSD kernel, from device drivers to L4 handlers.
In the course of investigating several bugs discovered in NetBSD, I happened to look at the network stacks of other operating systems, to see whether they had already fixed the issues, and if so how. Needless to say, I found bugs there too.

• A lot of code is shared between the BSDs, so it is especially helpful when one finds a bug, to check the other BSDs and share the fix.

The IPv6 Buffer Overflow: The overflow allowed an attacker to write one byte of packet-controlled data into ‘packet_storage+off’, where ‘off’ could be approximately controlled too. This allowed at least a pretty bad remote DoS/Crash
The IPsec Infinite Loop: When receiving an IPv6-AH packet, the IPsec entry point was not correctly computing the length of the IPv6 suboptions, and this, before authentication. As a result, a specially-crafted IPv6 packet could trigger an infinite loop in the kernel (making it unresponsive). In addition this flaw allowed a limited buffer overflow - where the data being written was however not controllable by the attacker.
The IPPROTO Typo: While looking at the IPv6 Multicast code, I stumbled across a pretty simple yet pretty bad mistake: at one point the Pim6 entry point would return IPPROTO_NONE instead of IPPROTO_DONE. Returning IPPROTO_NONE was entirely wrong: it caused the kernel to keep iterating on the IPv6 packet chain, while the packet storage was already freed.
The PF Signedness Bug: A bug was found in NetBSD’s implementation of the PF firewall, that did not affect the other BSDs. In the initial PF code a particular macro was used as an alias to a number. This macro formed a signed integer. NetBSD replaced the macro with a sizeof(), which returns an unsigned result.
The NPF Integer Overflow: An integer overflow could be triggered in NPF, when parsing an IPv6 packet with large options. This could cause NPF to look for the L4 payload at the wrong offset within the packet, and it allowed an attacker to bypass any L4 filtering rule on IPv6.
The IPsec Fragment Attack: I noticed some time ago that when reassembling fragments (in either IPv4 or IPv6), the kernel was not removing the M_PKTHDR flag on the secondary mbufs in mbuf chains. This flag is supposed to indicate that a given mbuf is the head of the chain it forms; having the flag on secondary mbufs was suspicious.
What Now: Not all protocols and layers of the network stack were verified, because of time constraints, and also because of unexpected events: the recent x86 CPU bugs, which I was the only one able to fix promptly. A todo list will be left when the project end date is reached, for someone else to pick up. Me perhaps, later this year? We’ll see.
This security audit of NetBSD’s network stack is sponsored by The NetBSD Foundation, and serves all users of BSD-derived operating systems. The NetBSD Foundation is a non-profit organization, and welcomes any donations that help continue funding projects of this kind.

DigitalOcean

###MySQL on ZFS Performance

I used sysbench to create a table of 10M rows and then, using export/import tablespace, I copied it 329 times. I ended up with 330 tables for a total size of about 850GB. The dataset generated by sysbench is not very compressible, so I used lz4 compression in ZFS. For the other ZFS settings, I used what can be found in my earlier ZFS posts but with the ARC size limited to 1GB. I then used that plain configuration for the first benchmarks. Here are the results with the sysbench point-select benchmark, a uniform distribution and eight threads. The InnoDB buffer pool was set to 2.5GB.
In both cases, the load is IO bound. The disk is doing exactly the allowed 3000 IOPS. The above graph appears to be a clear demonstration that XFS is much faster than ZFS, right? But is that really the case? The way the dataset has been created is extremely favorable to XFS since there is absolutely no file fragmentation. Once you have all the files opened, a read IOP is just a single fseek call to an offset and ZFS doesn’t need to access any intermediate inode. The above result is about as fair as saying MyISAM is faster than InnoDB based only on table scan performance results of unfragmented tables and default configuration. ZFS is much less affected by the file level fragmentation, especially for point access type.

ZFS stores the files in B-trees in a very similar fashion as InnoDB stores data. To access a piece of data in a B-tree, you need to access the top level page (often called root node) and then one block per level down to a leaf-node containing the data. With no cache, to read something from a three levels B-tree thus requires 3 IOPS.

The extra IOPS performed by ZFS are needed to access those internal blocks in the B-trees of the files. These internal blocks are labeled as metadata. Essentially, in the above benchmark, the ARC is too small to contain all the internal blocks of the table files’ B-trees. If we continue the comparison with InnoDB, it would be like running with a buffer pool too small to contain the non-leaf pages. The test dataset I used has about 600MB of non-leaf pages, about 0.1% of the total size, which was well cached by the 3GB buffer pool. So only one InnoDB page, a leaf page, needed to be read per point-select statement.

To correctly set the ARC size to cache the metadata, you have two choices. First, you can guess values for the ARC size and experiment. Second, you can try to evaluate it by looking at the ZFS internal data. Let’s review these two approaches.

You’ll read/hear often the ratio 1GB of ARC for 1TB of data, which is about the same 0.1% ratio as for InnoDB. I wrote about that ratio a few times, having nothing better to propose. Actually, I found it depends a lot on the recordsize used. The 0.1% ratio implies a ZFS recordsize of 128KB. A ZFS filesystem with a recordsize of 128KB will use much less metadata than another one using a recordsize of 16KB because it has 8x fewer leaf pages. Fewer leaf pages require less B-tree internal nodes, hence less metadata. A filesystem with a recordsize of 128KB is excellent for sequential access as it maximizes compression and reduces the IOPS but it is poor for small random access operations like the ones MySQL/InnoDB does.

• In order to improve ZFS performance, I had 3 options:
• Increase the ARC size to 7GB
• Use a larger Innodb page size like 64KB
• Add a L2ARC

I was reluctant to grow the ARC to 7GB, which was nearly half the overall system memory. At best, the ZFS performance would only match XFS. A larger InnoDB page size would increase the CPU load for decompression on an instance with only two vCPUs; not great either. The last option, the L2ARC, was the most promising.

ZFS is much more complex than XFS and EXT4 but, that also means it has more tunables/options. I used a simplistic setup and an unfair benchmark which initially led to poor ZFS results. With the same benchmark, very favorable to XFS, I added a ZFS L2ARC and that completely reversed the situation, more than tripling the ZFS results, now 66% above XFS.

• Conclusion

We have seen in this post why the general perception is that ZFS under-performs compared to XFS or EXT4. The presence of B-trees for the files has a big impact on the amount of metadata ZFS needs to handle, especially when the recordsize is small. The metadata consists mostly of the non-leaf pages (or internal nodes) of the B-trees. When properly cached, the performance of ZFS is excellent. ZFS allows you to optimize the use of EBS volumes, both in term of IOPS and size when the instance has fast ephemeral storage devices. Using the ephemeral device of an i3.large instance for the ZFS L2ARC, ZFS outperformed XFS by 66%.

###OpenSMTPD new config

TL;DR:
OpenBSD #p2k18 hackathon took place at Epitech in Nantes.
I was organizing the hackathon but managed to make progress on OpenSMTPD.
As mentioned at EuroBSDCon the one-line per rule config format was a design error.
A new configuration grammar is almost ready and the underlying structures are simplified.
Refactor removes ~750 lines of code and solves _many_ issues that were side-effects of the design error.
New features are going to be unlocked thanks to this.

• Anatomy of a design error

OpenSMTPD started ten years ago out of dissatisfaction with other solutions, mainly because I considered them way too complex for me not to get things wrong from time to time.
The initial configuration format was very different, I was inspired by pyr@’s hoststated, which eventually became relayd, and designed my configuration format with blocks enclosed by brackets.
When I first showed OpenSMTPD to pyr@, he convinced me that PF-like one-line rules would be awesome, and it was awesome indeed.
It helped us maintain our goal of simple configuration files, it helped fight feature creeping, it helped us gain popularity and become a relevant MTA, it helped us get where we are now 10 years later.
That being said, I believe this was a design error. A design error that could not have been predicted until we hit the wall to understand WHY this was an error. One-line rules are semantically wrong, they are SMTP wrong, they are wrong.
One-line rules are making the entire daemon more complex, preventing some features from being implemented, making others more complex than they should be, they no longer serve our goals.
To get to the point: we should move to two-line rules :-)

Anatomy of a design error
OpenSMTPD started ten years ago out of dissatisfaction with other solutions, mainly because I considered them way too complex for me not to get things wrong from time to time.

The initial configuration format was very different, I was inspired by pyr@’s hoststated, which eventually became relayd, and designed my configuration format with blocks enclosed by brackets.

When I first showed OpenSMTPD to pyr@, he convinced me that PF-like one-line rules would be awesome, and it was awesome indeed.

It helped us maintain our goal of simple configuration files, it helped fight feature creeping, it helped us gain popularity and become a relevant MTA, it helped us get where we are now 10 years later.

That being said, I believe this was a design error. A design error that could not have been predicted until we hit the wall to understand WHY this was an error. One-line rules are semantically wrong, they are SMTP wrong, they are wrong.

One-line rules are making the entire daemon more complex, preventing some features from being implemented, making others more complex than they should be, they no longer serve our goals.

To get to the point: we should move to two-line rules :-)

• The problem with one-line rules

OpenSMTPD decides to accept or reject messages based on one-line rules such as:

accept from any for domain poolp.org deliver to mbox

Which can essentially be split into three units:

• the decision: accept/reject
• the matching: from any for domain poolp.org
• the (default) action: deliver to mbox

To ensure that we meet the requirements of the transactions, the matching must be performed during the SMTP transaction before we take a decision for the recipient.
Given that the rule is atomic, that it doesn’t have an identifier and that the action is part of it, the two only ways to make sure we can remember the action to take later on at delivery time is to either:

• save the action in the envelope, which is what we do today
• evaluate the envelope again at delivery
• And this this where it gets tricky… both solutions are NOT ok.

The first solution, which we’ve been using for a decade, was to save the action within the envelope and kind of carve it in stone. This works fine… however it comes with the downsides that errors fixed in configuration files can’t be caught up by envelopes, that delivery action must be validated way ahead of time during the SMTP transaction which is much trickier, that the parsing of delivery methods takes place as the _smtpd user rather than the recipient user, and that envelope structures that are passed all over OpenSMTPD carry delivery-time informations, and more, and more, and more. The code becomes more complex in general, less safe in some particular places, and some areas are nightmarish to deal with because they have to deal with completely unrelated code that can’t be dealt with later in the code path.

