BSD Now - Episodes Tagged with “Pcbsd”

189: Codified Summer

JT Pennington — Wed, 12 Apr 2017 08:00:00 -0400

This week on the show we interview Wendell from Level1Techs, cover Google Summer of Code on the different BSD projects, cover YubiKey usage, dive into how NICs work &

This episode was brought to you by

Headlines

Google summer of code for BSDs

FreeBSD
FreeBSD's existing list of GSoC Ideas for potential students
- FreeBSD/Xen: import the grant-table bus_dma(9) handlers from OpenBSD
- Add support for usbdump file-format to wireshark and vusb-analyzer
- Write a new boot environment manager
- Basic smoke test of all base utilities
- Port OpenBSD's pf testing framework and tests
- Userspace Address Space Annotation
- zstandard integration in libstand
- Replace mergesort implementation
- Test Kload (kexec for FreeBSD)
- Kernel fuzzing suite
- Integrate MFSBSD into the release building tools
- NVMe controller emulation for bhyve
- Verification of bhyve's instruction emulation
- VGA emulation improvements for bhyve
- audit framework test suite
- Add more FreeBSD testing to Xen osstest
- Lua in bootloader
- POSIX compliance testing framework
- coreclr: add Microsoft's coreclr and corefx to the Ports tree.
NetBSD
- Kernel-level projects
- Medium
- ISDN NT support and Asterisk integration
- LED/LCD Generic API
- NetBSD/azure -- Bringing NetBSD to Microsoft Azure
- OpenCrypto swcrypto(4) enhancements
- Scalable entropy gathering
- Userland PCI drivers
- Hard
- Real asynchronous I/O
- Parallelize page queues
- Tickless NetBSD with high-resolution timers
- Userland projects
- Easy
- Inetd enhancements -- Add new features to inetd
- Curses library automated testing
- Medium
- Make Anita support additional virtual machine systems
- Create an SQL backend and statistics/query page for ATF test results
- Light weight precision user level time reading
- Query optimizer for find(1)
- Port launchd
- Secure-PLT - supporting RELRO binaries
- Sysinst alternative interface
- Hard
- Verification tool for NetBSD32
- pkgsrc projects
- Easy
- Version control config files
- Spawn support in pkgsrc tools
- Authentication server meta-package
- Medium
- pkgin improvements
- Unify standard installation tasks
- Hard
- Add dependency information to binary packages
- Tool to find dependencies precisely
LLVM
- Fuzzing the Bitcode reader

> Description of the project: The optimizer is 25-30% slower when debug info are enabled, it'd be nice to track all the places where we don't do a good job about ignoring them!

Extend clang AST to provide information for the type as written in template instantiations.

> Description of the project: When instantiating a template, the template arguments are canonicalized before being substituted into the template pattern. Clang does not preserve type sugar when subsequently accessing members of the instantiation. Clang should "re-sugar" the type when performing member access on a class template specialization, based on the type sugar of the accessed specialization.

Shell auto-completion support for clang.

> Bash and other shells support typing a partial command and then automatically completing it for the user (or at least providing suggestions how to complete) when pressing the tab key. This is usually only supported for popular programs such as package managers (e.g. pressing tab after typing "apt-get install late" queries the APT package database and lists all packages that start with "late"). As of now clang's frontend isn't supported by any common shell.

Clang-based C/C++ diff tool.

> Description of the project: Every developer has to interact with diff tools daily. The algorithms are usually based on detecting "longest common subsequences", which is agnostic to the file type content. A tool that would understand the structure of the code may provide a better diff experience by being robust against, for example, clang-format changes.

Find dereference of pointers.

> Description of the project: Find dereference of pointer before checking for nullptr.

Warn if virtual calls are made from constructors or destructors.

> Description of the project: Implement a path-sensitive checker that warns if virtual calls are made from constructors and destructors, which is not valid in case of pure virtual calls and could be a sign of user error in non-pure calls.

Improve Code Layout

> Description of the project: The goal for the project is trying to improve the layout/performances of the generated executable. The primary object format considered for the project is ELF but this can be extended to other object formats. The project will touch both LLVM and lld.

Turtles on the Wire: Understanding How the OS Uses the Modern NIC

The Simple NIC
MAC Address Filters and Promiscuous Mode
Problem: The Single Busy CPU
A Swing and a Miss
Nine Rings for Packets Doomed to be Hashed
Problem: Density, Density, Density
A Brief Aside: The Virtual NIC
Always Promiscuous?
The Classification Challenge
Problem: CPUs are too ‘slow’
Problem: The Interrupts are Coming in too Hot
Solution One: Do Less Work
Solution Two: Turn Off Interrupts
Recapping
Future Directions and More Reading

Make Dragonfly BSD great again!

> Recently I spent some time reading Dragonfly BSD code. While doing so I spotted a vulnerability in the sysvsem subsystem that let user to point to any piece of memory and write data through it (including the kernel space). This can be turned into execution of arbitrary code in the kernel context and by exploiting this, we're gonna make Dragonfly BSD great again!

> Dragonfly BSD is a BSD system which originally comes from the FreeBSD project. In 2003 Matthew Dillon forked code from the 4.x branch of the FreeBSD and started a new flavour.
> I thought of Dragonfly BSD as just another fork, but during EuroBSDCon 2015 I accidentally saw the talk about graphical stack in the Dragonfly BSD. I confused rooms, but it was too late to escape as I was sitting in the middle of a row, and the exit seemed light years away from me. :-) Anyway, this talk was a sign to me that it's not just a niche of a niche of a niche of a niche operating system. I recommend spending a few minutes of your precious time to check out the HAMMER file system, Dragonfly's approach to MP, process snapshots and other cool features that it offers. Wikipedia article is a good starter

With the exploit, they are able to change the name of the operating system back to FreeBSD, and escalate from an unprivileged user to root.

> The Bug itself is located in the semctl(2) system call implementation. bcopy(3) in line 385 copies semid_ds structure to memory pointed by arg->buf, this pointer is fully controlled by the user, as it's one of the syscall's arguments. So the bad thing here is that we can copy things to arbitrary address, but we have not idea what we copy yet. This code was introduced by wrongly merging code from the FreeBSD project, bah, bug happens.

Using this access, the example code shows how to overwrite the function pointers in the kernel used for the open() syscall, and how to overwrite the ostype global, changing the name of the operating system.
In the second example, the reference to the credentials of the user trying to open a file are used to overwrite that data, making the user root.

> The bug was fixed in uber fast manner (within few hours!) by Matthew Dillon, version 4.6.1 released shortly after that seems to be safe. In case you care, you know what to do!

Thanks to Mateusz Kocielski for the detailed post, and finding the bug ***

Interview - Wendell - wendell@level1techs.com / @tekwendell

Host of Level1Techs website, podcast and YouTube channel

News Roundup

Using yubikeys everywhere

Ted Unangst is back, with an interesting post about YUBI Keys

> Everybody is getting real excited about yubikeys recently, so I figured I should get excited, too. I have so far resisted two factor authorizing everything, but this seemed like another fun experiment. There’s a lot written about yubikeys and how you should use one, but nothing I’ve read answered a few of the specific questions I had
> To begin with, I ordered two yubikeys. One regular sized 4 and one nano. I wanted to play with different form factors to see which is better for various uses, and I wanted to test having a key and a backup key. Everybody always talks about having one yubikey. And then if you lose it, terrible things happen. Can this problem be alleviated with two keys? I’m also very curious what happens when I try to login to a service with my phone after enabling U2F.
> We’ve got three computers (and operating systems) in the mix, along with a number of (mostly web) services. Wherever possible, I want to use a yubikey both to login to the computer and to authorize myself to remote services.
> I started my adventure on my chromebook. Ultimate goal would be to use the yubikey for local logins. Either as a second factor, or as an alternative factor. First things first and we need to get the yubikey into the account I use to sign into the chromebook. Alas, there is apparently no way to enroll only a security key for a Google account. Every time I tried, it would ask me for my phone number. That is not what I want. Zero stars.
> Giving up on protecting the chromebook itself, at least maybe I can use it to enable U2F with some other sites. U2F is currently limited to Chrome, but it sounds like everything I want. Facebook signup using U2F was pretty easy. Go to account settings, security subheading, add the device. Tap the button when it glows. Key added. Note that it’s possible to add a key without actually enabling two factor auth, in which case you can still login with only a password, but no way to login with no password and only a USB key. Logged out to confirm it would check the key, and everything looked good, so I killed all my other active sessions. Now for the phone test. Not quite as smooth. Tried to login, the Facebook app then tells me it has sent me an SMS and to enter the code in the box. But I don’t have a phone number attached. I’m not getting an SMS code.
> Meanwhile, on my laptop, I have a new notification about a login attempt. Follow the prompts to confirm it’s me and permit the login. This doesn’t have any effect on the phone, however. I have to tap back, return to the login screen, and enter my password again. This time the login succeeds. So everything works, but there are still some rough patches in the flow. Ideally, the phone would more accurately tell me to visit the desktop site, and then automatically proceed after I approve. (The messenger app crashed after telling me my session had expired, but upon restarting it was able to borrow the Facebook app credentials and I was immediately logged back in.)
> Let’s configure Dropbox next. Dropbox won’t let you add a security key to an account until after you’ve already set up some other mobile authenticator. I already had the Duo app on my phone, so I picked that, and after a short QR scan, I’m ready to add the yubikey. So the key works to access Dropbox via Chrome. Accessing Dropbox via my phone or Firefox requires entering a six digit code. No way to use a yubikey in a three legged configuration
> I don’t use Github, but I know they support two factors, so let’s try them next. Very similar to Dropbox. In order to set up a key, I must first set up an authenticator app. This time I went with Yubico’s own desktop authenticator. Instead of scanning the QR code, type in some giant number (on my Windows laptop), and it spits out an endless series of six digit numbers, but only while the yubikey is inserted. I guess this is kind of what I want, although a three pound yubikey is kind of unwieldy.
> As part of my experiment, I noticed that Dropbox verifies passwords before even looking at the second auth. I have a feeling that they should be checked at the same time. No sense allowing my password guessing attack to proceed while I plot how to steal someone’s yubikey. In a sense, the yubikey should serve as a salt, preventing me from mounting such an attack until I have it, thus creating a race where the victim notices the key is gone and revokes access before I learn the password. If I know the password, the instant I grab the key I get access. Along similar lines, I was able to complete a password reset without entering any kind of secondary code.
> Having my phone turn into a second factor is a big part of what I’m looking to avoid with the yubikey. I’d like to be able to take my phone with me, logged into some sites but not all, and unable to login to the rest. All these sites that require using my phone as mobile authenticator are making that difficult. I bought the yubikey because it was cheaper than buying another phone! Using the Yubico desktop authenticator seems the best way around that.

The article also provides instructions for configuring the Yubikey on OpenBSD

> A few notes about OTP. As mentioned, the secret key is the real password. It’s stored on whatever laptop or server you login to. Meaning any of those machines can take the key and use it to login to any other machine. If you use the same yubikey to login to both your laptop and a remote server, your stolen laptop can trivially be used to login to the server without the key. Be mindful of that when setting up multiple machines. Also, the OTP counter isn’t synced between machines in this setup, which allows limited replay attacks.

Ted didn’t switch his SSH keys to the Yubikey, because it doesn’t support ED25519, and he just finished rotating all of his keys and doesn’t want to do it again.

> I did most of my experimenting with the larger yubikey, since it was easier to move between machines. For operations involving logging into a web site, however, I’d prefer the nano. It’s very small, even smaller than the tiniest wireless mouse transcievers I’ve seen. So small, in fact, I had trouble removing it because I couldn’t find anything small enough to fit through the tiny loop. But probably a good thing. Most other micro USB gadgets stick out just enough to snag when pushing a laptop into a bag. Not the nano. You lose a port, but there’s really no reason to ever take it out. Just leave it in, and then tap it whenever you login to the tubes. It would not be a good choice for authenticating to the local machine, however. The larger device, sized to fit on a keychain, is much better for that.
> It is possible to use two keys as backups. Facebook and Dropbox allow adding two U2F keys. This is perhaps a little tiresome if there’s lots of sites, as I see no way to clone a key. You have to login to every service. For challenge response and OTP, however, the personalization tool makes it easy to generate lots of yubikeys with the same secrets. On the other hand, a single device supports an infinite number of U2F sites. The programmable interfaces like OTP are limited to only two slots, and the first is already used by the factory OTP setup.

What happened to my vlan

> A long term goal of the effort I'm driving to unlock OpenBSD's Network Stack is obviously to increase performances. So I'd understand that you find confusing when some of our changes introduce performance regressions.
> It is just really hard to do incremental changes without introducing temporary regressions. But as much as security is a process, improving performance is also a process. Recently markus@ told me that vlan(4) performances dropped in last releases. He had some ideas why but he couldn't provide evidences. So what really happened?
> Hrvoje Popovski was kind enough to help me with some tests. He first confirmed that on his Xeon box (E5-2643 v2 @ 3.50GHz), forwarding performances without pf(4) dropped from 1.42Mpps to 880Kpps when using vlan(4) on both interfaces.
> Together vlan_input() and vlan_start() represent 25% of the time CPU1 spends processing packets. This is not exactly between 33% and 50% but it is close enough. The assumption we made earlier is certainly too simple. If we compare the amount of work done in process context, represented by if_input_process() we clearly see that half of the CPU time is not spent in ether_input().
> I'm not sure how this is related to the measured performance drop. It is actually hard to tell since packets are currently being processed in 3 different contexts. One of the arguments mikeb@ raised when we discussed moving everything in a single context, is that it is simpler to analyse and hopefully make it scale.
> With some measurements, a couple of nice pictures, a bit of analysis and some educated guesses we are now in measure of saying that the performances impact observed with vlan(4) is certainly due to the pseudo-driver itself. A decrease of 30% to 50% is not what I would expect from such pseudo-driver.
> I originally heard that the reason for this regression was the use of SRP but by looking at the profiling data it seems to me that the queuing API is the problem. In the graph above the CPU time spent in if_input() and if_enqueue() from vlan(4) is impressive. Remember, in the case of vlan(4) these operations are done per packet!
> When if_input() has been introduced the queuing API did not exist and putting/taking a single packet on/from an interface queue was cheap. Now it requires a mutex per operation, which in the case of packets received and sent on vlan(4) means grabbing three mutexes per packets.
> I still can't say if my analysis is correct or not, but at least it could explain the decrease observed by Hrvoje when testing multiple vlan(4) configurations. vlan_input() takes one mutex per packet, so it decreases the number of forwarded packets by ~100Kpps on this machine, while vlan_start() taking two mutexes decreases it by ~200Kpps.

An interesting analysis of the routing performance regression on OpenBSD
I have asked Olivier Cochard-Labbe about doing a similar comparison of routing performance on FreeBSD when a vlan pseudo interface is added to the forwarding path ***

NetBSD: the first BSD introducing a modern process plugin framework in LLDB

Clean up in ptrace(2) ATF tests

> We have created some maintanance burden for the current ptrace(2) regression tests. The main issues with them is code duplication and the splitting between generic (Machine Independent) and port-specific (Machine Dependent) test files. I've eliminated some of the ballast and merged tests into the appropriate directory tests/lib/libc/sys/. The old location (tests/kernel) was a violation of the tests/README recommendation

PTRACE_FORK on !x86 ports

> Along with the motivation from Martin Husemann we have investigated the issue with PTRACE_FORK ATF regression tests. It was discovered that these tests aren't functional on evbarm, alpha, shark, sparc and sparc64 and likely on other non-x86 ports. We have discovered that there is a missing SIGTRAP emitted from the child, during the fork(2) handshake. The proper order of operations is as follows:

>> parent emits SIGTRAP with si_code=TRAP_CHLD and pe_set_event=pid of forkee
>> child emits SIGTRAP with si_code=TRAP_CHLD and pe_set_event=pid of forker

> Only the x86 ports were emitting the second SIGTRAP signal.

PT_SYSCALL and PT_SYSCALLEMU

> With the addition of PT_SYSCALLEMU we can implement a virtual kernel syscall monitor. It means that we can fake syscalls within a debugger. In order to achieve this feature, we need to use the PT_SYSCALL operation, catch SIGTRAP with si_code=TRAP_SCE (syscall entry), call PT_SYSCALLEMU and perform an emulated userspace syscall that would have been done by the kernel, followed by calling another PT_SYSCALL with si_code=TRAP_SCX.

What has been done in LLDB

> A lot of work has been done with the goal to get breakpoints functional. This target penetrated bugs in the existing local patches and unveiled missing features required to be added. My initial test was tracing a dummy hello-world application in C. I have sniffed the GDB Remote Protocol packets and compared them between Linux and NetBSD. This helped to streamline both versions and bring the NetBSD support to the required Linux level.

Plan for the next milestone

> I've listed the following goals for the next milestone.

watchpoints support
floating point registers support
enhance core(5) and make it work for multiple threads
introduce PT_SETSTEP and PT_CLEARSTEP in ptrace(2)
support threads in the NetBSD Process Plugin
research F_GETPATH in fcntl(2)
Beyond the next milestone is x86 32-bit support.

LibreSSL 2.5.2 released

Added the recallocarray(3) memory allocation function, and converted various places in the library to use it, such as CBB and BUF_MEM_grow. recallocarray(3) is similar to reallocarray. Newly allocated memory is cleared similar to calloc(3). Memory that becomes unallocated while shrinking or moving existing allocations is explicitly discarded by unmapping or clearing to 0.
Added new root CAs from SECOM Trust Systems / Security Communication of Japan.
Added EVP interface for MD5+SHA1 hashes.
Fixed DTLS client failures when the server sends a certificate request.
Correct handling of padding when upgrading an SSLv2 challenge into an SSLv3/TLS connection.
Allow protocols and ciphers to be set on a TLS config object in libtls.
Improved nc(1) TLS handshake CPU usage and server-side error reporting.

Beastie Bits

HardenedBSD Stable v46.16 released
KnoxBUG looking for OpenBSD people in Knoxville TN area
KnoxBUG Tuesday, April 18, 2017 - 6:00pm : Caleb Cooper: Advanced BASH Scripting](http://knoxbug.org/2017-04-18)
e2k17 Nano hackathon report from Bob Beck
Noah Chelliah, Host of the Linux Action Show calls Linux a ‘Bad Science Project’ and ditches Linux for TrueOS](https://youtu.be/yXB85_olYhQ?t=3238) ***

Feedback/Questions

188: And then the murders began

JT Pennington — Wed, 05 Apr 2017 08:00:00 -0400

Today on BSD Now, the latest Dragonfly BSD release, RaidZ performance, another OpenSSL Vulnerability, and more; all this week on BSD Now.

This episode was brought to you by

Headlines

DragonFly BSD 4.8 is released

Improved kernel performance
- This release further localizes cache lines and reduces/removes cache ping-ponging on globals. For bulk builds on many-cores or multi-socket systems, we have around a 5% improvement, and certain subsystems such as namecache lookups and exec()s see massive focused improvements. See the corresponding mailing list post with details.
Support for eMMC booting, and mobile and high-performance PCIe SSDs
- This kernel release includes support for eMMC storage as the boot device. We also sport a brand new SMP-friendly, high-performance NVMe SSD driver (PCIe SSD storage). Initial device test results are available.
EFI support
- The installer can now create an EFI or legacy installation. Numerous adjustments have been made to userland utilities and the kernel to support EFI as a mainstream boot environment. The /boot filesystem may now be placed either in its own GPT slice, or in a DragonFly disklabel inside a GPT slice.
- DragonFly, by default, creates a GPT slice for all of DragonFly and places a DragonFly disklabel inside it with all the standard DFly partitions, such that the disk names are roughly the same as they would be in a legacy system.
Improved graphics support
- The i915 driver has been updated to match the version found with the Linux 4.6 kernel. Broadwell and Skylake processor users will see improvements.
Other user-affecting changes
- Kernel is now built using -O2.
- VKernels now use COW, so multiple vkernels can share one disk image.
- powerd() is now sensitive to time and temperature changes.
- Non-boot-filesystem kernel modules can be loaded in rc.conf instead of loader.conf. ***

#8005 poor performance of 1MB writes on certain RAID-Z configurations

Matt Ahrens posts a new patch for OpenZFS

> Background: RAID-Z requires that space be allocated in multiples of P+1 sectors,because this is the minimum size block that can have the required amount of parity. Thus blocks on RAIDZ1 must be allocated in a multiple of 2 sectors; on RAIDZ2 multiple of 3; and on RAIDZ3 multiple of 4. A sector is a unit of 2^ashift bytes, typically 512B or 4KB.
> To satisfy this constraint, the allocation size is rounded up to the proper multiple, resulting in up to 3 "pad sectors" at the end of some blocks. The contents of these pad sectors are not used, so we do not need to read or write these sectors. However, some storage hardware performs much worse (around 1/2 as fast) on mostly-contiguous writes when there are small gaps of non-overwritten data between the writes. Therefore, ZFS creates "optional" zio's when writing RAID-Z blocks that include pad sectors. If writing a pad sector will fill the gap between two (required) writes, we will issue the optional zio, thus doubling performance. The gap-filling performance improvement was introduced in July 2009.
> Writing the optional zio is done by the io aggregation code in vdev_queue.c. The problem is that it is also subject to the limit on the size of aggregate writes, zfs_vdev_aggregation_limit, which is by default 128KB. For a given block, if the amount of data plus padding written to a leaf device exceeds zfs_vdev_aggregation_limit, the optional zio will not be written, resulting in a ~2x performance degradation.
> The solution is to aggregate optional zio's regardless of the aggregation size limit.

As you can see from the graphs, this can make a large difference in performance.
I encourage you to read the entire commit message, it is well written and very detailed. ***

Can you spot the OpenSSL vulnerability

> This code was introduced in OpenSSL 1.1.0d, which was released a couple of days ago. This is in the server SSL code, ssl/statem/statem_srvr.c, ssl_bytes_to_cipher_list()), and can easily be reached remotely. Can you spot the vulnerability?
> So there is a loop, and within that loop we have an ‘if’ statement, that tests a number of conditions. If any of those conditions fail, OPENSSL_free(raw) is called. But raw isn’t the address that was allocated; raw is increment every loop. Hence, there is a remote invalid free vulnerability.
> But not quite. None of those checks in the ‘if’ statement can actually fail; earlier on in the function, there is a check that verifies that the packet contains at least 1 byte, so PACKET_get_1 cannot fail. Furthermore, earlier in the function it is verified that the packet length is a multiple of 3, hence PACKET_copy_bytes and PACKET_forward cannot fail.

So, does the code do what the original author thought, or expected it to do?
But what about the next person that modifies that code, maybe changing or removing one of the earlier checks, allowing one of those if conditions to fail, and execute the bad code?

> Nonetheless OpenSSL has acknowledged that the OPENSSL_free line needs a rewrite: Pull Request #2312
> PS I’m not posting this to ridicule the OpenSSL project or their programming skills. I just like reading code and finding corner cases that impact security, which is an effort that ultimately works in everybody’s best interest, and I like to share what I find. Programming is a very difficult enterprise and everybody makes mistakes.

Thanks to Guido Vranken for the sharp eye and the blog post ***

Research Debt

I found this article interesting as it relates to not just research, but a lot of technical areas in general

> Achieving a research-level understanding of most topics is like climbing a mountain. Aspiring researchers must struggle to understand vast bodies of work that came before them, to learn techniques, and to gain intuition. Upon reaching the top, the new researcher begins doing novel work, throwing new stones onto the top of the mountain and making it a little taller for whoever comes next.
> People expect the climb to be hard. It reflects the tremendous progress and cumulative effort that’s gone into the research. The climb is seen as an intellectual pilgrimage, the labor a rite of passage. But the climb could be massively easier. It’s entirely possible to build paths and staircases into these mountains. The climb isn’t something to be proud of. The climb isn’t progress: the climb is a mountain of debt.
> Programmers talk about technical debt: there are ways to write software that are faster in the short run but problematic in the long run.

> Poor Exposition – Often, there is no good explanation of important ideas and one has to struggle to understand them. This problem is so pervasive that we take it for granted and don’t appreciate how much better things could be.

> Undigested Ideas – Most ideas start off rough and hard to understand. They become radically easier as we polish them, developing the right analogies, language, and ways of thinking.

> Bad abstractions and notation – Abstractions and notation are the user interface of research, shaping how we think and communicate. Unfortunately, we often get stuck with the first formalisms to develop even when they’re bad. For example, an object with extra electrons is negative, and pi is wrong

> Noise – Being a researcher is like standing in the middle of a construction site. Countless papers scream for your attention and there’s no easy way to filter or summarize them. We think noise is the main way experts experience research debt.

> There’s a tradeoff between the energy put into explaining an idea, and the energy needed to understand it. On one extreme, the explainer can painstakingly craft a beautiful explanation, leading their audience to understanding without even realizing it could have been difficult. On the other extreme, the explainer can do the absolute minimum and abandon their audience to struggle. This energy is called interpretive labor
> Research distillation is the opposite of research debt. It can be incredibly satisfying, combining deep scientific understanding, empathy, and design to do justice to our research and lay bare beautiful insights. Distillation is also hard. It’s tempting to think of explaining an idea as just putting a layer of polish on it, but good explanations often involve transforming the idea. This kind of refinement of an idea can take just as much effort and deep understanding as the initial discovery.

The distillation can often times require an entirely different set of skills than the original creation of the idea. Almost all of the BSD projects have some great ideas or subsystems that just need distillation into easy to understand and use platforms or tools.
> Like the theoretician, the experimentalist or the research engineer, the research distiller is an integral role for a healthy research community. Right now, almost no one is filling it.
Anyway, if that bit piqued your interest, go read the full article and the suggested further reading.

News Roundup

And then the murders began.

> A whole bunch of people have pointed me at articles like this one, which claim that you can improve almost any book by making the second sentence “And then the murders began.”
> It’s entirely possible they’re correct. But let’s check, with a sampling of books. As different books come in different tenses and have different voices, I’ve made some minor changes.

>“Welcome to Cisco Routers for the Desperate! And then the murders begin.” — Cisco Routers for the Desperate, 2nd ed

> “Over the last ten years, OpenSSH has become the standard tool for remote management of Unix-like systems and many network devices. And then the murders began.” — SSH Mastery

> “The Z File System, or ZFS, is a complicated beast, but it is also the most powerful tool in a sysadmin’s Batman-esque utility belt. And then the murders begin.” — FreeBSD Mastery: Advanced ZFS

> “Blood shall rain from the sky, and great shall be the lamentation of the Linux fans. And then, the murders will begin.” — Absolute FreeBSD, 3rd Ed

Netdata now supports FreeBSD

> netdata is a system for distributed real-time performance and health monitoring. It provides unparalleled insights, in real-time, of everything happening on the system it runs (including applications such as web and database servers), using modern interactive web dashboards.

From the release notes:

> apps.plugin ported for FreeBSD

Check out their demo sites ***

Distrowatch Weekly reviews RaspBSD

> RaspBSD is a FreeBSD-based project which strives to create a custom build of FreeBSD for single board and hobbyist computers. RaspBSD takes a recent snapshot of FreeBSD and adds on additional components, such as the LXDE desktop and a few graphical applications. The RaspBSD project currently has live images for Raspberry Pi devices, the Banana Pi, Pine64 and BeagleBone Black & Green computers.

> The default RaspBSD system is quite minimal, running a mere 16 processes when I was logged in. In the background the operating system runs cron, OpenSSH, syslog and the powerd power management service. Other than the user's shell and terminals, nothing else is running. This means RaspBSD uses little memory, requiring just 16MB of active memory and 31MB of wired or kernel memory.

> I made note of a few practical differences between running RaspBSD on the Pi verses my usual Raspbian operating system. One minor difference is RaspBSD turns off the Pi's external power light after booting. Raspbian leaves the light on. This means it looks like the Pi is off when it is running RaspBSD, but it also saves a little electricity.

> Conclusions: Apart from these little differences, running RaspBSD on the Pi was a very similar experience to running Raspbian and my time with the operating system was pleasantly trouble-free. Long-term, I think applying source updates to the base system might be tedious and SD disk operations were slow. However, the Pi usually is not utilized for its speed, but rather its low cost and low-energy usage. For people who are looking for a small home server or very minimal desktop box, RaspBSD running on the Pi should be suitable.

Research UNIX V8, V9 and V10 made public by Alcatel-Lucent

Alcatel-Lucent USA Inc. (“ALU-USA”), on behalf of itself and Nokia Bell Laboratories agrees, to the extent of its ability to do so, that it will not assert its copyright rights with respect to any non-commercial copying, distribution, performance, display or creation of derivative works of Research Unix®1 Editions 8, 9, and 10.
Research Unix is a term used to refer to versions of the Unix operating system for DEC PDP-7, PDP-11, VAX and Interdata 7/32 and 8/32 computers, developed in the Bell Labs Computing Science Research Center. The version breakdown can be viewed on its Wikipedia page
It only took 30+ years, but now they’re public
You can grab them from here
If you’re wondering what happened with Research Unix, After Version 10, Unix development at Bell Labs was stopped in favor of a successor system, Plan 9; which itself was succeeded by Inferno. ***

Beastie Bits

Feedback/Questions

gozes asks via twitter about how get involved in FreeBSD ***

187: Catching up to BSD

JT Pennington — Wed, 29 Mar 2017 08:00:00 -0400

Catching up to BSD, news about the NetBSD project, a BSD Phone, and a bunch of OpenBSD and TrueOS News.

This episode was brought to you by

Headlines

NetBSD 7.1 released

This update represents a selected subset of fixes deemed important for security or stability reasons, as well as new features and enhancements.
Kernel
- compat_linux(8): Fully support sched_setaffinity and sched_getaffinity, fixing, e.g., the Intel Math Kernel Library.
DTrace:
- Avoid redefined symbol errors when loading the module.
- Fix module autoload.
IPFilter:
- Fix matching of ICMP queries when NAT'd through IPF.
- Fix lookup of original destination address when using a redirect rule. This is required for transparent proxying by squid, for example.
- ipsec(4): Fix NAT-T issue with NetBSD being the host behind NAT.
Drivers
- Add vioscsi driver for the Google Compute Engine disk.
- ichsmb(4): Add support for Braswell CPU and Intel 100 Series.
- wm(4):
- Add C2000 KX and 2.5G support.
- Add Wake On Lan support.
- Fixed a lot of bugs
Security Fixes
- NetBSD-SA2017-001 Memory leak in the connect system call.
- NetBSD-SA2017-002 Several vulnerabilities in ARP.
ARM related
- Support for Raspberry Pi Zero.
- ODROID-C1 Ethernet now works.

Summary of the preliminary LLDB support project

What has been done in NetBSD
- Verified the full matrix of combinations of wait(2) and ptrace(2) in the following
- GNU libstdc++ std::call_once bug investigation test-cases
- Improving documentation and other minor system parts
- Documentation of ptrace(2) and explanation how debuggers work
- Introduction of new siginfo(2) codes for SIGTRAP
- New ptrace(2) interfaces
What has been done in LLDB
Native Process NetBSD Plugin
The MonitorCallback function
Other LLDB code, out of the NativeProcessNetBSD Plugin
Automated LLDB Test Results Summary
Plan for the next milestone
- fix conflict with system-wide py-six
- add support for auxv read operation
- switch resolution of pid -> path to executable from /proc to sysctl(7)
- recognize Real-Time Signals (SIGRTMIN-SIGRTMAX)
- upstream !NetBSDProcessPlugin code
- switch std::call_once to llvm::call_once
- add new ptrace(2) interface to lock and unlock threads from execution
- switch the current PT_WATCHPOINT interface to PT_GETDBREGS and PT_SETDBREGS

Actually building a FreeBSD Phone

There have been a number of different projects that have proposed building a FreeBSD based smart phone
This project is a bit different, and I think that gives it a better chance to make progress
It uses off-the-shelf parts, so while not as neatly integrated as a regular smartphone device, it makes a much better prototype, and is more readily available.
Hardware overview: X86-based, long-lasting (user-replaceable) battery, WWAN Modem (w/LTE), 4-5" LCD Touchscreen (Preferably w/720p resolution, IPS), upgradable storage.
Currently targeting the UDOO Ultra platform. It features Intel Pentium N3710 (2.56GHz Quad-core, HD Graphics 405 [16 EUs @ 700MHz], VT-x, AES-NI), 2x4GB DDR3L RAM, 32GB eMMC storage built-in, further expansion w/M.2 SSD & MicroSD slot, lots of connectivity onboard.
Software: FreeBSD Hypervisor (bhyve or Xen) to run atop the hardware, hosting two separate hosts.
- One will run an instance of pfSense, the "World's Most Popular Open Source Firewall" to handle the WWAN connection, routing, and Firewall (as well as Secure VPN if desired).
- The other instance will run a slimmed down installation of FreeBSD. The UI will be tweaked to work best in this form factor & resources tuned for this platform. There will be a strong reliance on Google Chromium & Google's services (like Google Voice).
The project has a detailed log, and it looks like the hardware it is based on will ship in the next few weeks, so we expect to see more activity. ***

News Roundup

NVME M.2 card road tests (Matt Dillon)

DragonFlyBSD’s Matt Dillon has posted a rundown of the various M.2 NVMe devices he has tested
- SAMSUNG 951
- SAMSUNG 960 EVO
- TOSHIBA OCZ RD400
- INTEL 600P
- WD BLACK 256G
- MYDIGITALSSD
- PLEXTOR M8Pe
It is interesting to see the relative performance of each device, but also how they handle the workload and manage their temperature (or don’t in a few cases)
The link provides a lot of detail about different block sizes and overall performance ***

ZREP ZFS replication and failover

"zrep", a robust yet easy to use ZFS based replication and failover solution. It can also serve as the conduit to create a simple backup hub.
The tool was originally written for Solaris, and is written in ksh
However, it seems people have used it on FreeBSD and even FreeNAS by installing the ksh93 port
Has anyone used this? How does it compare to tools like zxfer?
There is a FreeBSD port, but it is a few versions behind, someone should update it
We would be interested in hearing some feedback ***

Catching up on some TrueOS News

Catching up on some OpenBSD News

Beastie Bits

Feedback/Questions

Noel asks about moving to bhyve/jails ***

186: The Fast And the Firewall: Tokyo Drift

JT Pennington — Wed, 22 Mar 2017 08:00:00 -0400

This week on BSDNow, reports from AsiaBSDcon, TrueOS and FreeBSD news, Optimizing IllumOS Kernel, your questions and more.

This episode was brought to you by

Headlines

AsiaBSDcon Reports and Reviews

TrueOS Community Guidelines are here!

TrueOS has published its new Community Guidelines
The TrueOS Project has existed for over ten years. Until now, there was no formally defined process for interested individuals in the TrueOS community to earn contributor status as an active committer to this long-standing project. The current core TrueOS developers (Kris Moore, Ken Moore, and Joe Maloney) want to provide the community more opportunities to directly impact the TrueOS Project, and wish to formalize the process for interested people to gain full commit access to the TrueOS repositories.
These describe what is expected of community members and committers
They also describe the process of getting commit access to the TrueOS repo:

>Previously, Kris directly handed out commit bits. Now, the Core developers have provided a small list of requirements for gaining a TrueOS commit bit:

>Create five or more pull requests in a TrueOS Project repository within a single six month period.

>Stay active in the TrueOS community through at least one of the available community channels (Gitter, Discourse, IRC, etc.).

>Request commit access from the core developers via core@trueos.org OR Core developers contact you concerning commit access.

> Pull requests can be any contribution to the project, from minor documentation tweaks to creating full utilities.

> At the end of every month, the core developers review the commit logs, removing elements that break the Project or deviate too far from its intended purpose. Additionally, outstanding pull requests with no active dissension are immediately merged, if possible. For example, a user submits a pull request which adds a little-used OpenRC script. No one from the community comments on the request or otherwise argues against its inclusion, resulting in an automatic merge at the end of the month. In this manner, solid contributions are routinely added to the project and never left in a state of “limbo”.

The page also describes the perks of being a TrueOS committer:

> Contributors to the TrueOS Project enjoy a number of benefits, including:

> A personal TrueOS email alias: @trueos.org

> Full access for managing TrueOS issues on GitHub.

> Regular meetings with the core developers and other contributors.

> Access to private chat channels with the core developers.

> Recognition as part of an online Who’s Who of TrueOS developers.

> The eternal gratitude of the core developers of TrueOS.

> A warm, fuzzy feeling.

Intel Donates 250.000 $ to the FreeBSD Foundation

More details about the deal: Systems Thinking: Intel and the FreeBSD Project

> Intel will be more actively engaging with the FreeBSD Foundation and the FreeBSD Project to deliver more timely support for Intel products and technologies in FreeBSD.

> Intel has contributed code to FreeBSD for individual device drivers (i.e. NICs) in the past, but is now seeking a more holistic “systems thinking” approach.

Intel Blog Post

> We will work closely with the FreeBSD Foundation to ensure the drivers, tools, and applications needed on Intel® SSD-based storage appliances are available to the community. This collaboration will also provide timely support for future Intel® 3D XPoint™ products.

Thank you very much, Intel! ***

Applied FreeBSD: Basic iSCSI

> iSCSI is often touted as a low-cost replacement for fibre-channel (FC) Storage Area Networks (SANs). Instead of having to setup a separate fibre-channel network for the SAN, or invest in the infrastructure to run Fibre-Channel over Ethernet (FCoE), iSCSI runs on top of standard TCP/IP. This means that the same network equipment used for routing user data on a network could be utilized for the storage as well.

> This article will cover a very basic setup where a FreeBSD server is configured as an iSCSI Target, and another FreeBSD server is configured as the iSCSI Initiator. The iSCSI Target will export a single disk drive, and the initiator will create a filesystem on this disk and mount it locally. Advanced topics, such as multipath, ZFS storage pools, failover controllers, etc. are not covered.

> The real magic is the /etc/ctl.conf file, which contains all of the information necessary for ctld to share disk drives on the network. Check out the man page for /etc/ctl.conf for more details; below is the configuration file that I created for this test setup. Note that on a system that has never had iSCSI configured, there will be no existing configuration file, so go ahead and create it.

Then, enable ctld and start it:
- sysrc ctld_enable=”YES”
- service ctld start
You can use the ctladm command to see what is going on:

root@bsdtarget:/dev # ctladm lunlist

(7:0:0/0): Fixed Direct Access SPC-4 SCSI device

(7:0:1/1): Fixed Direct Access SPC-4 SCSI device

root@bsdtarget:/dev # ctladm devlist

LUN Backend Size (Blocks) BS Serial Number Device ID

0 block 10485760 512 MYSERIAL 0 MYDEVID 0

1 block 10485760 512 MYSERIAL 1 MYDEVID 1

Now, let’s configure the client side:

> In order for a FreeBSD host to become an iSCSI Initiator, the iscsd daemon needs to be started.

sysrc iscsid_enable=”YES”
service iscsid start

> Next, the iSCSI Initiator can manually connect to the iSCSI target using the iscsictl tool. While setting up a new iSCSI session, this is probably the best option. Once you are sure the configuration is correct, add the configuration to the /etc/iscsi.conf file (see man page for this file). For iscsictl, pass the IP address of the target as well as the iSCSI IQN for the session:

+ iscsictl -A -p 192.168.22.128 -t iqn.2017-02.lab.testing:basictarget

You should now have a new device (check dmesg), in this case, da1
The guide them walks through partitioning the disk, and laying down a UFS file system, and mounting it
This it walks through how to disconnect iscsi, incase you don’t want it anymore
This all looked nice and easy, and it works very well. Now lets see what happens when you try to mount the iSCSI from Windows
Ok, that wasn’t so bad.
Now, instead of sharing an entire space disk on the host via iSCSI, share a zvol. Now your windows machine can be backed by ZFS. All of your problems are solved.

Interview - Philipp Buehler - pbuehler@sysfive.com

Technical Lead at SysFive, and Former OpenBSD Committer

News Roundup

Half a dozen new features in mandoc -T html

mandoc’s HTML output mode got some new features

> Even though mdoc(7) is a semantic markup language, traditionally none of the semantic annotations were communicated to the reader. [...] Now, at least in -T html output mode, you can see the semantic function of marked-up words by hovering your mouse over them.

> In terminal output modes, we have the ctags(1)-like internal search facility built around the less(1) tag jump (:t) feature for quite some time now. We now have a similar feature in -T html output mode. To jump to (almost) the same places in the text, go to the address bar of the browser, type a hash mark ('#') after the URI, then the name of the option, command, variable, error code etc. you want to jump to, and hit enter.

Check out the full report by Ingo Schwarze (schwarze@) and try out these new features ***

Optimizing IllumOS Kernel Crypto

Sašo Kiselkov, of ZFS fame, looked into the performance of the OpenSolaris kernel crypto framework and found it lacking.
The article also spends a few minutes on the different modes and how they work.

> Recently I've had some motivation to look into the KCF on Illumos and discovered that, unbeknownst to me, we already had an AES-NI implementation that was automatically enabled when running on Intel and AMD CPUs with AES-NI support. This work was done back in 2010 by Dan Anderson.This was great news, so I set out to test the performance in Illumos in a VM on my Mac with a Core i5 3210M (2.5GHz normal, 3.1GHz turbo).

The initial tests of “what the hardware can do” were done in OpenSSL

> So now comes the test for the KCF. I wrote a quick'n'dirty crypto test module that just performed a bunch of encryption operations and timed the results.

KCF got around 100 MB/s for each algorithm, except half that for AES-GCM
OpenSSL had done over 3000 MB/s for CTR mode, 500 MB/s for CBC, and 1000 MB/s for GCM

> What the hell is that?! This is just plain unacceptable. Obviously we must have hit some nasty performance snag somewhere, because this is comical. And sure enough, we did.

> When looking around in the AES-NI implementation I came across this bit in aes_intel.s that performed the CLTS instruction.

> This is a problem: 3.1.2 Instructions That Cause VM Exits ConditionallyCLTS. The CLTS instruction causes a VM exit if the bits in position 3 (corresponding to CR0.TS) are set in both the CR0 guest/host mask and the CR0 read shadow.

> The CLTS instruction signals to the CPU that we're about to use FPU registers (which is needed for AES-NI), which in VMware causes an exit into the hypervisor. And we've been doing it for every single AES block! Needless to say, performing the equivalent of a very expensive context switch every 16 bytes is going to hurt encryption performance a bit. The reason why the kernel is issuing CLTS is because for performance reasons, the kernel doesn't save and restore FPU register state on kernel thread context switches. So whenever we need to use FPU registers inside the kernel, we must disable kernel thread preemption via a call to kpreempt_disable() and kpreempt_enable() and save and restore FPU register state manually. During this time, we cannot be descheduled (because if we were, some other thread might clobber our FPU registers), so if a thread does this for too long, it can lead to unexpected latency bubbles

> The solution was to restructure the AES and KCF block crypto implementations in such a way that we execute encryption in meaningfully small chunks. I opted for 32k bytes, for reasons which I'll explain below. Unfortunately, doing this restructuring work was a bit more complicated than one would imagine, since in the KCF the implementation of the AES encryption algorithm and the block cipher modes is separated into two separate modules that interact through an internal API, which wasn't really conducive to high performance (we'll get to that later). Anyway, having fixed the issue here and running the code at near native speed, this is what I get:

AES-128/CTR: 439 MB/s

AES-128/CBC: 483 MB/s

AES-128/GCM: 252 MB/s

> Not disastrous anymore, but still, very, very bad. Of course, you've got keep in mind, the thing we're comparing it to, OpenSSL, is no slouch. It's got hand-written highly optimized inline assembly implementations of most of these encryption functions and their specific modes, for lots of platforms. That's a ton of code to maintain and optimize, but I'll be damned if I let this kind of performance gap persist.

> Fixing this, however, is not so trivial anymore. It pertains to how the KCF's block cipher mode API interacts with the cipher algorithms. It is beautifully designed and implemented in a fashion that creates minimum code duplication, but this also means that it's inherently inefficient.

> ECB, CBC and CTR gained the ability to pass an algorithm-specific "fastpath" implementation of the block cipher mode, because these functions benefit greatly from pipelining multiple cipher calls into a single place.

> ECB, CTR and CBC decryption benefit enormously from being able to exploit the wide XMM register file on Intel to perform encryption/decryption operations on 8 blocks at the same time in a non-interlocking manner. The performance gains here are on the order of 5-8x.CBC encryption benefits from not having to copy the previously encrypted ciphertext blocks into memory and back into registers to XOR them with the subsequent plaintext blocks, though here the gains are more modest, around 1.3-1.5x.

> After all of this work, this is how the results now look on Illumos, even inside of a VM:

Algorithm/Mode 128k ops

AES-128/CTR: 3121 MB/s

AES-128/CBC: 691 MB/s

AES-128/GCM: 1053 MB/s

So the CTR and GCM speeds have actually caught up to OpenSSL, and CBC is actually faster than OpenSSL.

> On the decryption side of things, CBC decryption also jumped from 627 MB/s to 3011 MB/s. Seeing these performance numbers, you can see why I chose 32k for the operation size in between kernel preemption barriers. Even on the slowest hardware with AES-NI, we can expect at least 300-400 MB/s/core of throughput, so even in the worst case, we'll be hogging the CPU for at most ~0.1ms per run.

> Overall, we're even a little bit faster than OpenSSL in some tests, though that's probably down to us encrypting 128k blocks vs 8k in the "openssl speed" utility. Anyway, having fixed this monstrous atrocity of a performance bug, I can now finally get some sleep.

To made these tests repeatable, and to ensure that the changes didn’t break the crypto algorithms, Saso created a crypto_test kernel module.
I have recently created a FreeBSD version of crypto_test.ko, for much the same purposes
Initial performance on FreeBSD is not as bad, if you have the aesni.ko module loaded, but it is not up to speed with OpenSSL. You cannot directly compare to the benchmarks Saso did, because the CPUs are vastly different.
Performance results
I hope to do some more tests on a range of different sized CPUs in order to determine how the algorithms scale across different clock speeds.
I also want to look at, or get help and have someone else look at, implementing some of the same optimizations that Saso did.
It currently seems like there isn’t a way to perform addition crypto operations in the same session without regenerating the key table. Processing additional buffers in an existing session might offer a number of optimizations for bulk operations, although in many cases, each block is encrypted with a different key and/or IV, so it might not be very useful. ***

Brendan Gregg’s special freeware tools for sysadmins

These tools need to be in every (not so) serious sysadmins toolbox.
Triple ROT13 encryption algorithm (beware: export restrictions may apply)
/usr/bin/maybe, in case true and false don’t provide too little choice...
The bottom command lists you all the processes using the least CPU cycles.
Check out the rest of the tools.
You wrote similar tools and want us to cover them in the show? Send us an email to feedback@bsdnow.tv ***

A look at 2038

> I remember the Y2K problem quite vividly. The world was going crazy for years, paying insane amounts of money to experts to fix critical legacy systems, and there was a neverending stream of predictions from the media on how it’s all going to fail. Most didn’t even understand what the problem was, and I remember one magazine writing something like the following:
> Most systems store the current year as a two-digit value to save space. When the value rolls over on New Year’s Eve 1999, those two digits will be “00”, and “00” means “halt operation” in the machine language of many central processing units. If you’re in an elevator at this time, it will stop working and you may fall to your death.
> I still don’t know why they thought a computer would suddenly interpret data as code, but people believed them. We could see a nearby hydropower plant from my parents’ house, and we expected it to go up in flames as soon as the clock passed midnight, while at least two airplanes crashed in our garden at the same time. Then nothing happened. I think one of the most “severe” problems was the police not being able to open their car garages the next day because their RFID tokens had both a start and end date for validity, and the system clock had actually rolled over to 1900, so the tokens were “not yet valid”.
> That was 17 years ago. One of the reasons why Y2K wasn’t as bad as it could have been is that many systems had never used the “two-digit-year” representation internally, but use some form of “timestamp” relative to a fixed date (the “epoch”).
> The actual problem with time and dates rolling over is that systems calculate timestamp differences all day. Since a timestamp derived from the system clock seemingly only increases with each query, it is very common to just calculate diff = now - before and never care about the fact that now could suddenly be lower than before because the system clock has rolled over. In this case diff is suddenly negative, and if other parts of the code make further use of the suddenly negative value, things can go horribly wrong.
> A good example was a bug in the generator control units (GCUs) aboard Boeing 787 “Dreamliner” aircrafts, discovered in 2015. An internal timestamp counter would overflow roughly 248 days after the system had been powered on, triggering a shut down to “safe mode”. The aircraft has four generator units, but if all were powered up at the same time, they would all fail at the same time. This sounds like an overflow caused by a signed 32-bit counter counting the number of centiseconds since boot, overflowing after 248.55 days, and luckily no airline had been using their Boing 787 models for such a long time between maintenance intervals.
> The “obvious” solution is to simply switch to 64-Bit values and call it day, which would push overflow dates far into the future (as long as you don’t do it like the IBM S/370 mentioned before). But as we’ve learned from the Y2K problem, you have to assume that computer systems, computer software and stored data (which often contains timestamps in some form) will stay with us for much longer than we might think. The years 2036 and 2038 might be far in the future, but we have to assume that many of the things we make and sell today are going to be used and supported for more than just 19 years. Also many systems have to store dates which are far in the future. A 30 year mortgage taken out in 2008 could have already triggered the bug, and for some banks it supposedly did.
> sys_gettimeofday() is one of the most used system calls on a generic Linux system and returns the current time in form of an UNIX timestamp (time_t data type) plus fraction (suseconds_t data type). Many applications have to know the current time and date to do things, e.g. displaying it, using it in game timing loops, invalidating caches after their lifetime ends, perform an action after a specific moment has passed, etc. In a 32-Bit UNIX system, time_t is usually defined as a signed 32-Bit Integer.
> When kernel, libraries and applications are compiled, the compiler will turn this assumption machine code and all components later have to match each other. So a 32-Bit Linux application or library still expects the kernel to return a 32-Bit value even if the kernel is running on a 64-Bit architecture and has 32-Bit compatibility. The same holds true for applications calling into libraries. This is a major problem, because there will be a lot of legacy software running in 2038. Systems which used an unsigned 32-Bit Integer for time_t push the problem back to 2106, but I don’t know about many of those.
> The developers of the GNU C library (glibc), the default standard C library for many GNU/Linux systems, have come up with a design for year 2038 proofness for their library. Besides the time_t data type itself, a number of other data structures have fields based on time_t or the combined struct timespec and struct timeval types. Many methods beside those intended for setting and querying the current time use timestamps
> 32-Bit Windows applications, or Windows applications defining _USE_32BIT_TIME_T, can be hit by the year 2038 problem too if they use the time_t data type. The __time64_t data type had been available since Visual C 7.1, but only Visual C 8 (default with Visual Studio 2015) expanded time_t to 64 bits by default. The change will only be effective after a recompilation, legacy applications will continue to be affected.
> If you live in a 64-Bit world and use a 64-Bit kernel with 64-Bit only applications, you might think you can just ignore the problem. In such a constellation all instances of the standard time_t data type for system calls, libraries and applications are signed 64-Bit Integers which will overflow in around 292 billion years. But many data formats, file systems and network protocols still specify 32-Bit time fields, and you might have to read/write this data or talk to legacy systems after 2038. So solving the problem on your side alone is not enough.

Then the article goes on to describe how all of this will break your file systems. Not to mention your databases and other file formats.
Also see Theo De Raadt’s EuroBSDCon 2013 Presentation ***

Beastie Bits

Feedback/Questions

Craig asks about BSD server management
Michael asks about jails as a router between networks
Todd asks about connecting jails
Dave writes in with an interesting link > applications crash more often due to errors than corruptions. In the case of corruption, a few applications (e.g., Log-Cabin, ZooKeeper) can use checksums and redundancy to recover, leading to a correct behavior; however, when the corruption is transformed into an error, these applications crash, resulting in reduced availability. ***

185: Exit Interview

JT Pennington — Thu, 16 Mar 2017 08:00:00 -0400

This is a very special BSD Now! New exciting changes are coming to the show and we’re gonna cover them, so stick around or you’ll miss it!

Interview – Kris Moore – kris@trueos.org / @pcbsdKris

TrueOS founder, FreeNAS developer, BSD Now co-host

Benedict Reuschling – bcr@freebsd.org / @bsdbcr

FreeBSD commiter & FreeBSD Foundation Vice President, BSD Now co-host

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

184: Tokyo Dreaming

JT Pennington — Wed, 08 Mar 2017 08:00:00 -0500

This week on BSDNow, Allan and I are in Tokyo for AsiaBSDCon, but not to worry, we have a full episode lined up and ready to go. Hackathon reports

This episode was brought to you by

Headlines

OpenBSD A2k17 hackathon reports

NetBSD is now reproducible

Christos Zoulas posts to the NetBSD blog that he has completed his project to make fully reproducible NetBSD builds for amd64 and sparc64

> I have been working on and off for almost a year trying to get reproducible builds (the same source tree always builds an identical cdrom) on NetBSD. I did not think at the time it would take as long or be so difficult, so I did not keep a log of all the changes I needed to make. I was also not the only one working on this. Other NetBSD developers have been making improvements for the past 6 years. I would like to acknowledge the NetBSD build system (aka build.sh) which is a fully portable cross-build system. This build system has given us a head-start in the reproducible builds work.

> I would also like to acknowledge the work done by the Debian folks who have provided a platform to run, test and analyze reproducible builds. Special mention to the diffoscope tool that gives an excellent overview of what's different between binary files, by finding out what they are (and if they are containers what they contain) and then running the appropriate formatter and diff program to show what's different for each file.

> Finally other developers who have started, motivated and did a lot of work getting us here like Joerg Sonnenberger and Thomas Klausner for their work on reproducible builds, and Todd Vierling and Luke Mewburn for their work on build.sh.

Some of the stumbling blocks that were overcome:
- Timestamps
- Date/time/author embedded in source files
- Timezone sensitive code
- Directory order / build order
- Non-sanitized data stored in files
- Symbolic links / paths
- General tool inconsistencies: including gcc profiling, the fact that GPT partition tables, are by definition, globally unique each time they are created, and the iso9660 standard calls for a timestamp with a timezone.
- Toolchain
- Build information / tunables / environment. NetBSD now has a knob ‘MKREPRO’, if set to YES it sets a long list of variables to a consistent set of a values.
The post walks through how these problems where solves
Future Work:
- Vary more parameters and find more inconsistencies
- Verify that cross-building is reproducible
- Verify that unprivileged builds are reproducible
- Test on other platforms ***

Features are faults redux

From Ted Unangst

> Last week I gave a talk for the security class at Notre Dame based on features are faults but with some various commentary added. It was an exciting trip, with the opportunity to meet and talk with the computer vision group as well. Some other highlights include the Indiana skillet I had for breakfast, which came with pickles and was amazing, and explaining the many wonders of cvs to the Linux users group over lunch. After that came the talk, which went a little something like this.

> I got started with OpenBSD back about the same time I started college, although I had a slightly different perspective then. I was using OpenBSD because it included so many security features, therefore it must be the most secure system, right? For example, at some point I acquired a second computer. What’s the first thing anybody does when they get a second computer? That’s right, set up a kerberos domain. The idea that more is better was everywhere. This was also around the time that ipsec was getting its final touches, and everybody knew ipsec was going to be the most secure protocol ever because it had more options than any other secure transport. We’ll revisit this in a bit.

> There’s been a partial attitude adjustment since then, with more people recognizing that layering complexity doesn’t result in more security. It’s not an additive process. There’s a whole talk there, about the perfect security that people can’t or won’t use. OpenBSD has definitely switched directions, including less code, not more. All the kerberos code was deleted a few years ago.

> Let’s assume about one bug per 100 lines of code. That’s probably on the low end. Now say your operating system has 100 million lines of code. If I’ve done the math correctly, that’s literally a million bugs. So that’s one reason to avoid adding features. But that’s a solveable problem. If we pick the right language and the right compiler and the right tooling and with enough eyeballs and effort, we can fix all the bugs. We know how to build mostly correct software, we just don’t care.

> As we add features to software, increasing its complexity, new unexpected behaviors start to emerge. What are the bounds? How many features can you add before craziness is inevitable? We can make some guesses. Less than a thousand for sure. Probably less than a hundred? Ten maybe? I’ll argue the answer is quite possibly two. Interesting corollary is that it’s impossible to have a program with exactly two features. Any program with two features has at least a third, but you don’t know what it is

> My first example is a bug in the NetBSD ftp client. We had one feature, we added a second feature, and just like that we got a third misfeature

> Our story begins long ago. The origins of this bug are probably older than I am. In the dark times before the web, FTP sites used to be a pretty popular way of publishing files. You run an ftp client, connect to a remote site, and then you can browse the remote server somewhat like a local filesystem. List files, change directories, get files. Typically there would be a README file telling you what’s what, but you don’t need to download a copy to keep. Instead we can pipe the output to a program like more. Right there in the ftp client. No need to disconnect.

> Fast forward a few decades, and http is the new protocol of choice. http is a much less interactive protocol, but the ftp client has some handy features for batch downloads like progress bars, etc. So let’s add http support to ftp. This works pretty well. Lots of code reused.

> http has one quirk however that ftp doesn’t have. Redirects. The server can redirect the client to a different file. So now you’re thinking, what happens if I download http://somefile and the server sends back 302 http://|reboot. ftp reconnects to the server, gets the 200, starts downloading and saves it to a file called |reboot. Except it doesn’t. The function that saves files looks at the first character of the name and if it’s a pipe, runs that command instead. And now you just rebooted your computer. Or worse.

> It’s pretty obvious this is not the desired behavior, but where exactly did things go wrong? Arguably, all the pieces were working according to spec. In order to see this bug coming, you needed to know how the save function worked, you needed to know about redirects, and you needed to put all the implications together.

The post then goes into a lot more detail about other issues. We just don’t have time to cover it all today, but you should go read it, it is very enlightening

> What do we do about this? That’s a tough question. It’s much easier to poke fun at all the people who got things wrong. But we can try. My attitudes are shaped by experiences with the OpenBSD project, and I think we are doing a decent job of containing the complexity. Keep paring away at dependencies and reducing interactions. As a developer, saying “no” to all feature requests is actually very productive. It’s so much faster than implementing the feature. Sometimes users complain, but I’ve often received later feedback from users that they’d come to appreciate the simplicity.

> There was a question about which of these vulnerabilities were found by researchers, as opposed to troublemakers. The answer was most, if not all of them, but it made me realize one additional point I hadn’t mentioned. Unlike the prototypical buffer overflow vulnerability, exploiting features is very reliable. Exploiting something like shellshock or imagetragick requires no customized assembly and is independent of CPU, OS, version, stack alignment, malloc implementation, etc. Within about 24 hours of the initial release of shellshock, I had logs of people trying to exploit it. So unless you’re on about a 12 hour patch cycle, you’re going to have a bad time.

reimplement zfsctl (.zfs) support

avg@ (Andriy Gapon) has rewritten the .zfs support in FreeBSD

> The current code is written on top of GFS, a library with the generic support for writing filesystems, which was ported from Illumos. Because of significant differences between illumos VFS and FreeBSD VFS models, both the GFS and zfsctl code were heavily modified to work on FreeBSD. Nonetheless, they still contain quite a few ugly hacks and bugs.

> This is a reimplementation of the zfsctl code where the VFS-specific bits are written from scratch and only the code that interacts with the rest of ZFS is reused.

> Some ideas are picked from an independent work by Will (wca@)

This work improves the overall quality of the ZFS port to FreeBSD

> The code that provides support for ZFS .zfs/ directory functionality has been reimplemented. It is no longer possible to create a snapshot by mkdir under .zfs/snapshot/. That should be the only user visible change.

TIL: On IllumOS, you can create, rename, and destroy snapshots, by manipulating the virtual directories in the .zfs/snapshots directory.
If enough people would find this feature useful, maybe it could be implemented (rm and rename have never existed on FreeBSD). At the same time, it seems like rather a lot of work, when the ZFS command line tools work so well. Although wca@ pointed out on IRC, it can be useful to be able to create a snapshot over NFS, or SMB.

Interview - Konrad Witaszczyk - def@freebsd.org

Encrypted Kernel Crash Dumps ***

News Roundup

PBKDF2 Performance improvements on FreeBSD

Joe Pixton did some research and found that, because of the way the spec is written, most PBKDF2 implementations are 2x slower than they need to be.
Since the PBKDF is used to derive a key, used for encryption, this poses a problem. The attacker can derive a key twice as fast as you can. On FreeBSD the PBKDF2 was configured to derive a SHA512-HMAC key that would take approximately 2 seconds to calculate. That is 2 seconds on one core. So an attacker can calculate the same key in 1 second, and use many cores.
Luckily, 1 second is still a long time for each brute force guess. On modern CPUs with the fast algorithm, you can do about 500,000 iterations of PBKDF per second (per core).
Until a recent change, OpenBSD used only 8192 iterations. It now uses a similar benchmark of ~2 seconds, and uses bcrypt instead of a SHA1-HMAC.
Joe’s research showed that the majority of implementations were done the ‘slow’ way. Calculating the initial part of the outer round each iteration, instead of reusing the initial calculation over and over for each round.
Joe submitted a match to FreeBSD to solve this problem. That patch was improved, and a test of tests were added by jmg@, but then work stalled
I picked up the work, and fixed some merge conflicts in the patch that had cropped up based on work I had done that moved the HMAC code to a separate file.
This work is now committed.

> With this change, all newly generated GELI keys will be approximately 2x as strong. Previously generated keys will take half as long to calculate, resulting in faster mounting of encrypted volumes. Users may choose to rekey, to generate a new key with the larger default number of iterations using the geli(8) setkey command. Security of existing data is not compromised, as ~1 second per brute force attempt is still a very high threshold.

If you are interested in the topic, I recommend the video of Joe’s presentation from the Passwords15 conference in Las Vegas ***

Quick How-To: Updating a screenshot in the TrueOS Handbook

Docs writers, might be time to pay attention. This week we have a good walk-through of adding / updating new screenshots to the TrueOS Sphinx Documentation.
For those who have not looked in the past, TrueOS and FreeNAS both have fantastic docs by the team over at iXsystems using Sphinx as their doc engine.
Often we get questions from users asking what “they can do to help” but don’t necessarily have programming skills to apply.
The good news is that using Sphinx is relatively easy, and after learning some minio rst syntax you can easily help fix, or even contribute to new sections of the TrueOS (Or FreeNAS) documentation.
In this example, Tim takes us through the process of replacing an old out of date screenshot in the handbook with the latest hotness.
Starting with a .png file, he then locates the old screenshot name and adds the updated version “lumina-e.png” to “lumina-f.png”. With the file added to the tree, the relevant section of .rst code can be adjusted and the sphinx build run to verify the output HTML looks correct.
Using this method you can easily start to get involved with other aspects of documentation and next thing you know you’ll be writing boot-loaders like Allan! ***

Learn C Programming With 9 Excellent Open Source Books

Now that you’ve easily mastered all your documentation skills, you may be ready to take on a new challenge. (Come on, that boot-loader isn’t going to write itself!)
We wanted to point out some excellent resources to get you started on your journey into writing C.
Before you think, “oh, more books to purchase”, wait there’s good news. These are the top-9 open-source books that you can download in digital form free of charge. Now I bet we got your attention.
We start the rundown with “The C Book”, by Mike Banahan, Declan Brady and Mark Doran, which will lay the groundwork with your introduction into the C language and concepts.
Next up, if you are going to do anything, do it with style, so take a read through the “C Elements of Style” which will make you popular at all the parties. (We can’t vouch for that statement)
From here we have a book on using C to build your own minimal “lisp” interpreter, reference guides on GNU C and some other excellent introduction / mastery books to help round-out your programming skill set.
Your C adventure awaits, hopefully these books can not only teach you good C, but also make you feel confident when looking at bits of the FreeBSD world or kernel with a proper foundation to back it up. ***

Running a Linux VM on OpenBSD

Over the past few years we’ve talked a lot about Virtualization, Bhyve or OpenBSD’s ‘vmm’, but qemu hasn’t gotten much attention.
Today we have a blog post with details on how to deploy qemu to run Linux on top of an OpenBSD host system.
The starts by showing us how to first provision the storage for qemu, using the handy ‘qemu-img’ command, which in this example only creates a 4GB disk, you’ll probably want more for real-world usage though.
Next up the qemu command will be run, pay attention to the particular flags for network and memory setup. You’ll probably want to bump it up past the recommended 256M of memory.
Networking is always the fun part, as the author describes his intended setup

> I want OpenBSD and Debian to be able to obtain an IP via DHCP on their wired interfaces and I don't want external networking required for an NFS share to the VM. To accomplish this I need two interfaces since dhclient will erase any other IPv4 addresses already assigned. We can't assign an address directly to the bridge, but we can configure a virtual Ethernet device and add it.

The setup for this portion involves touching a few more files, but isn’t that painless. Some “pf” rules to enable NAT for and dhcpd setup to assign a “fixed” IP to the vm will get us going, along with some additional details on how to configure the networking for inside the debian VM.
Once those steps are completed you should be able to mount NFS and share data from the host to the VM painlessly.

Beastie Bits

Feedback/Questions

183: Getting Steamy Here

JT Pennington — Wed, 01 Mar 2017 08:00:00 -0500

This week on BSDNow, we have “Weird Unix Things”, “Is it getting Steamy in here?” and an Interview about BSD Sockets API. (Those

This episode was brought to you by

Headlines

playonbsd with TrueOS: It’s Getting Steamy in Here and I’ve Had Too Much Wine

> We’ve done a couple of tutorials in the past on using Steam and Wine with PC-BSD, but now with the addition of playonbsd to the AppCafe library, you have more options than ever before to game on your TrueOS system. We’re going to have a look today at playonbsd, how it works with TrueOS, and what you can expect if you want to give it a try on your own system. Let’s dive right in!

> Once playonbsd is installed, go back to your blank desktop, right-click on the wallpaper, and select terminal. Playonbsd does almost all the configuring for you, but there are still a couple of simple options you’ll want to configure to give yourself the best experience. In your open terminal, type: playonbsd. You can also find playonbsd by doing a fast search using Lumina’s built-in search function in the start menu after it’s been installed. Once opened, a graphical interface greets us with easy to navigate menus and even does most of the work for you.

A nice graphical UI that hides the complexity of setting up WINE and Steam, and lets you pick select the game you want, and get it setup
Start gaming quicker, without the headache

> If you’re a PC gamer, you should definitely give playonbsd a try! You may be surprised at how well it works. If you want to know ahead of time if your games are well supported or not, head on over to WineHQ and do a search. Many people have tested and provided feedback and even solutions for potential problems with a large variety of video games. This is a great resource if you run into a glitch or other problem.

Weird Unix thing: 'cd //'

So why can you do ‘cd //tmp’, and it isn’t the same as ‘cd /tmp’?
The spec says:

> An implementation may further simplify curpath by removing any trailing characters that are not also leading characters, replacing multiple non-leading consecutive characters with a single , and replacing three or more leading characters with a single . If, as a result of this canonicalization, the curpath variable is null, no further steps shall be taken.

“So! We can replace “three or more leading / characters with a single slash”. That does not say anything about what to do when there are 2 / characters though, which presumably is why cd //tmp leaves you at //tmp.”

> A pathname that begins with two successive slashes may be interpreted in an implementation-defined manner

So what is it for? Well, the blog did a bit of digging and came up with this stackoverflow answer
In cygwin and some other systems // is treated as a unix-ified version of \, to access UNC windows file sharing paths like \server\share
Perforce, the vcs, uses // to denote a path relative to the depot
It seems to have been used in the path for a bunch of different network file systems, but also for myriad other things

Testing out snapshots in Apple’s next-generation APFS file system

Adam Leventhal takes his DTrace hammer to Apple’s new file system to see what is going on

> Back in June, Apple announced its new upcoming file system: APFS, or Apple File System. There was no mention of it in the WWDC keynote, but devotees needed no encouragement. They picked over every scintilla of data from the documentation on Apple’s developer site, extrapolating, interpolating, eager for whatever was about to come. In the WWDC session hall, the crowd buzzed with a nervous energy, eager for the grand unveiling of APFS. I myself badge-swapped my way into the conference just to get that first glimpse of Apple’s first original filesystem in the 30+ years since HFS

> Apple’s presentation didn’t disappoint the hungry crowd. We hoped for a modern filesystem, optimized for next generation hardware, rich with features that have become the norm for data centers and professionals. With APFS, Apple showed a path to meeting those expectations. Dominic Giampaolo and Eric Tamura, leaders of the APFS team, shared performance optimizations, data integrity design, volume management, efficient storage of copied data, and snapshots—arguably the feature of APFS most directly in the user’s control.

> It’s 2017, and Apple already appears to be making good on its promise with the revelation that the forthcoming iOS 10.3 will use APFS. The number of APFS tinkerers using it for their personal data has instantly gone from a few hundred to a few million. Beta users of iOS 10.3 have already made the switch apparently without incident. They have even ascribed unscientifically-significant performance improvements to APFS.

Previously Adam had used DTrace to find a new syscall introduced in OS X, fs_snapshot, but he had not dug into how to use it. Now it seems, the time has come

> Learning from XNU and making some educated guesses, I wrote my first C program to create an APFS snapshot. This section has a bit of code, which you can find in this Github repo

That just returned “fs_snapshot: Operation not permitted”
So, being Adam, he used DTrace to figure out what the problem was

> Running this DTrace script in one terminal while running the snapshot program in another shows the code flow through the kernel as the program executes

> In the code flow, the priv_check_cred() function jumps out as a good place to continue because of its name, the fact that fs_snapshot calls it directly, and the fact that it returns 1 which corresponds with EPERM, the error we were getting.

Turns out, it just requires some sudo

> With a little more testing I wrote my own version of Apple's unreleased snapUtil command from the WWDC demo

> We figured out the proper use of the fs_snapshot system call and reconstructed the WWDC snapUtil. But all this time an equivalent utility has been lurking on macOS Sierra. If you look in /System/Library/Filesystems/apfs.fs/Contents/Resources/, Apple has included a number of APFS-related utilities, including apfs_snapshot (and, tantalizingly, a tool called hfs_convert).

> Snapshots let you preserve state to later peruse; we can also revert an APFS volume to a previous state to restore its contents. The current APFS semantics around rollback are a little odd. The revert operation succeeds, but it doesn't take effect until the APFS volume is next mounted

> Another reason Apple may not have wanted people messing around with snapshots is that the feature appears to be incomplete. Winding yourself into a state where only a reboot can clear a mounted snapshot is easy, and using snapshots seems to break some of the diskutil APFS output

It is interesting to see what you can do with DTrace, as well as to see what a DTrace and ZFS developer things of APFS ***

Interview - Tom Jones - tj@enoti.me

Replacing the BSD Sockets API ***

News Roundup

FreeBSD rc.d script to map ethernet device names by MAC address

> Self-contained FreeBSD rc.d script for re-naming devices based on their MAC address. I needed it due to USB Ethernet devices coming up in different orders across OS upgrades.

Copy ethname into /usr/local/etc/rc.d/
Add the following to rc.conf:
> ethname_enable="YES"
> ethname_devices="em0 ue0 ue1" # Replace with desired devices to rename
Create /usr/local/etc/ifmap in the following format:
> 01:23:45:67:89:ab eth0
> 01:23:45:67:89:ac eth1

> That's it. Use ifconfig_="" settings in rc.conf with the new names.

I know MFSBSD has something like this, but a polished up hybrid of the two should likely be part of the base system if something is not already available
This would be a great “Junior Job”, if say, a viewer wanted to get started with their first FreeBSD patch ***

Mog: A different take on the Unix tool cat

Do you abuse cat to view files?
Did you know cat is meant for con*cat*enating files, meaning: cat part1 part2 part3 > wholething.txt
mog is a tool for actually viewing files, and it adds quite a few nice features
- Syntax highlight scripts
- Print a hex dump of binary files
- Show details of image files
- Perform objdump on executables
- List a directory

> mog reads the $HOME/.mogrc config file which describes a series of operations it can do in an ordered manner. Each operation has a match command and an action command. For each file you give to mog it will test each match command in turn, when one matches it will perform the action. A reasonably useful config file is generated when you first run it.

How Unix erases things when you type a backspace while entering text

> Yesterday I mentioned in passing that printing a DEL character doesn't actually erase anything. This raises an interesting question, because when you're typing something into a Unix system and hit your backspace key, Unix sure erases the last character that you entered. So how is it doing that?

> The answer turns out to be basically what you'd expect, although the actual implementation rapidly gets complex. When you hit backspace, the kernel tty line discipline rubs out your previous character by printing (in the simple case) Ctrl-H, a space, and then another Ctrl-H.

> Of course just backing up one character is not always the correct way of erasing input, and that's when it gets complicated for the kernel. To start with we have tabs, because when you (the user) backspace over a tab you want the cursor to jump all the way back, not just move back one space. The kernel has a certain amount of code to work out what column it thinks you're on and then back up an appropriate number of spaces with Ctrl-Hs.

> Then we have the case when you quoted a control character while entering it, eg by typing Ctrl-V Ctrl-H; this causes the kernel to print the Ctrl-H instead of acting on it, and it prints it as the two character sequence ^H. When you hit backspace to erase that, of course you want both (printed) characters to be rubbed out, not just the 'H'. So the kernel needs to keep track of that and rub out two characters instead of just one.

Chris then provides an example, from IllumOS, of the kernel trying to deal with multibyte characters

> FreeBSD also handles backspacing a space specially, because you don't need to actually rub that out with a '\b \b' sequence; you can just print a plain \b. Other kernels don't seem to bother with this optimization. The FreeBSD code for this is in sys/kern/tty_ttydisc.c in the ttydisc_rubchar function

> PS: If you want to see the kernel's handling of backspace in action, you usually can't test it at your shell prompt, because you're almost certainly using a shell that supports command line editing and readline and so on. Command line editing requires taking over input processing from the kernel, and so such shells are handling everything themselves. My usual way to see what the kernel is doing is to run 'cat >/dev/null' and then type away.

And you thought the backspace key would be simple... ***

FreeBSD ports now have Wayland

We’ve discussed the pending Wayland work, but we wanted to point you today to the ports which are in mainline FreeBSD ports tree now.
First of all, (And I was wondering how they would deal with this) it has landed in the “graphics” category, since Wayland is the Anti-X11, putting it in x11/ didn’t make a lot of sense.
Couple of notes before you start installing new packages and expecting wayland to “just work”
First, this does require that you have working DRM from the kernel side. You’ll want to grab TrueOS or build from Matt Macy’s FreeBSD branches on GitHub before testing on any kind of modern Intel GPU. Nvidia with modesetting should be supported.
Next, not all desktops will “just work”. You may need to grab experimental Weston for compositor. KDE / Gnome (And Lumina) and friends will grow Wayland support in the future, so don’t expect to just fire up $whatever and have it all work out of box.
Feedback is needed! This is brand new functionality for FreeBSD, and the maintainers will want to hear your results. For us on the TrueOS side we are interested as well, since we want to port Lumina over to Wayland soon(ish)
Happy Experimenting! ***

Beastie Bits

Feedback/Questions

182: Bloaty McBloatface

JT Pennington — Wed, 22 Feb 2017 08:00:00 -0500

This week on the show, we’ve got FreeBSD quarterly Status reports to discuss, OpenBSD changes to the installer, EC2 and IPv6 and more. Stay

This episode was brought to you by

Headlines

OpenBSD changes of note 6

OpenBSD can now be cross built with clang. Work on this continues

> Build ld.so with -fno-builtin because otherwise clang would optimize the local versions of functions like _dl_memset into a call to memset, which doesn’t exist.
> Add connection timeout for ftp (http). Mostly for the installer so it can error out and try something else.
> Complete https support for the installer.

I wonder how they handle certificate verification. I need to look into this as I’d like to switch the FreeBSD installer to this as well

> New ocspcheck utility to validate a certificate against its ocsp responder.
> net lock here, net lock there, net lock not quite everywhere but more than before.
> More per cpu counters in networking code as well.
> Disable and lock Silicon Debug feature on modern Intel CPUs.
> Prevent wireless frame injection attack described at 33C3 in the talk titled “Predicting and Abusing WPA2/802.11 Group Keys” by Mathy Vanhoef.
> Add support for multiple transmit ifqueues per network interface. Supported drivers include bge, bnx, em, myx, ix, hvn, xnf.
> pledge now tracks when a file as opened and uses this to permit or deny ioctl.
> Reimplement httpd’s support for byte ranges. Fixes a memory DOS.

FreeBSD 2016Q4 Status Report

An overview of some of the work that happened in October - December 2016
The ports tree saw many updates and surpassed 27,000 ports
The core team was busy as usual, and the foundation attended and/or sponsored a record 24 events in 2016.
CEPH on FreeBSD seems to be coming along nicely. For those that do not know, CEPH is a distributed filesystem that can sit on top of another filesystem. That is, you can use it to create a clustered filesystem out of a bunch of ZFS servers. Would love to have some viewers give it a try and report back.
OpenBSM, the FreeBSD audit framework, got some updates
Ed Schouten committed a front end to export sysctl data in a format usable by Prometheus, the open source monitoring system. This is useful for other monitoring software too.
Lots of updates for various ARM boards
There is an update on Reproducible Builds in FreeBSD, “ It is now possible to build the FreeBSD base system (kernel and userland) completely reproducibly, although it currently requires a few non-default settings”, and the ports tree is at 80% reproducible
Lots of toolchain updates (gcc, lld, gdb)
Various updates from major ports teams ***

Amazon rolls out IPv6 support on EC2

> A few hours ago Amazon announced that they had rolled out IPv6 support in EC2 to 15 regions — everywhere except the Beijing region, apparently. This seems as good a time as any to write about using IPv6 in EC2 on FreeBSD instances.
> First, the good news: Future FreeBSD releases will support IPv6 "out of the box" on EC2. I committed changes to HEAD last week, and merged them to the stable/11 branch moments ago, to have FreeBSD automatically use whatever IPv6 addresses EC2 makes available to it.
> Next, the annoying news: To get IPv6 support in EC2 from existing FreeBSD releases (10.3, 11.0) you'll need to run a few simple commands. I consider this unfortunate but inevitable: While Amazon has been unusually helpful recently, there's nothing they could have done to get support for their IPv6 networking configuration into FreeBSD a year before they launched it.

You need the dual-dhclient port:

> pkg install dual-dhclient

And the following lines in your /etc/rc.conf:

> ifconfig_DEFAULT="SYNCDHCP accept_rtadv"
> ipv6_activate_all_interfaces="YES"
> dhclient_program="/usr/local/sbin/dual-dhclient"

It is good to see FreeBSD being ready to use this feature on day 0, not something we would have had in the past

> Finally, one important caveat: While EC2 is clearly the most important place to have IPv6 support, and one which many of us have been waiting a long time to get, this is not the only service where IPv6 support is important. Of particular concern to me, Application Load Balancer support for IPv6 is still missing in many regions, and Elastic Load Balancers in VPC don't support IPv6 at all — which matters to those of us who run non-HTTP services. Make sure that IPv6 support has been rolled out for all the services you need before you start migrating.

Colin’s blog also has the details on how to actually activate IPv6 from the Amazon side, if only it was as easy as configuring it on the FreeBSD side ***

FreeBSD’s George Neville-Neil tries valiantly for over an hour to convince a Linux fan of the error of their ways

> In today's episode of the Lunduke Hour I talk to George Neville-Neil -- author and FreeBSD advocate. He tries to convince me, a Linux user, that FreeBSD is better.

They cover quite a few topics, including:
- licensing, and the motivations behind it
- vendor relations
- community
- development model
- drivers and hardware support
George also talks about his work with the FreeBSD Foundation, and the book he co-authored, “The Design and Implementation of the FreeBSD Operating System, 2nd Edition” ***

News Roundup

An interactive script that makes it easy to install 50+ desktop environments following a base install of FreeBSD 11

And I thought I was doing good when I wrote a patch for the installer that enables your choice of 3 desktop environments...

> This is a collection of scripts meant to install desktop environments on unix-like operating systems following a base install. I call one of these 'complete' when it meets the following requirements:
> + A graphical logon manager is presented without user intervention after powering on the machine
> + Logging into that graphical logon manager takes the user into the specified desktop environment
> + The user can open a terminal emulator

I need to revive my patch, and add Lumina to it ***

Firefox 51 on sparc64 - we did not hit the wall yet

A NetBSD developers tells the story of getting Firefox 51 running on their sparc64 machine
It turns out the bug impacted amd64 as well, so it was quickly fixed
They are a bit less hopeful about the future, since Firefox will soon require rust to compile, and rust is not working on sparc64 yet
Although there has been some activity on the rust on sparc64 front, so maybe there is hope
The post also look at a few alternative browsers, but it not hopeful ***

Introducing Bloaty McBloatface: a size profiler for binaries

> I’m very excited to announce that today I’m open-sourcing a tool I’ve been working on for several months at Google. It’s called Bloaty McBloatface, and it lets you explore what’s taking up space in your .o, .a, .so, and executable binary files.

> Bloaty is available under the Apache 2 license. All of the code is available on GitHub: github.com/google/bloaty. It is quick and easy to build, though it does require a somewhat recent compiler since it uses C++11 extensively. Bloaty primarily supports ELF files (Linux, BSD, etc) but there is some support for Mach-O files on OS X too. I’m interested in expanding Bloaty’s capabilities to more platforms if there is interest!

I need to try this one some of the boot code files, to see if there are places we can trim some fat

> We’ve been using Bloaty a lot on the Protocol Buffers team at Google to evaluate the binary size impacts of our changes. If a change causes a size increase, where did it come from? What sections/symbols grew, and why? Bloaty has a diff mode for understanding changes in binary size

The diff mode looks especially interesting. It might be worth setting up some kind of CI testing that alerts if a change results in a significant size increase in a binary or library ***

A BSD licensed mdns responder

One of the things we just have to deal with in the modern world is service and system discovery. Many of us have fiddled with avahi or mdnsd and related “mdns” services.
For various reasons those often haven’t been the best-fit on BSD systems.
Today we have a github project to point you at, which while a bit older, has recently been updated with pledge() support for OpenBSD.
First of all, why do we need an alternative? They list their reasons:

>This is an attempt to bring native mdns/dns-sd to OpenBSD. Mainly cause all the other options suck and proper network browsing is a nice feature these days.

> Why not Apple's mdnsd ?
> 1 - It sucks big time.
> 2 - No BSD License (Apache-2).
> 3 - Overcomplex API.
> 4 - Not OpenBSD-like.

> Why not Avahi ?
> 1 - No BSD License (LGPL).
> 2 - Overcomplex API.
> 3 - Not OpenBSD-like
> 4 - DBUS and lots of dependencies.

Those already sound like pretty compelling reasons. What makes this “new” information again is the pledge support, and perhaps it’s time for more BSD’s to start considering importing something like mdnsd into their base system to make system discovery more “automatic” ***

Beastie Bits

Feedback/Questions

181: The Cantrillogy (Not special edition)

JT Pennington — Wed, 15 Feb 2017 08:00:00 -0500

This week on BSDNow we have a cantrill special to bring you! All three interviews back to back in their original glory, you won’t want to miss

This episode was brought to you by

– Show Notes: –

FOSDEM 2017 BSD Dev Room Videos

Ubuntu Slaughters Kittens | BSD Now 103

The Cantrill Strikes Back | BSD Now 117

Return of the Cantrill | BSD Now 163

180: Illuminating the desktop

JT Pennington — Wed, 08 Feb 2017 08:00:00 -0500

This week on BSDNow, I’m out of town but we have a great interview with Ken Moore (My brother) about the latest in BSD desktop computing and

This episode was brought to you by

Interview - Ken Moore - ken@trueos.org

TrueOS, Lumina, Sys Admin, The BSD Desktop Ecosystem

KM: Thank you for joining us again, can you believe it has been an entire year?
AJ: Let’s start by getting an update on Lumina, what has happened in the last year?
KM: What is the change you are most proud of in that time?
AJ: What do you think of the recent introduction of Wayland to the ports tree? Do you think this will impact Lumina? Do you have any plans?
KM:
AJ: What has changed with SysAdm after a year of development?
KM: What plans do you have for the future of SysAdm?
AJ: How has it been working with the drm-next branch? Does it feel like that is progressing?
KM: Can you tell us about some of the other TrueOS work you have been doing?
AJ: What are your thoughts on how the BSD Desktop Ecosystem has changed over the last year? Do you think the future looks better or worse now?
KM: Do you think systemd is going to continue to make things work? Or does it seem like there is enough resistance to it that fewer projects are going to throw out support for anything not-systemd
AJ: Anything else you want to add? ***

179: The Wayland Machine

JT Pennington — Wed, 01 Feb 2017 08:00:00 -0500

This week on BSDNow, we’re going to be leading off with the latest news about Wayland and Xorg support on FreeBSD, then a look at OpenBSD ARM64

This episode was brought to you by

Headlines

Wayland is now in the FreeBSD Ports tree

This commit brings Wayland, the new windowing system, into the FreeBSD ports tree
“This port was first created by Koop Mast (kwm@) then updated and improved by Johannes Lundberg”
“Wayland is intended as a simpler replacement for X, easier to develop and maintain. GNOME and KDE are expected to be ported to it.”
Wayland is designed for desktop and laptop use, rather than X, which was designed for use over the network, where clients were not powerful enough to run the applications locally.
“Wayland is a protocol for a compositor to talk to its clients as well as a C library implementation of that protocol. The compositor can be a standalone display server running on Linux kernel modesetting and evdev input devices, an X application, or a wayland client itself. The clients can be traditional applications, X servers (rootless or fullscreen) or other display servers.”
“Please report bugs to the FreeBSD bugtracker!”
It is good to see this project progressing, as it seems in a few generations, high performance graphics drivers may only be actively developed for Wayland. ***

Call For Testing: xorg 1.18.4 and newer intel/ati DDX

Baptiste Daroussin, and the FreeBSD X11 team, have issued a call for testing for the upgrade to Xorg 1.18.4
Along with it comes newer ATI/AMD and Intel drivers
“Note that you will need to rebuild all the xf86-* packages to work with thatnewer xorg (hence the bump of the revision)”
“Do not expect newer gpu supported as this is not the kernel part”, it only provides the newer Xorg driver, not the kernel mode setting driver (this is a separate project)
“If you experience any issue with intel or radeon driver please try to use the new modesetting driver provided by xorg directly (note that fedora and debian recommend the use of the new driver instead of the ati/intel one)” ***

Error handling in C

“Unlike other languages which have one preferred means of signalling an error, C is a multi error paradigm language. Error handling styles in C can be organized into one of several distinct styles, such as popular or correct. Some examples of each.”
- “One very popular option is the classic unix style. -1 is returned to indicate an error.”
- “Another option seen in the standard C library is NULL for errors.”
- “The latter has the advantage that NULL is a false value, which makes it easier to write logical conditions. File descriptor 0 is valid (stdin) but false, while -1 is invalid but true.”
- “And of course, there’s the worst of both worlds approach requiring a special sentinel that you’ll probably forget to use”
- “Other unix functions, those that don’t need to return a file descriptor, stick to just 0 and -1”
- “Of course, none of these functions reveal anything about the nature of the error. For that, you need to consult the errno on the side”
The article goes on to describe different ways of dealing with the issue, and return values.
There is also coverage of more complex examples and involve a context that might contain the error message
It is really interesting to see the differences, and the pitfalls of each approach ***

Fixing POSIX Filenames

“Traditionally, Unix/Linux/POSIX pathnames and filenames can be almost any sequence of bytes. A pathname lets you select a particular file, and may include zero or more “/” characters. Each pathname component (separated by “/”) is a filename; filenames cannot contain “/”. Neither filenames nor pathnames can contain the ASCII NUL character (\0), because that is the terminator.”
“This lack of limitations is flexible, but it also creates a legion of unnecessary problems. In particular, this lack of limitations makes it unnecessarily difficult to write correct programs (enabling many security flaws). It also makes it impossible to consistently and accurately display filenames, causes portability problems, and confuses users.”
“This article will try to convince you that adding some tiny limitations on legal Unix/Linux/POSIX filenames would be an improvement. Many programs already presume these limitations, the POSIX standard already permits such limitations, and many Unix/Linux filesystems already embed such limitations — so it’d be better to make these (reasonable) assumptions true in the first place. This article will discuss, in particular, the three biggest problems: control characters in filenames (including newline, tab, and escape), leading dashes in filenames, and the lack of a standard character encoding scheme (instead of using UTF-8). These three problems impact programs written in any language on Unix/Linux/POSIX system. There are other problems, of course. Spaces in filenames can cause problems; it’s probably hopeless to ban them outright, but resolving some of the other issues will simplify handling spaces in filenames. For example, when using a Bourne shell, you can use an IFS trick (using IFS=printf '\n\t') to eliminate some problems with spaces. Similarly, special metacharacters in filenames cause some problems; I suspect few if any metacharacters could be forbidden on all POSIX systems, but it’d be great if administrators could locally configure systems so that they could prevent or escape such filenames when they want to. I then discuss some other tricks that can help.”
“After limiting filenames slightly, creating completely-correct programs is much easier, and some vulnerabilities in existing programs disappear. This article then notes some others’ opinions; I knew that some people wouldn’t agree with me, but I’m heartened that many do agree that something should be done. Finally, I briefly discuss some methods for solving this long-term; these include forbidding creation of such names (hiding them if they already exist on the underlying filesystem), implementing escaping mechanisms, or changing how tools work so that these are no longer problems (e.g., when globbing/scanning, have the libraries prefix “./” to any filename beginning with “-”). Solving this is not easy, and I suspect that several solutions will be needed. In fact, this paper became long over time because I kept finding new problems that needed explaining (new “worms under the rocks”). If I’ve convinced you that this needs improving, I’d like your help in figuring out how to best do it!”
“Filename problems affect programs written in any programming language. However, they can be especially tricky to deal with when using Bourne shells (including bash and dash). If you just want to write shell programs that can handle filenames correctly, you should see the short companion article Filenames and Pathnames in Shell: How to do it correctly.”
Imagine that you don’t know Unix/Linux/POSIX (I presume you really do), and that you’re trying to do some simple tasks. For our purposes we will create simple scripts on the command line (using a Bourne shell) for these tasks, though many of the underlying problems affect any program. For example, let’s try to print out the contents of all files in the current directory, putting the contents into a file in the parent directory:
- cat * > ../collection # WRONG
- cat ./* > ../collection # CORRECT
- cat find . -type f > ../collection # WRONG
- ( set -f ; for file in find . -type f ; do # WRONG cat "$file" done ) > ../collection
- ( find . -type f | xargs cat ) > ../collection # WRONG, WAY WRONG
Just think about trying to remove a file named: -rf / ***

News Roundup

OpenBSD ARM64

A new page has appeared on the OpenBSD website, offering images for ARM64
“The current target platforms are the Pine64 and the Raspberry Pi 3.”
“OpenBSD/arm64 bundles various platforms sharing the 64-bit ARM architecture. Due to the fact that there are many System on a Chips (SoC) around, OpenBSD/arm64 differentiates between various SoCs and may have a different level of support between them”
The page contains a list of the devices that are supported, and which components have working drivers
At the time of recording, the link to download the snapshots did not work yet, but by time this airs a week from now, it should be working. ***

The design of Chacha20

Seems like every few episodes we end up discussing Ciphers (With their o-so amusing naming) and today is no exception.
We have a great writeup on the D & I of the ‘chacha20’ cipher written by “Loup Vaillant”
First of all, is this story for you? Maybe the summary will help make that call:

“Quick summary: Chacha20 is ARX-based hash function, keyed, running in counter mode. It embodies the idea that one can use a hash function to encrypt data.”

If your eyes didn’t glaze over, then you are cleared to proceed.
Chacha20 is built around stream ciphers:

> While Chacha20 is mainly used for encryption, its core is a pseudo-random number generator. The cipher text is obtained by XOR'ing the plain text with a pseudo-random stream:
> cipher_text = plain_text XOR chacha_stream(key, nonce)

> Provided you never use the same nonce with the same key twice, you can treat that stream as a one time pad. This makes it very simple: unlike block ciphers, you don't have to worry about padding, and decryption is the same operation as encryption:
> plain_text = cipher_text XOR chacha_stream(key, nonce)

>Now we just have to get that stream.

The idea that the streams can mimic the concept of a one-time pad does make chacha20 very attractive, even to a non-crypto guy such as myself.
From here the article goes into depth on how the cipher scrambles 512bit blocks using the quarter-round method (A forth of a block or 4 32bit numbers)
Some ascii art is used here to help visualize how this done, in the quarter round-phase, then to the complete block as the 4 quarters are run in parallel over the entire 512 bit block.
From here the article goes more into depth, looking at the complete chacha block, and the importance of a seemingly unnecessary 32byte constant (Hint: it’s really important)
If crypto is something you find fascinating, you’ll want to make sure you give this one a full read-through. ***

CyberChef - Coming to a FreeBSD Ports tree near you

Dan Langille tweets that he will be creating a port of GCHQ’s CyberChef tool
“CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include creating hexdumps, simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, data compression and decompression, calculating hashes and checksums, IPv6 and X.509 parsing, and much more.”
“The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years. Every effort has been made to structure the code in a readable and extendable format, however it should be noted that the analyst is not a professional developer and the code has not been peer-reviewed for compliance with a formal specification.”
Some handy functions, beyond stuff like base64 encoding:
Network Enumeration (CIDR to list of IPS)
Browser User Agent Parser (what browser is that, based on your HTTP logs)
XOR Brute Force: enter some XOR’d text, and try every possible key to find plaintext. Optionally give it a regex of known plaintext to find the right key.
Calculate the “Shannon Entropy” of the input (how random is this data)
It also has a number of built in regular expressions for common things, very useful
The project is up on github if you want to play with the code ***

Building Electron and VSCode in FreeBSD11

A patch and set of instructions for building Electron and VSCode on FreeBSD
“Visual Studio Code is a source code editor developed by Microsoft for Windows, Linux and macOS. It includes support for debugging, embedded Git control, syntax highlighting, intelligent code completion, snippets, and code refactoring. It is also customizable, so users can change the editor's theme, keyboard shortcuts, and preferences. It is free and open-source, although the official download is under a proprietary license.”
“Visual Studio Code is based on Electron, a framework which is used to deploy Node.js applications for the desktop running on the Blink layout engine. Although it uses the Electron framework, the software is not a fork of Atom, it is actually based on Visual Studio Online's editor (codename "Monaco")”
It would be interesting to see official support for VSCode on FreeBSD
Has anyone tried VSCode on the FreeBSD Code base? ***

Beastie Bits

178: Enjoy the Silence

JT Pennington — Wed, 25 Jan 2017 08:00:00 -0500

This week on BSD Now, we will be discussing a wide variety of topics including Routers, Run-Controls, the “Rule” of silence and some

This episode was brought to you by

Headlines

Ports no longer build on EOL FreeBSD versions

The FreeBSD ports tree has been updated to automatically fail if you try to compile ports on EOL versions of FreeBSD (any version of 9.x or earlier, 10.0 - 10.2, or 11 from before 11.0)
This is to prevent shooting yourself in the food, as the compatibility code for those older OSes has been removed now that they are no longer supported.
If you use pkg, you will also run into problems on old releases. Packages are always built on the oldest supported release in a branch. Until recently, this meant packages for 10.1, 10.2, and 10.3 were compiled on 10.1. Now that 10.1 and 10.2 are EOL, packages for 10.x are compiled on 10.3.
This matters because 10.3 supports the new openat() and various other *at() functions used by capsicum. Now that pkg and packages are built on a version that supports this new feature, they will not run on systems that do not support it. So pkg will exit with an error as soon as it tries to open a file.
You can work around this temporarily by using the pkg-static command, but you should upgrade to a supported release immediately. ***

Improving TrueOS: OpenRC

With TrueOS moving to a rolling-release model, we’ve decided to be a bit more proactive in sharing news about new features that are landing.
This week we’ve posted an article talking about the transition to OpenRC
In past episodes you’ve heard me mention OpenRC, but hopefully today we can help answer any of those lingering questions you may still have about it
The first thing always asked, is “What is OpenRC?”