The second solution can’t be done. An envelope may be the result of nested rules, for example an external client, hitting an alias, hitting a user with a .forward file resolving to a user. An envelope on disk may no longer match any rule or it may match a completely different rule If we could ensure that it matched the same rule, evaluating the ruleset may spawn new envelopes which would violate the transaction. Trying to imagine how we could work around this leads to more and more and more RFC violations, incoherent states, duplicate mails, etc…

There is simply no way to deal with this with atomic rules, the matching and the action must be two separate units that are evaluated at two different times, failure to do so will necessarily imply that you’re either using our first solution and all its downsides, or that you are currently in a world of pain trying to figure out why everything is burning around you. The minute the action is written to an on-disk envelope, you have failed.

A proper ruleset must define a set of matching patterns resolving to an action identifier that is carved in stone, AND a set of named action set that is resolved dynamically at delivery time.

• Follow the link above to see the rest of the article

Break

##News Roundup
###Backing up a legacy Windows machine to a FreeNAS with rsync

I have some old Windows servers (10 years and counting) and I have been using rsync to back them up to my FreeNAS box. It has been working great for me.

First of all, I do have my Windows servers backup in virtualized format. However, those are only one-time snapshops that I run once in a while. These are classic ASP IIS web servers that I can easily put up on a new VM. However, many of these legacy servers generate gigabytes of data a day in their repositories. Running VM conversion daily is not ideal.

My solution was to use some sort of rsync solution just for the data repos. I’ve tried some applications that didn’t work too well with Samba shares and these old servers have slow I/O. Copying files to external sata or usb drive was not ideal. We’ve moved on from Windows to Linux and do not have any Windows file servers of capacity to provide network backups. Hence, I decided to use Delta Copy with FreeNAS. So here is a little write up on how to set it up. I have 4 Windows 2000 servers backing up daily with this method.

First, download Delta Copy and install it. It is open-source and pretty much free. It is basically a wrapper for cygwin’s rsync. When you install it, it will ask you to install the Server services which allows you to run it as a Rsync server on Windows. You don’t need to do this. Instead, you will be just using the Delta Copy Client application. But before we do that, we will need to configure our Rsync service for our Windows Clients on FreeNAS.

• In FreeNAS, go under Services , Select Rsync > Rsync Modules > Add Rsync Module.
• Then fill out the form; giving the module a name and set the path. In my example, I simply called it WIN and linked it to a user called backupuser.
• This process is much easier than trying to configure the daemon rsyncd.conf file by hand.
• Now, on the Windows Client, start the DeltaCopy Client. You will create a new Profile.
• You will need to enter the IP of the Rsync server (FreeNAS) and specify the module name which will be called “Virtual Directory Name.” When you pull the select menu, the list of Rsync Modules you created earlier in FreeNAS will populate.
• You can set authentication. On the server, you can restrict by IP and do other things to lock down your rsync.
• Next, you will add folders (and/or files) you want to synchronize.
• Once the paths are set up, you can run a sync by right clicking the profile name.
• Here, I made a test sync to a home folder of a virtualized windows box. As you can see, I mounted the rsync volume on my mac to see the progress. The rsync worked beautifully. DeltaCopy did what it was told.
• Once you get everything working. The next thing to do is set schedules. If you done tasks schedules in Windows before, it is pretty straightforward. DeltaCopy has a link in the application to directly create a new task for you. I set my backups to run nightly and it has been working great.

There you have it. Windows rsync to FreeNAS using DeltaCopy.
The nice thing about FreeNAS is you don’t have to modify /etc/rsyncd.conf files. Everything can be done in the web admin.

iXsystems

###How to write ATF tests for NetBSD

I have recently started contributing to the amazing NetBSD foundation. I was thinking of trying out a new OS for a long time. Switching to the NetBSD OS has been a fun change.

My first contribution to the NetBSD foundation was adding regression tests for the Address Sanitizer (ASan) in the Automated Testing Framework(ATF) which NetBSD has. I managed to complete it with the help of my really amazing mentor Kamil. This post is gonna be about the ATF framework that NetBSD has and how to you can add multiple tests with ease.

• Intro

In ATF tests we will basically be talking about test programs which are a suite of test cases for a specific application or program.

• The ATF suite of Commands

There are a variety of commands that the atf suite offers. These include :

• atf-check: The versatile command that is a vital part of the checking process. man page

• atf-run: Command used to run a test program. man page

• atf-fail: Report failure of a test case.

• atf-report: used to pretty print the atf-run. man page

• atf-set: To set atf test conditions.

• We will be taking a better look at the syntax and usage later.

• Let’s start with the Basics

The ATF testing framework comes preinstalled with a default NetBSD installation. It is used to write tests for various applications and commands in NetBSD. One can write the Test programs in either the C language or in shell script. In this post I will be dealing with the Bash part.

• Follow the link above to see the rest of the article

###The Importance of ZFS Block Size

• Warning! WARNING! Don’t just do things because some random blog says so

One of the important tunables in ZFS is the recordsize (for normal datasets) and volblocksize (for zvols). These default to 128KB and 8KB respectively.
As I understand it, this is the unit of work in ZFS. If you modify one byte in a large file with the default 128KB record size, it causes the whole 128KB to be read in, one byte to be changed, and a new 128KB block to be written out.
As a result, the official recommendation is to use a block size which aligns with the underlying workload: so for example if you are using a database which reads and writes 16KB chunks then you should use a 16KB block size, and if you are running VMs containing an ext4 filesystem, which uses a 4KB block size, you should set a 4KB block size
You can see it has a 16GB total file size, of which 8.5G has been touched and consumes space - that is, it’s a “sparse” file. The used space is also visible by looking at the zfs filesystem which this file resides in
Then I tried to copy the image file whilst maintaining its “sparseness”, that is, only touching the blocks of the zvol which needed to be touched. The original used only 8.42G, but the copy uses 14.6GB - almost the entire 16GB has been touched! What’s gone wrong?
I finally realised that the difference between the zfs filesystem and the zvol is the block size. I recreated the zvol with a 128K block size
That’s better. The disk usage of the zvol is now exactly the same as for the sparse file in the filesystem dataset

• It does impact the read speed too. 4K blocks took 5:52, and 128K blocks took 3:20
• Part of this is the amount of metadata that has to be read, see the MySQL benchmarks from earlier in the show
• And yes, using a larger block size will increase the compression efficiency, since the compressor has more redundant data to optimize.
• Some of the savings, and the speedup is because a lot less metadata had to be written
• Your zpool layout also plays a big role, if you use 4Kn disks, and RAID-Z2, using a volblocksize of 8k will actually result in a large amount of wasted space because of RAID-Z padding. Although, if you enable compression, your 8k records may compress to only 4k, and then all the numbers change again.

###Using a Raspberry Pi 2 as a Router on a Stick Starring NetBSD

• Sorry we didn’t answer you quickly enough

A few weeks ago I set about upgrading my feeble networking skills by playing around with a Cisco 2970 switch. I set up a couple of VLANs and found the urge to set up a router to route between them. The 2970 isn’t a modern layer 3 switch so what am I to do?

Why not make use of the Raspberry Pi 2 that I’ve never used and put it to some good use as a ‘router on a stick’.

I could install a Linux based OS as I am quite familiar with it but where’s the fun in that? In my home lab I use SmartOS which by the way is a shit hot hypervisor but as far as I know there aren’t any Illumos distributions for the Raspberry Pi. On the desktop I use Solus OS which is by far the slickest Linux based OS that I’ve had the pleasure to use but Solus’ focus is purely desktop. It’s looking like BSD then!

I believe FreeBSD is renowned for it’s top notch networking stack and so I wrote to the BSDNow show on Jupiter Broadcasting for some help but it seems that the FreeBSD chaps from the show are off on a jolly to some BSD conference or another(love the show by the way).

It looks like me and the luvverly NetBSD are on a date this Saturday. I’ve always had a secret love for NetBSD. She’s a beautiful, charming and promiscuous lover(looking at the supported architectures) and I just can’t stop going back to her despite her misgivings(ahem, zfs). Just my type of grrrl!

Let’s crack on…

• Follow the link above to see the rest of the article

##Beastie Bits

• BSD Jobs
• University of Aberdeen’s Internet Transport Research Group is hiring
• VR demo on OpenBSD via OpenHMD with OSVR HDK2
• patch runs ed, and ed can run anything (mentions FreeBSD and OpenBSD)
• Alacritty (OpenGL-powered terminal emulator) now supports OpenBSD
• MAP_STACK Stack Register Checking Committed to -current
• EuroBSDCon CfP till June 17, 2018

Tarsnap

##Feedback/Questions

• NeutronDaemon - Tutorial request
• Kurt - Question about transferability/bi-directionality of ZFS snapshots and send/receive
• Peter - A Question and much love for BSD Now
• Peter - netgraph state

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Headlines

Out with the old, in with the less

• Our friend Ted Unangst has a new article up, talking about "various OpenBSD replacements and reductions"
• "Instead of trying to fix known bugs, we’re trying to fix unknown bugs. It’s not based on the current buggy state of the code, but the anticipated future buggy state of the code. Past bugs are a bigger factor than current bugs."
• In the post, he goes through some of the bigger (and smaller) examples of OpenBSD rewriting tools to be simpler and more secure
• It starts off with a lesser-known SCSI driver that "tried to do too much" being replaced with three separate drivers
• "Each driver can now be modified in isolation without unintentional side effects on other hardware, or the need to consider if and where further special cases need to be added. Despite the fact that these three drivers duplicate all the common boilerplate code, combined they only amount to about half as much code as the old driver."
• In contrast to that example, he goes on to cite mandoc as taking a very non "unixy" direction, but at the same time being smaller and simpler than all the tools it replaced
• The next case is the new http daemon, and he talks a bit about the recently-added rewrite support being done in a simple and secure way (as opposed to regex and its craziness)
• He also talks about the rewritten "file" utility: "Almost by definition, its sole input will be untrusted input. Perversely, people will then trust what file tells them and then go about using that input, as if file somehow sanitized it."
• Finally, sudo in OpenBSD's base system is moving to ports soon, and the article briefly describes a new tool that may or may not replace it, called "doas"
• There's also a nice wrap-up of all the examples at the end, and the "Pruning and Polishing" talk is good complementary reading material ***

More OpenZFS and BSDCan videos

• We mentioned last week that some of the videos from the second OpenZFS conference in Europe were being uploaded - here's some more
• Matt Ahrens did a Q&A session and talked about ZFS send and receive, as well as giving an overview of OpenZFS
• George Wilson talked about a performance retrospective
• Toshiba, Syneto and HGST also gave some talks about their companies and how they're using ZFS
• As for BSDCan, more of their BSD presentations have been uploaded too...
• Ryan Stone, PCI SR-IOV on FreeBSD
• George Neville-Neil, Measure Twice, Code Once
• Kris Moore, Unifying jail and package management for PC-BSD, FreeNAS and FreeBSD
• Warner Losh, I/O Scheduling in CAM
• Kirk McKusick, An Introduction to the Implementation of ZFS
• Midori Kato, Extensions to FreeBSD Datacenter TCP for Incremental Deployment Support
• Baptiste Daroussin, Packaging FreeBSD's base system
• Matt Ahrens, New OpenZFS features supporting remote replication
• Ed Schouten, CloudABI Cloud computing meets fine-grained capabilities
• The audio of Ingo Schwarze's talk "mandoc: becoming the main BSD manual toolbox" got messed up, but there's an alternate recording here, and the slides are here ***

SMP steroids for PF

• An Oracle employee that's been porting OpenBSD's PF to an upcoming Solaris release has sent in an interesting patch for review
• Attached to the mail was what may be the beginnings of making native PF SMP-aware
• Before you start partying, the road to SMP (specifically, giant lock removal) is a long and very complicated one, requiring every relevant bit of the stack to be written with it in mind - this is just one piece of the puzzle
• The initial response has been quite positive though, with some back and forth between developers and the submitter
• For now, let's be patient and see what happens ***

DragonFly 4.2.0 released

• DragonFlyBSD has released the next big update of their 4.x branch, complete with a decent amount of new features and fixes
• i915 and Radeon graphics have been updated, and DragonFly can claim the title of first BSD with Broadwell support in a release
• Sendmail in the base system has been replaced with their homegrown DragonFly Mail Agent, and there's a wiki page about configuring it
• They've also switched the default compiler to GCC 5, though why they've gone in that direction instead of embracing Clang is a mystery
• The announcement page also contains a list of kernel changes, details on the audio and graphics updates, removal of the SCTP protocol, improvements to the temperature sensors, various userland utility fixes and a list of updates to third party tools
• Work is continuing on the second generation HAMMER filesystem, and Matt Dillon provides a status update in the release announcement
• There was also some hacker news discussion you can check out, as well as upgrade instructions ***

OpenSMTPD 5.7.1 released

• The OpenSMTPD guys have just released version 5.7.1, a major milestone version that we mentioned recently
• Crypto-related bits have been vastly improved: the RSA engine is now privilege-separated, TLS errors are handled more gracefully, ciphers and curve preferences can now be specified, the PKI interface has been reworked to allow custom CAs, SNI and certificate verification have been simplified and the DH parameters are now 2048 bit by default
• The long-awaited filter API is now enabled by default, though still considered slightly experimental
• Documentation has been improved quite a bit, with more examples and common use cases (as well as exotic ones)
• Many more small additions and bugfixes were made, so check the changelog for the full list
• Starting with 5.7.1, releases are now cryptographically signed to ensure integrity
• This release has gone through some major stress testing to ensure stability - Gilles regularly asks their Twitter followers to flood a test server with thousands of emails per second, even offering prizes to whoever can DDoS them the hardest
• OpenSMTPD runs on all the BSDs of course, and seems to be getting pretty popular lately
• Let's all encourage Kris to stop procrastinating on switching from Postfix ***

Interview - Jun Ebihara (蛯原純) - jun@netbsd.org / @ebijun

Lesser-known CPU architectures, embedded NetBSD devices

News Roundup

FreeBSD foundation at BSDCan

• The FreeBSD foundation has posted a few BSDCan summaries on their blog
• The first, from Steven Douglas, begins with a sentiment a lot of us can probably identify with: "Where I live, there are only a handful of people that even know what BSD is, let alone can talk at a high level about it. That was one of my favorite things, being around like minded people."
• He got to meet a lot of the people working on big-name projects, and enjoyed being able to ask them questions so easily
• Their second trip report is from Ahmed Kamal, who flew in all the way from Egypt
• A bit starstruck, he seems to have enjoyed all the talks, particularly Andrew Tanenbaum's about MINIX and NetBSD
• There are also two more wrap-ups from Zbigniew Bodek and Vsevolod Stakhov, so you've got plenty to read ***

OpenBSD from a veteran Linux user perspective

• In a new series of blog posts, a self-proclaimed veteran Linux user is giving OpenBSD a try for the first time
• "For the first time I installed a BSD box on a machine I control. The experience has been eye-opening, especially since I consider myself an 'old-school' Linux admin, and I've felt out of place with the latest changes on the system administration."
• The post is a collection of his thoughts about what's different between Linux and BSD, what surprised him as a beginner - admittedly, a lot of his knowledge carried over, and there were just minor differences in command flags
• One of the things that surprised him (in a positive way) was the documentation: "OpenBSD's man pages are so nice that RTFMing somebody on the internet is not condescending but selfless."
• He also goes through some of the basics, installing and updating software, following different branches
• It concludes with "If you like UNIX, it will open your eyes to the fact that there is more than one way to do things, and that system administration can still be simple while modern." ***

FreeBSD on the desktop, am I crazy

• Similar to the previous article, the guy that wrote the SSH two factor authentication post we covered last week has another new article up - this time about FreeBSD on the desktop
• He begins with a bit of forewarning for potential Linux switchers: "It certainly wasn't an easy journey, and I'm tempted to say do not try this at home to anybody who isn't going to leverage any of FreeBSD's strong points. Definitely don't try FreeBSD on the desktop if you haven't used it on servers or virtual machines before. It's got less in common with Linux than you might think."
• With that out of the way, the list of positives is pretty large: a tidy base system, separation between base and ports, having the option to choose binary packages or ports, ZFS, jails, licensing and of course the lack of systemd
• The rest of the post talks about some of the hurdles he had to overcome, namely with graphics and the infamous Adobe Flash
• Also worth noting is that he found jails to be not only good for isolating daemons on a server, but pretty useful for desktop applications as well
• In the end, he says it was worth all the trouble, and is even planning on converting his laptop to FreeBSD soon too ***

OpenIKED and Cisco CSR 1000v IPSEC

• This article covers setting up a site-to-site IPSEC tunnel between a Cisco CSR 1000v router and an OpenBSD gateway running OpenIKED
• What kind of networking blog post would be complete without a diagram where the internet is represented by a big cloud
• There are lots of details (and example configuration files) for using IKEv2 and OpenBSD's built-in IKE daemon
• It also goes to show that the BSDs generally play well with existing network infrastructure, so if you were a business that's afraid to try them… don't be ***

HardenedBSD improves stack randomization

• The HardenedBSD guys have improved their FreeBSD ASLR patchset, specifically in the stack randomization area
• In their initial implementation, the stack randomization was a random gap - this update makes the base address randomized as well
• They're now stacking the new on top of the old as well, with the goal being even more entropy
• This change triggered an ABI and API incompatibility, so their major version has been bumped ***

OpenSSH 6.9 released

• The OpenSSH team has announced the release of a new version which, following their tick/tock major/minor release cycle, is focused mainly on bug fixes
• There are a couple new things though - the "AuthorizedKeysCommand" config option now takes custom arguments
• One very notable change is that the default cipher has changed as of this release
• The traditional pairing of AES128 in counter mode with MD5 HMAC has been replaced by the ever-trendy ChaCha20-Poly1305 combo
• Their next release, 7.0, is set to get rid a number of legacy items: PermitRootLogin will be switched to "no" by default, SSHv1 support will be totally disabled, the 1024bit diffie-hellman-group1-sha1 KEX will be disabled, old ssh-dss and v00 certs will be removed, a number of weak ciphers will be disabled by default (including all CBC ones) and RSA keys will be refused if they're under 1024 bits
• Many small bugs fixes and improvements were also made, so check the announcement for everything else
• The native version is in OpenBSD -current, and an update to the portable version should be hitting a ports or pkgsrc tree near you soon ***

Feedback/Questions

• Brad writes in
• Mason writes in
• Jochen writes in
• Simon writes in ***

This episode was brought to you by

Headlines

More BSDCan 2015 videos

• Almost as if we said it would happen last week, more BSD-related presentation videos have been uploaded
• Alexander Motin, Feature-rich and fast SCSI target with CTL and ZFS
• Daichi Goto, FreeBSD for High Density Servers
• Ken Moore, Lumina-DE
• Kevin Bowling, FreeBSD Operations at Limelight Networks
• Maciej Pasternacki, Jetpack, a container runtime for FreeBSD
• Ray Percival, Networking with OpenBSD in a virtualized environment
• Reyk Floeter, Introducing OpenBSD's new httpd
• Still more to come, hopefully ***

OpenBSD httpd rewrite support

• One of the most-requested features of OpenBSD's new HTTP daemon (in fact, you can hear someone asking about it in the video just above) is rewrite support
• There were concerns about regex code being too complicated and potentially allowing another attack surface, so that was out
• Instead, Reyk ported over an implementation of lua pattern matching while on the flight back from BSDCan, turning it into a C API without the lua bindings
• In the mailing list post, he shows an example of how to use it for redirects and provides the diff if you'd like to give it a try now
• It's since been committed to -current, so you can try it out with a snapshot too ***

SSH 2FA on FreeBSD

• We've discussed different ways to lock down SSH access to your BSD boxes before - use keys instead of passwords, whitelist IPs, or even use two-factor authentication
• This article serves as a sort of "roundup" on different methods to set up two-factor authentication on FreeBSD
• It touches on key pairs with a server-side password, google authenticator and a few other variations
• While the article is focused on FreeBSD, a lot of it can be easily applied to the others too
• OpenSSH has a great security record, but two-factor authentication is always a good thing to have for the most important systems ***

NetBSD 7.0-RC1 released

• NetBSD has just announced the first release candidate for the 7.0 branch, after a long delay since the initial beta (11 months ago)
• Some of the standout features include: improved KMS/DRM with support for modern GPUs, SMP support on ARM, lots of new ARM boards officially supported, GPT support in the installer, Lua kernel scripting, a multiprocessor USB stack, improvements to NPF (their firewall) and, optionally, Clang 3.6.1
• They're looking for as much testing as possible, so give it a try and report your findings to the release engineering team ***