> OpenRC is a dependency-based init system working with the system provided init program. It is used with several Linux distributions, including Gentoo and Alpine Linux. However, OpenRC was created by the NetBSD developer Roy Marples in one of those interesting intersections of Linux and BSD development. OpenRC’s development history, portability, and 2-clause BSD license make its integration into TrueOS an easy decision.

Now that we know a bit about what it is, how does it behave differently than traditional RC?

> TrueOS now uses OpenRC to manage all system services, as opposed to FreeBSD’s RC. Instead of using rc.d for base system rc scripts, OpenRC uses init.d. Also, every service in OpenRC has its own user configuration file, located in /etc/conf.d/ for the base system and /usr/local/etc.conf.d/ for ports. Finally, OpenRC uses runlevels, as opposed to the FreeBSD single- or multi- user modes. You can view the services and their runlevels by typing $ rc-update show -v in a CLI. Also, TrueOS integrates OpenRC service management into SysAdm with the Service Manager tool

One of the prime benefits of OpenRC is much faster boot-times, which is important in a portable world of laptops (and desktops as well). But service monitoring and crash detection are also important parts of what make OpenRC a substantial upgrade for TrueOS.
Lastly people have asked us about migration, what is done, what isn’t? As of now almost all FreeBSD base system services have been migrated over. In addition most desktop-facing services required to run Lumina and the like are also ported. We are still going through the ports tree and converting legacy rc.d scripts to init.d, but the process takes time. Several new folks have begun contributing OpenRC scripts and we hope to have all the roughly 1k ports converted over this year.

BSDRP Releases 1.70

A new release of the BSD Router Project
This distro is designed to replace high end routers, like those from Cisco and Juniper, with FreeBSD running on regular off-the-shelf server.
Highlights:
- Upgraded to FreeBSD 11.0-STABLE r312663 (skip 11.0 for massive performance improvement)
- Re-Added: netmap-fwd (https://github.com/Netgate/netmap-fwd)
- Add FIBsync patch to netmap-fwd from Zollner Robert
- netmap pkt-gen supports IPv6, thanks to Andrey V. Elsukov (ae@freebsd.org)
- bird 1.6.3 (add BGP Large communities support)
- OpenVPN 2.4.0 (adds the high speed AEAD GCM cipher)
All of the other packages have also been upgraded
A lot of great work has been done on BSDRP, and it has also generated a lot of great benchmarks and testing that have resulted in performance increases and improved understanding of how FreeBSD networking scales across different CPU types and speeds ***

DragonFlyBSD gets UEFI support

This commit adds support for UEFI to the Dragonfly Installer, allowing new systems to be installed to boot from UEFI
This script provides a way to build a HAMMER filesystem that works with UEFI
There is also a UEFI man page
The install media has also been updated to support booting from either UEFI or MBR, in the same way that the FreeBSD images work ***

News Roundup

The Rule of Silence

“The rule of silence, also referred to as the silence is golden rule, is an important part of the Unix philosophy that states that when a program has nothing surprising, interesting or useful to say, it should say nothing. It means that well-behaved programs should treat their users' attention and concentration as being valuable and thus perform their tasks as unobtrusively as possible. That is, silence in itself is a virtue.”
This doesn’t mean a program cannot be verbose, it just means you have to ask it for the additional output, rather than having it by default
“There is no single, standardized statement of the Unix philosophy, but perhaps the simplest description would be: "Write programs that are small, simple and transparent. Write them so that they do only one thing, but do it well and can work together with other programs." That is, the philosophy centers around the concepts of smallness, simplicity, modularity, craftsmanship, transparency, economy, diversity, portability, flexibility and extensibility.”
“This philosophy has been fundamental to the the fact that Unix-like operating systems have been thriving for more than three decades, far longer than any other family of operating systems, and can be expected to see continued expansion of use in the years to come”
“The rule of silence is one of the oldest and most persistent design rules of such operating systems. As intuitive as this rule might seem to experienced users of such systems, it is frequently ignored by the developers of other types of operating systems and application programs for them. The result is often distraction, annoyance and frustration for users.”
“There are several very good reasons for the rule of silence: (1) One is to avoid cluttering the user's mind with information that might not be necessary or might not even be desired. That is, unnecessary information can be a distraction. Moreover, unnecessary messages generated by some operating systems and application programs are sometimes poorly worded, and can cause confusion or needless worry on the part of users.”
No news is good news. When there is bad news, error messages should be descriptive, and ideally tell the user what they might do about the error.
“A third reason is that command line programs (i.e., all-text mode programs) on Unix-like operating systems are designed to work together with pipes, i.e., the output from one program becomes the input of another program. This is a major feature of such systems, and it accounts for much of their power and flexibility. Consequently, it is important to have only the truly important information included in the output of each program, and thus in the input of the next program.”
Have you ever had to try to strip out useless output so you could feed that data into another program?
“The rule of silence originally applied to command line programs, because all programs were originally command line programs. However, it is just as applicable to GUI (graphical user interfaces) programs. That is, unnecessary and annoying information should be avoided regardless of the type of user interface.”
“A example is the useless and annoying dialog boxes (i.e., small windows) that pop up on the display screen with with surprising frequency on some operating systems and programs. These dialog boxes contain some obvious, cryptic or unnecessary message and require the user to click on them in order to close them and proceed with work. This is an interruption of concentration and a waste of time for most users. Such dialog boxes should be employed only in situations in which some unexpected result might occur or to protect important data.”
It goes on to make an analogy about Public Address systems. If too many unimportant messages, like advertisements, are sent over the PA system, people will start to ignore them, and miss the important announcements. ***

The Tao of tmux

An interesting article floated across my news feed a few weeks back. It’s what essentially boils down to a book called the “Tao of tmux”, which immediately piqued my interest.
My story may be similar to many of yours. I was initially raised on using screen, and screen only for my terminal session and multiplexing needs.
Since then I’ve only had a passing interest in tmux, but its always been one of those utilities I felt was worthy of investing some more time into. (Especially when seeing some of the neat setups some of my peers have with it)
Needless to say, this article has been bookmarked, and I’ve started digesting some of it, but thought it would be good to share with anybody else who finds them-self in a similar situation.
The book starts off well, explaining in the simplest terms possible what Tmux really is, by comparing and contrasting it to something we are all familiar with, GUIS!
Helpfully they also include a chart which explains some of the terms we will be using frequently when discussing tmux (https://leanpub.com/the-tao-of-tmux/read#leanpub-auto-window-manager-for-the-terminal)
One of the things the author does recommend is also making sure you are up to speed on your Terminal knowledge.

> Before getting into tmux, a few fundamentals of the command line should be reviewed. Often, we’re so used to using these out of street smarts and muscle memory a great deal of us never see the relation of where these tools stand next to each other.

> Seasoned developers are familiar with zsh, Bash, iTerm2, konsole, /dev/tty, shell scripting, and so on. If you use tmux, you’ll be around these all the time, regardless of whether you’re in a GUI on a local machine or SSH’ing into a remote server.

> If you want to learn more about how processes and TTY’s work at the kernel level (data structures and all) the book The Design and Implementation of the FreeBSD Operating System (2nd Edition) by Marshall Kirk McKusick is nice. In particular, Chapter 4, Process Management and Section 8.6, Terminal Handling. The TTY demystified by Linus Åkesson (available online) dives into the TTY and is a good read as well.

We had to get that shout-out of Kirk’s book in here ;)
From here the boot/article takes us on a whirlwind journey of Sessions, Windows, Panes and more. Every control- command is covered, information on how to customize your statusbar, tips, tricks and the like. There’s far more here than we can cover in a single segment, but you are highly encouraged to bookmark this one and start your own adventure into the world of tmux. ***

SDF Celebrates 30 years of service in 2017

HackerNews thread on SDF
“Super Dimension Fortress (SDF, also known as freeshell.org) is a non-profit public access UNIX shell provider on the Internet. It has been in continual operation since 1987 as a non-profit social club. The name is derived from the Japanese anime series The Super Dimension Fortress Macross; the original SDF server was a BBS for anime fans[1]. From its BBS roots, which have been well documented as part of the BBS: The Documentary project, SDF has grown into a feature-rich provider serving members around the world.”
A public access UNIX system, it was many people’s first access to a UNIX shell.
In the 90s, Virtual Machines were rare, the software to run them usually cost a lot of money and no one had very much memory to try to run two operating systems at the same time.
So for many people, these type of shell accounts were the only way they could access UNIX without having to replace the OS on their only computer
This is how I first started with UNIX, eventually moving to paying for access to bigger machines, and then buying my own servers and renting out shell accounts to host IRC servers and channel protection bots.
“On June 16th, 1987 Ted Uhlemann (handle: charmin, later iczer) connected his Apple ][e's 300 baud modem to the phone line his mother had just given him for his birthday. He had published the number the night before on as many BBSes around the Dallas Ft. Worth area that he could and he waited for the first caller. He had a copy of Magic Micro BBS which was written in Applesoft BASIC and he named the BBS "SDF-1" after his favorite Japanimation series ROBOTECH (Macross). He hoped to draw users who were interested in anime, industrial music and the Church of the Subgenius.”
I too started out in the world of BBSes before I had access to the internet. My parents got my a dedicated phone line for my birthday, so I wouldn’t tie up their line all the time. I quickly ended up running my own BBS, the Sudden Death BBS (Renegade on MS DOS)
I credit this early experience for my discovery of a passion for Systems Administration, that lead me to my current career
“Slowly, SDF has grown over all these years, never forgetting our past and unlike many sites on the internet, we actually have a past. Some people today may come here and see us as outdated and "retro". But if you get involved, you'll see it is quite alive with new ideas and a platform for opportunity to try many new things. The machines are often refreshed, the quotas are gone, the disk space is expanding as are the features (and user driven features at that) and our cabinets have plenty of space for expansion here in the USA and in Europe (Germany).”
“Think about ways you'd like to celebrate SDF's 30th and join us on the 'bboard' to discuss what we could do. I realize many of you have likely moved on yourselves, but I just wanted you to know we're still here and we'll keep doing new and exciting things with a foundation in the UNIX shell.” ***

Getting Minecraft to Run on NetBSD

One thing that doesn’t come up often on BSDNow is the idea of gaming. I realize most of us are server folks, or perhaps don’t play games (The PC is for work, use your fancy-smanzy PS4 and get off my lawn you kids)
Today I thought it would be fun to highlight this post over at Reddit talking about running MineCraft on NetBSD
Now I realize this may not be news to some of you, but perhaps it is to others. For the record my kids have been playing Minecraft on PC-BSD / TrueOS for years. It's the primary reason they are more often booted into that instead of Windows. (Funny story behind that - Got sick of all the 3rd party mods, which more often than not came helpfully bundled with viruses and malware)
On NetBSD the process looks a bit different than on FreeBSD. First up, you’ll need to enable Linux Emulation and install Oracle JRE (Not OpenJDK, that path leads to sadness here)
The guide will then walk us through the process of fetching the Linux runtime packages, extracting and then enabling bits such as ‘procfs’ that is required to run the Linux binaries.
Once that's done, minecraft is only a simple “oracle8-jre /path/to/minecraft.jar” command away from starting up, and you’ll be “crafting” in no time. (Does anybody even play survival anymore?) ***

Beastie Bits

Feedback/Questions

***

177: Getting Pi on my Wifi

JT Pennington — Wed, 18 Jan 2017 08:00:00 -0500

This week on BSDNow, we’ve got Wifi galore, a new iocage and some RPi3 news and guides to share. Stay tuned for your place to B...SD!

This episode was brought to you by

Headlines

WiFi: 11n hostap mode added to athn(4) driver, testers wanted

“OpenBSD as WiFi access points look set to be making a comeback in the near future”
“Stefan Sperling added 802.11n hostap mode, with full support initially for the Atheros chips supported by the athn(4) driver.”
“Hostap performance is not perfect yet but should be no worse than 11a/b/g modes in the same environment.”
“For Linux clients a fix for WME params is needed which I also posted to tech@”
“This diff does not modify the known-broken and disabled ar9003 code, apart from making sure it still builds.”
“I'm looking for both tests and OKs.”
There has also been a flurry of work in FreeBSD on the ath10k driver, which supports 802.11ac
Like this one and this one

The long-awaited iocage update has landed

We’ve hinted at the new things happening behind the scenes with iocage, and this last week the code has made its first public debut.
So what’s changed you may ask. The biggest is that iocage has undergone a complete overhaul, moving from its original shell-base to python.
The story behind that is that the author (Brandon) works at iXsystems, and the plan is to move away from the legacy warden-based jail management which was also shell-based.
This new python re-write will allow it to integrate into FreeNAS (and other projects) better by exposing an API for all jail management tasks. Thats right, no more ugly CLI output parsing just to wrangle jail options either at creation or runtime.
But what about users who just run iocage manually from the CLI? No worries, the new iocage is almost identical to the original CLI usage, making the switch over very simple.
Just to re-cap, lets look at the new features list:

“FEATURES:

Ease of use
Rapid jail creation within seconds
Automatic package installation
Virtual networking stacks (vnet)
Shared IP based jails (non vnet)
Transparent ZFS snapshot management
Export and import “
The new iocage is available now via ports and packages under sysutils/py-iocage, give it a spin and be sure to report issues back to the developer(s). ***

Reading DHT11 temperature sensors on a Raspberry Pi under FreeBSD

“DHT-11 is a very cheap temperature/humidity sensor which is commonly used in the IoT devices. It is not very accurate, so for the accurate measurement i would recommend to use DHT21 instead. Anyway, i had DHT-11 in my tool box, so decided to start with it. DHT-11 using very simple 1 wire protocol – host is turning on chip by sending 18ms low signal to the data output and then reading 40 bytes of data.”
“To read data from the chip it should be connected to the power (5v) and gpio pin. I used pin 2 as VCC, 6 as GND and 11 as GPIO”
“There is no support for this device out of the box on FreeBSD. I found some sample code on the github, see lex/freebsd-gpio-dht11 repository. This code was a good starting point, but soon i found 2 issues with it:
- Results are very unreliable, probably due to gpio decoding algorithm.
Checksum is not validated, so sometime values are bogus.
“Initially i was thinking to fix this myself, but later found kernel module for this purpose, 1 wire over gpio. This module contains DHT11 kernel driver (gpio_sw) which implements DHT-11 protocol in the kernel space and exporting /dev/sw0 for the userland. Driver compiles on FreeBSD11/ARM without any changes. Use make install to install the driver.”
The articles goes into how to install and configure the driver, including a set of devfs rules to allow non-root users to read from the sensor
“Final goal was to add this sensor to the domoticz software. It is using LUA scripting to extend it functionality, e.g. to obtain data from non-supported or non standard devices. So, i decided to read /dev/sw0 from the LUA.”
They ran into some trouble with LUA trying to read too much data at once, and had to work around it
In the end, they got the results and were able to use them in the monitoring tool ***

Tor-ified Home Network using HardenedBSD and a RPi3

Shawn from HardendBSD has posted an article up on GitHub talking about his deployment of a new Tor relay on a RPi3
This particular method was attractive, since it allows running a Relay, but without it being on a machine which may have personal data, such as SSH keys, files, etc
While his setup is done on HardendBSD, the same applies to a traditional FreeBSD setup as well.
First up, is the list of things needed for this project:

Raspberry Pi 3 Model B Rev 1.2 (aka, RPI3)
Serial console cable for the RPI3
Belkin F4U047 USB Ethernet Dongle
Insignia NS-CR2021 USB 2.0 SD/MMC Memory Card Reader
32GB SanDisk Ultra PLUS MicroSDHC
A separate system, running FreeBSD or HardenedBSD
HardenedBSD clang 4.0.0 image for the RPI3
An external drive to be formatted
A MicroUSB cable to power the RPI3
Two network cables
Optional: Edimax N150 EW-7811Un Wireless USB
Basic knowledge of vi

After getting HBSD running on the RPi3 and serial connection established, he then takes us through the process of installing and enabling the various services needed. (Don’t forget to growfs your sdcard first!)
Now the tricky part is that some of the packages needed to be compiled from ports, which is somewhat time-consuming on a RPi. He strongly recommends not compiling on the sdcard (it sounds like personal experience has taught him well) and to use iscsi or some external USB drive.
With the compiling done, our package / software setup is nearly complete. Next up is firewalling the box, which he helpfully provides a full PF config setup that we can copy-n-paste here.
The last bits will be enabling the torrc configuration knobs, which if you follow his example again, will result in a tor public relay, and a local transparent proxy for you.
Bonus! Shawn helpfully provides DHCPD configurations, and even Wireless AP configurations, if you want to setup your RPi3 to proxy for devices that connect to it. ***

News Roundup

Unix Admin. Horror Story Summary, version 1.0

A great collection of stories, many of which will ring true with our viewers
The very first one, is about a user changing root’s shell to /usr/local/bin/tcsh but forgetting to make it executable, resulting in not being able to login as root.
I too have run into this issue, in a slightly different way. I had tcsh as my user shell (back before tcsh was in base), and after a major OS upgrade, but before I had a chance to recompile all of my ports. Now I couldn’t ssh in to the remote machine in order to recompile my shell. Now I always use a shell included in the base system, and test it before rebooting after an upgrade.
“Our operations group, a VMS group but trying to learn UNIX, was assigned account administration. They were cleaning up a few non-used accounts like they do on VMS - backup and purge. When they came across the account "sccs", which had never been accessed, away it went. The "deleteuser" utility from DEC asks if you would like to delete all the files in the account. Seems reasonable, huh? Well, the home directory for "sccs" is "/". Enough said :-(“
“I was working on a line printer spooler, which lived in /etc. I wanted to remove it, and so issued the command "rm /etc/lpspl." There was only one problem. Out of habit, I typed "passwd" after "/etc/" and removed the password file. Oops.”
I’ve done things like this as well. Finger memory can be dangerous
“I was happily churning along developing something on a Sun workstation, and was getting a number of annoying permission denieds from trying to write into a directory heirarchy that I didn't own. Getting tired of that, I decided to set the permissions on that subtree to 777 while I was working, so I wouldn't have to worry about it. Someone had recently told me that rather than using plain "su", it was good to use "su -", but the implications had not yet sunk in. (You can probably see where this is going already, but I'll go to the bitter end.) Anyway, I cd'd to where I wanted to be, the top of my subtree, and did su -. Then I did chmod -R 777. I then started to wonder why it was taking so damn long when there were only about 45 files in 20 directories under where I (thought) I was. Well, needless to say, su - simulates a real login, and had put me into root's home directory, /, so I was proceeding to set file permissions for the whole system to wide open. I aborted it before it finished, realizing that something was wrong, but this took quite a while to straighten out.”
Where is a ZFS snapshot when you need it? ***

How individual contributors get stuck

An interesting post looking at the common causes of people getting stuck when trying to create or contribute new code
- Brainstorming/architecture: “I must have thought through all edge cases of all parts of everything before I can begin this project”
- Researching possible solutions forever (often accompanied by desire to do a “bakeoff” where they build prototypes in different platforms/languages/etc)
- Refactoring: “this code could be cleaner and everything would be just so much easier if we cleaned this up… and this up… and…”
- Helping other people instead of doing their assigned tasks (this one isn’t a bad thing in an open source community)
- Working on side projects instead of the main project (it is your time, it is up to you how to spend it)
- Excessive testing (rare)
- Excessive automation (rare)
- Finish the last 10–20% of a project
- Start a project completely from scratch
- Do project planning (You need me to write what now? A roadmap?) (this is why FreeBSD has devsummits, some things you just need to whiteboard)
- Work with unfamiliar code/libraries/systems
- Work with other teams (please don’t make me go sit with data engineering!!)
- Talk to other people
- Ask for help (far beyond the point they realized they were stuck and needed help)
- Deal with surprises or unexpected setbacks
- Deal with vendors/external partners
- Say no, because they can’t seem to just say no (instead of saying no they just go into avoidance mode, or worse, always say yes)
“Noticing how people get stuck is a super power, and one that many great tech leads (and yes, managers) rely on to get big things done. When you know how people get stuck, you can plan your projects to rely on people for their strengths and provide them help or even completely side-step their weaknesses. You know who is good to ask for which kinds of help, and who hates that particular challenge just as much as you do.”
“The secret is that all of us get stuck and sidetracked sometimes. There’s actually nothing particularly “bad” about this. Knowing the ways that you get hung up is good because you can choose to either a) get over the fears that are sticking you (lack of knowledge, skills, or confidence), b) avoid such tasks as much as possible, and/or c) be aware of your habits and use extra diligence when faced with tackling these areas.” ***

Make Docs!

“MkDocs is a fast, simple and downright gorgeous static site generator that's geared towards building project documentation. Documentation source files are written in Markdown, and configured with a single YAML configuration file.”
“MkDocs builds completely static HTML sites that you can host on GitHub pages, Amazon S3, or anywhere else you choose”
It is an easy to install python package
It includes a server mode that auto-refreshes the page as you write the docs, making it easy to preview your work before you post it online
Everything needs docs, and writing docs should be as simple as possible, so that more of them will get written
Go write some docs! ***

Experimental FreeNAS 11/12 builds

We know there’s a lot of FreeNAS users who listen to BSDNow, so I felt it was important to share this little tidbit.
I’ve posted something to the forums last night which includes links to brand-new spins of FreeNAS 9.10 based upon FreeBSD 11/stable and 12/current.
These builds are updated nightly via our Jenkins infrastructure and hopefully will provide a new playground for technical folks and developers to experiment with FreeBSD features in their FreeNAS environment, long before they make it into a -STABLE release.
As usual, the notes of caution do apply, these are nightlies, and as such bugs will abound. Do NOT use these with your production data, unless you are crazy, or just want an excuse to test your backup strategy
If you do run these builds, of course feedback is welcome via the usual channels, such as the bug tracker.
The hope is that by testing FreeBSD code earlier, we can vet and determine what is safe / ready to go into mainline FreeNAS sooner rather than later. ***

Beastie Bits

An Explainer on Unix’s Most Notorious Code Comment
turn your network inside out with one pf.conf trick
A story of if_get(9)
Apple re-affirms its commitment to LLVM/Clang
python 3k17
2017 presentation proposals
NetBSD 7.1_RC1 available
#define FS_UFS2_MAGIC 0x19540119 (Happy Birthday to Kirk McKusick tomorrow) ***

Feedback/Questions

176: Linking your world

JT Pennington — Wed, 11 Jan 2017 08:00:00 -0500

Another exciting week on BSDNow, we are queued up with LLVM / Linking news, a look at NetBSD’s scheduler,

This episode was brought to you by

Headlines

FreeBSD Kernel and World, and many Ports, can now be linked with lld

“With this change applied I can link the entirety of the FreeBSD/amd64 base system (userland world and kernel) with LLD.”
“Rafael's done an initial experimental Poudriere FreeBSD package build with lld head, and found almost 20K out of 26K ports built successfully. I'm now looking at getting CI running to test this on an ongoing basis. But, I think we're at the point where an experimental build makes sense.”
Such testing will become much easier once llvm 4.0 is imported into -current
“I suggest that during development we collect patches in a local git repo -- for example, I've started here for my Poudriere run https://github.com/emaste/freebsd-ports/commits/ports-lld”
“It now looks like libtool is responsible for the majority of my failed / skipped ports. Unless we really think we'll add "not GNU" and other hacks to lld we're going to have to address libtool limitations upstream and in the FreeBSD tree. I did look into libtool a few weeks ago, but unfortunately haven't yet managed to produce a patch suitable for sending upstream.”
If you are interested in LLVM/Clang/LLD/LLDB etc, check out: A Tourist’s Guide to the LLVM Source Code ***

Documenting NetBSD's scheduler tweaks

A followup to our previous coverage of improvements to the scheduler in NetBSD
“NetBSD's scheduler was recently changed to better distribute load of long-running processes on multiple CPUs. So far, the associated sysctl tweaks were not documented, and this was changed now, documenting the kern.sched sysctls.”
kern.sched.cacheht_time (dynamic): Cache hotness time in which a LWP is kept on one particular CPU and not moved to another CPU. This reduces the overhead of flushing and reloading caches. Defaults to 3ms. Needs to be given in ``hz'' units, see mstohz(9).
kern.sched.balance_period (dynamic): Interval at which the CPU queues are checked for re-balancing. Defaults to 300ms.
kern.sched.min_catch (dynamic): Minimum count of migratable (runable) threads for catching (stealing) from another CPU. Defaults to 1 but can be increased to decrease chance of thread migration between CPUs.
It is important to have good documentation for these tunables, so that users can understand what it is they are adjusting ***

FreeBSD Network Gateway on EdgeRouter Lite

“EdgeRouter Lite is a great device to run at the edge of a home network. It becomes even better when it's running FreeBSD. This guide documents how to setup such a gateway. There are accompanying git repos to somewhat automate the process as well.”
“Colin Percival has written a great blog post on the subject, titled FreeBSD on EdgeRouter Lite - no serial port required . In it he provides and describes a shell script to build a bootable image of FreeBSD to be run on ERL, available from GitHub in the freebsd-ERL-build repo. I have built a Vagrant-based workflow to automate the building of the drive image. It's available on GitHub in the freebsd-edgerouterlite-ansible repo. It uses the build script Percival wrote.”
“Once you've built the disk image it's time to write it to a USB drive. There are two options: overwrite the original drive in the ERL or buy a new drive. I tried the second option first and wrote to a new Sandrive Ultra Fit 32GB USB 3.0 Flash Drive (SDCZ43-032G-GAM46). It did not work and I later found on some blog that those drives do not work. I have not tried another third party drive since.”
The tutorial covers all of the steps, and the configuration files, including rc.conf, IP configuration, DHCP (and v6), pf, and DNS (unbound)
“I'm pretty happy with ERL and FreeBSD. There is great community documentation on how to configure all the pieces of software that make a FreeBSD-based home network gateway possible. I can tweak things as needed and upgrade when newer versions become available.”
“My plan on upgrading the base OS is to get a third party USB drive that works, write a newer FreeBSD image to it, and replace the drive in the ERL enclosure. This way I can keep a bunch of drives in rotation. Upgrades to newer builds or reverts to last known good version are as easy as swapping USB drives.”
Although something more nanobsd style with 2 partitions on the one drive might be easier.
“Configuration with Ansible means I don't have to manually do things again and again. As the configs change they'll be tracked in git so I get version control as well. ERL is simply a great piece of network hardware. I'm tempted to try Ubiquiti's WiFi products instead of a mixture of DD-WRT and OpenWRT devices I have now. But that is for another day and perhaps another blog post.” ***

A highly portable build system targeting modern UNIX systems

An exciting new/old project is up on GitHub that we wanted to bring your attention to.
BSD Owl is a highly portable build-system based around BSD Make that supports a variety of popular (and not so popular) languages, such as:
- C programs, compiled for several targets
- C libraries, static and shared, compiled for several targets
- Shell scripts
- Python scripts
- OCaml programs
- OCaml libraries, with ocamldoc documentation
- OCaml plugins
- TeX documents, prepared for several printing devices
- METAPOST figures, with output as PDF, PS, SVG or PNG, either as part of a TeX document or as standalone documents
What about features you may ask? Well BSD Owl has plenty of those to go around:
- Support of compilation profiles
- Support of the parallel mode (at the directory level)
- Support of separate trees for sources and objects
- Support of architecture-dependant compilation options
- Support GNU autoconf
- Production of GPG-signed tarballs
- Developer subshell, empowered with project-specific scripts
- Literate programming using noweb
- Preprocessing with m4
As far as platform support goes, BSD Owl is tested on OSX / Debian Jesse and FreeBSD > 9. Future support for OpenBSD and NetBSD is planned, once they update their respective BSD Make binaries to more modern versions

News Roundup

find -delete in OpenBSD. Thanks to tedu@ OpenBSD will have this very handy flag to in the future.

OpenBSD’s find(1) utility will now support the -delete operation
“This option is not posix (not like that's stopped find accumulating a dozen extensions), but it is in gnu and freebsd (for 20 years). it's also somewhat popular among sysadmins and blogs, etc. and perhaps most importantly, it nicely solves one of the more troublesome caveats of find (which the man page actually covers twice because it's so common and easy to screw up). So I think it makes a good addition.”
The actual code was borrowed from FreeBSD
Using the -delete option is much more performant than forking rm once for each file, and safer because there is no risk of mangling path names
If you encounter a system without a -delete option, your best bet is to use the -print0 option of find, which will print each filename terminated by a null byte, and pipe that into xargs -0 rm
This avoids any ambiguity caused by files with spaces in the names ***

New version of the Lumina desktop released

Just in time to kickoff 2017 we have a new release of Lumina Desktop (1.2.0)
Some of the notable changes include fixes to make it easier to port to other platforms, and some features:
New Panel Plugins:
- “audioplayer” (panel version of the desktop plugin with the same name): Allows the user to load/play audio files directly through the desktop itself.
- “jsonmenu” (panel version of the menu plugin with the same name): Allows an external utility/script to be used to generate a menu/contents on demand.
New Menu Plugins:
- “lockdesktop”: Menu option for instantly locking the desktop session.
New Utilities:
- lumina-archiver: This is a pure Qt5 front-end to the “tar” utility for managing/creating archives. This can also use the dd utility to burn a “*.img” file to a USB device for booting.“
Looks like the news already made its rounds to a few different sites, with Phoronix and Softpedia picking it up as well
Phoronix
Softpedia
TrueOS users running the latest updates are already on the pre-release version of 1.2.1, so nothing has to be done there to get the latest and greatest.

dd is not a disk writing tool

“If you’ve ever used dd, you’ve probably used it to read or write disk images:” > # Write myfile.iso to a USB drive > dd if=myfile.iso of=/dev/sdb bs=1M
“Usage of dd in this context is so pervasive that it’s being hailed as the magic gatekeeper of raw devices. Want to read from a raw device? Use dd. Want to write to a raw device? Use dd. This belief can make simple tasks complicated. How do you combine dd with gzip? How do you use pv if the source is raw device? How do you dd over ssh?”
“The fact of the matter is, dd is not a disk writing tool. Neither “d” is for “disk”, “drive” or “device”. It does not support “low level” reading or writing. It has no special dominion over any kind of device whatsoever.”
Then a number of alternatives are discussed
“However, this does not mean that dd is useless! The reason why people started using it in the first place is that it does exactly what it’s told, no more and no less. If an alias specifies -a, cp might try to create a new block device rather than a copy of the file data. If using gzip without redirection, it may try to be helpful and skip the file for not being regular. Neither of them will write out a reassuring status during or after a copy.”
“dd, meanwhile, has one job*: copy data from one place to another. It doesn’t care about files, safeguards or user convenience. It will not try to second guess your intent, based on trailing slashes or types of files. When this is no longer a convenience, like when combining it with other tools that already read and write files, one should not feel guilty for leaving dd out entirely.”
“dd is the swiss army knife of the open, read, write and seek syscalls. It’s unique in its ability to issue seeks and reads of specific lengths, which enables a whole world of shell scripts that have no business being shell scripts. Want to simulate a lseek+execve? Use dd! Want to open a file with O_SYNC? Use dd! Want to read groups of three byte pixels from a PPM file? Use dd!”
“It’s a flexible, unique and useful tool, and I love it. My only issue is that, far too often, this great tool is being relegated to and inappropriately hailed for its most generic and least interesting capability: simply copying a file from start to finish.”
“dd actually has two jobs: Convert and Copy. Legend has it that the intended name, “cc”, was taken by the C compiler, so the letters were shifted by one to give “dd”. This is also why we ended up with a Window system called X.”
dd countdown ***

Bhyve setup for tcp testing

FreeBSD Developer Hiren Panchasara writes about his setup to use bhyve to test changes to the TCP stack in FreeBSD
“Here is how I test simple FreeBSD tcp changes with dummynet on bhyve. I’ve already wrote down how I do dummynet so I’ll focus on bhyve part.”
“A few months back when I started looking into improving FreeBSD TCP’s response to packet loss, I looked around for traffic simulators which can do deterministic packet drop for me.”
“I had used dummynet(4) before so I thought of using it but the problem is that it only provided probabilistic drops. You can specify dropping 10% of the total packets”
So he wrote a quick hack, hopefully he’ll polish it up and get it committed
“Setup: I’ll create 3 bhyve guests: client, router and server”
“Both client and server need their routing tables setup correctly so that they can reach each other. The Dummynet node is the router / traffic shaping node here. We need to enable forwarding between interfaces: sysctl net.inet.ip.forwarding=1”
“We need to setup links (called ‘pipes’) and their parameters on dummynet node”
“For simulations, I run a lighttpd web-server on the server which serves different sized objects and I request them via curl or wget from the client. I have tcpdump running on any/all of four interfaces involved to observe traffic and I can see specified packets getting dropped by dummynet. sysctl net.inet.ip.dummynet.io_pkt_drop is incremented with each packet that dummynet drops.”
“Here, 192.* addresses are for ssh and 10.* are for guests to be able to communicate within themselves.”
Create 2 tap interfaces for each end point, and 3 from the router. One each for SSH/control, and the others for the test flows. Then create 3 bridges, the first includes all of the control tap interfaces, and your hosts’ real interface. This allows the guests to reach the internet to download packages etc. The other two bridges form the connections between the three VMs
The creation and configuration of the VMs is documented in detail
I used a setup very similar to this for teaching the basics of how TCP works when I was teaching at a local community college ***

Beastie Bits

Feedback/Questions

175: How the Dtrace saved Christmas

JT Pennington — Wed, 04 Jan 2017 08:00:00 -0500

This week on BSDNow, we’ve got all sorts of post-holiday goodies to share. New OpenSSL APIs, Dtrace, OpenBSD

This episode was brought to you by

Headlines

OpenSSL 1.1 API migration path, or the lack thereof

> As many of you will already be aware, the OpenSSL 1.1.0 release intentionally introduced significant API changes from the previous release. In summary, a large number of data structures that were previously publically visible have been made opaque, with accessor functions being added in order to get and set some of the fields within these now opaque structs. It is worth noting that the use of opaque data structures is generally beneficial for libraries, since changes can be made to these data structures without breaking the ABI. As such, the overall direction of these changes is largely reasonable.

> However, while API change is generally necessary for progression, in this case it would appear that there is NO transition plan and a complete disregard for the impact that these changes would have on the overall open source ecosystem.

> So far it seems that the only approach is to place the migration burden onto each and every software project that uses OpenSSL, pushing significant code changes to each project that migrates to OpenSSL 1.1, while maintaining compatibility with the previous API. This is forcing each project to provide their own backwards compatibility shims, which is practically guaranteeing that there will be a proliferation of variable quality implementations; it is almost a certainty that some of these will contain bugs, potentially introducing security issues or memory leaks.

I think this will be a bigger issue for other operating systems that do not have the flexibility of the ports tree to deliver a newer version of OpenSSL. If a project switches from the old API to the new API, and the OS only provides the older branch of OpenSSL, how can the application work?
Of course, this leaves the issue, if application A wants OpenSSL 1.0, and application B only works with OpenSSL 1.1, how does that work?

> Due to a number of factors, software projects that make use of OpenSSL cannot simply migrate to the 1.1 API and drop support for the 1.0 API - in most cases they will need to continue to support both. Firstly, I am not aware of any platform that has shipped a production release with OpenSSL 1.1 - any software that supported OpenSSL 1.1 only, would effectively be unusable on every platform for the time being. Secondly, the OpenSSL 1.0.2 release is supported until the 31st of December 2019, while OpenSSL 1.1.0 is only supported until the 31st of August 2018 - any LTS style release is clearly going to consider shipping with 1.0.2 as a result.

> Platforms that are attempting to ship with OpenSSL 1.1 are already encountering significant challenges - for example, Debian currently has 257 packages (out of 518) that do not build against OpenSSL 1.1. There are also hidden gotchas for situations where different libraries are linked against different OpenSSL versions and then share OpenSSL data structures between them - many of these problems will be difficult to detect since they only fail at runtime.

It will be interesting to see what happens with OpenSSL, and LibreSSL
Hopefully, most projects will decide to switch to the cleaner APIs provided by s2n or libtls, although they do not provide the entire functionality of the OpenSSL API.
Hacker News comments ***

exfiltration via receive timing

> Another similar way to create a backchannel but without transmitting anything is to introduce delays in the receiver and measure throughput as observed by the sender. All we need is a protocol with transmission control. Hmmm. Actually, it’s easier (and more reliable) to code this up using a plain pipe, but the same principle applies to networked transmissions.

> For every digit we want to “send” back, we sleep a few seconds, then drain the pipe. We don’t care about the data, although if this were a video file or an OS update, we could probably do something useful with it.

> Continuously fill the pipe with junk data. If (when) we block, calculate the difference between before and after. This is a our secret backchannel data. (The reader and writer use different buffer sizes because on OpenBSD at least, a writer will stay blocked even after a read depending on the space that opens up. Even simple demos have real world considerations.)

> In this simple example, the secret data (argv) is shared by the processes, but we can see that the writer isn’t printing them from its own address space. Nevertheless, it works.

> Time to add random delays and buffering to firewalls? Probably not.

An interesting thought experiment that shows just how many ways there are to covertly convey a message ***

OpenBSD Desktop in about 30 Minutes

Over at hackernews we have a very non-verbose, but handy guide to getting to a OpenBSD desktop in about 30 minutes!
First, the guide will assume you’ve already installed OpenBSD 6.0, so you’ll need to at least be at the shell prompt of your freshly installed system to begin.
With that, now its time to do some tuning. Editing some resource limits in login.conf will be our initial task, upping some datasize tunables to 2GB
Next up, we will edit some of the default “doas” settings to something a bit more workable for desktop computing
Another handy trick, editing your .profile to have your PKG_PATH variables set automatically will make
One thing some folks may overlook, but disabling atime can speed disk performance (which you probably don’t care about atime on your desktop anyway), so this guide will show you what knobs to tweak in /etc/fstab to do so
After some final WPA / Wifi configuration, we then drop to “mere mortal” mode and begin our package installations. In this particular guide, he will be setting up Lumina Desktop (Which yes, it is on OpenBSD)
A few small tweaks later for xscreensaver and your xinitrc file, then you are ready to run “startx” and begin your desktop session!
All in all, great guide which if you are fast can probably be done in even less than 30 minutes and will result in a rock-solid OpenBSD desktop rocking Lumina none-the-less. ***

How DTrace saved Christmas

Adam Leventhal, one of the co-creators of DTrace, wrote up this post about how he uses DTrace at home, to save Christmas

> I had been procrastinating making the family holiday card. It was a combination of having a lot on my plate and dreading the formulation of our annual note recapping the year; there were some great moments, but I’m glad I don’t have to do 2016 again. It was just before midnight and either I’d make the card that night or leave an empty space on our friends’ refrigerators.

Adobe Illustrator had other ideas: “Unable to set maximum number of files to be opened”

> I’m not the first person to hit this. The problem seems to have existed since CS6 was released in 2016. None of the solutions were working for me, and — inspired by Sara Mauskopf’s excellent post — I was rapidly running out of the time bounds for the project. Enough; I’d just DTrace it.

> A colleague scoffed the other day, “I mean, how often do you actually use DTrace?” In his mind DTrace was for big systems, critical system, when dollars and lives were at stake. My reply: I use DTrace every day. I can’t imagine developing software without DTrace, and I use it when my laptop (not infrequently) does something inexplicable (I’m forever grateful to the Apple team that ported it to Mac OS X)

> Illustrator is failing on setrlimit(2) and blowing up as result. Let’s confirm that it is in fact returning -1:$ sudo dtrace -n 'syscall::setrlimit:return/execname == "Adobe Illustrato"/{ printf("%d %d", arg1, errno); }'
> dtrace: description 'syscall::setrlimit:return' matched 1 probe
> CPU ID FUNCTION:NAME
> 0 532 setrlimit:return -1 1

> There it is. And setrlimit(2) is failing with errno 1 which is EPERM (value too high for non-root user). I already tuned up the files limit pretty high. Let’s confirm that it is in fact setting the files limit and check the value to which it’s being set. To write this script I looked at the documentation for setrlimit(2) (hooray for man pages!) to determine that the position of the resource parameter (arg0) and the type of the value parameter (struct rlimit). I needed the DTrace copyin() subroutine to grab the structure from the process’s address space:
> $ sudo dtrace -n 'syscall::setrlimit:entry/execname == "Adobe Illustrato"/{ this->r = *(struct rlimit *)copyin(arg1, sizeof (struct rlimit)); printf("%x %x %x", arg0, this->r.rlim_cur, this->r.rlim_max); }'
>
> dtrace: description 'syscall::setrlimit:entry' matched 1 probe
> CPU ID FUNCTION:NAME
> 0 531 setrlimit:entry 1008 2800 7fffffffffffffff
> Looking through /usr/include/sys/resource.h we can see that 1008 corresponds to the number of files (RLIMIT_NOFILE |
_RLIMIT_POSIX_FLAG)

> The quickest solution was to use DTrace again to whack a smaller number into that struct rlimit. Easy:
> $ sudo dtrace -w -n 'syscall::setrlimit:entry/execname == "Adobe Illustrato"/{ this->i = (rlim_t *)alloca(sizeof (rlim_t)); *this->i = 10000; copyout(this->i, arg1 + sizeof (rlim_t), sizeof (rlim_t)); }'

> dtrace: description 'syscall::setrlimit:entry' matched 1 probe
> dtrace: could not enable tracing: Permission denied

> Oh right. Thank you SIP (System Integrity Protection). This is a new laptop (at least a new motherboard due to some bizarre issue) which probably contributed to Illustrator not working when once it did. Because it’s new I haven’t yet disabled the part of SIP that prevents you from using DTrace on the kernel or in destructive mode (e.g. copyout()). It’s easy enough to disable, but I’m reboot-phobic — I hate having to restart my terminals — so I went to plan B: lldb

After using DTrace to get the address of the setrlimit function, Adam used lldb to change the result before it got back to the application: > (lldb) break set -n _init > Breakpoint 1: 47 locations. > (lldb) run > … > (lldb) di -s 0x1006e5b72 -c 1 > 0x1006e5b72: callq 0x1011628e0 ; symbol stub for: setrlimit > (lldb) memory write 0x1006e5b72 0x31 0xc0 0x90 0x90 0x90 > (lldb) di -s 0x1006e5b72 -c 4 > 0x1006e5b72: xorl %eax, %eax > 0x1006e5b74: nop > 0x1006e5b75: nop > 0x1006e5b76: nop

> Next I just did a process detach and got on with making that holiday card…

> DTrace was designed for solving hard problems on critical systems, but the need to understand how systems behave exists in development and on consumer systems. Just because you didn’t write a program doesn’t mean you can’t fix it.

News Roundup

Say my Blog's name!

Brian Everly over at functionally paranoid has a treat for us today. Let us give you a moment to get the tin-foil hats on… Ok, done? Let’s begin!
He starts off with a look at physical security. He begins by listing your options:
> 1. BIOS passwords – Not something I’m typically impressed with. Most can be avoided by opening up the machine, closing a jumper and powering it up to reset the NVRAM to factory defaults. I don’t even bother with them.
> 2. Full disk encryption – This one really rings my bell in a positive way. If you can kill power to the box (either because the bad actor has to physically steal it and they aren’t carrying around a pile of car batteries and an inverter or because you can interrupt power to it some other way), then the disk will be encrypted. The other beauty of this is that if a drive fails (and they all do eventually) you don’t have to have any privacy concerns about chucking it into an electronics recycler (or if you are a bad, bad person, into a landfill) because that data is effectively gibberish without the key (or without a long time to brute force it).
> 3. Two factor auth for logins – I like this one as well. I’m not a fan of biometrics because if your fingerprint is compromised (yes, it can happen – read about the department of defense background checks that were extracted by a bad agent – they included fingerprint images) you can’t exactly send off for a new finger. Things like the YubiKey are pretty slick. They require that you have the physical hardware key as well as the password so unless the bad actor lifted your physical key, they would have a much harder time with physical access to your hardware.
Out of those options, Brian mentions that he uses disk encryption and yubi-key for all his secure network systems.
Next up is network segmentation, in this case the first thing to do is change your admin password for any ISP supplied modem
/ router. He goes on to scare us of javascript attacks being used not against your local machine, but instead non WAN exposed router admin interface. Scary Stuff!
For added security, naturally he firewalls the router by plugging in the LAN port to a OpenBSD box which does the 2nd layer of firewall / router protection.
What about privacy and browsing? Here’s some more of his tips:

> I use Unbound as my DNS resolver on my local network (with all UDP port 53 traffic redirected to it by pf so I don’t have to configure anything on the clients) and then forward the traffic to DNSCrypt Proxy, caching the results in Unbound. I notice ZERO performance penalty for this and it greatly enhances privacy. This combination of Unbound and DNSCrypt Proxy works very well together. You can even have redundancy by having multiple upstream resolvers running on different ports (basically run the DNSCrypt Proxy daemon multiple times pointing to different public resolvers).

> I also use Firefox exclusively for my web browsing. By leveraging the tips on this page, you can lock it down to do a great job of privacy protection. The fact that your laptop’s battery drain rate can be used to fingerprint your browser completely trips me out but hey – that’s the world we live in.’

What about the cloud you may ask? Well Brian has a nice solution for that as well:

> I recently decided I would try to live a cloud-free life and I’ll give you a bit of a synopsis on it. I discovered a wonderful Open Source project called FreeNAS. What this little gem does is allow you to install a FreeBSD/zfs file server appliance on amd64 hardware and have a slick administrative web interface for managing it. I picked up a nice SuperMicro motherboard and chassis that has 4 hot swap drive bays (and two internal bays that I used to mirror the boot volume on) and am rocking the zfs lifestyle! (Thanks Alan Jude!)

> One of the nicest features of the FreeNAS is that it provides the ability to leverage the FreeBSD jail functionality in an easy to use way. It also has plugins but the security on those is a bit sketchy (old versions of libraries, etc.) so I decided to roll my own. I created two jails – one to run OwnCloud (yeah, I know about NextCloud and might switch at some point) and the other to run a full SMTP/IMAP email server stack. I used Lets Encrypt to generate the SSL certificates and made sure I hit an A on SSLLabs before I did anything else.

His post then goes in to talk about Backups and IoT devices, something else you need to consider in this truely paranoid world we are forced to live in. We even get a nice shout-out near the end!

> Enter TarSnap – a company that advertises itself as “Online Backups for the Truly Paranoid”. It brings a tear to my eye – a kindred spirit! :-) Thanks again to Alan Jude and Kris Moore from the BSD Now podcast for turning me onto this company. It has a very easy command syntax (yes, it isn’t a GUI tool – suck it up buttercup, you wanted to learn the shell didn’t you?) and even allows you to compile the thing from source if you want to.”

We’ve only covered some of the highlights here, but you really should take a few moments of your time today and read this top to bottom. Lots of good tips here, already thinking how I can secure my home network better.

The open source book: “Producing Open Source Software”

“How to Run a Successful Free Software Project” by Karl Fogel
9 chapters and over 200 pages of content, plus many appendices
Some interesting topics include:
- Choosing a good name
- version control
- bug tracking
- creating developer guidelines
- setting up communications channels
- choosing a license (although this guide leans heavily towards the GPL)
- setting the tone of the project
- joining or creating a Non-Profit Organization
- the economics of open source
- release engineering, packaging, nightly builds, etc
- how to deal with forks
A lot of good information packaged into this ebook
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License ***

DTrace Flamegraphs for node.js on FreeBSD

One of the coolest tools built on top of DTrace is flamegraphs
They are a very accurate, and visual way to see where a program is spending its time, which can tell you why it is slow, or where it could be improved. Further enhancements include off-cpu flame graphs, which tell you when the program is doing nothing, which can also be very useful > Recently BSD UNIXes are being acknowledged by the application development community as an interesting operating system to deploy to. This is not surprising given that FreeBSD had jails, the original container system, about 17 years ago and a lot of network focused businesses such as netflix see it as the best way to deliver content. This developer interest has led to hosting providers supporting FreeBSD. e.g. Amazon, Azure, Joyent and you can get a 2 months free instance at Digital Ocean.

> DTrace is another vital feature for anyone who has had to deal with production issues and has been in FreeBSD since version 9. As of FreeBSD 11 the operating system now contains some great work by Fedor Indutny so you can profile node applications and create flamegraphs of node.js processes without any additional runtime flags or restarting of processes.

This is one of the most important things about DTrace. Many applications include some debugging functionality, but they require that you stop the application, and start it again in debugging mode. Some even require that you recompile the application in debugging mode.
Being able to attach DTrace to an application, while it is under load, while the problem is actively happening, can be critical to figuring out what is going on.
In order to configure your FreeBSD instance to utilize this feature make the following changes to the configuration of the server.
- Load the DTrace module at boot
- Increase some DTrace limits
- Install node with the optional DTrace feature compiled in
- Follow the generic node.js flamegraph tutorial > I hope you find this article useful. The ability to look at a runtime in this manor has saved me twice this year and I hope it will save you in the future too. My next post on freeBSD and node.js will be looking at some scenarios on utilising the ZFS features.
Also check out Brendan Gregg’s ACM Queue Article “The Flame Graph: This visualization of software execution is a new necessity for performance profiling and debugging”

SSHGuard 2.0 Call for Testing

SSHGuard is a tool for monitoring brute force attempts and blocking them
It has been a favourite of mine for a while because it runs as a pipe from syslogd, rather than reading the log files from the disk

> A lot of work to get SSHGuard working with new log sources (journalctl, macOS log) and backends (firewalld, ipset) has happened in 2.0. The new version also uses a configuration file.

> Most importantly, SSHGuard has been split into several processes piped into one another (sshg-logmon | sshg-parser | sshg-blocker | sshg-fw). sshg-parser can run with capsicum(4) and pledge(2). sshg-blocker can be sandboxed in its default configuration (without pid file, whitelist, blacklisting) and has not been tested sandboxed in other configurations.

Breaking the processes up so that the sensitive bits can be sandboxes is very nice to see ***

Beastie Bits

Feedback/Questions

174: 2016 Highlights

JT Pennington — Thu, 29 Dec 2016 08:00:00 -0500

A look back at 2016

This episode was brought to you by

173: Carry on my Wayland son

JT Pennington — Wed, 21 Dec 2016 08:00:00 -0500

This week on the show, we’ve got some great stories to bring you, a look at the odder side of UNIX history

This episode was brought to you by

Headlines

syspatch in testing state

Antoine Jacoutot ajacoutot@ openbsd has posted a call for testing for OpenBSD’s new syspatch tool
“syspatch(8), a "binary" patch system for -release is now ready for early testing. This does not use binary diffing to update the system, but regular signed tarballs containing the updated files (ala installer).”
“I would appreciate feedback on the tool. But please send it directly to me, there's no need to pollute the list. This is obviously WIP and the tool may or may not change in drastic ways.”
“These test binary patches are not endorsed by the OpenBSD project and should not be trusted, I am only providing them to get early feedback on the tool. If all goes as planned, I am hoping that syspatch will make it into the 6.1 release; but for it to happen, I need to know how it breaks your systems :-)”
Instructions
If you test it, report back and let us know how it went ***

Weston working

Over the past few years we’ve had some user-interest in the state of Wayland / Weston on FreeBSD. In the past day or so, Johannes Lundberg has sent in a progress report to the FreeBSD mailing lists.
Without further ADO:

> We had some progress with Wayland that we'd like to share.

> Wayland (v1.12.0)
> Working

> Weston (v1.12.0)
> Working (Porting WIP)

> Weston-clients (installed with wayland/weston port)
> Working

> XWayland (run X11 apps in Wayland compositor)
> Works (maximized window only) if started manually but not when
> launching X11 app from Weston. Most likely problem with Weston IPC.

> Sway (i3-compatible Wayland compositor)
> Working

> SDL20 (Wayland backend)
> games/stonesoup-sdl briefly tested.
> https://twitter.com/johalun/status/811334203358867456

> GDM (with Wayland)
> Halted - depends on logind.

> GTK3
> gtk3-demo runs fine on Weston (might have to set GDK_BACKEND=wayland
> first.
> GTK3 apps working (gedit, gnumeric, xfce4-terminal tested, xfce desktop
> (4.12) does not yet support GTK3)“

Johannes goes on to give instructions on how / where you can fetch their WiP and do your own testing. At the moment you’ll need Matt Macy’s newer Intel video work, as well as their ports tree which includes all the necessary software bits.
Before anybody asks, yes we are watching this for TrueOS! ***

Where the rubber meets the road (part two)

Continuing with our story from Brian Everly from a week ago, we have an update today on the process to dual-boot OpenBSD with Arch Linux.
As we last left off, Arch was up and running on the laptop, but some quirks in the hardware meant OpenBSD would take a bit longer.
With those issues resolved and the HD seen again, the next issue that reared its head was OpenBSD not seeing the partition tables on the disk. After much frustration, it was time to nuke and pave, starting with OpenBSD first this time.
After a successful GPT partitioning and install of OpenBSD, he went back to installing Arch, and then the story got more interesting.

> “I installed Arch as I detailed in my last post; however, when I fired up gdisk I got a weird error message:

> “Warning! Disk size is smaller than the main header indicates! Loading secondary header from the last sector of the disk! You should use ‘v’ to verify disk integrity, and perhaps options on the expert’s menu to repair the disk.”

> Immediately after this, I saw a second warning:

> “Caution: Invalid backup GPT header, but valid main header; regenerating backup header from main header.”

> And, not to be outdone, there was a third:

> “Warning! Main and backup partition tables differ! Use the ‘c’ and ‘e’ options on the recovery & transformation menu to examine the two tables.”

> Finally (not kidding), there was a fourth:

> “Warning! One or more CRCs don’t match. You should repair the disk!”

> Given all of that, I thought to myself, “This is probably why I couldn’t see the disk properly when I partitioned it under Linux on the OpenBSD side. I’ll let it repair things and I should be good to go.” I then followed the recommendation and repaired things, using the primary GPT table to recreate the backup one. I then installed Arch and figured I was good to go.“

After confirming through several additional re-installs that the behavior was reproducible, he then decided to go full on crazy,and partition with MBR. That in and of itself was a challenge, since as he mentions, not many people dual-boot OpenBSD with Linux on MBR, especially using luks and lvm!
If you want to see the details on how that was done, check it out.
The story ends in success though! And better yet:

> “Now that I have everything working, I’ll restore my config and data to Arch, configure OpenBSD the way I like it and get moving. I’ll take some time and drop a note on the tech@ mailing list for OpenBSD to see if they can figure out what the GPT problem was I was running into. Hopefully it will make that part of the code stronger to get an edge-case bug report like this.”

Take note here, if you run into issues like this with any OS, be sure to document in detail what happened so developers can explore solutions to the issue. ***

FreeBSD and ZFS as a time capsule for OS X

Do you have any Apple users in your life? Perhaps you run FreeBSD for ZFS somewhere else in the house or office. Well today we have a blog post from Mark Felder which shows how you can use FreeBSD as a time-capsule for your OSX systems.
The setup is quite simple, to get started you’ll need packages for netatalk3 and avahi-app for service discovery.
Next up will be your AFP configuration. He helpfully provides a nice example that you should be able to just cut-n-paste. Be sure to check the hosts allow lines and adjust to fit your network. Also of note will be the backup location and valid users to adjust.
A little easier should be the avahi setup, which can be a straight copy-n-paste from the site, which will perform the service advertisements.
The final piece is just enabling specific services in /etc/rc.conf and either starting them by hand, or rebooting. At this point your OSX systems should be able to discover the new time-capsule provider on the network and DTRT. ***

News Roundup

netbenches - FreeBSD network forwarding performance benchmark results

Olivier Cochard-Labbé, original creator of FreeNAS, and leader of the BSD Router Project, has a github repo of network benchmarks
There are many interesting results, and all of the scripts, documentation, and configuration files to run the tests yourself
IPSec Performance on an Atom C2558, 12-head vs IPSec Performance Branch
Compared to: Xeon L5630 2.13GHz
and IPSec with Authentication
I look forward to seeing tests on even more hardware, as people with access to different configurations try out these benchmarks ***

A tcpdump Tutorial and Primer with Examples

Most users will be familiar with the basics of using tcpdump, but this tutorial/primer is likely to fill in a lot of blanks, and advance many users understanding of tcpdump
“tcpdump is the premier network analysis tool for information security professionals. Having a solid grasp of this über-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. Many prefer to use higher level analysis tools such as Wireshark, but I believe this to usually be a mistake.”
tcpdump is an important tool for any system or network administrator, it is not just for security. It is often the best way to figure out why the network is not behaving as expected.
“In a discipline so dependent on a true understanding of concepts vs. rote learning, it’s important to stay fluent in the underlying mechanics of the TCP/IP suite. A thorough grasp of these protocols allows one to troubleshoot at a level far beyond the average analyst, but mastery of the protocols is only possible through continued exposure to them.”
Not just that, but TCP/IP is a very interesting protocol, considering how little it has changed in its 40+ year history
“First off, I like to add a few options to the tcpdump command itself, depending on what I’m looking at. The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves always being displayed. The second is -X, which displays both hex and ascii content within the packet.”
“It’s also important to note that tcpdump only takes the first 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I recommend using 0 (zero) for a snaplength, which gets everything.”
The page has a nice table of the most useful options
It also has a great primer on doing basic filtering
If you are relatively new to using tcpdump, I highly recommend you spend a few minutes reading through this article ***

How Unix made it to the top

Doug McIlroy gives us a nice background post on how “Unix made it to the top”
It’s fairly short / concise, so I felt it would be good to read in its entirety.

> “It has often been told how the Bell Labs law department became the first non-research department to use Unix, displacing a newly acquired stand-alone word-processing system that fell short of the department's hopes because it couldn't number the lines on patent applications, as USPTO required. When Joe Ossanna heard of this, he told them about roff and promised to give it line-numbering capability the next day. They tried it and were hooked. Patent secretaries became remote members of the fellowship of the Unix lab. In due time the law department got its own machine.

> Less well known is how Unix made it into the head office of AT&T. It seems that the CEO, Charlie Brown, did not like to be seen wearing glasses when he read speeches. Somehow his PR assistant learned of the CAT phototypesetter in the Unix lab and asked whether it might be possible to use it to produce scripts in large type. Of course it was. As connections to the top never hurt, the CEO's office was welcomed as another ouside user. The cost--occasionally having to develop film for the final copy of a speech--was not onerous.

> Having teethed on speeches, the head office realized that Unix could also be useful for things that didn't need phototypesetting. Other documents began to accumulate in their directory. By the time we became aware of it, the hoard came to include minutes of AT&T board meetings. It didn't seem like a very good idea for us to be keeping records from the inner sanctum of the corporation on a computer where most everybody had super-user privileges. A call to the PR guy convinced him of the wisdom of keeping such things on their own premises. And so the CEO's office bought a Unix system.

> Just as one hears of cars chosen for their cupholders, so were theseusers converted to Unix for trivial reasons: line numbers and vanity.“

Odd Comments and Strange Doings in Unix

Everybody loves easter-eggs, and today we have some fun odd ones from the history throughout UNIX told by Dennis Ritchie.
First up, was a fun one where the “mv” command could sometimes print the following “values of b may give rise to dom!”

> “Like most of the messages recorded in these compilations, this one was produced in some situation that we considered unlikely or as result of abuse; the details don't matter. I'm recording why the phrase was selected.

> The very first use of Unix in the "real business" of Bell Labs was to type and produce patent applications, and for a while in the early 1970s we had three typists busily typing away in the grotty lab on the sixth floor. One day someone came in and observed on the paper sticking out of one of the Teletypes, displayed in magnificent isolation, this ominous phrase: values of b may give rise to dom!

> It was of course obvious that the typist had interrupted a printout (generating the "!" from the ed editor) and moved up the paper, and that the context must have been something like "varying values of beta may give rise to domain wall movement" or some other fragment of a physically plausible patent application.But the phrase itself was just so striking! Utterly meaningless, but it looks like what... a warning? What is "dom?"

> At the same time, we were experimenting with text-to-voice software by Doug McIlroy and others, and of course the phrase was tried out with it. For whatever reason, its rendition of "give rise to dom!" accented the last word in a way that emphasized the phonetic similarity between "doom" and the first syllable of "dominance." It pronounced "beta" in the British style, "beeta." The entire occurrence became a small, shared treasure.The phrase had to be recorded somewhere, and it was, in the v6 source. Most likely it was Bob Morris who did the deed, but it could just as easily have been Ken. I hope that your browser reproduces the b as a Greek beta.“

Next up is one you might have heard before:

> /* You are not expected to understand this */> Every now and then on Usenet or elsewhere I run across a reference to a certain comment in the source code of the Sixth
Edition Unix operating system.

> I've even been given two sweatshirts that quote it.

> Most probably just heard about it, but those who saw it in the flesh either had Sixth Edition Unix (ca. 1975) or read the annotated version of this system by John Lions (which was republished in 1996: ISBN 1-57298-013-7, Peer-to-Peer Communications).It's often quoted as a slur on the quantity or quality of the comments in the Bell Labs research releases of Unix. Not an unfair observation in general, I fear, but in this case unjustified.

> So we tried to explain what was going on. "You are not expected to understand this" was intended as a remark in the spirit of "This won't be on the exam," rather than as an impudent challenge.

There’s a few other interesting stories as well, if the odd/fun side of UNIX history at all interests you, I would recommend checking it out.

Beastie Bits

Feedback/Questions

172: A tale of BSD from yore

JT Pennington — Wed, 14 Dec 2016 08:00:00 -0500

This week on BSDNow, we have a very special guest joining us to tell us a tale of the early days in BSD history. That plus some new OpenSSH goodness, shell scripting utilities and much more. Stay tuned for your place to B...SD!

This episode was brought to you by

Headlines

Call For Testing: OpenSSH 7.4

Getting ready to head into the holidays for for the end of 2016 means some of us will have spare time on our hands. What a perfect time to get some call for testing work done!
Damien Miller has issued a public CFT for the upcoming OpenSSH 7.4 release, which considering how much we all rely on SSH I would expect will get some eager volunteers for testing.
What are some of the potential breakers?

> “* This release removes server support for the SSH v.1 protocol.

> * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the
only mandatory cipher in the SSH RFCs, this may cause problems
connecting to older devices using the default configuration,
but it's highly likely that such devices already need explicit
configuration for key exchange and hostkey algorithms already
anyway.

> * sshd(8): Remove support for pre-authentication compression.
Doing compression early in the protocol probably seemed reasonable
in the 1990s, but today it's clearly a bad idea in terms of both
cryptography (cf. multiple compression oracle attacks in TLS) and
attack surface. Pre-auth compression support has been disabled by
default for >10 years. Support remains in the client.

> * ssh-agent will refuse to load PKCS#11 modules outside a whitelist
of trusted paths by default. The path whitelist may be specified
at run-time.

> * sshd(8): When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, sshd will now
refuse to accept the certificate unless they are identical.
The previous (documented) behaviour of having the certificate
forced-command override the other could be a bit confusing and
error-prone.

> * sshd(8): Remove the UseLogin configuration directive and support
for having /bin/login manage login sessions.“

What about new features? 7.4 has some of those to wake you up also:

> “* ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
version in PuTTY by Simon Tatham. This allows a multiplexing
client to communicate with the master process using a subset of
the SSH packet and channels protocol over a Unix-domain socket,
with the main process acting as a proxy that translates channel
IDs, etc. This allows multiplexing mode to run on systems that
lack file- descriptor passing (used by current multiplexing
code) and potentially, in conjunction with Unix-domain socket
forwarding, with the client and multiplexing master process on
different machines. Multiplexing proxy mode may be invoked using
"ssh -O proxy ..."

> * sshd(8): Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
as anything else we might implement in the future. Like the
'restrict' authorized_keys flag, this is intended to be a simple
and future-proof way of restricting an account.

> * sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
method. This is identical to the currently-support method named
"curve25519-sha256@libssh.org".

> * sshd(8): Improve handling of SIGHUP by checking to see if sshd is
already daemonised at startup and skipping the call to daemon(3)
if it is. This ensures that a SIGHUP restart of sshd(8) will
retain the same process-ID as the initial execution. sshd(8) will
also now unlink the PidFile prior to SIGHUP restart and re-create
it after a successful restart, rather than leaving a stale file in
the case of a configuration error. bz#2641

> * sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
directives to appear in sshd_config Match blocks.

> * sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
those supported by AuthorizedKeysCommand (key, key type,
fingerprint, etc.) and a few more to provide access to the
contents of the certificate being offered.

> * Added regression tests for string matching, address matching and
string sanitisation functions.

> * Improved the key exchange fuzzer harness.“

Get those tests done and be sure to send feedback, both positive and negative. ***

How My Printer Caused Excessive Syscalls & UDP Traffic

> “3,000 syscalls a second, on an idle machine? That doesn’t seem right. I just booted this machine. The only processes running are those required to boot the SmartOS Global Zone, which is minimal.”

> This is a story from 2014, about debugging a machine that was being slowed down by excessive syscalls and UDP traffic. It is also an excellent walkthrough of the basics of DTrace

> “Well, at least I have DTrace. I can use this one-liner to figure out what syscalls are being made across the entire system.”

> dtrace -n 'syscall:::entry { @[probefunc,probename] = count(); }'

> “Wow! That is a lot of lwp_sigmask calls. Now that I know what is being called, it’s time to find out who is doing the calling? I’ll use another one-liner to show me the most common user stacks invoking lwp_sigmask.”

> dtrace -n 'syscall::lwp_sigmask:entry { @[ustack()] = count(); }'

> “Okay, so this mdnsd code is causing all the trouble. What is the distribution of syscalls for the mdnsd program?”

> dtrace -n 'syscall:::entry /execname == "mdnsd"/ { @[probefunc] = count(); } tick-1s { exit(0); }'

> “Lots of signal masking and polling. What the hell! Why is it doing this? What is mdnsd anyways? Is there a man page? Googling for mdns reveals that it is used for resolving host names in small networks, like my home network. It uses UDP, and requires zero configuration. Nothing obvious to explain why it’s flipping out. I feel helpless. I turn to the only thing I can trust, the code.”

> “Woah boy, this is some messy looking code. This would not pass illumos cstyle checks. Turns out this is code from Darwin—the kernel of OSX.”

> “Hmmm…an idea pops into my computer animal brain. I wonder…I wonder if my MacBook is also experiencing abnormal syscall rates? Nooo, that can’t be it. Why would both my SmartOS server and MacBook both have the same problem? There is no good technical reason to link these two. But, then again, I’m dealing with computers here, and I’ve seen a lot of strange things over the years—I switch to my laptop.”

> sudo dtrace -n 'syscall::: { @[execname] = count(); } tick-1s { exit(0); }'

> Same thing, except mdns is called discoverd on OS X

> “I ask my friend Steve Vinoski to run the same DTrace one-liner on his OSX machines. He has both Yosemite and the older Mountain Lion. But, to my dismay, neither of his machines are exhibiting high syscall rates. My search continues.”

> “Not sure what to do next, I open the OSX Activity Monitor. In desperation I click on the Network tab.”

> “ HOLE—E—SHIT! Two-Hundred-and-Seventy Million packets received by discoveryd. Obviously, I need to stop looking at code and start looking at my network. I hop back onto my SmartOS machine and check network interface statistics.”

> “Whatever is causing all this, it is sending about 200 packets a second. At this point, the only thing left to do is actually inspect some of these incoming packets. I run snoop(1M) to collect events on the e1000g0 interface, stopping at about 600 events. Then I view the first 15.”

> “ A constant stream of mDNS packets arriving from IP 10.0.1.8. I know that this IP is not any of my computers. The only devices left are my iPhone, AppleTV, and Canon printer. Wait a minute! The printer! Two days earlier I heard some beeping noises…”

> “I own a Canon PIXMA MG6120 printer. It has a touch interface with a small LCD at the top, used to set various options. Since it sits next to my desk I sometimes lay things on top of it like a book or maybe a plate after I’m done eating. If I lay things in the wrong place it will activate the touch interface and cause repeated pressing. Each press makes a beeping noise. If the object lays there long enough the printer locks up and I have to reboot it. Just such events occurred two days earlier.”

> “I fire up dladm again to monitor incoming packets in realtime. Then I turn to the printer. I move all the crap off of it: two books, an empty plate, and the title for my Suzuki SV650 that I’ve been meaning to sell for the last year. I try to use the touch screen on top of the printer. It’s locked up, as expected. I cut power to the printer and whip my head back to my terminal.”

> No more packet storm

> “Giddy, I run DTrace again to count syscalls.”

> “I’m not sure whether to laugh or cry. I laugh, because, LOL computers. There’s some new dumb shit you deal with everyday, better to roll with the punches and laugh. You live longer that way. At least I got to flex my DTrace muscles a bit. In fact, I felt a bit like Brendan Gregg when he was debugging why OSX was dropping keystrokes.”

> “I didn’t bother to root cause why my printer turned into a UDP machine gun. I don’t intend to either. I have better things to do, and if rebooting solves the problem then I’m happy. Besides, I had to get back to what I was trying to do six hours before I started debugging this damn thing.”

> There you go. The Internet of Terror has already been on your LAN for years.

Making Getaddrinfo Concurrent in Python on Mac OS and BSD

We have a very fun blog post today to pass along originally authored by “A. Jesse Jiryu Davis”. Specifically the tale of one man’s quest to unify the Getaddrinfo in Python with Mac OS and BSD.
To give you a small taste of this tale, let us pass along just the introduction

> “Tell us about the time you made DNS resolution concurrent in Python on Mac and BSD. No, no, you do not want to hear that story, my friends. It is nothing but old lore and #ifdefs.

> But you made Python more scalable. The saga of Steve Jobs was sung to you by a mysterious wizard with a fanciful nickname! Tell us!

> Gather round, then. I will tell you how I unearthed a lost secret, unbound Python from old shackles, and banished an ancient and horrible Mutex Troll. Let us begin at the beginning.“

Is your interest piqued? It should be. I’m not sure we could do this blog post justice trying to read it aloud here, but definetly recommend if you want to see how he managed to get this bit of code working cross platform. (And it’s highly entertaining as well)

> “A long time ago, in the 1980s, a coven of Berkeley sorcerers crafted an operating system. They named it after themselves: the Berkeley Software Distribution, or BSD. For generations they nurtured it, growing it and adding features. One night, they conjured a powerful function that could resolve hostnames to IPv4 or IPv6 addresses. It was called getaddrinfo. The function was mighty, but in years to come it would grow dangerous, for the sorcerers had not made getaddrinfo thread-safe.”

> “As ages passed, BSD spawned many offspring. There were FreeBSD, OpenBSD, NetBSD, and in time, Mac OS X. Each made its copy of getaddrinfo thread safe, at different times and different ways. Some operating systems retained scribes who recorded these events in the annals. Some did not.”

The story continues as our hero battles the Mutex Troll and quests for ancient knowledge

> “Apple engineers are not like you and me — they are a shy and secretive folk. They publish only what code they must from Darwin. Their comings and goings are recorded in no bug tracker, their works in no changelog. To learn their secrets, one must delve deep.”

> “There is a tiny coven of NYC BSD users who meet at the tavern called Stone Creek, near my dwelling. They are aged and fierce, but I made the Sign of the Trident and supplicated them humbly for advice, and they were kindly to me.”

Spoiler: “Without a word, the mercenary troll shouldered its axe and trudged off in search of other patrons on other platforms. Never again would it hold hostage the worthy smiths forging Python code on BSD.” ***

Using release(7) to create FreeBSD images for OpenStack

Following a recent episode where we covered a walk through on how to create FreeBSD guest OpenStack images, we wondered if it would be possible to integrate this process into the FreeBSD release(7) process, so they images could be generated consistently and automatically
Being the awesome audience that you are, one of you responded by doing exactly that

> “During a recent BSDNow podcast, Allan and Kris mentioned that it would be nice to have a tutorial on how to create a FreeBSD image for OpenStack using the official release(7) tools. With that, it came to me that: #1 I do have access to an OpenStack environment and #2 I am interested in having FreeBSD as a guest image in my environment. Looks like I was up for the challenge.”

> “Previously, I’ve had success running FreeBSD 11.0-RELEASE on OpenStack but more could/should be done. For instance, as suggested by Allan, wouldn’t be nice to deploy the latest code from FreeBSD ? Running -STABLE or even -CURRENT ? Yes, it would. Also, wouldn’t it be nice to customize these images for a specific need? I’d say ‘Yes’ for that as well.”

> “After some research I found that the current openstack.conf file, located at /usr/src/release/tools/ could use some extra tweaks to get where I wanted. I’ve created and attached that to a bugzilla on the same topic. You can read about that here.”

Steps:
- Fetch the FreeBSD source code and extract it under /usr/src
- Once the code is in place, follow the regular process of build(7) and perform a make buildworld buildkernel
- Change into the release directory (/usr/src/release) and perform a make cloudware
- make cloudware-release WITH_CLOUDWARE=yes CLOUDWARE=OPENSTACK VMIMAGE=2G

> “That’s it! This will generate a qcow2 image with 1.4G in size and a raw image of 2G. The entire process uses the release(7) toolchain to generate the image and should work with newer versions of FreeBSD.”

The patch has already been committed to FreeBSD ***

Interview - Rod Grimes - rgrimes@freebsd.org

Want to help fund the development of GPU Passthru? Visit bhyve.org ***

News Roundup

Configuring the FreeBSD automounter

Ever had to configure the FreeBSD auto-mounting daemon? Today we have a blog post that walks us through a few of the configuration knobs you have at your disposal.
First up, Tom shows us his /etc/fstab file, and the various UFS partitions he has setup with the ‘noauto’ flag so they are not mounted at system boot.
His amd.conf file is pretty basic, with just options enabled to restart mounts, and unmount on exit.
Where most users will most likely want to pay attention is in the crafting of an amd.map file
Within this file, we have the various command-foo which performs mounts and unmounts of targeted disks / file-systems on demand.
Pay special attention to all the special chars, since those all matter and a stray or missing ; could be a source of failure.
Lastly a few knobs in rc.conf will enable the various services and a reboot should confirm the functionality. ***

l2k16 hackathon report: LibreSSL manuals now in mdoc(7)

Hackathon report by Ingo Schwarze

> “Back in the spring two years ago, Kristaps Dzonsons started the pod2mdoc(1) conversion utility, and less than a month later, the LibreSSL project began. During the general summer hackathon in the same year, g2k14, Anthony Bentley started using pod2mdoc(1) for converting LibreSSL manuals to mdoc(7).”

> “Back then, doing so still was a pain, because pod2mdoc(1) was still full of bugs and had gaping holes in functionality. For example, Anthony was forced to basically translate the SYNOPSIS sections by hand, and to fix up .Fn and .Xr in the body by hand as well. All the same, he speedily finished all of libssl, and in the autumn of the same year, he mustered the courage to commit his work.”

> “Near the end of the following winter, i improved the pod2mdoc(1) tool to actually become convenient in practice and started work on libcrypto, converting about 50 out of the about 190 manuals. Max Fillinger also helped a bit, converting a handful of pages, but i fear i tarried too much checking and committing his work, so he quickly gave up on the task. After that, almost nothing happened for a full year.”

> “Now i was finally fed up with the messy situation and decided to put an end to it. So i went to Toulouse and finished the conversion of the remaining 130 manual pages in libcrypto, such that you can now view the documentation of all functions”

Interactive Terminal Utility: smenu

Ok, I’ve made no secret of my love for shell scripting. Well today we have a new (somewhat new to us) tool to bring your way.
Have you ever needed to deal with large lists of data, perhaps as the result of a long specially crafted pipe?
What if you need to select a specific value from a range and then continue processing?
Enter ‘smenu’ which can help make your scripting life easier.

> “smenu is a selection filter just like sed is an editing filter.

> This simple tool reads words from the standard input, presents them in a cool interactive window after the current line on the terminal and writes the selected word, if any, on the standard output.

> After having unsuccessfully searched the NET for what I wanted, I decided to try to write my own.

> I have tried hard to made its usage as simple as possible. It should work, even when using an old vt100 terminal and is UTF-8 aware.“

What this means, is in your interactive scripts, you can much easier present the user with a cursor driven menu to select from a range of possible choices. (Without needing to craft a bunch of dialog flags)
Take a look, and hopefully you’ll be able to find creative uses for your shell scripts in the future. ***

Ubuntu still isn't free software

> “Any redistribution of modified versions of Ubuntu must be approved, certified or provided by Canonical if you are going to associate it with the Trademarks. Otherwise you must remove and replace the Trademarks and will need to recompile the source code to create your own binaries. This does not affect your rights under any open source licence applicable to any of the components of Ubuntu. If you need us to approve, certify or provide modified versions for redistribution you will require a licence agreement from Canonical, for which you may be required to pay. For further information, please contact us”

> “Mark Shuttleworth just blogged about their stance against unofficial Ubuntu images. The assertion is that a cloud hoster is providing unofficial and modified Ubuntu images, and that these images are meaningfully different from upstream Ubuntu in terms of their functionality and security. Users are attempting to make use of these images, are finding that they don't work properly and are assuming that Ubuntu is a shoddy product. This is an entirely legitimate concern, and if Canonical are acting to reduce user confusion then they should be commended for that.”

> “The appropriate means to handle this kind of issue is trademark law. If someone claims that something is Ubuntu when it isn't, that's probably an infringement of the trademark and it's entirely reasonable for the trademark owner to take action to protect the value associated with their trademark. But Canonical's IP policy goes much further than that - it can be interpreted as meaning[1] that you can't distribute works based on Ubuntu without paying Canonical for the privilege, even if you call it something other than Ubuntu. [1]: And by "interpreted as meaning" I mean that's what it says and Canonical refuse to say otherwise”

> “If you ask a copyright holder if you can give a copy of their work to someone else (assuming it doesn't infringe trademark law), and they say no or insist you need an additional contract, it's not free software. If they insist that you recompile source code before you can give copies to someone else, it's not free software. Asking that you remove trademarks that would otherwise infringe trademark law is fine, but if you can't use their trademarks in non-infringing ways, that's still not free software.”

> “Canonical's IP policy continues to impose restrictions on all of these things, and therefore Ubuntu is not free software.”

Beastie Bits

Feedback/Questions

171: The APU - BSD Style!

JT Pennington — Wed, 07 Dec 2016 08:00:00 -0500

Today on the show, we’ve got a look at running OpenBSD on a APU, some BSD in your Android, managing your own FreeBSD cloud service with ansible and much more. Keep it turned on your place to B...SD!

This episode was brought to you by

Headlines

OpenBSD on PC Engines APU2

A detailed walkthrough of building an OpenBSD firewall on a PC Engines APU2
It starts with a breakdown of the parts that were purchases, totally around $200
Then the reader is walked through configuring the serial console, flashing the ROM, and updating the BIOS
The next step is actually creating a custom OpenBSD install image, and pre-configuring its serial console. Starting with OpenBSD 6.0, this step is done automatically by the installer
Installation:
- Power off the APU2
- Insert the bootable OpenBSD installer USB flash drive to one of the USB slots on the APU2
- Power on the APU2, press F10 to get to the boot menu, and choose to boot from USB (usually option number 1)
- At the boot> prompt, remember the serial console settings (see above)
- Also at the boot> prompt, press Enter to start the installer
- Follow the installation instructions

> The driver used for wireless networking is athn(4). It might not work properly out of the box. Once OpenBSD is installed, run fw_update with no arguments. It will figure out which firmware updates are required and will download and install them. When it finishes, reboot.

Where the rubber meets the road… (part one)

A user describes their adventures installing OpenBSD and Arch Linux on a new Lenovo X1 Carbon (4th gen, skylake)
They also detail why they moved away from their beloved Macbook, which while long, does describe a journey away from Apple that we’ve heard elsewhere.
The journey begins with getting a new Windows laptop, shrinking the partition and creating space for a triple-boot install, of Windows / Arch / OpenBSD
Brian then details how he setup the partitioning and performed the initial Arch installation, getting it tuned to his specifications.
Next up was OpenBSD though, and that went sideways initially due to a new NVMe drive that wasn’t fully supported (yet)
The article is split into two parts (we will bring you the next installment at a future date), but he leaves us with the plan of attack to build a custom OpenBSD kernel with corrected PCI device identifiers.
We wish Brian luck, and look forward to the “rest of the story” soon. ***

Howto setup a FreeBSD jail server using iocage and ansible.

Setting up a FreeBSD jail server can be a daunting task. However when a guide comes along which shows you how to do that, including not exposing a single (non-jailed) port to the outside world, you know we had a take a closer look.
This guide comes to us from GitHub, courtesy of Joerg Fielder.
The project goals seem notable:
Ansible playbook that creates a FreeBSD server which hosts multiple jails.
- Travis is used to run/test the playbook.
- No service on the host is exposed externally.
- All external connections terminate within a jail.
- Roles can be reused using Ansible Galaxy.
- Combine any of those roles to create FreeBSD server, which perfectly suits you.
To get started, you’ll need a machine with Ansible, Vagrant and VirtualBox, and your credentials to AWS if you want it to automatically create / destroy EC2 instances.
There’s already an impressive list of Anisible roles created for you to start with:
- freebsd-build-server - Creates a FreeBSD poudriere build server
- freebsd-jail-host - FreeBSD Jail host
- freebsd-jailed - Provides a jail
- freebsd-jailed-nginx - Provides a jailed nginx server
- freebsd-jailed-php-fpm - Creates a php-fpm pool and a ZFS dataset which is used as web root by php-fpm
- freebsd-jailed-sftp - Installs a SFTP server
- freebsd-jailed-sshd - Provides a jailed sshd server.
- freebsd-jailed-syslogd - Provides a jailed syslogd
- freebsd-jailed-btsync - Provides a jailed btsync instance server
- freebsd-jailed-joomla - Installs Joomla
- freebsd-jailed-mariadb - Provides a jailed MariaDB server
- freebsd-jailed-wordpress - Provides a jailed Wordpress server.
Since the machines have to be customized before starting, he mentions that cloud-init is used to do the following:
activate pf firewall
add a pass all keep state rule to pf to keep track of connection states, which in turn allows you to reload the pf service without losing the connection
install the following packages:
- sudo
- bash
- python27
allow passwordless sudo for user ec2-user
“
From there it is pretty straight-forward, just a couple commands to spin up the VM’s either locally on your VirtualBox host, or in the cloud with AWS. Internally the VM’s are auto-configured with iocage to create jails, where all your actual services run.
A neat project, check it out today if you want a shake-n-bake type cloud + jail solution.

Colin Percival's bsdiff helps reduce Android apk bandwidth usage by 6 petabytes per day

A post on the official Android-Developers blog, talks about how they used bsdiff (and bspatch) to reduce the size of Android application updates by 65%
bsdiff was developed by FreeBSD’s Colin Percival

> Earlier this year, we announced that we started using the bsdiff algorithm (by Colin Percival). Using bsdiff, we were able to reduce the size of app updates on average by 47% compared to the full APK size.

This post is actually about the second generation of the code.

> Today, we're excited to share a new approach that goes further — File-by-File patching. App Updates using File-by-File patching are, on average, 65% smaller than the full app, and in some cases more than 90% smaller.
> Android apps are packaged as APKs, which are ZIP files with special conventions. Most of the content within the ZIP files (and APKs) is compressed using a technology called Deflate. Deflate is really good at compressing data but it has a drawback: it makes identifying changes in the original (uncompressed) content really hard. Even a tiny change to the original content (like changing one word in a book) can make the compressed output of deflate look completely different. Describing the differences between the original content is easy, but describing the differences between the compressed content is so hard that it leads to inefficient patches.

So in the second generation of the code, they use bsdiff on each individual file, then package that, rather than diffing the original and new archives
bsdiff is used in a great many other places, including shrinking the updates for the Firefox and Chrome browsers
You can find out more about bsdiff here: http://www.daemonology.net/bsdiff/

> A far more sophisticated algorithm, which typically provides roughly 20% smaller patches, is described in my doctoral thesis.

Considering the gains, it is interesting that no one has implemented Colin’s more sophisticated algorithm
Colin had an interesting observation last night: “I just realized that bandwidth savings due to bsdiff are now roughly equal to what the total internet traffic was when I wrote it in 2003.” ***

News Roundup

Distrowatch does an in-depth review of NAS4Free

Jesse Smith over at DistroWatch has done a pretty in-depth review of Nas4Free.
The review starts with mentioning that NAS4Free works on 3 platforms, ARM/i386/AMD64 and for the purposes of this review he would be using AMD64 builds.
After going through the initial install (doing typical disk management operations, such as GPT/MBR, etc) he was ready to begin using the product.
One concern originally observed was that the initial boot seemed rather slow. Investigation revealed this was due to it loading the entire OS image into memory, and the first (long) disk read did take some time, but once loaded was super responsive.
The next steps involved doing the initial configuration, which meant creating a new ZFS storage pool. After this process was done, he did find one puzzling UI option called “VM” which indicated it can be linked to VirtualBox in some way, but the Docs didn’t reveal its secrets of usage.
Additionally covered were some of the various “Access” methods, including traditional UNIX permissions, AD and LDAP, and then various Sharing services which are typical to a NAS, Such as NFS / Samba and others.
One neat feature was the built-in file-browser via the web-interface, which allows you another method of getting at your data when sometimes NFS / Samba or WebDav aren’t enough.
Jesse gives us a nice round-up conclusion as well

> Most of the NAS operating systems I have used in the past were built around useful features. Some focused on making storage easy to set up and manage, others focused on services, such as making files available over multiple protocols or managing torrents. Some strive to be very easy to set up. NAS4Free does pretty well in each of the above categories. It may not be the easiest platform to set up, but it's probably a close second. It may not have the prettiest interface for managing settings, but it is quite easy to navigate. NAS4Free may not have the most add-on services and access protocols, but I suspect there are more than enough of both for most people.

> Where NAS4Free does better than most other solutions I have looked at is security. I don't think the project's website or documentation particularly focuses on security as a feature, but there are plenty of little security features that I liked. NAS4Free makes it very easy to lock the text console, which is good because we do not all keep our NAS boxes behind locked doors. The system is fairly easy to upgrade and appears to publish regular security updates in the form of new firmware. NAS4Free makes it fairly easy to set up user accounts, handle permissions and manage home directories. It's also pretty straight forward to switch from HTTP to HTTPS and to block people not on the local network from accessing the NAS's web interface.

> All in all, I like NAS4Free. It's a good, general purpose NAS operating system. While I did not feel the project did anything really amazing in any one category, nor did I run into any serious issues. The NAS ran as expected, was fairly straight forward to set up and easy to manage. This strikes me as an especially good platform for home or small business users who want an easy set up, some basic security and a solid collection of features.

Browsix: Unix in the browser tab

Browsix is a research project from the PLASMA lab at the University of Massachusetts, Amherst.
The goal: Run C, C++, Go and Node.js programs as processes in browsers, including LaTeX, GNU Make, Go HTTP servers, and POSIX shell scripts.
“Processes are built on top of Web Workers, letting applications run in parallel and spawn subprocesses. System calls include fork, spawn, exec, and wait.”

> Pipes are supported with pipe(2) enabling developers to compose processes into pipelines.

> Sockets include support for TCP socket servers and clients, making it possible to run applications like databases and HTTP servers together with their clients in the browser.

Browsix comprises two core parts:
- A kernel written in TypeScript that makes core Unix features (including pipes, concurrent processes, signals, sockets, and a shared file system) available to web applications.
- Extended JavaScript runtimes for C, C++, Go, and Node.js that support running programs written in these languages as processes in the browser.
This seems like an interesting project, although I am not sure how it would be used as more than a toy ***

Book Review: PAM Mastery

nixCraft does a book review of Michael W. Lucas’ “Pam Mastery”

> Linux, FreeBSD, and Unix-like systems are multi-user and need some way of authenticating individual users. Back in the old days, this was done in different ways. You need to change each Unix application to use different authentication scheme.

Before PAM, if you wanted to use an SQL database to authenticate users, you had to write specific support for that into each of your applications. Same for LDAP, etc.

> So Open Group lead to the development of PAM for the Unix-like system. Today Linux, FreeBSD, MacOS X and many other Unix-like systems are configured to use a centralized authentication mechanism called Pluggable Authentication Modules (PAM). The book “PAM Mastery” deals with the black magic of PAM.

Of course, each OS chose to implement PAM a little bit differently

> The book starts with the basic concepts about PAM and authentication. You learn about Multi-Factor Authentication and why use PAM instead of changing each program to authenticate the user. The author went into great details about why PAM is useful for developers and sysadmin for several reasons. The examples cover CentOS Linux (RHEL and clones), Debian Linux, and FreeBSD Unix system.

> I like the way the author described PAM Configuration Files and Common Modules that covers everyday scenarios for the sysadmin. PAM configuration file format and PAM Module Interfaces are discussed in easy to understand language. Control flags in PAM can be very confusing for new sysadmins. Modules can be stacked in a particular order, and the control flags determine how important the success or failure of a particular module.

> There is also a chapter about using one-time passwords (Google Authenticator) for your application.

> The final chapter is all about enforcing good password policies for users and apps using PAM.

> The sysadmin would find this book useful as it covers a common authentication scheme that can be used with a wide variety of applications on Unix. You will master PAM topics and take control over authentication for your organization IT infrastructure. If you are Linux or Unix sysadmin, I would highly recommend this book. Once again Michael W Lucas nailed it. The only book you may need for PAM deployment.

get “PAM Mastery” ***

Reflections on Trusting Trust - Ken Thompson, co-author of UNIX

> Ken Thompson's "cc hack" - Presented in the journal, Communication of the ACM, Vol. 27, No. 8, August 1984, in a paper entitled "Reflections on Trusting Trust", Ken Thompson, co-author of UNIX, recounted a story of how he created a version of the C compiler that, when presented with the source code for the "login" program, would automatically compile in a backdoor to allow him entry to the system. This is only half the story, though. In order to hide this trojan horse, Ken also added to this version of "cc" the ability to recognize if it was recompiling itself to make sure that the newly compiled C compiler contained both the "login" backdoor, and the code to insert both trojans into a newly compiled C compiler. In this way, the source code for the C compiler would never show that these trojans existed.

The article starts off by talking about a content to write a program that produces its own source code as output. Or rather, a C program, that writes a C program, that produces its own source code as output.

> The C compiler is written in C. What I am about to describe is one of many "chicken and egg" problems that arise when compilers are written in their own language. In this case, I will use a specific example from the C compiler.

> Suppose we wish to alter the C compiler to include the sequence "\v" to represent the vertical tab character. The extension to Figure 2 is obvious and is presented in Figure 3. We then recompile the C compiler, but we get a diagnostic. Obviously, since the binary version of the compiler does not know about "\v," the source is not legal C. We must "train" the compiler. After it "knows" what "\v" means, then our new change will become legal C. We look up on an ASCII chart that a vertical tab is decimal 11. We alter our source to look like Figure 4. Now the old compiler accepts the new source. We install the resulting binary as the new official C compiler and now we can write the portable version the way we had it in Figure 3.

> The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user. Such blatant code would not go undetected for long. Even the most casual perusal of the source of the C compiler would raise suspicions.

> Next “simply add a second Trojan horse to the one that already exists. The second pattern is aimed at the C compiler. The replacement code is a Stage I self-reproducing program that inserts both Trojan horses into the compiler. This requires a learning phase as in the Stage II example. First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere.

> So now there is a trojan’d version of cc. If you compile a clean version of cc, using the bad cc, you will get a bad cc. If you use the bad cc to compile the login program, it will have a backdoor. The source code for both backdoors no longer exists on the system. You can audit the source code of cc and login all you want, they are trustworthy.

> The compiler you use to compile your new compiler, is the untrustworthy bit, but you have no way to know it is untrustworthy, and no way to make a new compiler, without using the bad compiler.

> The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.

> Acknowledgment: I first read of the possibility of such a Trojan horse in an Air Force critique of the security of an early implementation of Multics. I can- not find a more specific reference to this document. I would appreciate it if anyone who can supply this reference would let me know.

Beastie Bits

Custom made Beastie Stockings
Migrating ZFS from mirrored pool to raidz1 pool
OpenBSD and you
Watson.org FreeBSD and Linux cross reference
OpenGrok
FreeBSD SA-16:37: libc -- A 26+ year old bug found in BSD’s libc, all BSDs likely affected -- A specially crafted argument can trigger a static buffer overflow in the library, with possibility to rewrite following static buffers that belong to other library functions.
HardenedBSD issues correction for libc patch -- original patch improperly calculates how many bytes are remaining in the buffer.

> From December the 27th until the 30th there the 33rd Chaos Communication Congress[0] is going to take place in Hamburg, Germany. Think of it as the yearly gathering of the european hackerscene and their overseas friends. I am one of the persons organizing the "BSD assembly" as a gathering place for BSD enthusiasts and waving the flag amidst the all the other projects / communities.

Feedback/Questions

170: Sandboxing Cohabitation

JT Pennington — Wed, 30 Nov 2016 08:00:00 -0500

This week on the show, we’ve got some new info on the talks from EuroBSDCon, a look at sharing a single ZFS pool between Linux and BSD, Sandboxing and much more! Stay tuned for your place to B...SD!

This episode was brought to you by

Headlines

EuroBSDcon 2016 Presentation Slides

Due to circumstances beyond the control of the organizers of EuroBSDCon, there were not recordings of the talks given at the event.
However, they have collected the slide decks from each of the speakers and assembled them on this page for you
Also, we have some stuff from MeetBSD already:
Youtube Playlist
Not all of the sessions are posted yet, but the rest should appear shortly
MeetBSD 2016 Trip Report: Domagoj Stolfa ***

Cohabiting FreeBSD and Gentoo Linux on a Common ZFS Volume

Eric McCorkle, who has contributed ZFS support to the FreeBSD EFI boot-loader code has posted an in-depth look at how he’s setup dual-boot with FreeBSD and Gentoo on the same ZFS volume.
He starts by giving us some background on how the layout is done. First up, GRUB is used as the boot-loader, allowing boot of both Linux and BSD
The next non-typical thing was using /etc/fstab to manage mount-points, instead of the typical ‘zfs mount’ usage, (apart from /home datasets)
data/home is mounted to /home, with all of its child datasets using the ZFS mountpoint system
data/freebsd and its child datasets house the FreeBSD system, and all have their mountpoints set to legacy
data/gentoo and its child datasets house the Gentoo system, and have their mountpoints set to legacy as well
So, how did he set this up? He helpfully provides an overview of the steps:
- Use the FreeBSD installer to create the GPT and ZFS pool
- Install and configure FreeBSD, with the native FreeBSD boot loader
- Boot into FreeBSD, create the Gentoo Linux datasets, install GRUB
- Boot into the Gentoo Linux installer, install Gentoo
- Boot into Gentoo, finish any configuration tasks
The rest of the article walks us through the individual commands that make up each of those steps, as well as how to craft a GRUB config file capable of booting both systems.
Personally, since we are using EFI, I would have installed rEFInd, and chain-loaded each systems EFI boot code from there, allowing the use of the BSD loader, but to each their own!

HardenedBSD introduces Safestack into base

HardenedBSD has integrated SafeStack into its base system and ports tree
SafeStack is part of the Code Pointer Integrity (CPI) project within clang.
“SafeStack is an instrumentation pass that protects programs against attacks based on stack buffer overflows, without introducing any measurable performance overhead. It works by separating the program stack into two distinct regions: the safe stack and the unsafe stack. The safe stack stores return addresses, register spills, and local variables that are always accessed in a safe way, while the unsafe stack stores everything else. This separation ensures that buffer overflows on the unsafe stack cannot be used to overwrite anything on the safe stack.”
“As of 28 November 2016, with clang 3.9.0, SafeStack only supports being applied to applications and not shared libraries. Multiple patches have been submitted to clang by third parties to add support for shared libraries.”
SafeStack is only enabled on AMD64 ***

pledge(2)… or, how I learned to love web application sandboxing

We’ve talked about OpenBSD’s sandboxing mechanism pledge() in the past, but today we have a great article by Kristaps Dzonsons, about how he grew to love it for Web Sandboxing. +First up, he gives us his opening argument that should make most of you sit up and listen:

> I use application-level sandboxing a lot because I make mistakes a lot; and when writing web applications, the price of making mistakes is very dear.

> In the early 2000s, that meant using systrace(4) on OpenBSD and NetBSD. Then it was seccomp(2) (followed by libseccomp(3)) on Linux. Then there was capsicum(4) on FreeBSD and sandbox_init(3) on Mac OS X.

> All of these systems are invoked differently; and for the most part, whenever it came time to interface with one of them, I longed for sweet release from the nightmare. Please, try reading seccomp(2). To the end. Aligning web application logic and security policy would require an arduous (and usually trial-and-error or worse, copy-and-paste) process. If there was any process at all — if the burden of writing a policy didn't cause me to abandon sandboxing at the start.

> And then there was pledge(2).

> This document is about pledge(2) and why you should use it and love it. “

+Not convinced yet? Maybe you should take his challenge:

> Let's play a drinking game. The challenge is to stay out of the hospital.

> 1.Navigate to seccomp(2).

> 2. Read it to the end.

> 3. Drink every time you don't understand.

> For capsicum(4), the challenge is no less difficult. To see these in action, navigate no further than OpenSSH, which interfaces with these sandboxes: sandbox-seccomp-filter.c or sandbox-capsicum.c. (For a history lesson, you can even see sandbox-systrace.c.) Keep in mind that these do little more than restrict resources to open descriptors and the usual necessities of memory, signals, timing, etc. Keep that in mind and be horrified. “

Now Kristaps has his theory on why these are so difficult (NS..), but perhaps there is a better way. He makes the case that pledge() sits right in that sweet-spot, being powerful enough to be useful, but easy enough to implement that developers might actually use it.
All in all, a nice read, check it out! Would love to hear other developer success stories using pledge() as well. ***

News Roundup

Unix history repository, now on GitHub

OS News has an interesting tidbit on their site today, about the entire commit history of Unix now being available online, starting all the way back in 1970 and bringing us forward to today.
From the README

> The history and evolution of the Unix operating system is made available as a revision management repository, covering the period from its inception in 1970 as a 2.5 thousand line kernel and 26 commands, to 2016 as a widely-used 27 million line system. The 1.1GB repository contains about half a million commits and more than two thousand merges. The repository employs Git system for its storage and is hosted on GitHub. It has been created by synthesizing with custom software 24 snapshots of systems developed at Bell Labs, the University of California at Berkeley, and the 386BSD team, two legacy repositories, and the modern repository of the open source FreeBSD system. In total, about one thousand individual contributors are identified, the early ones through primary research. The data set can be used for empirical research in software engineering, information systems, and software archaeology.

This is a fascinating find, especially will be of value to students and historians who wish to look back in time to see how UNIX evolved, and in this repo ultimately turned into modern FreeBSD. ***

Yandex commits improvements to FreeBSD network stack

“Rework ip_tryforward() to use FIB4 KPI.”
This commit brings some code from the experimental routing branch into head
As you can see from the graphs, it offers some sizable improvements in forwarding and firewalled packets per second
commit ***

The brief history of Unix socket multiplexing – select(2) system call

Ever wondered about the details of socket multiplexing, aka the history of select(2)?
Well Marek today gives a treat, with a quick look back at the history that made today’s modern multiplexing possible.
First, his article starts the way all good ones do, presenting the problem in silent-movie form:

> In mid-1960's time sharing was still a recent invention. Compared to a previous paradigm - batch-processing - time sharing was truly revolutionary. It greatly reduced the time wasted between writing a program and getting its result. Batch-processing meant hours and hours of waiting often to only see a program error. See this film to better understand the problems of 1960's programmers: "The trials and tribulations of batch processing".

Enter the wild world of the 1970’s, and we’ve now reached the birth of UNIX which tried to solve the batch processing problem with time-sharing.

> These days when a program was executed, it could "stall" (block) only on a couple of things1:

wait for CPU
wait for disk I/O
wait for user input (waiting for a shell command) or console (printing data too fast)“
- Jump forward another dozen years or so, and the world changes yet again:

> This all changed in 1983 with the release of 4.2BSD. This revision introduced an early implementation of a TCP/IP stack and most importantly - the BSD Sockets API.Although today we take the BSD sockets API for granted, it wasn't obvious it was the right API. STREAMS were a competing API design on System V Revision 3.

Coming in along with the sockets API was the select(2) call, which our very own Kirk McKusick gives us some background on:

> Select was introduced to allow applications to multiplex their I/O.

> Consider a simple application like a remote login. It has descriptors for reading from and writing to the terminal and a descriptor for the (bidirectional) socket. It needs to read from the terminal keyboard and write those characters to the socket. It also needs to read from the socket and write to the terminal. Reading from a descriptor that has nothing queued causes the application to block until data arrives. The application does not know whether to read from the terminal or the socket and if it guesses wrong will incorrectly block. So select was added to let it find out which descriptor had data ready to read. If neither, select blocks until data arrives on one descriptor and then awakens telling which descriptor has data to read.

> [...] Non-blocking was added at the same time as select. But using non-blocking when reading descriptors does not work well. Do you go into an infinite loop trying to read each of your input descriptors? If not, do you pause after each pass and if so for how long to remain responsive to input? Select is just far more efficient.

Select also lets you create a single inetd daemon rather than having to have a separate daemon for every service.

The article then wraps up with an interesting conclusion: > CSP = Communicating sequential processes

> In this discussion I was afraid to phrase the core question. Were Unix processes intended to be CSP-style processes? Are file descriptors a CSP-derived "channels"? Is select equivalent to ALT statement?

> I think: no. Even if there are design similarities, they are accidental. The file-descriptor abstractions were developed well before the original CSP paper.

> It seems that an operating socket API's evolved totally disconnected from the userspace CSP-alike programming paradigms. It's a pity though. It would be interesting to see an operating system coherent with the programming paradigms of the user land programs.

A long (but good) read, and worth your time if you are interested in the history how modern multiplexing came to be. ***

How to start CLion on FreeBSD?

CLion (pronounced "sea lion") is a cross-platform C and C++ IDE
By default, the Linux version comes bundled with some binaries, which obviously won’t work with the native FreeBSD build
Rather than using Linux emulation, you can replace these components with native versions
- pkg install openjdk8 cmake gdb
- Edit clion-2016.3/bin/idea.properties and change run.processes.with.pty=false
- Start CLion and open Settings | Build, Execution, Deployment | Toolchains
- Specify CMake path: /usr/local/bin/cmake and GDB path: /usr/local/bin/gdb
Without a replacement for fsnotifier, you will get a warning that the IDE may be slow to detect changes to files on disk
But, someone has already written a version of fsnotifier that works on FreeBSD and OpenBSD
fsnotifier for OpenBSD and FreeBSD -- The fsnotifier is used by IntelliJ for detecting file changes. This version supports FreeBSD and OpenBSD via libinotify and is a replacement for the bundled Linux-only version coming with the IntelliJ IDEA Community Edition. ***

Beastie Bits

Feedback/Questions

169: Scheduling your NetBSD

JT Pennington — Wed, 23 Nov 2016 08:00:00 -0500

On today’s episode, we are loaded and ready to go. Lots of OpenBSD news, a look at LetsEncrypt usage, the NetBSD scheduler (oh my) and much more. Keep it tuned to your place to B...SD!

This episode was brought to you by

Headlines

Production ready

Ted Unangst brings us a piece on what it means to be Production Ready
He tells the story of a project he worked on that picked a framework that was “production ready”
They tested time zones, and it all seemed to work
They tested the unicode support in english and various european languages, and it was all good
They sent some emails with it, and it just worked
The framework said “Production Ready” on the tin, and it passed all the tests. What is the worst that could happen?

> Now, we built our product on top of this. Some of the bugs were caught internally. Others were discovered by customers, who were of course a little dismayed. Like, how could you possibly ship this? Indeed. We were doing testing, quite a bit really, but when every possible edge case has a bug, it’s hard to find them all.

A customer from Arizona, which does not observe Daylight Saving Time, crashed the app
Some less common unicode characters caused a buffer overflow
The email system did not properly escape a period on its own line, truncating the email
“Egregious performance because of a naive N² algorithm for growing a buffer.”
“Egregious performance on some platforms due to using the wrong threading primitives.”
“Bizarre database connection bugs for some queries that I can’t at all explain.”
“In short, everything was “works for me” quality. But is that really production quality?”
“There are some obvious contenders for the title of today’s most “production ready” software, but it’s a more general phenomenon. People who have success don’t know what they don’t know, what they didn’t test, what unused features will crash and burn.”

Using Let's Encrypt within FreeBSD.org

> I decided to give Let's Encrypt certificates a shot on my personal web servers earlier this year after a disaster with StartSSL. I'd like to share what I've learned.

> The biggest gotcha is that people tend to develop bad habits when they only have to deal with certificates once a year or so. The beginning part of the process is manual and the deployment of certificates somehow never quite gets automated, or things get left out.

> That all changes with Let's Encrypt certificates. Instead of 1-5 year lifetime certificates the Let's Encrypt certificates are only valid for 90 days. Most people will be wanting to renew every 60-80 days. This forces the issue - you really need to automate and make it robust.

> The Let's Encrypt folks provide tools to do this for you for the common cases. You run it on the actual machine, it manages the certificates and adjusts the server configuration files for you. Their goal is to provide a baseline shake-n-bake solution. I was not willing to give that level of control to a third party tool for my own servers - and it was absolutely out of the question for for the FreeBSD.org cluster.

> I should probably mention that we do things on the FreeBSD.org cluster that many people would find a bit strange. The biggest problem that we have to deal with is that the traditional model of a firewall/bastion between "us" and "them" does not apply. We design for the assumption that hostile users are already on the "inside" of the network. The cluster is spread over 8 distinct sites with naked internet and no vpn between them. There is actually very little trust between the systems in this network - eg: ssh is for people only - no headless users can ssh. There are no passwords. Sudo can't be used. The command and control systems use signing. We don't trust anything by IPv4/IPv6 address because we have to assume MITM is a thing. And so on. In general, things are constructed to be trigger / polling / pull based.

> The downside is that this makes automation and integration of Let's Encrypt clients interesting. If server configuration files can't be modified; and replicated web infrastructure is literally read-only (via jails/nullfs); and DNS zone files are static; and headless users can't ssh and therefore cannot do commits, how do you do the verification tokens in an automated fashion? Interesting, indeed.

> We wanted to be able to use certificates on things like ldap and smtp servers. You can't do http file verification on those so we had to use dns validation of domains.

First, a signing request is generated, and the acme-challenge is returned
Peter’s post then walks through how the script adds the required TXT record to prove control of the domain, regenerates the zone file, DNSSEC signs it, and waits for it to be published, then continues the letsencrypt process.
Letsencrypt then issues the actual certificate

> We export the fullchain files into a publication location. There is another jail that can read the fullchain certificates via nullfs and they are published with our non-secrets update mechanism

> Since we are using DNSSEC, here is a good opportunity to maintain signed TLSA fingerprints. The catch with TLSA record updates is managing the update event horizon. You are supposed to have both fingerprints listed across the update cycle. We use 'TLSA 3 1 1' records to avoid issues with propagation delays for now. TLSA 3 0 1 changes with every renewal, while 3 1 1 only changes when you generate a new private key.

> The majority of TLS/SSL servers require a full restart to re-load the certificates if the filename is unchanged. I found out the hard way.

There is a great deal more detail in the blog post, I recommend you check it out

Learning more about the NetBSD scheduler (... than I wanted to know)

> Today I had a need to do some number crunching using a home-brewn C program. In order to do some manual load balancing, I was firing up some Amazon AWS instances (which is Xen) with NetBSD 7.0. In this case, the system was assigned two CPUs I started two instances of my program, with the intent to have each one use one CPU. Which is not what happened! Here is what I observed, and how I fixed things for now.

~~
load averages: 2.14, 2.08, 1.83; up 0+00:45:56 18:01:32
27 processes: 4 runnable, 21 sleeping, 2 on CPU
CPU0 states: 100% user, 0.0% nice, 0.0% system, 0.0% interrupt, 0.0% idle
CPU1 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
Memory: 119M Act, 7940K Exec, 101M File, 3546M Free
~~

~~
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
2791 root 25 0 8816K 964K RUN/0 16:10 54.20% 54.20% myprog
2845 root 26 0 8816K 964K RUN/0 17:10 47.90% 47.90% myprog
~~

> I expected something like WCPU and CPU being around 100%, assuming that each process was bound to its own CPU. The values I actually saw (and listed above) suggested that both programs were fighting for the same CPU. Huh?! NetBSD allows to create "processor sets", assign CPU(s) to them and then assign processes to the processor sets. Let's have a look!

~~
# psrset -c
1
# psrset -b 0 2791
# psrset -b 1 2845
load averages: 2.02, 2.05, 1.94; up 0+00:59:32 18:15:08
27 processes: 1 runnable, 24 sleeping, 2 on CPU
CPU0 states: 100% user, 0.0% nice, 0.0% system, 0.0% interrupt, 0.0% idle
CPU1 states: 100% user, 0.0% nice, 0.0% system, 0.0% interrupt, 0.0% idle
Memory: 119M Act, 7940K Exec, 101M File, 3546M Free

  PID USERNAME PRI NICE   SIZE   RES STATE      TIME   WCPU    CPU COMMAND
 2845 root      25    0  8816K  964K CPU/1     26:14   100%   100% myprog
 2791 root      25    0  8816K  964K RUN/0     25:40   100%   100% myprog

> Things are as expected now, with each program being bound to its own CPU. Now why this didn't happen by default is left as an exercise to the reader.

> I had another look at this today, and was able to reproduce the behaviour using VMWare Fusion with two CPU cores on both NetBSD 7.0_STABLE as well as -current

> The one hint that I got so far was from Michael van Elst that there may be a rouding error in sched_balance(). Looking at the code, there is not much room for a rounding error. But I am not familiar enough (at all) with the code, so I cannot judge if crucial bits are dropped here, or how that function fits in the whole puzzle.

> Pondering on the "rounding error", I've setup both VMs with 4 CPUs, and the behaviour shown there is that load is distributed to about 3 and a half CPU - three CPUs under full load, and one not reaching 100%. There's definitely something fishy in there.

> With multiple CPUs, each CPU has a queue of processes that are either "on the CPU" (running) or waiting to be serviced (run) on that CPU. Those processes count as "migratable" in runqueue_t. Every now and then, the system checks all its run queues to see if a CPU is idle, and can thus "steal" (migrate) processes from a busy CPU. This is done in sched_balance().

> Such "stealing" (migration) has the positive effect that the process doesn't have to wait for getting serviced on the CPU it's currently waiting on. On the other side, migrating the process has effects on CPU's data and instruction caches, so switching CPUs shouldn't be taken too easy.

> All in all, I'd say the patch is a good step forward from the current situation, which does not properly distribute pure CPU hogs, at all.

Building Cost-Effective 100-Gbps Firewalls for HPC with FreeBSD

> The continuous growth of the NASA Center for Climate Simulation (NCCS) requires providing high-performance security tools and enhancing the network capacity. In order to support the requirements of emerging services, including the Advanced Data Analytics Platform (ADAPT) private cloud, the NCCS security team has proposed an architecture to provide extremely cost-effective 100-gigabit-per-second (Gbps) firewalls.

> The aim of this project is to create a commodity-based platform that can process enough packets per second (pps) to sustain a 100-Gbps workload within the NCCS computational environment. The test domain consists of several existing systems within the NCCS, including switches (Dell S4084), routers (Dell R530s), servers (Dell R420s, and C6100s), and host card adapters (10-Gbps Mellanox ConnectX2 and Intel 8259 x Ethernet cards).

> Previous NCCS work testing the FreeBSD operating system for high-performance routing reached a maximum of 4 million pps. Building on this work, we are comparing FreeBSD-11.0 and FreeBSD-Current along with implementing the netmap-fwd Application Programming Interface (API) and tuning the 10-gigabit Ethernet cards. We used the tools iperf3, nuttcp, and netperf to monitor the performance of the maximum bandwidth through the cards. Additional testing has involved enabling the Common Address Redundancy Protocol (CARP) to achieve an active/active architecture.

> The tests have shown that at the optimally tuned and configured FreeBSD system, it is possible to create a system that can manage the huge amounts of pps needed to create a 100-Gbps firewall with commodity components.

Some interesting findings:
- FreeBSD was able to send more pps as a client than Centos 6.
- Netmap-fwd increased the pps rate significantly.
- The choice of network card can have a significant impact on pps, tuning, and netmap support.

> Further tests will continue verifying the above results with even more capable systems-such as 40-gigabit and 100-gigabit Ethernet cards-to achieve even higher performance. In addition to hardware improvements, updates to the network capabilities in the FreeBSD-Current version will be closely monitored and applied as appropriate. The final result will be a reference architecture with representative hardware and software that will enable the NCCS to build, deploy, and efficiently maintain extremely cost-effective 100-Gbps firewalls.

> Netflix has already managed to saturate a 100 Gbps interface using only a single CPU Socket (rather than a dual socket server). Forwarding/routing is a bit different, but it is definitely on track to get there. Using a small number of commodity servers to firewall 100 Gbps of traffic just takes some careful planning and load balancing. Soon it will be possible using a single host.

News Roundup

iocell - A FreeBSD jail manager.

Another jail manager has arrived on the scene, iocell, which begins life as a fork of the “classic” iocage.
Due to its shared heritage, it offers much of the same functionality and flags as iocage users will be familiar with.
For those who aren’t up to speed with either products, some of those features include:
- Templates, clones, basejails, fully independent jails
- Ease of use
- Zero configuration files
- Rapid thin provisioning within seconds
- Automatic package installation
- Virtual networking stacks (vnet)
- Shared IP based jails (non vnet)
- Resource limits (CPU, MEMORY, DISK I/O, etc.)
- Filesystem quotas and reservations
- Dedicated ZFS datasets inside jails
- Transparent ZFS snapshot management
- Binary updates
- Differential jail packaging
- Export and import
- And many more!
The program makes extensive use of ZFS for performing jail operations, so a zpool will be required (But doesn’t have to be your boot-pool)
It still looks “very” fresh, even using original iocage filenames in the repo, so a safe guess is that you’ll be able to switch between iocage and iocell with relative ease.

Fail2ban on OpenBSD 6.0

We’ve used Fail2Ban in PC-BSD before, due to it’s ability to detect and block brute force attempts against a variety of services, including SSH, mail, and others. It even can work to detect jail brute force attempts, blocking IPs on the hosts firewall.
However what about OpenBSD users? Well, Gordon Turner comes to the rescue today with a great writeup on deploying Fail2Ban specifically for that platform.
Now, Fail2Ban is a python program, so you’ll need to pkg install Python first, then he provides instructions on how to manually grab the F2B sources and install on OpenBSD.
Helpfully Gordon gives us some handy links to scripts and modifications to get F2B running via RC as well, which is a bit different since F2B has both a server and client that must run together.
With the installation bits out of the way, we get to next hit the “fun” stuff, which comes in the way of SSH brute force detection.
Naturally we will be configuring F2B to use “pf” to do our actual blocking, but the examples shown give us full control over the knobs used to detect, and then ultimately call ‘pfctl’ to do our heavy lifting.
The last bits of the article give us a runthrough on how to “prime” pf with the correct block tables and performing basic administrative tasks to control F2B in production.
A great article, and if you run an OpenBSD box exposed to the internet, you may want to bookmark this one.

openbsd changes of note

Continuing with our OpenBSD news for the week, we have a new blog post by TedU, which gives us a bunch of notes on the things which have changed over there as of late:
Some of the notables include:
- mcl2k2 pools and the em conversion. The details are in the commits, but the short story is that due to hardware limitations, a number of tradeoffs need to be made between performance and memory usage. The em chip can (mostly) only be programmed to write to 2k buffers. However, ethernet payloads are not nicely aligned. They’re two bytes off. Leading to a costly choice. Provide a 2k buffer, and then copy all the data after the fact, which is slow. Or allocate a larger than 2k buffer, and provide em with a pointer that’s 2 bytes offset. Previously, the next size up from 2k was 4k, which is quite wasteful. The new 2k2 buffer size still wastes a bit of memory, but much less.
- FreeType 2.7 is prettier than ever.
- vmm for i386. Improve security. vmm is still running with a phenomenal set of privileges, but perhaps some cross-VM attacks may be limited. On the other side of the world, hyperv support is getting better.
- Remove setlocale. setlocale was sprinkled all throughout the code base many years ago, even though it did nothing, in anticipation of a day when it would do something. We’ve since decided that day will never come, and so many setlocale calls can go.
- syspatch is coming. Lots of commits actually. Despite the name, it’s more like a system update, since it replaces entire binaries. Then again, replacing a few binaries in a system is like patching small parts of the whole. A syspatch update will be smaller than an entire release.
- There’s a new build system. It kind of works like before, but a lot of the details have changed to support less root. Actually, it’d be accurate to say the whole build privilege system has been flipped. Start as root, which drops down to the build user to do the heavy lifting, instead of starting as a user that can elevate to root at any time. This no longer requires the build user to be pseudo-root; in fact, the goal is that the build user can’t elevate.
There’s several other items on this list, take a look for more details, and he also helpfully provides commit-links if you want to see more about any of these topics.

It came from Bell Labs

A little late for a halloween episode, we have “It came from Bell Labs”, a fascinating article talking about the successor to UNIX, Plan9

> There was once an operating system that was intended to be the successor to Unix. Plan 9 From Bell Labs was its name, and playing with it for five minutes is like visiting an alternate dimension where computers are done differently. It was so ahead of its time that it would be considered cutting edge, even today. Find out the weird and woolly history to Plan Nine’s inception and eventual consignment as a footnote of operating systems today.

So, if you’ve never heard of Plan 9, how did it exactly differ from the UNIX we know and love today?

> Here’s just a few of the key features under Plan 9’s hood + 9P – The distributed file system protocol. Everything runs through this, there is no escaping it. Since everything runs on top of 9P, that makes everything running on a Plan 9 box distributed as well. This means, for example, you can import /dev/audio from another machine on the network to use its sound card when your own machine doesn’t have one. + ndb – The namespace server. In conjunction with 9P, it bosses all the programs around and forces them to comply to the Plan 9 way. + Instead of Unix sockets, all the networking just runs through 9P. Thus, everything from ethernet packets to network cards are all just one more kind of file. + While Unicode is implemented ad-hoc in other systems, it’s baked into Plan 9 from the first int main(). In fact, even users who don’t like Plan 9 have to admit that the character encoding support, together with the beautiful built-in rio font, makes every other operating system look primitive. + The system’s own internal programs are built to be a rounded set of user tools from the ground up. So, for instance, it comes with its own editor, acme, built to be its own weird morphing thing that plays nice with the 9P protocol.

Sounds neat, but how did it work in the real world?

> The result was a mixture of both breathtaking efficiency and alienating other-worldliness. Trying out the system is like a visit to an alternate reality where time-traveling gremlins changed how computers are made and used. You can execute anycommand anywhere just by typing its name and middle-clicking on it, even in the middle of reading a file. You can type out your blog post in the middle of a man page and save it right there. Screenshots are made by pointing /dev/screen to a file. When you execute a program in a terminal, the terminal morphs into the program you launched instead of running in the background. The window manager, rio, can be invoked within rio to create an instance of itself running inside itself. You can just keep going like that, until, like Inception, you get lost in which layer you’re in. Get used to running Plan 9 long enough, and you will find yourself horribly ill-adapted for dealing with the normal world.

> While system administrators can’t stop praising it, the average home user won’t see much benefit unless they happen to run about eight desktop machines scattered all over. But to quote legendary hacker tribal bard Eric S. Raymond: “…Plan 9 failed simply because it fell short of being a compelling enough improvement on Unix to displace its ancestor.”

A fascinating article, worth your time to read it through, even though we’ve pulled some of the best bits here. Nice look at the alternative dimension that could have been.

Beastie Bits

Feedback/Questions

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

168: The Post Show Show

JT Pennington — Wed, 16 Nov 2016 08:00:00 -0500

This week on BSDNow. Allan and I are back from MeetBSD! A good time was had by all, lots to discuss, so let’s jump right into it on your place to B...SD!

This episode was brought to you by

Headlines

Build a FreeBSD 11.0-release Openstack Image with bsd-cloudinit

> We are going to prepare a FreeBSD image for Openstack deployment. We do this by creating a FreeBSD 11.0-RELEASE instance, installing it and converting it using bsd-cloudinit. We'll use the CloudVPS public Openstack cloud for this. Create an account there and install the Openstack command line tools, like nova, cinder and glance.

> A FreeBSD image with Cloud Init will automatically resize the disk to the size of the flavor and it will add your SSH key right at boot. You can use Cloud Config to execute a script at first boot, for example, to bootstrap your system into Puppet or Ansible. If you use Ansible to manage OpenStack instances you can integrate it without manually logging in or doing anything manually.

> Since FreeBSD 10.2-RELEASE there is an rc script which, when the file /firstboot exists, expands the root filesystem to the full disk. While bsd-cloudinit does this as well, if you don't need the whole cloudinit stack, (when you use a static ssh key for example), you can touch that file to make sure the disk is expanded at the first boot

A detailed tutorial that shows how to create customized cloud images using the FreeBSD install media
There is also the option of using the FreeBSD release tools to build custom cloud images in a more headless fashion
Someone should make a tutorial out of that ***

iXsystems Announces TrueOS Launch

As loyal listeners to this show, you’ve no doubt heard by now that we are in the middle of undergoing a shift in moving PC-BSD -> TrueOS.
Last week during MeetBSD this was made “official” with iX issuing our press release and I was able to give a talk detailing many of the reasons and things going on with this change.
The talk should be available online here soon(ish), but for a quick recap:
TrueOS is moving to a rolling-release model based on FreeBSD -CURRENT
Lumina has become the default desktop for TrueOS
LibreSSL is enabled top to bottom
We are in the middle of working on conversion to OpenRC for run-control replacement
The TrueOS pico was announced, which is our “Thin-Client” solution, right now allowing you to use a TrueOS server pared with a RPI2 device. ***

Running FreeBSD 11 on Raspberry Pi

This article covers some of the changes you will notice if you upgrade your RPI to FreeBSD 11.0
It covers some of the changes to WiFi in 11.0
Pro Tip: you can get a list of WiFi devices by doing: sysctl net.wlan.devices
There are official binary packages for ARM with 11.0, so you can just ‘pkg install’ your favourite apps
Many of the LEDs are exposed via the /dev/led/ interface, which you can just echo 0 or 1 to, or use morse(6) to send a message
gpioctl can be used to control the various GPIO pins
The post also covers how to setup the real-time clock on the Raspberry Pi
There is also limited support for adjusting the CPU frequency of the Pi
There are also tips on configuring a one-wire temperature sensor ***

void-zones-tools for FreeBSD

Adblock has been in the news a bit recently, with some of the more popular browser plugins now accepting brib^{...contributions} to permit specific ads through.
Well today the ad-blockers strike back. We have a great tutorial up on GitHub which demonstrates one of the useful features of using Unbound in FreeBSD to do your own ad-blocking with void-zones.
Specifically, void-zones are a way to return NXDOMAIN when DNS requests are made to known malicious or spam sites.
Using void-zones-tools software will make managing this easy, by being able to pull in known lists of sites to block from several 3rd party curators.
When coupled with our past tutorials on setting up your own FreeBSD router, this may become very useful for a lot of folks who want to do ad-blocking ad at a lower level, allowing it to filter smart-phones or any other devices on a network. ***

News Roundup

BSD Socket API Revamp

Martin Sustrik has started a draft RFC to revamp the BSD Sockets API:

> The progress in the area of network protocols is distinctively lagging behind. While every hobbyist new to the art of programming writes and publishes their small JavaScript libraries, there's no such thing going on with network protocols. Indeed, it looks like the field of network protocols is dominated by big companies and academia, just like programming as a whole used to be before the advent of personal computers.

> the API proposed in this document doesn't try to virtualize all possible aspects of all possible protocols and provide a single set of functions to deal with all of them. Instead, it acknowledges how varied the protocol landscape is and how much the requirements for individual protocols differ. Therefore, it lets each protocol define its own API and asks only for bare minimum of standardised behaviour needed to implement protocol composability.

> As a consequence, the new API is much more lightweight and flexible than BSD socket API and allows to decompose today's monolithic protocol monsters into small single-purpose microprotocols that can be easily combined together to achieve desired functionality.

The idea behind the new design is to allow the software author to define their own protocols via a generic interface, and easily stack them on top of the existing network protocols, be they the basic protocols like TCP/IP, or a layer 7 protocol like HTTP
Example of creating a stack of four protocols: ~~ int s1 = tcp_connect("192.168.0.111:5555"); int s2 = foo_start(s1, arg1, arg2, arg3); int s3 = bar_start(s2); int s4 = baz_start(s3, arg4, arg5); ~~
It also allows applying generic transformations to the protocols: ~~ int tcps = tcp_connect("192.168.0.111:80"); /* Websockets is a connected protocol. / int ws = websock_connect(tcps); uint16_t compression_algoritm; mrecv(ws, &compression_algorithm, 2, -1); / Compression socket is unconnected. / int cs = compress_start(ws, compression_algorithm); ~~ **

Updated version of re(4) for DragonflyBSD

Sephe over at the Dragonfly project has issued a CFT for a newer version of the “re” driver
For those who don’t know, that is for Realtek nics, specifically his updates add features:

> I have made an updated version of re(4), which leverages Realtek driver's chip/PHY reset/initialization code. I hope it can resolve all kinds of weirdness we encountered on this chip so far.

Testers, you know what to do! Give this a whirl and let him know if you run into any new issues, or better yet, give feedback if it fixes some long-standing problems you’ve run into in the past. ***

Hackathon reports from OpenBSD’s B2K16

b2k16 hackathon report: Jeremy Evans on ports cleaning, progress on postgres, nginx, ruby and more
b2k16 hackathon report: Landry Breuil on various ports progress
b2k16 hackathon report: Antoine Jacoutot on GNOME's path forward, various ports progress
We have a trio of hackathon reports from OpenBSD’s B2K16 (Recently held in Budapest)
First up - Jeremy Evans give us his rundown which starts with sweeping some of the cruft out of the barn:

> I started off b2k16 by channeling tedu@, and removing a lot of ports, including lang/ruby/2.0, lang/io, convertors/ruby-json, databases/dbic++, databases/ruby-swift, databases/ruby-jdbc-*, x11/ruby-profiligacy, and mail/ruby-mailfactory.

After that, he talks about improvements made to postgres, nginx and ruby ports, fixing things such as pg_upgrade support, breaking nginx down into sub-packages and a major ruby update to about 50% of the packages.
Next up - Landry Breuil tells us about his trip, which also started with some major ports pruning, including some stale XFCE bits and drupal6.
One of the things he mentions is the Tor browser:

> Found finally some time again to review properly the pending port for Tor Browser, even if i don't like the way it is developed (600+ patches against upstream firefox-esr !? even if relationship is improving..) nor will endorse its use, i feel that the time that was spent on porting it and updating it and maintaining it shouldn't be lost, and it should get commited - there are only some portswise minor tweaks to fix. Had a bit of discussions about that with other porters...

Lastly, Antoine Jacoutot gives us a smaller update on his work:

> First task of this hackathon was for Jasper and I to upgrade to GNOME 3.22.1 (version 3.22.2 hit the ports tree since). As usual I already updated the core libraries a few days before so that we could start with a nice set of fully updated packages. It ended up being the fastest GNOME update ever, it all went very smoothly. We're still debating the future of GNOME on OpenBSD though. More and more features require systemd interfaces and without a replacement it may not make sense to keep it around. Implementing these interfaces requires time which Jasper and I don't really have these days... Anyway, we'll see.

All-n-all, a good trip it sounds like with some much needed hacking taking place. Good to see the cruft getting cleaned up, along with some new exciting ports landing. ***

July to September 2016 Status Report

The latest FreeBSD quarterly status report is out
It includes the induction of the new Core team, and reports from all of the other teams, including Release Engineering, Port Manager, and the FreeBSD Foundation
Some other highlights:
Capsicum Update
- The Graphics Stack on FreeBSD
- Using lld, the LLVM Linker, to Link FreeBSD
- VirtualBox Shared Folders Filesystem
evdev support (better mouse, keyboard, and multi-touch support)
- ZFS Code Sync with Latest OpenZFS/Illumos
  - The ARC now mostly stores compressed data, the same as is stored on disk, decompressing them on demand.
  - The L2ARC now stores the same (compressed) data as the ARC without recompression, and its RAM usage was further reduced.
  - The largest size of indirect block possible has been increased from 16KB to 128KB, and speculative prefetching of indirect blocks is now performed.
Improved ordering of space allocation.
The SHA-512t256 and Skein hashing algorithms are now supported. ***

Beastie Bits

Feedback/Questions

William - Show Music
Ray - Mounting a Cell Phone
Ron - TrueOS + Radeon (Follow-up - He used nvidia card)
Kurt - ZFS Migration
Matt Dillon (Yes that Matt Dillon) - vkernels ***

167: Playing the Long Game

JT Pennington — Wed, 09 Nov 2016 08:00:00 -0500

This week on BSDNow, Allan & Kris are out at MeetBSD, but we never forget our loyal listeners. We have a great interview Allan did with Scott Long of Netflix & FreeBSD fame, as well as your questions on the place to B...SD!

This episode was brought to you by

Interview - Scott Long - scottl@freebsd.org

FreeBSD & Netflix ***

Feedback/Questions

166: Pass that UNIX Pipe

JT Pennington — Wed, 02 Nov 2016 08:00:00 -0400

This week on the show, we’re loaded up with great stories ranging from System call fuzzing, a history of UNIX Pipes, speeding up MySQL imports and more. Stay tuned, BSDNow is coming your way right now.

This episode was brought to you by

Headlines

System call fuzzing of OpenBSD amd64 using TriforceAFL (i.e. AFL and QEMU)

The NCCGroup did a series of fuzz testing against the OpenBSD syscall interface, during which they found a number of vulnerabilities, we covered this back in the early summer
What we didn’t notice, is that they also made the tools they used available.
A combination of AFL (American Fuzzy Lop), QEMU, OpenBSD’s FlashRD image generation tool, and the “Triforce” driver
The other requirement is “a Linux box as host to run the fuzzer (other fuzzer hosts may work as well, we've only run TriforceAFL from a Linux host, specifically Debian/Ubuntu”
It would be interesting to see if someone could get this to run from a BSD host
It would also be interesting to run the same tests against the other BSDs ***

On the Early History and Impact of Unix: the Introduction of Pipes

Pipes are something we just take for granted today, but there was a time before pipes (How did anything get done?)
Ronda Hauben writes up a great look back at the beginning of UNIX, and specifically at how pipes were born:

> One of the important developments in Unix was the introduction of pipes. Pipes had been suggested by McIlroy during the early days of creating Unix. Ritchie explains how "the idea, explained one afternoon on a blackboard, intrigued us but failed to ignite any immediate action. There were several objections to the idea as put....What a failure of imagination," he admits.(35) McIlroy concurs, describing how the initial effort to add pipes to Unix occurred about the same time in 1969 that Ritchie, Thompson and Canaday were outlining ideas for a file system. "That was when," he writes, "the simple pipeline as a way to combine programs, with data notationally propagating along a chain of (not necessarily concurrent) filters was articulated."(36) However, pipes weren't implemented in Unix until 1972.

We also have a great quote from McIlroy on the day pipes were first introduced:

> Open Systems! Our Systems! How well those who were there remember the pipe-festooned garret where Unix took form. The excitement of creation drew people to work there amidst the whine of the computer's cool- ing fans, even though almost the same computer ac- cess, could be had from one's office or from home. Those raw quarters saw a procession of memorable events. The advent of software pipes precipitated a day-long orgy of one-liners....As people reveled in the power of functional composition in the large, which is even today unavailable to users of other systems.

The paper goes on to talk about the invention of other important tools, such as “grep”, “diff” and more. Well worth your time if you want a glimpse into the history of UNIX ***

Speeding up MySQL Import on FreeBSD

Mark Felder writes a blog post explaining how to speed up MySQL bulk data imports
“I was recently tasked with rebuilding a readonly slave database server which only slaves a couple of the available databases. The backup/dump is straightforward and fast, but the restore was being excruciatingly slow. I didn't want to wait a week for this thing to finish, so I had to compile a list of optimizations that would speed up the process. This is the best way to do it on FreeBSD, assuming you're working with InnoDB. Additional optimizations may be required if you're using a different database engine.”
“Please note this is assuming no other databases are running on this MySQL instance. Some of these are rather dangerous and you wouldn't want to put other live data at risk.”
Most of the changes are meant to be temporary, used on a new server to import a dump of the database, then the settings are to be turned off.
Specifically:
- sync_binlog = 0
- innodb_flush_log_at_trx_commit = 0
- innodb-doublewrite = 0
He also prepends the following but of SQL before importing the data:
- set sql_log_bin=0; set autocommit=0; set unique_checks=0; set foreign_key_checks=0;
You can also help yourself if your MySQL database lives on ZFS
- zfs set recordsize=16k pool/var/db/mysql
- zfs set redundant_metadata=most pool/var/db/mysql
Remember, this tuning is ONLY for the initial import, leaving these settings on long term risks losing 5-10 seconds of your data if the server reboots unexpectedly
- zfs set sync=disabled pool/var/db/mysql
- zfs set logbias=throughput pool/var/db/mysql ***

PostgreSQL and FreeBSD Quick Start

There’s lots of databases to choose from, but Postgres always has a special place on FreeBSD. Today we have a look at a ‘getting started’ guide for those taking the plunge and using it for the first time.
Naturally getting started will look familiar to many, a couple simple “pkg” and “sysrc” commands later, and you’ll be set.
After starting the service (With the “service” command) you’ll be ready to start setting up your postgres instance.
Next up you’ll need to create your initial user/password combo, and a database with access granted to this particular user.
If you plan to enable remote access to this DB server, you’ll need to make some adjustments to one of the .conf files, allowing other IP’s to connect. (If you are hosting something on the same system, this may not be needed)
Now yous should be good to go! Enjoy using your brand new Postgres database. If this is your first rodeo, maybe start with something easy, like Apache or Nginx + Wordpress to try it out. ***

News Roundup

OpenBSD vmm hypervisor test drive

As we asked for a week or two ago, someone has taken OpenBSD’s vmm for a test drive, and made a video of it
The command line interface for vmm, vmctl, looks quite easy to use. It takes an approach much closer to some of the bhyve management frameworks, rather than bhyve’s rather confusing set of switches
It also has a config file, the format of which looks very similar to what I designed for bhyveucl, and my first effort to integrate a config file into bhyve itself.
The video also looks at accessing the console, configuring the networking, and doing an OpenBSD install in a fresh VM
Currently vmm only supports running OpenBSD VMs ***

FreeBSD Foundation October 2016 Update

Wow, November is already upon us with the Holidays just around the corner. Before things get lost in the noise we wanted to highlight this update from the FreeBSD foundation.
Before getting into the stories, they helpfully provide a list of upcoming conferences for this fall/winter, which includes a couple of USENIX gatherings, and the Developer Summit / MeetBSD next week. +The foundation gives us a quick hardware update initially, discussing some of the new ThunderX Cavium servers which are deployed (ARMv8 64Bit) and yes I’m drooling a bit. They also mention that work is ongoing for the RPi3 platform and PINE64.
GNN also has an article reprinted from the FreeBSD journal, talking about the achievement of making it to 11.0 over the span of 23 years now. Of course he mentions that the foundation is open to all, and welcomes donations to continue to keep up this tradition of good work being done.
Deb Goodkin gives us an update on the “Grace Hopper” convention that took place in Houston TX several weeks back. Roughly 14k women in Tech attended, which is a great turnout, and FreeBSD was well represented there.
Next we have a call to potential speakers, don’t forget that there are plenty of places you can help present about FreeBSD, not just at *BSD centered conferences, but the SCALES of the world as well.
We wrap up with a look at EuroBSDCon 2016, quite a nice writeup, again brought to us by Deb at the foundation, and includes a list of some of those recognized for their contributions to FreeBSD. ***

Adhokku – a toy PaaS powered by FreeBSD jails and Ansible

Described as a toy Platform-as-a-Service, Adhokku is an ansible based automated jail creation framework
Based on the concept of Dokku, a single-host open source PaaS for Linux powered by Docker

> When you deploy an application using Adhokku, Adhokku creates a new jail on the remote host and provisions it from a fixed clean state using the instructions in the Jailfile in your Git repository. All jails sit behind a reverse proxy that directs traffic to one of them based on the domain name or the IP address in the HTTP request. When a new jail has been provisioned for an application, Adhokku seamlessly reconfigures the reverse proxy to send traffic to it instead of the one currently active for that application.

> The following instructions show how to get Adhokku and an example application running in a VM on your development machine using Vagrant. This process should require no FreeBSD-specific knowledge, through modifying the Jailfile to customize the application may.

This seems like an interesting project, and it is good to see people developing workflows so users familiar with docker etc, can easily use BSD instead ***

Installing OpenBSD 6.0 on your laptop is really hard (not)

OpenBSD on a laptop? Difficult? Not hardly.
We have a great walkthrough by Keith Burnett, which demonstrates just how easy it can be to get up and running with an XFCE desktop from a fresh OpenBSD installation.
For those curious,this was all done with a Thinkpad X60 and 120GB SSD and OpenBSD 6.0.
He doesn’t really cover the install process itself, that is well covered by the link to the OpenBSD FAQ pages.
Once the system is up and running though, we start with the most important portion, getting working internet access (Via wifi)
Really just a few ‘ifconfig’ commands later and we are in business.
Step 2 was getting the package configuration going. (I’ve never understood why this is still a thing, but no fret, its easy enough to do)
With package repos available, now you can grab the binaries for XFCE and friends with just a few simple “pkg_add” commands
Steps 4-6 are some specific bits to enable XFCE services, and some handy things such as setting doas permissions to get USB mounting working (For graphical mount/unmount)
Lastly, keeping the system updated is important, so we have a nice tutorial on how to do that as well, using a handy “openup” script, which takes some of the guesswork out of it.
Bonus! Steps for doing FDE as also included, which isn’t for everyone, but you may want it ***

Beastie Bits

Feedback/Questions

165: Vote4BSD

JT Pennington — Wed, 26 Oct 2016 08:00:00 -0400

This week on BSDNow, we’ve got voting news for you (No not that election), a closer look at

This episode was brought to you by

Headlines

ARIN 38 involvement, vote!

Isaac (.Ike) Levy, one of our interview guests from earlier this year, is running for a seat on the 15 person ARIN Advisory Council
His goal is to represent the entire *BSD community at this important body that makes decisions about how IP addresses are allocated and managed
Biographies and statements for all of the candidates are available here
The election ends Friday October 28th
If elected, Ike will be looking for input from the community ***

LibreSSL not just available but default (DragonFlyBSD)

DragonFly has become the latest BSD to join the growing LibreSSL family. As mentioned a few weeks back, they were in the process of wiring it up as a replacement for OpenSSL.
With this latest commit, you can now build the entire base and OpenSSL isn’t built at all.
Congrats, and hopefully more BSDs (and Linux) jump on the bandwagon Compat_43 is gone
RiP 4.3 Compat support.. Well for DragonFly anyway.
This commit finally puts out to pasture the 4.3 support, which has been disabled by default in DragonFly for almost 5 years now.
This is a nice cleanup of their tree, removing more than a thousand lines of code and some of the old cruft still lingering from 4.3. ***

Create your first FreeBSD kernel module

This is an interesting tutorial from Abdelhadi Khiati, who is currently a master's student in AI and robotics

> I have been lucky enough to participate in Google Summer of Code with the FreeBSD foundation. I was amazed by the community surrounding it which was noob friendly and very helpful (Thank you FreeBSD <3)

> I wanted to make a starting tutorial for people to write a simple module for kernel before diving inside more complicated kernel shizzle

> The kernel module that we will be working on is a simple event handler for the kernel. It will be composed of 2 parts, the event handling function, and the module declaration

> The module event handler is a function that handles different events for the module. Like the module being loaded, unloaded or on system shutdown

> Now that we have the events handling function ready. We need to declare the moduledata_t to be able to use it inside DECLARE_MODULE macro and load it into the kernel. It has the module name and a pointer to the event handling function

> Lastly, we need to declare the module using the DECLARE_MODULE macro. Which has the following structure:

~~
DECLARE_MODULE(name, moduledata_t data, sub, order);
~~

> name: The module name that will be used in the SYSINIT() call to identify the module.
> data: The moduledata_t structure that we already presented.
> sub : Since we are using a driver here so the value will be SI_SUB_DRIVERS this argument specify the type of system startup interface.
> order : Represents the order of initialization within the subsystem, we will us the SI_ORDER_MIDDLE value here.

To compile the previous file you need to use a Makefile as following:
~~
KMOD=hello
SRCS=module.c
.include
~~
We look forward to a future post where more functionality is added to the kernel module

Installing Windows 10 Under the bhyve Hypervisor.

Looking for your Bhyve fix? If so, then Trent (Of iohyve fame) has a nice blog post today with a detailed look at how to get Windows 10 up and running in bhyve.
First up, Trent gives us a nice look back at how far we’ve come in only a single year. Just a year ago, initial support for UEFI was landing, there was no VNC option, leaving us to only serial console goodness. Fast-forward to today and Windows 10 + Bhyve + Vnc is a go.
He immediately jumps us into the good stuff, talking about what you’ll need to follow along. His tutorial was written on 12-CURRENT, but running 11.0-RELEASE should work as well.
Of course, he does mention that before starting on this quest, make sure to read the bhyve handbook, specifically check that your CPU is supported. If you are running something without the correct Vt extensions, then your journey will end prematurely in sadness.
Next up is some of the prep work needed to get your box ready to run VM’s. Loading the kernel module, creating “tap” devices for networking and such are detailed.
If you are lazy (like me) then you’ll want to copy-n-paste his handy scripts which automate this process for you.
With the system prepped, we get to the good stuff. You’ll need to install the bhyve-firmware package (which enables UEFI booting) and get your handy Windows 10 ISO.
From here Trent has helpfully again provided us with handy scripts to both do the bhyve startup, as well as enabling VNC support over a SSH tunnel.
At this point you are good to go, fire up your VNC client and you should be greeted with the typical Windows “Press any key to boot from CD” message. No, he doesn’t provide instructions on how to install / Use / Like Windows, but we’ll leave that up to you. ***

News Roundup

Lumina version 1.1.0 Released

A new version of Lumina has just landed! 1.1.0 brings with it some important fixes, as well as new utilities that make your desktop computing easier than ever.
First up, all i18n files have been re-worked, instead of needing to install another package, they are included with the build when WITH_I18N is set.
A handy new “start-lumina-desktop” command has been added, which makes it easy to get lumina running from your Login Manager or even manually in .xinitrc or the like.
A bunch of internals related to how it tracks installed Applications and start-menu entries has been re-worked, fixing some memory issues and speeding things up.
The default “Insight” file-manager has been given an overhaul, which includes some new features like “git” support.
A new Qt5 “lumina-calculator” has also joined the family, which means not needing to use kcalc or xcalc on TrueOS anymore.
A nice “TrueOS” specific option has also landed. Specifically now when System Updates are waiting to install at shutdown, Lumina will detect and prompt if you want to install or skip the update. Handy when on the road, or if you don’t have the time to wait for an update to complete. ***

OpenBGPD Large Communities support in –current

A blog post from OpenBSD’s Peter Hessler:

> On Friday, I committed support for Large Communities to OpenBGPD. This is a draft-RFC that I am pretty excited about.

> Back in the early days of The Internet, when routers rode dinosaurs to work and nerds weren't cool, we wanted to signal to our network neighbours certain information about routes. To be fair, we still do. But, back then everyone had 16 bit ASNs, so there was a simple concept called 'communities'. This was a 32bit opaque value, that was traditionally split into two 16bit values. Conveniently, we were able to encode an "us" and a "them", and perform actions based on what our neighbours told us.

>But, 16bits is pretty limiting. There could only be ~65'000 possible networks on The Internet total? Eeek. So, we created 32bit ASNs. 4 billion networks is seen as a quite reasonable limitation. However, you can't really encode a 32bit "us" and a 32bit "them" value into 32bits of total space. Something called "Extended Communities" was invented, but it tries to solve everything except the case of a 32bit ASN signalling to another 32bit ASN.

> Enter Large Communities. This is 3 32bit values. The first one is the "owner" of the namespace. Normally, you would put in your own ASN, or the ASN that you wish to signal. The second two 32bit values are opaque and only have meaning from the originating operator, but normally people will use "myasn":"verb":"noun" Or "myasn":"noun":"verb". Either way, it fits very nicely.

> Having previously ran a 32bit ASN, it became quickly obvious the lack of suitable communities was a critical problem. It was even the way to request an "old style" 16bit ASN from RIPE, "I need to use communities". Even the ability to say "do this to that ASN" was ugly, since you couldn't really communicate who the community was supposed to matter to. Clearly, we The Internet Community screwed up by not addressing this need earlier.

> OpenBGPD in OpenBSD -current has support for Large Communities, and this will be available in the 6.1 release and later. This was based partially on a patch from Job Snijders, thanks!

First look at the renewed CTL High Availability implementation in FreeBSD

Following up on a previous post about making a high availability dual head storage controller, the new post looks at using FreeBSD’s CTL HA implementation, and FreeBSD 11.0 to do that:

> This enhancement looks extremely important for the BeaST storage system as implementation of high available native ALUA in FreeBSD can potentially replace the BeaST arbitration mechanism (“Arbitrator”), which is completely described in the papers on the BeaST project page

> ALUA in storage world terminology means Asymmetric Logical Unit Assignment. In simple words this set of technologies allows a host to access any LUN via both controllers of a storage system

> As I still do not have any real hardware drive-enclosures, we will use Oracle Virtual Box and iSCSI protocol. I have already deployed this environment for the BeaST development, so we can use the similar, yet more simplified template for the renewed CTL HA testing purpose.

If anyone has access to hardware of this nature (a storage shelf with 2 heads connected to it), that they could lend the author to help validate the design on real hardware, that would be most helpful. > We will run two storage controllers (ctrl-a, ctrl-b) and a host (cln-1). A virtual SAS drive (da0) of 256 MB is configured as “shareable” in Virtual Media Manager and simultaneously connected with both storage controllers
The basic settings are applied to both controllers
One interesting setting is:
> kern.cam.ctl.ha_role – configures default role for the node. So ctrl-a is set as 0 (primary node), ctrl-b – 1 (secondary node). The role also can be specified on per-LUN basis which allows to distribute LUNs over both controllers evenly.
> Note, kern.cam.ctl.ha_id and kern.cam.ctl.ha_mode are read-only parameters and must be set only via the /boot/loader.conf file.
Once kern.cam.ctl.ha_peer is set, and the peers connect to each other, the log messages should reflect this:
- CTL: HA link status changed from 0 to 1
- CTL: HA link status changed from 1 to 2

> The link states can be: 0 – not configured, 1 – configured but not established and 2 – established

Then ctld is configured to export /dev/da0 on each of the controllers
Then the client is booted, and uses iscsid to connect to each of the exposed targets

> sysctl kern.iscsi.fail_on_disconnection=1 on the client is needed to drop connection with one of the controllers in case of its failure

> As we know that da0 and da1 on the client are the same drive, we can put them under multipathing control: gmultipath create -A HA /dev/da0 /dev/da1

The document them shows a file being copied continuously to simulate load. Because the multipath is configured in ‘active/active’ mode, the traffic is split between the two controllers
Then the secondary controller is turned off, and iscsi disconnects that path, and gmultipath adapts and sends all of the traffic over the primary path.
When the secondary node is brought back up, but the primary is taken down, traffic stops
The console on the client is filled with errors: “Logical unit not accessible, asymmetric access state transition”
The ctl(4) man page explains: > If there is no primary node (both nodes are secondary, or secondary node has no connection to primary one), secondary node(s) report Transitioning state. > Therefore, it looks like a “normal” behavior of CTL HA cluster in a case of disaster and loss of the primary node. It also means that a very lucky administrator can restore the failed primary controller before timeouts are elapsed.
If the primary is down, the secondary needs to be promoted by some other process (CARP maybe?): sysctl kern.cam.ctl.ha_role=0
Then traffic follows again
This is a very interesting look at this new feature, and I hope to see more about it in the future ***

Is SPF Simply Too Hard for Application Developers?

Peter Hansteen asks an interesting question:

> The Sender Policy Framework (SPF) is unloved by some, because it conflicts with some long-established SMTP email use cases. But is it also just too hard to understand and to use correctly for application developers?

He tells a story about trying to file his Norwegian taxes, and running into a bug

> Then in August 2016, I tried to report a bug via the contact form at Altinn.no, the main tax authorities web site.

> The report in itself was fairly trivial: The SMS alert I had just received about an invoice for taxes due contained one date, which turned out to be my birth date rather than the invoice due date. Not a major issue, but potentially confusing to the recipient until you actually log in and download the invoice as PDF and read the actual due date and other specifics.

> The next time I checked my mail at bsdly.net, I found this bounce:

> support@altinn.no: SMTP error from remote mail server after RCPT TO:: host mx.isp.as2116.net [193.75.104.7]: 550 5.7.23 SPF validation failed

> which means that somebody, somewhere tried to send a message to support@altinn.no, but the message could not be delivered because the sending machine did not match the published SPF data for the sender domain.

> What happened is actually quite clear even from the part quoted above: the host mx.isp.as2116.net [193.75.104.7] tried to deliver mail on my behalf (I received the bounce, remember), and since I have no agreement for mail delivery with the owners and operators of that host, it is not in bsdly.net's SPF record either, and the delivery fails.

After having a bunch of other problems, he finally gets a message back from the tax authority support staff:

> It looks like you have Sender Policy Framework (SPF) enabled on your mailserver, It is a known weakness of our contact form that mailervers with SPF are not supported.

> The obvious answer should be, as you will agree if you're still reading: The form's developer should place the user's email address in the Reply-To: field, and send the message as its own, valid local user. That would solve the problem.

> Yes, I'm well aware that SPF also breaks traditional forwarding of the type generally used by mailing lists and a few other use cases. Just how afraid should we be when those same developers come to do battle with the followup specifications such as DKIM and (shudder) the full DMARC specification?

Beastie Bits

Feedback/Questions

164: Virtualized COW / PI?

JT Pennington — Wed, 19 Oct 2016 08:00:00 -0400

This week on the show, we’ve got all sorts of goodies to discuss. Starting with, vmm, vkernels, raspberry pi and much more! Some iX folks are visiting from out of

This episode was brought to you by

Headlines

vmm enabled

VMM, the OpenBSD hypervisor, has been imported into current
It has similar hardware requirements to bhyve, a Intel Nehalem or newer CPU with the hardware virtualization features enabled in the BIOS
AMD support has not been started yet
OpenBSD is the only supported guest
It would be interesting to hear from viewers that have tried it, and hear how it does, and what still needs more work ***

vkernels go COW

The DragonflyBSD feature, vkernels, has gained a new Copy-On-Write functionality
Disk images can now be mounted RO or RW, but changes will not be written back to the image file
This allows multiple vkernels to share the same disk image
“Note that when the vkernel operates on an image in this mode, modifications will eat up system memory and swap, so the user should be cognizant of the use-case. Still, the flexibility of being able to mount the image R+W should not be underestimated.”
This is another feature we’d love to hear from viewers that have tried it out. ***

Basic support for the RPI3 has landed in FreeBSD-CURRENT

The long awaited bits to allow FreeBSD to boot on the Raspberry Pi 3 have landed
There is still a bit of work to be done, some of the as mentioned in Oleksandr’s blog post:
Raspberry Pi support in HEAD

> “Raspberry Pi 3 limited support was committed to HEAD. Most of drivers should work with upstream dtb, RNG requires attention because callout mode seems to be broken and there is no IRQ in upstream device tree file. SMP is work in progress. There are some compatibility issue with VCHIQ driver due to some assumptions that are true only for ARM platform. “

This is exciting work. No HDMI support (yet), so if you plan on trying this out make sure you have your USB->Serial adapter cables ready to go.
Full Instructions to get started with your RPI 3 can be found on the FreeBSD Wiki
Relatively soon, I imagine there will be a RaspBSD build for the RPI3 to make it easier to get started
Eventually there will be official FreeBSD images as well ***

OpenBSD switches softraid crypto from PKCS5 PBKDF2 to bcrypt PBKDF.

After the discussion a few weeks ago when a user wrote a tool to brute force their forgotten OpenBSD Full Disk Encryption password (from a password list of possible variations of their password), it was discovered that OpenBSD defaulted to using just 8192 iterations of PKCSv5 for the key derivation function with a SHA1-HMAC
The number of iterations can be manually controlled by the user when creating the softraid volume
By comparison, FreeBSDs GELI full disk encryption used a benchmark to pick a number of iterations that would take more than 2 seconds to complete, generally resulting in a number of iterations over 1 million on most modern hardware. The algorithm is based on a SHA512-HMAC
However, inefficiency in the implementation of PKCSv5 in GELI resulted in the implementation being 50% slower than some other implementations, meaning the effective security was only about 1 second per attempt, rather than the intended 2 seconds. The improved PKCSv5 implementation is out for review currently.
This commit to OpenBSD changes the default key derivation function to be based on bcrypt and a SHA512-HMAC instead.
OpenBSD also now uses a benchmark to pick a number of of iterations that will take approximately 1 second per attempt
“One weakness of PBKDF2 is that while its number of iterations can be adjusted to make it take an arbitrarily large amount of computing time, it can be implemented with a small circuit and very little RAM, which makes brute-force attacks using application-specific integrated circuits or graphics processing units relatively cheap. The bcrypt key derivation function requires a larger amount of RAM (but still not tunable separately, i. e. fixed for a given amount of CPU time) and is slightly stronger against such attacks, while the more modern scrypt key derivation function can use arbitrarily large amounts of memory and is therefore more resistant to ASIC and GPU attacks.”
The upgrade to the bcrypt, which has proven to be quite resistant to cracking by GPUs is a significant enhancement to OpenBSDs encrypted softraid feature ***

Interview - Josh Paetzel - email@email / @bsdunix4ever

MeetBSD
ZFS Panel
FreeNAS - graceful network reload
Pxeboot ***

News Roundup

EC2's most dangerous feature

Colin Percival, FreeBSD’s unofficial EC2 maintainer, has published a blog post about “EC2's most dangerous feature”
“As a FreeBSD developer — and someone who writes in C — I believe strongly in the idea of "tools, not policy". If you want to shoot yourself in the foot, I'll help you deliver the bullet to your foot as efficiently and reliably as possible. UNIX has always been built around the idea that systems administrators are better equipped to figure out what they want than the developers of the OS, and it's almost impossible to prevent foot-shooting without also limiting useful functionality. The most powerful tools are inevitably dangerous, and often the best solution is to simply ensure that they come with sufficient warning labels attached; but occasionally I see tools which not only lack important warning labels, but are also designed in a way which makes them far more dangerous than necessary. Such a case is IAM Roles for Amazon EC2.”
“A review for readers unfamiliar with this feature: Amazon IAM (Identity and Access Management) is a service which allows for the creation of access credentials which are limited in scope; for example, you can have keys which can read objects from Amazon S3 but cannot write any objects. IAM Roles for EC2 are a mechanism for automatically creating such credentials and distributing them to EC2 instances; you specify a policy and launch an EC2 instance with that Role attached, and magic happens making time-limited credentials available via the EC2 instance metadata. This simplifies the task of creating and distributing credentials and is very convenient; I use it in my FreeBSD AMI Builder AMI, for example. Despite being convenient, there are two rather scary problems with this feature which severely limit the situations where I'd recommend using it.”
“The first problem is one of configuration: The language used to specify IAM Policies is not sufficient to allow for EC2 instances to be properly limited in their powers. For example, suppose you want to allow EC2 instances to create, attach, detach, and delete Elastic Block Store volumes automatically — useful if you want to have filesystems automatically scaling up and down depending on the amount of data which they contain. The obvious way to do this is would be to "tag" the volumes belonging to an EC2 instance and provide a Role which can only act on volumes tagged to the instance where the Role was provided; while the second part of this (limiting actions to tagged volumes) seems to be possible, there is no way to require specific API call parameters on all permitted CreateVolume calls, as would be necessary to require that a tag is applied to any new volumes being created by the instance.”
“As problematic as the configuration is, a far larger problem with IAM Roles for Amazon EC2 is access control — or, to be more precise, the lack thereof. As I mentioned earlier, IAM Role credentials are exposed to EC2 instances via the EC2 instance metadata system: In other words, they're available from http://169.254.169.254/. (I presume that the "EC2ws" HTTP server which responds is running in another Xen domain on the same physical hardware, but that implementation detail is unimportant.) This makes the credentials easy for programs to obtain... unfortunately, too easy for programs to obtain. UNIX is designed as a multi-user operating system, with multiple users and groups and permission flags and often even more sophisticated ACLs — but there are very few systems which control the ability to make outgoing HTTP requests. We write software which relies on privilege separation to reduce the likelihood that a bug will result in a full system compromise; but if a process which is running as user nobody and chrooted into /var/empty is still able to fetch AWS keys which can read every one of the objects you have stored in S3, do you really have any meaningful privilege separation? To borrow a phrase from Ted Unangst, the way that IAM Roles expose credentials to EC2 instances makes them a very effective exploit mitigation mitigation technique.”
“To make it worse, exposing credentials — and other metadata, for that matter — via HTTP is completely unnecessary. EC2 runs on Xen, which already has a perfectly good key-value data store for conveying metadata between the host and guest instances. It would be absolutely trivial for Amazon to place EC2 metadata, including IAM credentials, into XenStore; and almost as trivial for EC2 instances to expose XenStore as a filesystem to which standard UNIX permissions could be applied, providing IAM Role credentials with the full range of access control functionality which UNIX affords to files stored on disk. Of course, there is a lot of code out there which relies on fetching EC2 instance metadata over HTTP, and trivial or not it would still take time to write code for pushing EC2 metadata into XenStore and exposing it via a filesystem inside instances; so even if someone at AWS reads this blog post and immediately says "hey, we should fix this", I'm sure we'll be stuck with the problems in IAM Roles for years to come.”
“So consider this a warning label: IAM Roles for EC2 may seem like a gun which you can use to efficiently and reliably shoot yourself in the foot; but in fact it's more like a gun which is difficult to aim and might be fired by someone on the other side of the room snapping his fingers. Handle with care!” ***

Open-source storage that doesn't suck? Our man tries to break TrueNAS

The storage reviewer over at TheRegister got their hands on a TrueNAS and gave it a try
“Data storage is difficult, and ZFS-based storage doubly so. There's a lot of money to be made if you can do storage right, so it's uncommon to see a storage company with an open-source model deliver storage that doesn't suck.”
“To become TrueNAS, FreeNAS's code is feature-frozen and tested rigorously. Bleeding-edge development continues with FreeNAS, and FreeNAS comes with far fewer guarantees than does TrueNAS.”
“iXsystems provided a Z20 hybrid storage array. The Z20 is a dual-controller, SAS-based, high-availability, hybrid storage array. The testing unit came with a 2x 10GbE NIC per controller and retails around US$24k. The unit shipped with 10x 300GB 10k RPM magnetic hard drives, an 8GB ZIL SSD and a 200GB L2ARC SSD. 50GiB of RAM was dedicated to the ARC by the system's autotune feature.”
The review tests the performance of the TrueNAS, which they found acceptable for spinning rust, but they also tested the HA features
While the look of the UI didn’t impress them, the functionality and built in help did
“The UI contains truly excellent mouseover tooltips that provide detailed information and rationale for almost every setting. An experienced sysadmin will be able to navigate the TrueNAS UI with ease. An experienced storage admin who knows what all the terms mean won't have to refer to a wiki or the more traditional help manual, but the same can't be said for the uninitiated.”
“After a lot of testing, I'd trust my data to the TrueNAS. I am convinced that it will ensure the availability of my data to within any reasonable test, and do so as a high availability solution. That's more than I can say for a lot of storage out there.”
“iXsystems produce a storage array that is decent enough to entice away some existing users of the likes of EMC, NetApp, Dell or HP. Honestly, that's not something I thought possible going into this review. It's a nice surprise.” ***

OpenBSD now officially on GitHub

Got a couple of new OpenBSD items to bring to your attention today.
First up, for those who didn’t know, OpenBSD development has (always?) taken place in CVS, similar to NetBSD and previously FreeBSD.
However today, Git fans can rejoice, since there is now an “official” read-only github mirror of their sources for public consumption.
Since this is read-only, I will assume (unless told otherwise) that pull-requests and whatnot aren’t taken. But this will come in handy for the “git-enabled” among us who need an easier way to checkout OpenBSD sources.
There is also not yet a guarantee about the stability of the exporter. If you base a fork on the github branch, and something goes wrong with the exporter, the data may be reexported with different hashes, making it difficult to rebase your fork.

How to install LibertyBSD or OpenBSD on a libreboot system

For the second part of our OpenBSD stories, we have a pretty detailed document posted over at LibreBoot.org with details on how to boot-strap OpenBSD (Or LibertyBSD) using their open-source bios replacement.
We’ve covered blog posts and other tidbits about this process in the past, but this seems to be the definitive version (so far) to reference.
Some of the niceties include instructions on getting the USB image formatted not just on OpenBSD, but also FreeBSD, Linux and NetBSD.
Instructions on how to boot without full-disk-encryption are provided, with a mention that so far Libreboot + Grub does not support FDE (yet). I would imagine somebody will need to port over the openBSD FDE crypto support to GRUB, as was done with GELI at some point.
Lastly some instructions on how to configure grub, and troubleshoot if something goes wrong will help round-out this story. Give it a whirl, let us know if you run into issues.
Editorial Aside - Personally I find the libreboot stuff fascinating. It really is one of the last areas that we don’t have full control of our systems with open-source. With the growth of EFI, it seems we rely on a closed-source binary / mini-OS of sorts just to boot our Open Source solutions, which needs to be addressed. Hats off to the LibreBoot folks for taking on this important challenge. ***

FreeNAS 9.10 – LAGG & VLAN Overview

A video tutorial on FreeNAS’s official YouTube Channel
Covers the advanced networking features, Link Aggregation and VLANs
Covers what the features do, and in the case of LAGG, how each of the modes work and when you might want to use it ***

Beastie Bits

Feedback/Questions

163: Return of the Cantrill

JT Pennington — Wed, 12 Oct 2016 08:00:00 -0400

The wait is over, 11.0 of FreeBSD has (officially) launched. We’ll have coverage of this, plus a couple looks back at UNIX history, and a crowd-favorite guest today.

This episode was brought to you by

Headlines

FreeBSD 11.0-RELEASE Now Available

FreeBSD 11.0-RELEASE is now officially out.
A last minute reroll to pickup OpenSSL updates and a number of other security fixes meant the release was a little behind schedule, and shipped as 11.0-RELEASE-p1, but the release is better for it
Improved support for 802.11n and various wifi drivers
Support for the AArch64 (arm64) architecture has been added.
Native graphics support has been added to the bhyve(8) hypervisor.
A new flag, “onifconsole” has been added to /etc/ttys. This allows the system to provide a login prompt via serial console if the device is an active kernel console, otherwise it is equivalent to off.
The xz(1) utility has been updated to support multi-threaded compression.
A number of kernel panics related to VNET have been fixed
The IMAGACT_BINMISC kernel configuration option has been enabled by default, which enables application execution through emulators, such as QEMU via binmiscctl(8).
The GENERIC kernel configuration has been updated to include the IPSEC option by default.
The kern.osrelease and kern.osreldate are now configurable jail(8) parameters
A new sysctl(8), kern.racct.enable, has been added, which when set to a non-zero value allows using rctl(8) with the GENERIC kernel. A new kernel configuration option, RACCT_DISABLED has also been added.
The minimum (arc_min) and maximum (arc_max) values for the ZFS adaptive replacement cache can be modified at runtime.
Changes to watch out for:
- OpenSSH DSA key generation has been disabled by default. It is important to update OpenSSH keys prior to upgrading. Additionally, Protocol 1 support has been removed.
- By default, the ifconfig(8) utility will set the default regulatory domain to FCC on wireless interfaces. As a result, newly created wireless interfaces with default settings will have less chance to violate country-specific regulations.
- An issue was discovered with Amazon® EC2™ images which would cause the virtual machine to hang during boot when upgrading from previous FreeBSD versions. New EC2™ installations are not affected, but existing installations running earlier releases are advised to wait until the issue is resolved in an Errata Notice before upgrading. An Errata Notice to address this is planned following the release. ***

process listing consistency

Ted Unangst asks: how consistent is the output of ps(1)?
If processes are starting and exiting constantly, and you run ps(1), is the output guaranteed to reflect that exact moment in time, or might it include some processes that have gone away before ps(1) exited, and include some processes that did not exist when ps(1) was started?
Ted provides a little example chicken/egg program to try to create such an inconsistency, so you can test out your OS
On OpenBSD ps(1) was switched away from the reading kernel memory directly, and instead uses the KERN_PROC_ALL sysctl

> Thus sysctl can iterate over the entire process list, copying out information to ps(1), without blocking. If we prevent processes from forking or exiting during this time, we get a consistent snapshot. The snapshot may be stale, but it will never show us a viewpoint that never happened.

So, OpenBSD will always be consistent, or will it?

> Is there a way to trick ps on OpenBSD? Not everything is consistent. There’s a separate sysctl, KERN_PROC_ARGV, that reads the command line arguments for a process, but it only works on one process at a time. Processes can modify their own argv at any time.

A second test program changes the process title of both the chicken and the egg, and if you run ps(1), you can get back a result that never actually happened.
The argv of the first program is read by ps(1), and in the meantime, it changes to a different value. The second program also changes its value, so now when ps(1) reads it, it sees the new value, not the original value from when ps(1) was started.
So the output is not that consistent, but is it worth the effort to try to make it so?

DragonFlyBSD - if_iwm - Add basic powermanagement support via ifconfig wlan0 powersave

WiFi can often be one of the biggest drains on your laptop battery, so anything we can do to improve the situation should be embraced.
Imre VadÃ¡sz over at the DragonFly project has done that, porting over a new set of power management support from Linux to the if_iwm driver.

> if_iwm - Add basic powermanagement support via ifconfig wlan0 powersave.

> + The DEVICE_POWER_FLAGS_CAM_MSK flag was removed in the upstream iwlwifi in Linux commit ceef91c89480dd18bb3ac51e91280a233d0ca41f.

> + Add sc_ps_disabled flag to struct iwm_softc, which corresponds to mvm->ps_disabled in struct iwl_mvm in Linux iwlwifi.

> + Adds a hw.iwm.power_scheme tunable which corresponds to the power_scheme module parameter in Linux iwlwifi. Set this to 1 for completely disabling power management, 2 (default) for balanced powermanagement, and 3 for lowerpower mode (which does dtim period skipping).

> + Imports the constants.h file from iwlwifi as if_iwm_constants.h.

> + This doesn't allow changing the powermanagement setting while connected,
also one can only choose between enabled and disabled powersaving with
ifconfig (so switching between balanced and low-power mode requires
rebooting to change the tunable).

> + After any changes to powermanagement (i.e. "ifconfig wlan0 powersave" to
enable powermanagement, or "ifconfig wlan0 -powersave" for disabling
powermanagement), one has to disconnect and reconnect to the accespoint
for the change to take effect.“

Good stuff! These positive changes need to happen more often and sooner, so we can all eek out every drop of power from our respective laptops. ***

Helping out an Internet Friend…Dual boot OpenBSD

Dual-booting OpenBSD and Linux, via UEFI. A year ago we wouldn’t be discussing this, but today we have an article where somebody has done exactly that.
This Journey was undertaken by Brian Everly (Indiana Bug), partly due to a friend who wanted to dual-boot his laptop which already has an existing UEFI install on it.
As a proof of concept, he began by replicating the setup in VMware with UEFI
He started by throwing Ubuntu into the VM, with some special attention paid to partitioning to ensure enough room left-over for OpenBSD later.

>I created a 64MB EFI partition at the front of the disk. Next, I created a 20GB primary partition at the beginning of the space, mounted as the root (/) filesystem.

> I then added a 4096MB swap partition for Ubuntu. Finally, I used the rest of the free space to create a Reserved BIOS Boot Area FAT32 partition that was not associated with a mount point – this is where I will be installing OpenBSD.

With that done, he wrapped up the Ubuntu installation and then turned over to to the OpenBSD side. Some manual partitioning was required to install to the “Reserved FAT32” partition.

> I mashed through the defaults in the OpenBSD installer until I got to the disk partitioning. Since I told VMWare to make my hard drive an IDE one, I knew I was playing around with wd0 and not sd0 (my USB key). I dumped into fdisk by selecting to (E)dit the partition scheme and saw my setup from Linux. First was the EFI partition (I am guessing I’ll have to copy my bootx64.efi file to that at some point), second was the Linux etx4 partition, third was my Linux swap partition and fourth was a weird looking one that is the “Reserved BIOS Boot” partition. That’s the one I’ll fiddle with.

> Issuing the command “edit 3” allowed me to fiddle with that partition #3 (remember, we start counting at zero). I set it’s type to “A6” (OpenBSD) and then took the defaults with the exception of naming it “OpenBSD”. A quick “write” followed by a “quit” allowed me to update my new partition and get back to the installer.

Once the installation was wrapped up (OpenBSD helpfully already created the /boot/EFI partition with the correct EFI loader installed) he was able to reboot and select between the two systems at the UEFI bios screen.
For kicks, he lastly went into Ubuntu and grabbed refind. Installing refind provided a fancy graphical selector between the two systems without too much trouble.
Next step will be to replicate this process on his friend’s laptop. Wishing you luck with that journey!

Interview - Bryan Cantrill - email@email / @twitter

CTO of Joyent ***

News Roundup

After 22 Years, 386BSD Gets An Update

Slashdot brings us an interesting mention this week, specifically that after 22 years, we now have an update to 386BSD.

> 386BSD was last released back in 1994 with a series of articles in Dr. Dobb's Journal -- but then developers for this BSD-based operating system started migrating to both FreeBSD and NetBSD. An anonymous Slashdot reader writes: The last known public release was version 0.1. Until Wednesday, when Lynne Jolitz, one of the co-authors of 386BSD, released the source code to version 1.0 as well as 2.0 on Github.

> 386BSD takes us back to the days when you could count every file in your Unix distribution and more importantly, read and understand all of your OS source code. 386BSD is also the missing link between BSD and Linux. One can find fragments of Linus Torvalds's math emulation code in the source code of 386BSD. To quote Linus: "If 386BSD had been available when I started on Linux, Linux would probably never had happened.”

> Though it was designed for Intel 80386 microprocessors, there's already instructions for launching it on the hosted hardware virtualization service Qemu.

There you have it! Go grab the new hotness that is 386BSD and run it in 2016! Or perhaps you want FreeBSD 11, but to each their own. ***

Progress of the OpenBSD Limited Edition Signed CD set

An update from a story last week! We mentioned the “very” limited edition OpenBSD 6.0 signed CD sets that had gone up for Auction on Ebay. (With proceeds to support for Foundation)
As of today, here’s where we stand:
- CD set #1 (Sep 29th + 5 days) sold for $4200
- CD set #2 (Oct 4th + 3 days) sold for $3000
- CD set #3 (Oct 8th + 3 days) sold for $817
- CD set #4 (Oct 11th + 3 days) is currently up for bidding
There you have it! The 4th set is almost wrapped up bidding, and the 5th and last set is not far behind. Be sure to grab your piece of BSD history before its gone!

PROTOTYPE FreeBSD Jail/ZFS based implementation of the Application Container Specification

> “Jetpack is an experimental and incomplete implementation of the App Container Specification for FreeBSD. It uses jails as isolation mechanism, and ZFS for layered storage.”
> “This document uses some language used in Rocket, the reference implementation of the App Container Specification. While the documentation will be expanded in the future, currently you need to be familiar at least with Rocket's README to understand everything.”

A standard with multiple implementations, that allow substitution of components, such as FreeBSD Jails instead of docker/lxc etc, and ZFS instead of overlayfs etc, is very exciting ***

Microsoft’s Forgotten Unix-based Operating System

Do you remember the good old days. You know, when Microsoft was the driving force behind UNIX? Wait, what did you say you may be thinking? It’s true, and lets sit back and let FossBytes tell us a tale of what once was reality.
The story begins sometime in the late 70’s:

> Turning back the pages to the late 1970’s, Microsoft entered into an agreement with AT&T Corporation to license Unix from AT&T. While the company didn’t sell the OS to public, it licensed it to other OEM vendors like Intel, SCO, and Tandy.

> As Microsoft had to face legal trouble due to “Unix” name, the company renamed it and came up with its own Unix distribution. So, AT&T licensed Unix to Redmond that was passed on to other OEMs as Xenix.

> It’s interesting to recall a time when Microsoft enabled people to run Unix — an operating system originally designed for large and multiuser systems — on a microcomputer. Even though it came first, Unix was probably more powerful than MS-DOS.

So whatever happened to this microsoft-flavored UNIX you may ask? Sadly it was ditched for DOS due to $REASONS:

> In early 1980’s, IBM was looking for an OS to power its PC. As IBM didn’t want to maintain any ties with the recently split AT&T, Xenix was automatically rejected. To fulfill, the tech giant’s demand, Microsoft bought 86-DOS from Seattle Computer Products and managed to convince IBM to use it in their systems.

> Slowly, Microsoft started losing interest in Xenix and traded the full rights of Xenix with SCO, a Xenix partner company. The company filed bankruptcy in 2007 before taking the Xenix legacy to the 21st century in the form of Open Server, previously known as SCO Unix and SCO Open Desktop.

An interesting chapter in UNIX history to be sure, and funny enough may come full-circle someday with Microsoft beginning to show interest in UNIX and BSD once again. ***

Beastie Bits

Feedback/Questions

162: The Foundation of NetBSD

JT Pennington — Wed, 05 Oct 2016 08:00:00 -0400

This week on the show, we’ll be talking to Petra about the NetBSD foundation, about how they operate and assist NetBSD behind the scenes. That plus lots of news

This episode was brought to you by

Headlines

What is new on EC2 for FreeBSD 11.0-RELEASE

“FreeBSD 11.0-RELEASE is just around the corner, and it will be bringing a long list of new features and improvements — far too many for me to list here. I think there are some improvements in FreeBSD 11.0 which are particularly noteworthy for EC2 users.”
“First, the EC2 Console Screenshot functionality now works with FreeBSD. This provides a "VGA" output as opposed to the traditional "serial port" which EC2 has exposed as "console output" for the past decade, and is useful largely because the "VGA" output becomes available immediately whereas the "serial port" output can lag by several minutes. This improvement is a simple configuration change — older releases didn't waste time writing to a non-serial console because it didn't go anywhere until Amazon added support on their side — and can be enabled on older FreeBSD releases by changing the line console="comconsole" to boot_multicons="YES" in /boot/loader.conf.”
“The second notable change is support for EC2 "Enhanced Networking" using Intel 82599 hardware; on the C3, C4, R3, I2, D2, and M4 (excluding m4.16xlarge) families, this provides increased network throughput and reduced latency and jitter, since it allows FreeBSD to talk directly to the networking hardware rather than via a Xen paravirtual interface. Getting this working took much longer than I had hoped, but the final problem turned out not to be in FreeBSD at all — we were tickling an interrupt-routing bug in a version of Xen used in EC2. Unfortunately FreeBSD does not yet have support for the new "Elastic Network Adapter" enhanced networking used in P2 and X1 instance families and the m4.16xlarge instance type; I'm hoping that we'll have a driver for that before FreeBSD 11.1 arrives.”
“The third notable change is an improvement in EC2 disk throughput. This comes thanks to enabling indirect segment I/Os in FreeBSD's blkfront driver; while the support was present in 10.3, I had it turned off by default due to performance anomalies on some EC2 instances. (Those EC2 performance problems have been resolved, and disk I/O performance in EC2 on FreeBSD 10.3 can now be safely improved by removing the line hw.xbd.xbd_enable_indirect="0" from /boot/loader.conf.)”
“Finally, FreeBSD now supports all 128 CPUs in the x1.32xlarge instance type. This improvement comes thanks to two changes: The FreeBSD default kernel was modified in 2014 to support up to 256 CPUs (up from 64), but that resulted in a (fixed-size) section of preallocated memory being exhausted early in the boot process on systems with 92 or more CPUs; a few months ago I changed that value to tune automatically so that FreeBSD can now boot and not immediately panic with an out-of-the-box setup on such large systems.”
“I think FreeBSD/EC2 users will be very happy with FreeBSD 11.0-RELEASE; but I'd like to end with an important reminder: No matter what you might see on FTP servers, in EC2, or available via freebsd-update, the new release has not been released until you see a GPG-signed email from the release engineer. This is not just a theoretical point: In my time as a FreeBSD developer I've seen multiple instances of last-minute release re-rolls happening due to problems being discovered very late, so the fact that you can see bits doesn't necessarily mean that they are ready to be downloaded. I hope you're looking forward to 11.0-RELEASE, but please be patient.” ***

Upgrading Amazon EC2 instance from 10.3 to 11.0-PRERELEASE results in hang at boot

As if to underscore that last point, a last minute bug was found on sunday night
A user reported that they used freebsd-update to upgrade an EC2 instance from 10.3 to 11.0 and it started hanging during boot
After some quick investigation by Colin, the problem was reproduced
Since I had done a lot of work in the loader recently, I helped Colin build a version of the loader with a lot of the debugging enabled, and some more added to try to isolate where in the loader the freeze was happening
Colin and I worked late into the night, but eventually found the read from disk that was causing the hang
Unlike most of the other reads, that were going into the heap, this read was into a very low memory address, right near the 640kb border. This initially distracted us from the real cause of the problem
With more debugging added, it was determined that the problem was in the GELIBoot code, when reading the last sector of each partition to determine if it is encrypted. In cases where the partition is not 4k aligned, and butts up against the end of the disk, the formula used could result in a read past the end of the disk
The formula rounds the last sector byte address down to the nearest factor of 4096, then reads 4096 bytes. Then that buffer is examined to determine if the partition is encrypted. If it is a 512b sector drive, the metadata will be in the last 512 bytes of that 4096 byte buffer.
However, if the partition is not 4k aligned, the rounding will produce a value that is less than 4096 bytes from the end of the disk, and attempting to read 4096 bytes, will read past the end of the disk
Normally this isn’t that big of a problem, the BIOS will just return an error. The loader will retry up to three times, then give up and move on, continuing to boot normally.
Some BIOSes are buggy, and will initiate their own retries, and the combination might result in a stall of up to 30 seconds for each attempt to read past the end of the disk
But it seems that Amazon EC2 instances, (and possibly other virtual instances), will just hang in this case.
This bug has existed for 6 months, but was not caught because almost all installations are 4k aligned thanks to changes made to the installer over the last few years, and most hardware continues to boot with no sign of a problem
Even the EC2 snapshot images of 11.0 do not have the problem, as they use a newer disk layout that is 4k aligned by default now. The problem only seems to happen when older disk images are upgraded
The fix has been committed and will be merged the the branches over the next few days
An Errata notice will be issues, and the fix will be available via freebsd-update
It is recommended that EC2 users, and anyone who wants to be especially cautious, wait until this errata notice goes out before attempting to upgrade from FreeBSD 10.3 to 11.0
You can determine if your partitions are 4k aligned by running ‘gpart show’. If there is free space after your last partition, you won’t have any issues. ***

OpenBSD 6.0 Limited Edition CD set (signed by developers)

The first one went for .$4,200.00

Looking for your piece of OpenBSD history? At the recent g2k16 hackathon in Cambridge UK, 40 OpenBSD developers put pen to paper and signed 5 copies of the new 6.0 release.
Each of these will be auctioned off on ebay, with the proceeds to benefit the OpenBSD foundation.
The first auction has already ended, and CD set went for a whopping $4200!
The next set only has 2 days left, and currently stands at $3000! (http://www.ebay.com/itm/-/331990536246)
Get your bids in soon, these are VERY unique, the odds of getting the same 40 developers in a room together and signing a new .0 release may make this a once-in-a-lifetime opportunity.
Additionally, if you are just starting your OpenBSD collection, here’s a nice image to make you envious: A nice collection of OpenBSD CD Sets ***

[What typing ^D really does on Unix

](https://utcc.utoronto.ca/~cks/space/blog/unix/TypingEOFEffects)

How often have you used a ^D to generate an EOF? Do you really know what that does?
Chris Siebenmann has posted a look at this on his blog, which might not be what you think

> “Typing ^D causes the tty driver to immediately finish a read().”

He continues on:

>Normally doing a read() from a terminal is line-buffered inside the tty driver; your program only wakes up when the tty driver sees the newline, at which point you get back the full
line. (Note that this buffering is distinct from anything that your language's IO system may be doing.)

> Typing ^D causes the tty driver to stop waiting for a newline and immediately return from the read() with however much of the line has been accumulated to date. If you haven't
typed anything on the line yet, there is nothing accumulated and the read() will return 0 bytes, which is conveniently the signal for end of file. If you have typed something the
program will get it; because it doesn't have a trailing newline, the program's own line-buffering may take over and keep read()ing to get the rest of the line.

> (Other programs will immediately process the partial line with no buffering; cat is one example of this.)

> Once you've typed ^D on a partial line, that portion of the line is immutable because it's already been given to the program. Most Unixes won't let you backspace over such partial
lines; effectively they become output, not input.

> (Note that modern shells are not good examples of this, because they don't do line-buffered input; to support command line editing, they switch terminal input into an uninterpreted
mode. So they get the raw ^D and can do whatever they want with it, and they can let you edit as much of the pending line as they want.)

Fascinating stuff, and interesting to see behind the curtain at exactly what’s going on with your programs buffering and tty driver interaction.

Interview - Petra Zeidler - spz@netbsd.org

NetBSD Foundation ***

News Roundup

Running FreeBSD in Travis-CI Thanks to KQEmu

Travis-CI is the most popular testing framework on Github, but it doesn’t support any of the BSDs
This didn’t discourage Even Rouault, who managed to run FreeBSD in KQEMU on the Linux instances provided by Travis-CI
“Travis-CI has a free offer for software having public repository at GitHub. Travis-CI provides cloud instances running Linux or Mac OS X. To increase portability tests of GDAL, I wondered if it was somehow possible to run another operating system with Travis-CI, for example FreeBSD. A search lead me to this question in their bug tracker but the outcome seems to be that it is not possible, nor in their medium or long term plans.”
“One idea that came quickly to mind was to use the QEMU machine emulator that can simulate full machines, of several hardware architectures.”
They found an existing image of FreeBSD 9.2 and configured the Travis job to download it and fire it up in QEMU.
“Here we go: ./configure && make ! That works, but 50 minutes later (the maximum length of a Travis-CI job), our job is killed with perhaps only 10% of the GDAL code base being compiled. The reason is that we used the pure software emulation mode of QEMU that involves on-the-fly disassembling of the code to be run and re-assembling.”
Travis-CI runs in Google Compute Engine, which does not allow nested virtualization, so hardware virtualization is not an option to speed up QEMU
“Here comes the time for good old memories and a bit of software archeology. QEMU was started by Fabrice Bellard. If you didn't know his name yet, F. Bellard created FFMPEG and QEMU, holds a world record for the number of decimals of Pi computed on a COTS PC, has ported QEMU in JavaScript to run the Linux kernel in your browser, devised BPG, a new compression based on HEVC, etc....”
“At the time where his interest was focused on QEMU, he created KQemu, a kernel module (for Linux, Windows, FreeBSD hosts), that could significantly enhance QEMU performance when the guest and hosts are x86/x86_64 and does not require (nor use) hardware virtualization instructions.”
“Running it on Travis-CI was successful too, with the compilation being done in 20 minutes, so probably half of the speed of bare metal, which is good enough.”
“I could also have potentially tried VirtualBox because, as mentioned above, it supports software virtualization with acceleration. But that is only for 32 bit guests (and I didn't find a ready-made FreeBSD 32bit image that you can directly ssh into). For 64 bit guests, VirtualBox require hardware virtualization to be available in the host. To the best of my knowledge, KQemu is (was) the only solution to enable acceleration of 64 bit guests without hardware requirements.”
It will be interesting to see if enough people do this hack, maybe Travis-CI will consider properly supporting FreeBSD ***

OpenBSD EuroBSDcon 2016 Papers are online

Slides from the OpenBSD talks at EuroBSDCon are online now
- Landry Breuil, Building packages on exotic architectures
- Peter Hessler, Bidirectional Forwarding Detection (BFD) implementation and support in OpenBSD
- Ingo Schwarze, Why and how you ought to keep multibyte character support simple (roff/mm/gpresent source code)
- Stefan Sperling, OpenBSD meets 802.11n
- Antoine Jacoutot, OpenBSD rc.d(8)
- Marc Espie, Retrofitting privsep into dpb and pkg_add
- Martin Pieuchot, Embracing the BSD routing table
I am working to build a similar website for the FreeBSD project, but there is still a lot of work to do
I also managed to find the slides from the keynotes:
Opening Keynote: George Neville-Neil: Looking Backwards: The coming decades of BSD
Closing Keynote: Gert Döring: Internet Attacks, Self-Governance, and the Consequences ***

VirtualBox Shared Folders on FreeBSD: progress report

In the past month or so, VirtualBox in the FreeBSD ports tree got bumped to version 5, which while bringing new features, did cause a regression in Shared Folders.
FreeBSD developer gonzo@ (Oleksandr Tymoshenko) has been tackling this issue in recent days and provides us with a look behind the curtain at the challenges involved.
Specifically he started by implementing the various needed VOPs: “lookup, access, readdir, read, getattr, readlink, remove, rmdir, symlink, close, create, open, write.”
He then continues with details about how complete this is:

““Kind of implemented” means that I was able to mount directory, traverse it, read file, calculate md5 sums and compare with host’s md5sum, create/remove directories,
unzip zip file, etc but I doubt it would survive stress-test. Locking is all wrong at the moment and read/write VOPs allocate buffers for every operation.”

The bigger issue faced is with the rename VOP though:

> I hit a roadblock with rename VOP: it involves some non-trivial locking logic and also there is a problem with cached paths. VBox hypervisor operates on full paths so we cache them
in vboxfs nodes, but if one of parent directories is renamed, all cached names should be modified accordingly. I am going to tackle these two problems once I have long enough stretch
of time time sit and concentrate on task.

We wish him luck in getting those issues solved. I know quite a few of our users rely on shared folders as well. ***

FreeBSD News Issue #1

Issue #1 of FreeBSD News, from summer of 1997
Contains an article by Yahoo! co-founder David Filo about their early use of FreeBSD, on 100mhz Pentium machines with 64MB of ram
Java Development Kit 1.0.2 ported to FreeBSD
What is FreeBSD?
Running the world’s busiest FTP site (cdrom.com) on FreeBSD
Xi Graphics announces the release of CDE Business Desktop, the first and only integrated desktop for FreeBSD, on AcceleratedX, a fully supported commercial grade X display server
Get FreeBSD 2.2.2 Today! ***

Beastie Bits

Feedback/Questions

161: The BSD Bromance

JT Pennington — Wed, 28 Sep 2016 08:00:00 -0400

This week on BSDNow, we’re going to be hearing about Allan’s trip to EuroBSDCon, plus an Interview about “Bro on BSD”! Stay tuned, for your place to

This episode was brought to you by

Headlines

EuroBSDCon 2016 Wrapup

NetBSD for newbies - Develop your own Power PC

We don’t get to feature too many stories on NetBSD being deployed as a Power PC (Not PowerPC, you know, a Powerful “PC”), so we jumped at this one.
Specifically it starts off with some of the pre-req’s that you’ll need to get started, such as NetBSD 7.0.1 / amd64, along with some information about which wireless nics you may be using. (NetBSD like other BSD’s will give a driver based device name for network interfaces)
From there, instructions on how to write your WPA_supplicant config are provided, in order for us to fetch the NetBSD sources and convert to their -STABLE branch.
After doing a CVS checkout of the sources, he then provides a walkthrough of doing a kernel compile / install, however it mentions changing the config, but doesn’t provide an example of what options were changed. Perhaps to remove drivers we don’t need?
At this point the rest of the “desktop” setup is pretty straight forward. Some packages are added such as openbox, lxappearance, firefox, etc.
To get working sound, firefox requires pulseaudio, which in turn needs dbus, so instructions on getting that service up and running are provided as well.
When it’s all said and done, you’ll end up with your shiny new NetBSD -STABLE desktop (or laptop), bragging rights achieved! ***

More about OpenSMTPD 6.0.0

OpenSMTPd 6.0.0 has just been released “and it's quite different from former releases.”
“Unlike most of our releases, it comes out with almost no new feature.”, “Turns out most of the changes are not visible.”
Changelog:
- new fork+reexec model so each process has its own randomized memory space
- logging format has been reworked
- a "multi-line response" bug in the LMTP delivery backend has been fixed
- connections concurrency limits have been bumped
- artificial delaying in remote sessions have been reduced
- dhparams option has been removed
- dhe option has been added, supporting auto and legacy modes
- smtp engine has been simplified
- various cosmetic changes, code cleanup and documentation improvement
“The OpenSMTPD bootstrap process was quite simple: Upon executation, the parent process would read configuration, build a memory representation of it and would then create a bunch of socketpair() before fork()-ing all of its child processes.”
The problem is that this does not take advantage of the new address randomization feature. Each child will have the same memory layout, copied from the parent process
“So deraadt@ suggested that if OpenSMTPD would not just fork() children but instead fork() them and reexecute the smtpd binary, then each of the children would have its own randomized memory space.”
“The idea itself is neat, however not so trivial to implement because when we reexec the whole "inherit configuration and descriptors" part goes away. It's not just fork and exec, it's fork and exec and figure a way for the parent to pass back all the information and descriptors back to the new post-fork instance so it is the new instance that allocates memory and decides where the information goes.” ***

Upgrade a FreeBSD 10.3 Installation with ZFS on Root and Full Disk Encryption to 11.0

While FreeBSD 11.0 is not out yet, Joseph Mingrone has helped me work out and test the instructions for upgrading a FreeBSD 10.3 ZFS on full disk encryption setup (bootpool + zpool) to the new GELIBoot feature, which does not require any unencrypted partitions, just the 128kb bootcode
Note: Do not upgrade to FreeBSD 11.0 yet. While some images have landed on the FTP server, they do not contain the final openssl fix and are going to be recreated.
Currently, GELIBoot does not support key files, so the first step is to reencrypt the master key with only a passphrase.
Next, to avoid GELIBoot picking up encrypted partitions that it does not support, or partitions you do not want decrypted at boot, only partitions with the GELIBoot flag are decrypted, so set the flag on your root partition
Then, move the loader, kernel, and other files into /boot on the root filesystem, instead of them living on the bootpool. This allows the kernel to be versioned with boot environments, and is the main purpose of this work
Then, install the newer gptzfsboot, as this is required to support GELIBoot
The old 2gb bootpool partition is then purposely mislabeled as freebsd-vinum, so it is not picked up by the boot blocks. Later, if the upgrade is successful, this partition can be deleted, and used as addition swap or something
In order to boot correctly, you want all boot environments to have the ‘canmount’ ZFS property set to ‘noauto’
Thank you to Joseph for taking the time to prod me for the information required to write this up, and for testing it and finding all of the issues ***

Interview - Michael Shirk - mshirk@daemon-security.com / @shirkdog

Running Bro on BSD ***

News Roundup

FreeBSD based distro for virtual hosting platform and appliance

An interesting new FreeBSD-based project as shown up online, called “ClonOS”, which bills itself as a “free open-source FreeBSD-based platform for virtual environments creation and management”
It looks to be leveraging an impressive list of technologies, including Bhyve, Xen, Jails and CBSD / Puppet for management tasks.
Among its list of features:
- ZFS features support;
- VM cloning, export, import
- Ethernet SoftSwitch for separated networking
- jails for lightweight container
- VNC terminal for VM/containers
- Templates for VM/containers
- Configuration management/helpers
- Multi-node operation
Multi-Node? Color me intrigued!
Right now it appears to be under heavy development, but we’ll reach out to the developer to see if we can get an interview lined up at some point!