Interview - Sean Chittenden - seanc@freebsd.org / @seanchittenden

FreeBSD at Groupon, ZFS

News Roundup

OpenSMTPD and Dovecot

• We've covered a number of OpenSMTPD mail server guides on the show, each with just a little something different to offer than the last
• This blog post about it has something not mentioned before: virtual domains and virtual users
• This means you can easily have "user1@domain.com" and "user2@otherdomain.com" both go to a local user on the box (or a different third address)
• It also covers SSL certificates, blocking spam and setting up IMAP access, the usual
• Now might also be a good time to test out OpenSMTPD 5.7.1-rc1, which we'll cover in more detail when it's released... ***

OctoPkg, a QT frontend to pkgng

• A PC-BSD user has begun porting over a graphical package management utility from Arch linux called Octopi
• Obviously, it needed to be rewritten to use FreeBSD's pkg system instead of pacman
• There are some basic instructions on how to get it built and running on the github page
• After some testing, it'll likely make its way to the FreeBSD ports tree
• Tools like this might make it easier for desktop users (who are used to similar things in Ubuntu or related distros) to switch over ***

AFL vs. mandoc, a quantitative analysis

• Ingo Schwarze has written a pretty detailed article about how he and other OpenBSD developers have been fuzzing mandoc with AFL
• It's meant to be accompanying material to his BSDCan talk, which already covered nine topics
• mandoc is an interesting example to stress test with fuzzing, since its main job is to take and parse some highly varying input
• The article breaks down the 45 different bugs that were found, based on their root cause
• If you're interested in secure coding practices, this'll be a great one to read ***

OpenZFS conference videos

• Videos from the second OpenZFS conference have just started to show up
• The first talk is by, you guessed it, Matt Ahrens
• In it, he covers some ZFS history, the Oracle takeover, the birth of illumos and OpenZFS, some administration basics and also some upcoming features that are being worked on
• There are also videos from Nexenta and HGST, talking about how they use and contribute to OpenZFS ***

Feedback/Questions

• Bryson writes in
• Kevin writes in ***

This episode was brought to you by

Headlines

FreeBSD quarterly status report

• The FreeBSD team has posted a report of the activities that went on between January and March of this year
• As usual, it's broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc)
• The ports team continuing battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter
• The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward
• FreeBSD's future release support model was also finalized and published in February, which should be a big improvement for both users and the release team
• Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code
• Lots of activity is happening in bhyve, some of which we've covered recently, and a number of improvements were made this quarter
• Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT
• Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being
• The project to replace forth in the bootloader with lua is in its final stages, and can be used on x86 already
• ASLR work is still being done by the HardenedBSD guys, and their next aim is position-independent executable
• The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more
• Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64) ***

OpenBSD 5.7 released

• OpenBSD has formally released another new version, complete with the giant changelog we've come to expect
• In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs
• If you're using one of the Soekris boards, there's even a new driver to manipulate the GPIO and LEDs on them - this has some fun possibilities
• Some new security improvements include: SipHash being sprinkled in some areas to protect hashing functions, big W^X improvements in the kernel space, static PIE on all architectures, deterministic "random" functions being replaced with strong randomness, and support for remote logging over TLS
• The entire source tree has also been audited to use reallocarray, which unintentionally saved OpenBSD's libc from being vulnerable to earlier attacks affecting other BSDs' implementations
• Being that it's OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL)
• Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore - very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily
• BIND and nginx have been taken out, so you'll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon
• Speaking of httpd, it's gotten a number of new features, and has had time to grow and mature since its initial debut - if you've been considering trying it out, now would be a great time to do so
• This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc
• Check the errata page for any post-release fixes, and the upgrade guide for specific instructions on updating from 5.6
• Groundwork has also been laid for some major SMP scalability improvements - look forward to those in future releases
• There's a song and artwork to go along with the release as always, and CDs should be arriving within a few days - we'll show some pictures next week
• Consider picking one up to support the project (and it's the only way to get puffy stickers)
• For those of you paying close attention, the banner image for this release just might remind you of a certain special episode of BSD Now... ***

Tor-BSD diversity project

• We've talked about Tor on the show a few times, and specifically about getting more of the network on BSD (Linux has an overwhelming majority right now)
• A new initiative has started to do just that, called the Tor-BSD diversity project
• "Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. Diversity means single vulnerabilities are less likely to harm the entire ecosystem. [...] A single kernel vulnerability in GNU/Linux that impacting Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity."
• In addition to encouraging people to put up more relays, they're also continuing work on porting the Tor Browser Bundle to BSD, so more desktop users can have easy access to online privacy
• There's an additional progress report for that part specifically, and it looks like most of the work is done now
• Engaging the broader BSD community about Tor and fixing up the official documentation are also both on their todo list
• If you've been considering running a node to help out, there's always our handy tutorial on getting set up ***

PC-BSD 10.1.2-RC1 released

• If you want a sneak peek at the upcoming PC-BSD 10.1.2, the first release candidate is now available to grab
• This quarterly update includes a number of new features, improvements and even some additional utilities
• PersonaCrypt is one of them - it's a new tool for easily migrating encrypted home directories between systems
• A new "stealth mode" option allows for a one-time login, using a blank home directory that gets wiped after use
• Similarly, a new "Tor mode" allows for easy tunneling of all your traffic through the Tor network
• IPFW is now the default firewall, offering improved VIMAGE capabilities
• The life preserver backup tool now allows for bare-metal restores via the install CD
• ISC's NTP daemon has been replaced with OpenNTPD, and OpenSSL has been replaced with LibreSSL
• It also includes the latest Lumina desktop, and there's another post dedicated to that
• Binary packages have also been updated to fresh versions from the ports tree
• More details, including upgrade instructions, can be found in the linked blog post ***

Interview - Ed Schouten - ed@freebsd.org / @edschouten

CloudABI

News Roundup

Open Household Router Contraption

• This article introduces OpenHRC, the "Open Household Router Contraption"
• In short, it's a set of bootstrapping scripts to turn a vanilla OpenBSD install into a feature-rich gateway device
• It also makes use of Ansible playbooks for configuration, allowing for a more "mass deployment" type of setup
• Everything is configured via a simple text file, and you end up with a local NTP server, DHCP server, firewall (obviously) and local caching DNS resolver - it even does DNSSEC validation
• All the code is open source and on Github, so you can read through what's actually being changed and put in place
• There's also a video guide to the entire process, if you're more of a visual person ***

OPNsense 15.1.10 released

• Speaking of BSD routers, if you're looking for a "prebuilt and ready to go" option, OPNsense has just released a new version
• 15.1.10 drops some of the legacy patches they inherited from pfSense, aiming to stay closer to the mainline FreeBSD source code
• Going along with this theme, they've redone how they do ports, and are now kept totally in sync with the regular ports tree
• Their binary packages are now signed using the fingerprint-style method, various GUI menus have been rewritten and a number of other bugs were fixed
• NanoBSD-based images are also available now, so you can try it out on hardware with constrained resources as well
• Version 15.1.10.1 was released shortly thereafter, including a hotfix for VLANs ***

IBM Workpad Z50 and NetBSD

• Before the infamous netbook fad came and went, IBM had a handheld PDA device that looked pretty much the same
• Back in 1999, they released the Workpad Z50 with Windows CE, sporting a 131MHz MIPS CPU, 16MB of RAM and a 640x480 display
• You can probably tell where this is going... the article is about installing NetBSD it
• "What prevents me from taking my pristine Workpad z50 to the local electronics recycling facility is NetBSD. With a little effort it is possible to install recent versions of NetBSD on the Workpad z50 and even have XWindows running"
• The author got pkgsrc up and running on it too, and cleverly used distcc to offload the compiling jobs to something a bit more modern
• He's also got a couple videos of the bootup process and running Xorg (neither of which we'd call "speedy" by any stretch of the imagination) ***

FreeBSD from the trenches

• The FreeBSD foundation has a new blog post up in their "from the trenches" series, detailing FreeBSD in some real-world use cases
• In this installment, Glen Barber talks about how he sets up all his laptops with ZFS and GELI
• While the installer allows for an automatic ZFS layout, Glen notes that it's not a one-size-fits-all thing, and goes through doing everything manually
• Each command is explained, and he walks you through the process of doing an encrypted installation on your root zpool ***

Broadwell in DragonFly

• DragonFlyBSD has officially won the race to get an Intel Broadwell graphics driver
• Their i915 driver has been brought up to speed with Linux 3.14's, adding not only Broadwell support, but many other bugfixes for other cards too
• It's planned for commit to the main tree very soon, but you can test it out with a git branch for the time being ***

Feedback/Questions

• Bostjan writes in
• Hunter writes in
• Hrishi writes in
• Clint writes in
• Sergei writes in ***

Mailing List Gold

• How did you guess ***

This episode was brought to you by

Headlines

Strange timer bug in FreeBSD 11

• Peter Wemm wrote in to the FreeBSD -CURRENT mailing list with an interesting observation
• Running the latest development code in the infrastructure, the clock would stop keeping time after 24 days of uptime
• This meant things like cron and sleep would break, TCP/IP wouldn't time out or resend packets, a lot of things would break
• A workaround until it was fixed was to reboot every 24 days, but this is BSD we're talking about - uptime is our game
• An initial proposal was adding a CFLAG to the build options which makes makes signed arithmetic wrap
• Peter disagreed and gave some background, offering a different patch to fix the issue and detect it early if it happens again
• Ultimately, the problem was traced back to an issue with a recent clang import
• It only affected -CURRENT, not -RELEASE or -STABLE, but was definitely a bizarre bug to track down ***

An OpenBSD mail server

• There's been a recent influx of blog posts about building a BSD mail server for some reason
• In this fancy series of posts, the author sets up OpenSMTPD in its native OpenBSD home, whereas previous posts have been aimed at FreeBSD and Linux
• In addition to the usual steps, this one also covers DKIMproxy, ClamAV for scanning attachments, Dovecot for IMAP and also multiple choices of spam filtering: spamd or SpamAssassin
• It also shows you how to set up Roundcube for building a web interface, using the new in-base httpd
• That means this is more of a "complete solution" - right down to what the end users see
• The series is split up into categories so it's very easy to follow along step-by-step ***

How DragonFlyBSD uses git

• DragonFlyBSD, along with PCBSD and EdgeBSD, uses git as its version control system for the system source code
• In a series of posts, Matthew Dillon (the project lead) details their internal setup
• They're using vanilla git over ssh, with the developers' accounts set to git-only (no shell access)
• The maintainers of the server are the only ones with shell access available
• He also details how a cron job syncs from the master to a public box that anyone can check out code from
• It would be interesting to hear about how other BSD projects manage their master source repository ***

Why not try PCBSD?

• ITwire, another more mainstream tech site, published a recent article about switching to PCBSD
• They interview a guy named Kris that we've never heard of before
• In the article, they touch on how easy it can potentially be for Linux users looking to switch over to the BSD side - lots of applications are exactly the same
• "With the growing adoption of systemd, dissatisfaction with Linux has reached proportions not seen in recent years, to the extent that people have started talking of switching to FreeBSD."
• If you have some friends who complain to you about systemd all the time, this might be a good article to show them ***

Interview - Henning Brauer - henning@openbsd.org / @henningbrauer

OpenNTPD and its portable variant

News Roundup

Authenticated time in OpenNTPD

• We recorded that interview with Henning just a few days ago, and it looks like part of it may be outdated already
• While at the hackathon, some developers came up with an alternate way to get authenticated NTP responses
• You can now add an HTTPS URL to your ntpd.conf in addition to the time server pool
• OpenNTPD will query it (over TLS, with CA verification) and look at the date sent in the HTTPS header
• It's not intended to be a direct time source, just a constraint to keep things within reason
• If you receive regular NTP packets that are way off from the TLS packet, those will be discarded and the server(s) marked as invalid
• Henning and Theo also weigh in to give some of the backstory on the idea
• Lots more detail can be found in Reyk's email explaining the new feature (and it's optional of course) ***

NetBSD at Open Source Conference 2015 Oita and Hamanako

• It's been a while since we've featured one of these trip reports, but the Japanese NetBSD users group is still doing them
• This time the conferences were in Oita and Hamanako, Japan
• Machines running NetBSD included the CubieBoard2 Allwinner A20, Raspberry Pi and Banana Pi, Sharp NetWalker and a couple Zaurus devices
• As always, they took lots of pictures from the event of NetBSD on all these weird machines ***

Poudriere in a jail

• A common question we get about our poudriere tutorial is "how do I run it in a jail?" - this blog post is about exactly that
• It takes you through the networking setup, zpool setup, nginx setup, making the jail and finally poking the right holes in the jail to allow poudriere to work its magic ***

Bruteblock, another way to stop bruteforce

• We've mentioned a few different ways to stop ssh bruteforce attempts in the past: fail2ban, denyhosts, or even just with pf's built-in rate limiting
• Bruteblock is a similar tool, but it's not just for ssh logins - it can do a number of other services
• It can also work directly with IPFW, which is a plus if you're using that as your firewall
• Add a few lines to your syslog.conf and bruteblock will get executed automatically
• The rest of the article takes you through the different settings you can configure for blocking ***

New iwm(4) driver and cross-polination

• The OpenBSD guys recently imported a new "iwm" driver for newer Intel 7260 wireless cards (commonly found in Thinkpads)
• NetBSD wasted no time in porting it over, giving a bit of interesting backstory
• According to Antti Kantee, "it was created for OpenBSD by writing and porting a NetBSD driver which was developed in a rump kernel in Linux userspace"
• Both projects would appreciate further testing if you have the hardware and can provide useful bug reports
• Maybe FreeBSD and DragonFly will port it over too, or come up with something that's partially based on the code ***

PCBSD current images

• The first PCBSD -CURRENT images should be available this weekend
• This image will be tagged 11.0-CURRENTFEB2015, with planned monthly updates
• For the more adventurous this will allow testing both FreeBSD and PCBSD bleeding edge ***

Feedback/Questions

• Antonio writes in
• Richard writes in
• Charlie writes in
• Ben writes in ***

Mailing List Gold

• A systematic effort
• GCC's lunch
• Hopes and dreams ***

Discussion

Comparison of ways to securely tunnel your traffic

• OpenVPN, OpenBSD IKED, FreeBSD IPSEC, OpenSSH, Tor ***

This episode was brought to you by

Headlines

Key rotation in OpenSSH 6.8

• Damien Miller posted a new blog entry about one of the features in the upcoming OpenSSH 6.8
• Times changes, key types change, problems are found with old algorithms and we switch to new ones
• In OpenSSH (and the SSH protocol) however, there hasn't been an easy way to rotate host keys... until now
• With this change, when you connect to a server, it will log all the server's public keys in your known_hosts file, instead of just the first one used during the key exchange
• Keys that are in your known_hosts file but not on the server will get automatically removed
• This fixes the problem of old servers still authenticating with ancient DSA or small RSA keys, as well as providing a way for the server to rotate keys every so often
• There are some instructions in the blog post for how you'll be able to rotate host keys and eventually phase out the older ones - it's really simple
• There are a lot of big changes coming in OpenSSH 6.8, so we'll be sure to cover them all when it's released ***

NetBSD Banana Pi images

• We've talked about the Banana Pi a bit before - it's a small ARM board that's comparable to the popular Raspberry Pi
• Some NetBSD -current images were posted on the mailing list, so now you can get some BSD action on one of these little devices
• There are even a set of prebuilt pkgsrc packages, so you won't have to compile everything initially
• The email includes some steps to get everything working and an overview of what comes with the image
• Also check the wiki page for some related boards and further instructions on getting set up
• On a related note, NetBSD also recently got GPU acceleration working for the Raspberry Pi (which is a first for their ARM port) ***

LibreSSL shirts and other BSD goodies

• If you've been keeping up with the LibreSSL saga and want a shirt to show your support, they're finally available to buy online
• There are two versions, either "keep calm and use LibreSSL" or the slightly more snarky "keep calm and abandon OpenSSL"
• While on the topic, we thought it would be good to make people aware of shirts for other BSD projects too
• You can get some FreeBSD, PCBSD and FreeNAS stuff from the FreeBSD mall site
• OpenBSD recently launched their new store, but the selection is still a bit limited right now
• NetBSD has a couple places where you can buy shirts and other apparel with the flag logo on it
• We couldn't find any DragonFlyBSD shirts unfortunately, which is a shame since their logo is pretty cool
• Profits from the sale of the gear go back to the projects, so pick up some swag and support your BSD of choice (and of course wear them at any Linux events you happen to go to) ***

OPNsense 15.1.4 released

• The OPNsense guys have been hard at work since we spoke to them, fixing lots of bugs and keeping everything up to date
• A number of versions have come out since then, with 15.1.4 being the latest (assuming they haven't updated it again by the time this airs)
• This version includes the latest round of FreeBSD kernel security patches, as well as minor SSL and GUI fixes
• They're doing a great job of getting upstream fixes pushed out to users quickly, a very welcome change
• A developer has also posted an interesting write-up titled "Development Workflow in OPNsense"
• If any of our listeners are trying OPNsense as their gateway firewall, let us know how you like it ***

Interview - Ed Maste - board@freebsdfoundation.org

The FreeBSD foundation's activities

News Roundup

Rolling with OpenBSD snapshots

• One of the cool things about the -current branch of OpenBSD is that it doesn't require any compiling
• There are signed binary snapshots being continuously re-rolled and posted on the FTP sites for every architecture
• This provides an easy method to get onboard with the latest features, and you can also easily upgrade between them without reformatting or rebuilding
• This blog post will walk you through the process of using snapshots to stay on the bleeding edge of OpenBSD goodness
• After using -current for seven weeks, the author comes to the conclusion that it's not as unstable as people might think
• He's now helping test out patches and new ports since he's running the same code as the developers ***

Signing pkgsrc packages

• As of the time this show airs, the official pkgsrc packages aren't cryptographically signed
• Someone from Joyent has been working on that, since they'd like to sign their pkgsrc packages for SmartOS
• Using GNUPG pulled in a lot of dependencies, and they're trying to keep the bootstrapping process minimal
• Instead, they're using netpgpverify, a fork of NetBSD's netpgp utility
• Maybe someday this will become the official way to sign packages in NetBSD? ***

FreeBSD support model changes

• Starting with 11.0-RELEASE, which won't be for a few months probably, FreeBSD releases are going to have a different support model
• The plan is to move "from a point release-based support model to a set of releases from a branch with a guaranteed support lifetime"
• There will now be a five-year lifespan for each major release, regardless of how many minor point releases it gets
• This new model should reduce the turnaround time for errata and security patches, since there will be a lot less work involved to build and verify them
• Lots more detail can be found in the mailing list post, including some important changes to the -STABLE branch, so give it a read ***

OpenSMTPD, Dovecot and SpamAssassin

• We've been talking about setting up your own BSD-based mail server on the last couple episodes
• Here we have another post from a user setting up OpenSMTPD, including Dovecot for IMAP and SpamAssassin for spam filtering
• A lot of people regularly ask the developers how to combine OpenSMTPD with spam filtering, and this post should finally reveal the dark secrets
• In addition, it also covers SSL certificates, PKI and setting up MX records - some things that previous posts have lacked
• Just be sure to replace those "apt-get" commands and "eth0" interface names with something a bit more sane…
• In related news, OpenSMTPD has got some interesting new features coming soon
• They're also planning to switch to LibreSSL by default for the portable version ***

FreeBSD 10 on the Thinkpad T400

• BSD laptop articles are becoming popular it seems - this one is about FreeBSD on a T400
• Like most of the ones we've mentioned before, it shows you how to get a BSD desktop set up with all the little tweaks you might not think to do
• This one differs in that it takes a more minimal approach to graphics: instead of a full-featured environment like XFCE or KDE, it uses the i3 tiling window manager
• If you're a commandline junkie that basically just uses X11 to run more than one terminal at once, this might be an ideal setup for you
• The post also includes some bits about the DRM and KMS in the 10.x branch, as well as vt ***

PC-BSD 10.1.1 Released

• Automatic background updater now in
• Shiny new Qt5 utils
• OVA files for VM’s
• Full disk encryption with GELI v7 ***

Feedback/Questions

• Camio writes in
• Sha'ul writes in
• John writes in
• Sean writes in (TJ's lengthy reply)
• Christopher writes in ***