The Raspberry PI Platform and The Challenges of Developing FreeBSD

BSDMag recently did an interview with FreeBSD developer Olesandr Rybalko!
Oleksandr lives in the Ukraine, and while you may not have heard of him, he has worked on some cool projects for FreeBSD including the new “vt” console driver (Which a lot of people are using now), and ARM/MIPS support.
The interview covers some of the work he’s done to get the PI support working with FreeBSD:

> I think, my main help here was a USB OTG driver, which I wrote before for another device (Ralink RT3052), then port it to R-Pi. But it was rewritten by Hans Peter Selasky. I do not know so much about USB as Hans knows.

> Another useful part of my help is Xorg support. I did a simple Xorg video driver which uses framebuffer exported by virtual terminal subsystem. That is help to many guys to start use RPi as a simple desktop system.

He was also asked the question “Why would FreeBSD be good fit for ARM?”

>FreeBSD is very powerful as a network server. All modern network features in one box, with very fast processing.

> Another good side of FreeBSD is modularity. It is not required to write code to use some driver that was already written for another system, you can just define it in configuration files (kernel config, kernel hints, FDT). So if you want build a nice, R-Pi based, home server – use FreeBSD. If you want to play with devices attached to R-Pi’s GPIO – use FreeBSD.

He also discusses his work on the ZRouter project, which is a very light-weight platform for tiny routers / embedded devices. But lastly the RPI comes up again, specifically asking him how interested individuals can get involved. Specifically the wiki.freebsd.org is a great reference point for those intested in getting started with FreeBSD on embedded. The warm community is also a plus!

Trying out the FreeBSD powered TrueOS

The folks over at Phoronix have done an early look at the new TrueOS desktop images and given some of their thoughts.
First up he gives props to the installer, noting that:

> The TrueOS desktop installer is basically the same as from the PC-BSD days, just re-branded. Still one of the easiest BSD graphical installers I've dealt with and makes it a breeze for setting up a FreeBSD-on-ZFS system by default.

After that they took it for a minimal spin, and thing mostly seem to be working. He mentions some of the default apps (Such as qupzilla and trojita) aren’t their favorite, but Lumina has come quite a ways for 1.0, despite a few rough edges still. (We are in the process of changing those default e-mail / browser apps)
Lastly the article mentions that it’s time to do a more full BSD round-up to see the state of installation of them, which we happen to have next!

Trying out 8 BSDs on a modern PC

First up was TrueOS again, which no major changes there, easy install and done.
From there he tries out DragonFlyBSD, which he mentions that while the installer isn’t as easy, it is still one of his favorite BSD’s, working with all the hardware they’ve thrown at it.
Next up was GhostBSD, which also has an Easy-To-Use graphical installer similar to TrueOS that made it quick to get loaded and up to the Mate desktop.
Also tested was FreeBSD 11.0-RC2, which he mentions was easy to installed, and once done then ‘pkg’ could be used to easily get the setup he wanted setup.
Turning over to page two we get to the naughty list of BSD’s he had troubles with.
First up was OpenBSD which he tried 6.0. After installation and first boot, the display kept ‘disappearing’ which meant he couldn’t get IP information to try SSH’ing into the box. Perhaps a display driver error?
NetBSD 7 was up next, where the installer couldn’t get past a root device prompt. Most likely trouble finding the install media, which was the same story with MightnightBSD as well.
Also tested was “PacBSD” (Formerly ArchBSD) which he did manage to get installed, but not after major fighting with the process. After the process he ran into some issues getting packages up and running, but mentions it may have been bad timing due to them moving to a new server at the time. ***

IllumOS imports a modified FreeBSD boot loader to replace grub 0.97

Toomas Soome’s work to port the FreeBSD boot loader to IllumOS has been merged into illumos-gate, the upstream repository for all IllumOS distributions
Toomas’ work has also resulted in a number of commits to FreeBSD, and code sharing in both directions
Toomas helped me a lot with the building of the ZFS boot environment listing menu, even though on IllumOS they use a configuration file to list the BEs, rather than interrogating the live zpool like we do in FreeBSD
Toomas’ work to improve msdosfs and the block cache to speed up booting IllumOS also greatly helped FreeBSD
This work means IllumOS can now boot from a RAID-Z (the old grub they used could not), and if the work Toomas has done on FreeBSD is any indication, support for almost all other zpool features is also on the way
This work also sets IllumOS on a path to eventually having UEFI boot as well
It is good to see this work happening, FreeBSD technology being reused elsewhere, but also the improvements being made for IllumOS are coming back to FreeBSD, often landing upstream first, to make merging them into IllumOS easier.
The mailing list post describes how to convert existing systems away from grub, as well as how to opt to remain on grub for a while longer.
Grub 0.97 is expected to be removed from IllumOS within a year. ***

Beastie Bits

Feedback/Questions

160: EuroBSD-Dreamin

JT Pennington — Wed, 21 Sep 2016 08:00:00 -0400

This week on BSDNow, Allan is currently at EuroBSDCon! However due to the magic of video (or time travel), you still get a new episode. (You’re Welcome!). Stay tuned

This episode was brought to you by

Headlines

Performance Improvements for FreeBSD Kernel Debugging

“We previously explored FreeBSD userspace coredumps. Backtrace’s debugging platform supports FreeBSD kernel coredumps too, and their traces share many features. They are constructed somewhat differently, and in the process of adding support for them, we found a way to improve performance for automated programs accessing them.”
“A kernel core is typically only generated in exceptional circumstances. Unlike userspace processes, kernel routines cannot fault without sacrificing the machine’s availability. This means things like page faults and illegal instructions inside the kernel stop the machine, instead of just one process. At that point, in most cases, it is only usable enough to inspect its state in a debugger, or to generate a core file.”
No one likes it when this happens. This is why backtrace.io is focused on being able to figure out why it is happening
“A FreeBSD kernel core file can be formatted in several different ways. This depends on which type of dump was performed. Full core dumps are ELF files, similar in structure to userspace core files. However, as RAM size grew, this became more difficult to manage. In 2006, FreeBSD introduced minidumps, which are much smaller without making the core file useless. This has been the default dump type since FreeBSD 6.0.”
The article goes into detail on the minidump format, and some basic debugging techniques
“Libkvm will first determine whether the virtual address lies within the kernel or direct maps. If it lies in the kernel map, libkvm will consult the page table pages to discover the corresponding physical address. If it lies in the direct map, it can simply mask off the direct map base address. If neither of these applies, the address is illegal. This process is encapsulated by va_to_pa, or “virtual address to physical address”. Once the physical address is determined, libkvm consults the core file’s bitmap to figure out where in the core file it is located.”
“minidumps include a sparse bitmap indicating the pages that are included. These pages are dumped sequentially in the last section. Because they are sparse in a not entirely predictable way, figuring the offset into the dump for a particular physical address cannot be reduced to a trivial formula.”
The article goes into detail about how lookups against this map are slow, and how they were improved
“For typical manual debugger use, the impact of this change isn’t noticeable, which is probably why the hash table implementation has been in use for 10 years. However, for any automated debugging process, the extra latency adds up quickly.”
“On a sample 8GB kernel core file (generated on a 128GB server), crashinfo improves from 44 seconds to 9 seconds, and uses 30% less memory”
“Backtrace began shipping a version of this performance improvement in ptrace in February 2016. This enables us to also offer significantly faster tracing of FreeBSD kernel cores to customers running current and older releases of FreeBSD. On July 17, 2016, our work improving libkvm scaling was committed to FreeBSD/head. It will ship with FreeBSD 12.0.” ***

OpenBSD gunzip pipeline tightening

OpenBSD has rethought the way they handle package signing
Changing from: 1/ fetch data -> 2/ uncompress it -> 3/ check signature -> 4/ process data
To: 1/ fetch data -> 2/ check signature -> 3/ uncompress -> 4/ process data
“The solution is to move the signature outside of the gzip header”
“Now, Since step 1/ is privsep, as long as step 2 is airtight, 3/ and 4/are no longer vulnerable”
Guidelines:
- small, self-contained code to parse simple gzip headers
- signify-style signature in the gzip comment. Contains checksums of 64K blocks of the compressed archive
- don't even think about passing the original gzip header through
- use as a pipeline step: does not need to download full archive to use it, and never ever pass any data to the gunzip part before it's been verified.
“Note that afaik we haven't had any hole in our gunzipping process. Well… waiting for an accident to happen is not how we do things. Hopefully, this should prevent future mishaps.” ***

OpenVPN On FreeBSD 10.3

“While trying to setup OpenVPN, I noticed there was no up-to-date information with correct instructions. OpenVPN uses EasyRSA to setup keys, it has recently been changed in version 3. As a result of this, the old steps to configure OpenVPN are no longer correct. I went through the process of setting up a VPN using OpenVPN on FreeBSD 10.3.”
I know FreeBSD developer Adrian Chadd complained about this exact problem when he was trying to setup a VPN before attending DEFCON
The tutorial walks through the basic steps:
- Install the needed software
- Configure EasyRSA
- Create a CA
- Generate keys and DH params
- OpenVPN Server Config
- OpenVPN Client Config
- Starting the daemon
It even finishes off with bonus instructions on Port Forwarding, Firewalls, and Dynamic DNS ***

lsop

LSOP is the tool a bunch of users have been asking for
“a FreeBSD utility to list all processes running with outdated binaries or shared libraries”
How does it work? “lsop iterates over all running processes and looks through memory-mapped files with read + execute access; then it checks if those files are still available or have been modified/deleted.”
How would you use it? After installing an system update (that doesn’t require a reboot to update the kernel), or upgrade your packages, you still need to know which daemons need to be restarted to use the patched libraries and binaries
This tool gives you that list
Thanks to Bogdan Boyadzhiev for writing this much needed tool ***

News Roundup

OpenBSD 2016 Fundraising Campaign

The OpenBSD fund-raising campaign has given us a status update on the state of 2016.
They start by giving us a re-cap of previous years:
“2015 was a good year for the foundation financially, with one platinum, one gold, four silver and 3 bronze donors providing half of our total donations. 680 individuals making smaller contributions provided the other half. While the total was down significantly after 2014’s blockbuster year, we again exceeded our goal.”
As of Sept 5th, they were at approx $115k out of a total goal of 250k.
If you are an OpenBSD user, remember to contribute before the end of the year. Small amounts help, and the money of course goes to great causes such as hackathons and running the OpenBSD infrastructure.

Update firewall Bad Countries

Network and Systems admins know, sometimes when all else fails you need to break out the HUGE ban-hammer. In this case sometimes entire countries get put on the excrement list until the attacks stop.
We have a handy GitHub project today, which will assist you in doing exactly that, enter update-fw-BC. (Update firewall by country)
This perl script may be your savior when dealing with instances that require major brute force. It specifically works with IPFW, PF and IPTABLES, which will allow it to run across a variety of BSD’s or even Linux.
It will ingest a list of IP’s that you feed it (perhaps from another tool such as sshguard) and determine what block the IP belongs to, and match according to country.
Detailed setup instructions for the various firewalls are included, and some instructions for FreeBSD, although using it on OpenBSD or other $BSD should also be easy to adapt. ***

More utilities via moreutils

In most BSDs, the “core” set of utilities and commands are just part of the base system, but on Linux, they are usually provided by the “coreutils” package.
However, on Linux and now FreeBSD, there is a “moreutils” package, that provides a number of interesting additional basic utilities, including:
- chronic: Run a task via crontab, and only generate output if the task fails
- combine: binary AND two text files together, only displaying lines that are in both files
- errno: look up the text description of a specific error number
- ifdata: parse out specific information from ifconfig
- ifne: if-not-empty, only run a command if the output of the pipe is not blank
- isutf8: determine if a file or stdin contains utf8
- lckdo: execute a command with a lock held, to prevent a second copy from spawning
- mispipe: return the exit code of the first command in a pipe chain, rather than the last
- parallel: run multiple jobs at once
- pee: tee standard input to multiple pipes
- sponge: write standard input to a file, allows you to overwrite a file in place: sort file | sponge file
- ts: add a timestamp to each line of standard input
- vidir: edit a directory in vi, great for bulk renames
- vipe: insert vi into a pipe, edit the content before it is passed to the next command
- zrun: uncompress the arguments before passing them. Like gzless and friends, but for any command
Just goes to show the power of the original UNIX philosophy, chaining together a bunch of small useful tools to do really powerful things ***

OpenBSD: SNI support added to libtls, httpd in –current

libtls, LibreSSL’s improved API to replace the OpenSSL standard, now has a set of functions to implement SNI (Server Name Indication)
Until a few years ago, each different SSL/TLS enabled website required a unique IP address, because typical HTTP Virtual Hosting (differentiating which content to serve based on the Host header in the HTTP request), didn’t work because the request was encrypted.
Finally the TLS standard was updated to include the hostname of the site the user is requesting in the TLS handshake, so the server can return the corresponding certificate, and multiple TLS enabled websites can be hosted on a single IP address
The new API includes the ability to provide additional keypairs (via tls_config_add_keypair_{file,mem}())
And allow the server to determine what servername the client requested viatls_conn_servername()
This is much easier to use, and therefore safer and less error prone, than the OpenSSL API
The libtls API is used in a number of OpenBSD tools, including the httpd ***

Beastie Bits

Feedback/Questions

159: Net Scaling Privacy (Flix Style)

JT Pennington — Wed, 14 Sep 2016 08:00:00 -0400

This week on BSDNow! We’ve got Netflix + FreeBSD news to discuss, always a crowd pleaser, that plus EuroBSDCon is just around the corner. Stick around for your place

This episode was brought to you by

Headlines

Protecting Netflix Viewing Privacy at Scale, with FreeBSD

This blog post from Netflix tells the story of how Netflix developed in-kernel TLS to speed up delivery of video via HTTPS

> Since the beginning of the Open Connect program we have significantly increased the efficiency of our OCAs - from delivering 8 Gbps of throughput from a single server in 2012 to over 90 Gbps from a single server in 2016. We contribute to this effort on the software side by optimizing every aspect of the software for our unique use case - in particular, focusing on the open source FreeBSD operating system and the NGINX web server that run on the OCAs.

> In the modern internet world, we have to focus not only on efficiency, but also security. There are many state-of-the-art security mechanisms in place at Netflix, including Transport Level Security (TLS) encryption of customer information, search queries, and other confidential data. We have always relied on pre-encoded Digital Rights Management (DRM) to secure our video streams. Over the past year, we’ve begun to use Secure HTTP (HTTP over TLS or HTTPS) to encrypt the transport of the video content as well. This helps protect member privacy, particularly when the network is insecure - ensuring that our members are safe from eavesdropping by anyone who might want to record their viewing habits.

> The goal is to ensure that your government, ISP, and wifi sniffing neighbour cannot tell which Netflix videos you are watching

> Netflix Open Connect serves over 125 million hours of content per day, all around the world. Given our scale, adding the overhead of TLS encryption calculations to our video stream transport had the potential to greatly reduce the efficiency of our global infrastructure.

> We evaluated available and applicable ciphers and decided to primarily use the Advanced Encryption Standard (AES) cipher in Galois/Counter Mode (GCM), available starting in TLS 1.2. We chose AES-GCM over the Cipher Block Chaining (CBC) method, which comes at a higher computational cost. The AES-GCM cipher algorithm encrypts and authenticates the message simultaneously - as opposed to AES-CBC, which requires an additional pass over the data to generate keyed-hash message authentication code (HMAC). CBC can still be used as a fallback for clients that cannot support the preferred method.

> All revisions of Open Connect Appliances also have Intel CPUs that support AES-NI, the extension to the x86 instruction set designed to improve encryption and decryption performance. We needed to determine the best implementation of AES-GCM with the AES-NI instruction set, so we investigated alternatives to OpenSSL, including BoringSSL and the Intel Intelligent Storage Acceleration Library (ISA-L).

> Netflix and NGINX had previously worked together to improve our HTTP client request and response time via the use of sendfile calls to perform a zero-copy data flow from storage (HDD or SSD) to network socket, keeping the data in the kernel memory address space and relieving some of the CPU burden. The Netflix team specifically added the ability to make the sendfile calls asynchronous - further reducing the data path and enabling more simultaneous connections. However, TLS functionality, which requires the data to be passed to the application layer, was incompatible with the sendfile approach.

> To retain the benefits of the sendfile model while adding TLS functionality, we designed a hybrid TLS scheme whereby session management stays in the application space, but the bulk encryption is inserted into the sendfile data pipeline in the kernel. This extends sendfile to support encrypting data for TLS/SSL connections.

> We tested the BoringSSL and ISA-L AES-GCM implementations with our sendfile improvements against a baseline of OpenSSL (with no sendfile changes), under typical Netflix traffic conditions on three different OCA hardware types. Our changes in both the BoringSSL and ISA-L test situations significantly increased both CPU utilization and bandwidth over baseline - increasing performance by up to 30%, depending on the OCA hardware version. We chose the ISA-L cipher implementation, which had slightly better results. With these improvements in place, we can continue the process of adding TLS to our video streams for clients that support it, without suffering prohibitive performance hits.

If you would like more detail, check out the papers from AsiaBSDCon 2015 and the updated one from 2016 ***

OpenBSD on HP Stream 7

> Recent events have rocked the mobile computing world to its core. OpenBSD retired the zaurus port, leaving users in desperate need of a new device. And not long before that, Microsoft released the Anniversary Update to Windows 10, but with free space requirements such that it’s nigh impossible to install on cheap 32GB eMMC equipped devices such as the HP Stream series, leaving users searching for a new lightweight operating system. With necessity as both mother and father, the scene is set for a truly epic pairing. OpenBSD on the HP Stream 7.

> The HP Stream line is a series of budget computers in a couple form factors. The Stream 11 is a fairly typical netbook. However, the Stream 7 and 8 are tablets. They look like cheap Android devices, but inside the case, they’re real boys, er PCs, with Intel Atom CPUs.

> To install OpenBSD on such a device, we need a few parts. Obviously, the tablet itself. There’s a dearth of ports on these things, but there is a micro USB port. Attaching anything useful requires an OTG “on the go” cable that creates a type A port. Attaching more than one useful thing requires a mini hub. And completing the install requires one each USB stick, keyboard, and network adapter.

> First, we need to prep the machine to boot from USB. Actually, before doing anything, make sure you have a full charge. It’s going to be battery only from here on out. Plug everything in. Flash drive, keyboard, and network into the hub, hub into the OTG cable, cable into the port on top of the Stream.

> Turn on the machine while holding the volume down button. This launches a mini menu from which we can enter the BIOS. There’s a little on screen keyboard in the corner, so this can be done even without a keyboard attached, but the USB keyboard should work. We need to change two settings in the boot section. First, turn off secure boot. Second, switch boot order to prefer USB. Save and exit. The first reboot reveals a confirmation screen checking that we really want to disable secure boot. We must enter a PIN and press enter. Enter the PIN shown on the screen and press enter. And we are go.

Then boot up OpenBSD from the USB drive
Ted then works there a number of kernel panics and device driver issues, but after disabling ACPI and IntelDRM, the device boots OpenBSD.

> Of course, there’s no X at this point. And definitely no touch screen. And no internal networking. However, by keeping our USB hub attached, we can drive the console and access the network. At least until the battery is depleted, even if we have no way of knowing how long that will be since we disabled all the ACPI devices, which also means no suspend or resume.

With some xorg.conf hacking, he did get Xorg working ***

DragonflyBSD steps towards base LibreSSL

Project: DragonFlyBSD / Switch base to use private LibreSSL libraries
DragonFly BSD adopts uses of LibreSSL
The number of projects beginning to switch over to LibreSSL is growing and it appears we can now throw DragonFly into that camp.
Following something that sounds vaguely familiar (Allan!) DFLY is now creating “private” LibreSSL libraries which are only linked against by base system binaries.
For the moment OpenSSL is still built, primarily so that various ports and 3rd party apps can continue to function as before.
A NO_OPENSSL option has also been added, but doesn’t really do much (yet), since it’ll still build and install headers / libraries even if set. ***

OpenBSD g2k16 Hackathon

News Roundup

OpenBSD (with encrypted softraid) on the Chromebook Pixel

Looking for a Laptop to make your OpenBSD road-warrior? If so, we have a great blog tutorial on getting OpenBSD setup on the Chromebook Pixel with encrypted softraid!
Author Joshua Stein gives us a very verbose look at how to install and dial-in the laptop perfectly. But first for those wondering about the hardware in the pixel:

> The Chromebook Pixel LS (2015) has an Intel Core i7 processor (Broadwell) at 2.4Ghz, 16Gb of RAM, a 2560x1700 400-nit IPS screen (239ppi), and Intel 802.11ac wireless. It has a Kingston 64Gib flash chip, of which about 54Gib can be used by OpenBSD when dual-booting with a 1Gb Chrome OS partition.

Due to this being a chromebook with seaBIOS, some manual key-press trickery will be required to initially get the OpenBSD Installer up and running.
From here you’ll want to pay special close attention to the disk partitioning. In particular Joshua will show us how to shrink the existing encrypted /home that ChromeOS uses, keeping the dual-boot intact. This will become important if you ever plan on updating the device.
From here, we move back to a more traditional setup, but with the added bonus of doing a soft-raid setup.
But the fun isn’t over yet! If you want to make OpenBSD the default boot, that’ll require cracking the lid on the device and removing a special pink write-protect screw. And of course if you want to remove the default splash-screen image, Joshua has you covered as well, although some flashrom magic will be required.
At this point you are nearly done. Final details on enabling specific bits of hardware are discussed. Most things work, apart from Audio and Bluetooth as of right now. ***

doas mastery

“doas” mastery - Paging MWL!
Our buddy Ted Unangst has written up a great ‘mastery’ guide of the doas command, which can come in handy if you are among the un-initiated in doas land.

> UNIX systems have two classes of user, the super user and regular users. The super user is super, and everybody else is not. This concentration of power keeps things simple, but also means that often too much power is granted. Usually we only need super user powers to perform one task. We would rather not have such power all the time. Think of the responsibility that would entail! Like the sudo command, doas allows for subdivision of super user privileges, granting them only for specific tasks.

He starts with the basic doas.conf setup, which starts with an empty config file
The doas config is much like a pf ruleset, the default is to block everything > We add the root rule second because doas evaluates rules in a last match manner. root is in the wheel group, so the first rule will match, and then we need to override that with a second rule. Remember to always start with general rules, then make them more specific. ***

iXsystems

iXsystems to host MeetBSD

FreeBSD Foundation Welcomes New Board Members

New Board Members
The FreeBSD Foundation has added two new board members
Interview with Kylie Liang
Kylie will focus on representing FreeBSD at conferences and businesses in China

> I live in China. There, I can act as a bridge between Chinese companies and the FreeBSD community to help drive FreeBSD adoption. Through my leadership role in the FreeBSD Foundation, I will help promote FreeBSD in China and also represent the Foundation at conferences and events in my region.

Kylie leads the team the ensures FreeBSD runs well on Hyper-V and Azure, including providing commercial support for customers who run FreeBSD or FreeBSD based appliances on the Azure Cloud

> I joined Microsoft and started to lead the project called FreeBSD Integration Service to get FreeBSD running well on Hyper-V and Azure. To promote our work and to understand the FreeBSD ecosystem, I started to participate in FreeBSD events where I was inspired by this technical community.

Interview with Philip Paeps
Philip started with FreeBSD in the early 2000s and got his commit bit in 2004

> The patches I submitted to make ACPI and input devices work on that laptop led to a src commit bit in 2004. While I haven’t worked on ACPI or input devices since, I have been contributing to different areas of the kernel. Taking up maintainership of some ports I cared about also got me a ports commit bit after some time.

Philip will continue to help run EuroBSDCon, but is also spreading the word about FreeBSD in India and Africa

> Primarily, I think I can be useful! I attend (and organize) a number of conferences around the world every year, particularly in regions that have a mostly “stealthy” FreeBSD community. While I clearly don’t need to be on the FreeBSD Foundation board to advocate for FreeBSD, joining as a director will provide an additional asset when working in areas of the world where organizational affiliations are meaningful.

Philip has also developed network drivers and various other bits and pieces, and has extensive experience working with and for hardware vendors and appliance vendors

> Despite intending to eventually contribute their code to the FreeBSD Project as open source, many hardware vendors still find it very difficult to engage directly with the FreeBSD development community. The Foundation helps bridge that gap and helps facilitate collaboration between commercial vendors and the FreeBSD community.

> I hope to make FreeBSD more visible in regions of the world where it is historically under-represented. I expect I will be attending even more conferences and getting myself invited to even more organizations.

more, less, and a story of typical Unix fossilization

Chris Siebenmann from the University of Toronto digs into the history of the difference between ‘less’ and ‘more’

> In the beginning, by which we mean V7, Unix didn't have a pager at all. That was okay; Unix wasn't very visual in those days, partly because it was still sort of the era of the hard copy terminal. Then along came Berkeley and BSD. People at Berkeley were into CRT terminals, and so BSD Unix gave us things like vi and the first pager program, more (which showed up quite early, in 3BSD, although this isn't as early as vi, which appears in 2BSD). Calling a pager more is a little bit odd but it's a Unix type of name and from the beginning more prompted you with '--More--' at the bottom of the screen.

> All of the Unix vendors that based their work on BSD Unix (like Sun and DEC) naturally shipped versions of more along with the rest of the BSD programs, and so more spread around the BSD side of things. However, more was by no means the best pager ever; as you might expect, it was actually a bit primitive and lacking in features. So fairly early on Mark Nudelman wrote a pager with somewhat more features and it wound up being called less as somewhat of a joke.

> In a sane world, Unix vendors would have either replaced their version of more with the clearly superior less or at least updated their version of more to the 4.3 BSD version. Maybe less wouldn't have replaced more immediately, but certainly over say the next five years, when it kept on being better and most people kept preferring it when they had a choice.”

“This entire history has led to a series of vaguely absurd outcomes on various modern Unixes. On Solaris derivatives more is of course the traditional version with source code that can probably trace itself all the way back to 3BSD, carefully updated to SUS compliance. Solaris would never dream of changing what more is, not even if the replacement is better. Why, it might disturb someone.

> Oddly, FreeBSD has done the most sensible thing; they've outright replaced more with less. There is a /usr/bin/more but it's the same binary as less and as you can see the more manpage is just the less manpage. OpenBSD has done the same thing but has a specific manpage for more instead of just giving you the less manpage.

> So, now you can see why I say that less is more, or more, or both, at several levels. less is certainly more than more, and sometimes less literally is more (or rather more is less, to put it the right way around).

Beastie Bits

PC-BSD listed in the top 8 'best' alternatives to Windows 10
Creating a quick DNS server with a Rapsberry Pi2 and FreeBSD 11.0-RC1
Dual Boot OpenBSD and Linux + UEFI
DesktopBSD 2.0 various versions available (Gnome, Lumina, KDE, LXDE)
FreeBSD gets new ZFS features including: Compressed ARC and ZFS Allocation Throttle
One Floppy NetBSD Distribution
A Compendium of BUGs

Feedback/Questions

158: Ham, Radio and Pie (oh my)

JT Pennington — Wed, 07 Sep 2016 08:00:00 -0400

This week on BSDNow, we’ll be talking to Diane Bruce about using it for Ham Radio Enthusiasts, the RPi3 and much more! That plus all the latest news from the week,

This episode was brought to you by

Headlines

PC-BSD is now TrueOS

If you’ve been watching this show the past few months, I’ve been dropping little hints about the upcoming rename of PC-BSD -> TrueOS. We’ve made that more official finally, and are asking folks to test out the software before a wider announcement this fall.
For those wondering about the name change, it’s been something discussed over the past few years at different times. With us beginning to move more aggressively with changes for 11.0 (and eventually 12-CURRENT), the time seemed right to have a fresh start, using it as a spring-board to introduce all the changes in both software, and development / release model.
I’ll be discussing more about this shift in a talk at MeetBSD2016 (Another reason for you to go), but here’s some of the highlights.
No longer tied to specific FreeBSD point-releases, TrueOS will instead follow a rolling-release model based upon FreeBSD -CURRENT.
Special tooling and features (Such as boot-environments) make this a feasible option that we didn’t have as easily in the early days of PC-BSD.
In addition, TrueOS builds some things different from vanilla FreeBSD. Specifically Matt Macy’s DRM and Linux Compat work, LibreSSL directly in base, built from External Toolchain (No clang in base system package) and much more.
New tools have have replaced, and are in the process of replacing the legacy PC-BSD control panel as well, which allows remote operation, either via Qt GUI, or WebSockets / REST API’s.
I’ll be talking about more as things unfold, but for now please feel free to test and let us have feedback while we push towards a more stable release. ***

The Voicemail Scammers Never Got Past Our OpenBSD Greylisting

Peter Hansteen (That grumpy BSD guy) gives us an interesting look at how their OpenBSD grey-listing prevented spam from ever making it to their inbox.
Specifically it looks like it occurred during Aug 23rd and 24th, with a particularly nasty ransomware payload destined to play havoc with Windows systems.
Peter then walks us through their three-server mail setup, and how spamd is run in greylisting mode on each.
The results? Nothing short of perfection: > “From those sources we can see that there were a total of 386 hosts that attempted delivery, to a total of 396 host and target email pairs (annotated here in a .csv file with geographic origin according to whois). The interesting part came when I started looking at the mail server logs to see how many had reached the content filtering or had even been passed on in the direction of users' mailboxes. There were none. The number of messages purportedly from voicemail@ in any of the domains we handle that made it even to the content filtering stage was 0. Zero. Not a single one made it through even to content filtering.”
Not bad at all! Looks like spam-trap addresses + grey-listing is the way to go for stopping this kind of foolishness. Checkout Peter’s blog post for more details, but perhaps this will encourage you to setup a similar-type system for your business. ***

FreeBSD on a tiny system; what’s missing

Adrian Chadd talks about some of the bits that are missing to make FreeBSD truly useful on small embedded devices
Some of this stuff can be done now, but requires more work than it should
“The first is a lack of real service management. FreeBSD doesn't have a service management daemon - the framework assumes that daemons implement their own background and monitoring. It would be much nicer if init or something similar to init could manage services and start/restart them where appropriate.”
Of course, on a system with 32mb of memory, such a service manager would need to be very light weight
“maybe I want to only start telnetd or dropbear/sshd whenever a connection comes in. But I'd also like to be able to add services for monitoring, such as dnsmasq and hostapd.”
telnetd and sshd can be run from inetd, but often depend on special support from the daemon
“The next is a lack of suitable syslog daemon. Yes, I'd like to be able to log some messages locally - even if it's only a couple hundred kilobytes of messages. I'd also like to be able to push messages to a remote service. Unfortunately the FreeBSD syslog daemon doesn't do log rotation or maximum log file sizes itself - it's done by "newsyslog" which runs out of cron. This isn't any good for real embedded systems with limited storage.”
Syslog leaves much to be desired, especially in its configuration syntax, and filtering capabilities. Having it be able to detect with log files have grown beyond a reasonable size and fire off newsyslog would be very interesting
“Then yes, there's a lack of a cron service. It'd be nice to have that integrated into the service management framework so things could be easily added/removed. I may just use cron, but that means cron is also always running which adds memory footprint (~1.3 megabytes) for something that is almost never actually active. When you have 32MB of RAM, that's quite a bit of wasted memory.”
Systems have come back full circle, to where 32MB and 64MB are amounts of memory people expect to work with, while other people still want the system to perform well with 32 or 64 GB of memory
It will be interesting to see how this balancing act plays out, trying to make the same codebase useful for extremely small and extremely large systems at the same time, while also running it on your middle of the road laptop. ***

So I lost my OpenBSD FDE password

“The other day I set up a new OpenBSD instance with a nice RAID array, encrypted with Full Disk Encryption. And promptly proceeded to forget part of the passphrase.”
So they started a little project
Goal: “We need to extract enough info from the encrypted disk and rebuild enough of the decryption algorithm to be able to rapidly try many passphrases.”
The post walks through how they reverse engineered the encryption system from the source code and a hexdump of a small encrypted memory disk
“Now that we know how to extract the data and how to try passphrases against it, it will be trivial to write a bruteforce tool to recover the part of passphrase I forgot.”
So, rather than having to try every possible passphrase, they only had to try fuzzing around the known keyword that was their passphrase.
“UPDATE: I found it! After fixing a bug or two in the brute force tool and almost losing hope, it found the right combination of forgotten word and (Italian) misspelling.”
This work lead to the author recommending that OpenBSD consider strengthening the key derivation algorithm used in its FDE.
Rather than using a fixed number of rounds (8000 currently), do a small benchmark and determine how much work can be done in a reasonable amount of time
This is what FreeBSD’s GELI FDE does, targeting ‘over 2 million microseconds’ of work. On my desktop i5-3570 this results in 974842 rounds. The number will likely not be the same twice because of minor variations in how long it will take in microseconds. ***

Interview - Diane Bruce - db@freebsd.org / @Dianora_1

Ham Radio, RPi3 and more!

News Roundup

See Me _{^{(Michael W. Lucas)}} in 2016

Looking for a chance to interact with author Michael W Lucas in meat-space? (That sounds wrong)
If so, he has posted a list of the up-coming conferences he’ll be speaking at, starting with Ohio LinuxFest Oct 7-8, where he’ll be giving an introduction to ZFS talk.
Nov 8th, he’ll also be at MUG (Michigan User Group) giving a PAM talk.
Sadly, no MeetBSD for Michael this year [moment of silence], but if you are able to make it to one of the aforementioned gatherings, be sure to bring your books for autographs. We promise he doesn’t bite. Much. ***

It’s hard work printing nothing

“It all starts with a bug report to LibreSSL that the openssl tool crashes when it tries to print NULL. This bug doesn’t manifest on OpenBSD because libc will convert NULL strings to ”(null)” when printing. However, this behavior is not required, and as observed, it’s not universal. When snprintf silently accepts NULL, that simply leads to propagating the error.”
“There’s an argument to be made that silly error messages are better than crashing browsers, but stacking layers of sand seems like a poor means of building robust software in the long term.”
“As soon as development for the next release of OpenBSD restarted, some developers began testing a patch that would remove this crutch from printf.”
If you’d like to help with this work, see our call for volunteers from 2 weeks ago: opportunity to help: %s audit in mandoc
Of course, immediately things started to complain. The configure script for talloc does a number of checks (check out the additional interesting observations by TedU here)
“The test checking that our snprintf function conforms to the C99 standard actually contains, at a minimum, 3 deviations from the standard. It should say “Checking for non-conformant vsnprintf”.”
“Of course, we’re dealing with NULL pointers, so all bets are off, but I wonder what people who expect printf NULL to work expect out of strlen? Does it return 0? Does it crash?”
So, talloc decides that the system printf is no good, and it should use its own bundled implementation
“After all the configure testing, eventually the build will fail, because somebody forgot to actually add the replacement object file to the Makefile.”
“If the replacement function has never been used, that’s hardly reassuring that it is actually better tested than the version we have in libc.” ***

Revisiting W^X with OpenBSD 6.0

OpenBSD 6.0 includes enforcement of W^X in user-land
This prevents an application from being able to map a page of memory with both Write and Execute permissions (protecting mmap(2))
Once mapped a page of memory should not be able to have permissions escalated (protecting mprotect(2))
OpenBSD 6.0 enforces the strict W^X definition, and not the PaX/grsec “once write never execute” type of policy ***

OpenBSD imports a letsencrypt client into the base system

We’ve mentioned letskencrypt before (A native C version of the letsencrypt client, developed by Kristaps).
Looks like it’s undergoing a name-change to “acme-client” and has made it’s way into OpenBSD’s base system!
This should ensure first-class support for management of Let’s Encrypt certificates, here’s hoping the portable version continues to thrive as well.
Congrats to Kristaps! ***

Beastie Bits

Feedback/Questions

157: ZFS, The “Universal” File-system

JT Pennington — Wed, 31 Aug 2016 08:00:00 -0400

This week on BSDNow, we have an interview with Richard Yao, who will be telling us about the experience and challenges of porting ZFS to Linux. That plus the latest news and feedback is coming your way, on your place

This episode was brought to you by

Headlines

Registration for MeetBSD 2016 is now Open

“Beastie’s coming home!” This year, MeetBSD will be held at UC Berkeley’s Clark Kerr Campus
November 11th and 12th, preceded by a two day FreeBSD Vendor/Dev Summit (Nov 9th and 10th)

> MeetBSD can be traced back to its humble roots as a local workshop for BSD developers and users, hosted annually in Poland since 2004. Since then, MeetBSD’s popularity has spread, and it’s now widely recognized as its own conference with participants from all over the world.

The US version runs every two years in California since 2008, and now trades off with the east coast vBSDCon which runs on the odd years.
“MeetBSD 2016 uses a mixed unConference format featuring both scheduled talks and community-driven events such as birds-of-a-feather meetings, lightning talks, hackable presentations, stump the chumps, and speed geeking sessions. Speakers are to be determined – stay tuned for more information!”
Register before September 30th, and get $30 off
Kris and I will be there, along with lots of other FreeBSD Developers, Vendors, and Users.
MeetBSD’s unconference style does a very good job of mingling users with developers and is one of my favourite conferences. ***

Dual Booting FreeBSD and Windows UEFI

Looking to install FreeBSD alongside Windows 10? What happens if that that system is pre-installed and UEFI? Well you could run TrueOS, but if that isn’t your bag and you want vanilla FreeBSD we have you covered this week!
Over on Kevin Bowling’s blog, we have a detailed article showing exactly how to do that.
First up, as prep you’ll need to go into the Windows disk manager and shrink your existing NTFS partition.
You’ll need to next boot FreeBSD 11 or later.
From there the walkthrough takes us through disk partitioning using gpart, and setup of ZFS into a boot-environment friendly layout.
Once you get through the typical FreeBSD setup / extraction, the tutorial gives us a nice bonus, showing how to setup “rEFInd” for a graphical boot-menu.
A great walkthrough, and hopefully it encourages others to try out dual-booting “EFI-style”. ***

ZFS High-Availability NAS

Interested in a DiY HA ZFS NAS? Edmund White (ewwhite on github) has posted a very detailed look at how he has custom-rolled his own Linux + ZFS + HA setup.
Most of the concepts are already ones used in various other HA products, but it is interesting and informative to see a public detailed look at how ZFS and HA works.
In particular this setup require some very specific hardware, such as dual-port SAS drives, so you will have to pre-plan according.
The only bummer is this is a ZFS on Linux setup. Maybe this can serve as the guide / inspiration for somebody in our community to do their own FreeBSD + HA + ZFS setup and blog about it in similar detail. ***

First public release of chyves - version 0.1.0

As bhyve continues to mature we are seeing tooling evolve around it. Enter ‘chyves’ which started life as a fork of iohyve.
We are looking to do an interview with the author in the near future, but we still want to bring you some of the new features / changes in this evolution of bhyve management.
First up, nearly every function from iohyve has either been re-written in part or full.
Among the new features, a full logging system (master and per-vm logs), multiple pool configurations, properties stored outside of ZFS (for speed) and self-upgrading. (Will that work with pkg’d version?)
In addition to the above features, the website has a large chart showing the original ‘iohyve’ commands, and how that usage has changed moving to chyves.
Give it a spin, let the author know of issues! ***

Interview - Richard Yao - ryao@gentoo.org

Sr. Kernel Engineer at ClusterHQ - Major Contributor to ZFS on Linux

News Roundup

ZFS Deadlock: 'Directory of Death'

A user reports that when they try to install npm (the Node.js package manager), their system deadlocks
It turns out, this was also hitting the FreeBSD package building machines
PR 209158
The problem was a race condition in the way renames are handled in the FreeBSD VFS vs how ZFS does them internally
This bug has existed since the original import of ZFS, but some other change caused it to happen much more frequently
“ZFS POSIX Layer is originally written for Solaris VFS which is very different from FreeBSD VFS. Most importantly many things that FreeBSD VFS manages on behalf of all filesystems are implemented in ZPL in a different Way. Thus, ZPL contains code that is redundant on FreeBSD or duplicates VFS functionality or, in the worst cases, badly interacts / interferes with VFS.”
“The most prominent problem is a deadlock caused by the lock order reversal of vnode locks that may happen with concurrent zfs_rename() and lookup(). The deadlock is a result of zfs_rename() not observing the vnode locking contract expected by VFS.”
The fixes have been merged to the 10.x and 11.x branches ***

New BSD Magazine out (2016-07)

Articles include: Implementing in-memory cache in the BeaST architecture, Docker Cleanup, FreeNAS Getting Started Guide, and starting at the very beginning with open source
The August issue is also out
This issue features two articles about MINIX 3, continues the FreeNAS getting started guide, Optimizes the in-memory cache for the BeaST architecture, and talks about fixing failed ports for Hardened and LibreBSD
We hope to have an interview with the creator of the BeaST architecture in the coming weeks ***

DragonflyBSD and UEFI

We’ve featured a few stories and walkthroughs about using UEFI to dual-boot BSD, and now its Dragonfly BSD’s turn.
Dave McFarlane writes into the DF mailing lists, telling us about the specific steps taken to get UEFI installed and boot-strapped on his system.
If you’ve done a FreeBSD manual UEFI install, the process looks very similar, but you will end up manually running ‘gpt’ to create partitions, installing dist files, and eventually installing boot1.efi into the FAT EFI partition.
Dave also ran into an issue with resulted in no /etc/fstab being present, and helpfully includes what his system needed to fully boot hammer properly.
Somebody should document this fully for DFLY, since I would expect to become more commonplace as commodity hardware is shipped with UEFI on by default. ***

Netflix and Fill

The Netflix team has produced a technical blog post describing how their OpenConnect appliances work
First the content is received from the content provider, and the Netflix content team makes it ready for deployment, by transcoding the various bitrates, packaging the subtitles, etc.
The finished files are then pushed to Amazon S3 storage
“We deploy the majority of our updates proactively during configured fill windows. An important difference between our OpenConnect CDN and other commercial CDNs is the concept of proactive caching. Because we can predict with high accuracy what our members will watch and what time of day they will watch it, we can make use of non-peak bandwidth to download most of the content updates to the OCAs in our network during these configurable time windows. By reducing disk reads (content serving) while we are performing disk writes (adding new content to the OCAs), we are able to optimize our disk efficiency by avoiding read/write contention. The predictability of off-peak traffic patterns helps with this optimization, but we still only have a finite amount of time every day to get our content pre-positioned to where it needs to be before our traffic starts to ramp up and we want to make all of the OCA capacity available for content serving.”
The OCA may actually contain more than one copy of the same video, because each disk in the OCA is independent, storing the same video on two different disks will provide twice the available read bandwidth
Normally the filesystem cache would obviate the need for this, but the Netflix OCA has so much storage, and not a lot of memory, and the requests from users are offset enough that the cache is useless
“OCAs communicate at regular intervals with the control plane services, requesting (among other things) a manifest file that contains the list of titles they should be storing and serving to members. If there is a delta between the list of titles in the manifest and what they are currently storing, each OCA will send a request, during its configured fill window, that includes a list of the new or updated titles that it needs. The response from the control plane in AWS is a ranked list of potential download locations, aka fill sources, for each title.”
“It would be inefficient, in terms of both time and cost, to distribute a title directly from S3 to all of our OCAs, so we use a tiered approach. The goal is to ensure that the title is passed from one part of our network to another using the most efficient route possible.”
The article then goes on to explain how they calculate the least cost filling source
“Now that Netflix operates in 190 countries and we have thousands of appliances embedded within many ISP networks around the world, we are even more obsessed with making sure that our OCAs get the latest content as quickly as possible while continuing to minimize bandwidth cost to our ISP partners.” ***

Beastie Bits:

Feedback/Questions

155: Cabling up FreeBSD

JT Pennington — Wed, 17 Aug 2016 08:00:00 -0400

This week on BSDNow, Allen is away in the UK (For BSDCam), but we still have a full episode for you! Don’t miss our interview with

This episode was brought to you by

Headlines

My two year journey to becoming an OS Developer

A blog post by Ryan Zezeski about how he ended doing OS Development instead of working on application
We have featured his posts before, including The illumos SYSCALL Handler

> It started in the summer of 2014: I had just left Basho after 3.5 years of working on Riak, when I decided I wanted to become an OS developer. I purchased Solaris Internals, cloned illumos-gate, fired up cscope, and got to work. I hardly knew any C, x86 might as well have been Brainfuck, and, frankly, I knew shit about operating systems. But I was determined.
> I’ve always learned best by beating my head against something until it makes sense. I’m not a fast learner; I’m persistent. What others have in ability I make up for in effort. And when it comes to OS internals it’s all about work ethic. The more you look, the more you realize it’s just another program. The main difference being: it’s the program all the other programs run on.
> My strategy: to pick something, anything, that looked interesting, and write a post describing how it works. I wrote several of these posts in 2014 and 2015. More important, it put me in touch with Roger Faulkner: the creator of truss(1), the Solaris process model, and the real /proc filesystem. At the time I didn’t like my interaction with Roger. He explained, in what I would later find out to be his typical gruff manner, that I was wrong; so I concluded he is a prick. But over the years I realized that I was being a brat—he was trying to teach me something and I let my ego get in the way. I’ve come to view that interaction as a blessing. I interacted with one of the greats, a mentor of my mentor’s mentor (a Great Great Mentor).
> A couple of weeks later something even more surreal happened, at illumos Day 2014. Bryan Cantrill was the last speaker of the day. One of my mentors and someone I admire greatly. He was there to regale us with the story of Joyent’s resurrection of lx-branded zones: Linux system call emulation on top of the illumos kernel. But before he would do that he decided to speak about me! I couldn’t believe it. I was so overwhelmed that I don’t remember most of what he said. I was too busy flipping shit—Bryan Cantrill is on stage, in front of other kernel developers I look up to, saying my name. I was in a dream. It turns out, unknown to me at the time, that he wrote the POSIX queue code for both Solaris and QNX, which I wrote about. He compared me to the great expository technical writers Elliott Organick and Richard Stevens. And it was at this moment that I knew I could do this: I could become an OS developer.
> Never underestimate the effect kind words can have on someone that looks up to you.

There is a lot more to the story, and it is definitely worth the read
The story then goes on to talk about his recent run in with Bryan Cantrill > A week from now my two year journey to become an OS developer comes to an end; and a new chapter begins. I don’t know what specific things I’m going to work on, but I’m sure it will push me to the limit. I look forward to the challenge. ***

Version 1.0 of the Lumina Desktop released

After 4 years of development, Lumina Desktop has now hit version 1.0!
This release brings with it a slew of new features and support:

> + Completely customizable interface! Rather than having to learn how to use a new layout, change the desktop to suit you instead!
> + Simple shortcuts for any application! The “favorites” system makes it easy to find and launch applications at any time.
> + Extremely lightweight! Allows applications to utilize more of your system hardware and revitalizes older systems!
> + Multiple-monitor support! Each monitor is treated as an independent entity – making it great for presentation systems which use a temporary monitor or for workstations which utilize an array of monitors for various tasks.

While originally developed on PC-BSD, it already has been ported to a variety of different platforms, including OpenBSD, DragonFly, NetBSD, Debian and Gentoo
Lumina has become the defacto desktop environment for TrueOS (Formerly PC-BSD), and looks like will provide a solid framework to continue growing desktop features. ***

n2k16 hackathon report: Ken Westerback on dhclient, bridges, routing and more

Next up, we have a report from Ken Westerback talking about the recent OpenBSD hackathon in Prague
He starts by telling us about the work in bpf:

>First order of business, stsp@'s weird setup involving bridges and multiple dhclient clients. A bit of bpf(4) programming to restrict dhclient to handling ethernet packets unicast to its interface worked. Cool. Unfortunately it turned out some lazy dhcp servers always use ethernet broadcasts just because some lesser, non-OpenBSD clients ignore unicast packets until they have configured IP. Classic chicken and egg. So this was backed out just before 6.0. Sigh.

Next up, he talks about an idea he had on the flight over, specifically with regard to how DHCP leases are stored, and how keeping the SSID information with them could speed up re-connection times, by only trying leases for current SSID’s connected. After a day or so of hacking, it was working! However for $REASONS it was shelved for post 6.0, bummer!
He then discusses an on-going project with Peter Hessler on passing along relevant PIDs in response to routing messages generated by kernel from ioctl events. This is something they’ve been hacking at, in order to allow dhclient to recognize its own routing messages. Sounds like they are both still works-in-progress.
However, Ken did get something in for 6.0:

> Diving back into dhclient code I discovered that in situations where multiple offers were received the unused offers were not being declined and discarded. Despite a clear comment saying that's what was being done! Thus dhclient might gradually use up more and more memory. And possibly be retrying offers that should have been discarded. The fix for this did make 6.0! Yay!

In Memoriam Roger Faulkner

USENIX has re-released Roger Faulkner’s original paper on /proc as a free download
The UNIX community recently lost one of its original pioneers, Roger Faulkner, whom one commenter described as “The godfather of post-AT&T UNIX”
In his memory, the USENIX group as re-released his original paper on the /proc file-system from 1991.
Roger worked in many area’s of UNIX, however the process file system /proc was his special baby.
“/proc began as a debugger interface superseding ptrace(2) but has evolved into a general interface to the process model.”
The original /proc only had a file for each process, not a directory. "Data may be transferred from or to any valid locations in the process's address space by applying lseek(2) to position the file at the virtual address of interest followed by read(2) or write(2)."
Processes could be controlled using IOCTLs on the file
As the USENIX article states:
> Roger believed that terrible things were sometimes required to create beautiful abstractions, and his trailblazing work on /proc embodies this burden: the innards may be delicate and nasty ("vile," as Roger might say in his distinguished Carolinian accent)—but the resulting abstractions are breathtaking in their power, scope and robustness.
RIP Roger, and thanks for the wonderful UNIX legacy you’ve left us all.

Interview - Myke Geiger - myke@servernorth.net / @mWare

Using FreeBSD at a DSL/Cable ISP ***

News Roundup

New options in bsdinstall - some sysctls and date/time settings

bsdinstall in FreeBSD 11.0 will feature a number of new menus.
The first, well allow you to set the date and time. Often on computers that have been in storage, or some embedded type devices that have no RTC, the date will be wildly wrong, and ntpd will refuse to run until the date is correctly set. This feature makes it easy to enter the date and time using dialog(1)
The second menu, inspired by the existing ‘services’ menu, offers a number of ‘hardening’ options
This menu allows users to easily enable a number of security features, including:
- Hide processes running as other users/groups
- Disable reading the kernel message buffer and debugging processes for unprivileged users
- Randomize the PID of newly created processes
- Enable the stack guard
- Erase /tmp at boot
- Disable remote syslog
- Disable sendmail
All of these options are off by default, so that an install done with the installer will be the same as an install from source, or an upgrade.
A number of these options are candidates to become on-by-default in the future, so the hope is that this menu will get more users to test these features and find any negative interactions with applications or general use, so they can be fixed. ***

Rawrite32: the NetBSD image writing tool

Martin of the NetBSD project has released a new version of his USB imaging tool, rawrite32
For those who’ve not used this tool before, it is a Windows Application that allows writing NetBSD images directly to USB media (other other disk media)
This update brings with it support for writing .xz file, and binary signing
This may come in handy for writing other OS images to memory sticks as well, especially for those locked into a windows environment who need to switch. ***

ZFS-Snap-Diff -- A pretty interface for viewing what changed after a ZFS snapshot

There are lots of nice little utilities to help create and maintain your ZFS snapshots. However today we have something unique to look at, ‘zfs-snap-diff’.
What makes it unique, is that it ships with a built-in golang / angularjs GUI for snapshot management
It looks very powerful, including a built-in diff utility, so you can even see the changes in text-files, in addition to downloading files, restoring old versions and more.
Its nice to see so many ZFS utilities starting to take off, and evolve file-management further. ***

Dtrace Conf 2016 Event Videos

The videos from Dtrace.conf 2016 have been posted
Some highlights:
- Useful DTrace Intro
- CTF Everywhere
- Distributed DTrace
- DTrace for Apps
- DTrace json() subroutine
- Implementing (or not) fds[] in FreeBSD
- OpenDTrace
- DTrace performance improvements with always-on instrumentation
- D Syntactic Sugar
- DTrace and Go, DTrace and Postgres
dtrace.conf(16) wrap-up by Bryan Cantrill

> Once again, it was an eclectic mix of technologists — and once again, the day got kicked off with me providing an introduction to dtrace.conf and its history. (Just to save you the time filling out your Cantrill Presentation Bingo Card: you can find me punching myself at 16:19, me offering unsolicited personal medical history at 20:11, and me getting trolled by unikernels at 38:25.)

The next DTrace.conf isn’t until 2020 ***

Beastie Bits

Feedback/Questions

154: Myths, Pi’s & Features, oh my!

JT Pennington — Wed, 10 Aug 2016 08:00:00 -0400

This week on BSDNow, we are taking a look at a few different tutorials, including running your very own RPi web-server. (Come-on, you

This episode was brought to you by

Headlines

broken features aren't used

This post from TedU talks about the difficulty of removing features from an operating system
“One of the difficulties in removing a feature is identifying all the potential users. A feature here could be a program bundled with an operating system, or a command line option, or maybe just a function in a library. If we remove a feature, users that depend on it will be sad. Unfortunately, absence of evidence is not evidence of absence. I’ve never heard of anybody running ls -p but it’s not impossible that somebody does.”
“The reasons why we want to remove an existing feature can vary. Sometimes it’s old code that interferes with maintenance. Sometimes a nearly complete rewrite can improve performance. In other cases, the feature in question is really more of a misfeature. It may have security implications, where the existence of the feature can be used to facilitate the exploitation of other vulnerabilities, and removing the feature will help mitigate the exploit.”
“There’s no general test that can be used, but there is one test that works in many cases. Test that the feature works. If the feature doesn’t work, that’s compelling evidence that nobody is using it, because nobody can be using it. You don’t need to fix it. You can just remove it.”
He makes some interesting comments about exhaustive unit tests and the push to keep everything working all the time. If you never break anything to see if someone complains, how do you know if it is still being used? ***

A Raspberry Pi FreeBSD Web Server

Looking at a super-low power solution to host some webpages? If so, we have the tutorial for you.
Specifically a walkthrough of getting FreeBSD up on a Pi, and setting up nginx, OpenNTPD, LibreSSL and friends.
The walkthrough starts with grabbing a FreeBSD 11 snapshot for arm64 and doing the initial setup process to get to a bootable FreeBSD system.
If you are an extreme noob, not to fear. The tutorial walks you through setting up usernames, timezones, even a larger /tmp directory on your new MiniBSD setup.
The tedious part comes to play during the setup of packages. The author walks us through setting up LibreSSL and various other packages via ports (Since LibreSSL isn’t the default in FreeBSD). This will take some time to compile on your humble RPi device. (Go make a sandwich, walk the dog, fix the gutters, etc)
When it’s all said and done, you’ll end up with a secure little web-server that you’ve configured all by yourself! (Wondering what the word-press performance would be like on that box) ***

Uber switches from PostgreSQL back to MySQL

We often hear success stories of people switching to PostgreSQL and getting huge performance gains, but this stories is the reverse
Uber’s engineering team has switched back to MySQL, because for their specific workload and design, MySQL’s innodb has better performance
Of course, it is not just vanilla MySQL, but “Schemaless”, a sharding system that sits on top of MySQL
The article goes into detail about the on-disk format used by Postgres, and the specific shortcomings that Uber encountered
Uber admits that all of its testing was against the older PostgreSQL 9.2, but one of their complaints is about having difficulty upgrading
“We started out with Postgres 9.1 and successfully completed the upgrade process to move to Postgres 9.2. However, the process took so many hours that we couldn’t afford to do the process again. By the time Postgres 9.3 came out, Uber’s growth increased our dataset substantially, so the upgrade would have been even lengthier. For this reason, our legacy Postgres instances run Postgres 9.2 to this day, even though the current Postgres GA release is 9.5.”
There is a followup, from the Postgres side
“Why we lost Uber as a user”
This thread goes into detail about the specific types of problematic queries that Uber was using
“The Uber guy is right that InnoDB handles this better as long as you don't touch the primary key (primary key updates in InnoDB are really bad)”
“This is a common problem case we don't have an answer for yet.”
The thread then goes on to discuss possibly supporting a “pluggable heap storage layer”, to allow different workloads to use different on-disk formats for best performance ***

Getting started with GhostBSD and FreeBSD

Part 1
Part 2
Part 3
Part 4
In what may be our first GhostBSD tutorial, we have a nice walkthrough on the initial getting started with it.
For those who don’t know, GhostBSD provides a nice XFCE or Mate desktop out of box, and still supports 32bit installs for those who want to keep that older hardware running.
The walkthough takes us through the process of grabbing GhostBSD images and getting the installer up and running via bootable USB stick.
Once booted, the graphical installer is straight-forward and short, allowing you to get the bits on disk as quickly as possible. (The actual installation took around 45 Minutes on an old Toshiba NB520)
The author then takes us on a tour of some of GhostBSD’s out-of-box bundled applications (Along with XFCE) and how it compares to similar Linux setups.
Lastly covered is the setup of Wireless (The manual way with WPA supplicant, since the GUI tool appeared to not work in this particular case)
All in all a good walkthrough, especially if you’ve not seen GhostBSD in action before, the screenshots are very informative! ***

News Roundup

Steam on FreeBSD 11-CURRENT

Steam on FreeBSD. Yes, we’ve heard of setups using WINE, but what about running the Linux binaries natively?
Well you are in luck. We have a github project that details getting the Linux native client up and running on a FreeBSD 11-CURRENT system.
This github project is rather mysterious, with only the instructions to download a pre-packaged steam.txz file, extract and run the provided install.sh script.
Curious I inspected some of the scripts, the installer.sh is fairly straight-forward, but does some ‘non-standard’ freebsd things, like fetching packages and extracting specific files/libaries into a new /compat/ubuntu directory.
After that, it goes through a huge list of debian/ubuntu packages, also throwing them into the aforementioned ubuntu directory.
At runtime, the wrapper script ensures that various linux compat file-systems are mounted in the correct location, then proceeds to run steam with some LD_LIBRARY_FLAGS set from the users .local/share/steam directory.
A tad scary if honest, however it is a neat PoC to see Steam working on FreeBSD. Hopefully somebody can turn this into a more traditional package which can be easily removed / cleaned up afterwards. ***

How to run Enlightenment on OpenBSD

Are you an enlightenment fan? Be honest, we know there are quite a few of you out there!
If so, we have a tutorial for you today, which talks about how to run E on OpenBSD.
The process is pretty easy, but some steps might be overlooked if you are new to OpenBSD or don’t know how to tune / compile things on your own.
It starts out with adjusting some sysctl’s for better tuning that works on an E based desktop.
Next is installing from package some pre-reqs that will enable us to build E from source.
After that, we need to download and install EFL from github, and the autogen / gmake commands are helpfully provided for you.
Lastly the same is done for E itself, and TADA, E is installed and ready to go on your OpenBSD system. If you do this right, should only take 5-10 minutes to be up and running. ***

Myths about FreeBSD

Over on the FreeBSD wiki, we have a new “Myths” page which we’ve never highlighted on the show before.
First up, and one I’ve very familiar with, is the usual “FreeBSD is only for Servers and not Desktops”, along with a good rebuttal about what it does offer and mention of projects such as PC-BSD which do it also.
Another prevalent one is the “FreeBSD has a closed development model”, which is easily refuted:

> FreeBSD has over 400 developers around the world who have commit access to the repository. Many of these are willing to commit patches from third parties. If you want to get an idea of the number of patches that have been committed on behalf of other developers, then search for 'Submitted by' in the commit logs. At the time of writing, this is just under twenty thousand, or about ten percent of all commits. After having a few patches accepted, regular contributors are usually encouraged to apply for commit access.

Another one that we are still hearing (Although it is less and less now) was the common “FreeBSD makes me compile everything from source”. Listeners of this show will know that pkg has pretty much made this irrelevant in recent years. However the option to compile yourself from source still exists, but most users won’t find this ever necessary.
A good list, with many more items on it than we’ve mentioned here. Take a look, you might find something there you’ve heard in the wild, or maybe even thought yourself at one point!

FreeBSD Area51 testing repo, KDE 5

This github GIST from Steve Wills provides the instructions to enable the FreeBSD xorg teams unofficial ‘Area51’ testing repo on your machine
This gives you access to the new KDE 5
Users should obviously be careful testing early-access software, but bug reports are very welcome, and important to getting KDE 5 working well under FreeBSD ***

Beastie Bits

Feedback/Questions

153: Big int trouble

JT Pennington — Wed, 03 Aug 2016 08:00:00 -0400

This week on BSDNow, we have a variety of news to discuss, covering quite the spectrum of BSD. (Including a new DragonFly release!).

This episode was brought to you by

Headlines

my int is too big

“The NCC Group report describes the bugs, but not the history of the code.”
“Several of them, as reported by NCC, involved similar integer truncation issues. Actually, they involved very similar modern 64 bit code meeting classic 32 bit code”
“The thrsleep system call is a part of the kernel code that supports threads. As the name implies, it gives userland a measure of control over scheduling and lets a thread sleep until something happens. As such, it takes a timeout in the form of a timespec. The kernel, however, internally implements time keeping using ticks (there are HZ, 100, ticks per second). The tsleep function (t is for timed) takes an int number of ticks and performs basic validation by checking that it’s not negative. A negative timeout would indicate that the caller has miscalculated. The kernel panics so you can fix the bug, instead of stalling forever.”
“The trouble therefore is when userland is allowed to specify a timeout that could be negative. The existing code made an attempt to handle various tricks by converting the timespec to a ticks value stored as a 64 bit long long which was checked against INT_MAX before passing to sleep. Any value over INT_MAX would be truncated, so we can’t allow that. Instead, we saturate the value to INT_MAX. Unfortunately, this check didn’t account for the possibility that the tick conversion from the timespec could also overflow and result in a negative value.”
Then there is the description of the kqueue flaw:
“Every kqueue keeps a list of all the attached events it’s watching for. A simple array is used to store file events, indexed by fd.”
“This array is scaled to accommodate the largest fd that needs to be stored. This would obviously cause trouble, consuming too much memory, if the identifier were not validated first. Which is exactly what kqueue tries to do. The fd_getfile function checks that the identifier is a file that the process has open. One wrinkle. fd_getfile takes an int argument but ident is a uintptr_t, possibly 64 bits. An ident of 2³² + 2 will look like a valid file descriptor, but then cause the array to be resized to gargantuan proportions.”
“Again, the fix is pretty simple. We must check that the ident is bounded by INT_MAX before calling fd_getfile. This bug likely would have been exploitable beyond a panic, but the array allocation was changed to use mallocarray instead of multiplying arguments by hand, thus preventing another overflow.”
Then there is a description of the anonymous mmap flaw, and the “secret magic” __MAP_NOFAULT flag ***

FreeBSD Quarterly Status Report Q2 2016

It’s time for another round of FreeBSD Quarterly Status Reports!
In this edition, we have status updates from the various teams, including IRC/Bugs/RE/Ports/Core and Foundation
We also have updates on some specific projects, including from Konstantin on the on-going work for his implementation of ASLR, including the new ‘proccontrol’ command which provides the following: > “The proccontrol(1) utility was written to manage and query ASLR enforcement on a per-process basis. It is required for analyzing ASLR failures in specific programs. This utility leverages the procctl(2) interface which was added to the previous version of the patch, with some bug fixes.”
Next are updates on porting CEPH to FreeBSD, the ongoing work to improve EFI+GELI (touched on last week) and more robust Mutexes.
Additionally we have an update from Matt Macy and the Xorg team discussing the current work to update FreeBSD’s graphic stack: > “All Intel GPUs up to and including the unreleased Kaby Lake are supported. The xf86-video-intel driver will be updated soon. Updating this driver requires updating Xorg, which in turn is blocked on Nvidia updates.”
The kernel also got some feature status updates, including on the new Allwinner SoC support, an update on FreeBSD in Hyper-V and VIMAGE
In addition to a quick update on the arm64 architecture (It’s getting there, RPi3 is almost a thing), we also have a slew of port updates, including support for GitLab in ports, updates on GNOME / KDE and some additional Intel-specific networking tools. ***

Vulnerabilities discovered in freebsd-update and portsnap

There are two vulnerabilities discovered in freebsd-update and portsnap, where an attacker could place files in the portsnap directory and they would be used without being subject to having their checksum verified (but this requires root access), and the second where a man-in-the-middle attacker could guess the name of a file you will fetch by exploiting the time-gap between when you download the initial snapshot, and when you fetch the updated files.
There are a number of vulnerabilities that were discovered in libarchive/tar as well
There is also an issue with bspatch. A security advisory for bspatch has already been released, as this vulnerabilities was also discovered by the Chromium team, which uses this same code. The patch discussed in this mailing list thread is larger, but secteam@ believes at least one of the additional checks introduced is incorrect and may prevent a valid patch from being applied. The smaller patch was pushed out first, to solve the main attack vector, while the larger patch is investigated. Automated fuzz testing is underway. Great care is being taken fixing bspatch, as if it is broken installing future updates becomes much more difficult
secteam@ and core@ would like to emphasize that the FreeBSD project takes these issue very seriously and are working on it > “As a general rule, secteam@ does not announce vulnerabilities for which we don't have patches, but we concede that we should have considered making an exception in this case”
Work is underway to re-architect freebsd-update and portsnap to do signature verification on all files before they are passed to libarchive/tar, to help protect users from any future vulnerabilities in libarchive.
However, this requires changes to the metadata format to provide these additional signatures, and backwards compatibilities must be preserved, so people can update to the newer versions to get these additional security features
There is also discussion of using HTTPS for delivery of the files, but certificate verification and trust are always an issue. FreeBSD does not distribute a certificate trust store by default.
There will be more on this in the coming days. ***

OpenSSH 7.3 Released

OpenSSH 7.3 has landed!
Primarily a bug-fix release, the release notes do mention the pending deprecation of some more legacy Crypto in the future, including denying all RSA keys < 1024bit, and removal of SSHv1 support. (Already disabled via compile option)
On the bug side, there was a security issue addressed in sshd:
> “sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters”
Also a timing issue was resolved in regard to password auth, which could possibly allow an attacker to discern between valid/invalid account names.
On the feature side, we have the new ProxyJump option (-J flag) which allows you to do simplified indirection through various SSH jump hosts.
Various bugs were fixed, and some compile failures resolved in the portable version to auto-disable some ciphers not supported by OpenSSL.

News Roundup

OpenBSD Ports - Integrating Third Party Applications [pdf]

A talk from Josh Grosse, presented at SEMIBUG (South-East Michigan BSD Users Group), about OpenBSD Ports
It opens by explaining the separation of the ‘base system’ from ‘packages’, as is common in most all BSDs
It explains the contents of OpenBSD package tar file, which contain some metadata files (+CONTENTS and +DESC) and then the actual package files
The talk goes on to explain the different branches (-release, -stable, and -current), and warn users that there are no official -stable packages from the project
Then it goes on into the development model, including what new contributors should expect
Then it walks through the entire process of creating a port and getting it contributed ***

NetBSD removes last RWX page in amd64 kernel

NetBSD has purged the last holdout RWX page on the amd64 platform > “Use UVM_PROT_ALL only if UVM_KMF_EXEC is given as argument. Otherwise, if UVM_KMF_PAGEABLE is also given as argument, only the VA is allocated and UVM waits for the page to fault before kentering it. When kentering it, it will use the UVM_PROT_ flag that was passed to uvm_map; which means that it will kenter it as RWX. With this change, the number of RWX pages in the amd64 kernel reaches strictly zero.”
Break out the party favors! Hopefully any last stragglers in any of the other BSD’s gets retired soon as well. ***

DragonFly BSD 4.6 launches with home-grown support for NVMe Controllers

Softpedia picked up on the release of DragonFlyBSD 4.6, specifically about their new home-grown NVMe driver. > “We now have a NVMe driver (PCIe SSDs). It currently must be kldloaded with nvme_load="YES" in /boot/loader.conf. The driver uses all concurrency features offered by the chip and will distribute queues and interrupts across multiple CPUs to maximize performance. It has been tested up to around 1.05M IOPS @4K, and roughly 6.5 GBytes/sec @32K (random read from urandom-filled partition, physio, many threads), with the 2xE5-2620v4 (xeon) test server 78% idle in the IOPS test and 72% idle on the bandwidth test. In other words, we maxed out the three NVMe devices we had plugged in and the system still had plenty of suds left over. Please note that a machine's ability to boot from an NVMe device depends on the BIOS, and not DragonFly. Most BIOSes cannot boot from NVMe devices and those that can probably only do it through UEFI. Info on device state is available with the new utility nvmectl.“
In addition to this improved support, 4.6 also brings in the improved graphics support, matching what is in Linux 4.4 and support for Broadwell/Skylake.
SMP also got some love: > “SMP performance was already very good. As part of the NVMe driver work we revamped the buffer cache subsystem and a number of other I/O related paths, further reducing lock contention and IPI signalling overheads. We also put topology-aware cpu cache localization into the kernel memory allocator (primarily helps multi-socket systems and systems with high core counts). The network subsystem also continues to receive significant improvement, with modest machine configurations now capable of handling upwards of 580K conns/sec.“ +Full Release Notes ***

The powerd++ daemon monitors the system load and adjusts the CPU clock accordingly and is a drop-in replacement for FreeBSD's native powerd(8).

As mentioned in our EuroBSDCon 2016 rundown, Dominic Fandrey will be giving a presentation about his powerd replacement, powerd++
The source code is already available on github, and is in ports
The major difference is the newer design handle many-core systems much better. The original powerd was written at a time when most laptops only had a single core, and maybe a hyperthread.
The new design decides which CPU frequency to use by looking at the busiest core, rather than the average across the cores, resulting in a more meaningful result. It also supports averaging over a longer period of time, to avoid jumping to a higher frequency to quickly
powerd++ also avoids ‘slewing’ the cpu frequency, ratching it up and down one step at a time, and instead jumps directly to the target frequency.
Often times, you will use less battery by jumping to maximum frequency, finishing the work, and going back to a low power state, than trying to do that work over a longer period of time in low power mode ***

Beastie Bits

Hyper-V: Unmapped I/O improves userland direct disk performance by 35% ~ 135%

One does not simply remove FreeBSD

A new BSD Podcast "BSD Synergy" has started

KnoxBug - Next Meeting - Aug 30th

Feedback/Questions

152: The Laporte has landed!

JT Pennington — Wed, 27 Jul 2016 08:00:00 -0400

This week on BSDNow, we have some big breaking news about another major switcher to FreeBSD, plus early information about the pending

This episode was brought to you by

Headlines

Leo Laporte tries FreeBSD

Leo Laporte, formerly of TechTV, and now of TWiT.tv, is switching to FreeBSD
“The latest debacle over the "forced" upgrade to Windows 10 and Apple's increasingly locked-in ecosystem has got me thinking. Do I really need to use a proprietary operating system to get work done? And while I'm at it, do I need to use commercial cloud services to store my data?”
A sometimes Linux user since the mid 90s, Leo talks about his motivations:
“But as time went by, even Ubuntu began to seem too commercial to me”
“So now for the grand experiment. Is it possible, I wonder, to do everything I need to do on an even more venerable, more robust system: a true UNIX OS, FreeBSD? Here are my requirements”
Browsing
Email with PGP signing and encryption
Coding - I'm a hobbyist programmer requiring support for lisp/scheme/racket, rust, and python (and maybe forth and clojure and meteor and whatever else is cool and new)
Writing
A password vault. I currently use Lastpass because it syncs with mobile but eventually I'll need to find a FOSS replacement for that, too
Photo editing - this is the toughest to replace. I love Photoshop and Lightroom. Can I get by with, say, GIMP and Darktable?
I do all of those things on my PCBSD machine all the time
“I love Linux and will continue to use it on my laptops, but for my main workhorse desktop I think FreeBSD will be a better choice. I also look forward to learning and administering a true UNIX system.”
He got a nice SuperMicro based workstation, with an Intel Xeon E3-1275v5 and an NVIDIA GeForce GTX 960 GPU
I have a server with one of those Skylake E3s, it is very nice
“450Mbps Wireless N Dual Band PCI-e Adapter w/ 3x 2dBi Antennas (Yes, sad to say, unless I rewire my house I'll have to use Wi-Fi with this beast. I'll probably rewire my house.)”
He plans to have a 4x 1TB ZFS pool, plus a second pool backed by a 512 GB NVMe m.2 for the OS
“And I'll continue to chronicle my journey into the land of FOSS here when The Beast arrives. But in the meantime, please excuse me, I've got some reading to do.”
Leo went so far as to slap a “Power By FreeBSD” sticker on the back of his new Tesla ***

OpenBSD 6.0 to be released on Sept 1st, 2016

OpenBSD 6.0 Tenative Released Notes
OpenBSD 6.0 is just around the corner, currently slated for Sept 1st and brings with it a whole slew of exciting new features
First up, and let’s get this right out of the way.. VAX support has been dropped!! Oh no!
However to make up for this devastating loss, armv7 has been added to this release.
The tentative release notes are very complete and marks 6.0 as quite an exciting release
OpenBSD 6.0 Pre-orders up

OpenBSD 6.0 tightens security by losing Linux compatibility

In related news, infoworld picked up on the pending removal of Linux compat from OpenBSD 6.0.
Touted as a security feature, you will soon be unable to run legacy linux binaries on OpenBSD. This has both positives and negatives depending upon your use case. Ironically we’re excitedly awaiting improved Linux Compat support in FreeBSD, to allow running some various closed-source applications. (Netflix DRM, Steam, Skype to name a few) ***

EuroBSDCon 2016 Schedule released

EuroBSDCon 2016 Tutorial Schedule released
EuroBSDCon has announced the list of talks and tutorials for September 22nd-25th’s conference!
George Neville Neil (Who we’ve interviewed in the past) is giving the keynote about “The Coming Decades of BSD” ***

News Roundup

Blast from the past

No interview again this week, we’re working on getting some people lined up.
The Leo Laporte story brought these old gem from TechTV into my youtube playlist:
Matt Olander and Murrey Stokey explain FreeBSD on TechTV
Matt Olander and Brooks Davis explain building a cluster with FreeBSD on TechTV
FreeBSD vs Linux Part 1
FreeBSD vs Linux Part 2 ***

Running FreeBSD on the LibreM

Eric McCorkle (Who has worked on the EFI loader for a while now) has written an update on his efforts to get FreeBSD working properly on the LibreM 13 laptop.
Since April the work seems to be progressing nicely
- Matt Macy’s i915 graphics patch works well on the Librem 13, and I personally made sure that the suspend/resume support works. The patch is very stable on the Librem, and I’ve only had one kernel panic the entire time testing it.
- The HDMI output Just Works™ with the i915 driver. Even better, it works for both X11 and console modes.
- Full support for the Atheros 9462 card has been merged in. I’ve had some occasional issues, but it works for the most part.
- The vesa weirdness is obviated by i915 support, but it was resolved by using the scfb driver.
Some of the outstanding issues still being worked on are support for Synaptics on this particular touchpad, as well as hotkey support for the keyboard, and brightness controls.
In addition Eric is still working on the EFI + Geli support, with the eventual goal of getting EFI secure-boot working out of box as well.

More OpenBSD syscall fuzzing

NCC Group’s Project Triforce continues its work of fuzzing OpenBSD
This time they have found a flaw that allows any user to panic the kernel
Attempting to read from the tmpfs_vfsops sysctl tree will panic the system: “attempt to execute user address 0x0 in supervisor mode”
This is actually a “good” thing…
“Impact: Any user can panic the kernel by using the sysctl call. If a user can manage to map a page at address zero, they may be able to gain kernel code execution and escalate privileges”
OpenBSD’s default configuration prevents mapping a page at address zero, so the code execution is prevented
So while a panic is a bad outcome, it is a lot better than it could have been ***

Root privilege escalation on NetBSD

This post described a root privilege escalation in NetBSD
mail.local is a utility included in the base system for delivering mail to other users on the same system, rather than invoking a mail client and going through the mail server.
The mail.local utility contains a ‘time of check / time of use’ vulnerability. This means that it checks if a file or permission is valid, and then later accesses that file. If an attacker can change that file between the time when it is checked, and the time when it is used, they may be able to exploit the system by evading the check
This is exactly what happens in this case
mail.local appends a message to the indicated user’s mailbox
It first checks if the target user already has an existing mailbox file. If the file exists, but is a link, mail.local exits with an error (to prevent exploits)
If the file does not exist, it is created
The message is then appended to the file
If the file needed to be created, it is chown’d to the owner of the mailbox
This is where the problem lies, if mail.local checks and does not find the mailbox, but an attacker then creates a link from the target mailbox to some other file
mail.local then appends to that file instead, thinking it is creating the new mailbox
Then, mail.local chown’s the target file to the user the attacker was trying to send mail to
The article explains how this could be used to replace /etc/master.passwd etc, but opts for an easier proof of concept, replacing /usr/bin/atrun, which is run as root every 5 minutes from crontab with a script that will copy the shell to /tmp and mark it setuid
The attacker can then run that shell out of /tmp, and be root
NetBSD fixed the vulnerability by changing the code flow, separating the cases for opening an existing file from creating a new file.
In the case where an existing file is opened, the code then verifies that the file that was opened has the same inode number and is on the same device, as the file that was checked earlier, to ensure it was not a link ***

FreeBSD Heap vulnerability in bspatch

An important vuln has been found and fixed in FreeBSD this past week, specifically relating to the ‘bspatch’ utility.
“Upstream's bspatch.c implementation doesn't check for negative values on the number of bytes to read from the "diff" and "extra" streams, allowing an attacker controlling the patch file to write at arbitrary locations in the heap.”
This could result in a crash, or running arbitrary code as the user running bspatch. (Often root)
“bspatch's main loop reads three numbers from the "control" stream in the patch: X, Y and Z. The first two are the number of bytes to read from "diff" and "extra" (and thus only non-negative), while the third one could be positive or negative and moves the oldpos pointer on the source image. These 3 values are 64bits signed ints (encoded somehow on the file) that are later passed the function that reads from the streams, but those values are not verified to be non-negative.”
“Chrome[OS] has four different implementations of this program, all derived from the same original code by Colin Percival.”
Chromium Issue Tracker
Patch your systems now! ***

Beastie Bits:

Feedback/Questions

151: Fuzzy Auditing

JT Pennington — Wed, 20 Jul 2016 08:00:00 -0400

This week on BSDNow, we have all sorts of interesting news, including a Kernel Fuzzing audit done for OpenBSD, a much improved

This episode was brought to you by

Headlines

Multiple Bugs in OpenBSD Kernel

Its patch Wednesday! (OR last Thursday if you were watching the mailing lists)
Jesse Hertz and Tim Newsham (part of the NCC Group calling themselves project Triforce) have been working with the OpenBSD team to fix some newly discovered bugs in the kernel using fuzzing.
Specifically they were able to track down several potential methods to corrupt memory or panic the kernel:
- mmap_panic: Malicious calls to mmap() can trigger an allocation panic or trigger memory corruption.
- kevent_panic: Any user can panic the kernel with the kevent system call.
- thrsleep_panic: Any user can panic the kernel with the __thrsleep system Call.
- thrsigdivert_panic: Any user can panic the kernel with the __thrsigdivert system call.
- ufs_getdents_panic: Any user can panic the kernel with the getdents system call.
- mount_panic: Root users, or users on systems with kern.usermount set to true, can trigger a kernel panic when mounting a tmpfs filesystem.
- unmount_panic: Root users, or users on systems with kern.usermount set to true, can trigger a kernel panic when unmounting a filesystem.
- tmpfs_mknod_panic: Root can panic kernel with mknod on a tmpfs filesystem.
This was a great find, and we have a link to more of the results, if you would like to explore them in more detail.
NCC Group OpenBSD Kernel fuzzing results
Would like to see more work like this done in all of the BSDs ***

Running CockroachDB in a FreeBSD Jail

The developers behind CockroachDB have written up a nice walkthrough of getting their software to run inside FreeBSD jails.

> “Manually encapsulating CockroachDB using Linux cgroups is no easy task, which is why tools like Docker exist in the first place. By comparison, running server processes natively in FreeBSD jails is straightforward and robust.”

The walkthrough begins with compiling CockroachDB straight from source (A port is pending), which is pretty easy relying upon bash / git / gmake and GO.
With the compile finished, the next step will be mounting linprocfs, although that may be going away in the future:

> “(Note: Linux compatibility files / packages / libraries are not needed further. CockroachDB uses Linux’s procfs to inspect system properties via gosigar. If/when gosigar evolves to read FreeBSD properties natively, CockroachDB will not need linprocfs any more.)”

With the initial setup complete, the walkthrough then takes us through the process of creating the rc.d script (Which should be included with the port) and ultimately setting up ezjail and deploying CockroachDB within.
With the word getting out about jails and their functionality, we hope to see more projects also provide walkthroughs and FreeBSD support natively. Kudos to the CockroachDB team! ***

Usermount bugs

kern.usermount, (vfs.usermount on FreeBSD) is a sysctl that can be enabled to allow an unprivileged user to mount filesystems. It is very useful for allowing non-root users to mount a USB stick or other external media.
It is not without its dangers though: > “kern.usermount=1 is unsafe for everyone, since it allows any non-pledged program to call the mount/umount system calls. There is no way any user can be expected to keep their system safe / reliable with this feature. Ignore setting to =1, and after release we'll delete the sysctl entirely.”
In OpenBSD 6.0 and forward, the setting will no longer work, and root privileges will be required to mount a filesystem
If there is a bug in the filesystem driver, the user could potentially exploit that and root the system > “In addition to the patched bugs, several panics were discovered by NCC that can be triggered by root or users with the usermount option set. These bugs are not getting patched because we believe they are only the tip of the iceberg. The mount system call exposes too much code to userland to be considered secure”
This is a very pragmatic way of dealing with these issues, as it is not really possible to be sure that EVERY bug has been fixed, and that this feature is no longer an exploit vector
usermount being removed from OpenBSD
I use this facility in FreeBSD extensively, combined with ZFS permission delegation, to allow non-root users to create and mount new ZFS datasets, and to do replication without requiring any root access
There are some safety belts, for instance: the user must own the directory that the new filesystem will be mounted to, so they can’t mount to /etc and replace the password file with their own ***

Let's Encrypt client from BSD in C

File this one under the category of “It’s about time!”, but Kristaps (Who we’ve interviewed in the past) has released some new software for interacting with letsencrypt.
The header for the project site sums it up nicely:

> “Be up-front about security: OpenSSL is known to have issues, you can't trust what comes down the pipe, and your private key's integrity is a hard requirement. Not a situation where you can be careless. letskencrypt is a client for Let's Encrypt users, but one designed for security. No Python. No Ruby. No Bash.A straightforward, open source implementation in C that isolates each step of the sequence.”

What specifically does it isolate you ask? Right now it is broken down into 6 steps:

read and parse an account and domain private key
authenticate with the Let's Encrypt server
authorise each domain listed for the certificate
submit the X509 request
receive and serialise the signed X509 certificate
request, receive, and serialise the certificate chain from the issuer

I don’t know about all of you, but I’m going to be switching over one of my systems this weekend. ***

News Roundup

Videos from the FOSDEM BSD Dev room are now online

The videos from the BSD Dev room at FOSDEM have been stealthily posted online at some point since last I checked
The videos are individually linked from the talks on the Schedule
The talk pages also include the slides, which can help you to follow along ***

FreeBSD on Jetson TK1

The nVidia Jetson TK1 is a medium sized ARM device that is a big more than your standard Raspberry Pi
The device has:
- NVIDIA 4-Plus-1™ Quad-Core ARM® Cortex™-A15 CPU (2.3 GHz)
- NVIDIA Kepler GPU with 192 CUDA Cores
- 2 GB DDR3L x16 Memory with 64-bit Width
- 16 GB 4.51 eMMC Memory
- 1 Half Mini-PCIE Slot
- 1 Full-Size SD/MMC Connector
- 1 Full-Size HDMI Port
- 1 USB 2.0 Port, Micro AB
- 1 USB 3.0 Port, A
- 1 RS232 Serial Port
- 1 ALC5639 Realtek Audio Codec with Mic In and Line Out
- 1 RTL8111GS Realtek GigE LAN
- 1 SATA Data Port
- SPI 4 MByte Boot Flash
The following signals are available through an expansion port:
- DP/LVDS
- Touch SPI 1x4 + 1x1 CSI-2
- GPIOs
- UART
- HSIC
- i2c
The device costs $192 USD from nVidia or Amazon
Oleksandr Tymoshenko (gonzo@freebsd.org) has a post describing what it takes to get FreeBSD running on the Jetson TK1 > “First of all – my TK1 didn’t have U-Boot. Type of bootloader depends on the version of Linux4Tegra TK1 comes with. Mine had L4T R19, with some kind of “not u-boot” bootloader.”
They tried using the provided tool, compiled on FreeBSD since it uses libusb, but it gave an error. Falling back to trying from Ubuntu, they got the same error.
They then flashed the TK1 with newer firmware, and suddenly, uboot is available.
The post then walks through pxe booting FreeBSD on the TK1
The guide then walks through replacing the UBoot with a version compatible with UBLDR, for more features
We’ll have to wait for another post to get FreeBSD burned onto the device, but at this point, you can reliably boot it without any user interaction
I have one of these devices, so I am very interested in this work ***

Why we use OpenBSD at VidiGaurd

VidiGuard (Which makes autonomous drone solutions for security monitoring) has posted an interesting write-up on why they use OpenBSD.
Specifically they start by mentioning while they are in business to provide physical security, they just as equally value their data security, especially their customer data.
They name 4 specific features that matter to them, starting with Uncompromising Quality and Security:

> “Over the past 20 years, OpenBSD’s focus on uncompromising quality and code correctness has yielded an operating system second-to-none. Code auditing and review is core to the project’s development process. The team’s focus on security includes integrated cryptography, new security mitigation techniques, and an optional-security-is-no-security stance, making it arguably the most secure operating system available today. This approach pays off in the form of only a few security updates for a given release, compared to other operating systems that might release a handful of updates every week.”

High praise indeed! They also mention the sane-defaults, documentation and last but not least, the license as also winning factors in making OpenBSD their operating system of choice.
Thanks to VidiGuard for publically detailing the use of BSD, and we hope to see other business follow suit! ***

"You can (and should) slow down and learn how things work" – Interview with Dru Lavigne

If you’ve been around the BSD community for any length of time, you no doubt have heard of Dru Lavigne (Or perhaps own one of her books!)
She was recently interviewed by Luca Ferrari for BSD Magazine and you may find it a fascinating read.
The 2nd question asked sounded a lot like our opener to an interview (How did you get into BSD)

> “ In the mid 90s, I went back to school to learn network and system administration. As graduation grew near and I started looking for a work, I noticed that all the interesting jobs wanted Unix skills. Wanting to increase my skills, and not having any money, I did an Internet search for “Free Unix”. The first hit was freebsd.org. I went to the website and started reading the Handbook and thought “I can do this”. Since I only had access to one computer and wanted to ramp up my skills quickly, I printed out the installation and networking chapters of the Handbook. I replaced the current operating system with FreeBSD and forced myself to learn how to do everything I needed to do on that computer in FreeBSD. It was a painful (and scary) few weeks as I figured out how to transition the family’s workflow to FreeBSD, but it was also exhilarating to learn that “yes, I can do this!. Since then, I’ve had the opportunity to try out or administer the other BSDs, several Linux distros, SCO, and Solaris. I found that the layout, logic, and release engineering process of the BSDs makes the most sense to me and I’m happiest when on a BSD system.”

When asked, Dru also had a good response to what challenges potential new UNIX or BSD users may face:

> “Students who haven’t been exposed to open source before are used to thinking of technology in terms of a purchasable brand consisting of “black boxes” that are supposed to “just work”, without having to think about how they work. You can (and should) slow down and learn how things work. It can be a mind shift to learn that the freedom to use and change how something works does exist, and isn’t considered stealing. And that learning how something works, while hard, can be fun. BSD culture, in particular, is well suited for those who have the time and temperament to dive into how things work. With over 40 years of freely available source and commit messages, you can dive as deep as you want into learning how things came to be, how they evolved over the years, how they work now, and how they can be improved. There is a diverse range of stuff to choose from: from user tools to networking to memory management to hardware drivers to security mechanisms and so on. There is also a culture of sharing and learning and encouragement for users who demonstrate that they have done their homework and have their own ideas to contribute.”

The interview is quite long, and Dru provides fantastic insights into more aspects of BSD in general. Well worth your time to read! ***

Beastie Bits:

Feedback/Questions

150: Sprinkle a little BSD into your life.

JT Pennington — Wed, 13 Jul 2016 08:00:00 -0400

Today on the show, we are going to be talking to Jim Brown (of BSD Cert Fame) about his home-brew sprinkler system… Wait for it…

This episode was brought to you by

Headlines

Distrowatch reviews OpenBSD and PCBSD's live upgrade method

Upgrading… The bane of any sysadmin! Distrowatch has recently done a write-up on the in-place upgrading of various distros / BSDs including PC-BSD and OpenBSD.
Lets look first at the PC-BSD attempt, which was done going from 9.2 -> 10.

> “I soon found trying to upgrade either the base system or pkg would fail. The update manager did not provide details as to what had gone wrong and so I decided to attempt a manual upgrade by following the FreeBSD Handbook as I had when performing a live upgrade of FreeBSD back in May. At first the manual process seemed to work, downloading the necessary patches for FreeBSD 10 and getting me to resolve conflicts between my existing configuration files and the new versions. Part way through, we are asked to reboot and then continue the upgrade process using the freebsd-update command utility. PC-BSD failed to reboot and, in fact, the boot loader no longer found any operating systems to run.”

Ouch! I’m not sure on the particular commands used, but to lose the boot-loader indicates something went horribly wrong. There is good news in this though. After the pain experienced in the 9.X upgrade process, 11.0 has been vastly improved to help fix this going forward. The updater is also self-updating, which means future changes to tools such as package can be accounted for in previously released versions.
Moving on to OpenBSD, Jesse had much better luck: > “The documentation provided explains how to upgrade OpenBSD 5.8 to version 5.9 step-by-step and the instructions worked exactly as laid out. Upgrading requires two reboots, one to initiate the upgrade process and one to boot into the new version of OpenBSD. Upgrading the base operating system took approximately ten minutes, including the two reboots. Upgrading the third-party packages took another minute or two. The only quirk I ran into was that I had to manually update my repository mirror information to gain access to the new packages available for OpenBSD 5.9. If this step is not done, then the pkg_add package manager will continue to pull in packages from the old repository we set up for OpenBSD 5.8. “
A good read, and they covered some Linux distros such as Mint and OpenMandriva as well, if you want to find out how they fared. ***

A curated list of awesome DTrace books, articles, videos, tools and resources

The website awesome-dtrace.com compiles a list of resources, including books, articles, videos, tools, and other resources, to help you get the most out of DTrace
The list of books includes 2 open source books that are available on the web, and of course Brendan Gregg’s official DTrace book
There are also cheat sheets, one-liner collections, and a set of DTrace war stories
A breakdown of different PID providers and the userspace statically defined tracepoints
The videos from DTrace.conf 2008, 2012, and soon 2016
And links to the tools to start using DTrace with your favourite programming language, including Erlang, Node.JS, Perl, PHP, Python, or Ruby
There are also DTrace setups for MySQL/MariaDB, and PostreSQL
Joyent has even written a mod_usdt DTrace module for the Apache web server
This seems like a really good resource, and with the efforts of the new OpenDTrace project, to modernize the dtracetoolkit and make it more useful across the different supported operating systems, there has never been a better time to start learning DTrace ***

Installing OpenBSD using a serial console with no external monitor

Have you found yourself needing to install OpenBSD from USB, but with a twist, as in no external monitor? Well somebody has and asked the question on stackexchange.
The answer provided is quite well explained, but in a nut-shell the process involves downloading the USB image and making some tweaks before copying it to the physical media.
Specifically with a couple of well-placed echo’s into boot.conf, the serial-port can be enabled and ready for use:

> echo "stty com0 115200" > /mnt/etc/boot.conf
> echo "set tty com0" >> /mnt/etc/boot.conf

After that, simply boot the box and you are ready to access the serial console and drive the installation as normal! #bsdhacks ***

GSoC 2016 Reports: Split debug symbols for pkgsrc builds

The NetBSD blog provides a status report on one of the GSoC projects that is nearing its midterm evaluation
The project to split debugging data into separate pkgsrc packages, so that users can install the debugging symbols if they need them to debug a failing application
The report is very detailed, and includes “A quick introduction to ELF and how debug information are stored/stripped off”
It walks through the process of writing a simple example application, compiling it, and dealing with the debug data
It includes a number of very useful diagrams, and a summary of what changes needed to be make to the pkgsrc makefile infrastructure
With this as a recipe, someone should be able to do something quite similar for FreeBSD’s ports tree ***

iXsystems

iXsystems’ TrueNAS Firmware Update Delivers Compelling Performance, Replication, and Graphing Improvements ***

Interview - Jim Brown - jpb@jimby.name

FreeBSD+BBB Sprinkler System

News Roundup

From the past : A Research Unix Reader

A paper by by Douglas McIlroy
“Selected pages from the nine research editions of the UNIX® Programmer’s Manual illustrate the development of the system”
“Accompanying commentary recounts some of the needs, events, and individual contributions that shaped this evolution.”
Interesting insight into the evolution of the origin UNIX operating system ***

Evolution of C programming practices – Unix 1973–2015

From the author of the recent post we covered, “20 years of NetBSD code bloat”, comes a new post
“I found a recent paper that also looks at how the BSD code base has evolved, but from a very different perspective compared to my code-size investigation.”
The paper "The Evolution of C Programming Practices: A Study of the Unix Operating System 1973–2015" investigates coding style, and tests seven hypotheses by looking at metrics (line length, number of volatile in the source code, etc.) in 66 releases of Unix from 1973 to 2014. The hypotheses are: > + Programming practices reflect technology affordances (e.g. developers may be more liberal with screen space when using high resolution displays) > + Modularity increases with code size > + New language features are increasingly used to saturation point > + Programmers trust the compiler for register allocation > + Code formatting practices converge to a common standard > + Software complexity evolution follows self correction feedback mechanisms > + Code readability increases
and the result is that they seem to be true, as interpreted through the metrics. > “The data points for the releases have somewhat random dates. One issue is that the paper use each release's mean file date (the average of the files' last modification time) instead of the release date (that is why the graphs stop at November 2010, even though FreeBSD 10 was released in 2014). The idea is that this better reflects the age of the code base, but this has the effect of compressing some of the data points (especially the clustering around 1993-1994), and it makes the spline fitting even more suspect.” > “One other problem is that the original data used by the researchers seems to have incorrect timestamps. For example, 4.3BSD Net/1 was released in 1989, but is listed as 1993-12-25 in the paper. The same is true for at least the Net/2 release too, which was released in 1991, but the paper list it as 1993-07-02.” ***

[old release pictures]

FreeBSD: Just in Time

Another BSDMag goodie this week, we have a small article written by Jonathan Garrido which details their experience switching to FreeBSD for a NTP server.
The article is short, but a good read: > “A Few years ago we had a time problem. Suddenly our linux NTP server, for a reason that I still do not know, started to fail giving us a lot of issues within all the equipment and services within our network. After a quick and brief meeting with management, I found out that there was not sufficient budget left for a fancy and well-suited appliance. So, with no time (literally) and no money to spend, I decided to give it a try and utilized a homemade open source solution, and the operating system of choice was FreeBSD 10.0.”