Mailing List Gold

• Special Instructions
• Pretending to be a VT220 ***

This episode was brought to you by

Headlines

The missing EuroBSDCon videos

• Some of the missing videos from EuroBSDCon 2014 we mentioned before have mysteriously appeared
• Jordan Hubbard, FreeBSD, looking forward to another 10 years
• Lourival Viera Neto, NPF scripting with Lua
• Kris Moore, Snapshots, replication and boot environments
• Andy Tanenbaum, A reimplementation of NetBSD based on a microkernel
• Kirk McKusick, An introduction to FreeBSD's implementation of ZFS
• Emannuel Dreyfus, FUSE and beyond, bridging filesystems
• John-Mark Gurney, Optimizing GELI performance
• Unfortunately, there are still about six talks missing… and no ETA ***

FreeBSD on a MacBook Pro (or two)

• We've got a couple posts about running FreeBSD on a MacBook Pro this week
• In the first one, the author talks a bit about trying to run Linux on his laptop for quite a while, going back and forth between it and something that Just Works™
• Eventually he came full circle, and the focus on using only GUI tools got in the way, instead of making things easier
• He works on a lot of FreeBSD-related software, so switching to it for a desktop seems to be the obvious next step
• He's still not quite to that point yet, but documents his experiments with BSD as a desktop
• The second article also documents an ex-Linux user switching over to BSD for their desktop
• It also covers power management, bluetooth and trackpad setup
• On the topic of Gentoo, "Underneath the beautiful and easy-to-use Portage system lies the same glibc, the same turmoil over a switch to a less-than-ideal init system, and the same kernel-level bugs that bring my productivity down"
• Check out both articles if you've been considering running FreeBSD on a MacBook ***

Remote logging over TLS

• In most of the BSDs, syslogd has been able to remotely send logs to another server for a long time
• That feature can be very useful, especially for forensics purposes - it's much harder for an attacker to hide their activities if the logs aren't on the same server
• The problem is, of course, that it's sent in cleartext, unless you tunnel it over SSH or use some kind of third party wrapper
• With a few recent commits, OpenBSD's syslogd now supports sending logs over TLS natively, including X509 certificate verification
• By default, syslogd runs as an unprivileged user in a chroot on OpenBSD, so there were some initial concerns about certificate verification - how does that user access the CA chain outside of the chroot?
• That problem was also conquered, by loading the CA chain directly from memory, so the entire process can be run in the chroot without issue
• Some of the privsep verifcation code even made its way into LibreSSL right afterwards
• If you haven't set up remote logging before, now might be an interesting time to try it out ***

FreeBSD, not a Linux distro

• George Neville-Neil gave a presentation recently, titled "FreeBSD: not a Linux distro"
• It's meant to be an introduction to new users that might've heard about FreeBSD, but aren't familiar with any BSD history
• He goes through some of that history, and talks about what FreeBSD is and why you might want to use it over other options
• There's even an interesting "thirty years in three minutes" segment
• It's not just a history lesson though, he talks about some of the current features and even some new things coming in the next version(s)
• We also learn about filesystems, jails, capsicum, clang, dtrace and the various big companies using FreeBSD in their products
• This might be a good video to show your friends or potential employer if you're looking to introduce FreeBSD to them ***

Long-term support considered harmful

• There was recently a pretty horrible bug in GNU's libc (BSDs aren't affected, don't worry)
• Aside from the severity of the actual problem, the fix was delayed for quite a long time, leaving people vulnerable
• Ted Unangst writes a post about how this idea of long-term support could actually be harmful in the long run, and compares it to how OpenBSD does things
• OpenBSD releases a new version every six months, and only the two most recent releases get support and security fixes
• He describes this as both a good thing and a bad thing: all the bugs in the ecosystem get flushed out within a year, but it forces people to stay (relatively) up-to-date
• "Upgrades only get harder and more painful (and more fragile) the longer one goes between them. More changes, more damage. Frequent upgrades amortize the cost and ensure that regressions are caught early."
• There was also some discussion about the article you can check out ***

Interview - Andrew Tanenbaum - info@minix3.org / @minix3

MINIX's integration of NetBSD

News Roundup

Using AFL on OpenBSD

• We've talked about American Fuzzy Lop a bit on a previous episode, and how some OpenBSD devs are using it to catch and fix new bugs
• Undeadly has a cool guide on how you can get started with fuzzing
• It's a little on the advanced side, but if you're interested in programming or diagnosing crashes, it'll be a really interesting article to read
• Lots of recent CVEs in other open source projects are attributed to fuzzing - it's a great way to stress test your software ***

Lumina 0.8.1 released

• A new version of Lumina, the BSD-licensed desktop environment from PCBSD, has been released
• This update includes some new plugins, lots of bugfixes and even "quality-of-life improvements"
• There's a new audio player desktop plugin, a button to easily minimize all windows at once and some cool new customization options
• You can get it in PCBSD's edge repo or install it through regular ports (on FreeBSD, OpenBSD or DragonFly!)
• If you haven't seen our episode about Lumina, where we interview the developer and show you a tour of its features, gotta go watch it ***

My first OpenBSD port

• The author of the "Code Rot & Why I Chose OpenBSD" article has a new post up, this time about ports
• He recently made his first port and got it into the tree, so he talks about the whole process from start to finish
• After learning some of the basics and becoming comfortable running -current, he noticed there wasn't a port for the "Otter" web browser
• At that point he did what you're supposed to do in that situation, and started working on it himself
• OpenBSD has a great porter's handbook that he referenced throughout the process
• Long story short, his browser of choice is in the official ports collection and now he's the maintainer (and gets to deal with any bug reports, of course)
• If some software you use isn't available for whatever BSD you're using, you could be the one to make it happen ***

How to slide with DragonFly

• DragonFly BSD has a new HAMMER FS utility called "Slider"
• It's used to easily browse through file history and undelete files - imagine something like a commandline version of Apple's Time Machine
• They have a pretty comprehensive guide on how to use it on their wiki page
• If you're using HAMMER FS, this is a really handy tool to have, check it out ***

OpenSMTPD with Dovecot and Salt

• We recently had a feedback question about which mail servers you can use on BSD - Postfix, Exim and OpenSMTPD being the big three
• This blog post details how to set up OpenSMTPD, including Dovecot for IMAP and Salt for quick and easy deployment
• Intrigued by it becoming the default MTA in OpenBSD, the author decided to give it a try after being a long-time Postfix fan
• "Small, fast, stable, and very easy to customize, no more ugly m4 macros to deal with"
• Check it out if you've been thinking about configuring your first mail server on any of the BSDs ***

Feedback/Questions

• Christopher writes in (handbook section)
• Mark writes in
• Kevin writes in
• Stefano writes in
• Matthew writes in ***

Mailing List Gold

• Not that interested actually
• This guy again
• Yep, this is the place ***

This episode was brought to you by

Headlines

More BSD conference videos

• We mentioned it a few times, but the "New Directions in Operating Systems" conference was held in November in the UK
• The presentations videos are now online, with a few BSD-related talks of interest
• Antti Kantee, Rump kernels and why / how we got here
• Franco Fichtner, An introduction to userland networking
• Robert Watson, New ideas about old OS security
• Lots of other interesting, but non-BSD-related, talks were also presented, so check the full list if you're interested in operating systems in general
• The 2014 AsiaBSDCon videos are also slowly being uploaded (better late than never)
• Kirk McKusick, An Overview of Security in the FreeBSD Kernel
• Matthew Ahrens, OpenZFS ensures the continued excellence of ZFS
• Eric Allman, Bambi Meets Godzilla: They Elope - Open Source Meets the Commercial World
• Scott Long, Modifying the FreeBSD kernel Netflix streaming servers
• Dru Lavigne, ZFS for the Masses
• Kris Moore, Snapshots, Replication, and Boot Environments
• David Chisnall, The Future of LLVM in the FreeBSD Toolchain
• Luba Tang, Bold, fast optimizing linker for BSD
• John Hixson, Introduction to FreeNAS development
• Zbigniew Bodek, Transparent Superpages for FreeBSD on ARM
• Michael Dexter, Visualizing Unix: Graphing bhyve, ZFS and PF with Graphite
• Peter Grehan, Nested Paging in Bhyve
• Martin Matuška, Deploying FreeBSD systems with Foreman and mfsBSD
• James Brown, Analysys of BSD Associate Exam Results
• Mindaugas Rasiukevicius, NPF - progress and perspective
• Luigi Rizzo, Netmap as a core networking technology
• Michael W. Lucas, Sudo: You're Doing it Wrong (not from a BSD conference, but still good)
• They should make for some great material to watch during the holidays ***

OpenBSD vs FreeBSD security features

• From the author of both the OpenBSD and FreeBSD secure gateway articles we've featured in the past comes a new entry about security
• The article goes through a list of all the security features enabled (and disabled) by default in both FreeBSD and OpenBSD
• It covers a wide range of topics, including: memory protection, randomization, encryption, privilege separation, Capsicum, securelevels, MAC, Jails and chroots, network stack hardening, firewall features and much more
• This is definitely one of the most in-depth and complete articles we've seen in a while - the author seems to have done his homework
• If you're looking to secure any sort of BSD box, this post has some very detailed explanations of different exploit mitigation techniques - be sure to read the whole thing
• There are also some good comments on DaemonForums and lobste.rs that you may want to read ***

The password? You changed it, right?

• Peter Hansteen has a new blog post up, detailing some weird SSH bruteforcing he's seen recently
• He apparently reads his auth logs when he gets bored at an airport
• This new bruteforcing attempt seems to be targetting D-Link devices, as evidenced by the three usernames the bots try to use
• More than 700 IPs have tried to get into Peter's BSD boxes using these names in combination with weak passwords
• Lots more details, including the lists of passwords and IPs, can be found in the full article
• If you're using a BSD router, things like this can be easily prevented with PF or fail2ban (and you probably don't have a "d-link" user anyway) ***

Get started with FreeBSD, an intro for Linux users

• Another new BSD article on a mainstream technology news site - seems we're getting popular
• This article is written for Linux users who may be considering switching over to BSD and wondering what it's all about
• It details installing FreeBSD 9.3 and getting a basic system setup, while touching on ports and packages, and explaining some terminology along the way
• "Among the legions of Linux users and admins, there seems to be a sort of passive curiosity about FreeBSD and other BSDs. Like commuters on a packed train, they gaze out at a less crowded, vaguely mysterious train heading in a slightly different direction and wonder what traveling on that train might be like" **

Interview - Michael W. Lucas - mwlucas@michaelwlucas.com / @mwlauthor

FreeBSD Mastery: Storage Essentials

News Roundup

OpenSMTPD status update

• The OpenSMTPD guys, particularly Gilles, have posted an update on what they've been up to lately
• As of 5.6, it's become the default MTA in OpenBSD, and sendmail will be totally gone in 5.7
• Email is a much more tricky protocol than you might imagine, and the post goes through some of the weirdness and problems they've had to deal with
• There's also another post that goes into detail on their upcoming filtering API - a feature many have requested
• The API is still being developed, but you can test it out now if you know what you're doing - full details in the article
• OpenSMTPD also has portable versions in FreeBSD ports and NetBSD pkgsrc, so check it out ***

OpenCrypto changes in FreeBSD

• A little while back, we talked to John-Mark Gurney about updating FreeBSD's OpenCrypto framework, specifically for IPSEC
• Some of that work has just landed in the -CURRENT branch, and the commit has a bit of details
• The ICM and GCM modes of AES were added, and both include support for AESNI
• There's a new port - "nist-kat" - that can be used to test the new modes of operation
• Some things were fixed in the process as well, including an issue that would leak timing info and result in the ability to forge messages
• Code was also borrowed from both OpenBSD and NetBSD to make this possible ***

First thoughts on OpenBSD's httpd

• Here we have a blog post from a user of OpenBSD's new homegrown web server that made its debut in 5.6
• The author loves that it has proper privilege separation, a very simple config syntax and that it always runs in a chroot
• He also mentions dynamic content hosting with FastCGI, and provides an example of how to set it up
• Be sure to check our interview with Reyk about the new httpd if you're curious on how it got started
• Also, if you're running the version that came with 5.6, there's a huge patch you can apply to get a lot of the features and fixes from -current without waiting for 5.7 ***

Steam on PCBSD

• One of the most common questions people who want to use BSD as a desktop ask us is "can I run games?" or "can I use steam?"
• Steam through the Linux emulation layer (in FreeBSD) may be possible soon, but it's already possible to use it with WINE
• This video shows how to get Steam set up on PCBSD using the Windows version
• There are also some instructions in the video description to look over
• A second video details getting streaming set up ***

Feedback/Questions

• Charlie writes in
• Sean writes in
• Predrag writes in ***

This episode was brought to you by

Headlines

BSD panel at Phoenix LUG

• The Phoenix, Arizona Linux users group had a special panel so they could learn a bit more about BSD
• It had one FreeBSD user and one OpenBSD user, and they answered questions from the organizer and the people in the audience
• They covered a variety of topics, including filesystems, firewalls, different development models, licenses and philosophy
• It was a good "real world" example of things potential switchers are curious to know about
• They closed by concluding that more diversity is always better, and even if you've got a lot of Linux boxes, putting a few BSD ones in the mix is a good idea ***

Book of PF signed copy auction

• Peter Hansteen (who we've had on the show) is auctioning off the first signed copy of the new Book of PF
• All the profits from the sale will go to the OpenBSD Foundation
• The updated edition of the book includes all the latest pf syntax changes, but also provides examples for FreeBSD and NetBSD's versions (which still use ALTQ, among other differences)
• If you're interested in firewalls, security or even just advanced networking, this book is a great one to have on your shelf - and the money will also go to a good cause
• Michael Lucas has challenged Peter to raise more for the foundation than his last book selling - let's see who wins
• Pause the episode, go bid on it and then come back! ***

FreeBSD Foundation goes to EuroBSDCon

• Some people from the FreeBSD Foundation went to EuroBSDCon this year, and come back with a nice trip report
• They also sponsored four other developers to go
• The foundation was there "to find out what people are working on, what kind of help they could use from the Foundation, feedback on what we can be doing to support the FreeBSD Project and community, and what features/functions people want supported in FreeBSD"
• They also have a second report from Kamil Czekirda
• A total of $2000 was raised at the conference ***

OpenBSD 5.6 released

• Note: we're doing this story a couple days early - it's actually being released on November 1st (this Saturday), but we have next week off and didn't want to let this one slip through the cracks - it may be out by the time you're watching this
• Continuing their always-on-time six month release cycle, the OpenBSD team has released version 5.6
• It includes support for new hardware, lots of driver updates, network stack improvements (SMP, in particular) and new security features
• 5.6 is the first formal release with LibreSSL, their fork of OpenSSL, and lots of ports have been fixed to work with it
• You can now hibernate your laptop when using a fully-encrypted filesystem (see our tutorial for that)
• ALTQ, Kerberos, Lynx, Bluetooth, TCP Wrappers and Apache were all removed
• This will serve as a "transitional" release for a lot of services: moving from Sendmail to OpenSMTPD, from nginx to httpd and from BIND to Unbound
• Sendmail, nginx and BIND will be gone in the next release, so either migrate to the new stuff between now and then or switch to the ports versions
• As always, 5.6 comes with its own song and artwork - the theme this time was obviously LibreSSL
• Be sure to check the full changelog (it's huge) and pick up a CD or tshirt to support their efforts
• If you don't already have the public key releases are signed with, getting a physical CD is a good "out of bounds" way to obtain it safely
• Here are some cool images of the set
• After you do your installation or upgrade, don't forget to head over to the errata page and apply any patches listed there ***

Interview - John-Mark Gurney - jmg@freebsd.org / @encthenet

Updating FreeBSD's IPSEC stack

News Roundup

Clang in DragonFly BSD

• As we all know, FreeBSD got rid of GCC in 10.0, and now uses Clang almost exclusively on i386/amd64
• Some DragonFly developers are considering migrating over as well, and one of them is doing some work to make the OS more Clang-friendly
• We'd love to see more BSDs switch to Clang/LLVM eventually, it's a lot more modern than the old GCC most are using ***

reallocarray(): integer overflow detection for free

• One of the less obvious features in OpenBSD 5.6 is a new libc function: "reallocarray()"
• It's a replacement function for realloc(3) that provides integer overflow detection at basically no extra cost
• Theo and a few other developers have already started a mass audit of the entire source tree, replacing many instances with this new feature
• OpenBSD's explicit_bzero was recently imported into FreeBSD, maybe someone could also port over this too ***

Switching from Linux blog

• A listener of the show has started a new blog series, detailing his experiences in switching over to BSD from Linux
• After over ten years of using Linux, he decided to give BSD a try after listening to our show (which is awesome)
• So far, he's put up a few posts about his initial thoughts, some documentation he's going through and his experiments so far
• It'll be an ongoing series, so we may check back in with him again later on ***

Owncloud in a FreeNAS jail

• One of the most common emails we get is about running Owncloud in FreeNAS
• Now, finally, someone made a video on how to do just that, and it's even jailed
• A member of the FreeNAS community has uploaded a video on how to set it up, with lighttpd as the webserver backend
• If you're looking for an easy way to back up and sync your files, this might be worth a watch ***

Feedback/Questions

• Ernõ writes in
• David writes in
• Kamil writes in
• Torsten writes in
• Dominik writes in ***

Mailing List Gold

• That's not our IP
• Is this thing on? ***

This episode was brought to you by

Headlines

FreeBSD foundation semi-annual newsletter

• The FreeBSD foundation published their semi-annual newsletter, complete with a letter from the president of the foundation
• "In fact after reading [the president's] letter, I was motivated to come up with my own elevator pitch instead of the usual FreeBSD is like Linux, only better!"
• It talks about the FreeBSD journal as being one of the most exciting things they've launched this year, conferences they funded and various bits of sponsored code that went into -CURRENT
• The full list of funded projects is included, also with details in the financial reports
• There are also a number of conference wrap-ups: NYCBSDCon, BSDCan, AsiaBSDCon and details about the upcoming EuroBSDCon

This episode was brought to you by

Headlines

OpenBSD 5.5 released

• If you ordered a CD set then you've probably had it for a little while already, but OpenBSD has formally announced the public release of 5.5
• This is one of the biggest releases to date, with a very long list of changes and improvements
• Some of the highlights include: time_t being 64 bit on all platforms, release sets and binary packages being signed with the new signify tool, a new autoinstall feature of the installer, SMP support on Alpha, a new AViiON port, lots of new hardware drivers including newer NICs, the new vxlan driver, relayd improvements, a new pf queue system for bandwidth shaping, dhcpd and dhclient fixes, OpenSMTPD 5.4.2 and all its new features, position-independent executables being default for i386, the RNG has been replaced with ChaCha20 as well as some other security improvements, FUSE support, tmpfs, softraid partitions larger than 2TB and a RAID 5 implementation, OpenSSH 6.6 with all its new features and fixes... and a lot more
• The full list of changes is HUGE, be sure to read through it all if you're interested in the details
• If you're doing an upgrade from 5.4 instead of a fresh install, pay careful attention to the upgrade guide as there are some very specific steps for this version
• Also be sure to apply the errata patches on your new installations... especially those OpenSSL ones (some of which still aren't fixed in the other BSDs yet)
• On the topic of errata patches, the project is now going to also send them out (signed) via the announce mailing list, a very welcome change
• Congrats to the whole team on this great release - 5.6 is going to be even more awesome with "Libre"SSL and lots of other stuff that's currently in development ***

FreeBSD foundation funding highlights

• The FreeBSD foundation posts a new update on how they're spending the money that everyone donates
• "As we embark on our 15th year of serving the FreeBSD Project and community, we are proud of what we've done to help FreeBSD become the most innovative, reliable, and high-performance operation system"
• During this spring, they want to highlight the new UEFI boot support and newcons
• There's a lot of details about what exactly UEFI is and why we need it going forward
• FreeBSD has also needed some updates to its console to support UTF8 and wide characters
• Hopefully this series will continue and we'll get to see what other work is being sponsored ***

OpenSSH without OpenSSL

• The OpenSSH team has been hard at work, making it even better, and now OpenSSL is completely optional
• Since it won't have access to the primitives OpenSSL uses, there will be a trade-off of features vs. security
• This version will drop support for legacy SSH v1, and the only two cryptographic algorithms supported are an in-house implementation of AES in counter mode and the new combination of the Chacha20 stream cipher with Poly1305 for packet integrity
• Key exchange is limited to elliptic curve Diffie-Hellman and the newer Curve25519 KEXs
• No support for RSA, DSA or ECDSA public keys - only Ed25519
• It also includes a new buffer API and a set of wrappers to make it compatible with the existing API
• Believe it or not, this was planned before all the heartbleed craziness
• Maybe someday soon we'll have a mini-openssh-portable in FreeBSD ports and NetBSD pkgsrc, would be really neat ***