> “Now, let’s pause for a second. You may be thinking, why in the world is this guy doing this, when he has never installed a BSD machine in his life? The answer is very simple; here, in the Dominican Republic, in the heart of the Caribbean, FreeBSD has a very good reputation when it comes to reliability and security. In fact, there is some collective thought within the sysadmin community that says something like: “If you want to deal only once with a service, install it over FreeBSD.””

Jonathan then goes through some of the steps taken to initial deploy NTP services, but with that out of the way, he has a great summary: > “Fascinated with the whole experience, we migrate one of our internal dns servers to a second FreeBSD machine and at the moment of this writing we are testing haproxy, an open source load-balancing proxy into a another server with the same OS. > After all this, no time issues have been reported in the past 2 years, so at least for my environment, FreeBSD came just in time.“ ***

Beastie Bits

Feedback/Questions

149: The bhyve has been disturbed, and a wild Dexter appears!

JT Pennington — Wed, 06 Jul 2016 08:00:00 -0400

Today on the show, we are going to be chatting with Michael Dexter about a variety of topics, but of course including bhyve! That plus

This episode was brought to you by

Headlines

NetBSD Introduction

We start off today’s episode with a great new NetBSD article!
Siju Oommen George has written an article for BSDMag, which provides a great overview of NetBSD’s beginnings and what it is today.
Of course you can’t start an article about NetBSD without mentioning where the name came from:

“The four founders of the NetBSD project, Chris Demetriou, Theo de Raadt, Adam Glass, and Charles Hannum, felt that a more open development model would benefit the project: one centered on portable, clean and correct code. They aimed to produce a unified, multi-platform, production-quality, BSD-based operating system. The name “NetBSD” was suggested by de Raadt, based on the importance and growth of networks, such as the Internet at that time, the distributed and collaborative nature of its development.”

From there NetBSD has expanded, and keeping in line with its motto “Of course it runs NetBSD” it has grown to over 57 hardware platforms, including “IA-32, Alpha, PowerPC,SPARC, Raspberry pi 2, SPARC64 and Zaurus”
From there topics such as pkgsrc, SMP, embedded and of course virtualization are all covered, which gives the reader a good overview of what to expect in the modern NetBSD today.
Lastly, in addition to mentioning some of the vendors using NetBSD in a variety of ways, including Point-Of-Sale systems, routers and thin-clients, you may not have known about the research teams which deploy NetBSD:

> NASA Lewis Research Center – Satellite Networks and Architectures Branch use NetBSD almost exclusively in their investigation of TCP for use in satellite networks.
> KAME project – A research group for implementing IPv6, IPsec and other recent TCP/IP related technologies into BSD UNIX kernels, under BSD license.
> NEC Europe Ltd. established the Network Laboratories in Heidelberg, Germany in 1997, as NEC’s third research facility in Europe. The Heidelberg labs focus on software-oriented research and development for the next generation Internet.
> SAMS-II Project – Space Acceleration Measurement System II. NASA will be measuring the microgravity environment on the International Space Station using a distributed system, consisting of NetBSD.“

My condolences, you’re now the maintainer of a popular open source project

A presentation from a Wordpress conference, about what it is like to be the maintainer of a popular open source project
The presentation covers the basics:
Open Source is more than just the license, it is about community and involvement
The difference between Maintainers and Contributors
It covers some of the reasons people do not open up their code, and other common problems people run into:
- “I'm embarrassed by my code” (Hint: so is everyone else, post it anyway, it is the best way to learn)
- “I'm discouraged that I can't finish releases on time”
- “I'm overwhelmed by the PR backlog”
- “I'm frustrated when issues turn into flamewars”
- “I'm overcommitted on my open source involvement”
- “I feel all alone”
Each of those points is met with advice and possible solutions
So, there you have it. Open up your code, or join an existing project and help maintain it ***

FreeBSD Committer Allan Jude Discusses the Advantages of FreeBSD and His Role in Keeping Millions of Servers Running

An interesting twist on our normal news-stories today, we have an article featuring our very own Allan Jude, talking about why FreeBSD and the advantages of working on an open-source project.

> “When Allan started his own company hosting websites for video streaming, FreeBSD was the only operating system he had previously used with other hosts. Based on his experience and comfort with it, he trusted the system with the future of his budding business.A decade later, the former-SysAdmin went to a conference focused on the open-source operating system, where he ran into some of the folks on its documentation team. “They inspired me,” he told our team in a recent chat. He began writing documentation but soon wanted to contribute improvements beyond the docs.Today, Allan sits as a FreeBSD Project Committer. It’s rare that you get to chat with someone involved with a massive-scale open-source project like this — rare and awesome.”

From there Allan goes into some of the reasons “Why” FreeBSD, starting with Code Organization being well-maintained and documented:

> “The FreeBSD Project functions like an extremely well-organized world all its own. Allan explained the environment: “There’s a documentation page that explains how the file system’s laid out and everything has a place and it always goes in that place.””

In addition, Allan gives us some insight into his work to bring Boot-Environments to the loader, and other reasons why FreeBSD “just makes sense”
In summary Allan wraps it up quite nicely:

> “An important take-away is that you don’t have to be a major developer with tons of experience to make a difference in the project,” Allan said — and the difference that devs like Allan are making is incredible. If you too want to submit the commit that contributes to the project relied on by millions of web servers, there are plenty of ways to get involved!

> We’re especially talking to SysAdmins here, as Allan noted that they are the main users of FreeBSD. “Having more SysAdmins involved in the actual build of the system means we can offer the tools they’re looking for — designed the way a SysAdmin would want them designed, not necessarily the way a developer would think makes the most sense”

A guide to saving electricity and time with poudriere and bhyve

“This article goes over running poudriere to built packages for a Raspberry Pi with the interesting twist of running it both as a bhyve guest and then switching to running on bare metal via Fiber Channel via ctld by sharing the same ZFS volume.”
“Firstly, poudriere can build packages for different architectures such as ARM. This can save hours of build time compared to building ports from said ARM device.”
“Secondly, let’s say a person has an always-on device (NAS) running FreeBSD. To save power, this device has a CPU with a low clock-rate and low core count. This low clock-rate and core count is great for saving power but terrible for processor intensive application such as poudriere. Let’s say a person also has another physical server with fast processors and a high CPU count but draws nearly twice the power and a fan noise to match.”
“To get the best of both worlds, the goal is to build the packages on the fast physical server, power it down, and then start the same ZFS volume in a bhyve environment to serve packages from the always-on device.”
The tutorial walks through setting up ‘ahost’, the always on machine, ‘fhost’ the fast but noisy build machine, and a raspberry pi
It also includes creating a zvol, configuring iSCSI over fibre channel and exporting the zvol, booting an iSCSI volume in bhyve, plus installing and setting up poudriere
This it configures booting over fibre channel, and cross-building armv6 (raspberry pi) packages on the fast build machine
Then the fast machine is shut down, and the zvol is booted in bhyve on the NAS
Everything you need to know to make a hybrid physical/virtual machine
The same setup could also work to run the same bhyve VM from either ahost or fhost
bhyve does not yet support live migration, but when it does, having common network storage like the zvol will be an important part of that ***

Interview - Michael Dexter - editor@callfortesting.org / @michaeldexter

The RoloDexter ***

iXSystems

Children's Minnesota Star Studio Chooses iXsystems' TrueNAS Storage ***

News Roundup

FreeBSD Foundation June 2016 Update

The FreeBSD Foundation’s June newsletter is out
Make sure you submit the FreeBSD Community Survey by July 7th:
In addition to the opening message from the executive director of the foundation, the update includes details to sponsored work on the FreeBSD VM system, reports from a number of conferences the Foundation attended, including BSDCan
The results of the foundation's yearly board meeting
People the foundation recognized for their contributions to FreeBSD at BSDCan
And an introduction to their new “Getting Started with FreeBSD” project ***

[How-To] Building the FreeBSD OS from scratch

A tutorial over at the All-NetTools.com forums that walks through building FreeBSD from scratch
I am not sure why anyone would want to build Xorg from source, but you can
It covers everything in quite a bit of detail, from the installation process through adding Xorg and a window manager from source
It also includes tweaking some device node permissions for easier operation as a non-root user, and configuring the firewall ***

Window Systems Should Be Transparent + Rob Pike of AT&T Labs writes about why Window Systems should be transparent

This is an old paper (undated, but I think from the late 80s), but may contain some timeless insights
“UNIX window systems are unsatisfactory. Because they are cumbersome and complicated, they are unsuitable companions for an operating system that is appreciated for its technical elegance”
“A good interface should clarify the view, not obscure it”
“Mux is one window system that is popular and therefore worth studying as an example of good design. (It is not commercially important because it runs only on obsolete hardware.) This paper uses mux as a case study to illustrate some principles that can help keep a user interface simple, comfortable, and unobtrusive. When designing their products, the purveyors of commercial window systems should keep these principles in mind.”
There are not many commercial window systems anymore, but “open source” was not really a big thing when this paper was written ***

Roger Faulkner, of Solaris fame passed away

“RIP Roger Faulkner: creator of the One and True /proc, slayer of the M-to-N threading model -- and the godfather of post-AT&T Unix”
@bcantrill: Another great Roger Faulkner story
The story of how pgrep -w saved a monitor -- if not a life
@bcantrill: With Roger Faulkner, Tim led an engineering coup inside Sun that saved Solaris circa 2.5 ***

Beastie Bits:

BUG Update

Feedback/Questions

148: The place to B...A Robot!

JT Pennington — Wed, 29 Jun 2016 08:00:00 -0400

This week on the show, Allan and I are going to be showing you a very interesting interview we did talking about using FreeBSD to drive

This episode was brought to you by

Headlines

FreeBSD Core Team Election

Core.9 has been elected, and will officially take over from Core.8 on Wednesday, 6 July 2016
Many thanks to the outgoing members of the core team for their service over the last 2 years
214 out of 325 eligible voters (65.8%) cast their votes in an election counting 14 candidates.
The top nine candidates are, in descending order of votes received:
180 84.1% Ed Maste (incumbent)
176 82.2% George V. Neville-Neil (incumbent)
171 79.9% Baptiste Daroussin (incumbent)
168 78.5% John Baldwin
166 77.6% Hiroki Sato (incumbent)
147 68.7% Allan Jude
132 61.7% Kris Moore
121 56.5% Benedict Reuschling
108 50.5% Benno Rice
There was no tie for ninth.
BSDNow and the entire community would also like to extend their thanks to all those who stood for election to the core team
Next week’s core meeting will encompass the members of Core.8 and Core.9, as responsibility for any outstanding items will be passed from outgoing members of core to the new incoming members ***

Why I run OpenBSD

This week we have a good article / blog post talking about why the posted has moved to OpenBSD from Linux.

> “One thing I learned during my travels between OSs: consistency is everything.

> Most operating systems seem to, at least, keep a consistent interface between themselves and binaries / applications. They do this by keeping consistent APIs (Application Programming Interfaces) and ABIs (Application Binary Interfaces). If you take a binary from a really old version of Linux and run or build it on a brand-spanking new install of Linux, it will likely Just Work™. This is great for applications and developers of applications. Vendors can build binaries for distribution and worry less about their product working when it gets out in the wild (sure this binary built in 2016 will run on RedHat AS2.1!!).“

The author then goes through another important part of the consistency argument, with what he calls “UPI” or “User Program Interfaces”. In other words, while the ABI may be stable, what about the end-user tooling that the user directly has to interact with on a daily basis?

> “This inconsistency seems to have come to be when Linux started getting wireless support. For some reason someone (vendors, maybe?) decided that ifconfig wasn’t a good place to let users interact with their wireless device. Maybe they felt their device was special? Maybe there were technical reasons? The bottom line is, someone decided to create a new utility to manage a wireless device… and then another one came along… pretty soon there was iwconfig(8), iw(8), ifconfig(8), some funky thing that let windows drivers interface with Linux.. and one called ip(8) I am sure there are others I am forgetting, but I prefer to forget. I have moved onto greener pastures and the knowledge of these programs no longer serves me.”

The article then goes through the rundown of how he evaluated the various BSD’s and ultimately settled on OpenBSD:

> “OpenBSD won the showdown. It was the most complete, simple, and coherent system. The documentation was thorough, the code was easy to follow
and understand.
It had one command to configure all of the network interfaces!
I didn’t have wireless, but I was able to find a cheap USB adapter that worked by simply running man -k wireless and reading about the USB
entries.
It didn’t have some of the applications I use regularly, so I started reading about ports (intuitively, via man ports!).”

The ultimate NetBSD Router

> “So yesterday I spent the day setting up a new firewall at home here, based off of this BSD Now tutorial. Having set up a couple of OpenBSD routers before, either based on old laptops, bulky old power-sucking desktops or completely over-specced machines like the Intel NUC, I wanted to get some kind of BSD onto a low-powered ARM board and use that instead.”
> “I've had a couple of Cubietrucks lying around for a while now, I've used them in a couple of art installations, running Debian and Pure Data, but over all they've been a bit disappointing. It's more the manufacturer's fault but they require blobs for the graphics and audio, which Debian won't allow, so as a multimedia board they're dud for video, and only passable for audio work with a usb sound card. So they've been collecting dust.”
> “Only thing missing is a second NIC, luckily I had an Apple USB->Ethernet dongle lying around, which when I bought it was the cheapest thing I could find on eBay that OpenBSD definitely supported. There, and on NetBSD, it's supported by the axe(4) driver. USB 2.0 works fine for me as I live in Australia and my ISP can only give me 30Mbps, so this should do for the forseeable future.”

The article then walks through installing and configuring NetBSD
Configuration includes: pf, unbound, and dhcpd > “This project has been really fun, I started with basically no experience with NetBSD and have finished with a really useful, low-powered and robust appliance. It's a testament to the simplicity of the NetBSD system, and the BSD design principles in general, that such a novice as myself could figure this out. The NetBSD project has easily the most polished experience on Allwinner ARM boards, even Debian doesn't make it this easy. It's been a joy running the system, it has the bits I love from OpenBSD; ksh(1), tmux(1), an http daemon in base and of course, pf(4). This is mixed with some of the pragmatism I see in FreeBSD; a willingness to accept blobs if that really is the only way to boot, or get audio, or a video console.” ***

bhyve-Bootable Boot Environments

We have a lengthy article also today from our friend Michael Dexter, who asks the basic question “What if multibooting and OS upgrades weren't horrible?”
No doubt if you’ve been a frequent listener to this show, you’ve heard Allan or Myself talking about ZFS Boot Environments, and how they can “change your life”.
Well today Michael goes further into detail on how the BE’s work, and how they can be leveraged to do neat things, like installing other versions of an operating system from the original running system.

> “If you are reading this, you have probably used a personal computer with a BSD or GNU/Linux operating system and at some point attempted to multiboot between multiple operating systems on the same computer. This goal is typically attempted with complex disk partitioning and a BSD or GNU/Linux boot loader like LILO or GRUB, plus several hours of frustrating experimentation and perhaps data loss. While exotic OS experimentation has driven my virtualization work since the late 1990s, there are very pragmatic reasons for multibooting the same OS on the same hardware, notable for updates and failback to "known good" versions. To its credit, FreeBSD has long had various strategies including the NanoBSD embedded system framework with primary and secondary root partitions, plus the nextboot(8) utility for selecting the "next" kernel with various boot parameters. Get everything set correctly and you can multiboot "with impunity".

> “That's a good start, and over time we have seen ZFS "boot environments" be used by PC-BSD and FreeNAS to allow for system updates that allow one to fall back to previous versions should something go wrong. Hats off to these efforts but they exist in essentially purpose-built appliance environments. I have long sensed that there is more fun to be had here and a wonderful thing happened with FreeBSD 10.3 and 11.0: Allan Jude added a boot environment menu to the FreeBSD loader”

From here Michael takes us through the mechanical bits of actually creating a new ZFS dataset (BE) and performing a fresh FreeBSD 10.3 installation into this new boot-environment.
The twist comes at the end, where he next sets up the BE to be a root NFS for booting in bhyve! This is interesting and gives you a way to test booting into your new environment via a VM, before rebooting the host directly into it. ***

Interview - Edicarla Andrade & Vinícius Zavam - @egypcio

BSD-Powered Robots

News Roundup

Tomohiro Kasumi explains what “@@” means, in the context of the Hammer filesystem

A post from the Dragonfly users’ mailing list about what the @@ construct means in the Hammer filesystem
“@@ represents the existence of a PFS which is logically separated pseudo filesystem space within HAMMER's B-Tree”
“HAMMER only has 1 large B-Tree per filesystem (not per PFS), so all the PFS exist within that single B-Tree. PFS are separated by localization parameter which is one of the B-Tree keys used to lookup the tree.”
Each substring in "@@-1:00001" means:
1. "@@" means it's a PFS or snapshot.
2. "-1" means it's a master.
3. ":" is just a separator.
4. "00001" means it's PFS#1, where PFS#0 is the default PFS created on newfs. There is no "00000" because that's what's mounted on /HAMMER. PFS# is used for localization parameter.
“Localization parameter has the highest priority when inserting or looking up B-Tree elements, so fs elements that belong to the same PFS# tend to be localized (clustered) within the B-Tree”
There is also a note about how snapshots are named: "@@0x00..."
A user points out that having : in the path can confuse some applications, such as in the case of adding the current directory or a relative path to the $PATH environment variable, which is a colon delimited list of paths
This seems quite a bit more confusing that the datasets created by ZFS, but they might have other useful properties ***

FreeBSD 11.0 nearing RC1

We’ve all been eagerly awaiting the pending release of FreeBSD 11.0, and the schedule has now been updated!
The first release candidate is slated for July 29th!
If all goes well (and we stick to schedule) there will be another RC2 and possible RC3 release, before 11.0 officially drops near the end of August.
Start playing with those builds folks, be sure to send your feedback to the team to make this the best .0 release ever! ***

TensorFlow on FreeBSD

Next we have a blog post about the experience of a “new” FreeBSD user trying to deploy some non-ported software to his new system.
Specifically he was interested in running TensorFlow, but not doing a port himself, because in his words:

> “First, I apologize for not supplying a port archive myself. After reading the FreeBSD handbook for creating a port, it's too complex of a task for me right now. I've only been using FreeBSD for two weeks. I would also not like to waste anyone's time giving them a terrible port archive and mess up their system.”

First of all, good ports are often born out of bad ports! Don’t let the porting framework daunt you, give it a go, since that's the only way you are going to learn how to write “good” ports over time. The porters-handbook is a good first place to start, plus the community usually is very helpful in providing feedback.
He then walks us through the changes made to the TensorFlow code (starting with the assumption that OSX was a good “flavor” to begin porting from) and ultimately compiling.
This ends up with the creation of a pip package which works!
A good tutorial, and also very similar to what goes on in the porting process. With this write-up perhaps somebody will take up creating a port of it… hint hint! ***

NetBSD: A New Beginning?

We don’t get enough NetBSD news at times, but this post by James Deagle talks about his adventure with NetBSD 7.0 and making it his “new beginning”

> “After a few months of traipsing around the worlds of SunOS and Linux, I'm back to NetBSD for what I hope will be a lengthy return engagement. And while I'm enamored of NetBSD for all the previously-mentioned reasons, I'm already thinking ahead to some problems to solve, some of which have also been mentioned before.”

He then goes through and lists some of the small nits he’s still running into during the daily workflow
YouTube audio - Specifically he mentions that no audio is playing, but wonders if Flash plays some part. (Ideally you’re not using Flash though, in which case you need to check the audio backend FF is using. Try PulseAudio since it seems the best supported. If pulse is already enabled, install ‘pavucontrol’ to make sure audio is playing to the correct sound device)
Slow gaming performance (TuxKart and Celestia) - Check DRI / Xorg? Or is it CPU bound?
Lastly some unspecified Wireless issues, which typically end up being driver related. (Or use another chipset)

Beastie Bits

Feedback/Questions

147: Release all the things!

JT Pennington — Wed, 22 Jun 2016 08:00:00 -0400

On this episode of BSDNow, we will be talking to Glen Barber and Peter Wemm of the FreeBSD RE and Cluster Admin teams! That plus our

This episode was brought to you by

Headlines

2016 FreeBSD Community Survey

We often get comments from our listeners, “I’m not a developer, how can I help out”?
Well today is your chance to do something. The FreeBSD Foundation has its 2016 Community Survey online, where they are asking for feedback from you!
I just did the survey, it’ll take you about 5 minutes, but gives you a chance to provide valuable feedback to the foundation about things that are important to you.
Be sure to answer in as much detail as possible and the foundation will review and use this feedback for its operations going forward. ***

ART, OpenBSDs new routing table, single thread performances

OpenBSD has changed the way routes are looked up in the kernel as part of their path to an SMP networking stack
The “Allotment Routing Table” (ART) is a performance tradeoff, where more memory is used to store the routing table, in exchange for faster lookups
With this new arrangement, a full BGP routing table will grow from 130MB to 180MB of memory
“ART is a free multibit trie based routing table. To keep it simple, it can be seen as using more memory for fewer CPU cycles. In other words, we get a faster lookup by wasting memory. The original paper presents some performance comparisons between two ART configurations and the BSD Radix. But how does this apply to OpenBSD?”
“I asked Hrvoje Popovski to run his packet forwarding test on his Xeon box (E5-2620 v2 @ 2.10GHz, 2400.34 MHz) with ix(4) (82599) interfaces. The test setup consist of three machines with the OpenBSD box in the middle”
“The simulations have been performed with an OpenBSD -current from June 9th. The machine is configured with pf(4) disabled in order to force a single route lookup for every IPv4 packet. Based on the result of the lookup the kernel decide if it should forward, deliver or drop the packet” ***

BSDCan 2016 Playlist

The complete set of videos from BSDCan is online and ready to be consumed
Remember the good-ole days where we would wait months (or years) to get videos posted from conferences?
Well, who are we kidding, some conferences STILL do that, but we can’t count BSDCan among them.
Only two weeks out from this years exciting BSDCan, and all the videos have now landed on YouTube.
Granted, this is no substitute for actually being at the conference, but even if you attended you probably missed quite a few of the talks.
There are no videos of the hallway track, which is the best part of the conference
Except the dinner discussion of course.
and don’t forget the hacker lounge ***

Should you be scared of Unix signals?

Do you know much about UNIX Signals?
Are you afraid of their complexity?
Do you know there are signals other than SIGKILL?
This article talks about the practical implications of signals from a programming perspective
The things you need to consider when dealing with signals
Basically, you register a “signal handler”, the function that will be run when a signal arrives
As you program is running, if a signal arrives, your program will be interrupted. Its current state will be saved and any system calls in progress will return EINTR (Error, Interrupted), then your signal handler will be run.
Once the signal handler is complete, the state of your application will be restored, and execution will resume
As long as your program properly handles this interruption, and errors that might result from it (getting EINTR from a read() call, instead of the data you expected), then everything should be fine.
Of course, you need to be careful what you do inside your signal handler, as if you modify any variables or state in your application, it might be very confused when it resumes. ***

Interview - Glen and Peter-

News Roundup

Unik - The Unikernel Compilation and Deployment Platform (uses NetBSD's Rump)

We’ve talked a bit about NetBSD’s RUMP (unikernel) in the past, including articles on how to deploy services using it.
Now we have an interesting project which makes the process super-easy, and dare-we-say almost “Docker-Like?”
The Unik project has a fairly complete walkthrough right on their GitHub project page, including details on installation and creating your own unikernel containers.
In addition, it provides instructions on boot-strapping your own Go/Node.js/Python/Java applications, and supports out of Box VCenter / AWS / Qemu / VirtualBox providers. ***

PkgSrc 50th Release Highlights

pkgsrc is celebrating its 50th release, and to highlight this, they have posted a series of interviews from people who have been active in the project
pkgsrc 50th release interviews - Jonathan Perkin
pkgsrc 50th release interviews - Ryo ONODERA
pkgsrc 50th release interviews - Joerg Sonnenberg
pkgsrc 50th release interviews - Sevan Janiyan ***

Migrating to FreeBSD from Solaris 11

How to chroot www/firefox on NetBSD

Looking for a jail-like method of running FireFox on NetBSD? (Or possibly other BSDs?)
We have a github repo with details on how to setup and run FireFox using a chroot using a “webuser” account for safety.
Think of this as a jail alternative, may be useful on systems with no jail support.
Of interest is the method used to do X forwarding. It uses Xorg TCP listen option (which is often off by default for security reasons). Perhaps SSH X forwarding would be a better alternative. (Or nullfs mounts of /tmp) ***

Beastie Bits

Feedback/Questions

146: Music to Beastie’s ears

JT Pennington — Thu, 16 Jun 2016 08:00:00 -0400

Kris is on vacation this week, so allan flies solo, provides a recap of BSDCan & cover's a boatload of news including Microsoft

This episode was brought to you by

Headlines

BSDCan Recap and Live Stream Videos

Media Coverage of Microsoft + FreeBSD story

Microsoft has released their own custom image of FreeBSD 10.3 for the Azure Cloud
“This means that not only can you quickly bring-up a FreeBSD VM in Azure, but also that in the event you need technical support, Microsoft support engineers can assist.”
“Microsoft is the publisher of the FreeBSD image in the marketplace rather than the FreeBSD Foundation. The FreeBSD Foundation is supported by donations from the FreeBSD community, including companies that build their solutions on FreeBSD. They are not a solution provider or an ISV with a support organization but rather rely on a very active community that support one another. In order to ensure our customers have an enterprise SLA for their FreeBSD VMs running in Azure, we took on the work of building, testing, releasing and maintaining the image in order to remove that burden from the Foundation. We will continue to partner closely with the Foundation as we make further investments in FreeBSD on Hyper-V and in Azure.”
"It's quite a significant milestone for FreeBSD community and for Microsoft to publish a supported FreeBSD image on Azure Marketplace. We really appreciate Microsoft's commitment and investment in FreeBSD project". - Justin T. Gibbs, President of FreeBSD Foundation
Microsoft took a FreeBSD 10.3-RELEASE image and added additional patches, most of which they have upstreamed but that were too late for the regular 10.3 release cycle.
Rather than requiring users to use a snapshot of the stable/10 branch, which would complicate the user experience, and complicate the job of the Microsoft support engineers, they created their own “certified” release
This allows Microsoft to selectively deploy errata fixes to the image as well
It is not clear how this affects update mechanisms like freebsd-update(8)
The Register
The Inquirer
Infoworld
The Hacker News
Windows Report
Windows Club ***

Select works poorly

“At the bottom of the OpenBSD man page for select is a little note. “Internally to the kernel, select() and pselect() work poorly if multiple processes wait on the same file descriptor.” There’s a similar warning in the poll man page. Where does this warning come from and what does it mean?”
Ted found that at first glance, OpenBSD’s select() appears to be quite bad:
“whenever some data gets written, we call wakeup(&selwait);. Based on what we’ve seen so far, one can conclude that this is likely to be inefficient. Every time any socket has some data available, we wake up every selecting process in the system. Works poorly indeed.”
After further investigation, it turns out to not be quite as bad
When the select() is first setup, the PID of the process that cares about the FD is recorded in the selinfo struct
If a second process runs select() on the same FD, the SI_COLL (Select Collision) flag is set on the selinfo struct
When selwakeup() is called, if SI_COLL is set, all select()ing processes are woken up, and the sysctl kern.nselcoll is incremented. If the flag is not set, and only a single PID is waiting for activity on that FD, only that process is woken up
“This is not an intractable problem. kevent avoids it entirely. Other implementations may too. But practically, does it need to be solved? My laptop says it’s happened 43 times. A server with substantially more uptime says 0. Doesn’t seem so bad.” ***

Interview - Hans Petter Selasky - hps@freebsd.org / @twitter

Designing FreeBSD’s USB drivers, hooking up a piano to FreeBSD & more! ***

News Roundup

145: At the Core of it all

JT Pennington — Wed, 08 Jun 2016 08:00:00 -0400

It’s BSDCan time! Allan and I are both enjoying what is sure to be a super-busy week, but don’t think we’ve forgotten about

This episode was brought to you by

Interview - Benno Rice - benno@freebsd.org / @jeamland

Manager, OS & Networking at EMC Isilon
Emily Dunham: Community Automation

iXsystems

1U Rackmount Server - 4 Bay Hot-Swap SAS/SATA Drive Bays 400W Redundant Power Supply - Single Socket Embedded CPU (48 cores) - 8 DIMM Slots with
16GB DIMMs for a total of 128GB RAM – Dual Gigabit LAN, Dual 10GbE SFP+ and 1 x 40Gb QSFP+ port, (1) PCI-E Expansion Slots + IPMI Dedicated LAN -
Cavium ThunderX ARM CN8890 48 Core ThunderX CPU - 2.5GHz per core
System has 128GB RAM, 4 x 2TB SATA HDD, Additional Intel i350 (2 x 1GbE)

Beastie Bits

Feedback/Questions

144: The PF life

JT Pennington — Wed, 01 Jun 2016 08:00:00 -0400

It’s only one-week away from BSDCan, both Allan and I are excited to meet some of you in person! However, the show keeps on

This episode was brought to you by

Headlines

dotSecurity 2016 - Theo de Raadt - Privilege Separation and Pledge

Video
Slides
Interested in Privilege Separation and security in general? If so, then you are in for a treat, we have both the video and slides from Theo de Raadt at dotSecurity 2016.
Specifically the the talk starts off looking at Pledge (no copyright issues with the pictures I hope??) and how their NTP daemon uses it.
After going through some internals, Theo reveals that around 10% of programs “pledged” so far were found to be trying to do actions outside of their security scope.
On the future-work side, they mention going back and looking at OpenSSH privilege separation next, as well as working with other OS’s that may want pledge support. ***

bhyve now supports UEFI GOP

The log awaited UEFI GOP (Graphics Output Protocol) features has landed in bhyve
This provides emulated graphics via an internal VNC server, allowing users to have full graphical access to the guest OS
This allows installation of Windows guests without needing to create a modified ISO with an unattended installation script
The code has not actually landed in FreeBSD head yet, but has been committed to a project branch
Following a few simple commands, you can compile the new bhyve binary on your -CURRENT system and get started right away
This feature is expected to be included in the upcoming FreeBSD 11.0
This commit drop also brings with it:
- XHCI -- an emulated usb tablet device that provides exact mouse positioning in supported OSs
- PS2 mouse for fallback if the guest does not support XHCI (Windows 7)
- PS2 keyboard
“The code has been tested with Windows 7/8/8.1/10 and Server 2k12/2k16, Ubuntu 15.10, and FreeBSD 10.3/11-CURRENT”
“For VNC clients, TightVNC, TigherVNC, and RealVNC (aka VNC Viewer) have been tested on various hosts. The OSX VNC client is known not to work.”
The VNC server supports an optional ‘wait’ parameter, that causes the VM to not actually boot until the VNC client connects, allowing you to interrupt the boot process if need be
Related user blog post
SVN commit ***

zfsd lands in FreeBSD HEAD, in time for 11.0-RELEASE

zfsd has been committed to FreeBSD -CURRENT in time to be included in FreeBSD 11.0
zfsd is the missing piece required to make ‘hot spares’ work properly in FreeBSD ZFS
“zfsd attempts to resolve ZFS faults that the kernel can't resolve by itself. It listens to devctl(4) events, which is how the kernel notifies of events such as I/O errors and disk removals. Zfsd attempts to resolve these faults by activating or deactivating hotspares and onlining offline vdevs.”
“The administrator never interacts with zfsd directly. Instead, he controls its behavior indirectly through zpool configuration. There are two ways to influence zfsd: assigning hotspares and setting pool properties. Currently, only the autoreplace property has any effect. See zpool(8) for details.”
So, what example does it do?
Device Removal: “When a leaf vdev disappears, zfsd will activate any available hotspare.”
Device Arrival: “When a new GEOM device appears, zfsd will attempt to read its ZFS label, if any. If it matches a previously removed vdev on an active pool, zfsd will online it. Once resilvering completes, any active hotspare will detach automatically.”
So if you disconnect a drive, then reconnect it, it will automatically be brought back online. Since ZFS is smart, the resilver will only have to copy data that has changed since the device went offline.
“If the new device has no ZFS label but its physical path matches the physical path of a previously removed vdev on an active pool, and that pool has the autoreplace property set, then zfsd will replace the missing vdev with the newly arrived device. Once resilvering completes, any active hotspare will detach automatically.”
If the new drive is in the same slot in your hot swap array as a failed device, it will be used as a replacement immediately.
vdev degrade or fault events: “If a vdev becomes degraded or faulted, zfsd will activate any available hotspare. If a leaf vdev generates more than 50 I/O errors in a 60 second period, then zfsd will mark that vdev as FAULTED. zfs(4) will no longer issue any I/Os to it. zfsd will activate a hotspare if one is available.” Same for checksum errors.
So if zfsd detects a drive is going bad, it brings the hotspare online before it is too late
Spare addition: “If the system administrator adds a hotspare to a pool that is already degraded, zfsd will activate the spare.”
Resilver complete: “zfsd will detach any hotspare once a permanent replacement finishes resilvering.”
Physical path change: “If the physical path of an existing disk changes, zfsd will attempt to replace any missing disk with the same physical path, if its pool's autoreplace property is set.”
In general, this tool means less reliance on the system administrator to keep the pool healthy ***

W^X now mandatory in OpenBSD

We’ve talked a bit about W^X in the past. (Refresher: Memory being writable and executable at once)
Well, this major security no-no is no-more on OpenBSD. Theo has committed a change which now prevents violations of this policy:

> “W^X violations are no longer permitted by default. A kernel log message is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag kern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredump creation.”

There are a few cases where you may still need W^X, which Theo points out can be enabled on a file-system basis.

> “W^X violating programs can be permitted on a ffs/nfs filesystem-basis, using the "wxallowed" mount option. One day far in the future upstream software developers will understand that W^X violations are a tremendously risky practice and that style of programming will be banished outright. Until then, we recommend most users need to use the wxallowed option on their /usr/local filesystem. At least your other filesystems don't permit such programs.”

This is a great ability to grow, since now users can begin doing auditing of programs that violate this principle and making noise to upstream. ***

Interview - Kristof Provost - kp@freebsd.org @kprovst

pf improvements on FreeBSD ***

News Roundup

GELI Support for the EFI Loader

We’ve had Allan’s work to bring GELI support to the GPT / BIOS / ZFS loader for a while now, but the missing piece has been support for EFI.
No longer, Eric McCorkle has posted a blog entry (with relevant github links) introducing us to his work to bring GELI encryption support to EFI.
First the bad-news. This won’t make it into 11.0. (Maybe PC-BSD, TBD)
Next he explains why this is more than just a new feature, but a re-factor of the EFI boot code:

> I have already written extensively about my EFI refactoring here. The reason for undertaking this effort, however, was driven by GELI support. Early in my work on this, I had implemented a non-EFI “providers” framework in boot1 in order to support the notion of disk partitions that may contain sub-partitions.

This was deeply unsatisfying to me for several reasons:
- It implemented a lot of the same functionality that exists in the EFI framework.
- It involved implementing a GPT partition driver to deal with partition tables inside GELI partitions (GPT detection and support is guaranteed by the EFI spec).
- The interface between the EFI framework and the custom “providers” framework was awkward.
- The driver was completely boot1-specific, and exporting it to something like GRUB probably involved a total rewrite.
- Implementing it within loader was going to involve a lot of code duplication.
- There was no obvious was to pass keys between boot1, loader, and the kernel.
With the issues known, Eric seems pleased with the results of the conversion so far:
- The GELI driver can be extracted from the FreeBSD codebase without too much trouble.
- While I was unable to go all the way to the EFI driver model, the only blocker is the bcache code, and once that is resolved, we can have hotplug support in the boot loader!
- The boot1 and loader codebases are now sharing all the backend drivers, and boot1 has been reduced to one very small source file.
An interesting read, looking forward to playing with EFI more in the future! ***

Faces of FreeBSD 2016: Michael W. Lucas

On this edition of “Faces of FreeBSD”, Michael W Lucas tells the story of how he got started with FreeBSD
After an amusing re-telling of his childhood (The words “Purina Monkey Chow” were mentioned), he then tells us how he got into BSD.
His being thrown into the project may sound familiar to many:

> I came in at 11 PM one night and was told “The DNS administrator just got walked out the door. You’re the new lead DNS administrator. Make those servers work. Good luck.”

From there (because he wanted more sleep), he began ripping out the systems that had been failing and waking him up at night. Good-bye UnixWare, Good-bye Solaris, hello BSD!
A very amusing read, check it out! ***

High Availability with PostgreSQL on FreeBSD

A talk by Sean Chittenden, who we interviewed previously on episode Episode 95
Explains how to setup Multi Data Center High Availability for PostgreSQL using consul
Goes into how consul works, how it does the election, the gossip protocol, etc
The HA setup uses DNS Failover, and the pros and cons of that approach are discussed
Then he walks through the implementation details, and example configuration ***

New FreeBSD i915 testing images

Still need users to test the Linux Kernel 4.6 DRM update to FreeBSD’s graphics stack
Download the test image and write it to a USB stick and boot from it
It will not modify your installed system, it runs entirely off of the USB drive
Allows you to test the updated drivers without having to install the development branch on your device
you can tell them that ATI/AMD support will be coming shortly
and that stability has been steadily improving
and that I'll do another announcement as soon as I've had a chance to test the newest Xorg bits ***

Beastie Bits

143: One small step for DRM, one giant leap for BSD

JT Pennington — Wed, 25 May 2016 08:00:00 -0400

This week on BSDNow, we have an interview with Matthew Macy, who has some exciting news to share with us regarding the state of graphics

This episode was brought to you by

Headlines

How the number of states affects pf’s performance of FreeBSD

Our friend Olivier of FreeNAS and BSDRP fame has an interesting blog post this week detailing his unique issue with finding a firewall that can handle upwards of 4 million state table entries.
He begins in the article with benchmarking the defaults, since without that we don’t have a framework to compare the later results. All done on his Netgate RCC-VE 4860 (4 cores ATOM C2558, 8GB RAM) under FreeBSD 10.3.
“We notice a little performance impact when we reach the default 10K state table limit: From 413Kpps with 128 states in-used, it lower to 372Kpps.”
With the initial benchmarks done and graphed, he then starts the tuning process by adjusting the “net.pf.states_hashsize”sysctl, and then playing with the number of states for the firewall to keep.
“For the next bench, the number of flow will be fixed for generating 9800 pf state entries, but I will try different value of pf.states_hashsize until the maximum allowed on my 8GB RAM server (still with the default max states of 10k):”
Then he cranks it up to 4 million states
“There is only 12% performance penalty between pf 128 pf states and 4 million pf states.”
“With 10M state, pf performance lower to 362Kpps: Still only 12% lower performance than with only 128 states”
He then looks at what this does of pfsync, the protocol to sync the state table between two redundant pf firewalls
Conclusions:

There need to be a linear relationship between the pf hard-limit of states and the pf.states_hashsize; RAM needed for pf.states_hashsize = pf.states_hashsize * 80 Byte and pf.states_hashsize should be a power of 2 (from the manual page); Even small hardware can manage large number of sessions (it's a matter of RAM), but under too lot's of pressure pfsync will suffer.

Introducing the BCHS Stack = BSD, C, httpd, SQLite

Pronounced Beaches
“It's a hipster-free, open source software stack for web applications”
“Don't just write C. Write portable and secure C.”
“Get to know your security tools. OpenBSD has systrace(4) and pledge(2). FreeBSD has capsicum(4).”
“Statically scan your binary with LLVM” and “Run your application under valgrind”
“Don't forget: BSD is a community of professionals. Go to conferences (EuroBSDCon, AsiaBSDCon, BSDCan, etc.)”
This seems like a really interesting project, we’ll have to get Kristaps Dzonsons back on the show to talk about it ***

Installing OpenBSD's httpd server, MariaDB, PHP 5.6 on OpenBSD 5.9

Looking to deploy your next web-stack on OpenBSD 5.9? If so this next article from rootbsd.net is for you.
Specifically it will walk you through the process of getting OpenBSD’s own httpd server up and running, followed by MariaDB and PHP 5.6.
Most of the setup is pretty straight-forward, the httpd syntax may be different to you, if this is your first time trying it out.
Once the various packages are installed / configured, the rest of the tutorial will be easy, walking you through the standard hello world PHP script, and enabling the services to run at reboot.
A good article for those wanting to start hosting PHP/DB content (wordpress anyone?) on your OpenBSD system. ***

The infrastructure behind Varnish

Dogfooding. It’s a term you hear often in the software community, which essentially means to “Run your own stuff”. Today we have an article by PKH over at varnish-cache, talking about what that means to them.
Specifically, they recently went through a website upgrade, which will enable them to run more of their own stuff.
He has a great quote on what OS they use:“So, dogfood: Obviously FreeBSD. Apart from the obvious reason that I wrote a lot of FreeBSD and can get world-class support by bugging my buddies about it, there are two equally serious reasons for the Varnish Project to run on FreeBSD: Dogfood and jails.Varnish Cache is not “software for Linux”, it is software for any competent UNIX-like operating system, and FreeBSD is our primary “keep us honest about this” platform.“
He then goes through the process of explaining how they would setup a new Varnish-cache website, or upgrade it.
All together a great read, and if you are one of the admin-types, you really should pay attention to how they build from the ground up. Some valuable knowledge here which every admin should try to replicate.
I can not reiterate the value of having your config files in a private source control repo strongly enough
The biggest take-away is: “And by doing it this way, I know it will work next time also.” ***

Interview - Matt Macy - mmacy@nextbsd.org Graphics Stack Update

News Roundup

Followup on packaging base with pkg(8)

In spite of the heroic last minute effort by a team of contributors, pkg’d base will not be ready in time for FreeBSD 11.0
There are just too many issues that were discovered during testing
The plan is to continue using freebsd-update in the meantime, and introduce a pkg based upgrade mechanism in FreeBSD 11.1
With the new support model for the FreeBSD 11 branch, 11.1 may come sooner than with previous major releases ***

FreeBSD Core Election

It is time once again for the FreeBSD Core Election
Application period begins: Wednesday, 18 May 2016 at 18:00:00 UTC
Application period ends: Wednesday, 25 May 2016 at 18:00:00 UTC
Voting begins: Wednesday, 25 May 2016 at 18:00:00 UTC
Voting ends: Wednesday, 22 June 2016 at 18:00:00 UTC
Results announced Wednesday, 29 June 2016
New core team takes office: Wednesday, 6 July 2016
As of the time I was writing these notes, 3 hours before the application deadline, the candidates are:
Allan Jude: Filling in the potholes
Marcelo Araujo: We are not vampires, but we need new blood.
Baptiste Daroussin (incumbent): Keep on improving
Benedict Reuschling: Learn and Teach
Benno Rice: Revitalising The Community
Devin Teske: Here to help
Ed Maste (incumbent): FreeBSD is people
George V. Neville-Neil (incumbent): There is much to do…
Hiroki Sato (incumbent): Keep up with our good community and technical strength
John Baldwin: Ready to work
Juli Mallett: Caring for community.
Kris Moore: User-Focused
Mathieu Arnold: Someone ask for fresh blood ?
Ollivier Robert: Caring for the project and you, its developers
The deadline for applications is around the time we finish recording the live show
We welcome any of the candidates to schedule an interview in the next few weeks. We will make an attempt to hunt many of them down at BSDCan as well. ***

Wayland/Weston with XWayland works on DragonFly

We haven’t talked a lot about Wayland on BSD recently (or much at all), but today we have a post from Peter to the dragonfly mailing list, detailing his experience with it.
Specifically he talks about getting XWayland working, which provides the compat bits for native X applications to run on WayLand displays.
So far on the working list of apps: “gtk3:
- gedit
- nautilus
- evince

xfce4:

xfce4-terminal
atril
- firefox
- spyder
- scilab”
- A pretty impressive list, although he said “chrome” failed with a seg-fault
- This is something I’m personally interested in. Now with the newer DRM bits landing in FreeBSD, perhaps it’s time for some further looking into Wayland. ***

Broadcom WiFi driver update

In this blog post Adrian Chadd talks about his recent work on the bwn(4) driver for Broadcom WiFi chips
This work has added support for a number of older 802.11g chips, including the one from 2009-era Macbooks
Work is ongoing, and the hope is to add 802.11n and 5ghz support as well
Adrian is mentoring a number of developers working on embedded or wifi related things, to try to increase the projects bandwidth in those areas
If you are interested in driver development, or wifi internals, the blog post has lots of interesting details and covers the story of Adrian’s recent adventures in bringing the drivers up ***

Beastie Bits

The Design of the NetBSD I/O Subsystems (2002)

ZFS, BTRFS, XFS, EXT4 and LVM with KVM – a storage performance comparison

Swift added to FreeBSD Ports

misc@openbsd: 'NSA addition to ifconfig'

Papers We Love: Memory by the Slab: The Tale of Bonwick's Slab Allocator

Feedback/Questions

142: Diving for BSD Perls

JT Pennington — Wed, 18 May 2016 08:00:00 -0400

This week on the show, we have all the latest news and stories! Plus an interview with BSD developer Alfred Perlstein, that you

This episode was brought to you by

Headlines

The May issus of BSDMag is now out

GhostBSD
Reusing OpenBSD's arc4random in multi-threaded user space programs
Securing VPN's with GRE / Strongswan
Installing XFCE 4.12 on NetBSD 7
Interview with Fernando Rodriguez, the co-founder of KeepCoding ***

A rundown of the FPT_W^X_EXT.1 security reqiurement for General Purpose Operating Systems by the NSA

NIST/NSA Validation Scheme Report
The SFR or Security Functional Requirement requires that; "The OS shall prevent allocation of any memory region with both write and execute permissions except for [assignment: list of exceptions]."
While nearly all operating systems currently support the use of the NX bit, or the equivalent on processors such as SPARC and ARM, and will correctly mark the stack as non-executable, the fact remains that this in and of itself is deemed insufficient by NIST and NSA.
OpenBSD 5.8, FreeBSD, Solaris, RHEL, and most other Linux distro have failed.
HardenedBSD passes all three tests out of the box.
NetBSD will do so with a single sysctl tweak. Since they are using the PaX model, anything else using PaX, such as a grsecurity-enabled Linux distribution pass these assurance activities as well.
OpenBSD 5.9 does not allow memory mapping due to W^X being enforced by the kernel, however the kernel will panic if there are any attempts to create such mappings. ***

DistroWatch reviews new features in FreeBSD 10.3

DistroWatch did a review of FreeBSD 10.3
They ran into a few problems, but hopefully those can be fixed
An issue with beadm setting the canmount property incorrectly causing the ZFS BE menu to not work as expected should be resolved in the next version, thanks to a patch from kmoore
The limitations of the Linux 64 support are what they are, CentOS 6 is still fairly popular with enterprise software, but hopefully some folks are interested in working on bringing the syscall emulation forward
In a third issue, the reviewer seemed to have issues SSHing from inside the jail. This likely has to do with how they got a console in the jail. I remember having problems with this in the past, something about a secure console. ***

BSD Unix: Power to the people, from the code

Salon.com has a very long article, chronicling much of the history behind BSD UNIX.
It starts with detailing the humble origins of BSD, starting with Bill Joy in the mid-70’s, and then goes through details on how it rapidly grew, and the influence that the University of Berkeley had on open-source.

> “But too much focus on Joy, a favorite target for business magazine hagiography, obscures the larger picture. Berkeley’s most important contribution was not software; it was the way Berkeley created software. At Berkeley, a small core group — never more than four people at any one time — coordinated the contributions of an ever-growing network of far-flung, mostly volunteer programmers into progressive releases of steadily improving software. In so doing, they codified a template for what is now referred to as the “open-source software development methodology.” Put more simply, the Berkeley hackers set up a system for creating free software.”

The article goes on to talk about some of the back and forth between Linux and BSD, and why Linux has captured more of the market in recent years, but BSD is far from throwing in the towel.

> “BSD patriots argue that the battle is far from over, that BSD is technically superior and will therefore win in the end. That’s for the future to determine. What’s indisputable is BSD’s contribution in the past. Even if, by 1975, Berkeley’s Free Speech Movement was a relic belonging to a fast-fading generation, on the fourth floor of Evans Hall, where Joy shared an office, the free-software movement was just beginning.”

An excellent article (If a bit long), but well worth your time to understand the origins of what we consider modern day BSD, and how the University of Berkley helped shape it. ***

iXsystems

#ServerEnvy: It's over 10,000 Terabytes! ***

Interview - Alfred Perlstein - alfred@freebsd.org / @splbio

Using BSD for projects ***

News Roundup

.NET framework ported to NetBSD

This pull request adds basic support for the .NET framework on NetBSD 7.x amd64
It includes documentation on how to get the .NET framework installed
It uses pkgsrc to bootstrap the required tools
pkgsrc-wip is used to get the actual .NET framework, as porting is still in progress
The .NET Core-CLR is now available for: FreeBSD, Linux, NetBSD, and OS X ***

OpenBSD SROP mitigation – call for testing

A new technique for exploiting flaws in applications and operating systems has been developed, called SROP
“we describe Sigreturn Oriented Programming (SROP), a novel technique for exploits and backdoors in UNIX-like systems. Like return-oriented programming (ROP), sigreturn oriented programming constructs what is known as a ‘weird machine’ that can be programmed by attackers to change the behavior of a process. To program the machine, attackers set up fake signal frames and initiate returns from signals that the kernel never really delivered. This is possible, because UNIX stores signal frames on the process’ stack.”
“Sigreturn oriented programming is interesting for attackers, OS developers and academics. For attackers, the technique is very versatile, with pre-conditions that are different from those of existing exploitation techniques like ROP. Moreover, unlike ROP, sigreturn oriented programming programs are portable. For OS developers, the technique presents a problem that has been present in one of the two main operating system families from its inception, while the fixes (which we also present) are non-trivial. From a more academic viewpoint, it is also interesting because we show that sigreturn oriented programming is Turing complete.”
Paper describing SROP
OpenBSD has developed a mitigation against SROP
“Utilizing a trick from kbind(2), the kernel now only accepts signal returns from the PC address of the sigreturn(2) syscall in the signal trampoline. Since the signal trampoline page is randomized placed per process, it is only known by directly returning from a signal handler.”
“As well, the sigcontext provided to sigreturn(2) now contains a magic cookie constructed from a per-process cookie XOR'd against the address of the signal context.”
This is just a draft of the patch, not yet considered production quality ***

Running Tor in a NetBSD rump unikernel

We’ve talked about “rump” kernels before, and also Tor pretty frequently, but this new github project combines the two!
Specifically, this set of Makefile and scripts will prep a system to run Tor via the Unikernel through Qemu.
The script mainly describes how to do the initial setup on Linux, using iptables, but could easily be adapted to a BSD if somebody wants to do so. (Send them a pull request with the instructions!)
All in all, this is a fascinating way to run a Tor node or relay, in the most minimal operating environment possible. ***

An update on SSH protocol 1 ("we're most of the way towards fully deprecating SSH protocol 1"

Damien Miller has given us an update on the status of the “SSH protocol 1”, and the current plans to deprecate it in an upcoming version of openssh.

> “We've had this old protocol in various stages of deprecation for almost 10 years and it has been compile-time disabled for about a year.
> Downstream vendors, to their credit, have included this change in recent OS releases by shipping OpenSSH packages that disable protocol 1 by default and/or offering separate, non-default packages to enable it.

> This seems to have proceeded far more smoothly than even my most optimistic hopes, so this gives us greater confidence that we can complete the removal of protocol 1 soon. We want to do this partly to hasten the demise of this cryptographic trainwreck, but also because doing so removes a lot of legacy code from OpenSSH that inflates our attack surface. Having it gone will make our jobs quite a bit easier as we maintain and refactor.”

The current time-line looks like removing server-size protocol 1 support this August after OpenSSH 7.4 is released, leaving client-side disabled.
Then a year from now (June 2017) all protocol 1 code will be removed.

Beastie Bits

Feedback/Questions

141: BSD Likes Ike!

JT Pennington — Wed, 11 May 2016 08:00:00 -0400

This week on the show, we have all the latest news and stories! Plus we’ll be hearing more about OpnSense from the man himself, Ike!

This episode was brought to you by

Headlines

Regarding Embargoes

Our buddy TedU has a great thought piece today on the idea of “embargoes” for security advisories.
This all stemmed from a recent incident with LibreSSL patches from embargoed OpenSSL vulns, that accidentally got committed too early.
Ted makes a pretty good case on the difficulties of having embargos, and maybe the reason there shouldn’t be. Couple of quotes to give you a taste:

> “There are several difficulties maintaining embargoes. Keeping secrets is against human nature. I don’t want to be the one who leaks, but if I see something that looks like the secret is out, it’s a relief to be able to speak freely. There is a bias towards recognizing such signs where they may not really exist. (Exacerbated by broad embargoes where some parts leak but other parts don’t. It’s actually very hard to tell what’s not publicly known when you know everything.)

> The most thorough embargo and release timeline reconstruction is the heartbleed timeline. It’s another great case study. Who exactly decided who were the haves and have nots? Was it determined by who needed to know or who you needed to know? Eventually the dam started to crack.”

> “When Cloudflare brags that they get advance notice of vulnerabilities, attracting more customers, and therefore requiring even more early access, how are smaller players to compete? What happens if you’re not big enough to prenotify?

> Sometimes vulnerabilities are announced unplanned. Zero day cyber missiles are part of our reality, which means end users don’t really have the luxury of only patching on Tuesday. They need to apply patches when they appear. If applying patches at inconvenient times is a problem, make it not a problem. Not really a gripe about embargoes per se, but the scheduled timing of coordinated release at the end of the embargo is catering to a problem that shouldn’t exist.”

I will admit that CloudFlare bragging around Heartbleed was upsetting
The biggest issue here is the difficulty with coordinating so many open source projects, which are often done by volunteers, in different countries and time zones
The other issue is determining when the secret is “out of the bag” ***

MAJOR ABI BREAK: csu, ld.so, libc, libpthread update

OpenBSD warns those following the -current (development) branch to be careful as they upgrade because of a major ABI break that will result in applications not working
“Handling of single-threaded programs is now closer to multi-threaded, with ld.so and libc.a doing thread information base (TIB) allocation. Threaded programs from before the 2016/03/19 csu and ld.so update will no longer run. An updated ld.so must be built and installed before running make build.”
A special note for those on PowerPC: “PowerPC has been updated to offset the TIB from the hardware register. As a result, all threaded programs are broken until they have been rebuilt with the new libc and libpthread. perl must be built after building the libraries and before building the rest of base.”
“The definitions of environ and __progname for dynamically linked programs have been moved from the C startup code to ld.so(1). An updated ld.so must be built and installed before running make build.”
The link provides instructions on how to update your system properly ***

How to install FreeBSD 10.3 on VMWare Workstation 12 Pro

This tutorial starts at the very basics, running through the FreeBSD installer
But then it goes on to configuring the machine specifically for VMWare
After the system has been booted, the tutorial walks through installing the VMWare tools
Then networking is configured in both VMWare and FreeBSD
A small hack is required to make the VMWare tools startup script wait until the network is up
A very nice tutorial for people using VMWare
I am working on a patch to bsdinstall to ensure that the swap partition is put before the main partition, so it can more easily be resized if you later decide you need more space in your VM
the camcontrol reprobe subcommand has been added ,
“This makes it possible to manually force updating capacity data after the disk got resized. Without it it might be necessary to reboot before FreeBSD notices updated disk size under eg VMWare.” ***

BSD Router project releases v1.59

We’ve talked about the BSD Router project a bit in the past, but today we have a brand new release to bring to you.
For those who don’t remember, the BSDrp is a router aimed at replacing more of your big-commercial type systems.
First up in the new hotness, we have it based upon recently released FreeBSD 10.3!
In addition, there is a new package: New package: mlvpn (aggregated network links in order to benefit from the bandwidth of multiple links)
Other packages have gotten a bump with this release as well:
- bsnmp-ucd to 0.4.2
- dma to 0.11
- dmidecode to 3.0
- exabgp to 3.4.15
- iperf3 to 3.1.2
- monit to 5.17
- mpd5 to 5.8
- openvpn to 2.3.10
- python to 2.7.11
- quagga to 1.0.20160315
- strongswan to 5.4.0
What are you waiting for? Amd64 and i386 images are ready for you to download now.

Interview - Isaac (.Ike) Levy -

See Ike again at SEMIBug in Troy, Michigan on May 17th ***

News Roundup

Tredly - Prebuilt containers on FreeBSD

Discussion regarding its GPLv3 licensing
A new “container” solution called “Trendly” has started making some news around various tech sites.
In particular, this new project uses FreeBSD as its base OS and jail functionality in the backend.
Their solution seems based around the idea of shipping containers as manifests, such as lists of packages to install and configuration knobs.
The project is still rather new, and we’ll be keeping an eye on it for the future.
One notable change already though, it was (for some reason) released under GPLv3. Understandably this caused quite a ruckus with various folks in the community, since it’s built specifically on BSD. Since this, the code has been re-licensed as MIT, which is far more in the spirit of a traditional BSD license. ***

NVMe driver added to NetBSD - ported from OpenBSD

NetBSD has gained support for Non-Volatile Memory Express, the new standard for PCIe attached Flash Memory
The change of interface from SATA to NVMe offers a number of advantages, mostly, it doesn’t require the device to pretend to be a spinning disk
One of the biggest advantages is that it supports completing multiple operations at once, with the Intel hardware I have tested, 63 I/Os can happen concurrently, so a very large queue depth is required to keep the device busy. The 64th I/O channel is reserved for administrative commands, to keep them from being delayed by the large queue depth
The device I tested could read at 3800 MB/s, and write 1700MB/s, something that wouldn’t be possible with a normal SSD
It is interesting that NetBSD took the NVMe support from OpenBSD, whereas the FreeBSD implementation was contributed directly by Intel
This may have to do with that fact that OpenBSD’s device model is closer to that of NetBSD
Commit Log ***

New BSDNow T-Shirts

By popular demand, we have created a more subtle BSDNow shirt
Featuring only the smallish BSDNow logo over the left breast
Available in a number of styles (T-Shirt, Women’s T-Shirt, Long Sleeve, and Hoodie) as well as a number of colours: Black, Blue, Grey, and White
The hope is that enough orders come though so we can get them shipped in and your sweaty little hands in time for BSDCan. (I’ll be wearing mine, will you B...SD?)
If you still want one of our now-famous “The Usual BSD’s” t-shirts, you can also indicate your interest here, and once 10 or more shirts are ordered, a reprint will happen automatically ***

PC-BSD 11-CURRENT with Package Base

Looking for a way to play with the new FreeBSD base package system?
This month’s PC-BSD -CURRENT image now used packages for base system installation, and is asking for testers to help find bugs.
Known issues so far:
- setuid binaries (Fix in works)
- Missing tzone files
- Distrib packages
If all that doesn’t scare you away, then give it a whirl! Upgrades for previous APRIL images are now online also. ***

BeastieBits

Feedback/Questions

140: Tracing it back to BSD

JT Pennington — Wed, 04 May 2016 08:00:00 -0400

This week on BSDNow, Allan is back in down from Europe! We’ll get to hear some of his wrap-up and get caught up on the latest BSD

This episode was brought to you by

Headlines

FreeBSD Quarterly Report

This quarterly status report starts with a rather interesting introduction by Warren Block
ASLR
Porting CEPH to FreeBSD
RCTL I/O Rate Limiting
The Graphics Stack on FreeBSD (Haswell is in, work is progressing on the next update)
CAM I/O Scheduler
NFS Server updates, working around the 16 group limit, and implementing pNFS, allowing NFS to scale beyond a single server
Static Analysis of the FreeBSD Kernel with PVS Studio
PCI-express HotPlug
GitLab Port committed!
WITH_FAST_DEPEND and other improvements to the FreeBSD build system
Lots of other interesting stuff ***

A Prog By Any Other Name

Ted Unangst looks at what goes into the name of a program
“Sometimes two similar programs are really the same program with two names. For example, grep and egrep are two commands that perform very similar functions and are therefore implemented as a single program. Running ls -i and observing the inode number of each file will reveal that there is only one file. Calling the program egrep is a shorthand for -E and does the same thing.”
So BSD provides __progname in libc, so a program can tell what its name is
But, what if it has more than one name?
“In fact, every program has three names: its name in the filesystem, the name it has been invoked with, and whatever it believes its own name to be.”
Of course it is not that easy.
“there’s another set of choices for each name, the full path and the basename”
“It’s even possible on some systems for argv[0] to be NULL.”
He then goes on to rename doas (the OpenBSD light replacement for sudo) to banana and discuss what happens
“On that note, another possible bug is to realize that syslog by default uses progname. A user may be able to evade log monitoring by invoking doas with a different name. (Just fixed.)”
Another interesting article from our friend Ted ***

FreeBSD and NetBSD Google Summer of Code projects have been announced

Some FreeBSD highlights:
- Add SCSI passthrough to CTL (share an optical drive via iSCSI)
- Add USB target mode driver based on CTL (share a USB device via iSCSI)
- API to link created /dev entries to sysctl nodes
- Implement Ethernet Ring Protection Switching (ERPS)
- HD Audio device model in userspace for bhyve
Some NetBSD highlights:
- Implement Ext4fs support in ReadOnly mode
- NPF and blacklistd web interface
- Port U-Boot so it can be compiled on NetBSD
- Split debug symbols for pkgsrc builds ***

libressl - more vague priomises

We haven’t had a Ted U article on the show as of late, however this week we get several! In his next entry “LibreSSL, more vague promises”
He then goes into some detail on what has happened with LibreSSL in the past while, as well as future plans going forward.
“With an eye to the future, what new promises can we make? Some time ago I joked that we only promised to make a better TLS implementation, not a better TLS. Remains true, but fortunately there are people working on that, too. TLS 1.3 support is on the short term watchlist. The good news is we may be ahead of the game, having already removed compression. How much more work can there be?”
“LibreSSL integrated the draft chacha20-poly1305 construction from BoringSSL. The IETF has since standardized a slightly different version because if it were the same it wouldn’t be different. Support for standard variant, and the beginning of deprecation for the existing code, should be landing very shortly. Incidentally, some people got bent out of shape because shipping chacha20 meant exposing non IANA approved numbers to Internet. No promises that won’t happen again.” ***

Interview - Samy Al Bahra - @0xF390

Backtrace ***

News Roundup

systrace(1) is removed for OpenBSD 6.0

OpenBSD has removed systrace, an older mechanism for limiting what syscalls an application can make
It is mostly replaced by the pledge() system
OpenBSD was the first implementation, most others have been unmaintained for some time
The last reported Linux version was for kernel 2.6.1
NetBSD removed systrace in 2007 ***

pfSense Video Series: Comprehensive Guide To pfSense 2.3

A series of videos (11 so far), about pfSense
Covers Why you would use it, how to pick your hardware, and installation
Then the series covers some networking basics, to make sure you are up to speed before configuring your pfSense
Then a comprehensive tour of the WebUI
Then goes on to cover graphing, backing up and restoring configuration
There are also videos on running DHCP, NTP, and DNS servers ***

DuckDuckGo announces its 2016 FOSS Donations

The theme is “raising the standard of trust online”
Supported projects include:
OpenBSD Foundation announces DuckDuckGo as a Gold Sponsor
the Freedom of the Press Foundation for SecureDrop
the Freenet Project
the CrypTech Project
the Tor Project
Fight for the Future for Save Security
Open Source Technology Improvement Fund for VeraCrypt (based on TrueCrypt)
Riseup Labs for LEAP (LEAP Encryption Access Project)
GPGTools for GPGMail ***

Larry the BSD Guy hangs up his hat at FOSS Force

After 15 years, Larry the BSD Guy has decided to hang it up, and walk into the sunset! (Figuratively of course)
After wrapping up coverage of recent LinuxFest NorthWest (Which he didn’t attend), Larry has decided it’s time for a change and is giving up his column over at FOSS Force, as well as stepping away from all things technical.
His last write-up is a good one, and he has some nice plugs for both Dru Lavigne and Michael Dexter of the BSD community.
He will be missed, but we wish him all the luck with the future! He also puts out the plug that FOSS Force will be needing a new columnist in the near future, so if you are interested please let them know! ***

Beastie Bits

Feedback/Questions

139: Cheri-picking BSD

JT Pennington — Wed, 27 Apr 2016 08:00:00 -0400

This week, Allan is out of town, but since when has that ever stopped us from bringing you a new episode of BSDNow? We have news,

This episode was brought to you by

Headlines

Unix's file durability problem

Another article by Chris Siebenmann from the University of Toronto
This time, the issue was a lost comment on his Python based blog which uses files on disk rather than a database
After an unexpected restart of the system, a recently posted comment no longer existed
The post goes on to investigate what the ‘right way’ to ensure file durability is
The answer, as you might expect, is “it depends…”
Normally, fsync() should work, but it seems with ext4 and some other file systems, you must also fsync() the directory where the file was created, or it might not be possible to find the file after a crash
Do you need to fsync() the parent of that directory too? Then what is fdatasync() for? What about just calling sync()?
“One issue is that unlike many other Unix API issues, it's impossible to test to see if you got it all correct and complete. If your steps are incomplete, you don't get any errors; your data is just silently sometimes at risk. Even with a test setup to create system crashes or abrupt power loss (which VMs make much easier), you need uncommon instrumentation to know things like if your OS actually issued disk flushes or just did normal buffered writes. And straightforward testing can't tell you if what you're doing will work all the time, because what is required varies by Unix, kernel version, and the specific filesystem involved.”
Second post by author: How I'm trying to do durable disk writes
Additional Discussion on Hacker News
The discussion on HN also gets into AIO and other more complicated facilities, but even those seem to be vague about when your data is actually safe
At least ZFS ensures you never get half of your new data, and half of your old data. ***

Build a FreeBSD 10.3-release Openstack Image with bsd-cloudinit

Are you using FreeBSD and OpenStack or would you like to be? We next have a great tutorial which explains the ins-and-outs of doing exactly that.
Remy van Elst brings us a great walkthrough on his site on how to get started, and hint it involves just a few ‘pip’ commands.
After getting the initial Python tools bootstrapped, next he shows us how to save our OpenStack settings in a sourceable shell command, which comes in handy before doing admin on a instance.
Next the ‘glance’ and ‘cinder’ tools are used to upload the target OS ISO file and then create a volume for it to install onto.
Next the VM is started and some specific steps are outlined on getting FreeBSD 10.3 installed into the instance. It includes some helpful hints as how to fix a mountroot error, if you installed to ada0, but need to mount via vtdb0 instead now.
After the installation is finished, the prep for ‘cloudinit’ is done, and the resulting image is compressed and made ready for deployment.
We’ve kinda stepped through some of the more gory steps here, but if OpenStack is something you work with, this tutorial should be at the top of your “must read” list. ***

Undeadly and HTTPS

Undeadly, the OpenBSD journal, is thinking of moving to HTTPS only
In order to do this, they would like some help rewriting part of the site
Currently, when you login to post comments, this is done over HTTPS, but to an stunnel instance running a custom script that gives you a cookie, and sends you back to the non-HTTPS site
They would like to better integrate the authentication system, and otherwise improve the code for the site
There is some pushback as well, questioning whether it makes sense to block users who are unable to use HTTPS for one reason or another
I think it makes sense to have the site default to HTTPS, but, maybe HTTPS only doesn’t make sense. There is nothing private on the site, other than the authentication system which is optional, not required to post a comment.
There is also some discussion about the code for the site, including the fact that when the code was released, the salt for the password database was included
This is not actually a security problem, but the discussion may be interesting to some viewers ***

FreeBSD Journal March/April Edition

The next issue of the FreeBSD Journal is here, and this time it is about Teaching with Operating Systems
In addition to the usual columns, including: svn update, the ports report, a conference report from FOSDEM, a meetup report from PortsCamp Taipei, A book review of "The Algorithm Design Manual", and the Events Calendar; there are a set of feature articles about teaching
Teaching with FreeBSD through Tracing, Analysis, and Experimentation
CHERI: Building a foundation for secure, trusted computing bases
A brief history of Fast Filesystems
There is also an interview with Gleb Smirnoff, a member of the Core team, release engineering, and the deputy security officer, as well as a senior software developer at Netflix
Get the latest issue from your favourite mobile store, or the “Desktop Edition” directly in your browser from the FreeBSD Foundation’s website ***

Interview - Brooks Davis - brooks@FreeBSD.org / @brooksdavis

CHERI and Capabilities ***

TrueNAS Three-Peats!!!

News Roundup

UbuntuBSD Is Looking To Become An Official Ubuntu Flavor

You may recall a few weeks back that we were a bit surprised by the UbuntuBSD project and its longevity / goals.
However the project seems to be pushing forward, with news on softpedia.com that they are now seeking to become an ‘official’ Ubuntu Flavor.
They’ve already released a forth beta, so it seems the project currently has some developers pushing it forward:

> "I would like to contribute all my work to Ubuntu Community and, if you think it is worthy, make ubuntuBSD an official Ubuntu project like Xubuntu or Edubuntu," said Jon Boden. "If you're interested, please let me know how would you like me to proceed."

It's Just Bits

We have next an interesting blog post talking about the idea that “It’s just all bits!”
The author then takes us down the idea of no matter how old or mysterious the code may be, in the end it is ending up as bits arranged a certain way.
Then the article transitions and takes us through the idea that old bits, and bits that have grown too large should often be good candidates for replacement by “simpler” bits, using OpenBSD as an example.

> “The OpenBSD community exemplifies this in many ways by taking existing solutions and simplifying them. Processing man pages is as old as Unix, and even in the 21st century OpenBSD has taken the time to rewrite the existing solution to be simpler and safer. It's just bits that need to be turned into other bits. Similarly, OpenBSD has introduced doas as an alternative to sudo. While not replacing sudo entirely, doas makes the 99.99% case of what people use sudo for easier and safer. They are just bits that need to be authenticated. “

All in all, a good read, and it reinforces the point that nothing is really truly “finished”. As computing advances and new technologies / practices are made available, sometimes it makes a lot of sense to go back and re-write things in order to simplify the complexity that has snuck in over time. ***

Disk IO limiting is coming to FreeBSD

A much requested feature for both Jails and VM’s on FreeBSD has just landed with experimental support in -HEAD, Disk IO limiting!
The Commit message states as follows:

> “Add four new RCTL resources - readbps, readiops, writebps and writeiops,
> for limiting disk (actually filesystem) IO.

> Note that in some cases these limits are not quite precise. It's ok,
> as long as it's within some reasonable bounds.

> Testing - and review of the code, in particular the VFS and VM parts - is
> very welcome.”

Well, what are you waiting for? This is a fantastic new feature which I’m sure will get incorporated into other tools for controlling jails and VM’s down the road.
If you give it a spin, be sure to report back bugs so they can get quashed in time for 11. ***

BeastieBits

Feedback/Questions

138: Rushing into BSD

JT Pennington — Wed, 20 Apr 2016 08:00:00 -0400

This week on the show, we will be talking to Benedict Reushling about his role with the FreeBSD foundation and the journey that took him

This episode was brought to you by

Headlines

HardenedBSD introduces full PIE support

PIE base for amd64 and i386
Only nine applications are not compiled as PIEs
Tested PIE base on several amd64 systems, both virtualized and bare metal
Hoped to be to enabled it for ARM64 before or during BSDCan.
Shawn will be bringing ten Raspberry Pi 3 devices (which are ARM64) with to BSDCan, eight of which will be given out to lucky individuals. “We want the BSD community to hack on them and get ARM64/Aarch64 fully functional on them.” ***

Lessons learned from 30 years of MINIX

Eat your own dog food.
By not relying on idiosyncratic features of the hardware, one makes porting to new platforms much easier.
The Internet is like an elephant; it never forgets.
When standards exist (such as ANSI Standard C) stick to them.
Even after you have adopted a strategy, you should nevertheless reexamine it from time to time.
Keep focused on your real goal, Einstein was right: Things should be as simple as possible but not simpler. ***

pfSense 2.3 released

Rewrite of the webGUI utilizing Bootstrap
TLS v1.0 disabled for the GUI
Moved to a FreeBSD 10.3-RELEASE base
PHP Upgraded to 5.6
The "Full Backup" feature has been deprecated
Closed 760 total tickets of which 137 are fixed bugs
Known Regressions
OpenVPN topology change
IP aliases with CARP IP parent lose their parent interface association post-upgrade
IPsec IPComp does not work.
IGMP Proxy does not work with VLAN interfaces.
Many other updates and changes ***

OPNsense 16.1.10 released

openvpn: revive windows installer binaries
system: improved config history and backup pages layout
system: increased backup count default from 30 to 60
system: /var /tmp MFS awareness for crash dumps added
trust: add “IP security IKE intermediate” to server key usage
firmware: moved reboot, halt and defaults pages to new home
languages: updates to Russian, French, German and Japanese
Many other updates and changes ***

Interview - Benedict Reuschling - bcr@freebsd.org

FreeBSD Foundation in Europe ***

News Roundup

Write opinionated workarounds

Colin Percival has written a great blog post this past week, specifically talking about his policy of writing “opinionated workarounds”.
The idea came about due to his working on multi-platform software, and the frustrations of dealing with POSIX violations
The crux of the post is how he deals with these workarounds. Specifically by only applying them to the particular system in which it was required. And doing so loudly.
This has some important benefits. First, it doesn’t potentially expose other systems to bugs / security flaws when a workaround doesn’t “work” on a system for which it wasn’t designed. Secondly it’s important to complain. Loudly. This lets the user know that they are running on a system that doesn’t adhere to POSIX compliance, and maybe even get the attention of a developer who could remedy the situation. ***

Privilege escalation in calendar(1)

File this one under “Ouch that hurts” a new security vuln has been posted, this time against NetBSD’s ‘calendar’ command.
Specifically it looks like some of the daily scripts uses the ‘-a’ flag, which requires super-user privs in order to process all users calendar files and mail the results.
However the bug occurred because the calendar command didn’t drop priv properly before executing external commands (whoops!)
To workaround you can set run_calendar=NO in the daily.conf file, or apply the fixed binary from upstream. ***

PGCon 2016

PGCon 2016 is now only 4 weeks away
The conference will be held at the University of Ottawa (same venue as BSDCan) from May 17th to 20th
Tutorials: 17-18 May 2016 (Tue & Wed)
Talks: 19-20 May 2016 (Thu-Fri)
Wednesday is a developer unconference.
Saturday is a user unconference.
“PGCon is an annual conference for users and developers of PostgreSQL, a leading relational database, which just happens to be open source. PGCon is the place to meet, discuss, build relationships, learn valuable insights, and generally chat about the work you are doing with PostgreSQL. If you want to learn why so many people are moving to PostgreSQL, PGCon will be the place to find out why. Whether you are a casual user or you've been working with PostgreSQL for years, PGCon will have something for you.”
New to PGSQL? Just a user? Long time developers? This conference has something for you. A great lineup of talks, plus unconference days focused on both users and developers ***

CfP EuroBSDCon 2016

The call for papers has been issued for EuroBSDCon 2016 in Belgrade, Serbia
The conference will be held from the 22nd to 25th of September, 2016
The deadline for talk submissions is: Sunday the 8th of May, 2016
Submit your talk or tutorial proposal before it is too late ***

Beastie Bits

Feedback/Questions

137: FreeNAS Mini XL

JT Pennington — Wed, 13 Apr 2016 08:00:00 -0400

This week on BSD Now, I’m out of town for the week, but we have a special unboxing video to share with you, that you won’t want to miss. That, plus the latest BSD news, is coming your way right now!

This episode was brought to you by

Headlines

Example of a FreeBSD bug hunting session by a simple user

Don’t be fooled, Olivier Cochard-Labbé is a bit more than just a FreeBSD user
Original founder of the FreeNAS project many years ago, and currently leads the BSD Router Project (designed as a replacement for “Big Iron” routers like Cisco’s etc)
However, he is not actually a committer on any of the BSD projects, and is mostly focused on networking, rather than development, so it is fair to call him a user
He walks us through a bug hunting session that started when he updated his wireless router
“My wireless-router configuration was complex: it involves routing, wireless in hostap mode, ipfw, snort, bridge, openvpn, etc.”
Provides helpful advice on writing problem reports to developers, including trying to reproduce your issue with as minimal a setup as possible. This both reduces the amount of setup a developer has to do to try to recreate your issue, and can often make it more obvious where the problem actually lies
As you might expect, the more he researched the problem, the more questions he had
The journey goes through the kernel debugger, learning dtrace, and reading some source code
In the end it seems the problem is that the bridge interface marks itself as down if none of the interfaces are in an ‘UP’ state. The wireless interface was in the unknown state, and was actually up, but when the wired interface was disconnected, this caused the bridge to mark it self as down. ***

How-to Install OpenBSD 5.9 plus XFCE desktop and basic applications

Now this is the way to do videos. Over at the RibaLinux blogspot site, we have a great video showing how to setup and install OpenBSD 5.9 with XFCE and basic desktop applications.
Along with the video tutorial, another nicety is the commands-used script, so you can see exactly how the setup was done, without having to pause/rewind the video to keep up. How to install PC-BSD 10.3
In addition to the OpenBSD 5.9 setup video, they just published a PC-BSD 10.3 installation video as well, check it out! ***

FreeBSD on xhyve tutorial

Originally only able to boot linux, xhyve, a “sort of” port of bhyve to OS X, can now run FreeBSD
This tutorial makes it much easier, providing a script
There are a few small command line flag differences from bhyve on FreeBSD
The tutorial also covers sharing a directory between the guest and the host, resizing and growing the disk for the guest, and converting a QEMU image to be run under xhyve ***

How to Configure SSHguard With IPFW Firewall On FreeBSD

It’s been a while, but UNIXMen has dropped on us another FreeBSD tutorial, this time on how to setup IPFW and ‘sshguard’ to protect your system.
In this tutorial they first lay down the rationale for picking IPFW as the firewall, but the reasons mainly boil down to IPFW being developed primarily on FreeBSD, and as such isn’t lagging behind when it comes to features / support.
Interestingly enough, they also go the route of adding their own /usr/local/etc/rc.firewall script which will be used to specify TCP/UDP ports to open through IPFW via the rc.conf file
Once that setup is complete (which you can just copy-n-paste) they then move onto ‘sshguard’ setup.
Specifically you’ll need to be sure to install the correct port/pkg, sshguard-ipfw in order to work in this setup, although sshguard-pf and friends are available also.
The article mentions that the name ‘sshguard’ can also be misleading, since it can be used to detect brute force attempts into a number of services.
From there a bunch of configuration is thrown at you, which will allow you to start making the most out of sshguard’s potential, well worth your read if you are using IPFW, or even PF and want to get the basics down of using sshguard properly. ***

FreeNAS Mini XL Video Unboxing

Beastie Bits

Amazon lists FreeBSD as 'Other Linux'

sbin/hammer: Make hammer commands print root volume path

sbin/hammer: Print volume list after volume-add|del

Front cover reveal for the upcoming 'FreeBSD Mastery: Advanced ZFS" book

If you don’t already have one, get your FreeBSD Pillow

Feedback/Questions

Daniel - SysVIPC
Shane - OpenToonz ***

136: This is GNN

JT Pennington — Wed, 06 Apr 2016 08:00:00 -0400

This week on the show, we will be interviewing GNN of the FreeBSD project to talk about the new TeachBSD initiative. That plus the latest BSD headlines, all coming your way right now!

This episode was brought to you by

Headlines

FreeBSD 10.3-RELEASE Announcement

FreeBSD 10.3 has landed, with extended support until April 30, 2018
This is likely to be the last extended support release, as starting with 11, the new support model will encourage upgrading to the latest minor version by ending support for the previous minor version approximately 2 months after each point release. The Major version / stable branch will still be supported for the same 5 year term. This will allow the FreeBSD project to move forward more quickly, while still providing the same level of long term support
The UEFI boot loader is much improved, and now supports booting root-on-ZFS, and the beastie menu
The beastie menu itself has been updated with support for ZFS Boot Environments
The CAM Target Layer (CTL) now supports High Availability, allowing the construction of much more advanced storage systems
The 64bit Linux Emulation Layer was backported
Reroot support was added, allowing the system to boot off of a minimal image, such as a mfsroot and then reload all of userland from a different root file system (such as iSCSI, NFS, etc)
The version of xz(1) has been updated to support multi-threaded compression
sesutil(8) has been introduced, making it easier to manage large storage nodes
Various ZFS updates
As usual, a huge number of driver updates are also included ***

How to use OpenBSD with Libreboot: detailed instructions

This tutorial covers installing OpenBSD on a Thinkpad X200 using Libreboot, a replacement for the traditional BIOS/firmware that comes from the manufacturer
“Since 5.9, OpenBSD supports EFI boot mode, which means that it also have had to support framebuffer out of the box, so lack of proprietary VGA BIOS blob is no longer a problem and you can boot it with unmodified Libreboot binary release 20150518.”
“In order to install OpenBSD on such a machine you will need someadditional preparations, since regular install59.fs won't work because bsd.rd doesn't have a framebuffer console.”
A few extra steps are required to get it going, but they are outlined in the post
This may be very interesting to those who prefer not to depend on binary blobs ***

Linking the FreeBSD base system with lld -- status update

The FreeBSD Foundation’s Ed Maste provides an update on the LLVM mailing list about the progress of replacing the GNU linker with the lld in the FreeBSD base system
“I'm pleased to report that I can now build a runnable FreeBSD system using lld as the linker (for buildworld), with a few workarounds and work-in-progress patches. I have not yet extensively tested the result but it is possible to login to the resulting system, and basic sanity tests I've tried are successful. Note that the kernel is still linked with ld.bfd.”
Outstanding Issues
- Symbol version support (PR 23231). FreeBSD uses symbol versioning for backwards compatibility
- Linker script expression support (PR 26731). The FreeBSD kernel linker scripts contain expressions not currently supported by lld
- Library search paths. GNU LD automatically searches /lib, and lld does not
- the -N flag makes the text and data sections RW and does not page-align data. It is used by boot loader components.
- The -dc flag assigns space to common symbols when producing relocatable output (-r). It is used by the /rescue build, which is a single binary assembled from a collection of individual tools (sh, ls, fsck, ...)
- -Y adds a path to the default library search path. It is used by the lib32 build, which provides i386 builds of the system libraries for compatibility with i386 applications.
With the ongoing work, it might be possible for FreeBSD 11 to use lld by default, although it might be best to wait to throw that particular switch ***

Your favorite billion user company using BSD just flipped on encryption for all their users -- and it took 15 Engineers to do it

With the help of Moxie Marlinspike’s Open Whisper Systems, WhatsApp has integrated the ‘Signal’ encryption system for all messages, class, pictures, and videos sent between individuals or groups
It uses public key cryptography, very similar to GPG, but with automated public key servers
It also includes a system of QR codes to verify the identity of individuals in person, so you can be sure the person you are talking to is actually the person you met with
WhatsApp runs their billion user network, using FreeBSD, with only about 50 engineers
Only 15 of those engineers we needed to work on the project that has now deployed complete end-to-end encryption across the entire network
The Wired article is very detailed and well worth the read ***

Interview - George Neville-Neil - gnn@freebsd.org / @gvnn3

Teaching BSD with Tracing

News Roundup

Faces of FreeBSD 2016: Scott Long

It’s been awhile since we’ve had a new entry into the “Faces of FreeBSD” series, but due to popular demand it’s back!
This installment features developer Scott Long, who currently works at NetFlix, previously at Yahoo and Adaptec.
Scott got a very early start into BSD, first discovering i386BSD 0.1 on a FTP server at Berkeley, back at 1992. From there on it’s been a journey, following along with FreeBSD since version 1.0 in 1993.
So what stuff can we blame Scott for? In his own words:

> I’ve been a source committer since 2000. I got my start by taking over maintainership of the Adaptec ‘aac’ RAID driver. From 2002-2006 I was the Release Engineer and was responsible for the 5.x and 6.x releases. Though the early 5.x releases were not great, they were necessary stepping stones to the success of FreeBSD 6.x and beyond. I’m exceptionally proud of my role in helping FreeBSD move forward during that time.

> I authored and maintained the ‘mfi’ and ‘mps’ storage drivers, the ‘udf’ filesystem driver, and several smaller sound and USB drivers. I’ve maintained, or at least touched, most of the storage device drivers in the system to some extent, and I implemented medium-grained locking on the CAM storage stack. Recently I’ve been working on overall system scalability and performance.

ASCII Flow

A website that lets to draw and share ASCII diagrams
Great for network layout maps, rack diagrams, protocol analysis etc
Use it in your presentations and slides
Sample ***

System Under Test: FreeBSD

Part of a series looking at testing across a number of projects
Outlines the testing framework of FreeBSD
Provides a mini-tutorial on how to run the tests
There are some other tests that are now covered, but this is due to a lack of documentation on the fact that the tests exist, and how to run them
There is much ongoing work in this area ***

Worst April Fools Joke EVER!

While a bad April Fool’s joke, it also shows some common misconceptions
The FreeBSD Foundation does not own the source repository, it is only the care taken of the trademark, and other things that require a single legal entity
OpenBSD and NetBSD are not ‘sub brands’ of FreeBSD
Bash was not ported to Windows, but rather Windows gained a system similar to FreeBSD’s linux_compat
It would be nice to have ZFS on Windows ***

Beastie Bits

Feedback/Question

135: Speciality MWL

JT Pennington — Wed, 30 Mar 2016 08:00:00 -0400

This week on the show, we interview author Michael W Lucas to discuss his new book in the FreeBSD

This episode was brought to you by

Headlines

OpenBSD 5.9 Released early

Finished ahead of schedule! OpenBSD 5.9 has officially landed
We’ve been covering some of the ongoing changes as they landed in the tree, but with the official release it’s time to bring you the final list of the new hotness which landed.
First up:
- Pledge - Over 70%! Of the userland utilities have been converted to use it, and the best part, you probably didn’t even notice
- UEFI - Laptops which are pre-locked down to boot UEFI only can now be installed and used - GPT support has also been greatly improved
- ‘Less’ was replaced with a fork from Illumos, and has been further improved
- Xen DomU support - OpenBSD now plays nice in the cloud
- X11 - Broadwell and Bay Trail are now supported
- Initial work on making the network stack better support SMP has been added, this is still ongoing, but things are starting to happen
- 802.11N! Specifically for the iwn/iwm drivers
- In addition to support for UTF-8, most other locales have been ripped out, leaving only C and UTF-8 left standing in the wake
- All and all, sounds like a solid new release with plenty of new goodies to play with. Go grab a copy now! ***

New routing table code (ART) enabled in -current

While OpenBSD 5.9 just landed, we also have some interesting work landing right now in -CURRENT as well. Specifically the new routing table code (ART) has landed:

> “I just enabled ART in -current, it will be the default routing table backend in the next snapshots.
> The plan is to squash the possible regressions with this new routing table backend then when we're confident enough, take its route lookup out of the KERNEL_LOCK(). Yes, this is one of the big steps for our network SMP improvements.
> In order to make progress, we need your help to make sure this new backend works well on your setup. So please, go download the next snapshot and report back.
> If you encounter any routing table regression, please make sure that you cannot reproduce it with your old kernel and include the output of # route -n show
> for the 2 kernels as well as the dmesg in your report.
> I know that simple dhclient(8) based setups work with ART, so please do not flood us too much. It's always great to know that things work, but it's also hard to keep focus ;)
> Thank your very much for your support!”

There you have it folks! If 5.9 is already too stale for you, time to move over to -CURRENT and give the new routing tables a whirl. ***

fractal cells - FreeBSD-based All-In-One solution for software development startups

Fractal Cells is a suite that transforms a stock FreeBSD installation into an instant “Startup Software Development Platform”
It Integrates ZFS, PostgreSQL, OpenSMTPD, NGINX, OpenVPN, Redmine, Jenkins, Zabbix, Gitlab, and Ansible, all under OpenLDAP common authentication
The suite is available under the 2-clause BSD license
Provides all of the tools and infrastructure to build your application, including code review, issue tracking, continuous integration, and monitoring
An interesting way to make it easier for people to start building new applications and startups on top of FreeBSD ***

LinuxSecrets publishes guide on installing FreeBSD ezJail

Covers all of the steps of setting up ezjail on FreeBSD
Includes the instructions for updating the version of the OS in the jail
In a number of places the tutorial uses:
> cat << EOF >> /etc/rc.conf > setting=”value”
Instead, use: sysrc setting=”value”
It is safer, and easier to type
When you create the jail, if you specify an IP address, it is expected that this IP address is already setup on the host machine
If instead you specify: ‘em0|192.168.1.105’ (where em0 is your network interface), the IP address will be added as an alias when the jail starts, and removed from the host when the jail is stopped
You can also comma separate a list of addresses to have multiple IPs (possibly on different interfaces) in the jail
Although recently posted, this appears as if it might be an update to a previous tutorial, as there are a few old references that have not been updated (pkg_add, rc.d/ezjail.sh), while the start of the article clearly covers pkg(8) ***

Interview - Michael W. Lucas - mwlucas@michaelwlucas.com /

@mwlauthor

New Book: “FreeBSD Mastery: Specialty Filesystems”

News Roundup

NetBSD on Dreamcast

Ahh the dreamcast, so much promise. So much potential. If you are still holding onto your beloved dreamcast hoping that someday Sega will re-enter the console market… Then give it up now!
In the meantime, you can now do something more interesting with that box taking up space in the closet. We have a link to a GitHub repo where a user has uploaded his curses-based slide-show for the upcoming Fort-Wayne, Indiana meetup.
Aside from the novelty of using a curses-based slide setup, the presenter will also be displaying them from his beloved dreamcast, which “of course” runs NetBSD 7
The slide source code is available, which you too can view / compile and find out details of getting NetBSD boot-strapped on the DC. ***

OPNsense 16.1.7 Released

captive portal: add session timeout to status info
firewall: fix non-report of errors when filter reload errors couldn’t be parsed
proxy: adjust category visibility as not all of them were shown before
firmware: fix an overzealous upgrade run when the package tool only changes options
firmware: fixed the binary upgrade patch from 15.7.x in FreeBSD’s package tool
system: removed NTP settings from general settings
access: let only root access status.php as it leaks too much info
development: remove the automount features
development: addition of “opnsense-stable” package on our way to nightly builds
development: opnsense-update can now install locally available base and kernel sets ***

“FreeBSD Mastery: Advanced ZFS” in tech review

Most of the tech review is finished
It was very interesting to hear from many ZFS experts that they learned something from reading the review copy of the book, I was not expecting this
Many minor corrections and clarifications have been integrated
The book is now being copy edited ***

Why OpenBSD?

Frederic Cambus gives us a nice perspective piece today on what his particular reasons are for choosing OpenBSD.
Frederic is no stranger to UNIX-Like systems, having used them for 20 years now. In particular starting on Slackware back in ‘96 and moving to FreeBSD from 2000-2005 (around the 4.x series)
His adventure into OpenBSD began sometime after 2005 (specific time unknown), but a bunch of things left a very good impression on him throughout the years.
First, was the ease of installation, with its very minimalistic layout, which was one of the fastest installs he had ever done.
Second was the extensive documentation, which extends beyond just manpages, but into other forms of documentation, such as presentations and papers as well.
He makes the point about an “ecosystem of quality” that surrounds OpenBSD:

> OpenBSD is an ecosystem of quality. This is the result of a culture of code auditing, reviewing, and a rigorous development process where each commit hitting the tree must be approved by other developers. It has a slower evolution pace and a more carefully planned development model which leads to better code quality overall. Its well deserved reputation of being an ultra secure operating system is the byproduct of a no compromise attitude valuing simplicity, correctness, and most importantly proactivity. OpenBSD also deletes code, a lot of code. Everyone should know that removing code and keeping the codebase modern is probably as important as adding new one. Quoting Saint-Exupery: "It seems that perfection is attained not when there is nothing more to add, but when there is nothing more to remove".