BSDMag's April 2014 issue is out

• The free monthly BSD magazine has got a new issue available for download
• This time the articles include: pascal on BSD, an introduction to revision control systems and configuration management, deploying NetBSD on AWS EC2, more GIMP tutorials, an AsiaBSDCon 2014 report and a piece about how easily credit cards are stolen online
• Anyone can contribute to the magazine, just send the editors an email about what you want to write
• No Linux articles this time around, good ***

Interview - David Chisnall - theraven@freebsd.org

The LLVM/Clang switch, FreeBSD's core team, various topics

Tutorial

RAID in FreeBSD and OpenBSD

News Roundup

BSDTalk episode 240

• Our buddy Will Backman has uploaded a new episode of BSDTalk, this time with our other buddy GNN as the guest - mainly to talk about NTP and keeping reliable time
• Topics include the specific details of crystals used in watches and computers to keep time, how temperature affects the quality, different sources of inaccuracy, some general NTP information, why you might want extremely precise time, different time sources (GPS, satellite, etc), differences in stratum levels, the problem of packet delay and estimating the round trip time, some of the recent NTP amplification attacks, the downsides to using UDP instead of TCP and... much more
• GNN also talks a little about the Precision Time Protocol and how it's different than NTP
• Two people we've interviewed talking to each other, awesome
• If you're interested in NTP, be sure to see our tutorial too ***

m2k14 trip reports

• We've got a few more reports from the recent OpenBSD hackathon in Morocco
• The first one is from Antoine Jacoutot (who is a key GNOME porter and gave us the screenshots for the OpenBSD desktop tutorial)
• "Since I always fail at actually doing whatever I have planned for a hackathon, this time I decided to come to m2k14 unprepared about what I was going to do"
• He got lots of work done with ports and pushing GNOME-related patches back up to the main project, then worked on fixing ports' compatibility with LibreSSL
• Speaking of LibreSSL, there's an article all would-be portable version writers should probably read and take into consideration
• Jasper Adriaanse also writes about what he got done over there
• He cleaned up and fixed the puppet port to work better with OpenBSD ***

Why you should use FreeBSD on your cloud VPS

• Here we have a blog post from Atlantic, a VPS and hosting provider, about 10 reasons for using FreeBSD
• Starts off with a little bit of BSD history for those who are unfamiliar with it and only know Linux and Windows
• The 10 reasons are: community, stability, collaboration, ease of use, ports, security, ZFS, GEOM, sound and having lots of options
• The post goes into detail about each of them and why FreeBSD makes a great choice for a VPS OS ***

PCBSD weekly digest

• Big changes coming in the way PCBSD manages software
• The PBI system, AppCafe and related tools are all going to use pkgng now
• The AppCafe will no longer be limited to PBIs, so much more software will be easily available from the ports tree
• New rating system coming soon and much more ***

Feedback/Questions

• Martin writes in
• John writes in
• Alex writes in
• Goetz writes in
• Jarrad writes in ***

This episode was brought to you by

Headlines

FreeBSD and OpenBSD in GSOC2014

• The Google Summer of Code is a way to encourage students to write code for open source projects and make some money
• Both FreeBSD and OpenBSD were accepted, and we'd love for anyone listening to check out their GSOC pages
• The FreeBSD wiki has a list of things that they'd be interested in someone helping out with
• OpenBSD's want list was also posted
• DragonflyBSD and NetBSD were sadly not accepted this year ***

Yes, you too can be an evil network overlord

• A new blog post about monitoring your network using only free tools
• OpenBSD is a great fit, and has all the stuff you need in the base system or via packages
• It talks about the pflow pseudo-interface, its capabilities and relation to NetFlow (also goes well with pf)
• There's also details about flowd and nfsen, more great tools to make network monitoring easy
• If you're listening, Peter... stop ignoring our emails and come on the show! We know you're watching! ***

BSDMag's February issue is out

• The theme is "configuring basic services on OpenBSD 5.4"
• There's also an interview with Peter Hansteen (oh hey...)
• Topics also include locking down SSH, a GIMP lesson, user/group management, and...
• Linux and Solaris articles? Why?? ***

Changes in bcrypt

• Not specific to any OS, but the OpenBSD team is updating their bcrypt implementation
• There is a bug in bcrypt when hashing long passwords - other OSes need to update theirs too! (FreeBSD already has)
• "The length is stored in an unsigned char type, which will overflow and wrap at 256. Although we consider the existence of affected hashes very rare, in order to differentiate hashes generated before and after the fix, we are introducing a new minor 'b'."
• As long as you upgrade your OpenBSD system in order (without skipping versions) you should be ok going forward
• Lots of specifics in the email, check the full thing ***

Interview - Will Backman - bitgeist@yahoo.com / @bsdtalk

The BSDTalk podcast, BSD advocacy, various topics

Tutorial

Tracking and cross-compiling -CURRENT (NetBSD)

News Roundup

X11 no longer needs root

• Xorg has long since required root privileges to run the main server
• With recent work from the OpenBSD team, now everything (even KMS) can run as a regular user
• Now you can set the "machdep.allowaperture" sysctl to 0 and still use a GUI ***

OpenSSH 6.6 CFT

• Shortly after the huge 6.5 release, we get a routine bugfix update
• Test it out on as many systems as you can
• Check the mailing list for the full bug list ***

Creating an OpenBSD USB drive

• Since OpenBSD doesn't distribute any official USB images, here are some instructions on how to do it
• Step by step guide on how you can make your very own
• However, there's some recent emails that suggest official USB images may be coming soon... oh wait ***

PCBSD weekly digest

• New PBI updates that allow separate ports from /usr/local
• You need to rebuild pbi-manager if you want to try it out
• Updates and changes to Life Preserver, App Cafe, PCDM ***

Feedback/Questions

• espressowar writes in
• Antonio writes in
• Christian writes in
• Adam writes in
• Alex writes in ***

This episode was brought to you by

Headlines

More faces of FreeBSD

• Another installment of the FoF series
• This time they talk with Reid Linnemann who works at Spectra Logic
• Gives a history of all the different jobs he's done, all the programming languages he knows
• Mentions how he first learned about FreeBSD, actually pretty similar to Kris' story
• "I used the system to build and install ports, and explored, getting actively involved in the mailing lists and forums, studying, passing on my own limited knowledge to those who could benefit from it. I pursued my career in the open source software world, learning the differences in BSD and GNU licensing and the fragmented nature of Linux distributions, realizing the FreeBSD community was more mature and well distributed about industry, education, and research. Everything steered me towards working with and on FreeBSD."
• Now works on FreeBSD as his day job
• The second one covers Brooks Davis
• FreeBSD committer since 2001 and core team member from 2006 through 2012
• He's helped drive our transition from a GNU toolchain to a more modern LLVM-based toolchain
• "One of the reasons I like FreeBSD is the community involved in the process of building a principled, technically-advanced operating system platform. Not only do we produce a great product, but we have fun doing it."
• Lots more in the show notes ***

We cannot trust Intel and Via’s chip-based crypto

• We woke up to see FreeBSD on the front page of The Register, Ars Technica, Slashdot and Hacker News for their strong stance on security and respecting privacy
• At the EuroBSDCon dev summit, there was some discussion about removing support for hardware-based random number generators.
• FreeBSD's /dev/random got some updates and, for 10.0, will no longer allow the use of Intel or VIA's hardware RNGs as the sole point of entropy
• "It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more" ***

OpenSMTPD 5.4.1 released

• The OpenBSD developers came out with major a new version
• Improved config syntax (please check your smtpd.conf before upgrading)
• Adds support for TLS Perfect Forward Secrecy and custom CA certificate
• MTA, Queue and SMTP server improvements
• SNI support confirmed for the next version
• Check the show notes for the full list of changes, pretty huge release
• Watch Episode 3 for an interview we did with the developers ***

More getting to know your portmgr

• The portmgr secretary, Thomas Abthorpe, interviews... himself!
• Joined as -secretary in March 2010, upgraded to full member in March 2011
• His inspiration for using BSD is "I wanted to run a webserver, and I wanted something free. I was going to use something linux, then met up with a former prof from university, and shared my story with him. He told me FreeBSD was the way to go."
• Mentions how he loves that anyone can contribute and watch it "go live"
• The second one covers Baptiste Daroussin
• The reason for his nick, bapt, is "Baptiste is too long to type"
• There's even a video of bapt joining the team! ***

Interview - Santa Clause - josh@ixsystems.com / @freenasteam

FreeNAS 9.2.0

Note: we originally scheduled the interview to be with Josh Paetzel, but Santa showed up instead.

Tutorial

FreeNAS walkthrough

News Roundup

Introducing configinit

• CloudInit is "a system originally written for Ubuntu which performs configuration of a system at boot-time based on user-data provided via EC2"
• Wasn't ideal for FreeBSD since it requires python and is designed around the concept of configuring a system by running commands (rather than editing configuration files)
• Colin Percival came up with configinit, a FreeBSD alternative
• Alongside his new "firstboot-pkgs" port, it can spin up a webserver in 120 seconds from "launch" of the EC2 instance
• Check the show notes for full blog post ***

OpenSSH support for Ed25519 and bcrypt keys

• New Ed25519 key support (hostkeys and user identities) using the public domain ed25519 reference code
• SSH private keys were encrypted with a symmetric key that's just an MD5 of their password
• Now they'll be using bcrypt by default
• We'll get more into this in next week's interview ***

The FreeBSD challenge

• A member of the Linux foundation blogs about using FreeBSD
• Goes through all the beginner steps, has to "unlearn" some of his Linux ways
• Only a few posts as of this time, but it's a continuing series that may be helpful for switchers ***

PCBSD weekly digest

• GNOME3, cinnamon and mate desktops are in the installer
• Compat layer updated to CentOS 6, enables newest Skype
• Looking for people to test printers and hplip
• Continuing work on grub, but the ability to switch between bootloaders is back ***

Feedback/Questions

• Bostjan writes in
• Jason writes in
• John writes in
• Kjell-Aleksander writes in
• Alexy writes in ***