The article then covers security mechanisms, as well as the defaults which are turned specifically with an eye towards security.
All-in-all a good perspective piece about the reasons why OpenBSD is the right choice for Frederic, worth your time to read up on it if you want to learn more about OpenBSD’s differences. ***

BeastieBits

Feedback/Questions

134: Marking up the Ports tree

JT Pennington — Thu, 24 Mar 2016 08:00:00 -0400

This week on the show, Allan and I have gotten a bit more sleep since AsiaBSDCon, which is excellent since there is a LOT of news to cover. That plus our interview with Ports SecTeam member Mark Felder. So keep it

This episode was brought to you by

Headlines

FreeNAS 9.10 Released

OS:
- The base OS version for FreeNAS 9.10 is now FreeBSD 10.3-RC3, bringing in a huge number of OS-related bug fixes, performance improvements and new features. +Directory Services:
- You can now connect to large AD domains with cache disabled. +Reporting:
- Add the ability to send collectd data to a remote graphite server. +Hardware Support:
- Added Support for Intel I219-V & I219-LM Gigabit Ethernet Chipset
- Added Support for Intel Skylake architecture
- Improved support for USB devices (like network adapters)
- USB 3.0 devices now supported. +Filesharing:
- Samba (SMB filesharing) updated from version 4.1 to 4.3.4
- Added GUI feature to allow nfsv3-like ownership when using nfsv4
- Various bug fixes related to FreeBSD 10. +Ports:
- FreeBSD ports updated to follow the FreeBSD 2016Q1 branch. +Jails:
- FreeBSD Jails now default to a FreeBSD 10.3-RC2 based template.
- Old jails, or systems on which jails have been installed, will still default to the previous FreeBSD 9.3 based template. Only those machinesusing jails for the first time (or deleting and recreating their jails dataset) will use the new template. +bhyve: ++In the upcoming 10 release, the CLI will offer full support for managing virtual machines and containers. Until then, the iohyve command is bundled as a stop-gap solution to provide basic VM management support - ***

Ubuntu BSD's first Beta Release

Under the category of “Where did this come from?”, we have a first beta release of Ubuntu BSD.
Specifically it is Ubuntu, respun to use the FreeBSD kernel and ZFS natively.
From looking at the minimal information up on sourceforge, we gather that is has a nice text-based installer, which supports ZFS configuration and iSCSI volume creation setups.
Aside from that, it includes the XFCE desktop out of box, but claims to be suitable for both desktops and servers alike right now.
We will keep an eye on this, if anybody listening has already tested it out, maybe drop us a line on your thoughts of how this mash-up works out. ***

FreeBSD - a lesson in poor defaults

Former BSD producer, and now OpenBSD developer, TJ, writes a post detailing the defaults he changes in a fresh FreeBSD installation
Maybe some of these should be the defaults
While others are definitely a personal preference, or are not as security related as they seem
A few of these, while valid criticisms, but some are done for a reason
Specifically, the OpenSSH changes.
So, you’re a user, you install FreeBSD 10.0, and it comes with OpenSSH version X, which has some specific defaults
As guaranteed by the FreeBSD Project, you will have a nice smooth upgrade path to any version in the 10.x branch
Just because OpenSSH has released version Y, doesn’t mean that the upgrade can suddenly remove support for DSA keys, or re-adding support for AES-CBC (which is not really weak, and which can be hardware accelerated, unlikely most of the replacements)
“FreeBSD is the team trying to increase the risk.” Is incorrect, they are trying to reduce the impact on the end user
Specifically, a user upgrading from 10.x to 10.3, should not end up locked out of their SSH server, or otherwise confronted by unexpected errors or slowdowns because of upstream changes
I will note again, (and again), that the NONE cipher can NOT allow a user to “shoot themselves in the foot”, encryption is still used during the login phase, it is just disabled for the file transfer phase. The NONE cipher will refuse to work for an interactive session.
While the post states that the NONE cipher doesn’t improve performance that much, it infact does
In my own testing, chacha20-poly1305 1.3 gbps, aes128-gcm (fastest) 5.0 gbps, NONE cipher 6.3 gbps
That means that the NONE cipher is an hour faster to transfer 10 TB over the LAN.
The article suggests just removing sendmail with no replacement. Not sure how they expect users to deliver mail, or the daily/weekly reports
Ports can be compiled as a regular user. Only the install phase requires root
for ntpd, it is not clear that there is an acceptable replacement yet, but I will not that it is off by default
In the sysctl section, I am not sure I see how enabling tcp blackhole actually increases security at all
I am not sure that linking to every security advisory in openssl since 2001 is actually useful
Encrypted swap is an option in bsdinstall now, but I am not sure it is really that important
FreeBSD now uses the Fortuna PRNG, upgraded to replace the older Yarrow, not vanilla RC4.
“The resistance from the security team to phase out legacy options makes mewonder if they should be called a compatibility team instead.”
I do not think this is the choice of the security team, it is the ABI guarantee that the project makes. The stable/10 branch will always have the same ABI, and a program or driver compiled against it will work with any version on that branch
The security team doesn’t really have a choice in the matter. Switching the version of OpenSSL used in FreeBSD 9.x would likely break a large number of applications the user has installed
Something may need to be done differently, since it doesn’t look like any version of OpenSSL, (or OpenSSH), will be supported for 5 years ever again ***

ZFS Raidz Performance, Capacity and Integrity

An updated version of an article comparing the performance of various ZFS vdev configurations
The settings users in the test may not reflect your workload
If you are benchmarking ZFS, consider using multiple files across different datasets, and not making all of the writes synchronous
Also, it is advisable to run more than 3 runs of each test
Comparing the numbers from the 12 and 24 disk tests, it is surprising to see that the 12 mirror sets did not outperform the other configurations. In the 12 drive tests, the 6 mirror sets had about the same read performance as the other configurations, it is not clear why the performance with more disks is worse, or why it is no longer in line with the other configurations
More investigation of this would be required
There are obviously so other bottlenecks, as 5x SSDs in RAID-Z1 performed the same as 17x SSDs in RAID-Z1
Interesting results none the less ***

iXSystems

FreeNAS Mini Review

Interview - Mark Felder - feld@freebsd.org / @feldpos

Ports, Ports and more Ports

DigitalOcean

Digital Ocean's guide to setting up an OpenVPN server

News Roundup

AsiaBSDCon OpenBSD Papers

Undeadly.org has compiled a handy list of the various OpenBSD talks / papers that were offered a few weeks ago at AsiaBSDCon 2016.

Antoine Jacoutot (ajacoutot@) - OpenBSD rc.d(8) (slides | paper)
Henning Brauer (henning@) - Running an ISP on OpenBSD (slides)
Mike Belopuhov (mikeb@) - Implementation of Xen PVHVM drivers in OpenBSD (slides | paper)
Mike Belopuhov (mikeb@) - OpenBSD project status update (slides)
Mike Larkin (mlarkin@) - OpenBSD vmm Update (slides)
Reyk Floeter (reyk@) - OpenBSD vmd Update (slides)

Each talk provides slides, and some the papers as well. Also included is the update to ‘vmm’ discussed at bhyveCon, which will be of interest to virtualization enthusiasts. ***

Bitcoin Devs could learn a lot from BSD

An interesting article this week, comparing two projects that at first glance may not be entirely related, namely BitCoin and BSD.
The article first details some of the woes currently plaguing the BitCoin development community, such as toxic community feedback to changes and stakeholders with vested financial interests being unable to work towards a common development purpose.
This leads into the crux or the article, about what BitCoin devs could learn from BSD:

> First and foremost, the way code is developed needs change to stop the current negative trend in Bitcoin. The FreeBSD project has a rigid internal hierarchy of people with write access to their codebase, which the various Bitcoin implementations also have, but BSD does this in a way that is very open to fresh eyes on their code, allowing parallel problem solving without the petty infighting we see in Bitcoin. Anyone can propose a commit publicly to the code, make it publicly available, and democratically decide which change ends up in the codebase. FreeBSD has a tiny number of core developers compared to the size of their codebase, but at any point, they have a huge community advancing their project without hard forks popping up at every small disagreement. Brian Armstrong commented recently on this flaw with Bitcoin development, particularly with the Core Devs:

> “Being high IQ is not enough for a team to succeed. You need to make reasonable tradeoffs, collaborate, be welcoming, communicate, and be easy to work with. Any team that doesn’t have this will be unable to attract top talent and will struggle long term. In my opinion, perhaps the biggest risk in Bitcoin right now is, ironically, one of the things which has helped it the most in the past: the Bitcoin Core developers.”

A good summary of the culture that could be adopted is summed up as follows:

> The other thing Bitcoin devs could learn from is the BSD community’s adoption of the Unix Design philosophy. Primarily “Worse is Better,” The rule of Diversity, and Do One Thing and Do It Well. “Worse is Better” emphasizes using extant functional solutions rather than making more complex ones, even if they would be more robust. The Rule of Diversity stresses flexibility of the program being developed, allowing for modification and different implementations without breaking. Do one Thing and Do it well is a mantra of the BSD and Unix Communities that stresses modularity and progress over “perfect” solutions. Each of these elements help to make BSD a wildly successful open source project with a healthy development community and lots of inter-cooperation between the different BSD systems. While this is the opposite of what we see with Bitcoin at present, the situation is salvageable provided changes like this are made, especially by Core Developers.

All in all, a well written and interesting take on the FreeBSD/BSD project. We hope the BitCoin devs can take something useful from it down the road. ***

FreeBSD cross-compiling with gcc and poudriere

Cross-Compiling, always a challenge, has gotten easier using poudriere and qemu in recent years.
However this blog post details some of the particular issues still being face when trying to compile some certain ports for ARM (I.E. rPi) that don’t play nicely with FreeBSD’s default CLANG compiler.
The writer (Ben Slack) takes us through some of the work-arounds he uses to build some troublesome ports, namely lsof and libatomic_ops.
Note this is not just an issue with cross compile, the above mentioned ports also don’t build with clang on the Pi directly.
After doing the initial poudriere/qemu cross-compile setup, he then shows us the minor tweaks to adjust which compiler builds specific ports, and how he triggers the builds using poudriere.
With the actual Makefile adjustment being so minor, one wonders if this shouldn’t just be committed upstream, with some if (ARM) - USE_GCC=yes type conditional. ***

Nvidia releases new Beta graphics driver for FreeBSD

Added support for the following GPUs: GeForce 920MX & GeForce 930MX
Added support for the Vulkan API version 1.0.
Fixed a bug that could cause incorrect frame rate reporting on Quadro Sync configurations with multiple GPUs.
Added a new RandR property, CscMatrix, which specifies a 3x4 color-space conversion matrix.
Improved handling of the X gamma ramp on GF119 and newer GPUs. On these GPUs, the RandR gamma ramp is always 1024 entries and now applies to the cursor and VDPAU or workstation overlays in addition to the X root window.
Fixes for bugs and added several other EGL extensions ***

Beastie Bits

Feedback/Questions

133: The Tokyo Debrief

JT Pennington — Wed, 16 Mar 2016 08:00:00 -0400

This week on BSDNow, Allan and I are back from AsiaBSDCon and we have an interview with Brad Davis about the new “Packaging Base” call-for-testing. We’ll be sharing our thoughts and stories on how the week

This episode was brought to you by

Headlines

AsiaBSDCon 2016 - Wrap-up

FreeBSD gets Haswell graphics support in time for 11.0-RELEASE

The moment that many have been waiting for has finally arrived, support for Haswell graphics has been committed to FreeBSD -CURRENT
The brings the DRM/i915 code up to date with Linux kernel 3.8.13
Work has already started on updating to Linux kernel 3.9
It is hoped that subsequent updates will be much easier, and much faster
It does not appear to require setting the i915.preliminary_hw_support loader tunable ***

OpenBSD vmm/vmd Update

For the third year running, bhyvecon was held last week, during the lead up to AsiaBSDCon
Bhyvecon has expanded, and now covers all virtualization on BSDs
There were presentations on bhyve, Xen Dom0 on FreeBSD, Xen DomU for OpenBSD, and OpenBSD’s vmm
OpenBSD vmm started at the Brisbane 2015 hackathon in Australia
Work continued through the summer and fall thanks to funding by the OpenBSD Foundation
The presentation answered some outstanding questions, such as, why not just port bhyve?
Initial focus is OpenBSD on OpenBSD
Loader currently supports FreeBSD and NetBSD as well
After the initial commits, other developers joined in to help with the work
Reyk reworked the vmd and vmctl commands, to provide a better user interface
Future plans:
- Nested VMX
- i386 support
- AMD SVM support
- Filesystem passthru
- Live migration (with ZFS like command syntax)
Other developers are working on related projects:
- qemu interface: Allow qemu to be accelerated by the vmm backend, while providing emulated hardware, for legacy systems
- KVM interface: Make vmm look like KVM, so existing tools like openstack “just work” ***

Interview - Brad Davis - brd@freebsd.org / @so14k

Packaging Base

News Roundup

Packaging the base system with pkg(8)

The official call for testing for FreeBSD’s pkg(8)’d base is out
Users are requested to checkout the release-pkg branch, and build it as normal (buildworld, buildkernel)
Instead of installworld, run: make packages
This will produce a pkg repo in the /usr/obj directory
The post to the mailing list includes an example pkg repo config file to point to those packages
Run: pkg update -r FreeBSD-base
This will read the metadata from the new repository
Then run: pkg install -g 'FreeBSD-*'
This will find all packages that start with ‘FreeBSD-’ and install them
In the future, there will be meta packages, so you can just install FreeBSD-base and it will pull in other packages are dependencies
Currently, there are a large number of packages (over 700), because each shared library is packaged separately, and almost all optional features are in a separate package
The number of packages is also increased because there are separate -debug, -profiling, etc versions of each package
New features are being added to pkg(8) to mark important system components, like libc, as ‘vital’, so they cannot be deleted accidently
However, in the case of using pkg(8)’d base to create a jail, the administrator should be able to delete the entire base system
Classic conundrum: “UNIX does not stop you doing something stupid, as that would also stop you doing something clever”
Work is still ongoing
At AsiaBSDCon, after the interview was recorded, bapt@ and brd@ had a whiteboarding session and have come up with how they expect to handle the kernel package, to ensure there is a /boot/kernel.old for you to fall back to incase the newly installer kernel does not work correctly. ***

FreeBSD 10.3-RC2 Now Available

The second release candidate for FreeBSD 10.3 is now available for testing
Notable changes include:
- Import an upstream fix for ‘zfs send -i’ to avoid data corruption in specific instances
- Boot loaders and kernel have been taught to handle ELF sections of type SHT_AMD64_UNWIND. This does not really apply to FreeBSD 10.3, but is required for 11.0, so will make upgrades easier
- Various mkdb commands (/etc/services, /etc/login.conf, etc) commands now use fsync() instead of opening the files as O_SYNC, greatly increasing the speed of the database generation
From the earlier BETA3, the VFS improvements that were causing ZFS hangs, and the new ‘tryforward’ routing code, have been reverted
Work is ongoing to fix these issues for FreeBSD 11.0
There are two open issues:
- A fix for OpenSSH CVE-2016-3115 has not be included yet
- the re-addition of AES-CBC ciphers to the default server proposal list. AES-CBC was removed as part of the update to OpenSSH version 7.1p2, but the plan is to re-add it, specifically for lightweight clients who rely on hardware crypto offload to have acceptable SSH performance
Please go out and test ***

OPNsense 16.1.6 released

A new point-release of OPNsense has dropped, and apart from the usual security updates, some new features have been included

> + firmware: bootstrap utility can now directly install e.g. the development version
> + dhcp: all GUI pages have been reworked for a polished look and feel
> + proxy: added category-based remote file support if compressed file contains multiple files
> + proxy: added ICAP support (contributed by Fabian Franz)
> + proxy: hook up the transparent FTP proxy
> + proxy: add intercept on IPv6 for FTP and HTTP proxy options
> + logging: syslog facilities, like services, are now fully pluggable
> + vpn: stripped an invalid PPTP server configuration from the standard configuration
> + vpn: converted to pluggable syslog, menu and ACL
> + dyndns: all GUI pages have been reworked for a polished look and feel
> + dyndns: widget now shows IPv6 entries too
> + dns forwarder: all GUI pages have been reworked for a polished look and feel
> + dns resolver: all GUI pages have been reworked for a polished look and feel
> + dns resolver: rewrote the dhcp lease registration hooks
> + dns resolver: allow parallel operation on non-standard port when dns forwarder is running as well
> + firewall: hide outbound nat rule input for "interface address" option and toggle bitmask correctly
> + interfaces: fix problem when VLAN tags weren't generated properly
> + interfaces: improve interface capability reconfigure
> + ipsec: fix service restart behaviour from GUI
> + captive portal: add missing chain in certificate generation
> + configd: improve recovery and reload behaviour
> + load balancer: reordered menu entries for clarity
> + ntp: reordered menu entries for clarity
> + traffic shaper: fix mismatch for direction + dual interfaces setup
> + languages: updated German and French

Call for testing - ASLR patch

A patch that provides a first pass implementation of basic ASLR (Address Space Layout Randomization) for FreeBSD has been posted to the mailing list
“Stack gap, W^X, shared page randomization, KASLR and other techniques are explicitly out of scope of this work.”
“ASLR is enabled on per-ABI basis, and currently it is only enabled on native i386 and amd64 (including compat 32bit) ABIs. I expect to test and enable ASLR for armv6 and arm64 as well, later”
“Thanks to Oliver Pinter and Shawn Webb of the HardenedBSD project for pursuing ASLR for FreeBSD. Although this work is not based on theirs, it was inspired by their efforts.” ***

Feedback/Questions

132: Scaling up with BSD

JT Pennington — Tue, 08 Mar 2016 08:00:00 -0500

This week, Allan and I are away at AsiaBSDCon! (If you aren’t there, you are missing out). We will be back with a live episode next week. However, we’ve been asked for Allan to tell us about ScaleEngine’s

This episode was brought to you by

Interview - Allan Jude - allanjude@freebsd.org / @allanjude

Spotlight on ScaleEngine ***

Beastie Bits

131: BSD behind the chalkboard

JT Pennington — Wed, 02 Mar 2016 08:00:00 -0500

This week on the show, we have an interview with Jamie

This episode was brought to you by

Headlines

BSDCan 2016 List of Talks

We are all looking forward to BSDCan
Make sure you arrive in time for the Goat BoF, the evening of Tuesday June 7th at the Royal Oak, just up the street from the university residence
There will also be a ZFS BoF during lunch of one of the conference days, be sure to grab your lunch and bring it to the BoF room
Also, don’t forget to get signed up for the various DevSummits taking place at BSDCan. ***

What does Load Average really mean

Chris Siebenmann, a sysadmin at the University of Toronto, does some comparison of what “Load Average” means on different unix systems, including Solaris/IllumOS, FreeBSD, NetBSD, OpenBSD, and Linux
It seems that no two OSes use the same definition, so comparing load averages is impossible
On FreeBSD, where I/O does not affect load average, you can divide the load average by the number of CPU cores to be able to compare across machines with different core counts ***

GPL violations related to combining ZFS and Linux

As we mentioned in last week’s episode, Ubuntu was preparing to release their next version with native ZFS support. + As expected, the Software Freedom Conservancy has issued a statement detailing the legal argument why they believe this is a violation of the GPL license for the Linux kernel.
It’s a pretty long and complete article, but we wanted to bring you the summary of the whole, and encourage you to read the rest, since it’s good to be knowledgeable about the various open-source projects and their license conditions.

> “We are sympathetic to Canonical's frustration in this desire to easily support more features for their users. However, as set out below, we have concluded that their distribution of zfs.ko violates the GPL. We have written this statement to answer, from the point of view of many key Linux copyright holders, the community questions that we've seen on this matter. Specifically, we provide our detailed analysis of the incompatibility between CDDLv1 and GPLv2 — and its potential impact on the trajectory of free software development — below.

> However, our conclusion is simple: Conservancy and the Linux copyright holders in the GPL Compliance Project for Linux Developers believe that distribution of ZFS binaries is a GPL violation and infringes Linux's copyright. We are also concerned that it may infringe Oracle's copyrights in ZFS. As such, we again ask Oracle to respect community norms against license proliferation and simply relicense its copyrights in ZFS under a GPLv2-compatible license.”

DragonFly i915 reaches Linux 4.2

The port of the Intel i915 DRM/KMS Linux driver to DragonFlyBSD has been updated to match Linux kernel 4.2
Various improvements and better support for new hardware are included
One big difference, is that DragonFlyBSD will not require the binary firmware blob that Linux does
François Tigeot explains: "starting from Linux 4.2, a separate firmware blob is required to save and restore the state of display engines in some low-power modes. These low-power modes have been forcibly disabled in the DragonFly version of this driver in order to keep it blob-free."
Obviously this will have some disadvantage, but as those modes were never available on DragonFlyBSD before, users are not likely to miss them ***

Interview - Jamie McParland - mcparlandj@newberg.k12.or.us / @nsdjamie

FreeBSD behind the chalkboard ***

iXsystems

My New IXSystems Mail Server

News Roundup

Installing ELK on FreeBSD, Tutorial Part 1

Are you an ELK user, or interested in becoming one? If so, Gruppo Utenti has a nice blog post / tutorial on how to get started with it on FreeBSD.
Maybe you haven’t heard of ELK, but its not the ELK in ports, specifically in this case he is referring to “ElasticSearch/Logstash/Kibana” as a stack.
Getting started is relatively simply, first we install a few ports/packages:
- textproc/elasticsearch
- sysutils/logstash
- textproc/kibana43
- www/nginx
After enabling the various services for those (hint: sysrc may be easier), he then takes us through the configuration of ElasticSearch and LogStash. For the most part they are fairly straightforward, but you can always copy and paste his example config files as a template.
Follow up to Installing ELK on FreeBSD
Jumping directly into the next blog entry, he then takes us through the “K” part of ELK, specifically setting up Kibana, and exposing it via nginx publically.
At this point most of the CLI work is finished, and we have a great walkthrough of doing the Kibana configuration via their UI. We are still awaiting the final entry to the series, where the setup of ElastAlert will be detailed, and we will bring that to your attention when it lands. ***

From 1989: An Empirical Study of the Reliablity of Unix Utilities

A paper from 1989 on the results of fuzz testing various unix utilities across a range of available unix operating systems
Very interesting results, it is interesting to look back at before the start of the modern BSD projects
New problems are still being found in utilities using similar testing methodologies, like afl (American Fuzzy lop) ***

Google Summer of Code

Both FreeBSD
and NetBSD
Are running 2016 Google Summer of Code projects.
Students can start submitting proposals on March 14th.
In the meantime, if you have any ideas, please post them to the Summer Of Code Ideas Page on the FreeBSD wiki
Students can start looking at the list now and try to find mentors to get a jump start on their project. ***

High Availablity Sync for ipfw3 in Dragonfly

Similar to pfsync, this new protocol allows firewall dynamic rules (state) to be synchronized between two firewalls that are working together in HA with CARP
Does not yet sync NAT state, it seems libalias will need some modernization first
Apparently it will be relatively easy to port to FreeBSD
This is one of the only features ipfw lacks when compared to pf ***

Beastie Bits

Feedback/Questions

130: Store all the Things | BSD Now 130

JT Pennington — Wed, 24 Feb 2016 08:00:00 -0500

This week on BSDNow, Allan is back from the Storage Summit in Silicon Valley! We are going to get his thoughts on how the conference went, plus bring you the latest ZFS info discussed. That plus the usual BSD news is

This episode was brought to you by

Headlines

OpenBSD website operators urged to fix mind-alteringly bad bug

We start off a bit light-hearted this week, with the important, breaking news that finally a long-standing OpenBSD bug has been addressed for the HTTP daemon.
Specifically? It changes the default 404 page fonts away from Comic Sans, to a bit more crowd-pleasing alternative:
- “For some reason the httpd status pages (e.g. 404) use the Comic Sans typeface. This patch removes comic sans and sets the typeface to the default sans-serif typeface of the client.
- “This lowers the number of people contacting website maintainers with typeface complaints bordering on harassment”.
Operators running HTTPD are highly encouraged to update their systems to the latest code, right now……... No seriously, we are waiting for you. Get it done now and then we’ll continue with the show.

Registration for AsiaBSDCon 2016 is now open + Talk Schedule

After a few delays, the registration for AsiaBSDCon has now opened!
The conference starts in less than two weeks! now, so be sure to get signed up ASAP.
In addition the schedule has been posted, and here’s some of the highlights of this year’s conference.
In addition to FreeBSD and NetBSD dev summits on the first two days, we have some excellent tutorials being given this year by Kirk, Gnn, Dru and more! (https://2016.asiabsdcon.org/program.html.en)
The regular paper talks also have lots of good ones this year, including this crazy encrypted boot loader one given by our very own Allan Jude! ***

OPENBSD ON AWS : AN UNEXPECTED JOURNEY

We have a blog post from Antoine Jacoutot, talking about the process of getting OpenBSD up and running in AWS
It starts with his process of creating an AMI from scratch, which ended up not being that bad:
- create and loopback-mount a raw image containing a UFS filesystem extract the OpenBSD base sets (which are just regular tarballs) and kernel enable console output (so that one could “aws ec2 get-console-output”)
- install the boot loader on the image then use the ec2 tools to import the RAW image to S3, convert it into a volume (ec2-import-volume) which we can snapshot (ec2-create-snapshot) and create an AMI from (ec2-register)
The blog post also has a link to a script which automates this process, so don’t be daunted if you didn’t quite follow all of that.
Thanks to the recently landed DomU support, the final pieces of the puzzle fell into place, allowing OpenBSD to function as a proper guest (with networking!)
Next it details the process of injecting a public SSH key into the instances for instant remote access.
An ec2-init.sh script was created (also on github) which does the following:
- setting the hostname
- installing the provided SSH public key to /root/.ssh/authorized_keys
- executing user-data (if it starts with a shebang)
- displaying the host SSH fingerprints on the console (to match cloud-init)
With that done, OpenBSD is pretty much AWS ready! He then gives a brief walkthrough of setting up nginx for new users, but if you’ve already done this before then the instance is ready for you to hacking on.

Start thinking of ideas for things with FreeBSD for Google's 2016 Summer of Code

Students and Developers, listen up! It’s time to start thinking about GSoC again, and FreeBSD is looking to update its project ideas page.
There’s some good ones on the list, plus ones that should be pruned (such as GELI boot), but now is the time to start adding new ones before we get too deep into the process.
This goes for the other BSD’s as well, start thinking about your proposals, or if you are developer, which projects would be a good fit for mentoring.
(Improving the Linux Compat layer is one I think should be done!) Guide to getting started with kernel hacking
One of the things that’s been asked frequently is how to contribute towards the efforts to bring updated DRM / X drivers to the FreeBSD kernel.
Jean-Sébastien Pédron has started a great guide on the Wiki which details how to get started with the porting effort, and that developers need not be afraid of helping. ***

Storage Summit Roundup

Earlier this week a number of developers from FreeBSD, as well as various vendors that use FreeBSD, or provide products used with FreeBSD met for a Storage Summit, to discuss the future of these technologies
The summit was co-located with the USENIX FAST (Filesystems And Storage Technologies) conference
The summit was sponsored by the FreeBSD Foundation and FlightAware
After a short introduction, the event opened with a Networking Synergy panel
The focus of this panel was to see if there were techniques and lessons learned in improving the networking stack over the last 10 years that could be applied to improving the storage stack
A lot of time was spent discussing issues like multi-queue support, CPU scheduling, and ways to modernize the stack
CAM Scheduling & Locking Revamp
- No notes posted
User Space Storage Stack
- One of the user space storage stacks discussed was Diskmap
- Like netmap, but for disks (diskmap)
- Kernel bypass for accessing disks
- Ilias Marinos, who is working on diskmap at Cambridge University, described diskmap to the group
A design discussion then followed in which the memory management was covered as that's an issue for any sort of "IO" map system
- Action Items:
Discuss with Luigi the idea of code merges
Need a reset path API
Kernel buffer mapping for reliability
Support for other interfaces (SATA/SCSI)
GEOM layer adaptation
Adapting to New Storage Technologies
- This working group was led by Adrian Palmer, from Seagate
- SMR
- Persistent Memory
- Session 1: Device Identification and the structural requirements
  - Agenda: We'll look over the Identification nuances and what needs to change to support the structure. Support for IO order guarantees, forward-write only requirements, new commands and topology. Dig into CAM and GEOM layers. Solutions should be fast and have as few code paths as possible
  - Results: Small audience. We talked about zoned characteristics, and how it can be used in various workloads, projected to be implemented in years
- Session 2: Information dissemination and consumption
  - Agenda: Where and how will information from the report_zones command be gathered, stored, combined and used. This will include userspace storage and multi-volume management. Will CAM store this data, or will GEOM? How frequently will this need to be queried/updated/verified from the drive?
  - Results: Merged with ZFS working group to discuss SMR. Came up with idea that could be implemented as circular buffer zone type. Began to discuss solutions among developers
ZFS
- During the first session we discussed how to improve dedup support + A dedup throttle or cap was discussed. When the size of the DDT grows beyond this size, new entries would not be deduped.
  - An alternative to this was also discussed, where when the DDT reached the cap size, it would remove a random entry with only a single reference from the DDT to make room for the new entry. When a block is going to be freed, if it is not found in the DDT, it is assumed to have only 1 reference, and removed.
  - There was also discussion of replacing the DDT with an in-memory hash table and a “log” of increment/decrement operations, that is periodically compacted. The hash table is recreated from the log at pool import time. This would reduce the in-memory footprint of the DDT, as well as speed up all write operations as adding an entry to the dedup log will be less expensive than updating the DDT.
  - There was also discussion of using dedicated device(s) for the DDT, either using the DDT on SSD work by Nexenta, or the Metadata Classes work by Intel
- The first session also discussed Secure Delete and related things
  - The desire for an implementation of TRIM that uses the “secure erase” functionality provided by some disks was expressed
  - Overwriting sectors with patterns of garbage may be insufficient because SSDs may internally remap where a specific LBA physically resides
  - The possibility of using something like the “eager zero” feature to periodically write zeros over all free blocks in the pool to erase any lingering data fragments
  - Problems with the FreeBSD TRIM implementation were discussed, as well as looking at ways to implement the new ZFS TRIM implementation on FreeBSD
  - ABD (ARC Buf Data) was discussed, a new design that lessens the requirement for contiguous memory. Only a small area of contiguous blocks is reserved at boot, and compressed ARC blocks are constructed of scatter-gather lists of individual pages
- The second session combined with the SMR group and talked about SMR support in ZFS
  - Later in the second session ZFS Encryption was also discussed, mostly with a focus on what the use cases are
- The third session combined all of the groups for an overview of upcoming ZFS features including device removal and channel programs
- There was also a request for code review, for mostly finished projects like Persistent L2ARC, Writeback cache, and Large dnode support
Hallway Track
- ZFS / VFS Interaction
- Adrian Palmer has been a FreeBSD hobbyist since FreeBSD 7, and I think I managed to convince him to start contributing ***

News Roundup

One Week with NetBSD 7.0: Back to Unix basics

The author of this blog series is sending a week using NetBSD 7.0, following a previous series on Solaris 10
“This is actually familiar territory, as I've been using BSD variants almost exclusively since 2006. My recent SunOS explorations were triggered last summer by OpenBSD having choked on my current laptop's NVIDIA card, and from what I could see at the time, FreeBSD had the same problem, although I now know NVIDIA drivers exist for that system. The thing that keeps me from going all-in with FreeBSD 10.x, however, is the fact that Firefox crashes and leaves "core dump" messages in its wake, and I'm just not a Chrome kinda guy.”
“For those with a catholic taste in Unix, NetBSD is a keg party at the Vatican. If you're an absolute Unix beginner, or have been living on Ubuntu-based Linux distros for too long, then you may feel stranded at first by NetBSD's sparseness. You'll find yourself staring into the abyss and seeing only a blinking cursor staring back. If you have the presence of mind to type startx, you'll be greeted by twm, a window manager offering little more than an xterm window with the same blinking cursor until you learn how to configure the .twmrc file to include whatever applications you want or need in the right-click menu.”
“As for NetBSD itself, I can't think of any major productivity applications that can't be installed, and most multimedia stuff works fine.”
Issues the author hopes to sort out in later posts:
- Audio playback (youtube videos in Firefox)
- Wireless
- Flash
- Digital Camera SD Card readability, video playback
- Audacity
- A “fancy” desktop like Gnome 2, KDE, or xfce
In a follow-up post, the author got LibreOffice installed and sorted out the audio issues they were having
In a later follow-up XFCE is up and running as well ***

ZFS is for Containers in Ubuntu 16.04

As you may have heard, Ubuntu 16.04 will include ZFS -- baked directly into Ubuntu -- supported by Canonical
“ZFS one of the most beloved features of Solaris, universally coveted by every Linux sysadmin with a Solaris background. To our delight, we're happy to make to OpenZFS available on every Ubuntu system.”
What does “supported by Canonical” mean?
“You'll find zfs.ko automatically built and installed on your Ubuntu systems. No more DKMS-built modules”
“The user space zfsutils-linux package will be included in Ubuntu Main, with security updates provided by Canonical”
The article then provides a quick tutorial for setting up Linux Containers (LXC) backed by ZFS
In the example, ZFS is backed by a file on the existing disk, not by a real disk, and with no redundancy
However, the setup script seems to support using real block devices
The Software Freedom Conservancy is expected to issue a statement detailing their opinion on the legalities and licensing issues of bundling ZFS with Linux. ***

Polling is a Hack: Server Sent Events (EventSource) with gevent, Flask, nginx, and FreeBSD

A tutorial on setting up ‘Server-Sent Events’, also know as EventSource in javascript, to notify website clients of new data, rather than having the javascript constantly poll for new data.
The setup uses FreeBSD, nginx, gevent, Python, and the Flask framework
The tutorial walks through setting a basic Python application using the Flask framework
Then setting up the client side in Javascript
Then for the server side setup, it covers installing and configuring nginx, and py-supervisor on FreeBSD
The tutorial also includes links to additional resources and examples, including how to rate limit the Flash application ***

Why FreeBSD?

An excellent article written by Hamza Sheikh, discussing why FreeBSD is now his clear choice for learning UNIX.
The article is pretty well written and lengthy, but has some great parts which we wanted to share with you:

There were many rough edges in the Linux world and some of them exist even today. Choosing the right distribution (distro) for the task at hand is always the first and most difficult decision to make. While this is a strength of the Linux community it is also its weakness. This is exacerbated with the toxic infighting within the community in the last few years.

A herd of voices believes it is their right to bring down a distro community because it is not like their distro of choice. Forking upstream projects has somehow become taboo. Hurling abuse in mailing lists is acceptable. Helping new users is limited to lambasting their distro of choice. Creating conspiracy theories over software decisions is the way to go. Copyleft zealots roam social media declaring non-copyleft free software heretic abominations. It all boils down to an ecosystem soured by the presence of maniacs who have the loudest voices and they seem to be everywhere you turn.

Where is the engineering among all this noise? Btrfs - baking for a long time - is still nowhere near ZFS in stability or feature parity. systemd is an insatiable entity that feeds on every idea in sight and just devours indiscriminately. Wayland was promised years ago and its time has yet to arrive. Containers are represented by Docker that neither securely contains applications nor makes them easy to manage in production. Firewalling is dithering between firewalld, nftables, etc. SystemTap cannot match DTrace.

In the same time span what do various BSDs offer? pf, CARP, ZFS, Hammer, OpenSSH, jails, pkgsrc, (software) ports, DTrace, hardware portability; just to name a few. Few would deny that BSDs have delivered great engineering with free software licenses to the entire world. To me they appear to be better flag bearers of free software with engineering to back it.

He then goes through some of the various BSD’s and the specifics on why FreeBSD was the logical choice for his situation. But at the end has a great summary on the community as a whole:

Finally - and maybe repeating myself here - I have nothing but praise for the community. Be it BSD Now, mailing lists, Reddit, Twitter, LFNW, or SeaGL, people have encouraged me, answered my questions, and filed bugs for me. I have been welcomed and made a part of the community with open arms. These reasons are (good) enough for me to use FreeBSD and contribute to it.

BeastieBits

OPNsense 16.1.3 released

Copies of "FreeBSD Mastery: Specialty Filesystems" seen in the wild

pfsense training available in Europe

LiteBSD now has 50 ports in its ports tree

Ports tree locked for OpenBSD 5.9

“FreeBSD Filesystem Fun” at March semibug

Event #46 — Embedded Platforms (BSD, OpenWRT, Plan 9 & Inferno)

Feedback/Questions

129: Synthesize all the Things!

JT Pennington — Wed, 17 Feb 2016 08:00:00 -0500

Coming up this week, we will be talking to John Marino about his work on the ports-mgmt utility “Synth” and the cross-pollination between DragonFly and FreeBSD. That plus the latest news and your email here on

This episode was brought to you by

Headlines

glibc and the BSDs

You have likely already heard about CVE-2015-7547
“A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library.”
“Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.”
More details from Google’s Online Security team blog
“Naturally, people have started asking whether FreeBSD is affected. The FreeBSD Security Officer has not yet released an official statement, but in the meantime, here is a brief look at the issue as far as FreeBSD is concerned.”
“First of all: neither FreeBSD itself nor native FreeBSD applications are affected. While the resolver in FreeBSD’s libc and GNU libc share a common parentage, the bug was introduced when the latter was rewritten to send A and AAAA queries in parallel rather than sequentially when the application requests both.”
The same most likely applies to the other BSDs
“However, Linux applications running under emulation on a FreeBSD system use the GNU libc and are therefore vulnerable unless patched.”
A patch to update emulation/linux_base-c6 has been prepared and should be committed soon
Running ‘pkg audit’ will list any known vulnerable packages installed on your system
“The issue can be mitigated by only using resolvers you trust, and configuring them to avoid sending responses which can trigger the bug.”
“If you already have your own resolvers, you can configure them to avoid sending UDP responses larger than 2048 bytes. If the response does not fit in 2048 bytes, the server will send a truncated response, and the client should retry using TCP. While a similar bug exists in the code path for TCP requests, I believe that it can only be exploited by a malicious resolver, and interposing your own resolver will protect affected Linux systems and applications.”
Dag-Erling’s blog post also includes instructions and configuration examples for locking down your resolver, or setting up your own resolver if you don’t have one already ***

OpenBSD Foundation - 2016 Fundraising Campaign

The OpenBSD foundation has announced their 2016 fundraising campaign, and set the goal of raising $250k for the year.
While they mention that fundraising for 2015 didn’t hit 2014’s blockbuster numbers, it still exceeded the goal set, with an almost equal mix of corporate and community donors.

‘Our goal for 2016 is to increase the amount of support we offer for development, without compromising our regular support for the projects. We would like to:
Plan and support more developer events (hackathons), and allow for more developers to attend these events.
Continue to improve the project infrastructure.
Fund more dedicated developer time for targeted development of specific projects.‘

To give you an idea of how much OpenBSD technology is used around the world, they broke it down this way:

If $10 were given for every installation of OpenBSD in the last year from the master site (ignoring the mirrors) we would be at our goal.
If $2 were given for every download of the OpenSSH source code in the last year from the master site (ignoring the mirrors) we would be at our goal.
If a penny was donated for every pf or OpenSSH installed with a mainstream operating system or phone in the last year we would be at our goal.

Getting Started with ION-DTN 3.4.0 on FreeBSD

“The Interplanetary Overlay Network (ION) software distribution is an implementation of Delay-Tolerant Networking (DTN) architecture as described in Internet RFC 4838, suitable for use in spacecraft”
This tutorial covers setting up ION 3.4.0 on FreeBSD
The tutorial starts by downloading the ION software, and installing the relevant build tools
The instructions allow ION to be installed system-wide, or for a specific user
The each host is configured
Then pings are traded between the hosts to ensure everything works
Then a web page is served over the interplanetary network
Sadly I don’t have any hosts on other planets to test with.
The tutorial also includes a troubleshooting guide ***

Open Storage Issue – New BSD Mag is Out!

The next issue of BSDMag (The Open Storage Issue) just landed which features an interview with Matt Olander of iXsystems.
During the interview, Matt talks about the culture of support for open-source down at iX, not only FreeNAS and PC-BSD, but the FreeBSD foundation, Slackware and more.
He also gets to extol the virtues of the open-source development model itself, why it tends to lead to better code overall.
In addition to the lead interview with Matt, this issue also features some other great interviews with Open Source storage vendors, and even some ZFS howto’s about setting up your ZIL devive ***

Interview - John Marino - marino@freebsd.org

FreeNAS with FreeBSD as its base helped save taxpayers $36,000 for a small public school district

News Roundup

Getting Started With Tor Hidden Services on FreeBSD

Ever wondered how to setup and use a Tor hidden service? We have a walkthrough posted over on github.io which details how to do that on a FreeBSD -CURRENT system.
The basics are pretty simple, installing security/tor is the first step (although, he is using portmaster, you may wish to just ‘pkg install security/tor’)
The walkthrough provides an example server hosting just the date/time on port 8080, which you can use as an example and to verify it works, before serving anything real.
Once a local server is ready to serve something, the Tor setup is pretty quick, basically just two lines of config in torrc:

HiddenServiceDir /usr/home/tor/hidden_service/

HiddenServicePort 80 127.0.0.1:8080

After starting the service, the walkthrough will show you how to get the new hostname for this hidden service and verify its functionality.

ZFS Remote Mirrors for Home Use

A recently updated tutorial on remotely mirroring your ZFS files
Using a spare old computer, or a SBC like a Raspberry Pi, and an (external) hard drive
It covers installing and configuring FreeBSD for both sides of the remote replication
The new appendix covers the creation of a Raspberry Pi image, although a prebuilt one is also provided
The setup uses GELI to ensure the data is encrypted at-rest
Updating and maintaining both systems is covered in detail
The article is very detailed, and covers pretty much every aspect of the setup, including suggestions on where to physically locate the remote system, and configuration tips to reduce the chance that local intervention will be required
Most importantly, it covers the disaster recovery steps. How to get your files back when bad things happen ***

Lumina Desktop 0.8.8 Released

PC-BSD’s very own Lumina desktop has issued a new release, 0.8.8
Notable in this release is support for NetBSD out of box, improvements to the start menu, and ability to change monitor resolutions in the X configuration tool. (Also the desktop font colors look better!)
0.8.8 is now available in PC-BSD via pkg, and FreeBSD ports/pkg system as well.
Lumina Desktop aims for v1.0 in July 2016
We also have a blog post from Larry over at FossForce, highlighting that 1.0 of Lumina is still targeted for July(ish) ***

NetBSD on Google's Compute Engine

A NetBSD developer has gotten NetBSD running on Google Compute Engine, a service somewhat similar to Amazon’s EC2, and Microsoft’s Azure
Support is still being worked on, but I imagine it will land in NetBSD before too long
NetBSD on GCE dmesg
OpenBSD on GCE
FreeBSD on GCE ***

BeastieBits

htop 2.0 released - an interactive process viewer for Unix (including FreeBSD and OpenBSD)

Full set of binary packages for 7.0 released for ARM v6 and v7 (hf)

DragonFly 4.4.2 released

LibertyBSD 5.8 has been released

Broadwell systems may want to take advantage of the patch by Imre Vadasz

Finding the hard-to-spot bugs in FreeBSD

Feedback/Questions

128: The State of BSD

JT Pennington — Wed, 10 Feb 2016 08:00:00 -0500

This week on BSDNow, we interview Nick Wolff about how FreeBSD is used across the State of Ohio and some of the specific technology used. That, plus the latest news is coming your way right now on BSDNow, the place to

This episode was brought to you by

Headlines

Doc like an Egyptian: Managing project documentation with Sphinx

In case you didn’t make it out to SCALE a few weeks back, we have a great interview with Dru Lavigne over at OpenSource.com which goes over her talk on “Doc like an Egyptian”.
In particular she discusses the challenges of running a wiki for documentation for PC-BSD and FreeNAS which prompted the shift to using Sphinx instead.

> “While the main purpose of a wiki is to invite user contributions and to provide a low barrier to entry, very few people come to write documentation (however, every spambot on the planet will quickly find your wiki, which creates its own set of maintenance issues).

> Wikis are designed for separate, one-ish page infobytes, such as how-tos. They really aren't designed to provide navigation in a Table of Contents or to provide a flow of Chapters, though you can hack your pages to provide navigational elements to match the document's flow. This gets more difficult as the document increases in size—our guides tend to be 300+ pages. It becomes a nightmare as you try to provide versioned copies of each of those pages so that the user is finding and reading the right page for their version of software.

> While wiki translation extensions are available, how to configure them is not well documented, their use is slow and clunky, and translated pages only increase the number of available pages, getting you back to the problems in the previous bullet. This is a big deal for projects that have a global audience.

> While output-generation wiki extensions are available (for example, to convert your wiki pages to HTML or PDF), how to configure them is not well documented, and they provide very little control for the layout of the generated format. This is a big deal for projects that need to make their documentation available in multiple formats.“

She then discusses some of the hurdles of migration from the Wiki to Sphinx, and follows up with some of the differences using Sphinx you should be aware of for any documentation project.

> “While Sphinx is easy to learn, it does have its quirks. For example, it does not support stacked tags. This means, for example, you can not bold italic a phrase using tags—to achieve that requires a CSS workaround. And, while Sphinx does have extensive documentation, a lot of it assumes you already know what you are doing. When you don't, it can be difficult to find an example that does what you are trying to achieve.

> Sphinx is well suited for projects with an existing repository—say, on github—a build infrastructure, and contributors who are comfortable with using text editors and committing to the repo (or creating, say, git pull requests).“

Initial FreeBSD RISC-V Architecture Port Committed.

Touching on a story we mentioned a few weeks back, we have a blog post from from Annie over at the FreeBSD foundation talking about the details behind the initial support for RISC-V.
To start us off, you may be wondering what is RISC-V and what makes it special?RISC-V is an exciting new open-source Instruction-Set Architecture (ISA) developed at the University of California at Berkeley, which is seeing increasing interest in the embedded systems and hardware-software research communities.
Currently the improvements allows booting FreeBSD in the Spike simulator, from the university of Berkeley, with enough reliability to do various things, such as SSH, shell, mail, etc.
The next steps include getting multi-core support working, and getting it working in simulations of Cambridge’s open-source LowRISC System-on-Chip functioning, and ready for early hardware.
Both ports and packages are expected to land in the coming days, so if you love hacking on branch new architectures, this may be your time to jump in. ***

FreeBSD Bhyve hypervisor supporting Windows UEFI guests

If you have not been following bhyve lately, you’re in for a treat when FreeBSD 10.3 ships in the coming weeks
bhyve now supports UEFI and CSM booting, in addition to its existing FreeBSD userboot loader, and grub-bhyve port
The EFI support allows Windows guests to be run on FreeBSD
Due to the lack of graphics, this requires making a custom .iso to do an ‘Unattended Install’ of Windows, but this is easily done just editing and including a .xml file
The bootrom can now allocate memory
Added some SATA command emulations (no-op)
Increased the number of virtio-blk indirect descriptors
Added a Firmware guest query interface
Add -l option to specify userboot path FreeBSD Bhyve Hypervisor Running Windows Server 2012 R2 Standard
In related news, TidalScale officially released their product today
TidalScale is a commercial product based on bhyve that allows multiple physical machines to be combined into a single massive virtual machine, with the combined processor power, memory, disk I/O, and network capacity of all of the machines ***

FreeBSD TACACS+ GNS3 and Cisco 3700 Router

“TACACS+ – (Terminal Access Controller Access Control System plus) — is a session protocol developed by Cisco.”
This tutorial covers configuring FreeBSD and the tac_plus4 port to act as an authentication, authorization, and accounting server for Cisco routers
The configuration of FreeBSD, the software, and the router are covered
It also includes how to set the FreeBSD server up as a VM on windows, and bridge it to the network
I am sure there are some network administrators out there that would appreciate this ***

Interview - Nick Wolff - darkfiberiru@gmail.com / @darkfiberiru

News Roundup

Papers We Love Presents : Bryan Cantrill on Jails & Solaris Zones

The folks over at NYCBug point us to “Papers We Love”, a New York based meetup group where past papers are presented. They have a talk scheduled for tomorrow (Feb 11th) with Bryan Cantrill discussing Jails and Solaris Zones
The talk starts at 7PM at the Tumblr building, located between 5th and Park Ave South on 21st street
“We're crazy excited to have Bryan Cantrill, CTO of Joyent, formerly of Sun Microsystems, presenting on Jails: Confining the omnipotent root. by Poul-Henning Kamp and Robert Watson and Solaris Zones: Operating System Support for Consolidating Commercial Workloads by Dan Price and Andy Tucker!”
The abstract posted gives us a sneak peak of what to expect, first covering jails as a method to “partition” the operating system environment, but maintaining the UNIX “root” model.
Next it looks like he will compare and contrast with the Solaris Zones functionality, which creates virtualized application execution environments, within the single OS instance.
Sounds like a fantastic talk, hopefully somebody remembers to record and post it for us to enjoy later!
There will not be a live stream, but a video of the event should appear online after it has been edited ***

FreeBSD Storage Summit

The FreeBSD Foundation will be hosting a Storage Summit, co-located at the USENIX FAST (Filesystems And Storage Technology) conference
Developers and Vendors are invited to work on storage related issues
This summit will be a hackathon focused event, rather than a discussion focused devsummit
After setup and introductions, the summit will start with a “Networking Synergies Panel”, to discuss networking as it relates to storage
After a short break, the attendees will break up into a number of working groups focused on solving actual problems
The current working groups include:
CAM Scheduling & Locking, led by Justin Gibbs: “Updating CAM queuing/scheduling and locking models to minimize cross-cpu contention and support multi-queue controllers”
ZFS, led by Matt Ahrens: topics will include enabling the new cryptographic hashes supported by OpenZFS on FreeBSD, Interaction with the kernel memory subsystem, and other upcoming features.
User Space Storage Stack, led by George Neville-Neil
This event offers a unique opportunity for developers and vendors from the storage industry to meet at an event they will likely already be attending ***

Tor Browser 5.5 for OpenBSD/amd64 -current is completed

“The Tor BSD Diversity Project (TDP) is proud to announce the release of Tor Browser (TB) version 5.5 for OpenBSD. Please note that this version of TB remains in development mode, and is not meant to ensure strong privacy, anonymity or security.”
“TDP (https://torbsd.github.io) is an effort to extend the use of the BSD Unixes into the Tor ecosystem, from the desktop to the network. TDP is focused on diversifying the Tor network, with TB being the flagship project. Additional efforts are made to increase the number of *BSD relays on the Tor network among other sub-projects”
Help test the new browser bundle, or help diversify the Tor network ***

“FreeBSD Mastery: Advanced ZFS” Table of Contents

We brought you the news about sponsoring the Advanced ZFS book that MWL is working on, now Michael has given us the tentative chapter layout of the (sure to be a classic) tome coming from him and Allan.
- 0: Introduction
- 1: Boot Environments
- 2: Delegation and Jails
- 3: Sharing
- 4: Replication
- 5: zvols
- 6: Advanced Hardware
- 7: Caches
- 8: Performance
- 9: Tuning
- 10: ZFS Potpourri
In addition to the tease about the upcoming book, michael has asked the community for assistance in coming up with the cover art for it as well.
In particular it should probably be in-line with his previous works, with a parody of some other classic art-work.
If you have something, go tweet out to him at @mwlauthor

Beastie Bits

Feedback/Questions

127: DNS, Black Holes & Willem

JT Pennington — Wed, 03 Feb 2016 08:00:00 -0500

Today on the show, we welcome Allan back from FOSSDEM, and enjoy an interview with Willem about DNS and MTU Black Holes. That plus all the weeks news, keep it turned here to BSD

This episode was brought to you by

Headlines

FreeBSD Quarterly Status Report

It is that time of year again, reviewing the progress of the FreeBSD project over the last quarter of 2015
There are a huge number of projects that have recently been completed or that are planned to finish in time for FreeBSD 10.3 or 11.0
This is just a sample of the of the items that stood out most to us:
A number of new teams have been created, and existing teams report in. The Issue Triage, bugmeister, jenkins, IPv6 advocacy, and wiki-admin teams are all mentioned in the status report
Progress is reported on the i915 project to update the Intel graphics drivers
In the storage subsystem: RCTL I/O rate limiting, Warner Losh’s CAM I/O Scheduler is progressing, Mellanox iSCSI Extensions for RDMA (iSER) was added, Chelsio iSCSI offload drivers, Mellanox 100 gbit/s drivers
In Security: Encrypted crash dumps, OpenBSM updates, and a status report on HardenedBSD
For embedded: Support for Ralink/Mediatek MIPS devices, Raspberry Pi Video Code packages, touch screen support for RPI and BBB, new port to the Marvell Armada38x, and the work on arm64 and RISC-V
kib@ rewrote the out-of-memory handler, specifically to perform better in situations where a system does not have swap. Was tested on systems ranging from 32 MB of memory, to 512 GB
Various improvements to the tool chain, build system, and nanobsd
It was nice to see a bunch of reports from ports committers
An overview of the different proposed init replacements, with a report on each ***

First timer’s guide to FOSS conferences

This post provides a lot of good information for those considering going to their first conference
The very first item says the most: “Conference talks are great because they teach you new skills or give you ideas. However, what conference talks are really for is giving you additional topics of conversation to chat with your fellow conference goers with. Hanging out after a talk ends to chat with the speaker is a great way to connect with speakers or fellow attendees that are passionate about a particular subject.”
The hallway track is the best part of the conference. I’ve ended up missing as much as 2/3rds of a conference, and still found it to be a very valuable conference, sometimes more so than if I attend a talk in every slot
It is important to remember that missing a talk is not the end of the world, that discussion in the hallway may be much more valuable. Most of the talks end up on youtube anyway. The point of the conference is being in the same place as the other people at the conference, the talks are just a means to get us all there.
There is even a lot of good advice for people with social anxiety, and those like Allan who do not partake in alcohol
Know the conference perks and the resources available to you. The author of the post commented on twitter about originally being unaware of the resources that some conferences provide for speakers, but also of discounts for students, and travel grants from Google and others like the FreeBSD Foundation
There are also tips about swag, including watching out for booth wranglers (not common at BSD events, but many larger conferences have booths where your personal information can be exchanged for swag), as well as advice for following up with the people you meet at conferences.
Lastly, it provides thoughts on avoiding “Project Passion Explosion“, or what I call “overcharging your BSD battery”, where after hearing about the interesting stuff other people are doing, or about the things other need, you try to do everything at once, and burn yourself out
I know for myself, there are at least 10 projects I would love to work on, but I need to balance my free time, my work schedule, the FreeBSD release schedule, and which items might be better for someone else to work on. ***

FreeBSD 10.1 based WiFi Captive Portal

Captive portals, the bane of many a traveler’s existence, however a necessary evil in the era of war-driving and other potentially nefarious uses of “free-wifi”.
This week we have an article from the folks at “unixmen”, showing (in great detail) how they setup a FreeBSD 10.1 based captive portal, and yes those are manual MySQL commands.
First up is a diagram showing the layout of their new portal system, using multiple APs for different floors of the apartment / hotel?
The walkthrough assumes you have Apache/MySQL and PHP already installed, so you’ll need to prep those bits beforehand.
Some Apache configuration is up next, which re-directs all port 80 requests over to 443/SSL and the captive portal web-login
At this point we have to install “pear” from ports or packages and begin to do the database setup which is fairly typical if you done any SQL before, such as create user / database / table, etc.
With the database finished, the article provides a nice and clean rc.conf which enables all the necessary services.
Next up is the firewall configuration, which is using IPFW, specifically DUMMYNET/IPALIAS/IPDIVERT and friends. The article does mention to compile a new minimal kernel with these features, if you plan on doing so they I would recommend starting off with that.
The article then continues, with setting up DHCP server, SUDO and the PHP file creation that will act as the interface between the client and mysql/firewall rules.
When it’s all said and done, you end up with a nice web-interface for clients, plus a bonus Admin interface to manage creating and removing users.
For convenience at the very end is a link to all the files / configurations used, so grab that and avoid some of the copy-n-paste ***

Sailor, a 'wannabe' portable container system {their own words!}

In the world of docker / jails / VMs, containers are all the rage right now, and now we can introduce “Sailor” to this mix
A unique thing about this new solution, is that its based upon chroot/pkgin, and available on NetBSD / OSX and CentOS
Since it is not using “jail” or other security mechanism, they to give us this cavet “Note that sailor's goal is not to provide bullet-proof security, chroot is definitely not a trustable isolator; instead, sailor is a really convenient way of trying / testing an environment without compromising your workstation filesystem.”
Creating a new “ship” is relatively straight-forward, a simple shell define file can supply most of the relevant information. Nginx for example is only a few lines: https://github.com/NetBSDfr/sailor/blob/master/examples/nginx.conf
In addition to the basic pkg configuration, it also provides methods to do rw/ro mounts into the chroot, as well as IP aliases and copying of specific host binaries into the container ***

Interview - Willem Toorop - willem@nlnetlabs.nl / @WillemToorop

GetDNS
vBSDCon 2015 Talk ***

News Roundup

A Quarter Century of Unix

An oldie, but goodie, the book “A Quarter Century of UNIX” is now available for free download via PDF format.
This provides an invaluable look into the history of UNIX, which of course we wouldn’t have BSD without.
There is also a print version still available via Amazon (link at the above URL also). If you find the book useful, consider buying a copy, since a % still goes to the original author ***

Bjoern Zeeb has been awarded grant to finalize VIMAGE fixes

“Bjoern Zeeb has been awarded a project grant to finalize and integrate the work done to make the VIMAGE network stack virtualization infrastructure production ready.”
VIMAGE is the network virtualization kernel component that can be used to give jails their own network interfaces, so they can have their own firewalls, be assign addresses via DHCP, etc.
Currently, a number of bugs prevent this feature from being enabled by default, or used in production
The main areas of focus for the work are: network stack teardown, interface ordering, locking, and addressing the remaining memory leaks at teardown
The work is expected to be completed by the end of March and to be included in FreeBSD 11.0 ***

Building a smtpd Mail Server on OpenBSD

The OpenSMTPd FAQ has been updated with a new walkthrough of a complete installation
Following this guide, the resulting installation will:
Accepting mails for multiple domains and virtual users
Allowing virtual users to authenticate and send mails
Applying anti-spam and anti-virus filters on mails
Providing IMAP access for the virtual users
Providing log statistics
It covers setting up the new filter system, configuring TLS, creating the domain and user tables, configuring spamassassin and clamav, and setting up dovecot
There is even a crontab to send you weekly stats on what your email server is doing ***

Introduction to the FreeBSD Open Source Operating System LiveLessons

Dr. Kirk McKusick has been one of the foremost authorities on FreeBSD for some time now, as co-author of the D&I of FreeBSD (along with George Neville-Neil and Robert Watson) and teaching numerous classes on the same. (Another good reason to come to a *BSD conference)
As part of the Addison-Wesley Professional / LiveLessons series, he has made a 10+ hour video lecture you can now purchase to take his class from the comfort of your own home/couch/office/etc
Aspiring FreeBSD developers, kernel developers, Application Developers and other interested individuals should really consider this invaluable resource in their learning.
- The video starts with an introduction to the FreeBSD community and explains how it differs from the Linux ecosystem. The video then goes on to provide a firm background in the FreeBSD kernel. The POSIX kernel interfaces are used as examples where they are defined. Where they are not defined, the FreeBSD interfaces are described.
- The video covers basic kernel services, locking, process structure, scheduling, signal handling, jails, and virtual and physical memory management.
- The kernel I/O structure is described showing how I/O is multiplexed and the virtual filesystem interface is used to support multiple filesystems.
- Devices are described showing disk management and their auto-configuration.
- The organization and implementation of the fast filesystem is described concluding with a discussion of how to maintain consistency in the face of hardware or software failures.
- The video includes an overview of the ZFS filesystem and covers the socket-based network architecture, layering and routing issues.
- The presentations emphasize code organization, data structure navigation, and algorithms.
Normally the video will set you back $299, but right now you can pick it up for $239 (USD). We can’t recommend this enough, but also don’t forget to try and make it out to BSDCan or MeetBSD, where you can usually talk to Dr. McKusick in person. ***

BeastieBits

Feedback/Questions

126: Illuminating the future on PC-BSD

JT Pennington — Wed, 27 Jan 2016 08:00:00 -0500

This week on BSDNow, we are going to be talking to Ken Moore about the Lumina desktop environment, where it stands now & looking ahead. Then Allan turns the tables & interviews both Kris & Ken about new ongoings in PC-BSD land. Stay tuned, lots of exciting show is coming your way right now on BSDNow, the place to B...SD!

This episode was brought to you by

Headlines

Linuxvoice reviews six NAS designed OSes and states that FreeNAS has the largest amount of features

The review compares the features of: FreeNAS, NAS4Free, Open Media Vault, Openfiler Community Edition, EasyNAS, and Turnkey Linux File Server
“Many NAS solutions can do a lot more than just back up and restore files – you can extend them with plugins to do a variety of tasks. Some enable you to stream media to computers and others devices. Others can hook up with apps and services and allow them to use the NAS for storing and retrieving data”
Open Media Vault: 4/5, “A feature-rich NAS distro that’s easy to deploy and manage”. Many plugins, good UI
Turnkey Linux File Server: 2/5, “A no-fuss distro that’ll set up a fully functional file sharing server in no time”. No RAID, LVM must be down manually
Openfiler Community Edition: 1/5, “There is a target segment for Openfiler, but we can’t spot it”. In the middle of rebasing on CentOS, lacking documentation, confusing UI
EasyNAS: 3/5, “A simple NAS distro that balances the availability of features with reasonable assumptions”. Major updates require reinstall, lacks advanced features and advanced protocols
FreeNAS: 3/5, “FreeNAS The most feature-rich NAS distribution requires some getting used to”. Best documentation, best snapshot management, most plugins, jailed plugins, most enterprise features
NAS4Free: 3/5, “NAS4Free An advanced NAS distro that’s designed for advanced users”, additional flexibility with disk layout (partition the first disk to install the OS there, use remaining space for data storage)
“If we had to award this group test to the distro with the biggest number of features then the top two challengers would have been FreeNAS and its protegée NAS4Free. While both of these solutions pitch themselves to users outside the corporate environment, they’d simply be overkill for most home users. Furthermore, their FreeBSD base and the ZFS filesystem, while a boon to enterprise users, virtually makes them alien technology to the average Linux household.”
It is not clear why they gave NAS4Free and FreeNAS the same score when they wrote a list of reasons why FreeNAS was better.
It seems the goal of their rundown was to find the best Linux NAS, not the best NAS. ***

FreeBSD based Snort IPS

UnixMen.com provides a new tutorial on setting up Snort, the IPS (Intrusion Prevention system) on FreeBSD
Install Apache, PHP, and MySQL, then Snort
Download the latest Snort rules from the official website
Disable the Packet Filter on the USB interfaces to avoid issues with Snort
Install oinkmaster and barnyard2, and configure them
Then install the Snorby WEB interface, which will give you a nice overview of the data generated by the IPS
Then install SnortSAM, and connect it to ipfw
Now when Snort detects a potential intrusion, it will be displayed in Snorby, and automatically blocked with IPFW ***

Opensource.com features two BSD developers as examples of how open source can help your career

“When contributing to open source projects and communities, one of the many benefits is that you can improve your tech skills. In this article, hear from three contributors on how their open source helped them get a job or improved their career.”
Alexander Yurchenko, an OpenBSD developer who now works at Yandex says: “Participating in such a project yields colossal experience. A good, large open source project has everything that is typically required from a developer at job interviews: good planning, good coding, use of versioning systems and bug trackers, peer reviews, teamwork, and such. So, after stewing in such an environment for a year or two, you have a good opportunity to grow to a senior developer level.”
“That is, in fact, what happened to me. I was hired as a senior developer without having any formal work experience on my service record. After the first week, my probation period was reduced from three months to zero.”
While you may not have “formal work experience”, you do have a body of work, a (code/documentation/etc) portfolio, you can point to
Having spent a year working somewhere may say something about you, but showing some code you wrote that other people use every day, is usually more valuable
Alexander Polyakov, a DragonFly contributor, worked on updating support for other languages and on ACPI.
“I even made some money in the process—a customer found me via git log. He wanted to use DragonFlyBSD in production and needed better ACPI support and some RAID driver or something.”
“In a nutshell, contributing to various open source projects is how you gain great experience. Don't be afraid to send in bad code (happens to the best of us), keep calm (while being scolded for sending in that bad code), and choose projects you are really interested in. Then you'll both gain experience and have fun while you doing it.”
Kirill Gorkunov talks about his experience with turning open source into a career: “For a few years, I've been fixing the code, sending patches, getting scolded for bad code and complimented for good code. That experience was priceless. And you can be sure that as soon as you get good at it, job offers will follow. This is, in fact, how I met the kernel developers working on OpenVZ. Together, we decided to continue working on the OpenVZ kernel and related stuff as well”
When you contribute to open source, you end up being the person who wrote “Foo”, and this can often turn into work, when someone wants to build something with “Foo”, or like “Foo”
This same point was focus of a panel the FreeBSD Foundation organized at the womENcourage conference in Sweden last year: Open Source as a Career Path ***

FreeBSD, LibreSSL and LetsEncrypt oh my!

Over on the FreeBSD Wiki, Bernard Spil (whom we’ve interviewed before) has started a walkthrough talking about how he uses LibreSSL and LetsEncrypt, without using the heavy python client
The article provides detailed instructions on prepping the system and automating the process of updating the SSL certificates
If you’ve used the “official” letsencrypt client in the past, you’ll note some differences in his method, which keeps all the ‘acme-challenge’ files in a single-directory, which is aliased into domains.
Using this method also drops the requirement to run the letsencrypt auth as root, and allows you to run it as the unprivileged “letsencrypt” user instead.
He mentions that the bash/zsh scripts used may be added to ports at some point as well ***

Interview - Ken Moore & Kris Moore - ken@pcbsd.org / @pcbsdkris

PC-BSD’s new SysAdm Project and Lumina Update ***

News Roundup

DragonFly Intel i915 support to match what’s in the Linux 4.1 kernel

In DragonFly’s ongoing quest for DRM awesomeness, they have now merged changes to bring them up to Linux 4.1 kernel features.
Some of the notables include that “Valleyview” support is greatly improved, and not considered preliminary anymore
Skylake got some support improvements as well, including runtime power management, and that turbo and sleep states should be functional.
Some great improvements to power usage have been added, such as setting GPU frequencies to hardware minimum and enabling of DRRS (Dynamic Refresh Rate Switching) being enabled by default
They’ve even begun importing some of the prelim work for Broxton, the upcoming Atom SOC ***

FreeNAS Home Server Build

We have a nice article to share with you this week by John Ramsden, which walks us through his home-brew FreeNAS server setup.
As is typical with most home users, he will be using the system to both serve media, and as a backup target for other systems.
His hardware setup is pretty impressive for a home-brew, made up of the following:
- Fractal Design Node 804 Chassis
- Supermicro X10SL7-F Motherboard
- Xeon E3-1231 v3 CPU
- 4x Samsung DDR3 1.35v-1600 M391B1G73QH0 RAM
- 2x 32GB SATA III SMC DOM Boot Drive
- SeaSonic G-550 Power Supply
- Cyberpower CP1500PFCLCD 1500VA 900W PFC UPS
- 6x Western Digital 6TB Red HDD
- 2 x ENERMAX T.B. Silence UCTB12P Case Fan
- 3x Noctua NF-P14s redux-1200 Case Fan
The SATA DOM was neat to see in use, in his case in a mirror
He then walks us through his burn-in process, which involved memory testing for 46 hours, and then disk testing with the smartctl long tests.
There is even details on how the fan thresholds were set up, which may be of use to other DiY’ers out there.
The SATA DOM was neat to see in use, in his case in a mirror
He then walks us through his burn-in process, which involved memory testing for 46 hours, and then disk testing with the smartctl long tests.
There is even details on how the fan thresholds were set up, which may be of use to other DiY’ers out there.

claviger manages your SSH authorized_keys files for you

An application to manage your SSH authorized_keys files for you
Make a list of your keys (laptop, desktop, work)
Then a list of your ssh accounts
List which keys should be present, and which should be absent
Optional setting to keep all “other” keys, such as those added by other users
Optional list of specific “other” keys to allow (does not add them, but does not remove them if they are present)
You say say ‘server2 like server1’, and it will inherit all of the settings from that server
There is a “default” server, that all others inherit ***

FreeBSD 9.2 x64 OpenVPN AD authentication with crypt

A few days back unixmen.com posted a nice tutorial walkthrough of a OpenVPN setup on FreeBSD 9.2 using Active Directory for auth
In this particular setup, FreeBSD is running the gateway / OpenVPN server, the client desktops are running Windows 7 and domain controller on Windows 2008
The setup on FreeBSD pretty straightforward, thanks to the openvpn-auth-ldap port. (Unknown why they didn’t use the package)
In addition to showing the details on how configuration was done on BSD, what makes this walkthrough nice is the addition of so many screenshots of how the windows configuration was done.
Part of the walkthrough will also detail how they created their .ovpn files for importing on the OpenVPN clients. ***

Beastie Bits

dtrace included by default in NetBSD

FOSDEM16 is approaching, get ready to follow the BSD devroom

Call for testing: Concurrent: malloc(3) calls (to speed up Firefox)

"With the PV drivers in -CURRENT, it is now possible to run OpenBSD within AWS."

PC-BSD Handbook in Spanish

Feedback/Questions

125: DevSummits, Core and the Baldwin

JT Pennington — Wed, 20 Jan 2016 08:00:00 -0500

This week on the show, we will be talking to FreeBSD developer and former core-team member John Baldwin about a variety of topics, including running a DevSummit, everything you needed or wanted to know. Coming up right now on BSDNow, the place to B...SD.

This episode was brought to you by

Headlines

FreeBSD server retired after almost 19 years

We’ve heard stories about this kind of thing before, that box that often sits under-appreciated, but refuses to die. Well the UK register has picked up on a story of a FreeBSD server finally being retired after almost 19 years of dedicated service.

“In its day, it was a reasonable machine - 200MHz Pentium, 32MB RAM, 4GB SCSI-2 drive,” Ross writes. “And up until recently, it was doing its job fine.” Of late, however the “hard drive finally started throwing errors, it was time to retire it before it gave up the ghost!” The drive's a Seagate, for those of you looking to avoid drives that can't deliver more than 19 years of error-free operations.

This system in particular had been running FreeBSD 2.2.1 over the years. Why not upgrade you ask? Ross has an answer for that:

“It was heavily firewalled and only very specific services were visible to anyone, and most only visible to our directly connected customers,” Ross told Vulture South. “By the time it was probably due for a review, things had moved so far that all the original code was so tightly bound to the operating system itself, that later versions of the OS would have (and ultimately, did) require substantial rework. While it was running and not showing any signs of stress, it was simply expedient to leave sleeping dogs lie.”

All in all, an amazing story of the longevity of a system and its operating system. Do you have a server with a similar or even greater uptime? Let us know so we can try and top this story. ***

Roundup of all the BSDs

The magazine LinuxVoice recently did a group test of a variety of “BSD Distros”.
Included in their review were Free/Open/Net/Dragon/Ghost/PC
It starts with a pretty good overview of BSD in general, its starts and the various projects / forks that spawned from it, such as FreeNAS / Junos / Playstation / PFSense / etc
The review starts with a look at OpenBSD, and the consensus reached is that it is good, but does require a bit more manual work to run as a desktop. (Most of the review focuses on desktop usage). It ends up with a solid ⅘ stars though.
Next it moves into GhostBSD, discusses it being a “Live” distro, which can optionally be installed to disk. It loses a few points for lacking a graphical package management utility, and some bugs during the installation, but still earns a respectable ⅗ stars.
Dragonfly gets the next spin and gets praise for its very-up to date video driver support and availability of the HAMMER filesystem. It also lands at ⅗ stars, partly due to the reviewer having to use the command-line for management. (Notice a trend here?)
NetBSD is up next, and gets special mention for being one of the only “distros” that doesn’t do frequent releases. However that doesn’t mean you can’t have updated packages, since the review mentions pkgsrc and pkg as both available to customize your desktop. The reviewer was slightly haunted by having to edit files in /etc by hand to do wireless, but still gives NetBSD a ⅗ overall.
Last up are FreeBSD and PC-BSD, which get a different sort of head-to-head review. FreeBSD goes first, with mention that the text-install is fairly straight-forward and most configuration will require being done by hand. However the reviewer must be getting use to the command-line at this point, because he mentions:

“This might sound cumbersome, but is actually pretty straightforward and at the end produces a finely tuned aerodynamic system that does exactly what you want it to do and nothing else.”

He does mention that FreeBSD is the ultimate DIY system, even to the point of not having the package management tools provided out of box.
PC-BSD ultimately gets a lot of love in this review, again with it being focused on desktop usage this follows. Particularly popular are all the various tools written to make PC-BSD easier to use, such as Life-Preserver, Warden, the graphical installer and more. (slight mistake though, Life-Preserver does not use rsync to backup to FreeNAS, it does ZFS replication)
In the end he rates FreeBSD ⅘ and PC-BSD a whopping 5/5 for this roundup.
While reviews may be subjective to the particular use-case being evaluated for, it is still nice to see BSD getting some press and more interest from the Linux community in general. ***

OpenBSD Laptops

Our buddy Ted Unangst has posted a nice “planning ahead” guide for those thinking of new laptops for 2016 and the upcoming OpenBSD 5.9
He starts by giving us a status update on several of the key driver components that will be in 5.9 release“5.9 will be the first release to support the graphics on Broadwell CPUs. This is anything that looks like i5-5xxx. There are a few minor quirks, but generally it works well. There’s no support for the new Skylake models, however. They’ll probably work with the VESA driver but minus suspend/resume/acceleration (just as 5.8 did with Broadwell).”
He then goes on to mention that the IWM driver works well with most of the revisions (7260, 7265, and 3160) that ship with broadwell based laptops, however the newer skylake series ships with the 8260, which is NOT yet supported.
He then goes on to list some of the more common makes and models to look for, starting with the broadwell based X1 carbons which work really well (Kris gives +++), but make sure its not the newer skylake model just yet.
The macbook gets a mention, but probably should be avoided due to broadcom wifi
The Dell XPS he mentions as a good choice for a powerful (portable) desktops ***

Significant changes from NetBSD 7.0 to 8.0

Updated to GCC 4.8.5
Imported dhcpcd and replaced rtsol and rtsold
gpt(8) utility gained the ability to resize partitions and disks, as well as change the type of a partition
OpenSSH 7.1 and OpenSSL 1.0.1q
FTP client got support for SNI for https
Imported dtrace from FreeBSD
Add syscall support
Add lockstat support ***

Interview - John Baldwin - jhb@freebsd.org / @BSDHokie

FreeBSD Kernel Debugging

News Roundup

Dragonfly Mail Agent spreads to FreeBSD and NetBSD

DMA, the Dragonfly Mail Agent is now available not only in Dragonfly’s dports, but also FreeBSD ports, and NetBSD pkgsrc
“dma is a small Mail Transport Agent (MTA), designed for home and office use. It accepts mails from locally installed Mail User Agents (MUA) and delivers the mails either locally or to a remote destination. Remote delivery includes several features like TLS/SSL support and SMTP authentication. dma is not intended as a replacement for real, big MTAs like sendmail(8) or postfix(1). Consequently, dma does not listen on port 25 for incoming connections.”
There was a project looking at importing DMA into the FreeBSD base system to replace sendmail, I wonder of the port signals that some of the blockers have been fixed ***

ZFS UEFI Support has landed!

Originally started by Eric McCorkle
Picked up by Steven Hartland
Including modularizing the existing UFS boot code, and adding ZFS boot code
General improvements to the EFI loader including using more of libstand instead of containing its own implementations of many common functions
Thanks to work by Toomas Soome, there is now a Beastie Menu as part of the EFI loader, similar to the regular loader
As soon as this was committed, I added a few lines to it to connect the ZFS BE Menu to it, thanks to all of the above, without whom my work wouldn’t be usable
It should be relatively easy to hook my GELI boot stuff in as a module, and possibly just stack the UFS and ZFS modules on top of it
I might try to redesign the non-EFI boot code to use a similar design instead of what I have now ***

How three BSD OSes compare to ten Linux Distros

After benchmarking 10 of the latest Linux distros, Phoronix took to benchmarking 3 of the big BSDs
DragonFlyBSD 4.4.1 - The latest DragonFly release with GCC 5.2.1 and the HAMMER file-system.
OpenBSD 5.8 - OpenBSD 5.8 with GCC 4.2.1 as the default compiler and FFS file-system.
PC-BSD 10.2 - Derived off FreeBSD 10.2, the defaults were the Clang 3.4.1 compiler and ZFS file-system.
In the SQLite test, PCBSD+ZFS won out over all of the Linux distros, including those that were also using ZFS
In the first compile benchmark, PCBSD came second only to Intel’s Linux distro, Clear Linux. OpenBSD can last, although it is not clear if the benchmark was just comparing the system compiler, which would be unfair to OpenBSD
In Disk transaction performance, against ZFS won the day, with PCBSD edging out the Linux distros. OpenBSD’s older ffs was hurt by the lack of soft updates, and DragonFly’s Hammer did not perform well. Although in an fsync() heavy test, safety is more important that speed
As with all benchmarks, these obviously need to be taken with a grain of salt
In some of them you can clearly see that the ‘winner’ has a much higher standard error, suggesting that the numbers are quite variable ***

OPNSense 15.7.24 Released

We are just barely into the new year and OPNSense has dropped a new release on us to play with.
This new version, 15.7.24 brings a bunch of notable changes, which includes improvements to the firewall UI and a plugin management section of the firmware page. Additionally better signature verification using PKG’s internal verification mechanisms was added for kernel and world updates.
The announcement contains the full rundown of changes, including the suricata, openvpn and ntp got package bumps as well. ***

Beastie Bits

A FreeBSD 10 Desktop How-to (A bit old, but still one of the most complete walkthroughs of a desktop FreeBSD setup from scratch)

BSD and Scale 14

Xen support enabled in OpenBSD -current

Feedback/Questions

124: Get your engine(x) started!

JT Pennington — Wed, 13 Jan 2016 08:00:00 -0500

This week on the show, we have a very full news roster to rundown, plus an oldie, but goodie with Igor of the nginx project. That plus all your questions and feedback,

iX Systems Mission Complete

Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSDJournal! ***

FreeNAS Logo Design Contest

Rules and Requirements

For those of you curious about Kris' new lighting here are the links to what he is using.

This episode was brought to you by

Headlines

Clearing the air

A number of you have written in the past few weeks asking why Allan and I didn’t talk about one of the biggest stories to make headlines last week.
Both of us are quite aware of the details surrounding the incidents between former FreeBSD developers “freebsdgirl” and “xmj”, however the news was still ongoing and we didn’t feel it right to discuss until some of the facts had time to shake out and a more clear (and calm) discussion could be had.
However, without getting into all the gory details here’s some of the key points that we want to highlight for our listeners. We each have our own thoughts on this.

Kris:

The FreeBSD that I know has been VERY open and inclusive to all who want to contribute. The saying “Shut up and code” is there for a reason. We’ve seen developers of all types, different race / gender / creed, and the one thing we all have in common is the love for BSD.
This particular incident has been linked to FreeBSD, which isn’t exactly a fair association, since the project and other members of community were not directly involved. What started out as a disagreement (over something non-BSD related) turned into an ugly slugfest all across social media and (briefly) on a BSD chatroom.
In this case after reviewing lots of the facts, I think both sides were WAY out of line, and hope they recognize that.
There has been slamming of the core team and foundation in social media, as somehow the delay / silence is an admission of wrong-doing. Nothing could be further from the truth. These are serious people doing a serious job, and much like BSD they would rather take the time to do it right instead of just going off on social media and making things worse. (Plus they all are volunteers who are spread across many different time-zones)
Also, if you hear rumors of incidents of harassment, remember that without details all those will ever be is rumors. Obviously those in the project would take any incident like that seriously, but without coming forward and sharing the details it’s impossible to take any action or make changes for the better.

Allan:

The FreeBSD community is the best group of people I have ever worked with, but that doesn’t mean that it is immune to the same problems that every other group of people faces. As much as all of us wish it didn’t, harassment and other ill-behavior does happen, and must be dealt with
The FreeBSD Core team has previously sanctioned committers and revoked commit bits for things that happened entirely offline and outside of the FreeBSD community. Part of being a committer is representing the project in everything that you do, so anything you do that reflects badly upon the project is grounds for your removal
There was something written about this in the project documentation somewhere (that I can not find for the live of me), specifically about the prestige that comes with (or used to) an @freebsd.org account, and how new members of the community need to keep that in mind as they work to earn, and keep, a commit bit
In this specific situation, I am not sure what core did exactly, we’ll have to wait for their report to find out, but I am not sure what more they could have done.
“Individual members of core have the power to temporarily suspend commit privileges until core as a whole has the chance to review the issue. Only a 2/3 majority of core has the authority to suspend commit privileges for longer than a week or to remove them permanently. Core's “special powers” only kick in when it acts as a group, not on an individual basis. As individuals, the core team members are all committers first and core second”
So, an individual member of core can revoke the commit bit of someone who is reported to have acted in a manner not conducive with the rules, but I don’t know how that would have made a difference in this case.
The only point from Randi’s list of 10 things the project should change that I do not think is possible is #6. As stated in the “Committers' Big List of Rules” that I quoted earlier, the core team can only take action after they have had time for everyone to review and discuss a matter, and then vote on it.
The core team is made up of 9 people with other responsibilities and commitments. Further, they are currently spread across 6 different countries, and 6 different times zones (even the countries and time zones do not line up).
We eagerly await Cores report on this matter, and more importantly, Core and the Foundation's work to come up with a better framework and response policy to deal with such situations in the future.
The important thing is to ensure that incident reports are properly handled, so that those reporting issues feel safe in doing so
While we hope there is never another incident of harassment in the FreeBSD community, the realities of the world we live in mean we need to be ready to deal with it ***

Dan Langille discussing his rig

Pictures of Dan Langille's Home Lab
Ever read FreeBSD Diary? How about used FreshPorts or FreshSource? Gone to BSDCan? If so you may be interested in seeing exactly where those sites are served from.
Dan Langille posts to reddit with information about his home lab, with the obligatory pictures to back it up
As most good home racks do, this one starts at Home Depot and ends up with a variety of systems and hardware living on it.
All in all an impressive rig and nice job wiring
(I wonder what that ASUS RT‑N66U is doing, if it’s running FreeBSD or just an access point??)
Reminder: Get your BSDCan talk proposal submitted before the deadline, January 19th ***

Pre-5.9 pledge(2) update

Theo gives us a status update on pledge() for pre OpenBSD 5.9“For the next upcoming release, we will disable the 'paths' argument.Reasoning: We have been very busy making as much of the tree set thepromises right in applications, and building a few new promises aswell. We simply don't have enough time to review the kernel code andmake sure it is bug-free. We'll use the next 6 months developmentcycle to decide on paths, and then re-audit the tree to use theinterface where it is suitable. The base tree (/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/games)contains 652 ELF binaries. 451 use pledge. 201 do not. Approximately47 do not need or cannot use pledge. Leaving 154 we could potentiallypledge in the future. Most of those are not very important. Thereare a few hot spots, but most of what people use has been handled wellby the team.“

Chromium: now with OpenBSD pledge(2)

In addition to the pledge news, we also have a story about the Chromium browser being converted to use pledge on OpenBSD.“The renderer, gpu, plugin and utility processes are now using pledge(2)Unfortunately the GPU process only requires an rpath pledge because ofMesa trying to parse two configuration files, /etc/drirc and ${HOME}/.drircSo currently the GPU process will use an rpath pledge in the nextweek or so so that people can test, but this situation has to beresolved because it is not acceptable that a mostly unused configurationfile is being parsed from a library and that stops us from using lesspledges and thus disallowing the GPU process to have read accessto the filesystem ... like your ssh keys.” UPDATE: the rpath pledge has been removed.
***

iXsystems

https://forums.freenas.org/index.php?threads/freenas-logo-design-contest.39968/

Interview - Igor Sysoev - igor@sysoev.ru / @isysoev

NGINX and FreeBSD

News Roundup

FreeBSD on EdgeRouter Lite - no serial port required

A few years back there was a neat story on how to setup FreeBSD on the EdgeRouter-Lite
This last week we get to revisit this, as Colin Percival posts a script, and a very detailed walkthrough of using it to generate your own custom image which does NOT require hooking up a serial cable.
Currently the script only works on -CURRENT, but may work later for 10.3
The script is pretty complete, does the buildworld and creation of a USB image for you. It also does a basic firewall configuration and even growfs for expanding to the full-size of your USB media.
Using the ‘firstboot’ keyword, an rc.d script does all the initial configuration allowing you access to the system
If you have one, or are looking at switching to a FreeBSD based router, do yourself a favor and take a look at this article. ***

John Marino reaches out to the community for testing of Synth, a new custom package repo builder

A hybrid of poudriere and portmaster/portupgrade
Uses your regular ports tree and your running system, but built builds packages faster, the poudriere way
Requires no setup, no downloading or building reference versions of the OS, no checking out yet another copy of the ports tree
In the future may have support for using binary packages for dependencies, build only the apps you actually want to customize
Looks very promising ***

OpenBSD malloc finds use-after-free in Android OS

Score one for OpenBSD’s rigorous security and attention to detail. We have an interesting commit / comment from Android
It looks like this particular mistake was found in the uncrypt routines, in particular the using of a variable memory which had already gone out of scope.
Through the usage of OpenBSD’s malloc junk filling feature, the developers were able to identify and correct the issue.
Maybe there is a case to be made that this be used more widely, especially during testing? ***

Netflix's async sendfile now in FreeBSD-current

We have some slides presented by Gleb Smirnoff at last years FreeBSD storage summit, talking about changes to sendfile made by Netflix.
It starts off with a bit of history, showing the misery of life without sendfile(2) back in FreeBSD 1.0, specifically the ftpd daemon.
Then in 1997 that all changed, HP-UX 11.00 grew the sendfile function, and FreeBSD 3.0 / Linux 2.2 added it in ‘98
The slides then go into other details, on how the first implementations would map the userland cycle into the kernel. Then in 2004 the SF_NODISKIO flag was added, followed by changes in 2006 and 2013 to using sbspace() bytes and sending shared memory descriptor data respectively.
The idea is that instead of the web server waiting for the send to complete, it calls sendfile then goes about its other work, then it gets a notification when the work is done, and finishes up any of the request handling, like logging how many bytes were sent
The new sendfile implementation took the maximum load of an older netflix box from 25 gigabits/sec to 35 gigabits/sec
Separately, Netflix has also done work on implementing a TLS version of sendfile(), to streamline the process of sending encrypted data
There is still a todo list, including making sendfile() play nice with ZFS. Currently files sent via sendfile from ZFS are stored in memory twice, once in the ARC, and once in the buffer cache that sendfile uses ***

Beastie Bits

Feedback/Questions

Bryson - SmartOS / KVM / ZFS
Samba 1969
DO / VPN / PF
Unstable VM / Update
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

123: ZFS in the trenches

JT Pennington — Wed, 06 Jan 2016 08:00:00 -0500

This week on BSDNow, we will be talking shop with Josh Paetzel of FreeNAS fame, hearing about his best do’s and do-nots of using ZFS in production. Also, a quick

iX Systems Mission Complete

Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! ***

FreeNAS Logo Design Contest

Rules and Requirements

For those of you curious about Kris' new lighting here are the links to what he is using.

This episode was brought to you by

Headlines

A Brief look back at 2015

As we start the show this week, we begin with a brief look back at BSD in 2015, brought to us by Larry at FOSS force.
Aside from his issue with tap-to-click on the touchpad, his PC-BSD experience has been pretty good. (Larry, if you hear this, jump on #pcbsd on FreeNode and we will lend a hand)
He mentions that this really isn’t his first time running BSD, apparently back in ye-olden days he got NetBSD up and running on a PowerBook G3, until an update brought that experience to abrupt ending.
He gives a shout-out to the FreeBSD Foundation as being a great go-to source for wrapup on the previous year in FreeBSD land, while also mentioning the great 4.4 release of DragonFly, and some of the variants, such as RetroBSD and LiteBSD
He leaves us with a tease for 2016 that work is ongoing on Twitter to port over Mopidy, a python based extensible music server ***

A look forward at BSD events throughout 2016

After a quick look back at 2015, now its time to start planning your 2016 schedule. The BSDEvents site has a calendar of all the upcoming conferences / shows where BSD will have a presence this year.
There are quite a few items on the agenda, including non BSD specific conferences, such as SCALE / Fosdem and more.
Take a look and see, you may be able to find something close your location where you can come hang out with other BSD developers.
(or better yet), if a linux conference is coming to your town, think about submitting a BSD talk!
Additionally, if getting BSD Certification is something on your 2016 resolutions, you can often take the test at one of these shows, avoiding the need to travel to a testing center. ***

The 'Hidden' Cost of Using ZFS for Your Home NAS

An article was recently posted that seems to be trying to dissuade people from using ZFS for their home NAS
It points out what experienced users already know, but many newcomers are not strictly aware of: Expanding a ZFS pool is not always as straightforward as you think it should be
ZFS was designed to be expanded, and it handled this very well
However, a ZFS pool is made up of VDEVs, and it is these VDEVs that provide the redundancy. RAID-Z VDEVs cannot be changed once they are created. You can replace each disk individually, and the VDEV will grow to its new larger size, but you cannot add additional disks to a RAID-Z VDEV
At this point, your option is to add an additional VDEV, although best practises dictate that the new VDEV should use an equal number of disks, to avoid uneven performance
So, if you started with a 6 disk RAID-Z2, having to add 6 more disks to grow the pool does seem excessive
For the best flexibility, use mirrors. If you had used 6 disks as 3 mirrors of 2 disks each, you could then just add 2 more disks at a time. The downside is that using 2TB disks, you’d only have 6TB of usable space, versus the 8TB you would get from those disks in a RAID-Z2
This is the trade-off, mirrors give you better performance and flexibility, but less space efficiency
It is important to note that the diagrams in this article make it appear as if all parity information is stored on specific drives. In ZFS parity is spread across all drives. Often times, the data written to the drive is not of a size that can evenly be split across all drives, so the data actually ends up looking like this
The errors as I see it in the original article are:
- It notes that the hidden cost of ZFS is that if you add a second RAID-Z VDEV, you will have a whole second set of parity drives. While this is a cost, it is the cost of making sure your data is safe. If you had an array with more than 12 drives, it is likely that you would to be able to withstand the failure of the larger number of drives
- The article does not consider the resilver time. If you did create a configuration with a very wide RAID-Z stripe, the failure of a disk would leave the pool degraded for a much longer time, leaving your pool at risk for that longer period.
- The article does not consider performance. Two RAID-Z2 VDEVs of 6 disks each will give much better performance than a single VDEV of 10 or 12 disks, especially when it comes to IOPS. ***

ZFS Boot Enviroments now availble in the FreeBSD bootloader

It’s been in phabricator for a while (and PC-BSD), but the support for Boot-Environments has now landed upstream in -CURRENT
This work was helped by cross-project collaboration when an IllumOS Developer, Toomas Soome, started porting the FreeBSD loader to IllumOS to replace GRUB there
This gives Beastie menu the ability to look at the ZFS disk, and dynamically list boot-environments that it finds. (Much nicer than GRUB, which required a pre-written configuration file)
This work was extended further, when Toomas Soome also ported the Beastie Menu to the UEFI loader which is now enabled by default for UEFI
All of these changes are scheduled to be merged back in time for FreeBSD 10.3 as well.
There is also a patch being worked on to support booting from ZFS in UEFI
This is exciting times for doing neat things with ZFS on root, these plus Allans forthcoming GELI support will negate the necessity for GRUB on PC-BSD for example (Kris is very happy) ***

Interview - Josh Paetzel - email@email / @bsdunix4ever

ZFS Support ***

News Roundup

RetroBSD being tested on ESP32

More hardware news for RetroBSD and LiteBSD
I don’t know much about this hardware, but there is a lot of discussion in the forum threads about it
Not sure what you are supposed to accomplish with only 400kb of ram
LITEBSD Brings 4.4BSD to PIC32
It is interesting to see these super-small boards with only 512kb of memory, but will crypto offload support
It is also interesting to see talk of 140mbps WiFi, can the processor actually handle that much traffic? BSD Unix-like OS is Resurrected for Embedded IoT Market
Related to the above stories, we also have an article about BSD making a resurgence on various Internet of things devices, which mentions both RetroBSD and LiteBSD
The article mentions that this is an exciting development for embedded vars who now have an alternative licensed open-source OS to potentially use ***

HardenedBSD’s new Binary Updater

It looks like there is now another way to update your FreeBSD(hardened) system
The post by Shawn Web, details how the new updater will work in future releases of HBSD
Right now it looks fairly straight-forward, creating both the base.txz and kernel.txz, along with some data for etcupdate
It includes a nice option for the kernel name in the update, allowing different kernels to be installed / updated at will
Everything is cryptographically signed and verified using the base system openssl
The build system is fairly simple, only requiring “sh/git/openssl” to create the binary updates
Planned features also include updating of jails, and ZFS boot-environments ***

Sometimes, processors need (BSD) love too

We have a blog post from Brian Everly, talking about his long journey into legacy processors and the plans for the future to work on better supporting them on OpenBSD ports
He begins with the story of his UNIX journey to today, and why this fostered his love for many of these old (and not so old) architectures, such as Sparc64, PPC32, i386.
This journey ended up with the purchase of some legacy hardware (ebay is your friend), and the creation of a database listing the major port blockers on each platform
This is the great kind of thing folks can do to step up and help a project, even as a weekend hobby it’s great to run some hardware and help test / fix up issues that other developers maybe don’t interact with as much anymore. ***

Beastie Bits

The standard MWL disclaimer

PC-BSD 11.0-CURRENTJAN2016 Available

NetBSD pkgsrc-2015Q3 statistics

NetBSD pkgsrc-2015Q4 released

First Reproducible builds conference in Athens

The creator of the original ThinkPad design passes away

Feedback/Questions

122: The BSD Black Box

JT Pennington — Wed, 30 Dec 2015 08:00:00 -0500

This week on the show, we will be interviewing Alex Rosenberg, to

This episode was brought to you by

iX Systems Mission Complete

Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! ***

Headlines

Life with an OpenBSD Laptop: A UNIX-lover's tale of migrating away from the Mac. The Good, The Bad, The Ugly

OpenBSD user Isaac (.ike) Levy details his switch from a Mac to an OpenBSD laptop
He covers a bit about selecting hardware and dealing with wifi
Talks about binary packages and system upgrades
Talks about power management, suspend/resume, battery life
Show screenshots of some of his favourite window managers
Browsers and email clients are also discussed
Things he found missing in OpenBSD:
- A journaling file system, every unclean shutdown means a full fsck(1)
- UTF-8/unicode was not everywhere
- Syncing pictures and contacts to his phone
- Drawing tools ***

DragonFlyBSD matches its Intel kernel graphics driver against Linux 4.0

The DragonFlyBSD DRM stack continues to rapidly advance, now bringing in support from Linux 4.0!
Some of the notable features:
Basic Skylake support
- Panel Self-Refresh (PSR) now supported on Valleyview and Cherryview
- Preparations for atomic display updates
- Performance improvements on various GPU families, including Cherryview, Broadwell and Haswell
- GPU frequencies are now kept at a minimum of 450MHz when possible on Haswell and Broadwell, ensuring a minimum experience level for various types of workloads
- Improved reset support for gen3/4 GPUs, which should fix some OpenGL crashes on Core 2 and pre-2012 Atom machine
- Better sound/graphics driver synchronization for audio over hdmi support
- As usual, small bugfixes and stability improvements here and there ***

A BSD Wish List for 2016

Larry over at Foss Force brings us his wish list for BSD support in 2016.
Since he has converted most of his daily desktop usage to PC-BSD, he is specifically wanting support for some desktop applications. Namely Google hangouts and Spotify.
This is something which has come up periodically among the PC-BSD community. At the moment most users are dual-booting or using alternatives, like WebRTC. However the Google Hangouts plugin is available for Linux, and perhaps this will encourage some developers to see if we can get it running with the newer Linux stack on -CURRENT.
Spotify also has a native Linux version, which may need testing on FreeBSD - CURRENT. It may be closer now, and should be updated on the Wanted Ports Page
https://wiki.freebsd.org/WantedPorts ***

Hard Float API coming soon by default to armv6

Warner Losh talks about upcoming changes to armv6 on FreeBSD
“All the CPUs that FreeBSD supports have hard floating point in them. We've supported hard float for quite some time in the FreeBSD kernel. However, by default, we still use a soft-float ABI.”
First, “A new armv6hf (architecture) was created, but that caused some issues with some ports, and the meaning of 'soft float' sadly was ambiguous between the soft-float ABI, and the soft-float libraries that implement floating point when there's no hardware FPU”
“Over the spring and summer, I fixed ld.so so that it can load both soft ABI and hard ABI libraries on the same system, depending on markings in the binaries themselves. Soft float ABI and hard float ABI binaries have different flags in the ELF headers, so it is relatively straightforward to know which is which.”
“So, in the coming days, I'll commit the first set of changes to move to armv6 as a hard float ABI by default. The kernel doesn't care: it can execute both. The new ld.so will allow you to transition through this change by allowing old, compat soft ABI libraries to co-exist on the system with new hard ABI libraries. This change alone isn't enough, but it will be good to get it out into circulation.”
“armv6hf will be removed before FreeBSD 11”
A LIBSOFT will be created, similar in concept to the LIB32 available on AMD64 ***

Interview - Alex Rosenberg - alexr@leftfield.org / @alexr

Former Manager of Platform Architecture at Sony ***

Beastie Bits

Feedback/Questions

121: All your hyves are belong to us

JT Pennington — Wed, 23 Dec 2015 08:00:00 -0500

This week on the show, we are going to be talking to Trent Thompson,

This episode was brought to you by

iX Systems Mission Complete

Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! ***

Headlines

Review: Guarding the gates with OpenBSD 5.8

Jesse Smith over at DistroWatch treats us this week to a nice review of OpenBSD 5.8, which may be a good introduction for the uninitiated to learn more+ He first walks through some of the various highlights of 5.8, and spends time introducing the reader to a number of the projects that originate from OpenBSD, such as LibreSSL, OpenSSH, doas, the new “file” implementation and W^X support on i386.
The article then walks through his impressions of performing a fresh install of 5.8, and then getting up and running in X.
He mentions that you may want to check the installation defaults, since on his 8GB VM disk, it didn’t leave enough room for packages on the /usr partition.
It also includes a nice heads-up for new users about using the pkg_add command, and where / how you can set the initial repository mirror address.
The “doas” command was also praised:“I found I very much appreciated the doas command, its documentation and configuration file. The doas configuration file is much easier to read than sudo's and the available options are well explained. The doas command allowed me to assign root access to a user given the proper password and doas worked as advertised.”
A glowing summary as well:“OpenBSD may be very secure, but I think what sets the operating system apart are its documentation and clean system design. It is so easy to find things and understand the configuration of an OpenBSD system. The file system is organized in a clean and orderly manner. It always takes me a while to get accustomed to using OpenBSD, as for me it is a rare occurrence, but once I get settled in I like how straight forward everything is. I can usually find and configure anything on the system without referring to external documents or searching for answers on-line and that is quite an accomplishment for an operating system where virtually everything is done from the command line. “ ***

OpenBSD Hackathon Reports

Alexander Bluhm: multiprocessor networking
“The next step, we are currently working on, is to remove the big kernel lock from forwarding and routing. mpi@ has been doing this for a long time, but some corner cases were still left. I have written a regression test for handling ARP packets to show that all cases including proxy ARP are still working. Another thing that may happen with lock-free routing is that the interface is destroyed on one CPU while another CPU is working with a route to that interface. We finally got this resolved. The code that destroys the interface has to wait until all routes don't use this interface anymore. I moved the sleep before the destruction of the interface is started, so that the routes can always operate on a completely valid interface structure.”
Vincent Gross: ifa_ifwithaddr()
Vincent worked on the function that finds the interface with the specified address, which is used to tell if the machine is the intended recipient of an incoming packet. A number of corner cases existed with broadcast addresses, especially if two interfaces were in the same subnet. This code was moved to the new in_broadcast()
Ken Westerback: fdisk, installbot, and dhclient
Reyk Floeter: Hosting a hackathon, vmd, vmctl
“When I heard that Martin Pieuchot (mpi@) was looking for a place to hold another mini-hackathon for three to four people to work on multiprocessor (MP) enhancements of the network stack, I offered to come to our work place in Hannover, Northern Germany. We have space, gear, fast Internet and it is easy to reach for the involved people. Little did I know that it would quickly turn into n2k15, a network hackathon with 20 attendees from all over the world”
“If you ever hosted such an event or a party for many guests, you will know the dilemma of the host: you’re constantly concerned about your guests enjoying it, you have to take care about many trivial things, other things will break, and you get little to no time to attend or even enjoy it yourself. Fortunately, I had very experienced and welcomed guests: only one vintage table and a vase broke – the table can be fixed – and I even found some time for hacking myself.”
Martin Pieuchot: MP networking
“ We found two kind of MP bugs! There are MP bugs that you fix without even understanding them, and there are MP bugs that you understand but can't fix”
Stefan Sperling: initial 802.11n support ***

Hacking the PS4

As a followup to the story last week about the PS4 being “jailbroken”, we have a link to further information about how far this project has come along
This article also provides some great background information about whats running under the hood of your PS4, including FreeBSD 9, Mono VM and WebKit, with WebKit being the primary point of entry to jailbreak the box.
One particular point of interest, was the revelation that early firmware versions did not include ASLR, but it appears ASLR was added sometime around firmware 1.70. (Wonder if they used HardenedBSD’s implementation), and how they can bypass it entirely. “Luckily for us, we aren't limited to just writing static ROP chains. We can use JavaScript to read the modules table, which will tell us the base addresses of all loaded modules. Using these bases, we can then calculate the addresses of all our gadgets before we trigger ROP execution, bypassing ASLR.“
The article also mentions that they can prove that jails are used in some fashion, and provides examples of how they can browse the file system and dump a module list.
The kernel exploit in question is SA-15:21 from August of this year. The jailbreaking appears to be against an older version of PS4 firmware that did not include this patch ***

Nokia and ARM leading the charge to implement better TCP/IP as part of the 5G standard

“Many believe that a critical success factor for 5G will be a fully revamped TCP/IP stack, optimized for the massively varied use cases of the next mobile generation, for cloud services, and for virtualization and software-defined networking (SDN). This is the goal of the new OpenFastPath (OFP) Foundation, founded by Nokia Networks, ARM and industrial IT services player Enea. This aims to create an open source TCP/IP stack which can accelerate the move towards SDN in carrier and enterprise networks. Other sign-ups include AMD, Cavium, Freescale, Hewlett Packard Enterprise and the ARM-associated open source initiative, Linaro.”
“The new fast-path TCP/IP stack will be based on the open source FreeBSD operating system”
The general idea is to have a fast, open source, user space networking stack, based on the FreeBSD stack
with an “optimised callback-based zero-copy socket API” to keep packet processing in user-space as far as possible
It will be interesting to see a little bit more FreeBSD getting into every mobile and cloud based device. ***

Interview - Trent Thompson - [trentnthompson@gmail.com](trentnthompson@gmail.com) / @pr1ntf

iohyve ***

News Roundup

First cut of the FreeBSD modularized TCP stack

FreeBSD now has more than one TCP stack, and better yet, you can use more than one at once
Each socket pcb is associated with a stack, and it is possible to select a non-default stack with a socket option, so you can make a specific application use an experimental stack, while still defaulting to the known-good stack
This should lead to a lot of interesting development and testing, without the level of risk usually associated with modifying the TCP stack
The first new module available is ‘fastpath’, which may relate to the Nokia story earlier in the show
There are also plans to support changing TCP stacks after establish a session, which might land as early as January ***

Faces of FreeBSD : Erin Clark

In this edition of “Faces of FreeBSD” the FreeBSD foundation gives us an introduction to Erin Clark, of our very own iXsystems!
Her journey to the BSD family may sound similar to a lot of ours. She first began using Linux / Slackware in the early 2000’s, but in 2009 a friend introduced her to FreeBSD and the rest, as they say, is history.
“I use FreeBSD because it is very solid and secure and has a great selection of open source software that can be used with it from the ports collection. I have always appreciated FreeBSD’s networking stack because it makes a great router or network appliance. FreeBSD’s use of the ZFS file system is also very nice - ZFS snapshots definitely saved me a few times. I also like that FreeBSD is very well documented; almost everything you need to know about working with FreeBSD can be found in the FreeBSD Handbook.”
Originally a sys admin at iXsystems, where she helped managed PC-BSD desktops among others, now she works on the FreeNAS project as a developer for the CLI interface functionality. ***

New Olimex board runs Unix

Looking for some small / embedded gear to mess around with? The Olimex folks have a new Pic32 system now available which runs “RetroBSD”
“The current target is Microchip PIC32 microcontroller with 128 kbytes of RAM and 512 kbytes of Flash. PIC32 processor has MIPS M4K architecture, executable data memory and flexible RAM partitioning between user and kernel modes.”
RetroBSD isn’t something we’ve covered extensively here on BSDNow, so to bring you up to speed, it is a port of 2.11 BSD
Their website lists the following features of this 2.11 refresh:“
Small resource requirements. RetroBSD needs only 128 kbytes of RAM to be up and running user applications.
Memory protection. Kernel memory is fully protected from user application using hardware mechanisms.
Open functionality. Usually, user application is fixed in Flash memory - but in case of RetroBSD, any number of applications could be placed into SD card, and run as required.
Real multitasking. Standard POSIX API is implemented (fork, exec, wait4 etc).
Development system on-board. It is possible to have C compiler in the system, and to recompile the user application (or the whole operating system) when needed.“
For those looking into BSD history, or wanting something small and exotic to play with this may fit the bill nicely. ***

OpenSource.com reviews PCBSD

Joshua over at opensource.com writes up a review of PC-BSD (10.2 we assume)
Some of the highlights mentioned, include the easy to use graphical installer, but he does mention we should update the sorting of languages. (Good idea!)
Along with including nice screenshots, it also covers the availability of various DE’s / WM’s, and talks a fair amount about the AppCafe and Control Panel utilities.
“Thanks to being featured on PC-BSD's desktop, the PC-BSD Handbook is easily located by even the most novice user. There is no need to search through the system's installed applications for a manual, or relying solely on the help documentation for individual components. While not comprehensive, PC-BSD's handbook does a good job as striking a balance between concise and thorough. It contains enough information to help and provides detailed instructions for the topics it covers, but it avoids providing so much information that it overwhelms” ***

BeastieBits

Gandi introduces support for FreeBSD on their IaaS platform, with both ZFS and UFS based images available

Funny commit message from the Linux kernel

FreeBSD Journal, Nov/Dec 2015

Feedback/Questions

120: I’m talking about the man in the middle

JT Pennington — Wed, 16 Dec 2015 08:00:00 -0500

This week on BSDNow, we are going to be talking to Pawel about how his

This episode was brought to you by

iX Systems Mission Complete

Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! ***

Headlines

Note the recent passing of 2 members of the BSD community

NGINX as Reverse Proxy for Apache on FreeBSD 10.2

A tutorial on setting up NGINX as a reverse proxy for Apache
Sometimes your users or application require some feature of Apache, that cannot be easily replicated in NGINX, like .htaccess files or a custom apache module
In addition, because the default worker model in Apache does not accept new work until it is finished sending the request, a user with a slow connection can tie down that worker for a long time
With NGINX as a reverse proxy, it will receive the data from the Apache worker over localhost, freeing that worker to answer the next request, while NGINX takes care of sending the data to the user
The tutorial walks through the setup, which is very easy on modern FreeBSD
One could also add mod_rpaf2 to the Apache, to securely pass through the users’ real IP address for use by Apache’s logging and the PHP scripts ***

FreeBSD and FreeNAS in Business by Randy Westlund

The story of how a Tent & Awning company switched from managing orders with paper, to a computerized system backed by a FreeNAS
“At first, I looked at off-the-shelf solutions. I found a number of cloud services that were like Dropbox, but with some generic management stuff layered on top. Not only did these all feel like a poor solution, they were very expensive. If the provider were to go out of business, what would happen to my dad’s company?”
“Fortunately, sourcing the hardware and setting up the OS was the easiest part; I talked to iXsystems. I ordered a FreeNAS Mini and a nice workstation tower”
“I have r2d2 (the tower, which hosts the database) replicating ZFS snapshots to c3po (the FreeNAS mini), and the data is backed up off-site regularly. This data is absolutely mission-critical, so I can’t take any risks. I’m glad I have ZFS on my side.”
“I replaced Dropbox with Samba on c3po, and the Windows machines in the office now store important data on the NAS, rather than their local drives.”
“I also replaced their router with an APU board running pfSense and replaced their PPTP VPN with OpenVPN and certificate authorization.”
“FreeBSD (in three different incarnations) helped me focus on improving the company’s workflow without spending much time on the OS. And now there’s an awning company that is, in a very real sense, powered by FreeBSD.” ***

Tutorial, Windows running under bhyve

With the recent passing of the world’s foremost expert on running Windows under bhyve on FreeBSD, this tutorial will help you get up to speed
“The secret sauce to getting Windows running under bhyve is the new UEFI support. This is pretty great news, because when you utilize UEFI in bhyve, you don't have to load the operating system in bhyveload or grub-bhyve first.”
The author works on iohyve, and wanted to migrate away from VirtualBox, the only thing stopping that was support for Windows Guests
iohyve now has support for managing Windows VMs
The tutorial uses a script to extract the Windows Server 2008 ISO and set up AutoUnattend.xml to handle the installation of Windows, including setting the default administrator password, this is required because there is no graphical console yet
The AutoUnattended setup also includes setting the IP address, laying out the partitions, and configuring the serial console
A second script is then used to make a new ISO with the modifications
The user is directed to fetch the UEFI firmware and some other bits
Then iohyve is used to create the Windows VM
The first boot uses the newly created ISO to install Windows Server 2008
Subsequent boots start Windows directly from the virtual disk
Remote Desktop is enabled, so the user can manage the Windows Server graphically, using FreeRDP or a Windows client
iohyve can then be used to take snapshots of the machine, and clone it ***

BSD Router Project has released 1.58

The BSD Router project has announced the release of version 1.58 with some notable new features
Update to FreeBSD 10.2-RELEASE-p8
Disabled some Chelsio Nic features not used by a router
Added new easy installation helper option, use with “system install ”
Added the debugging symbols for userland
Includes the iperf package, and flashrom package, which allows updating system BIOS on supported boxes
IMPORTANT: Corrects an important UFS label bug introduced on 1.57. If you are running 1.57, you will need to fetch their fixlabel.sh script before upgrading to 1.58 ***

OPNsense 15.7.22 Released

An update to OPNsense has landed this week which includes the important updates to OpenSSL 1.0.2e and LibreSSL 2.2.5
A long-standing annoying bug with filter reload timeouts has finally been identified and sorted out as well, allowing the functionality to run quickly and “glitch free” again.
Some newer ports for curl (7.46), squid (3.5.12) and lighttpd (1.4.38) have also been thrown in for good measure
Some other minor UI fixes have also been included as well
With the holidays coming up, if you are still running a consumer router, this may be a good time to convert over to a OPNsense or PFsense box and get yourself ready for the new year. ***

iXsystems

iXSystems releases vCenter Web Client Plug-in for TrueNAS

Interview - Pawel Jakub Dawidek - pjd@FreeBSD.org

News Roundup

Developer claims the PS4 has been jail-broken

While not exactly a well-kept secret, the PS4’s proprietary “OrbOS” is FreeBSD based.
Using this knowledge and a Kernel exploit, developer CTurt (https://twitter.com/CTurtE/) claims he was able jailbreak a WebKit process and gain access to the system.
He has posted a small tease to GitHub, detailing some of the information gleaned from the exploit, such as PID list and root FS dump
As such with these kinds of jailbreaks, he already requested that users stop sending him requests about game piracy, but the ability to hack on / run homebrew apps on the PS4 seems intriguing ***

Sepherosa Ziehau is looking for testers if you have a em(4), emx(4), or igb(4) Intel device

DragonFly Testers wanted! Sephe has posted a request for users of the em(4), emx(4) and igb(4) intel drivers to test his latest branch and report back results
He mentions that he has tested the models 82571, 82574 and 82573 (em/emx); 82575, 82576, 82580 and i350 specifically, so if you have something different, I’m sure he would be much appreciative of the help.
It looks like the em(4) driver has been updated to 7.5.2, and igb(4) 2.4.3, and adds support for the I219-LM and I219-V NICS. ***

OpenBSD Xen Support

Filed under the “Ohh, look what’s coming soon” section, it appears that patches are starting to surface for OpenBSD Xen DOMU support.
For those who aren’t up on their Xen terminology, DomU is the unprivileged domain (I.E. Guest mode)
Right now the patch exists at the link above, and adds a new (commented out) device to the GENERIC kernel, but this gives Xen users something new to watch for updates to. ***

Thinkpad Backlit Keyboard support being worked on

Another reason why Lenovo / ThinkPads are some of the best laptops currently to use with BSD, the kettenis over at the OpenBSD project has committed a patch to enable support for the “ThinkLight”
For those who don’t know, this is the little light that helps illuminate the laptop’s keyboard under low-light situations.
While the initial patch only supports the “real-deal” ThinkLight, he does mention that support will be added soon for the others on ThinkPads
No sysctl’s to fiddle with, this works directly with the ACPI / keyboard function keys directly, nice! ***

Deadline is approaching for Submissions of Tutorial Proposals for AsiaBSDCon 2016

Call for Papers for BSDCAN 2016 now open

The next two major BSD conferences both have their CFP up right now. First up is AsiaBSDCon in Tokyo from March 10th-13th, followed by BSDCan in Ottawa, June 8th-11th.
If you are working on anything interesting in the BSD community, this is a good way to get the word out about your project, plus the conference pays for Hotel / Travel.
If you can make it to both, DO SO, you won’t regret it. Both Allan and Kris will be attending and we would look forward to meeting you. ***

iohyve lands in ports

(http://www.freshports.org/sysutils/iohyve/)

Something we’ve mentioned in passing has taken its first steps in becoming reality for users! “iohyve” has now landed in the FreeBSD ports tree
While it shares a similar name to “iocage” its not directly related, different developers and such. However it does share a very similar syntax and some principles of ZFS usage
The current version is 0.7, but it already has a rather large feature set
Among the current features are ISO Management, resource management, snapshot support (via ZFS), and support for OpenBSD, NetBSD and Linux (Using grub-bhyve port) ***

BeastieBits

hammer mount is forced noatime by default

Show your support for FreeBSD

OpenBSD running in an Amazon EC2 t2.micro

NetBSD's 2015Q4 Package freeze is coming

‘Screenshots from Developers’ that we covered previously from 2002, updated for 2015

Feedback/Questions (slexy was down when I made these, I only did 3, since the last is really long, save rest for next week)

119: There be Dragons, BSD Dragons anyway

JT Pennington — Wed, 09 Dec 2015 08:00:00 -0500

This week on BSDNow - It’s getting close to christmas and the

This episode was brought to you by

iX Systems Mission Complete

Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! ***

Headlines

n2k15 hackathon reports

tedu@ worked on rebound, malloc hardening, removing legacy code
“I don't usually get too involved with the network stack, but sometimes you find yourself at a network hackathon and have to go with the flow. With many developers working in the same area, it can be hard to find an appropriate project, but fortunately there are a few dusty corners in networking land that can be swept up without too much disturbance to others.”
“IPv6 is the future of networking. IPv6 has also been the future of networking for 20 years. As a result, a number of features have been proposed, implemented, then obsoleted, but the corresponding code never quite gets deleted. The IPsec stack has followed a somewhat similar trajectory”
“I read through various networking headers in search of features that would normally be exposed to userland, but were instead guarded by ifdef _KERNEL. This identified a number of options for setsockopt() that had been officially retired from the API, but the kernel code retained to provide ABI compatibility during a transition period. That transition occurred more than a decade ago. Binary programs from that era no longer run for many other reasons, and so we can delete support. It's only a small improvement, but it gradually reduces the amount of code that needs to be reviewed when making larger more important changes”
Ifconfig txpower got similar treatment, as no modern WiFi driver supports it
Support for Ethernet Trailers, RFC 893, enabled zero copy networking on a VAX with 512 byte hardware pages, the feature was removed even before OpenBSD was founded, but the ifconfig option was still in place
Alexandr Nedvedicky (sashan@) worked on MP-Safe PF
“I'd like to thank Reyk for hackroom and showing us a Christmas market. It was also my pleasure to meet Mr. Henning in person. Speaking of Henning, let's switch to PF hacking.”
“mpi@ came with patch (sent to priv. list only currently), which adds a new lock for PF. It's called PF big lock. The big PF lock essentially establishes a safe playground for PF hackers. The lock currently covers all pf_test() function. The pf_test() function parts will be gradually unlocked as the work will progress.
To make PF big lock safe few more details must be sorted out. The first of them is to avoid recursive calls to pf_test(). The pf_test() could get entered recursively, when packet hits block rule with return-* action. This is no longer the case as ip*_send() functions got introduced (committed change has been discussed privately). Packets sent on behalf of kernel are dispatched using softnet task queue now. We still have to sort out pf_route*() functions. The other thing we need to sort out with respect to PF big lock is reference counting for statekey, which gets attached to mbuf. Patch has been sent to hackers, waiting for OK too. The plan is to commit reference counting sometimes next year after CVS will be unlocked. There is one more patch at tech@ waiting for OK. It brings OpenBSD and Solaris PF closer to each other by one tiny little step.” ***

ACM Queue: Challenges of Memory Management on Modern NUMA System

“Modern server-class systems are typically built as several multicore chips put together in a single system. Each chip has a local DRAM (dynamic random-access memory) module; together they are referred to as a node. Nodes are connected via a high-speed interconnect, and the system is fully coherent. This means that, transparently to the programmer, a core can issue requests to its node's local memory as well as to the memories of other nodes. The key distinction is that remote requests will take longer, because they are subject to longer wire delays and may have to jump several hops as they traverse the interconnect. The latency of memory-access times is hence non-uniform, because it depends on where the request originates and where it is destined to go. Such systems are referred to as NUMA (non-uniform memory access).”
So, depending what core a program is running on, it will have different throughput and latency to specific banks of memory. Therefore, it is usually optimal to try to allocate memory from the bank of ram connected to the CPU that the program is running on, and to keep that program running on that same CPU, rather than moving it around
There are a number of different NUMA strategies, including:
Fixed, memory is always allocated from a specific bank of memory
First Touch, which means that memory is allocated from the bank connected to the CPU that the application is running on when it requests the memory, which can increase performance if the application remains on that same CPU, and the load is balanced optimally
Round Robin or Interleave, where memory is allocated evenly, each allocation coming from the next bank of memory so that all banks are used. This method can provide more uniform performance, because it ensures that all memory accesses have the same change to be local vs remote. If even performance is required, this method can be better than something more focused on locality, but that might fail and result in remote access
AutoNUMA, A kernel task routinely iterates through the allocated memory of each process and tallies the number of memory pages on each node for that process. It also clears the present bit on the pages, which will force the CPU to stop and enter the page-fault handler when the page is next accessed. In the page-fault handler it records which node and thread is trying to access the page before setting the present bit and allowing execution to continue. Pages that are accessed from remote nodes are put into a queue to be migrated to that node. After a page has already been migrated once, though, future migrations require two recorded accesses from a remote node, which is designed to prevent excessive migrations (known as page bouncing).
The paper also introduces a new strategy:
Carrefour is a memory-placement algorithm for NUMA systems that focuses on traffic management: placing memory so as to minimize congestion on interconnect links or memory controllers. Trying to strike a balance between locality, and ensuring that the interconnect between a specific pair of CPUs does not become congested, which can make remote accesses even slower
Carrefour uses three primary techniques:
Memory collocation, Moving memory to a different node so that accesses will likely be local.
Replication, Copying memory to several nodes so that threads from each node can access it locally (useful for read-only and read-mostly data).
Interleaving, Moving memory such that it is distributed evenly among all nodes.
FreeBSD is slowly gaining NUMA capabilities, and currently supports: fixed, round-robin, first-touch. Additionally, it also supports fixed-rr, and first-touch-rr, where if the memory allocation fails, because the fixed domain or first-touch domain is full, it falls back to round-robin.
For more information, see numa(4) and numa_setaffinity(2) on 11-CURRENT ***

Is that Linux? No it is PC-BSD

Larry Cafiero continues to make some news about his switch to PC-BSD from Linux. This time in an blog post titled “Is that Linux? No, its PC-BSD” he describes an experience out and about where he was asked what is running on his laptop, and was unable for the first time in 9 years to answer, it’s Linux.
The blog then goes on to mention his experience up to now running PC-BSD, how the learning curve was fairly easy coming from a Linux background.
He mentions that he has noticed an uptick in performance on the system, no specific benchmarks but this “Linux was fast enough on this machine. But in street racing parlance, with PC-BSD I’m burning rubber in all four gears.”
The only major nits he mentions is having trouble getting a font to switch in FireFox, and not knowing how to enable GRUB quiet mode. (I’ll have to add a knob back for that) ***

Dual booting OS X and OpenBSD with full disk encryption

New GPT and UEFI support allow OpenBSD to co-exist with Mac OS X without the need for Boot Camp Assistant or Hybrid MBRs
This tutorial walks the read through the steps of installing OpenBSD side-by-side with Mac OS X
First the HFS+ partition is shrunk to make room for a new OpenBSD partition
Then the OpenBSD installer is run, and the available free space is setup as an encrypted softraid
The OpenBSD installer will add itself to the EFI partition
Rename the boot loader installed by OpenBSD and replace it with rEFInd, so you will get a boot menu allowing you to select between OpenBSD and OS X ***

Interview - Paul Goyette - pgoyette@netbsd.org

NetBSD Testing and Modularity ***

iXsystems

iXsystems Wins Press and Industry Analyst Accolades in Best in Biz Awards 2015 ***

News Roundup

HOWTO: L2TP/IPSec with OpenBSD

*BSD contributor Sevan Janiyan provides an update on setting up a road-warrior VPN
This first article walks through setting up the OpenBSD server side, and followup articles will cover configuring various client systems to connect to it
The previous tutorial on this configuration is from 2012, and things have improved greatly since then, and is much easier to set up now
The tutorial includes PF rules, npppd configuration, and how to enable isakmpd and ipsec
L2TP/IPSec is chosen because most operating systems, including Windows, OS X, iOS, and Android, include a native L2TP client, rather than requiring some additional software to be installed ***

DragonFly 4.4 Released

DragonFly BSD has made its 4.4 release official this week!
A lot of big changes, but some of the highlights
- Radeon / i915 DRM support for up to Linux Kernel 3.18
- Proper collation support for named locales, shared back to FreeBSD 11-CURRENT
- Regex Support using TRE “As a consequence of the locale upgrades, the original regex library had to be forced into POSIX (single-byte) mode always. The support for multi-byte characters just wasn't there. ” …. “TRE is faster, more capable, and supports multibyte characters, so it's a nice addition to this release.”
- Other noteworthy, iwm(4) driver, CPU power-saving improvements, import ipfw from FreeBSD (named ipfw3)
An interesting tidbit is switching to the Gold linker ***

Guide to install Ajenti on Nginx with SSL on FreeBSD 10.2

Looking for a webmin-like interface to control your FreeBSD box? Enter Ajenti, and today we have a walkthrough posted on how to get it setup on a FreeBSD 10.2 system.
The walkthrough is mostly straightforward, you’ll need a FreeBSD box with root, and will need to install several packages / ports initially.
Because there is no native package (yet), it guides you through using python’s PIP installer to fetch and get Ajenti running.
The author links to some pre-built rc.d scripts and other helpful config files on GitHub, which will further assist in the process of making it run on FreeBSD.
Ajenti by itself may not be the best to serve publically, so it also provides instructions on how to protect the connection by serving it through nginx / SSL, a must-have if you plan on using this over unsecure networks. ***

BSDCan 2016 CFP is up!

BSDCan is the biggest North American BSD conference, and my personal favourite
The call for papers is now out, and I would like to see more first-time submitters this year
If you do anything interesting with or on a BSD, please write a proposal
Are the machines you run BSD on bigger or smaller than what most people have? Tell us about it
Are you running a big farm that does something interesting?
Is your university research using BSD?
Do you have an idea for a great new subsystem or utility?
Have you suffered through some horrible ordeal? Make sure the rest of us know the best way out when it happens to us.
Did you build a radar that runs NetBSD? A telescope controlled by FreeBSD?
Have you run an ISP at the north pole using Jails?
Do you run a usergroup and have tips to share?
Have you combined the features and tools of a BSD in a new and interesting way?
Don’t have a talk to give? Teach a tutorial!
The conference will arrange your air travel and hotel, and you’ll get to spend a few great days with the best community on earth
Michael W. Lucas’s post about the 2015 proposals and rejections ***

Beastie Bits

Feedback/Questions

118: BSD is go for Launch

JT Pennington — Wed, 02 Dec 2015 08:00:00 -0500

Coming up on BSDNow - We know init systems have been all the rage

This episode was brought to you by

iX Systems Mission Complete

Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! ***

Headlines

Interview with Renato Westphal

An interview with Brazilian OpenBSD developer Renato Westphal
He describes how he first got into OpenBSD, working on a University-Industry partnership program and looking to deploy LDP (Label Distribution Protocol) for MPLS.
He ported OpenBSDs ldpd(8) to Linux, but then contributed his bug fixes and improvements back to OpenBSD
When asked if he was motivated to replace closed-source router implementations with OpenBSD: “Well, I don't administer any network, I work full time as a programmer. I have some friends however that succeeded replacing closed vendor solutions with OpenBSD boxes and that for sure motivates me to keep doing what I'm doing. My biggest motivation, however, is the challenge of resolving complex problems writing trivially simple code that is both secure and efficient.”
They also go on to discuss some of the interesting features of EIGRP, and developing eigrpd(8)
What do you think is missing from routing in OpenBSD: “Implementing new features and protocols while they are in their draft stage in IETF. I'd like to see OpenBSD as the reference platform for the development of new routing and networking technologies in general” ***

Let’s Encrypt on a FreeBSD NGINX reverse proxy

We have a neat guide/story today on how to setup the “Let’s Encrypt” certificates on a FreeBSD / nginx reverse proxy
Backstory: For those who don’t know, “Let’s Encrypt” (https://letsencrypt.org) is a new Certificate Authority, which will allow you to create free and automated certificates.
They have been in closed beta for several months now, and will be opening to a public beta Dec 3rd (tomorrow)
This guide is particularly timely, since by the time most of you are watching this episode, the public beta will be up and running.
Most of the instructions are fairly straight-forward. She starts by installing the lets-encrypt package from ports/pkg and modifying her nginx with a ‘catch-all’ vhost that re-directs traffic to the https versions of a site.
With that done, the certificate creation is just a few commands to get started, in which she shows creating a cert for multiple domains
As a bonus! She includes a nice renewal script which can be run from cron. It will monitor the certs daily, and renew it when it’s 14 days from expiring, or throw an error for somebody to look at. ***

Mike Larkins OpenBSD vmm subsystem now in tree

An openBSD native hypervisor has taken another step closer to reality, with Mike Larkin pushing the initial bits of “vmm” into the base kernel/world
He mentions in the commit message that it still needs a lot of work, and as such is disabled by default.
However for the adventurous among you, it can be turned on and tested
Right now there is no BIOS, and as such it can only be used to boot other OpenBSD instances, although he mentions other BSD’s could be supported fairly quickly (He did a 1 hour port to bootstrap NetBSD)
No big documentation expected for this release, since there is so much ongoing churn. Take a look at the man page for details on getting started. ***

The story of how Yahoo switched to FreeBSD

Yahoo originally started running on SunOS, but quickly found it not able to cope with the high frequency of HTTP requests
“Having spend many frustrating hours trying to install other PC OS's, I was a bit skeptical. I had no intention of spending three days trying to install yet another one. To my surprise I went to the FreeBSD Web site, downloaded the floppy boot image, booted a PC with the created floppy, answered a few install questions, and a few minutes later FreeBSD was installing over the Net. The real surprise was when I came back later to a fully configured system that actually worked.”
“If anything had gone wrong with that install it would likely been the end of that trial. Luckily for us that it was the easiest and most painless OS installs I had ever experienced.”
Just that easily, Yahoo might never have ended up on FreeBSD
“A couple of days later we added a FreeBSD box to our cluster of Web servers. Not only did it out-perform the rest of our machines, but it was more stable.”
From my understanding of stories told over dinner, Yahoo had a few very important perl scripts, and they tended to crash on Linux, but kept running without issue on FreeBSD
Related hackernews thread ***

iXsystems

iXsystem's recap of LISA 2015 ***

Interview - Mark Heily - mark@heily.com / @MarkHeily

relaunchd ***

News Roundup

Inline Intrusion Prevision System is an upcoming OPNSense Feature

The next OPNSense release, 16.1 is around the corner and today we have a sneak peek at their new Inline Intrusion Prevention system
Suricata working with Netmap 2.1 enabled version, which allows Deep Packet Inspection of traffic. Such as looking at each packet individually and only blocking specific ones. They use the example of blocking Warcraft (oh noes!)
Enabling this feature is just a simple mouse-click away, and various default rules are included as part of the Emerging Threats Community rules. ***

Matthew Dillion working on Hardlinks in Hammer2

We have an interesting commit from Matthew Dillon for Hammer2, specifically targeted at hard-links
The backstory he gives us: “The H2 design has had a long-standing problem of losing track of hardlinks when intermediate directories are renamed, breaking the common-parent-directory design for the inode target.”
The implemented fix was one which instead places the hardlink target in the first common parent directory, which is marked with “xlink” via chflag
If no parent directory is marked “xlink”, it will fall-through instead to the root of the mount
They also modified their installworld to set “/” /usr/,/var/,/home/ as “xlink” flagged
This prevents moving hard-links across these directories, but is similar to dealing with multiple partitions / datasets already. ***

Japan's NetBSD User Group showed off some NetBSD machines at the 2015 Tokushima Open Source Conference

It’s been a little while since we’ve shown off a bunch of odd devices running NetBSD, but we have an update from the 2015 Tokushima Open Source Conference.
This time around, we have pictures of the booth, as well as a variety of oddities such as:
ODroid-C1 / Sharp X68030
Sharp NetWalker
Sharp WZero3 (Cell phone)
Give them a look, this time around they have nice cards pictured which details the hardware being used (in english none the less!) ***

One of the three OpenBSD users Blog Post by Adam Wolk

An OpenBSD user comments on a recent interaction with the syncthing project (a dropbox like alternative)
The application has an auto-update feature (which doesn’t mix well with package systems in the first place), but it doesn’t work on OpenBSD because there is no /proc/curproc/file to determine the filename of the executable. This is a trivially easy task, but when the bug was reported, syncthings response was “Maybe one of the three OpenBSD users feel strongly enough about this to propose a patch. :D”
Part of the issue is that many users (especially the type that would run OpenBSD) opt out of reporting metrics, so OpenBSD is under-represented in the metrics the project developers are basing their decisions on
Maybe someone can post a patch to solve the problem. While FreeBSD can provide a linux procfs, it would be better to use a more portable way to get the location of the process binary ***

BeastieBits

Feedback/Questions

117: The Cantrill Strikes Back: ...

JT Pennington — Tue, 24 Nov 2015 08:00:00 -0500

This episode was brought to you by

iX Systems Mission Complete

Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! ***

Headlines

Why did I choose the DragonFlyBSD Operating System by Siju George

We have a new article this week by Siju George posted over at BSDMag, talking about his reasons for using DragonFlyBSD in production.
He ran through periods of using both Free/OpenBSD, but different reasons led him away from each. Specifically problems doing port upgrades on FreeBSD, and the time required to do fsck / raid parity checks on OpenBSD.
During his research, he had heard about the HAMMER file-system, but didn’t know of anybody running it in production. After some mailing list conversions, and pointers from Matthew Dillon, he took the plunge and switched.
Now he has fallen in love with the operating system, some of the key strengths he notes at:
Rolling-Release model, which can be upgraded every few weeks or whenever he has the time
- No time-consuming fsck after a unclean shutdown
- No RAID parity checks while still having redundancy
- Able to add volumes to HAMMER on the fly
He also mentions looking forward to HAMMER2, and its potential for easy clustering support, along with eventual CARP implementation so he can run two systems on the same IP. ***

The Devil & BSD - Larry Cafiero

A story that has been making the rounds on social media is by Larry Cafiero, on his reasons for deciding to switch from Linux over to the BSD side of things.
While most of the reasons are over the conflicts surrounding behavior by Linux leaders towards those in the community, he does mention that he has converted his main workstation over to PC-BSD.
According to Larry, “With a couple of hours of adding backup files and tweaking (augmented by a variety of “oh, look” moments which could easily make me the ADHD Foundation Poster Boy), it looks exactly like my personally modified Korora 22 Xfce which graced the machine earlier. “
He also gave a great compliment to the quality of the docs / applications in PC-BSD: “In addition, you have to like a operating system which gives you a book — in this case, the PC-BSD Handbook — which should be the gold standard of documentation. It’s enviable, as in, “man, I wish I had written that.” Also programs like AppCafe provide a plethora of FOSS software, so there’s no shortage of programs. Side by side, there’s nothing on the Linux side of things that is lacking on the BSD side of things.”
Regardless the initial reason for the switch, we are glad to have him and any other switchers join us on the BSD side of FOSS. ***

New resource for BSD-schoolin’

“The initial repository contains all of the material for the practitioner and masters style courses as well as a PDF for the teaching guide. All of the material is licensed under a BSD doc team license, also visible in the repo and on the github site.”
“we expect all other work, including the extension of the practitioner course to 5 days, and the adaptation of the graduate course to undergraduates will be in the github repo”
“Our goal now is to recruit a small number of universities to partner with us to teach this material. We will keep you posted on our progress.”
We are working on getting an interview lined up to talk more about this project
If I somehow find the time, I am try to contribute towards a sysadmin course similar to what I used to teach at an Arts&Tech College here in Canada ***

A Few thoughts on OpenBSD 5.8

A user details their thoughts, reactions, and concerns after upgrading to OpenBSD 5.8
Among the changes:
sudo was removed and replaced as doas. The user decided to make the switch, but ran into a bug with line continuation (\ to escape newline to continue a long line)
The removal of TCP Wrappers support from ssh - this caused a number of rules in hosts.allow to no longer be respected.
The FreeBSD port of openssh-portable has a patch to readd TCP wrappers because many people find it useful, including myself, when the ssh is in a jail and cannot run a firewall
The removal of the pf_rules= rc.conf variable. “I used to just put the default pf.conf rules file in place with each release and upgrade, and keep my changes in a pf.conf.local file that was specified in the pf_rules variable. The effect was that from the period after the upgrade until I noticed the change, my systems were using the default rules and thus more exposed than they were supposed to be”
This is what is often called a “POLA Violation”, Policy of Least Astonishment. When deciding what the system should do after some change or new feature is introduced, it should be the thing that will be the least “surprising” to the user. Having your firewall rules suddenly not apply, is surprising.
“A minor annoying change that was made in 5.8 was putting the file /var/unbound/db/root.key into /etc/changelist, so that the file gets checked daily by the security script. The issue with this is that if you are actually using unbound with DNSSEC, this file changes daily, though only in the comments”
It is very helpful to see a list of feedback like this after a release, so that the next release can be better
I would be interested in seeing similar feedback for the other BSDs ***

Interview - Bryan Cantrill - @bcantrill

Linux Interface Rants

News Roundup

FreeBSD AMI building AMI - Colin’s Corner

Colin Percival (Of TarSnap Fame) has brought us a new article this week on how to create your own custom EC2 AMI builds.
This new tool and instructions allows the creation of AMI files, without needing to go through the hassle of doing a fresh FreeBSD release build each time.
Essentially it works similar to Colin’s previous “de-penguinator” utility, by running a FreeBSD in a memory instance, allowing the disk to be unmounted and prepped for becoming an AMI.
The hope is that this new work allows easier creation of a new variety of “customized” FreeBSD instances, for end users to download and deploy at will. ***

Peter Hessler on OpenBSD / OpenBGPd

Last week a new video landed of Peter Hessler giving us a status update on OpenBSD tech, and OpenBGPd specifically
Of interest, he notes that LibreSSL is being used in iOS / OSX, and of course PF is used all over, Apple, BSD, Solaris and even a Windows port!
OpenNTPD gets a mention as well, still ZERO CVEs for the lifetime of the project
On the OpenBGPd side, it is considered production ready, so no reason to hold back deployment
Very “feature-complete”, able to handle Edge Router, Route server, Multi-RIB. Slew of optional features like route reflector, looking glass, mrt dumps, mpls / mpls vpn.
Bugs fixed, crashers, memory constraints and performance has been improved
Filtering Performance, in example provided, importing 561K rules / 60K prefixes, went from 35 minutes down to 30 seconds. ***

Onion Omega Updates

I have a newer kernel config that will be committed soon that hooks up the system LED, and the three LEDs on the expansion dock via /dev/led
I also have the I2C interface working to talk to the Relay and Servo expansions
I have not determined the exact protocol for the Servo expansions, but the relay expansion is fairly simple to operate
Instructions have been added to the wiki
I have managed to use the GPIO to toggle external LEDs and to read the value from a switch
I have also used the Servo PWM controller to dim an LED and control the speed of a PWM computer case fan
My plan is to operate a 32x32 multi colour LED matrix from the device for an interactive christmas display ***

FreeBSD Mastery: ZFS Book review

Book can be purchased here
or from the list of vendors including directly from the author here ***

Beastie Bits

Computer History Museum is looking for Bell Labs UNIX

ACM Queue Portrait: Robert Watson

Video Collection about BSD History, put together by FreeBSDNews

Minix announces its 2016 conference

Chris Henschen from fP Technologies' talk about BSD is now online

Mike Larkin and Theo de Raadt's talks from Hackfest this year in Quebec are online

FreeBSD on a BeagleBoneBlack with a Touchscreen Display

Dan Langille will be talking at CINLUG

Feedback/Questions

116: Arcing ZFS

JT Pennington — Wed, 18 Nov 2015 08:00:00 -0500

This episode was brought to you by

iX Systems Mission Complete

Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal!

Headlines

How to create new binary packages in the Ports system on OpenBSD

Creating a port is often a great first step you can take to get involved in your favorite BSD of choice, and (often) doesn’t require any actual programming to do so.
In this article we have a great walkthrough for users on creating a new ported application, and eventually binary package, on OpenBSD
As mentioned in the tutorial, a good starting place is always an existing port, which can you use as a template for your new creation. Tip: Try to pick something similar, I.E. python for a python app, Qt for Qt, etc.
This tutorial will first walk you through the process of creating your Makefile and related description about the new port.
Once you’ve created the initial Makefile, there are a bunch of new “make” targets you can begin to run to try building your port, everything from “make fetch” to “make makesum” and “make package”. Using these tests you can verify that your port is correct and results in the installable package/app you wanted. ***

Status update on pledge(2)

OpenBSD has been working very aggressively to convert much of their base system applications to using pledge(2) “Formerly Tame(2))
Theo has provided a great status update on where that stands as of right now and the numbers look like the following:
Out of 600 ELF binaries, 368 of them have been updated to utilize pledge(2) in some manner
This is quite a few, and includes everything from openssl, ping, sftp, grep, gzip and much more
There are still a number of “pledge-able” commands waiting for conversion, such as login, sysctl, nfsd, ssh and others.
He also mentions that there does exist some subset of commands which aren’t viable pledge(2) candidates, such as simple things like “true”, or commands like reboot/mount or even perl itself. ***

FreeBSD booting on the Onion Omega

Tiny $19 MIPS SoC ($25 with dock that provides built in mini-USB Serial interface, power supply, LED lights, GPIO expansion, USB port, etc)
A number of pluggable ‘expansions’ are available, including:
- Arduino Dock (connect the Omega device to your existing Arduino components)
- Blue Tooth Lower Energy
- 10/100 Ethernet Port
- Relay expansion (2 relays each, can stack up to 8 expansions to control 16 relays)
- Servo expansion (control up to 16 PWM servos, like robotic arms or camera mounts)
- OLED expansion (1" monochrome 128x64 OLED display)
- Thermal Printer Kit (includes all wiring and other components)
The device is the product of a successful Kick Starter campaign from March of this year
Specs:
Atheros AR9330 rev1 400MHZ MIPS 24K
64MB DDR2 400MHz
16MB Flash
802.11b/g/n 150Mbps Atheros Wifi + 100mbps Atheros Wired Ethernet
18 GPIO Pins
USB Controller
Using the freebsd-wifi-build tool, I was able to build a new firmware for the device based on a profile for a similar device based on the same Atheros chip. I hope to have time to validate some of the settings and get them posted up into the wiki and get the kernel configuration committed to FreeBSD in the next week or two
It is an interesting device compared to the TP-Link WDR3600’s we did at BSDCan, as it has twice as much flash, leaving more room for the system image, but only half as much ram, and a slower CPU ***

SSH Performance testing

There has been a discussion about the value of upkeeping the HPN (High Performance Networking) patch to OpenSSH in the base system of FreeBSD
As part of this, I did some fresh benchmarks on my pair of new high end servers
The remaining part to be done is testing different levels of latency
By tweaking the socket buffer sizes, I was able to saturate the full 10 gigabit with netcat, iperf, etc
From the tests that have been done so far, it doesn’t look like even the NONE cipher can reach that level of performance because of the MAC (Message Authentication Code)
It does appear that some of the auto-tuning in HPN is not worked as expected
Explicitly setting -oTcpRcvBuf=7168 (KB) is enough to saturate a gigabit with 50ms RTT (round trip time) ***

iXsystems

Interview - George Wilson - wilzun@gmail.com / @zfsdude

OpenZFS and Delphix ***

News Roundup

Nicholas Marriott has replaced the aging version of less(1) in OpenBSD

Sometimes less isn’t more, it’s just less
In this story, we have news that the old version of less(1) in OpenBSD has now been ripped out in favor of the more modern fork from illumos founder Garrett D’Amore.
In addition to being a “more” modern version, it also includes far “less” of the portability code, uses terminfo, replacing termcap and is more POSIX compliant. ***

FreeBSD gets initial support for advanced SMR drives

Kenneth D. Merry ken@freebsd.org has developed initial support for Host Managed, and Host Aware Shingled Magnetic Recording drives in FreeBSD, available as a patch against both -current and 10-stable
“This includes support for Host Managed, Host Aware and Drive Managed SMRdrives that are either SCSI (ZBC) or ATA (ZAC) attached via a SAScontroller. This does not include support for SMR ATA drives attached viaan ATA controller. Also, I have not yet figured out how to properly detecta Host Managed ATA drive, so this code won't do that.”
SMR drives have overlapping tracks, because the read head can be much smaller than the write head
The drawback to this approach is that writes to the disk must take place in 256 MB “zones” that must be written from the beginning
New features in the patch:
A new 'camcontrol zone' command that allows displaying and managing drive zones via SCSI/ATA passthrough.
- A new zonectl(8) utility that uses the new DIOCZONECMD ioctl to display and manage zones via the da(4) (and later ada(4)) driver.
- Changes to diskinfo -v to display the zone mode of a drive.
- A new disk zone API, sys/sys/disk_zone.h.
- A new bio type, BIO_ZONE, and modifications to GEOM to support it. This new bio will allow filesystems to query zone support in a drive and manage zoned drives.
Extensive modifications to the da(4) driver to handle probing SCSI and SATA behind SAS SMR drives.
- Additional CAM CDB building functions for zone commands.
“We (Spectra Logic) are working on ZFS changes that will use this CAM and GEOM infrastructure to make ZFS play well with SMR drives. Those changes aren't yet done.”
It is good to see active development in this area, especially from experts in archival storage
A second patch is also offered, that improves the pass(4) passthrough interface for disks, and introduces a new camdd(8) command, a version of dd that uses the pass(4) interface, kqueue, and separate reader/writer threads for improved performance
He also presents a feature wishlist that includes some interesting benchmarking features, including a ‘sink’ mode, where reads from the device are just thrown away, rather than having to write then to /dev/null ***

Initial implemtnation of 802.11n now in iwm(4)

OpenBSD laptop users rejoice! 802.11n has landed!
Initially only for the iwm(4) driver, support is planned for other devices in the future
Includes support for all the required (non-optional) bits to make 802.11N functional
Adds a new 11n mode to ifmedia, and MCS (modulation coding scheme) that sits alongside the ieee80211_rateset structure.
No support for MIMO / SGI (Short Guard Interval) or 40 MHz wide-channels, but perhaps we will see those in a future update.
They are asking users for testing against a wide variety of any/all APs! ***

Freebsd adds support for Bluetooth LE Security Management

FreeBSD + BlueTooth, not something we discuss a lot about, but it is still under active development.
The most recently added features come from Takanori Watanabe, and adds new LE Security Management.
Specifically, it enables support for BLE Security Manager Protocol(SMP), and enables a userland tool to wait for the underlying HCI connection to be encrypted. ***

Building OpnSense on HardenedBSD

Looking for a way to further Harden your router? We have a tutorial from the HardenedBSD developer, Shawn Webb, about how to build OpnSense on HBSD 10-STABLE.
You’ll need to first be running HBSD 10-STABLE somewhere, in this article he is using bhyve for the builder VM.
The build process itself is mostly pretty straight-forward, but there are a number of different repos that all have to be checked out, so pay attention to which goes where. +In this example he does a targeted build for a Netgate RCC-VE-4860, but you can pick your particular build. ***

Beastie Bits

1 BTC bounty for chromium bug!

DesktopBSD 2.0 M1 released

By implementing asynchronous pru_attach for UDP, Sepherosa Ziehau has increased connect rate by around 15K connections per second

Stephen Bourne, known for the Bourne Shell, will be giving a talk at NYCBUG this week

Tor Browser 5.0.3 for OpenBSD released

The Tor BSD Diversity Project aim to
- Increase the number of Tor relays running BSDs. We envision this happening by increasing the total number of relays, with the addition of more BSD users running relays;
- Make the Tor Browser available under BSD operating systems using native packaging mechanisms. Our first target is OpenBSD;
- Engage the broader BSD community about the Tor anonymity network and the place that BSD Unix should occupy in the privacy community at large.

Screenshots from Unix People circa 2002

Feedback/Questions

115: Controlling the Transmissions

JT Pennington — Wed, 11 Nov 2015 08:00:00 -0500

Controlling the Transmissions

This episode was brought to you by

iX Systems Mission Complete

Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! ***

Headlines

FreeBSD 2015 Vendor Dev Summit

FreeBSD Quarterly Status Report - Third Quarter 2015

We have a fresh quarterly status report from the FreeBSD project. Once again it almost merits an entire show, but we will try to hit all the highlights.
Bhyve - Porting of the Intel edk2 UEFI firmware, allowing Windows in headless mode, and Illumos support. Also porting to ARM has begun!
Improved Support for Acer C720 ChromeBooks
High Availability Clustering in CTL (Cam Target Layer)
Root Remounting (Similar to pivot_root in Linux). This work allows using “reboot -r” to do a fast-reboot, with a partial shutdown, kill all processes, and re-mount rootfs and boot. Especially useful for booting from mfs or similar then transitioning to iscsi or some other backing storage
OpenCL Support in Mesa, as well as kernel progress on the i915 driver
Improved support for UEFI FrameBuffer on a bunch of recent MacBook Pro and other Macs, in addition to improvements to “vt” framebuffer driver for high resolution displays.
ZFS support for UEFI Boot (Needs testing, but used in PC-BSD for a couple months now), and importing new features from IllumOS (resumable send, receive prefetch, replication checksumming, 50% less ram required for L2ARC, better prefetch)
DTrace SDT probes added to TCP code, to replace the old TCPDEBUG kernel option. Recompiling the kernel is no longer required to debug TCP, just use DTrace
Ongoing work to bring us a native port/package of GitLab ***

Meteor, the popular javascript web application framework has been forked to run on FreeBSD, OpenBSD and NetBSD - FreeBSD testers requested

We have a public call for testing for FreeBSD users of Meteor by Tom Freudenberg
The included link includes all the details on how to currently get meteor boot-strapped on your box and bring up the server
So far the reports are positive, many users reporting that it is running on their 10.2 systems / jails just fine.
Just a day ago the original porter mentioned that OpenBSD is ready to go for testing using the prepared dev bundle. ***

Mike Larkin work continues on an native OpenBSD hypervisor, which he has announced is now booting

Speaking of OpenBSD, we have an update from Mike Larkin about the status of the OpenBSD native hypervisor vmm(4).
His twitter post included the output from a successful VM bootup of OpenBSD 5.8-current, all the way to multi-user
While the code hasn’t been committed (yet) we will keep you informed when it lands so you too can begin playing with it. ***

This is how I like open source

A blog post by FreeBSD Core Team member, and one of the lead developers of pkg, Baptiste Daroussin
One project he has been working on is string collation
Garrett d'Amore (of IllumOS) implemented unicode string collation while working for Nexenta and made it BSD license
John Marino (from Dragonfly) imported the work done on Illumos into Dragonfly, while he was doing that he decided, it was probably a good idea to rework how locales are handled
He discovered that Edwin Groothuis (from FreeBSD) had long ago started a project to simplify locales handling on FreeBSD
He extended the tools written by Edwin and has been able to update Dragonfly to the latest (v27 so far) unicode definitions
John Marino has worked with Bapt many times on various projects (including bringing pkg and ports to Dragonfly)
Bapt decided it was time that FreeBSD got proper string collation support as well, and worked with John to import the support to FreeBSD
Bapt spotted a couple of bugs and worked with John on fixing them: issues with eucJP encoding, issues with Russian encoding (John did most of the work on tracking down and fixing the bugs), Bapt also converted localedef (the tool to generate the locales) into using BSD license only code (original version used the CDDL libavl library which I modified to use tree(3)), fixed issues. I also took the locale generation from Edwin (extended by John)
This work resulted in a nice flow of patches going from Dragonfly to FreeBSD and from FreeBSD to Dragonfly.
And now Garrett is interested in grabbing back our patches into Illumos!
The result of this collaboration is that now 3 OS share the same implementation for collation support! This is very good because when one discovers a bug the 3 of them benefit the fix!
The biggest win here is that this was a lot of work, and not an area that many people are interested in working on, so it was especially important to share the work rather than reimplement it separately. ***

Interview - Hiren Panchasara - hiren@freebsd.org / @hirenpanchasara

Improving TCP ***

iXsystems

MissonComplete winners ***

News Roundup

LibreSSL 2.3.1 released

LibreSSl keeps on chugging, the latest release has landed, 2.3.1, which is the second snapshot based upon the OpenBSD 5.9 development branch.
Currently they are targeting a stable ABI/API sometime around March 2016 for the 2.3.X series.
Included in this update are ASN. 1 cleanups and some compliance fixes for RFC5280
Switched internally to time_t, with a check that the host OS supports 64bit time_t
Various TLS fixes, including the ability to check cert validity times with tls_peer_cert_not{before|after}
Fixed a reported memory leak in OBJ_obj2txt ***

Guide for Installing Ghost w/ Nginx on FreeBSD

A nice walkthrough for the week, we’ve found an article about how to install the Ghost blogging platform on FreeBSD 10.2.
For those who don’t know, Ghost is a MIT licensed blogging tool, started in 2012 by a former WordPress UI developer and is entirely coded in Node.js
While a port for FreeBSD does not yet exist (somebody get on that please), this tutorial can walk you through the process of getting it deployed manually
Most of the requirements are simple, www/node, www/npm and sqlite3.
With those installed, most of the steps are simply creating the username / home for ghost, and some “npm” setup.
The walkthrough even includes a handy rc.d script, making the possibility of a port seem much more likely ***

Adrian Chadd on 'Why attention to detail matters when you're a kernel developer

Adrian was correctly trolled in the FreeBSD embedded IRC chatroom and started looking at why the bridging performance in MIPS boards was so bad
120-150 mbit/sec is not really enough anymore
Using previous MIPS24k support as a starting point, Adrian managed to get HWPMC (Hardware Performance Monitoring Counters) working on MIPS74k
Using the data collected from the performance counters Adrian was able to figure out that packets were being copied in order to meet alignment requirements of the NIC and the FreeBSD networking stack. It turns out this is no longer a requirement for most modern Atheros NICs, so the workaround could be removed
Now performance was 180 mbit/sec
Next, on the receive side, only the TCP stack requires strict alignment, the ethernet stack does not, so offset the start point by 2 bytes so that TCP ends up aligned, and problem solved. Or not, no performance difference...
The problem appeared to be busdma, Ian Lepore had recently made improves in this area on armv6 and helpfully ported these over to MIPS
Now 420 mbit/sec. Getting better, but not as fast as Linux
After some further investigation, a missing ‘sync’ operation was added, and the memory caching was changed from writethrough to writeback
Things were so fast now, that the descriptor ring was being run through the ring so quickly as to hit the next descriptor that is still being setup. The first was to mark the first descriptor of a multi-descriptor packet as ‘empty’ until the entire chain was setup, so it would not be processed before the latter bits were done being added to the ring.
So now MIPS can bridge at 720 mbit/sec, and route 320 mbit/sec
Adrian wants to improve the routing speed and get it caught up to the bridging speed, but as always, free time is scarce. ***

Switching from OS X to FreeBSD

The story of a user who had used OS X since its beta, but 10.9 and 10.10, became more and more dissatisfied
They found they were spending too much time fighting with the system, rather than getting work done
They cover the new workstation they bought, and the process of getting FreeBSD going on it, including why they chose FreeBSD rather than PCBSD
Also covered it setting up a Lenovo X220 laptop
They setup the i3wm and mutt
The blog is very detailed and goes so far as to share a github repo of dotfiles and configuration files to ease the transition from OS X. ***

BeastieBits

The Stack behind Netflix's scaling

The Amiga port of NetBSD now has xorg support

NetBSD has announced EOL for v5.x to be November 9th

RetroArch ports allow playing PlayStation, Sega, Atari, etc., games on FreeBSD

OpenBSD booting on a 75mhz Cyrex system with 32MB RAM

Matthew Green reports Nouveau Nvidia can support GL with his latest commit

Releases!

OPNsense releases 15.7.18

pfSense releases 2.2.5

Feedback/Questions

For those of you curious about Kris' new lighting here are the links to what he is using.

114: BSD-Schooling

JT Pennington — Wed, 04 Nov 2015 08:00:00 -0500

This week, Allan is out of town at another Developer Summit, but we have a great episode coming

This episode was brought to you by

iX Systems Mission Complete

Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! ***

Headlines

WhatsApp founder, on how it got so HUGE

Wired has interviewed WhatsApp co-founder Brian Acton, about the infrastructure behind WhatsApp
WhatsApp manages 900 million users with a team of 50, while Twitter needs around 4,000 employees to manage 300 million users.
“FreeBSD has a nicely tuned network stack and extremely good reliability. We find managing FreeBSD installations to be quite straightforward.”
“Linux is a beast of complexity. FreeBSD has the advantage of being a single distribution with an extraordinarily good ports collection.”
“To us, it has been an advantage as we have had very few problems that have occurred at the OS level. With Linux, you tend to have to wrangle more and you want to avoid that if you can.”
“FreeBSD happened because both Jan and I have experience with FreeBSD from Yahoo!.”
Additional Coverage ***

User feedback in the SystemD vs BSD init

We have a very detailed blog post this week from Randy Westlund, about his experiences on Linux and BSD, contrasting the init systems.
What he finds is that while, it does make some things easier, such as writing a service file once, and having it run everywhere, the tradeoff comes in the complexity and lack of transparency.
Another area of concern was the reproducibility of boots, how in his examples on servers, there can often be times when services start in different orders, to save a few moments of boot-time.
His take on the simplicity of BSD’s startup scripts is that they are very easy to hack on and monitor, while not introducing the feature creep we have seen in sysd.
It will be interesting to see NextBSD / LaunchD and how it compares in the future! ***

Learn to embrace open source, or get buried

At the recent “All Things Open” conference, opensource.com interviewed Jim Salter
He describes how he first got started using FreeBSD to host his personal website
He then goes on to talk about starting FreeBSDWiki.net and what its goals were
The interview then talks about using Open Source at solve customers’ problems at his consulting firm
Finally, the talks about his presentation at AllThingsOpen: Move Over, Rsync about switching to ZFS replication ***

HP’s CTO Urges businesses to avoid permissive licenses

Martin Fink went on a rant about the negative effects of license proliferation
While I agree that having too many new licenses is confusing and adds difficulty, I didn’t agree with his closing point
“He then ended the session with an extended appeal to move the open-source software industry away from permissive licenses like Apache 2.0 and toward copyleft licenses like the GPL”
“The Apache 2.0 license is currently the most widely used "permissive" license. But the thing that developers overlook when adopting it, he said, is that by using Apache they are also making a choice about how much work they will have to put into building any sort of community around the project. If you look at Apache-licensed projects, he noted, "you'll find that they are very top-heavy with 'governance' structures." Technical committees, working groups, and various boards, he said, are needed to make such projects function. But if you look at copyleft projects, he added, you find that those structures simply are not needed.”
There are plenty of smaller permissively licensed projects that do not have this sort of structure, infact, most of this structure comes from being an Apache run project, rather than from using the Apache or any other permissive license
Luckily, he goes on to state that the “OpenSwitch code is released under the Apache 2.0 license, he said, because the other partner companies viewed that as a requirement.”
“HP wanted to get networking companies and hardware suppliers on board. In order to get all of the legal departments at all of the partners to sign on to the project, he said, HP was forced to go with a permissive license”
Hopefully the trend towards permissive licenses continues
Additionally, in a separate LWN post:
RMS Says: “I am not saying that competitors to a GNU package are unjust or bad -- that isn't necessarily so. The pertinent point is that they are competitors. The goal of the GNU Project is for GNU to win the competition. Each GNU package is a part of the GNU system, and should contribute to the success of the GNU Project. Thus, each GNU package should encourage people to run other GNU packages rather than their competitors -- even competitors which are free software.”
Never thought I’d see RMS espousing vendor lock-in ***

Interview - Brian Callahan - bcallah@devio.us / @twitter

The BSDs in Education ***

News Roundup

Digital Libraries in Africa making use of DragonflyBSD and HAMMER

In the international development context, we have an interesting post from Michael Wilson of the PeerCorps Trust Fund.
They are using DragonFlyBSD and FreeBSD to support the Tanzanian Digital Library Initiative in very resource-limited settings.
They cite among the most important reasons for using BSD as the availability and quality of the documentation, as well as the robustness of the filesystems, both ZFS and HAMMER.
Their website is now online over at (http://www.tandli.com/) , check it out to see exactly how BSD is being used in the field ***

netflix hits > 65gbps from a single freebsd box

A single socket server, with a high end Xeon E5 processor and a dual ported Chelsio T580 (2x 40 Gbps ports) set a netflix record pushing over 65 Gbps of traffic from a single machine
The videos were being pushed from SSDs and some new high end NVMe devices
The previous record at Netflix was 52 Gbps from a single machine, but only with very experimental settings. The current work is under much more typical settings
By the end of that night, traffic surged to over 70 Gbps
Only about 10-15% of that traffic was encrypted with the in-kernel TLS engine that Netflix has been working on with John-Mark Gurney
It was reported that the machine was only using about 65% cpu, and had plenty of head room
If I remember the discussion correctly, there were about 60,000 streams running off the machine ***

Lumina Desktop 0.8.7 has been released

A very large update has landed for PC-BSD’s Lumina desktop
A brand new “Start” menu has been added, which enables quick launch of favorite apps, pinning to desktop / favorites and more.
Desktop icons have been overhauled, with better font support, and a new Grid system for placement of icons.
Support for other BSD’s such as DragonFly has been improved, along with TONS of internal changes to functionality and backends.
Almost too many things to list here, but the link above will have full details, along with screenshots. ***

A LiveUSB for NetBSD has been released by Jibbed

After a three year absence, the Jibbed project has come back with a Live USB image for NetBSD!
The image contains NetBSD 7.0, and is fully R/W, allowing you to run the entire system from a single USB drive.
Images are available for 8Gb and 4Gb sticks (64bit and 32bit respectively), along with VirtualBox images as well
For those wanting X, it includes both X and TWM, although ‘pkgin’ is available, so you can quickly add other desktops to the image ***

Beastie Bits

NYC Bug's November meeting will be featuring a talk by Stephen R. Bourne

New not-just-BSD postcast, hosted by two OpenBSD devs Brandon Mercer and Joshua Stein

Feedback/Questions

Stefan
Zach
Jake
Corey
Robroy
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to
feedback@bsdnow.tv

113: What’s Next for BSD?

JT Pennington — Wed, 28 Oct 2015 08:00:00 -0400

Coming up on this week’s episode, we have an interview

This episode was brought to you by

iX Systems Mission Complete

Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! ***

Headlines

OpenBSD 5.8 is released on the 20th birthday of the OpenBSD project

5.8 has landed, and just in time for the 20th birthday of OpenBSD, Oct 18th
A long list of changes can be found on the release announcement, but here’s a small scattering of them
Drivers for new hardware, such as:
- rtwn = Realtek RTL8188CE wifi
- hpb = HyperTransport bridge in IBM CPC945
- Improved sensor support for upd driver (USB power devices)
- Jumbo frame support on re driver, using RTL8168C/D/E/F/G and RTL8411
Updated to installer, improve autoinstall, and questions about SSH setup
Sudo in base has been replace with “doas”, sudo moved to package tree
New file(1) command with sandboxing and priv separation
The tame(2) API WiP
Improvements to the httpd(8) daemon, such as support for lua pattern matching redirections
Bugfixes and the security updates to OpenSMTPD 5.4.4
LibreSSL security fixes, removed SSLv3 support from openssl(1) (Still working on nuking SSLv3 from all ports)
And much more, too much to mention here, read the notes for all the gory details!

OpenBSD Developer Interviews

To go along with the 20th birthday, we have a whole slew of new interviews brought to us by the beastie.pl team. English and Polish are both provided, so be sure not to miss these!

Jean-Sébastien Pédron has submitted a call for testing out the neIntel i915 driver

A very eagerly awaited feature, Haswell GPU support has begun the testing process
The main developer, Jean-Sébastien Pédron dumbbell@freebsd.org looking for users to test the patch, both those that have older supported cards (Sandybridge, Ivybridge) that are currently working, and users with Haswell devices that have, until now, not been supported
Included is a link to the Wiki with instructions on how to enable debugging, and grab the updated branch of FreeBSD with the graphical improvements. Jean-Sébastien is calling for testers to send results both good and bad over to the freebsd-x11 mailing lists
For those who want an “out of box solution” the next PC-BSD 11.0-CURRENT November images will include these changes as well

How to install FreeBSD on a Raspberry Pi 2

We have a nice walkthrough this week on how to install FreeBSD, both 10 or 11-CURRENT on a RPi 2!
The walkthrough shows us how to use OSX to copy the image to SD card, then booting.
In this case, we have him using a USB to serial cable to capture output with screen
This is a pretty quick way for users sitting on a RPi2 to get up and running with FreeBSD

Interview - Jordan Hubbard - jkh@ixsystems.com

NextBSD | NextBSD Github

Beastie Bits

OpenBSD's Source Tree turned 20 on October 18th

GhostBSD working on Graphical ZFS Configuration Utility

EuroBSDcon 2014 videos finally online

Postdoctoral research position at Memorial University is open

NetBSD Security Advisory: TCP LAST_ACK memory exhaustion, reported by NetFlix and Juniper

DesktopBSD making a comeback?

Feedback/Questions

112: Tracing the source

JT Pennington — Wed, 21 Oct 2015 08:00:00 -0400

This week Allan is away at a ZFS conference, so it seems

This episode was brought to you by

Headlines

pfsense - 2.3 alpha snapshots available

pfsense 2.3 Features and Changes
The entire front end has been re-written
Upgrade of base OS to FreeBSD 10-STABLE
The PPTP server component has been removed,
PBIs have been replaced with pkg
PHP upgraded to 5.6
The web interface has been converted to Bootstrap ***

BSDMag October 2015 out

A Look at the New PC-BSD 10.2 - Kris Moore
Basis Of The Lumina Desktop Environment 18 - Ken Moore
A Secure Webserver on FreeBSD with Hiawatha - David Carlier
Defeating CryptoLocker Attacks with ZFS - Michael Dexter
Emerging Technology Has Increasingly Been a Force for Both Good and Evil - Rob Somerville
Interviews with: Dru Lavigne, Luca Ferrari, Oleksandr Rybalko ***

OpnSense 15.7.14 Released

Another update to OpnSense has landed!
Some of the notable takeaways this time are that it isn’t a security update
Major rework of the firewall rules sections including, rules, schedules, virtual ip, nat and aliases pages
Latest BIND and Squid packages
Improved configuration management, including fixes to importing an old config file. New location for configuration history / backups. ***

OpenBSD in Toyota Highlander

Images
While looking through the ‘Software Information’ screen of a Toyota Highlander, Chad Dougherty of the ACM found a bunch of OpenBSD copyright notices
At least one of which I recognize as OpenCrypto, because of the comment about “transforms”
It is likely that the vehicle is running QNX, which contains various bits of BSD
QNX: Third Party License Terms List version 2.17
Some highlights
- Robert N. M. Watson (FreeBSD)
- TrustedBSD Project (FreeBSD)
- NetBSD Foundation
- NASA Ames Research Center (NetBSD)
- Damien Miller (OpenBSD)
- Theo de Raadt (OpenBSD)
- Sony Computer Science Laboratories Inc.
- Bob Beck (OpenBSD)
- Christos Zoulas (NetBSD)
- Markus Friedl (OpenBSD)
- Henning Brauer (OpenBSD)
- Network Associates Technology, Inc. (FreeBSD)
- 100s of others
OpenSSH seems to be included
It also seems to contain tcpdump for some reason

Interview - Adam Leventhal -

adam.leventhal@delphix.com /
@ahl
ZFS and DTrace

Beastie-Bits

isboot, an iSCSI boot driver for FreeBSD 9 and 10

tame() is now called pledge()
Interview with NetBSD developer Leoardo
Taccari

Fuguita releases LiveCD based on OpenBSD 5.8

Dtrace toolkit gets an update and imported into NetBSD

An older article about how to do failover / load-balancing in pfsense

Feedback/Questions

111: Xenocratic Oath

JT Pennington — Wed, 14 Oct 2015 08:00:00 -0400

Coming up on this weeks episode, we have BSD news, tidbits and articles out the wazoo to share. Also, be sure to stick around for our interview with Brandon Mercer as he tells us about OpenBSD being used in the healthcare industry.

This episode was brought to you by

Headlines

NetBSD 7.0 Release Announcement

DRM/KMS support brings accelerated graphics to x86 systems using modern Intel and Radeon devices (Linux 3.15)
Multiprocessor ARM support.
Support for many new ARM boards, including the Raspberry Pi 2 and BeagleBone Black
Major NPF improvements:
- BPF with just-in-time (JIT) compilation by default
- support for dynamic rules
support for static (stateless) NAT
support for IPv6-to-IPv6 Network Prefix Translation (NPTv6) as per RFC 6296
support for CDB based tables (uses perfect hashing and guarantees lock-free O(1) lookups)
Multiprocessor support in the USB subsystem.
GPT support in sysinst via the extended partitioning menu.
Lua kernel scripting
GCC 4.8.4, which brings support for C++11
Experimental support for SSD TRIM in wd(4) and FFS
tetris(6): Add colours and a 'down' key, defaulting to 'n'. It moves the block down a line, if it fits. ***

CloudFlare develops interesting new netmap feature

Normally, when Netmap is enabled on an interface, the kernel is bypassed and all of the packets go to the Netmap consumers
CloudFlare has developed a feature that allows all but one of the RX queues to remain connected to the kernel, and only a single queue be passed to Netmap
The change is a simple modification to the nm_open API, allowing the application to open only a specific queue of the NIC, rather than the entire thing
The RSS or other hashing must be modified to not direct traffic to this queue
Then specific flows are directed to the netmap application for matching traffic
For example under Linux:
ethtool -X eth3 weight 1 1 1 1 0 1 1 1 1 1
ethtool -K eth3 lro off gro off
ethtool -N eth3 flow-type udp4 dst-port 53 action 4
Directs all name server traffic to NIC queue number 4
Currently there is no tool like ethtool to accomplish this same under FreeBSD
I wonder if the flows could be identified more specifically using something like ipfw-netmap ***

Building your own OpenBSD based Mail server!

part 2
part 3
The UK Register gives us a great writeup on getting your own mail server setup specifically on OpenBSD 5.7
In this article they used a MiniPC the Acer Revo One RL85, which is a decently priced little box for a mail server
While a bit lengthy in 3 parts, it does provide a good walkthrough of getting OpenBSD setup, PostFix and DoveCot configured and working. In the final installment it also provides details on spam filtering and antivirus scanning.

Getting started with the UEFI bootloader on OpenBSD

If you've been listening over the past few weeks, you've heard about OpenBSD.s new UEFI boot-loader. We now have a blog post with detailed instructions on how to get setup with this on your own system.
The initial setup is pretty straightforward, and should only take a few minutes at most. In involves the usual fdisk commands to create a FAT EFI partition, and placing the bootx64.efi file in the correct location.
As a bonus, we even get instructions on how to enable the frame-buffer driver on systems without native Intel video support (ThinkPad x250 in this example) ***

Recipe for building a 10Mpps FreeBSD based router

Olivier, (of FreeNAS and BSD Router Project fame) treats us this week to a neat blog post about building your own high-performance 10Mpps FreeBSD router
As he first mentions, the hardware required will need to be beefy, no $200 miniPC here. In his setup he uses a 8 core Intel Xeon E5-2650, along with a Quad port 10 Gigabit Chelsio TS540-CR.
He mentions that this doesn't work quite on stock FreeBSD yet, you will need to pull code in from the projects/routing which fixes an issue with scaling on cores, in this case he is shrinking the NIC queues down to 4 from 8.
If you don't feel like doing the compiles yourself, he also includes links to experimental BSDRouter project images which he used to do the benchmarks
Bonus! Nice graphic of the benchmarks from enabling IPFW or PF and what that does to the performance. ***

Interview - Brandon Mercer - bmercer@openbsd.org / @knowmercymod

OpenBSD in Healthcare

Sorry about the audio quality degradation. The last 7 or 8 minutes of the interview had to be cut, a problem with the software that captures the audio from skype and adds it to our compositor. My local monitor is analogue and did not experience the issue, so I was unaware of the issue during the recording ***

News Roundup

Nvidia releases new beta FreeBSD driver along with new kernel module

Includes a new kernel module, nvidia-modeset.ko
While this module does NOT have any user-settable features, it works with the existing nvidia.ko to provide kernel-mode setting (KMS) used by the integrated DRM within the kernel.
The beta adds support for 805A and 960A nvidia cards
Also fixes a memory leak and some regressions ***

MidnightBSD 0.7-RELEASE

We missed this while away at Euro and elsewhere, but MidnightBSD (A desktop-focused FreeBSD 6.1 Fork) has come out with a new 0.7 release
This release primarily focuses on stability, but also includes important security fixes as well.
It cherry-picks updates to a variety of FreeBSD base-system updates, and some important ZFS features, such as TRIM and LZ4 compression
Their custom .mports. system has also gotten a slew of updates, with almost 2000 packages now available, including a WiP of Gnome3. It also brings support for starting / stopping services automatically at pkg install or removal.
They note that this will most likely be the last i386 release, joining the club of other projects that are going 64bit only. ***

"Open Source as a Career Path"

The FreeBSD Project held a panel discussion of why Open Source makes a good career path at the ACM.s womENcourage conference in Uppsala, Sweden, the weekend before EuroBSDCon
The Panel was lead by Dru Lavigne, and consisted of Deb Goodkin, Benedict Reuschling, Dan Langille, and myself
We attempted to provide a cross section of experiences, including women in the field, the academic side, the community side, and the business side
During the question period, Dan gave a great answer to the question of .Why do open source projects still use old technologies like mailing lists and IRC.
The day before, the FreeBSD Foundation also had a booth at the career fair. We were the only open source project that attended. Other exhibitors included: Cisco, Facebook, Intel, Google, and Oracle.
The following day, Dan also gave a workshop on how to contribute to an open source project ***

Beastie-Bits

NetBSD 2015PkgSrc Freeze

Support for 802.11N for RealTek USB in FreeBSD

Wayland ported to DragonFlyBSD

OpenSMTPd developer debriefs on audit report

FreeBSD fixes issue with pf under Xen with TSO. Errata coming soon

Xinuos funds the HardenedBSD project

Feedback/Questions

110: - Firmware Fights

JT Pennington — Wed, 07 Oct 2015 08:00:00 -0400

This week on BSDNow, we get to hear all of Allans post EuroBSDCon wrap-up and a great interview with Benno Rice from Isilon. We got to discuss some of the pain of doing major forklift upgrades, and why your business should track -CURRENT.

This episode was brought to you by

Headlines

EuroBSDCon Videos

EuroBSDCon has started posting videos of the talks online already.
The videos posted online are archives of the live stream, so some of the videos contain multiple talks
Due to a technical complication, some videos only have 1 channel of audio
EuroBSDCon Talk Schedule
Red Room Videos
Yellow Room Videos
Blue Room Videos
Photos of the conference courtersy of Ollivier Robert ***

A series of OpenSMTPd patches fix multiple vulnerabilities

Qualys recently published an audit of the OpenSNMPd source code
The fixes for these vulnerabilities were released as 5.7.2
After its release, two additional vulnerabilities were found. One, in the portable version, newer code that was added after the audit started
All users are strongly encouraged to upgrade to 5.7.3
OpenBSD users should apply the latest errata or upgrade to the newest snapshot ***

FreeBSD updates in -CURRENT

Looks like Xen header support has been bumped in FreeBSD from 4.2 -> 4.6
It also enables support for ARM
Update to Clang / LLVM to 3.7.0
http://llvm.org/releases/3.7.0/docs/ReleaseNotes.html
ZFS gets FRU (field replaceable unit) tracking
OpenCL makes it way into the ports tree
bhyve has grown UEFI support, plus a CSM module
bhyve can now boot Windows
Currently there is still only a serial console, so the post includes an unattended install .xml file and instructions on how to repack the ISO. Once Windows is installed, you can RDP into the machine
bhyve can also now run IllumOS ***

OpenBSD Initial Support for Broadwell Graphics

OpenBSD joins DragonFly now with initial support for broadwell GPUs landing in their development branch
This brings Open up to Linux 3.14.52 DRM, and Mark Kettenis mentions that it isn.t perfect yet, and may cause some issues with older hardware, although no major regressions yet ***

OpenBSD Slides for TAME and libTLS APIs

The first set of slides are from a talk Theo de Raadt gave in Croatia, they describe the history and impetus for tame
Theo specifically avoids comparisons to other sandboxing techniques like capsicum and seccomp, because he is not impartial
tame() itself is only about 1200 lines of code
Sandboxing the file(1) command with systrace: 300 lines of code, with tame: 4 lines
Theo makes the point that .optional security. is irrelevant. If a mitigation feature has a knob to turn it off, some program will break and advise users to turn the feature off. Eventually, no one uses the feature, and it dies
This has lead to OpenBSD.s policy: .Once working, these features cannot be disabled. Application bugs must be fixed.
The second talk is by Bob Beck, about LibreSSL
when LibreSSL was forked from OpenSSL 1.0.1g, it contained 388,000 lines of C code
30 days in LibreSSL, they had deleted 90,000 lines of C
OpenSSL 1.0.2d has 432,000 lines of C (728k total), and OpenSSL Current has 411,000 lines of C (over 1 million total)
LibreSSL today, contains 297,000 lines of C (511k total)
None of the high risk CVEs against OpenSSL (there have been 5) have affected LibreSSL. It turns out removing old code and unneeded features is good for security.
The talk focuses on libtls, an alternative to the OpenSSL API, designed to be easier to use and less error prone
In the libtls api, if -1 is returned, it is always an error. In OpenSSL, it might not be an error, needs additional code to check errno
In OpenBSD: ftp, nc, ntpd, httpd, spamd, syslog have been converted to the new API
The OpenBSD Foundation is looking for donations in order to sponsor 2-3 developers to spend 6 months dedicated to LibreSSL ***

Interview - Benno Rice - benno@FreeBSD.org / @jeamland

Isilon and building products on top of FreeBSD

News Roundup

ReLaunchd

This past week we got a heads up about another init/launchd replacement, this time .Relaunchd.
The goals of this project appear to be keeping launchd functionality, while being portable enough to run on FreeBSD / Linux, etc.
It also has aspirations of being .container-aware. with support for jailed services, ala-docker, as well as cluster awareness.
Written in ruby :(, it also maintains that it wishes to NOT take over PID1 or replace the initial system boot scripts, but extend / leverage them in new ways. ***

Static Intrusion Detection in NetBSD

Alistar Crooks has committed a new .sid. utility to NetBSD, which allows intrusion detection by comparing the file-system contents to a database of known good values
The utility can compare the entire root file system of a modest NetBSD machine in about 15 seconds
The following parameters of each file can be checked: atime, block count, ctime, file type, flags, group, inode, link target, mtime, number of links, permissions, size, user, crc32c checksum, sha256 checksum, sha512 checksum
A JSON report is issued at the end, for any detected variances ***

LibreSSL 2.3.0 in PC-BSD

If you.re running PC-BSD 10.2-EDGE or October's -CURRENT image, LibreSSL 2.3.0 is now a thing
Thanks to the hard work of Bernard Spil and others, we have merged in the latest LibreSSL which actually removes SSL support in favor of TLS
Quite a number of bugs have been fixed, as well as patches brought over from OpenBSD to fix numerous ports.
Allan has started a patchset that sets the OpenSSL in base to "private"
This hides the library so that applications and ports cannot find it, so only tools in the base system, like fetch, will be able to use it. This makes OpenSSL no longer part of the base system ABI, meaning the version can be upgraded without breaking the stable ABI promise. This feature may be important in the future as OpenSSL versions now have EoL dates, that may be sooner than the EoL on the FreeBSD stable branches. ***

PC-BSD and boot-environments without GRUB

In this month.s -CURRENT image of PC-BSD, we began the process of moving back from the GRUB boot-loader, in favor of FreeBSD.s
A couple of patches have been included, which enables boot-environment support via the 4th menus (Thanks Allan) and support for booting ZFS on root via UEFI
"beadm" has also been updated to seamlessly support both boot-loaders
No full-disk encryption support yet (hopefully soon), but GRUB is still available on installer for those who need it ***

Import of IWM wireless to DragonFly

Matthew Dillon has recently imported the newer if_iwm driver from FreeBSD -> DragonFly
Across the internet, users with newer Intel chipsets rejoiced!
Coupled with the latest Broadwell DRM improvements, DragonFly sounds very ready for the latest laptop chipsets
Also, looks like progress is being made on i386 removal ***

Feedback/Questions

109: Impish BSD

JT Pennington — Wed, 30 Sep 2015 08:00:00 -0400

This week, we have a great interview with Warner Losh of the FreeBSD project! We will be discussing everything from automatic kernel module loading, IO scheduling and of course NanoBSD.

This episode was brought to you by

Interview - Warner Losh - [imp@bsdimp.com](imp@bsdimp.com) / @bsdimp

SSD performance and driver auto-loader

108: ServeUp BSD

JT Pennington — Wed, 23 Sep 2015 08:00:00 -0400

This week on the show, Allan is heading to Sweden, but we have a great interview with Andrew Pantyukhin to bring you. We will be discussing everything from contributions to FreeBSD, which technologies worked best in the datacenter, config management and more.

This episode was brought to you by

Headlines

Allan is away this week, traveling to Sweden for the ACM womENcourage conference followed by EuroBSDCon, but we have an excellent interview for you, so sit back and enjoy the show. Allan will be back on October 5th, so we look forward to bringing you a live show, with all the details about EuroBSD and more!

Interview - Andrew Pantyukhin - infofarmer@gmail.com / @infofarmer

Building products with FreeBSD

107: In their midst

JT Pennington — Wed, 16 Sep 2015 08:00:00 -0400

This week, we are going to be talking with Aaron Poffenberger, who has much to share about his first-hand experience in infiltrating Linux conferences with BSD-goodness.

This episode was brought to you by

Headlines

Alexander Motin implements CTL High Availability

CTL HA allows two .head. nodes to be connected to the same set of disks, safely
An HA storage appliance usually consists of 2 totally separate servers, connected to a shared set of disks in separate JBOD sleds
The problem with this setup is that if both machines try to use the disks at the same time, bad things will happen
With CTL HA, the two nodes can communicate, in this case over a special TCP protocol, to coordinate and make sure they do not step on each others toes, allowing safe operation
The CTL HA implementation in FreeBSD can operate in the following four modes:
Active/Unavailable -- without interlink between nodes
- Active/Standby -- with the second node handling only basic LUN discovery and reservation, synchronizing with the first node through the interlink
- Active/Active -- with both nodes processing commands and accessing the backing storage, synchronizing with the first node through the interlink
- Active/Proxy -- with second node working as proxy, transferring all commands to the first node for execution through the interlink
The custom TCP protocol has no authentication, so it should never be enabled on public interfaces
Doc Update ***

Panel Self-Refresh support lands in DragonFlyBSD

In what seems almost weekly improvements being made to the Xorg stack for DragonFly, we now have Panel Self-Refresh landing, thanks to Imre Vadász
Understanding Panel Self-Refresh and More about Panel Self-Refresh
In a nutshell, the above articles talks about how in the case of static images on the screen, power-savings can be obtained by refreshing static images from display memory (frame-buffer), disabling the video processing of the CPU/GPU and associated pipeline during the process.
And just for good measure, Imre also committed some further Intel driver cleanup, reducing the diff with Linux 3.17 ***

Introducing Sluice, a new ZFS snapshot management tool

A new ZFS snapshot management tool written in Python and modeled after Apple.s Time Machine
Simple command line interface
No configuration files, settings are stored as ZFS user properties
Includes simple remote replication support
Can operate on remote systems with the zfs://user@host/path@snapname url schema
Future feature list includes .import. command to moved files from non-ZFS storage to ZFS and create a snapshot, and .export. to do the inverse
Thanks to Dan for tipping us about this new project ***

Why WhatsApp only needs 50 engineers for 900 million users

Wired has a good write-up on the behind-the-scenes work taking place at WhatsApp
While the article mentions FreeBSD, it spends the bulk of its discussion about Erlang and using its scalable concurrency and deployment of new code to running processes.
FB messenger uses Haskell to accomplish much the same thing, while Google and Mozilla are currently trying to bring the same level of flexibility to Go and Rust respectively.
video
Thanks to Ed for submitting this news item ***

Interview - Aaron Poffenberger - email@email / @akpoff

BSD in a strange place

KM: Go ahead and tell us about yourself and how did you first get involved with BSD?
AJ: You.ve presented recently at Texas Linux Fest, both on FreeBSD and FreeNAS. What specifically prompted you to do that?
KM: What would you say are the main selling points when presenting BSD to Linux users and admins?
AJ: On the flip side of this topic, in what areas to do you think we could improve BSD to present better to Linux users?
KM: What would you specifically recommend to other BSD users or fans who may also want to help present or teach about BSD? Any things specifically to avoid?
AJ: What is the typical depth of knowledge you encounter when presenting BSD to a mostly Linux crowd? Any surprises when doing so?
KM: Since you have done this before, are you mainly writing your own material or borrowing from other talks that have been done on BSD? Do you think there.s a place for some collaboration, maybe having a repository of materials that can be used for other BSD presenters at their local linux conference / LUG?
AJ: Since you are primarily an OpenBSD user have you thought about doing any talks related to it? Is OpenBSD something on the radar of the typical Linux conference-goer?
KM: Is there anything else you would like to mention before we wrap up? ***

News Roundup

GhostBSD 10.1 released

GhostBSD has given us a new release, this time it also includes XFCE as an alternative to the MATE desktop
The installer has been updated to allow using GRUB, BSD loader, or none at all
It also includes the new OctoPKG manager, which proves a Qt driven front-end to pkgng
Thanks to Shawn for submitting this ***

Moving to FreeBSD

In this blog post, Randy Westlund takes us through his journey of moving from Gentoo over to FreeBSD
Inspired in part due to Systemd, he first spent some time on Wikipedia reading about BSD before taking the plunge to grab FreeBSD and give it a whirl in a VM.
"My first impression was that installation was super easy. Installing Gentoo is done manually and can be a "fun" weekend adventure if you're not sure what you're doing. I can spin up a new FreeBSD VM in five minutes."
"There's a man page for everything! And they're well-written! Gentoo has the best documentation of any Linux distro I've used, but FreeBSD is on another level. With a copy of the FreeBSD Handbook and the system man pages, I can actually get things done without tabbing over to Google every five minutes."
He goes on to mention everything from Init system, Jails, Security, Community and License, a well-rounded article.
Also gives a nice shout-out to PC-BSD as an even easier way to get started on a FreeBSD journey, thanks!
Shout out to Matt for tipping us to this blog post ***

OpenBSD Enables GPT by default

Looks like OpenBSD has taken the plunge and enabled GPT by default now
Ken Westerback does us the honors, by removing the kernel option for GPT
Users on -CURRENT should give this a whirl, and of course report issues back upstream
Credit to Jona for writing in about this one ***

DISCUSSION: Are reproducible builds worth-while?

In this weeks article / rant, Ted takes on the notion of reproducible builds being the end-all be-all for security.
What about compiler backdoors?
This does not prevent shellshock, or other bugs in the code itself
Personally, I.m all in favor, another .Trust but verify. mechanism of the distributed binaries, plus it makes it handy to do source builds and not end up with various checksum changes where no code actually changed. ***

Feedback/Questions

106: Multipath TCP

JT Pennington — Wed, 09 Sep 2015 08:00:00 -0400

This week, we have Nigel Williams here to bring us all sorts of info about Multipath TCP, what it is, how it works and the ongoing effort to bring it into FreeBSD. All that and of course the latest BSD news coming your way, right now!

This episode was brought to you by

Headlines

Backing out changes doesn.t always pinpoint the problem

Peter Wemm brings us a fascinating look at debugging an issue which occurred on the FreeBSD build cluster recently.
Bottom line? Backing out something isn.t necessarily the fix, rather it should be apart of the diagnostic process
In this particular case, a change to some mmap() functionality ended up exposing a bug in the kernel.s page fault handler which existed since (wait for it.) 1997!
As Peter mentions at the bottom of the Article, this bug had been showing up for years, but was sporadic and often written off as a networking hiccup. ***

BSD Router Project benchmarks new routing changes to FreeBSD

A project branch of FreeBSD -CURRENT has been created with a number of optimizations to the routing code
Alexander V. Chernikov (melifaro@).s routing branch
The net result is an almost doubling of peak performance in packets per second
Performance scales well with the number of NIC queues (2 queues is 88% faster than 1 queue, 3 is 270% faster). Unlike the previous code, when the number of queues hits 4, performance is down by only 10%, instead of being cut nearly in half
Other Benchmark Results, and the tools to do your own tests ***

When is SSL not SSL?

Our buddy Ted has a good write-up on a weird situation related to licensing of stunnel and LibreSSL
The problem exists due to stunnel being released with a different license, that is technically incompatible with the GPL, as well as linking against non-OpenSSL versions.
The author has also decided to create specific named exceptions when the *SSL lib is part of the base operating system, but does not personally consider LibreSSL as a valid linking target on its own
Ted points out that the LibreSSL team considers LibreSSL == OpenSSL, so this may be a moot concern ***

Update on systembsd

We.ve mentioned the GSoC project to create a SystemD shim in OpenBSD before. Now we have the slides from Ian Sutton talking about this project.
As a refresher, this project is to take DBUS and create daemons emulating various systemd components, such as hostnamed, localed, timedated, and friends.
Written from scratch in C, it was mainly created in the hopes of becoming a port, allowing Gnome and related tools to function on OpenBSD.
This is a good read, especially for current or aspiring porters who want to bring over newer versions of applications which now depend upon SystemD. ***

Interview - Nigel Williams - [njwilliams@swin.edu.au](njwilliams@swin.edu.au)

Multipath TCP

News Roundup

OpenBSD UEFI boot loader

We.ve mentioned the ongoing work to bring UEFI booting to OpenBSD and it looks like this has now landed in the tree
The .fdisk. utility has also been updated with a new -b flag, when used with .-i. will create the special EFI system partition on amd64/i386 . (http://marc.info/?l=openbsd-cvs&m=144139348416071&w=2)
Some twitter benchmarks ***

FreeBSD Journal, July/August issue

The latest issue of the FreeBSD Journal has arrived
As always, the Journal opens with a letter from the FreeBSD Foundation
Feature Articles:
Groupon's Deal on FreeBSD -- How to drive adoption of FreeBSD at your organization, and lessons learned in retraining Linux sysadmins
FreeBSD: The Isilon Experience -- Mistakes not to make when basing a product on FreeBSD. TL;DR: track head
Reflections on FreeBSD.org: Packages -- A status update on where we are with binary packages, what issues have been overcome, and which still remain
Inside the Foundation -- An overview of some of the things you might not be aware that the FreeBSD Foundation is doing to support the project and attract the next generation of committers
Includes a book review of .The Practise of System and Network Administration.
As usual, various other reports are included: The Ports Report, SVN Update, A conference report, a report from the Essen hackathon, and the Event Calendar ***

Building ARMv6 packages on FreeBSD, the easy way

Previously we have discussed how to build ARMv6 packages on FreeBSD
We also interviewed Sean Bruno about his work in this area
Thankfully, over time this process has been simplified, and no longer requires a lot of manual configuration, or fussing with the .image activator.
Now, you can just build packages for your Raspberry Pi or similar device, just as simply as you would build for x86, it just takes longer to build. ***

New PC-BSD Release Schedule

The PC-BSD Team has announce an updated release schedule for beyond 10.2
This schedule follows more closely the FreeBSD schedules, with major releases only occurring when FreeBSD does the next point update, or major version bump.
PC-BSD.s source tree has been split into master(current) and stable as well
PRODUCTION / EDGE packages will be built from stable, with PRODUCTION updated monthly now. The -CURRENT monthly images will contain the master source builds. ***

Feedback/Questions

105: Virginia BSD Assembly

JT Pennington — Wed, 02 Sep 2015 08:00:00 -0400

It's already our two-year anniversary! This time on the show, we'll be chatting with Scott Courtney, vice president of infrastructure engineering at Verisign, about this year's vBSDCon. What's it have to offer in an already-crowded BSD conference space? We'll find out.

This episode was brought to you by

Headlines

OpenBSD hypervisor coming soon

Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output on Twitter recently
From what little he revealed at the time, it appeared to be a new hypervisor (that is, X86 hardware virtualization) running on OpenBSD -current, tentatively titled "vmm"
Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is
Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD foundation
One thing to note: this isn't just a port of something like Xen or Bhyve; it's all-new code, and Mike explains why he chose to go that route
He also answered some basic questions about the requirements, when it'll be available, what OSes it can run, what's left to do, how to get involved and so on ***

Why FreeBSD should not adopt launchd

Last week we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD
One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we've learned)
In this article, the author talks about why he thinks this is a bad idea
He doesn't oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself - this is also explained in more detail
The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities
Reddit had quite a bit to say about this one, some in agreement and some not ***

DragonFly graphics improvements

The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack
This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs
You should also see some power management improvements, longer battery life and various other bug fixes
If you're running DragonFly, especially on a laptop, you'll want to get this stuff on your machine quick - big improvements all around ***

OpenBSD tames the userland

Last week we mentioned OpenBSD's tame framework getting support for file whitelists, and said that the userland integration was next - well, now here we are
Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools
It's still a work-in-progress version; there's still more to be added (including the file path whitelist stuff)
Some classic utilities are even being reworked to make taming them easier - the "w" command, for example
The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse)
More discussion can be found on HN, as one might expect
If you're a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release ***

Interview - Scott Courtney - vbsdcon@verisign.com / @verisign

vBSDCon 2015

News Roundup

OPNsense, beyond the fork

We first heard about OPNsense back in January, and they've since released nearly 40 versions, spanning over 5,000 commits
This is their first big status update, covering some of the things that've happened since the project was born
There's been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more - the report touches on a little of everything ***

LibreSSL nukes SSLv3

With their latest release, LibreSSL began to turn off SSLv3 support, starting with the "openssl" command
At the time, SSLv3 wasn't disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example)
They've now flipped the switch, and the process of complete removal has started
From the Undeadly summary, "This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!"
With this change and a few more to follow shortly, Libre*SSL* won't actually support SSL anymore - time to rename it "LibreTLS" ***

FreeBSD MPTCP updated

For anyone unaware, Multipath TCP is "an ongoing effort of the Internet Engineering Task Force's (IETF) Multipath TCP working group, that aims at allowing a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy."
There's been work out of an Australian university to add support for it to the FreeBSD kernel, and the patchset was recently updated
Including in this latest version is an overview of the protocol, how to get it compiled in, current features and limitations and some info about the routing requirements
Some big performance gains can be had with MPTCP, but only if both the client and server systems support it - getting it into the FreeBSD kernel would be a good start ***

UEFI and GPT in OpenBSD

There hasn't been much fanfare about it yet, but some initial UEFI and GPT-related commits have been creeping into OpenBSD recently
Some support for UEFI booting has landed in the kernel, and more bits are being slowly enabled after review
This comes along with a number of other commits related to GPT, much of which is being refactored and slowly reintroduced
Currently, you have to do some disklabel wizardry to bypass the MBR limit and access more than 2TB of space on a single drive, but it should "just work" with GPT (once everything's in)
The UEFI bootloader support has been committed, so stay tuned for more updates as further progress is made ***

Feedback/Questions

104: Beverly Hills 25519

JT Pennington — Wed, 26 Aug 2015 08:00:00 -0400

Coming up this week on the show, we'll be talking with Damien Miller of the OpenSSH team. Their 7.0 release has some major changes, including phasing out older crypto and changing one of the defaults that might surprise you.

This episode was brought to you by

Headlines

EdgeRouter Lite, meet OpenBSD

The ERL, much like the Raspberry Pi and a bunch of other cheap boards, is getting more and more popular as more things get ported to run on it
We've covered installing NetBSD and FreeBSD on them before, but OpenBSD has gotten a lot better support for them as well now (including the onboard storage in 5.8)
Ted Unangst got a hold of one recently and kindly wrote up some notes about installing and using OpenBSD on it
He covers doing a network install, getting the (slightly strange) bootloader working with u-boot and some final notes about the hardware
More discussion can be found on Hacker News and various other places
One thing to note about these devices: because of their MIPS64 processor, they'll have weaker ASLR than X86 CPUs (and no W^X at all) ***

Design and Implementation of the FreeBSD Operating System interview

For those who don't know, the "Design and Implementation of the FreeBSD Operating System" is a semi-recently-revived technical reference book for FreeBSD development
InfoQ has a review of the book up for anyone who might be interested, but they also have an interview the authors
"The book takes an approach to FreeBSD from inside out, starting with kernel services, then moving to process and memory management, I/O and devices, filesystems, IPC and network protocols, and finally system startup and shutdown. The book provides dense, technical information in a clear way, with lots of pseudo-code, diagrams, and tables to illustrate the main points."
Aside from detailing a few of the chapters, the interview covers who the book's target audience is, some history of the project, long-term support, some of the newer features and some general OS development topics ***

Path list parameter in OpenBSD tame

We've mentioned OpenBSD's relatively new "tame" subsystem a couple times before: it's an easy-to-implement "self-containment" framework, allowing programs to have a reduced feature set mode with even less privileges
One of the early concerns from users of other process containment tools was that tame was too broad in the way it separated disk access - you could either read/write files or not, nothing in between
Now there's the option to create a whitelist of specific files and directories that your binary is allowed to access, giving a much finer-grained set of controls to developers
The next step is to add tame restraints to the OpenBSD userland utilities, which should probably be done by 5.9
More discussion can be found on Reddit and Hacker News ***

FreeBSD & PC-BSD 10.2-RELEASE

The FreeBSD team has released the second minor version bump to the 10.x branch, including all the fixes from 10-STABLE since 10.1 came out
The Linux compatibility layer has been updated to support CentOS 6, rather than the much older Fedora Core base used previously, and the DRM graphics code has been updated to match Linux 3.8.13
New installations (and newly-upgraded systems) will use the quarterly binary package set, rather than the rolling release model that most people are used to
A VXLAN driver was added, allowing you to create virtual LANs by encapsulating the ethernet frame in a UDP packet
The bhyve codebase is much newer, enabling support for AMD CPUs with SVM and AMD-V extensions
ARM and ARM64 code saw some fixes and improvements, including SMP support on a few specific boards and support for a few new boards
The bootloader now supports entering your GELI passphrase before loading the kernel in full disk encryption setups
In addition to assorted userland fixes and driver improvements, various third party tools in the base system were updated: resolvconf, ISC NTPd, netcat, file, unbound, OpenSSL, sendmail
Check the full release notes for the rest of the details and changes
PC-BSD also followed with their 10.2-RELEASE, sporting a few more additional features ***

Interview - Damien Miller - djm@openbsd.org / @damienmiller

OpenSSH: phasing out broken crypto, default cipher changes

News Roundup

NetBSD at Open Source Conference Shimane

We weren't the only ones away at conferences last week - the Japanese NetBSD guys are always raiding one event or another
This time they had NetBSD running on some Sony NWS devices (MIPS-based)
JavaStations were also on display - something we haven't ever seen before (made between 1996-2000) ***

BAFUG videos

The Bay Area FreeBSD users group has been uploading some videos of their recent meetings
Devin Teske hosts the first one, discussing adding GELI support to the bootloader, including some video demonstrations of how it works
Shortly after beginning, Adrian Chadd takes over the conversation and they discuss various problems (and solutions) related to the bootloader - for example, how can we type encryption passwords with non-US keyboard layouts
In a second video, Jordan Hubbard and Kip Macy introduce "NeXTBSD aka FreeBSD X"
In it, they discuss their ideas of merging more Mac OS X features into FreeBSD (launchd to replace the init system, some APIs, etc)
People should record presentations at their BSD users groups and send them to us ***

L2TP over IPSEC on OpenBSD

If you've got an OpenBSD box and some Mac OS X clients that need secure communications, surprise: they can work together pretty well
Using only the base tools in both operating systems, you can build a nice IPSEC setup for tunneling all your traffic
This guide specifically covers L2TP, using npppd and pre-shared keys
Server setup, client setup, firewall configuration and routing-related settings are all covered in detail ***

Reliable bare metal with TrueOS

Imagine a server version of PC-BSD with some useful utilities preinstalled - that's basically TrueOS
This article walks you through setting up a FreeBSD -CURRENT server (using TrueOS) to create a pretty solid backup solution
Most importantly, he also covers how to keep everything redundant and deal with hard drives failing
The author chose to go with the -CURRENT branch because of the delay between regular releases, and newer features not making their way to users as fast as he'd like
Another factor is that there are no binary snapshots of FreeBSD -CURRENT that can be easily used for in-place upgrades, but with TrueOS (and some other BSDs) there are ***

Kernel W^X on i386

We mentioned some big W^X kernel changes in OpenBSD a while back, but the work was mainly for x86_64 CPU architecture (which makes sense; that's what most people run now)
Mike Larkin is back again, and isn't leaving the people with older hardware out, committing similar kernel work into the i386 platform now as well
Check out our interview with Mike for some more background info on memory protections like W^X ***

Feedback/Questions

103: Ubuntu Slaughters Kittens

JT Pennington — Wed, 19 Aug 2015 08:00:00 -0400

Allan's away at BSDCam this week, but we've still got an exciting episode for you. We sat down with Bryan Cantrill, CTO of Joyent, to talk about a wide variety of topics: dtrace, ZFS, pkgsrc, containers and much more. This is easily our longest interview to date!

This episode was brought to you by

Interview - Bryan Cantrill - bryan@joyent.com / @bcantrill

BSD and Solaris history, illumos, dtrace, Joyent, pkgsrc, various topics (and rants)

Feedback/Questions

102: May Contain ZFS

JT Pennington — Wed, 12 Aug 2015 08:00:00 -0400

This week on the show, we'll be talking with Peter Toth. He's got a jail management system called "iocage" that's been getting pretty popular recently. Have we finally found a replacement for ezjail? We'll see how it stacks up.

This episode was brought to you by

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

If you haven't heard of the RT5350F-OLinuXino-EVB, you're not alone (actually, we probably couldn't even remember the name if we did know about it)
It's a small board with a MIPS CPU, two ethernet ports, wireless support and... 32MB of RAM
This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
In part two of the series, he talks about the GPIO and how you can configure it
Part three is still in the works, so check the site later on for further progress and info ***

The modern OpenBSD home router

In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
"It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst"
Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
This guide also covers PPP and IPv6, in case you have those requirements
In a similar but unrelated series, another user does a similar thing - his post also includes details on reusing your consumer router as a wireless bridge
He also has a separate post for setting up an IPSEC VPN on the router ***

NetBSD at Open Source Conference 2015 Kansai

The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
And what conference would be complete without an LED-powered towel ***

OpenSSH 7.0 released

The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
The syntax for permitting root logins has been changed, and is now called "prohibit-password" instead of "without-password" (this makes it so root can login, but only with keys) - all interactive authentication methods for root are also disabled by default now
If you're using an older configuration file, the "without-password" option still works, so no change is required
You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
Various bug fixes and documentation improvements are also included
Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
In the next release, even more deprecation is planned: RSA keys will be refused if they're under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled ***

Interview - Peter Toth - peter.toth198@gmail.com / @pannonp

Containment with iocage

News Roundup

More c2k15 reports

A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
Alexander Bluhm's up first, and he continued improving OpenBSD's regression test suite (this ensures that no changes accidentally break existing things)
He also worked on syslogd, completing the TCP input code - the syslogd in 5.8 will have TLS support for secure remote logging
Renato Westphal sent in a report of his very first hackathon
He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) - the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
His report opens with "First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking." - not exactly beginner stuff
There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well ***

FreeBSD jails, the hard way

As you learned from our interview this week, there's quite a selection of tools available to manage your jails
This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
Unlike with iocage, ZFS isn't actually a requirement for this method
If you are using it, though, you can make use of snapshots for making template jails ***

OpenSSH hardware tokens

We've talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
This blog post will show you how to use a hardware token as a second authentication factor, for the "something you know, something you have" security model
It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too ***

LibreSSL 2.2.2 released

The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don't want in a crypto tool...) and much more
SSLv3 support was removed from the "openssl" command, and only a few other SSLv3 bits remain - once workarounds are found for ports that specifically depend on it, it'll be removed completely
Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
It'll be in 5.8 (due out earlier than usual) and it's in the FreeBSD ports tree as well ***

Feedback/Questions

James writes in
Stuart writes in ***

101: I'll Fix Everything

JT Pennington — Wed, 05 Aug 2015 08:00:00 -0400

Coming up this week, we'll be talking with Adrian Chadd about an infamous reddit thread he made. With a title like "what would you like to see in FreeBSD?" and hundreds of responses, well, we've got a lot to cover...

This episode was brought to you by

Headlines

OpenBSD, from distribution to project

Ted Unangst has yet another interesting blog post up, this time covering a bit of BSD history and some different phases OpenBSD has been through
It's the third part of his ongoing series of posts about OpenBSD removing large bits of code in favor of smaller replacements
In the earliest days, OpenBSD collected and maintained code from lots of other projects (Apache, lynx, perl..)
After importing new updates every release cycle, they eventually hit a transitional phase - things were updated, but nothing new was imported
When the need arose, instead of importing a known tool to do the job, homemade replacements (OpenNTPD, OpenBGPD, etc) were slowly developed
In more recent times, a lot of the imported code has been completely removed in favor of the homegrown daemons
More discussion on HN and reddit ***

Remote ZFS mirrors, the hard way

Backups to "the cloud" have become a hot topic in recent years, but most of them require trade-offs between convenience and security
You have to trust (some of) the providers not to snoop on your data, but even the ones who allow you to locally encrypt files aren't without some compromise
As the author puts it: "We don't need live synchronisation, cloud scaling, SLAs, NSAs, terms of service, lock-ins, buy-outs, up-sells, shut-downs, DoSs, fail whales, pay-us-or-we'll-deletes, or any of the noise that comes with using someone else's infrastructure."
This guide walks you through setting up a FreeBSD server with ZFS to do secure offsite backups yourself
The end result is an automatic system for incremental backups that's backed (pun intended) by ZFS
If you're serious about keeping your important data safe and sound, you'll want to give this one a read - lots of detailed instructions ***

Various DragonFlyBSD updates

The DragonFly guys have been quite busy this week, making an assortment of improvements throughout the tree
Intel ValleyView graphics support was finally committed to the main repository
While on the topic of graphics, they've also issued a call for testing for a DRM update (matching Linux 3.16's and including some more Broadwell fixes)
Their base GCC compiler is also now upgraded to version 5.2
If your hardware supports it, DragonFly will now use an accelerated console by default ***

QuakeCon runs on OpenBSD

QuakeCon, everyone's favorite event full of rocket launchers, recently gave a mini-tour of their network setup
For such a crazy network, unsurprisingly, they seem to be big fans of OpenBSD and PF
In this video interview, one of the sysadmins discusses why he chose OpenBSD, what he likes about it, different packet queueing systems, how their firewalls and servers are laid out and much more
He also talks about why they went with vanilla PF, writing their ruleset from the ground up rather than relying on a prebuilt solution
There's also some general networking talk about nginx, reverse proxies, caching, fiber links and all that good stuff
Follow-up questions can be asked in this reddit thread
The host doesn't seem to be that familiar with the topics at hand, mentioning "OpenPF" multiple times among other things, so our listeners should get a kick out of it ***

Interview - Adrian Chadd - adrian@freebsd.org / @erikarn

Rethinking ways to improve FreeBSD

News Roundup

CII contributes to OpenBSD

If you recall back to when we talked to the OpenBSD foundation, one of the things Ken mentioned was the Core Infrastructure Initiative
In a nutshell, it's an organization of security experts that helps facilitate (with money, in most cases) the advancement of the more critical open source components of the internet
The group is organized by the Linux foundation, and gets its multi-million dollar backing from various big companies in the technology space (and donations from volunteers)
To ensure that OpenBSD and its related projects (OpenSSH, LibreSSL and PF likely being the main ones here) remain healthy, they've just made a large donation to the foundation - this makes them the first "platinum" level donor as well
While the exact amount wasn't disclosed, it was somewhere between $50,000 and $100,000
The donation comes less than a month after Microsoft's big donation, so it's good to see these large organizations helping out important open source projects that we depend on every day ***

Another BSDCan report

The FreeBSD foundation is still getting trip reports from BSDCan, and this one comes from Mark Linimon
In his report, he mainly covers the devsummit and some discussion with the portmgr team
One notable change for the upcoming 10.2 release is that the default binary repository is now the quarterly branch - Mark talks a bit about this as well
He also gives his thoughts on using QEMU for cross-compiling packages and network performance testing ***

Lumina 0.8.6 released

The PC-BSD team has released another version of Lumina, their BSD-licensed desktop environment
This is mainly a bugfix and performance improvement release, rather than one with lots of new features
The on-screen display widget should be much faster now, and the configuration now allows for easier selection of default applications (which browser, which terminal, etc)
Lots of non-English translation updates and assorted fixes are included as well
If you haven't given it a try yet, or maybe you're looking for a new window manager, Lumina runs on all the BSDs ***

More c2k15 hackathon reports

Even more reports from OpenBSD's latest hackathon are starting to pour in
The first one is from Alexandr Nedvedicky, one of their brand new developers (the guy from Oracle)
He talks about his experience going to a hackathon for the first time, and lays out some of the plans for integrating their (very large) SMP PF patch into OpenBSD
Second up is Andrew Fresh, who went without any specific plans, but still ended up getting some UTF8 work done
On the topic of ARMv7, "I did enjoy being there when things weren't working so [Brandon Mercer] could futilely try to explain the problem to me (I wasn't much help with kernel memory layouts). Fortunately others overheard and provided words of encouragement and some help which was one of my favorite parts of attending this hackathon."
Florian Obser sent in a report that includes a little bit of everything: setting up the hackathon's network, relayd and httpd work, bidirectional forwarding detection, airplane stories and even lots of food
Paul Irofti wrote in as well about his activities, which were mainly focused on the Octeon CPU architecture
He wrote a new driver for the onboard flash of a DSR-500 machine, which was built following the Common Flash Interface specification
This means that, going forward, OpenBSD will have out-of-the-box support for any flash memory device (often the case for MIPS and ARM-based embedded devices) ***

Feedback/Questions

100: Straight from the Src

JT Pennington — Wed, 29 Jul 2015 08:00:00 -0400

We've finally reached a hundred episodes, and this week we'll be talking to Sebastian Wiedenroth about pkgsrc. Though originally a NetBSD project, now it runs pretty much everywhere, and he even runs a conference about it!

This episode was brought to you by

Headlines

Remote DoS in the TCP stack

A pretty devious bug in the BSD network stack has been making its rounds for a while now, allowing remote attackers to exhaust the resources of a system with nothing more than TCP connections
While in the LAST_ACK state, which is one of the final stages of a connection's lifetime, the connection can get stuck and hang there indefinitely
This problem has a slightly confusing history that involves different fixes at different points in time from different people
Juniper originally discovered the bug and announced a fix for their proprietary networking gear on June 8th
On June 29th, FreeBSD caught wind of it and fixed the bug in their -current branch, but did not issue a security notice or MFC the fix back to the -stable branches
On July 13th, two weeks later, OpenBSD fixed the issue in their -current branch with a slightly different patch, citing the FreeBSD revision from which the problem was found
Immediately afterwards, they merged it back to -stable and issued an errata notice for 5.7 and 5.6
On July 21st, three weeks after their original fix, FreeBSD committed yet another slightly different fix and issued a security notice for the problem (which didn't include the first fix)
After the second fix from FreeBSD, OpenBSD gave them both another look and found their single fix to be sufficient, covering the timer issue in a more general way
NetBSD confirmed they were vulnerable too, and applied another completely different fix to -current on July 24th, but haven't released a security notice yet
DragonFly is also investigating the issue now to see if they're affected as well ***

c2k15 hackathon reports

Reports from OpenBSD's latest hackathon, held in Calgary this time, are starting to roll in (there were over 40 devs there, so we might see a lot more of these)
The first one, from Ingo Schwarze, talks about some of the mandoc work he did at the event
He writes, "Did you ever look at a huge page in man, wanted to jump to the definition of a specific term - say, in ksh, to the definition of the "command" built-in command - and had to step through dozens of false positives with the less '/' and 'n' search keys before you finally found the actual definition?"
With mandoc's new internal jump targets, this is a problem of the past now
Jasper also sent in a report, doing his usual work with Puppet (and specifically "Facter," a tool used by Puppet to gather various bits of system information)
Aside from that and various ports-related work, Jasper worked on adding tame support to some userland tools, fixing some Octeon stuff and introduced something that OpenBSD has oddly lacked until now: an "-i" flag for sed (hooray!)
Antoine Jacoutot gave a report on what he did at the hackathon as well, including improvements to the rcctl tool (for configuring startup services)
It now has an "ls" subcommand with status parsing, allowing you to list running services, stopped services or even ones that failed to start or are supposed to be running (he calls this "the poor man's service monitoring tool")
He also reworked some of the rc.d system to allow smoother operation of multiple instances of the same daemon to run (using tor with different config files as an example)
His list also included updating ports, updating ports documentation, updating the hotplug daemon and laying out some plans for automatic sysmerge for future upgrades
Foundation director Ken Westerback was also there, getting some disk-related and laptop work done
He cleaned up and committed the 4k sector softraid code that he'd been working on, as well as fixing some trackpad issues
Stefan Sperling, OpenBSD's token "wireless guy," had a lot to say about the hackathon and what he did there (and even sent in his write-up before he got home)
He taught tcpdump about some new things, including 802.11n metadata beacons (there's a lot more specific detail about this one in the report)
Bringing a bag full of USB wireless devices with him, he set out to get the unsupported ones working, as well as fix some driver bugs in the ones that already did work
One quote from Stefan's report that a lot of people seem to be talking about: "Partway through the hackathon tedu proposed an old diff of his to make our base ls utility display multi-byte characters. This led to a long discussion about how to expand UTF-8 support in base. The conclusion so far indicates that single-byte locales (such as ISO-8859-1 and KOI-8) will be removed from the base OS after the 5.8 release is cut. This simplifies things because the whole system only has to care about a single character encoding. We'll then have a full release cycle to bring UTF-8 support to more base system utilities such as vi, ksh, and mg. To help with this plan, I started organizing a UTF-8-focused hackathon for some time later this year."
Jeremy Evans wrote in to talk about updating lots of ports, moving the ruby ports up to the latest version and also creating perl and ruby wrappers for the new tame subsystem
While he's mainly a ports guy, he got to commit fixes to ports, the base system and even the kernel during the hackathon
Rafael Zalamena, who got commit access at the event, gives his very first report on his networking-related hackathon activities
With Rafael's diffs and help from a couple other developers, OpenBSD now has support for VPLS
Jonathan Gray got a lot done in the area of graphics, working on OpenGL and Mesa, updating libdrm and even working with upstream projects to remove some GNU-specific code
As he's become somewhat known for, Jonathan was also busy running three things in the background: clang's fuzzer, cppcheck and AFL (looking for any potential crashes to fix)
Martin Pieuchot gave an write-up on his experience: "I always though that hackathons were the best place to write code, but what's even more important is that they are the best (well actually only) moment where one can discuss and coordinate projects with other developers IRL. And that's what I did."
He laid out some plans for the wireless stack, discussed future plans for PF, made some routing table improvements and did various other bits to the network stack
Unfortunately, most of Martin's secret plans seem to have been left intentionally vague, and will start to take form in the next release cycle
We're still eagerly awaiting a report from one of OpenBSD's newest developers, Alexandr Nedvedicky (the Oracle guy who's working on SMP PF and some other PF fixes)
OpenBSD 5.8's "beta" status was recently reverted, with the message "take that as a hint," so that may mean more big changes are still to come... ***

FreeBSD quarterly status report

FreeBSD has published their quarterly status report for the months of April to June, citing it to be the largest one so far
It's broken down into a number of sections: team reports, projects, kernel, architectures, userland programs, ports, documentation, Google Summer of Code and miscellaneous others
Starting off with the cluster admin, some machines were moved to the datacenter at New York Internet, email services are now more resilient to failure, the svn mirrors (now just "svn.freebsd.org") are now using GeoGNS with official SSL certs and general redundancy was increased
In the release engineering space, ARM and ARM64 work continues to improve on the Cavium ThunderX, more focus is being put into cloud platforms and the 10.2-RELEASE cycle is reaching its final stages
The core team has been working on phabricator, the fancy review system, and is considering to integrate oauth support soon
Work also continues on bhyve, and more operating systems are slowly gaining support (including the much-rumored Windows Server 2012)
The report also covers recent developments in the Linux emulation layer, and encourages people using 11-CURRENT to help test out the 64bit support
Multipath TCP was also a hot topic, and there's a brief summary of the current status on that patch (it will be available publicly soon)
ZFSguru, a project we haven't talked about a lot, also gets some attention in the report - version 0.3 is set to be completed in early August
PCIe hotplug support is also mentioned, though it's still in the development stages (basic hot-swap functions are working though)
The official binary packages are now built more frequently than before with the help of additional hardware, so AMD64 and i386 users will have fresher ports without the need for compiling
Various other small updates on specific areas of ports (KDE, XFCE, X11...) are also included in the report
Documentation is a strong focus as always, a number of new documentation committers were added and some of the translations have been improved a lot
Many other topics were covered, including foundation updates, conference plans, pkgsrc support in pkgng, ZFS support for UEFI boot and much more ***

The OpenSSH bug that wasn't

There's been a lot of discussion about a supposed flaw in OpenSSH, allowing attackers to substantially amplify the number of password attempts they can try per session (without leaving any abnormal log traces, even)
There's no actual exploit to speak of; this bug would only help someone get more bruteforce tries in with a fewer number of connections
FreeBSD in its default configuration, with PAM and ChallengeResponseAuthentication enabled, was the only one vulnerable to the problem - not upstream OpenSSH, nor any of the other BSDs, and not even the majority of Linux distros
If you disable all forms of authentication except public keys, like you're supposed to, then this is also not a big deal for FreeBSD systems
Realistically speaking, it's more of a PAM bug than anything else
OpenSSH added an additional check for this type of setup that will be in 7.0, but simply changing your sshd_config is enough to mitigate the issue for now on FreeBSD (or you can run freebsd-update) ***

Interview - Sebastian Wiedenroth - wiedi@netbsd.org / @wied0r

pkgsrc and pkgsrcCon

News Roundup

Now served by OpenBSD

We've mentioned that you can also install OpenBSD on DO droplets, and this blog post is about someone who actually did it
The use case for the author was for a webserver, so he decided to try out the httpd in base
Configuration is ridiculously simple, and the config file in his example provides an HTTPS-only webserver, with plaintext requests automatically redirecting
TLS 1.2 by default, strong ciphers with LibreSSL and HSTS combined give you a pretty secure web server ***

FreeBSD laptop playbooks

A new project has started up on Github for configuring FreeBSD on various laptops, unsurprisingly named "freebsd-laptops"
It's based on ansible, and uses the playbook format for automatic set up and configuration
Right now, it's only working on a single Lenovo laptop, but the plan is to add instructions for many more models
Check the Github page for instructions on how to get started, and maybe get involved if you're running FreeBSD on a laptop ***

NetBSD on the NVIDIA Jetson TK1

If you've never heard of the Jetson TK1, we can go ahead and spoil the secret here: NetBSD runs on it
As for the specs, it has a quad-core ARMv7 CPU at 2.3GHz, 2 gigs of RAM, gigabit ethernet, SATA, HDMI and mini-PCIE
This blog post shows which parts of the board are working with NetBSD -current (which seems to be almost everything)
You can even run X11 on it, pretty sweet ***

DragonFly power mangement options

DragonFly developer Sepherosa, who we've had on the show, has been doing some ACPI work over there
In this email, he presents some of DragonFly's different power management options: ACPI P-states, C-states, mwait C-states and some Intel-specific bits as well
He also did some testing with each of them and gave his findings about power saving
If you've been thinking about running DragonFly on a laptop, this would be a good one to read ***

OpenBSD router under FreeBSD bhyve

If one BSD just isn't enough for you, and you've only got one machine, why not run two at once
This article talks about taking a FreeBSD server running bhyve and making a virtualized OpenBSD router with it
If you've been considering switching over your router at home or the office, doing it in a virtual machine is a good way to test the waters before committing to real hardware
The author also includes a little bit of history on how he got into both operating systems
There are lots of mixed opinions about virtualizing core network components, so we'll leave it up to you to do your research
Of course, the next logical step is to put that bhyve host under Xen on NetBSD... ***

Feedback/Questions

99: BSD Gnow

JT Pennington — Wed, 22 Jul 2015 08:00:00 -0400

This week we'll be talking with Ryan Lortie and Baptiste Daroussin about GNOME on BSD. Upstream development is finally treating the BSDs as a first class citizen, so we'll hear about how the recent porting efforts have been since.

This episode was brought to you by

Headlines

OpenBSD presents tame

Theo de Raadt sent out an email detailing OpenBSD's new "tame" subsystem, written by Nicholas Marriott and himself, for restricting what processes can and can't do
When using tame, programs will switch to a "restricted-service operating mode," limiting them to only the things they actually need to do
As for the background: "Generally there are two models of operation. The first model requires a major rewrite of application software for effective use (ie. capsicum). The other model in common use lacks granularity, and allows or denies an operation throughout the entire lifetime of a process. As a result, they lack differentiation between program 'initialization' versus 'main servicing loop.' systrace had the same problem. My observation is that programs need a large variety of calls during initialization, but few in their main loops."
Some initial categories of operation include: computation, memory management, read-write operations on file descriptors, opening of files and, of course, networking
Restrictions can also be stacked further into the lifespan of the process, but removed abilities can never be regained (obviously)
Anything that tries to access resources outside of its in-place limits gets terminated with a SIGKILL or, optionally, a SIGABRT (which can produce useful core dumps for investigation)
Also included are 29 examples of userland programs that get additional protection with very minimal changes to the source - only 2 or 3 lines needing changed in the case of binaries like cat, ps, dmesg, etc.
This is an initial work-in-progress version of tame, so there may be more improvements or further control options added before it hits a release (very specific access policies can sometimes backfire, however)
The man page, also included in the mail, provides some specifics about how to integrate tame properly into your code (which, by design, was made very easy to do - making it simple means third party programs are more likely to actually use it)
Kernel bits are in the tree now, with userland changes starting to trickle in too
Combined with a myriad of memory protections, tight privilege separation and (above all else) good coding practices, tame should further harden the OpenBSD security fortress
Further discussion can be found in the usual places you'd expect ***

Using Docker on FreeBSD

With the experimental Docker port landing in FreeBSD a few weeks ago, some initial docs are starting to show up
This docker is "the real thing," and isn’t using a virtual machine as the backend - as such, it has some limitations
The FreeBSD wiki has a page detailing how it works in general, as well as more info about those limitations
When running Linux containers, it will only work as well as the Linux ABI compat layer for your version of FreeBSD (11.0, or -CURRENT when we're recording this, is where all the action is for 64bit support)
For users on 10.X, there's also a FreeBSD container available, which allows you to use Docker as a fancy jail manager (it uses the jail subsystem internally)
Give it a try, let us know how you find it to be compared to other solutions ***

OpenBSD imports doas, removes sudo

OpenBSD has included the ubiquitous "sudo" utility for many years now, and the current maintainer of sudo (Todd C. Miller) is also a long-time OpenBSD dev
The version included in the base system was much smaller than the latest current version used elsewhere, but was based on older code
Some internal discussion lead to the decision that sudo should probably be moved to ports now, where it can be updated easily and offer all the extra features that were missing in base (LDAP and whatnot)
Ted Unangst conjured up with a rewritten utility to replace it in the base system, dubbed "do as," with the aim of being more simple and compact
There were concerns that sudo was too big and too complicated, and a quick 'n' dirty check reveals that doas is around 350 lines of code, while sudo is around 10,000 - which would you rather have as a setuid root binary?
After the initial import, a number of developers began reviewing and improving various bits here and there
You can check out the code now if you're interested
Command usage and config syntax seem pretty straightforward
More discussion on HN ***

What would you like to see in FreeBSD

Adrian Chadd started a reddit thread about areas in which FreeBSD could be improved, asking the community what they'd like to see
There are over 200 comments that span a wide range of topics, so we'll just cover a few of the more popular requests - check the very long thread if you're interested in more
The top comment says things don't "just work," citing failover link aggregation of LACP laggs, PPPoE issues, disorganized jail configuration options, unclear CARP configuration and userland dtrace being unstable
Another common one was that there are three firewalls in the base system, with ipfilter and pf being kinda dead now - should they be removed, and more focus put into ipfw?
Video drivers also came up frequently, with users hoping for better OpenGL support and support for newer graphics cards from Intel and AMD - similar comments were made about wireless chipsets as well
Some other replies included more clarity with pkgng output, paying more attention to security issues, updating PF to match the one in OpenBSD, improved laptop support, a graphical installer, LibreSSL in base, more focus on embedded MIPS devices, binary packages with different config options, steam support and lots more
At least one user suggested better "marketing" for FreeBSD, with more advocacy and (hopefully) more business adoption
That one really applies to all the BSDs, and regular users (that's you listening to this) can help make it happen for whichever ones you use right now
Maybe Adrian can singlehandedly do all the work and make all the users happy ***

Interview - Ryan Lortie & Baptiste Daroussin

Porting the latest GNOME code to FreeBSD

News Roundup

Introducing resflash

If you haven't heard of resflash before, it's "a tool for building OpenBSD images for embedded and cloud environments in a programmatic, reproducible way"
One of the major benefits to images like this is the read-only filesystem, so there's no possibility of filesystem corruption if power is lost
There's an optional read-write partition as well, used for any persistent changes you want to make
You can check out the source code on Github or read the main site for more info ***

Jails with iocage

There are a growing number of FreeBSD jail management utilities: ezjail, cbsd, warden and a few others
After looking at all the different choices, the author of this blog post eventually settled on iocage for the job
The post walks you through the basic configuration and usage of iocage for creating managing jails
If you've been unhappy with ezjail or some of the others, iocage might be worth giving a try instead (it also has really good ZFS integration) ***

DragonFly GPU improvements

DragonFlyBSD continues to up their graphics game, this time with Intel's ValleyView series of CPUs
These GPUs are primarily used in the newer Atom CPUs and offer much better performance than the older ones
A git branch was created to hold the fixes for now while the last remaining bugs get fixed
Fully-accelerated Broadwell support and an update to newer DRM code are also available in the git branch, and will be merged to the main tree after some testing ***

Branchless development

Ted Unangst has a new blog post up, talking about software branches and the effects of having (or not having) them
He covers integrating and merging code, and the versioning problems that can happen with multiple people contributing at once
"For an open source project, branching is counter intuitively antisocial. For instance, I usually tell people I’m running OpenBSD, but that’s kind of a lie. I’m actually running teduBSD, which is like OpenBSD but has some changes to make it even better. Of course, you can’t have teduBSD because I’m selfish. I’m also lazy, and only inclined to make my changes work for me, not everyone else."
The solution, according to him, is bringing all the code the developers are using closer together
One big benefit is that WIP code gets tested much faster (and bugs get fixed early on) ***

Feedback/Questions

98: Our Code is Your Code

JT Pennington — Wed, 15 Jul 2015 08:00:00 -0400

Coming up this time on the show, we'll be talking with the CTO of Xinuos, David Meyer, about their adoption of FreeBSD. We also discuss the BSD license model for businesses and the benefits of contributing changes back.

This episode was brought to you by

Headlines

Enabling FreeBSD on AArch64

One of the things the FreeBSD foundation has been dumping money into lately is ARM64 support, but we haven't heard too much about it - this article should change that
Since it's on a mainstream ARM site, the article begins with a bit of FreeBSD history, leading up to the current work on ARM64
There's also a summary of some of the ARM work done at this year's BSDCan, including details about running it on the Cavium ThunderX platform (which has 48 cores)
As of just a couple months ago, dtrace is even working on this new architecture
Come 11.0-RELEASE, the plan is for ARM64 to get the same "tier 1" treatment as X86, which would imply binary updates for base and ports - something Raspberry Pi users often complain about not having ***

OpenBSD's tcpdump detailed

Most people are probably familiar with tcpdump, a very useful packet sniffing and capturing utility that's included in all the main BSD base systems
This video guide is specifically about the version in OpenBSD, which has gone through some major changes (it's pretty much a fork with no version number anymore)
Unlike on the other platforms, OpenBSD's tcpdump will always run in a chroot as an unprivileged user - this has saved it from a number of high-profile exploits
It also has support for the "pf.os" system, allowing you to filter out operating system fingerprints in the packet captures
There's also PF (and pflog) integration, letting you see which line in your ruleset triggered a specific match
Being able to run tcpdump directly on your router is pretty awesome for troubleshooting ***

More FreeBSD foundation at BSDCan

The FreeBSD foundation has another round of trip reports from this year's BSDCan
First up is Kamil Czekirda, who gives a good summary of some of the devsummit, FreeBSD-related presentations, some tutorials, getting freebsd-update bugs fixed and of course eating cake
A second post from Christian Brueffer, who cleverly planned ahead to avoid jetlag, details how he got some things done during the FreeBSD devsummit
Their third report is from our buddy Warren Block, who (unsurprisingly) worked on a lot of documentation-related things, including getting more people involved with writing them
In true doc team style, his report is the most well-written of the bunch, including lots of links and a clear separation of topics (doc lounge, contributing to the wiki, presentations...)
Finally, the fourth one comes to us from Shonali Balakrishna, who also gives an outline of some of the talks
"Not only does a BSD conference have way too many very smart people in one room, but also some of the nicest." ***

DragonFly on the Chromebook C720

If you've got one of the Chromebook laptops and weren't happy with the included OS, DragonFlyBSD might be worth a go
This article is a "mini-report" on how DragonFly functions on the device as a desktop, and
While the 2GB of RAM proved to be a bit limiting, most of the hardware is well-supported
DragonFly's wiki has a full guide on getting set up on one of these devices as well ***

Interview - David Meyer - info@xinuos.com / @xinuos

Xinuos, BSD license model vs. others, community interaction

News Roundup

Introducing LiteBSD

We definitely don't talk about 4.4BSD a lot on the show
LiteBSD is "a variant of [the] 4.4BSD operating system adapted for microcontrollers"
If you've got really, really old hardware (or are working in the embedded space) then this might be an interesting hobby project to look info ***

HardenedBSD announces ASLR completion

HardenedBSD, now officially a full-on fork of FreeBSD, has declared their ASLR patchset to be complete
The latest and last addition to the work was VDSO (Virtual Dynamic Shared Object) randomization, which is now configurable with a sysctl
This post gives a summary of the six main features they've added since the beginning
Only a few small things are left to do - man page cleanups, possibly shared object load order improvements ***

Unlock the reaper

In the ongoing quest to make more of OpenBSD SMP-friendly, a new patch was posted that unlocks the reaper in the kernel
When there's a zombie process causing a resource leak, it's the reaper's job to deallocate their resources (and yes we're still talking about computers, not horror movies)
Initial testing has yielded positive results and no regressions
They're looking for testers, so you can install a -current snapshot and get it automatically
An updated version of the patch is coming soon too
A hackathon is going on right now, so you can expect more SMP improvements in the near future ***

The importance of mentoring

Adrian Chadd has a blog post up about mentoring new users, and it tells the story of how he originally got into FreeBSD
He tells the story of, at age 11, meeting someone else who knew about making crystal sets that became his role model
Eventually we get to his first FreeBSD 1.1 installation (which he temporarily abandoned for Linux, since it didn't have a color "ls" command) and how he started using the OS
Nowadays, there's a formal mentoring system in FreeBSD
While he talks about FreeBSD in the post, a lot of the concepts apply to all the BSDs (or even just life in general) ***

Feedback/Questions

97: Big Network, SmallWall

JT Pennington — Wed, 08 Jul 2015 08:00:00 -0400

Coming up this time on the show, we'll be chatting with Lee Sharp. He's recently revived the m0n0wall codebase, now known as SmallWall, and we'll find out what the future holds for this new addition to the BSD family. Answers to your emails and all this week's news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

BSDCan and pkgsrcCon videos

Even more BSDCan 2015 videos are slowly but surely making their way to the internet
Nigel Williams, Multipath TCP for FreeBSD
Stephen Bourne, Early days of Unix and design of sh
John Criswell, Protecting FreeBSD with Secure Virtual Architecture
Shany Michaely, Expanding RDMA capability over Ethernet in FreeBSD
John-Mark Gurney, Adding AES-ICM and AES-GCM to OpenCrypto
Sevan Janiyan, Adventures in building open source software
And finally, the BSDCan 2015 closing
Some videos from this year's pkgsrcCon are also starting to appear online
Sevan Janiyan, A year of pkgsrc 2014 - 2015
Pierre Pronchery, pkgsrc meets pkg-ng
Jonathan Perkin, pkgsrc at Joyent
Jörg Sonnenberger, pkg_install script framework
Benny Siegert, New Features in BulkTracker
This is the first time we've ever seen recordings from the conference - hopefully they continue this trend ***

OPNsense 15.7 released

The OPNsense team has released version 15.7, almost exactly six months after their initial debut
In addition to pulling in the latest security fixes from upstream FreeBSD, 15.7 also includes new integration of an intrusion detection system (and new GUI for it) as well as new blacklisting options for the proxy server
Taking a note from upstream PF's playbook, ALTQ traffic shaping support has finally been retired as of this release (it was deprecated from OpenBSD a few years ago, and the code was completely removed just over a year ago)
The LibreSSL flavor has been promoted to production-ready, and users can easily migrate over from OpenSSL via the GUI - switching between the two is simple; no commitment needed
Various third party ports have also been bumped up to their latest versions to keep things fresh, and there's the usual round of bug fixes included
Shortly afterwards, 15.7.1 was released with a few more small fixes ***

NetBSD at Open Source Conference 2015 Okinawa

If you liked last week's episode then you'll probably know what to expect with this one
The NetBSD users group of Japan hit another open source conference, this time in Okinawa
This time, they had a few interesting NetBSD machines on display that we didn't get to see in the interview last week
We'd love to see something like this in North America or Europe too - anyone up for installing BSD on some interesting devices and showing them off at a Linux con? ***

OpenBSD BGP and VRFs

"VRFs, or in OpenBSD rdomains, are a simple, yet powerful (and sometimes confusing) topic"
This article aims to explain both BGP and rdomains, using network diagrams, for some network isolation goodness
With multiple rdomains, it's also possible to have two upstream internet connections, but lock different groups of your internal network to just one of them
The idea of a "guest network" can greatly benefit from this separation as well, even allowing for the same IP ranges to be used without issues
Combining rdomains with the BGP protocol allows for some very selective and precise blocking/passing of traffic between networks, which is also covered in detail here
The BSDCan talk on rdomains expands on the subject a bit more if you haven't seen it, as well as a few related posts ***

Interview - Lee Sharp - lee@smallwall.org

SmallWall, a continuation of m0n0wall

News Roundup

Solaris adopts more BSD goodies

We mentioned a while back that Oracle developers have begun porting a current version of OpenBSD's PF firewall to their next version, even contributing back patches for SMP and other bug fixes
They recently published an article about PF, talking about what's different about it on their platform compared to others - not especially useful for BSD users, but interesting to read if you like firewalls
Darren Moffat, who was part of originally getting an SSH implementation into Solaris, has a second blog post up about their "SunSSH" fork
Going forward, their next version is going to offer a completely vanilla OpenSSH option as well, with the plan being to phase out SunSSH after that
The article talks a bit about the history of getting SSH into the OS, forking the code and also lists some of the differences between the two
In a third blog post, they talk about a new system call they're borrowing from OpenBSD, getentropy(2), as well as the addition of arc4random to their libc
With an up-to-date and SMP-capable PF, ZFS with native encryption, jail-like Zones, unaltered OpenSSH and secure entropy calls… is Solaris becoming better than us?
Look forward to the upcoming "Solaris Now" podcast _{(not really)} ***

EuroBSDCon 2015 talks and tutorials

This year's EuroBSDCon is set to be held in Sweden at the beginning of October, and the preliminary list of accepted presentations has been published
The list looks pretty well-balanced between the different BSDs, something Paul would be happy to see if he was still with us
It even includes an interesting DragonFly talk and a couple talks from NetBSD developers, in addition to plenty of FreeBSD and OpenBSD of course
There are also a few tutorials planned for the event, some you've probably seen already and some you haven't
Registration for the event will be opening very soon (likely this week or next) ***

Using ZFS replication to improve offsite backups

If you take backups seriously, you're probably using ZFS and probably keeping an offsite copy of the data
This article covers doing just that, but with a focus on making use of the replication capability
It'll walk you through taking a snapshot of your pool and then replicating it to another remote system, using "zfs send" and SSH - this has the benefit of only transferring the files that have changed since the last time you did it
Steps are also taken to allow a regular user to take and manage snapshots, so you don't need to be root for the SSH transfer
Data integrity is a long process - filesystem-level checksums, resistance to hardware failure, ECC memory, multiple copies in different locations... they all play a role in keeping your files secure; don't skip out on any of them
One thing the author didn't mention in his post: having an offline copy of the data, ideally sealed in a safe place, is also important ***

Block encryption in OpenBSD

We've covered ways to do fully-encrypted installations of OpenBSD (and FreeBSD) before, but that requires dedicating a whole drive or partition to the sensitive data
This blog post takes you through the process of creating encrypted containers in OpenBSD, à la TrueCrypt - that is, a file-backed virtual device with an encrypted filesystem
It goes through creating a file that looks like random data, pointing vnconfig at it, setting up the crypto and finally using it as a fake storage device
The encrypted container method offers the advantage of being a bit more portable across installations than other ways ***

Docker hits FreeBSD ports

The inevitable has happened, and an early FreeBSD port of docker is finally here
Some details and directions are available to read if you'd like to give it a try, as well as a list of which features work and which don't
There was also some Hacker News discussion on the topic ***

Microsoft donates to OpenSSH

We've talked about big businesses using BSD and contributing back before, even mentioning a few other large public donations - now it's Microsoft's turn
With their recent decision to integrate OpenSSH into an upcoming Windows release, Microsoft has donated a large sum of money to the OpenBSD foundation, making them a gold-level sponsor
They've also posted some contract work offers on the OpenSSH mailing list, and say that their changes will be upstreamed if appropriate - we're always glad to see this ***

Feedback/Questions

96: Lost Technology

JT Pennington — Wed, 01 Jul 2015 08:00:00 -0400

Coming up this week, we'll be talking with Jun Ebihara about some lesser-known CPU architectures in NetBSD. He'll tell us what makes these old (and often forgotten) machines so interesting. As usual, we've also got answers to your emails and all this week's news on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Out with the old, in with the less

Our friend Ted Unangst has a new article up, talking about "various OpenBSD replacements and reductions"
"Instead of trying to fix known bugs, we’re trying to fix unknown bugs. It’s not based on the current buggy state of the code, but the anticipated future buggy state of the code. Past bugs are a bigger factor than current bugs."
In the post, he goes through some of the bigger (and smaller) examples of OpenBSD rewriting tools to be simpler and more secure
It starts off with a lesser-known SCSI driver that "tried to do too much" being replaced with three separate drivers
"Each driver can now be modified in isolation without unintentional side effects on other hardware, or the need to consider if and where further special cases need to be added. Despite the fact that these three drivers duplicate all the common boilerplate code, combined they only amount to about half as much code as the old driver."
In contrast to that example, he goes on to cite mandoc as taking a very non "unixy" direction, but at the same time being smaller and simpler than all the tools it replaced
The next case is the new http daemon, and he talks a bit about the recently-added rewrite support being done in a simple and secure way (as opposed to regex and its craziness)
He also talks about the rewritten "file" utility: "Almost by definition, its sole input will be untrusted input. Perversely, people will then trust what file tells them and then go about using that input, as if file somehow sanitized it."
Finally, sudo in OpenBSD's base system is moving to ports soon, and the article briefly describes a new tool that may or may not replace it, called "doas"
There's also a nice wrap-up of all the examples at the end, and the "Pruning and Polishing" talk is good complementary reading material ***

SMP steroids for PF

An Oracle employee that's been porting OpenBSD's PF to an upcoming Solaris release has sent in an interesting patch for review
Attached to the mail was what may be the beginnings of making native PF SMP-aware
Before you start partying, the road to SMP (specifically, giant lock removal) is a long and very complicated one, requiring every relevant bit of the stack to be written with it in mind - this is just one piece of the puzzle
The initial response has been quite positive though, with some back and forth between developers and the submitter
For now, let's be patient and see what happens ***

DragonFly 4.2.0 released

DragonFlyBSD has released the next big update of their 4.x branch, complete with a decent amount of new features and fixes
i915 and Radeon graphics have been updated, and DragonFly can claim the title of first BSD with Broadwell support in a release
Sendmail in the base system has been replaced with their homegrown DragonFly Mail Agent, and there's a wiki page about configuring it
They've also switched the default compiler to GCC 5, though why they've gone in that direction instead of embracing Clang is a mystery
The announcement page also contains a list of kernel changes, details on the audio and graphics updates, removal of the SCTP protocol, improvements to the temperature sensors, various userland utility fixes and a list of updates to third party tools
Work is continuing on the second generation HAMMER filesystem, and Matt Dillon provides a status update in the release announcement
There was also some hacker news discussion you can check out, as well as upgrade instructions ***

OpenSMTPD 5.7.1 released

The OpenSMTPD guys have just released version 5.7.1, a major milestone version that we mentioned recently
Crypto-related bits have been vastly improved: the RSA engine is now privilege-separated, TLS errors are handled more gracefully, ciphers and curve preferences can now be specified, the PKI interface has been reworked to allow custom CAs, SNI and certificate verification have been simplified and the DH parameters are now 2048 bit by default
The long-awaited filter API is now enabled by default, though still considered slightly experimental
Documentation has been improved quite a bit, with more examples and common use cases (as well as exotic ones)
Many more small additions and bugfixes were made, so check the changelog for the full list
Starting with 5.7.1, releases are now cryptographically signed to ensure integrity
This release has gone through some major stress testing to ensure stability - Gilles regularly asks their Twitter followers to flood a test server with thousands of emails per second, even offering prizes to whoever can DDoS them the hardest
OpenSMTPD runs on all the BSDs of course, and seems to be getting pretty popular lately
Let's all encourage Kris to stop procrastinating on switching from Postfix ***

Interview - Jun Ebihara (蛯原純) - jun@netbsd.org / @ebijun

Lesser-known CPU architectures, embedded NetBSD devices

News Roundup

FreeBSD foundation at BSDCan

The FreeBSD foundation has posted a few BSDCan summaries on their blog
The first, from Steven Douglas, begins with a sentiment a lot of us can probably identify with: "Where I live, there are only a handful of people that even know what BSD is, let alone can talk at a high level about it. That was one of my favorite things, being around like minded people."
He got to meet a lot of the people working on big-name projects, and enjoyed being able to ask them questions so easily
Their second trip report is from Ahmed Kamal, who flew in all the way from Egypt
A bit starstruck, he seems to have enjoyed all the talks, particularly Andrew Tanenbaum's about MINIX and NetBSD
There are also two more wrap-ups from Zbigniew Bodek and Vsevolod Stakhov, so you've got plenty to read ***

OpenBSD from a veteran Linux user perspective

In a new series of blog posts, a self-proclaimed veteran Linux user is giving OpenBSD a try for the first time
"For the first time I installed a BSD box on a machine I control. The experience has been eye-opening, especially since I consider myself an 'old-school' Linux admin, and I've felt out of place with the latest changes on the system administration."
The post is a collection of his thoughts about what's different between Linux and BSD, what surprised him as a beginner - admittedly, a lot of his knowledge carried over, and there were just minor differences in command flags
One of the things that surprised him (in a positive way) was the documentation: "OpenBSD's man pages are so nice that RTFMing somebody on the internet is not condescending but selfless."
He also goes through some of the basics, installing and updating software, following different branches
It concludes with "If you like UNIX, it will open your eyes to the fact that there is more than one way to do things, and that system administration can still be simple while modern." ***

FreeBSD on the desktop, am I crazy

Similar to the previous article, the guy that wrote the SSH two factor authentication post we covered last week has another new article up - this time about FreeBSD on the desktop
He begins with a bit of forewarning for potential Linux switchers: "It certainly wasn't an easy journey, and I'm tempted to say do not try this at home to anybody who isn't going to leverage any of FreeBSD's strong points. Definitely don't try FreeBSD on the desktop if you haven't used it on servers or virtual machines before. It's got less in common with Linux than you might think."
With that out of the way, the list of positives is pretty large: a tidy base system, separation between base and ports, having the option to choose binary packages or ports, ZFS, jails, licensing and of course the lack of systemd
The rest of the post talks about some of the hurdles he had to overcome, namely with graphics and the infamous Adobe Flash
Also worth noting is that he found jails to be not only good for isolating daemons on a server, but pretty useful for desktop applications as well
In the end, he says it was worth all the trouble, and is even planning on converting his laptop to FreeBSD soon too ***

OpenIKED and Cisco CSR 1000v IPSEC

This article covers setting up a site-to-site IPSEC tunnel between a Cisco CSR 1000v router and an OpenBSD gateway running OpenIKED
What kind of networking blog post would be complete without a diagram where the internet is represented by a big cloud
There are lots of details (and example configuration files) for using IKEv2 and OpenBSD's built-in IKE daemon
It also goes to show that the BSDs generally play well with existing network infrastructure, so if you were a business that's afraid to try them… don't be ***

HardenedBSD improves stack randomization

The HardenedBSD guys have improved their FreeBSD ASLR patchset, specifically in the stack randomization area
In their initial implementation, the stack randomization was a random gap - this update makes the base address randomized as well
They're now stacking the new on top of the old as well, with the goal being even more entropy
This change triggered an ABI and API incompatibility, so their major version has been bumped ***

OpenSSH 6.9 released

The OpenSSH team has announced the release of a new version which, following their tick/tock major/minor release cycle, is focused mainly on bug fixes
There are a couple new things though - the "AuthorizedKeysCommand" config option now takes custom arguments
One very notable change is that the default cipher has changed as of this release
The traditional pairing of AES128 in counter mode with MD5 HMAC has been replaced by the ever-trendy ChaCha20-Poly1305 combo
Their next release, 7.0, is set to get rid a number of legacy items: PermitRootLogin will be switched to "no" by default, SSHv1 support will be totally disabled, the 1024bit diffie-hellman-group1-sha1 KEX will be disabled, old ssh-dss and v00 certs will be removed, a number of weak ciphers will be disabled by default (including all CBC ones) and RSA keys will be refused if they're under 1024 bits
Many small bugs fixes and improvements were also made, so check the announcement for everything else
The native version is in OpenBSD -current, and an update to the portable version should be hitting a ports or pkgsrc tree near you soon ***

Feedback/Questions

95: Bitrot Group Therapy

JT Pennington — Wed, 24 Jun 2015 08:00:00 -0400

This time on the show, we'll be talking some ZFS with Sean Chittenden. He's been using it on FreeBSD at Groupon, and has some interesting stories about how it's saved his data. Answers to your emails and all of this week's headlines, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

OpenBSD httpd rewrite support

One of the most-requested features of OpenBSD's new HTTP daemon (in fact, you can hear someone asking about it in the video just above) is rewrite support
There were concerns about regex code being too complicated and potentially allowing another attack surface, so that was out
Instead, Reyk ported over an implementation of lua pattern matching while on the flight back from BSDCan, turning it into a C API without the lua bindings
In the mailing list post, he shows an example of how to use it for redirects and provides the diff if you'd like to give it a try now
It's since been committed to -current, so you can try it out with a snapshot too ***

SSH 2FA on FreeBSD

We've discussed different ways to lock down SSH access to your BSD boxes before - use keys instead of passwords, whitelist IPs, or even use two-factor authentication
This article serves as a sort of "roundup" on different methods to set up two-factor authentication on FreeBSD
It touches on key pairs with a server-side password, google authenticator and a few other variations
While the article is focused on FreeBSD, a lot of it can be easily applied to the others too
OpenSSH has a great security record, but two-factor authentication is always a good thing to have for the most important systems ***

NetBSD 7.0-RC1 released

NetBSD has just announced the first release candidate for the 7.0 branch, after a long delay since the initial beta (11 months ago)
Some of the standout features include: improved KMS/DRM with support for modern GPUs, SMP support on ARM, lots of new ARM boards officially supported, GPT support in the installer, Lua kernel scripting, a multiprocessor USB stack, improvements to NPF (their firewall) and, optionally, Clang 3.6.1
They're looking for as much testing as possible, so give it a try and report your findings to the release engineering team ***

Interview - Sean Chittenden - seanc@freebsd.org / @seanchittenden

FreeBSD at Groupon, ZFS

News Roundup

OpenSMTPD and Dovecot

We've covered a number of OpenSMTPD mail server guides on the show, each with just a little something different to offer than the last
This blog post about it has something not mentioned before: virtual domains and virtual users
This means you can easily have "user1@domain.com" and "user2@otherdomain.com" both go to a local user on the box (or a different third address)
It also covers SSL certificates, blocking spam and setting up IMAP access, the usual
Now might also be a good time to test out OpenSMTPD 5.7.1-rc1, which we'll cover in more detail when it's released... ***

OctoPkg, a QT frontend to pkgng

A PC-BSD user has begun porting over a graphical package management utility from Arch linux called Octopi
Obviously, it needed to be rewritten to use FreeBSD's pkg system instead of pacman
There are some basic instructions on how to get it built and running on the github page
After some testing, it'll likely make its way to the FreeBSD ports tree
Tools like this might make it easier for desktop users (who are used to similar things in Ubuntu or related distros) to switch over ***

AFL vs. mandoc, a quantitative analysis

Ingo Schwarze has written a pretty detailed article about how he and other OpenBSD developers have been fuzzing mandoc with AFL
It's meant to be accompanying material to his BSDCan talk, which already covered nine topics
mandoc is an interesting example to stress test with fuzzing, since its main job is to take and parse some highly varying input
The article breaks down the 45 different bugs that were found, based on their root cause
If you're interested in secure coding practices, this'll be a great one to read ***

OpenZFS conference videos

Videos from the second OpenZFS conference have just started to show up
The first talk is by, you guessed it, Matt Ahrens
In it, he covers some ZFS history, the Oracle takeover, the birth of illumos and OpenZFS, some administration basics and also some upcoming features that are being worked on
There are also videos from Nexenta and HGST, talking about how they use and contribute to OpenZFS ***

Feedback/Questions

Bryson writes in
Kevin writes in ***

94: Builder's Insurance

JT Pennington — Wed, 17 Jun 2015 08:00:00 -0400

This week on the show, we'll be chatting with Marc Espie. He's recently added some additional security measures to dpb, OpenBSD's package building tool, and we'll find out why they're so important. We've also got all this week's news, answers to your emails and even a BSDCan wrap-up, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

BSDCan 2015 videos

BSDCan just ended last week, but some of the BSD-related presentation videos are already online
Allan Jude, UCL for FreeBSD
Andrew Cagney, What happens when a dwarf and a daemon start dancing by the light of the silvery moon?
Andy Tanenbaum, A reimplementation of NetBSD using a MicroKernel
Brooks Davis, CheriBSD: A research fork of FreeBSD
Giuseppe Lettieri, Even faster VM networking with virtual passthrough
Joseph Mingrone, Molecular Evolution, Genomic Analysis and FreeBSD
Olivier Cochard-Labbe, Large-scale plug&play x86 network appliance deployment over Internet
Peter Hessler, Using routing domains / routing tables in a production network
Ryan Lortie, a stitch in time: jhbuild
Ted Unangst, signify: Securing OpenBSD From Us To You
Many more still to come... ***

Documenting my BSD experience

Increasingly common scenario: a long-time Linux user (since the mid-90s) decides it's finally time to give BSD a try
"That night I came home, I had been trying to find out everything I could about BSD and I watched many videos, read forums, etc. One of the shows I found was BSD Now. I saw that they helped people and answered questions, so I decided to write in."
In this ongoing series of blog posts, a user named Michael writes about his initial experiences with trying different BSDs for some different tasks
The first post covers ZFS on FreeBSD, used to build a file server for his house (and of course he lists the hardware, if you're into that)
You get a glimpse of a brand new user trying things out, learning how great ZFS-based RAID arrays are and even some of the initial hurdles someone could run into
He's also looking to venture into the realm of replacing some of his VMs with jails and bhyve soon
His second post explores replacing the firewall on his self-described "over complicated home network" with an OpenBSD box
After going from ipfwadmin to ipchains to iptables, not even making it to nftables, he found the simple PF syntax to be really refreshing
All the tools for his networking needs, the majority of which are in the base system, worked quickly and were easy to understand
Getting to hear experiences like this are very important - they show areas where all the BSD developers' hard work has paid off, but can also let us know where we need to improve ***

PC-BSD tries HardenedBSD builds

The PC-BSD team has created a new branch of their git repo with the HardenedBSD ASLR patches integrated
They're not the first major FreeBSD-based project to offer an alternate build - OPNsense did that a few weeks ago - but this might open the door for more projects to give it a try as well
With Personacrypt, OpenNTPD, LibreSSL and recent Tor integration through the tools, these additional memory protections will offer PC-BSD users even more security that a default FreeBSD install won't have
Time will tell if more projects and products like FreeNAS might be interested too ***

C-states in OpenBSD

People who run BSD on their notebooks, you'll want to pay attention to this one
OpenBSD has recently committed some ACPI improvements for deep C-states, enabling the processor to enter a low-power mode
According to a few users so far, the change has resulted in dramatically lower CPU temperatures on their laptops, as well as much better battery life
If you're running OpenBSD -current on a laptop, try out the latest snapshot and report back with your findings ***

NetBSD at Open Source Conference 2015 Hokkaido

The Japanese NetBSD users group never sleeps, and they've hit yet another open source conference
As is usually the case, lots of strange machines on display were running none other than NetBSD (though it was mostly ARM this time)
We'll be having one of these guys on the show next week to discuss some of the lesser-known NetBSD platforms ***

Interview - Marc Espie - espie@openbsd.org / @espie_openbsd

Recent improvements to OpenBSD's dpb tool

News Roundup

Introducing xhyve, bhyve on OS X

We've talked about FreeBSD's "bhyve" hypervisor a lot on the show, and now it's been ported to another OS
As the name "xhyve" might imply, it's a port of bhyve to Mac OS X
Currently it only has support for virtualizing a few Linux distributions, but more guest systems can be added in the future
It runs entirely in userspace, and has no extra requirements beyond OS X 10.10 or newer
There are also a few examples on how to use it ***

4K displays on DragonFlyBSD

If you've been using DragonFly as a desktop, maybe with those nice Broadwell graphics, you'll be pleased to know that 4K displays work just fine
Matthew Dillon wrote up a wiki page about some of the specifics, including a couple gotchas
Some GUI applications might look weird on such a huge resolution,
HDMI ports are mostly limited to a 30Hz refresh rate, and there are slightly steeper hardware requirements for a smooth experience ***

Sandboxing port daemons on OpenBSD

We talked about different containment methods last week, and mentioned that a lot of the daemons in OpenBSD's base as chrooted by default - things from ports or packages don't always get the same treatment
This blog post uses a mumble server as an example, but you can apply it to any service from ports that doesn't chroot by default
It goes through the process of manually building a sandbox with all the libraries you'll need to run the daemon, and this setup will even wipe and refresh the chroot every time you restart it
With a few small changes, similar tricks could be done on the other BSDs as well - everybody has chroots ***

SmallWall 1.8.2 released

SmallWall is a relatively new BSD-based project that we've never covered before
It's an attempt to keep the old m0n0wall codebase going, and appears to have started around the time m0n0wall called it quits
They've just released the first official version, so you can give it a try now
If you're interested in learning more about SmallWall, the lead developer just might be on the show in a few weeks... ***

Feedback/Questions

93: Stacked in Our Favor

JT Pennington — Wed, 10 Jun 2015 08:00:00 -0400

We're at BSDCan this week, but fear not! We've got a great interview with Sepherosa Ziehau, a DragonFly developer, about their network stack. After that, we'll be discussing different methods of containment and privilege separation. Assuming no polar bears eat us, we'll be back next week with more BSD Now - the place to B.. SD.

This episode was brought to you by

Interview - Sepherosa Ziehau - sephe@dragonflybsd.org

Features of DragonFlyBSD's network stack

Discussion

Comparing containment methods and privilege separation

chroot, jails, systrace, capsicum, filesystem permissions, separating users ***

Feedback/Questions

92: BSD After Midnight

JT Pennington — Wed, 03 Jun 2015 08:00:00 -0400

Coming up this week, we'll be chatting with Lucas Holt, founder of MidnightBSD. It's a slightly lesser-known fork of FreeBSD, with a focus on easy desktop use. We'll find out what's different about it and why it was created. Answers to your emails and all this week's news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Zocker, it's like docker on FreeBSD

Containment is always a hot topic, and docker has gotten a lot of hype in Linux land in the last couple years - they're working on native FreeBSD support at the moment
This blog post is about a docker-like script, mainly for ease-of-use, that uses only jails and ZFS in the base system
In total, it's 1,500 lines of shell script
The post goes through the process of using the tool, showing off all the subcommands and explaining the configuration
In contrast to something like ezjail, Zocker utilizes the jail.conf system in the 10.x branch ***

Patrol Read in OpenBSD

OpenBSD has recently imported some new code to support the Patrol Read function of some RAID controllers
In a nutshell, Patrol Read is a function that lets you check the health of your drives in the background, similar to a zpool "scrub" operation
The goal is to protect file integrity by detecting drive failures before they can damage your data
It detects bad blocks and prevents silent data corruption, while marking any bad sectors it finds ***

HAMMER 2 improvements

DragonFly BSD has been working on the second generation HAMMER FS
It now uses LZ4 compression by default, which we've been big fans of in ZFS
They've also switched to a faster CRC algorithm, further improving HAMMER's performance, especially when using iSCSI ***

FreeBSD foundation May update

The FreeBSD foundation has published another update newsletter, detailing some of the things they've been up to lately
In it, you'll find some development status updates: notably more ARM64 work and the addition of 64 bit Linux emulation
Some improvements were also made to FreeBSD's release building process for non-X86 architectures
There's also an AsiaBSDCon recap that covers some of the presentations and the dev events
They also have an accompanying blog post where Glen Barber talks about more sysadmin and clusteradm work at NYI ***

Interview - Lucas Holt - questions@midnightbsd.org / @midnightbsd

MidnightBSD

News Roundup

The launchd on train is never coming

Replacement of init systems has been quite controversial in the last few years
Fortunately, the BSDs have avoided most of that conflict thus far, but there have been a few efforts made to port launchd from OS X
This blog post details the author's opinion on why he thinks we're never going to have launchd in any of the BSDs
Email us your thoughts on the matter ***

Native SSH comes to… Windows

In what may be the first (and last) mention of Microsoft on BSD Now...
They've just recently announced that PowerShell will get native SSH support in the near future
It's not based on the commercial SSH either, it's the same one from OpenBSD that we already use everywhere
Up until now, interacting between BSD and Windows has required something like PuTTY, WinSCP, FileZilla or Cygwin - most of which are based on really outdated versions
The announcement also promises that they'll be working with the OpenSSH community, so we'll see how many Microsoft-submitted patches make it upstream (or how many donations they make) ***

Moving to FreeBSD

This blog post describes a long-time Linux user's first BSD switching experience
The author first talks about his Linux journey, eventually coming to love the more customization-friendly systems, but the journey ended with systemd
After doing a bit of research, he gave FreeBSD a try and ended up liking it - the rest of the post mostly covers why that is
He also plans to write about his experience with other BSDs, and is writing some tutorials too - we'll check in with him again later on ***

Feedback/Questions

91: Vox Populi

JT Pennington — Wed, 27 May 2015 08:00:00 -0400

This week on the show, we've got something pretty different. We went to a Linux convention and asked various people if they've ever tried BSD and what they know about it. Stay tuned for that, all this week's news and, of course, answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

LUKS in OpenBSD

Last week, we were surprised to find out that DragonFlyBSD has support for dm-crypt, sometimes referred to as LUKS (Linux Unified Key Setup)
It looks like they might not be the only BSD with support for it for much longer, as OpenBSD is currently reviewing a patch for it as well
LUKS would presumably be an additional option in OpenBSD's softraid system, which already provides native disk encryption
Support hasn't been officially committed yet, it's still going through testing, but the code is there if you want to try it out and report your findings
If enabled, this might pave the way for the first (semi-)cross platform encryption scheme since the demise of TrueCrypt (and maybe other BSDs will get it too in time) ***

FreeBSD gets 64bit Linux emulation

For those who might be unfamiliar, FreeBSD has an emulation layer to run Linux-only binaries (as rare as they may be)
The most common use case is for desktop users, enabling them to run proprietary applications like Adobe Flash or Skype
Similar systems can also be found in NetBSD and OpenBSD (though disabled by default on the latter)
However, until now, it's only supported binaries compiled for the i386 architecture
This new update, already committed to -CURRENT, will open some new possibilities that weren't previously possible
Meanwhile, HardenedBSD considers removing the emulation layer entirely ***

BSD at Open Source Conference 2015 Nagoya

We've covered the Japanese NetBSD users group setting up lots of machines at various conferences in the past, but now they're expanding
Their latest report includes many of the NetBSD things you'd expect, but also a couple OpenBSD machines
Some of the NetBSD ones included a Power Mac G4, SHARP NetWalker, Cubieboard2 and the not-so-foreign Raspberry Pi
One new addition of interest is the OMRON LUNA88k, running the luna88k port of OpenBSD
There was even an old cell phone running Windows games on NetBSD
Check the mailing list post for some links to all of the nice pictures ***

LLVM introduces OpenMP support

One of the things that has kept some people in the GCC camp is the lack of OpenMP support in LLVM
According to the blog post, it "enables Clang users to harness full power of modern multi-core processors with vector units"
With Clang being the default in FreeBSD, Bitrig and OS X, and with some other BSDs exploring the option of switching, the need for this potential speed boost was definitely there
This could also open some doors for more BSD in the area of high performance computing, putting an end to the current Linux monopoly ***

Interview - Eric, FSF, John, Jose, Kris and Stewart

Various "man on the street" style mini-interviews

News Roundup

BSD-licensed gettext replacement

If you've ever installed ports on any of the BSDs, you've probably had GNU's gettext pulled in as a dependency
Wikipedia says "gettext is an internationalization and localization (i18n) system commonly used for writing multilingual programs on Unix-like computer operating systems"
A new BSD-licensed rewrite has begun, with the initial version being for NetBSD (but it's likely to be portable)
If you've got some coding skills, get involved with the project - the more freely-licensed replacements, the better ***

Unix history git repo

A git repository was recently created to show off some Unix source code history
The repository contains 659 thousand commits and 2306 merges
You can see early 386BSD commits all the way up to some of the more modern FreeBSD code
If you want to browse through the giant codebase, it can be a great history lesson ***

PCBSD 10.1.2 and Lumina updates

We mentioned 10.1.1 being released last week (and all the cool features a couple weeks before) but now 10.1.2 is out
This minor update contained a few hotfixes: RAID-Z installation, cache and log devices and the text-only installer in UEFI mode
There's also a new post on the PCBSD blog about Lumina, answering some frequently asked questions and giving a general status update ***

Feedback/Questions

Mailing List Gold

Death by chocolate ***

90: ZFS Armistice

JT Pennington — Wed, 20 May 2015 08:00:00 -0400

This time on the show, we'll be chatting with Jed Reynolds about ZFS. He's been using it extensively on a certain other OS, and we can both learn a bit about the other side's implementation. Answers to your questions and all this week's news, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Playing with sandboxing

Sandboxing and privilege separation are popular topics these days - they're the goal of the new "shill" scripting language, they're used heavily throughout OpenBSD, and they're gaining traction with the capsicum framework
This blog post explores capsicum in FreeBSD, some of its history and where it's used in the base system
They also include some code samples so you can verify that capsicum is actually denying the program access to certain system calls
Check our interview about capsicum from a while back if you haven't seen it already ***

OpenNTPD on by default

OpenBSD has enabled ntpd by default in the installer, rather than prompting the user if they want to turn it on
In nearly every case, you're going to want to have your clock synced via NTP
With the HTTPS constraints feature also enabled by default, this should keep the time checked and accurate, even against spoofing attacks
Lots of problems can be traced back to the time on one system or another being wrong, so this will also eliminate some of those cases
For those who might be curious, they're using the "pool.ntp.org" cluster of addresses and google for HTTPS constraints (but these can be easily changed) ***

FreeBSD workshop in Landshut

We mentioned a BSD installfest happening in Germany a few weeks back, and the organizer wrote in with a review of the event
The installfest instead became a "FreeBSD workshop" session, introducing curious new users to some of the flagship features of the OS
They covered when to use UFS or ZFS, firewall options, the release/stable/current branches and finally how to automate installations with Ansible
If you're in south Germany and want to give similar introduction talks or Q&A sessions about the other BSDs, get in touch
We'll hear more from him about how it went in the feedback section today ***

Swap encryption in DragonFly

Doing full disk encryption is very important, but something that people sometimes overlook is encrypting their swap
This can actually be more important than the contents of your disks, especially if an unencrypted password or key hits your swap (as it can be recovered quite easily)
DragonFlyBSD has added a new experimental option to automatically encrypt your swap partition in fstab
There was another way to do it previously, but this is a lot easier
You can achieve similar results in FreeBSD by adding ".eli" to the end of the swap device in fstab, there are a few steps to do it in NetBSD and swap in OpenBSD is encrypted by default
A one-time key will be created and then destroyed in each case, making recovery of the plaintext nearly impossible ***

Interview - Jed Reynolds - jed@bitratchet.com / @jed_reynolds

Comparing ZFS on Linux and FreeBSD

News Roundup

USB thermometer on OpenBSD

So maybe you've got BSD on your server or router, maybe NetBSD on a toaster, but have you ever used a thermometer with one?
This blog post introduces the RDing TEMPer Gold USB thermometer, a small device that can tell the room temperature, and how to get it working on OpenBSD
Wouldn't you know it, OpenBSD has a native "ugold" driver to support it with the sensors framework
How useful such a device would be is another story though ***

NAS4Free now on ARM

We talk a lot about hardware for network-attached storage devices on the show, but ARM doesn't come up a lot
That might be changing soon, as NAS4Free has just released some ARM builds
These new (somewhat experimental) images are based on FreeBSD 11-CURRENT
Included in the announcement is a list of fully-supported and partially-supported hardware that they've tested it with
If anyone has experience with running a NAS on slightly exotic hardware, write in to us ***

pkgsrcCon 2015 CFP and info

This year's pkgsrcCon will be in Berlin, Germany on July 4th and 5th
They're looking for talk proposals and ideas for things you'd like to see
If you or your company uses pkgsrc, or if you're just interested in NetBSD in general, it would be a good event to check out ***

BSDTalk episode 253

BSDTalk has released another new episode
In it, he interviews George Neville-Neil about the 2nd edition of "The Design and Implementation of the FreeBSD Operating System"
They discuss what's new since the last edition, who the book's target audience is and a lot more
We're up to 90 episodes now, slowly catching up to Will... ***

Feedback/Questions

89: Exclusive Disjunction

JT Pennington — Wed, 13 May 2015 08:00:00 -0400

This week on the show, we'll be talking to Mike Larkin about various memory protections in OpenBSD. We'll cover recent W^X improvements, SSP, ASLR, PIE and all kinds of acronyms! We've also got a bunch of news and answers to your questions, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

OpenSMTPD for the whole family

Setting up a BSD mail server is something a lot of us are probably familiar with doing, at least for our own accounts
This article talks about configuring a home mail server too, but even for the other people you live with
After convincing his wife to use their BSD-based Owncloud server for backups, the author talks about moving her over to his brand new OpenSMTPD server too
If you've ever run a mail server and had to deal with greylisting, you'll appreciate the struggle he went through
In the end, BGP-based list distribution saved the day, and his family is being served well by a BSD box ***

NetBSD on the Edgerouter Lite

We've talked a lot about building your own BSD-based router on the show, but not many of the devices we mention are in the same price range as consumer devices
The EdgeRouter Lite, a small MIPS-powered machine, is starting to become popular (and is a bit cheaper)
A NetBSD developer has been hacking on it, and documents the steps to get a working install in this blog post
The process is fairly simple, and you can cross-compile your own installation image on any CPU architecture (even from another BSD!)
OpenBSD and FreeBSD also have some support for these devices ***

Bitrig at NYC*BUG

The New York City BSD users group has semi-regular meetings with presentations, and this time the speaker was John Vernaleo
John discussed Bitrig, an OpenBSD fork that we've talked about a couple times on the show
He talks about what they've been up to lately, why they're doing what they're doing, difference in supported platforms
Ports and packages between the two projects are almost exactly the same, but he covers the differences in the base systems, how (some) patches get shared between the two and finally some development model differences ***

OPNsense, meet HardenedBSD

Speaking of forks, two FreeBSD-based forked projects we've mentioned on the show, HardenedBSD and OPNsense, have decided to join forces
Backporting their changes to the 10-STABLE branch, HardenedBSD hopes to introduce some of their security additions to the OPNsense codebase
Paired up with LibreSSL, this combination should offer a good solution for anyone wanting a BSD-based firewall with an easy web interface
We'll cover more news on the collaboration as it comes out ***

Interview - Mike Larkin - mlarkin@openbsd.org / @mlarkin2012

Memory protections in OpenBSD: W^X, ASLR, PIE, SSP

News Roundup

A closer look at FreeBSD

The week wouldn't be complete without at least one BSD article making it to a mainstream tech site
This time, it's a high-level overview of FreeBSD, some of its features and where it's used
Being that it's an overview article on a more mainstream site, you won't find anything too technical - it covers some BSD history, stability, ZFS, LLVM and Clang, ports and packages, jails and the licensing
If you have any BSD-curious Linux friends, this might be a good one to send to them ***

Linksys NSLU2 and NetBSD

The Linksys NSLU2 is a proprietary network-attached storage device introduced back in 2004
"About 2 months ago I set a goal to run some kind of BSD on the spare Linksys NSLU2 I had. This was driven mostly by curiosity, after listening to a few BSDNow episodes and becoming a regular listener [...]"
After doing some research, the author of this post discovered that he could cross-compile NetBSD for the device straight from his Linux box
If you've got one of these old devices kicking around, check out this write-up and get some BSD action on there ***

OpenBSD disklabel templates

We've covered OpenBSD's "autoinstall" feature for unattended installations in the past, but one area where it didn't offer a lot of customization was with the disk layout
With a few recent changes, there are now a series of templates you can use for a completely customized partition scheme
This article takes you through the process of configuring an autoinstall answer file and adding the new section for disklabel
Combine this new feature with our -stable iso tutorial, and you could deploy completely patched and customized images en masse pretty easily ***

FreeBSD native ARM builds

FreeBSD -CURRENT builds for the ARM CPU architecture can now be built natively, without utilities that aren't part of base
Some of the older board-specific kernel configuration files have been replaced, and now the "IMC6" target is used
This goes along with what we read in the most recent quarterly status report - ARM is starting to get treated as a first class citizen ***

Feedback/Questions

88: Below the Clouds

JT Pennington — Wed, 06 May 2015 08:00:00 -0400

This time on the show, we'll be talking with Ed Schouten about CloudABI. It's a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week's BSD news and answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD quarterly status report

The FreeBSD team has posted a report of the activities that went on between January and March of this year
As usual, it's broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc)
The ports team continuing battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter
The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward
FreeBSD's future release support model was also finalized and published in February, which should be a big improvement for both users and the release team
Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code
Lots of activity is happening in bhyve, some of which we've covered recently, and a number of improvements were made this quarter
Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT
Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being
The project to replace forth in the bootloader with lua is in its final stages, and can be used on x86 already
ASLR work is still being done by the HardenedBSD guys, and their next aim is position-independent executable
The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more
Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64) ***

OpenBSD 5.7 released

OpenBSD has formally released another new version, complete with the giant changelog we've come to expect
In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs
If you're using one of the Soekris boards, there's even a new driver to manipulate the GPIO and LEDs on them - this has some fun possibilities
Some new security improvements include: SipHash being sprinkled in some areas to protect hashing functions, big W^X improvements in the kernel space, static PIE on all architectures, deterministic "random" functions being replaced with strong randomness, and support for remote logging over TLS
The entire source tree has also been audited to use reallocarray, which unintentionally saved OpenBSD's libc from being vulnerable to earlier attacks affecting other BSDs' implementations
Being that it's OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL)
Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore - very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily
BIND and nginx have been taken out, so you'll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon
Speaking of httpd, it's gotten a number of new features, and has had time to grow and mature since its initial debut - if you've been considering trying it out, now would be a great time to do so
This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc
Check the errata page for any post-release fixes, and the upgrade guide for specific instructions on updating from 5.6
Groundwork has also been laid for some major SMP scalability improvements - look forward to those in future releases
There's a song and artwork to go along with the release as always, and CDs should be arriving within a few days - we'll show some pictures next week
Consider picking one up to support the project (and it's the only way to get puffy stickers)
For those of you paying close attention, the banner image for this release just might remind you of a certain special episode of BSD Now... ***

Tor-BSD diversity project

We've talked about Tor on the show a few times, and specifically about getting more of the network on BSD (Linux has an overwhelming majority right now)
A new initiative has started to do just that, called the Tor-BSD diversity project
"Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. Diversity means single vulnerabilities are less likely to harm the entire ecosystem. [...] A single kernel vulnerability in GNU/Linux that impacting Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity."
In addition to encouraging people to put up more relays, they're also continuing work on porting the Tor Browser Bundle to BSD, so more desktop users can have easy access to online privacy
There's an additional progress report for that part specifically, and it looks like most of the work is done now
Engaging the broader BSD community about Tor and fixing up the official documentation are also both on their todo list
If you've been considering running a node to help out, there's always our handy tutorial on getting set up ***

PC-BSD 10.1.2-RC1 released

If you want a sneak peek at the upcoming PC-BSD 10.1.2, the first release candidate is now available to grab
This quarterly update includes a number of new features, improvements and even some additional utilities
PersonaCrypt is one of them - it's a new tool for easily migrating encrypted home directories between systems
A new "stealth mode" option allows for a one-time login, using a blank home directory that gets wiped after use
Similarly, a new "Tor mode" allows for easy tunneling of all your traffic through the Tor network
IPFW is now the default firewall, offering improved VIMAGE capabilities
The life preserver backup tool now allows for bare-metal restores via the install CD
ISC's NTP daemon has been replaced with OpenNTPD, and OpenSSL has been replaced with LibreSSL
It also includes the latest Lumina desktop, and there's another post dedicated to that
Binary packages have also been updated to fresh versions from the ports tree
More details, including upgrade instructions, can be found in the linked blog post ***

Interview - Ed Schouten - ed@freebsd.org / @edschouten

CloudABI

News Roundup

Open Household Router Contraption

This article introduces OpenHRC, the "Open Household Router Contraption"
In short, it's a set of bootstrapping scripts to turn a vanilla OpenBSD install into a feature-rich gateway device
It also makes use of Ansible playbooks for configuration, allowing for a more "mass deployment" type of setup
Everything is configured via a simple text file, and you end up with a local NTP server, DHCP server, firewall (obviously) and local caching DNS resolver - it even does DNSSEC validation
All the code is open source and on Github, so you can read through what's actually being changed and put in place
There's also a video guide to the entire process, if you're more of a visual person ***

OPNsense 15.1.10 released

Speaking of BSD routers, if you're looking for a "prebuilt and ready to go" option, OPNsense has just released a new version
15.1.10 drops some of the legacy patches they inherited from pfSense, aiming to stay closer to the mainline FreeBSD source code
Going along with this theme, they've redone how they do ports, and are now kept totally in sync with the regular ports tree
Their binary packages are now signed using the fingerprint-style method, various GUI menus have been rewritten and a number of other bugs were fixed
NanoBSD-based images are also available now, so you can try it out on hardware with constrained resources as well
Version 15.1.10.1 was released shortly thereafter, including a hotfix for VLANs ***

IBM Workpad Z50 and NetBSD

Before the infamous netbook fad came and went, IBM had a handheld PDA device that looked pretty much the same
Back in 1999, they released the Workpad Z50 with Windows CE, sporting a 131MHz MIPS CPU, 16MB of RAM and a 640x480 display
You can probably tell where this is going... the article is about installing NetBSD it
"What prevents me from taking my pristine Workpad z50 to the local electronics recycling facility is NetBSD. With a little effort it is possible to install recent versions of NetBSD on the Workpad z50 and even have XWindows running"
The author got pkgsrc up and running on it too, and cleverly used distcc to offload the compiling jobs to something a bit more modern
He's also got a couple videos of the bootup process and running Xorg (neither of which we'd call "speedy" by any stretch of the imagination) ***

FreeBSD from the trenches

The FreeBSD foundation has a new blog post up in their "from the trenches" series, detailing FreeBSD in some real-world use cases
In this installment, Glen Barber talks about how he sets up all his laptops with ZFS and GELI
While the installer allows for an automatic ZFS layout, Glen notes that it's not a one-size-fits-all thing, and goes through doing everything manually
Each command is explained, and he walks you through the process of doing an encrypted installation on your root zpool ***

Broadwell in DragonFly

DragonFlyBSD has officially won the race to get an Intel Broadwell graphics driver
Their i915 driver has been brought up to speed with Linux 3.14's, adding not only Broadwell support, but many other bugfixes for other cards too
It's planned for commit to the main tree very soon, but you can test it out with a git branch for the time being ***

Feedback/Questions

Mailing List Gold

How did you guess ***

87: On the List

JT Pennington — Wed, 29 Apr 2015 08:00:00 -0400

Coming up this time on the show, we'll be speaking with Christos Zoulas, a NetBSD security officer. He's got a new project called blacklistd, with some interesting possibilities for stopping bruteforce attacks. We've also got answers to your emails and all this week's news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

New PAE support in OpenBSD

OpenBSD has just added Physical Address Extention support to the i386 architecture, but it's probably not what you'd think of when you hear the term
In most operating systems, PAE's main advantage is to partially circumvent the 4GB memory limit on 32 bit platforms - this version isn't for that
Instead, this change specifically allows the system to use the No-eXecute Bit of the processor for the userland, further hardening the in-place memory protections
Other operating systems enable the CPU feature without doing anything to the page table entries, so they do get the available memory expansion, but don't get the potential security benefit
As we discussed in a previous episode, the AMD64 platform already saw some major W^X kernel and userland improvements - the i386 kernel reworking will begin shortly
Not all CPUs support this feature, but, if yours supports NX, this will improve upon the previous version of W^X that was already there
The AMD64 improvements will be in 5.7, due out in just a couple days as of when we're recording this, but the i386 improvements will likely be in 5.8 ***

Booting Windows in bhyve

Work on FreeBSD's bhyve continues, and a big addition is on the way
Thus far, bhyve has only been able to boot operating systems with a serial console - no VGA, no graphics, no Windows
This is finally changing, and a teasing screenshot of Windows Server was recently posted on Twitter
Graphics emulation is still in the works; this image was taken by booting headless and using RDP
A lot of the needed code is being committed to -CURRENT now, but the UEFI portion of it requires a bit more development (and the aim for that is around the time of BSDCan)
Not a lot of details on the matter currently, but we'll be sure to bring you more info as it comes out
Are you more interested in bhyve or Xen on FreeBSD? Email us your thoughts ***

MidnightBSD 0.6 released

MidnightBSD is a smaller project we've not covered a lot on the show before
It's an operating system that was forked from FreeBSD back in the 6.1 days, and their focus seems to be on ease-of-use
They also have their own, smaller version of FreeBSD ports, called "mports"
If you're already using it, this new version is mainly a security and bugfix release
It syncs up with the most recent FreeBSD security patches and gets a lot of their ports closer to the latest versions
You can check their site for more information about the project
We're trying to get the lead developer to come on for an interview, but haven't heard anything back yet ***

OpenBSD rewrites the file utility

We're all probably familiar with the traditional file command - it's been around since the 1970s
For anyone who doesn't know, it's used to determine what type of file something actually is
This tool doesn't see a lot of development these days, and it's had its share of security issues as well
Some of those security issues remain unfixed in various BSDs even today, despite being publicly known for a while
It's not uncommon for people to run file on random things they download from the internet, maybe even as root, and some of the previous bugs have allowed file to overwrite other files or execute code as the user running it
When you think about it, file was technically designed to be used on untrusted files
OpenBSD developer Nicholas Marriott, who also happens to be the author of tmux, decided it was time to do a complete rewrite - this time with modern coding practices and the usual OpenBSD scrutiny
This new version will, by default, run as an unprivileged user with no shell, and in a systrace sandbox, strictly limiting what system calls can be made
With these two things combined, it should drastically reduce the damage a malicious file could potentially do
Ian Darwin, the original author of the utility, saw the commit and replied, in what may be a moment in BSD history to remember
It'll be interesting to see if the other BSDs, OS X, Linux or other UNIXes consider adopting this implementation in the future - someone's already thrown together an unofficial portable version
Coincidentally, the lead developer and current maintainer of file just happens to be our guest today… ***

Interview - Christos Zoulas - christos@netbsd.org

blacklistd and NetBSD advocacy

News Roundup

GSoC-accepted BSD projects

The Google Summer of Code people have published a list of all the projects that got accepted this year, and both FreeBSD and OpenBSD are on that list
FreeBSD's list includes: NE2000 device model in userspace for bhyve, updating Ficl in the bootloader, type-aware kernel virtual memory access for utilities, JIT compilation for firewalls, test cluster automation, Linux packages for pkgng, an mtree parsing and manipulation library, porting bhyve to ARM-based platforms, CD-ROM emulation in CTL, libc security extensions, gptzfsboot support for dynamically discovering BEs during startup, CubieBoard support, a bhyve version of the netmap virtual passthrough for VMs, PXE support for FreeBSD guests in bhyve and finally.. memory compression and deduplication
OpenBSD's list includes: asynchronous USB transfer submission from userland, ARM SD/MMC & controller driver in libsa, improving USB userland tools and ioctl, automating module porting, implementing a KMS driver to the kernel and, wait for it... porting HAMMER FS to OpenBSD
We'll be sure to keep you up to date on developments from both projects
Hopefully the other BSDs will make the cut too next year ***

FreeBSD on the Gumstix Duovero

If you're not familiar with the Gumstix Duovero, it's an dual core ARM-based computer-on-module
They actually look more like a stick of RAM than a mini-computer
This article shows you how to build a FreeBSD -CURRENT image to run on them, using crochet-freebsd
If anyone has any interesting devices like this that they use BSD on, write up something about it and send it to us ***

EU study recommends OpenBSD

A recent study by the European Parliament was published, explaining that more funding should go into critical open source projects and tools
This is especially important, in all countries, after the mass surveillance documents came out
"[...] the use of open source computer operating systems and applications reduces the risk of privacy intrusion by mass surveillance. Open source software is not error free, or less prone to errors than proprietary software, the experts write. But proprietary software does not allow constant inspection and scrutiny by a large community of experts."
The report goes on to mention users becoming more and more security and privacy-aware, installing additional software to help protect themselves and their traffic from being spied on
Alongside Qubes, a Linux distro focused on containment and isolation, OpenBSD got a special mention: "Proactive security and cryptography are two of the features highlighted in the product together with portability, standardisation and correctness. Its built-in cryptography and packet filter make OpenBSD suitable for use in the security industry, for example on firewalls, intrusion-detection systems and VPN gateways"
Reddit, Undeadly and Hacker News also had some discussion, particularly about corporations giving back to the BSDs that they make use of in their infrastructure - something we've discussed with Voxer and M:Tier before ***

FreeBSD workflow with Git

If you're interested in contributing to FreeBSD, but aren't a big fan of SVN, they have a Github mirror too
This mailing list post talks about interacting between the official source repository and the Git mirror
This makes it easy to get pull requests merged into the official tree, and encourages more developers to get involved ***

Feedback/Questions

86: Business as Usual

JT Pennington — Wed, 22 Apr 2015 08:00:00 -0400

Coming up this time on the show, we'll be chatting with Antoine Jacoutot about how M:Tier uses BSD in their business. After that, we'll be discussing the different release models across the BSDs, and which style we like the most. As always, answers to your emails and all the latest news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Optimizing TLS for high bandwidth applications

Netflix has released a report on some of their recent activities, pushing lots of traffic through TLS on FreeBSD
TLS has traditionally had too much overhead for the levels of bandwidth they're using, so this pdf outlines some of their strategy in optimizing it
The sendfile() syscall (which nginx uses) isn't available when data is encrypted in userland
To get around this, Netflix is proposing to add TLS support to the FreeBSD kernel
Having encrypted movie streams would be pretty neat ***

Crypto in unexpected places

OpenBSD is somewhat known for its integrated cryptography, right down to strong randomness in every place you could imagine (process IDs, TCP initial sequence numbers, etc)
One place you might not expect crypto to be used (or even needed) is in the "ping" utility, right? Well, think again
David Gwynne recently committed a change that adds MAC to the ping timestamp payload
By default, it'll be filled with a ChaCha stream instead of an unvarying payload, and David says "this lets us have some confidence that the timestamp hasn't been damaged or tampered with in transit"
Not only is this a security feature, but it should also help detect dodgy or malfunctioning network equipment going forward
Maybe we can look forward to a cryptographically secure "echo" command next... ***

Broadwell in DragonFly

The DragonFlyBSD guys have started a new page on their wiki to discuss Broadwell hardware and its current status
Matt Dillon, the project lead, recently bought some hardware with this chipset, and lays out what works and what doesn't work
The two main show-stoppers right now are the graphics and wireless, but they have someone who's already making progress with the GPU support
Wireless support will likely have to wait until FreeBSD gets it, then they'll port it back over
None of the BSDs currently have full Broadwell support, so stay tuned for further updates ***

DIY NAS software roundup

In this blog post, the author compares a few different software solutions for a network attached storage device
He puts FreeNAS, one of our favorites, up against a number of opponents - both BSD and Linux-based
NAS4Free gets an honorable mention as well, particularly for its lower hardware requirements and sleek interface
If you've been thinking about putting together a NAS, but aren't quite comfortable enough to set it up by yourself yet, this article should give you a good view of the current big names
Some competition is always good, gotta keep those guys on their toes ***

Interview - Antoine Jacoutot - ajacoutot@openbsd.org / @ajacoutot

OpenBSD at M:Tier, business adoption of BSD, various topics

News Roundup

OpenBSD on DigitalOcean

When DigitalOcean rolled out initial support for FreeBSD, it was a great step in the right direction - we hoped that all the other BSDs would soon follow
This is not yet the case, but a blog article here has details on how you can install OpenBSD (and likely the others too) on your VPS
Using a -current snapshot and some swapfile trickery, it's possible to image an OpenBSD ramdisk installer onto an unmounted portion of the virtual disk
After doing so, you just boot from their web UI-based console and can perform a standard installation
You will have to pay special attention to some details of the disk layout, but this article takes you through the entire process step by step ***

Initial ARM64 support lands in FreeBSD

The ARM64 architecture, sometimes called ARMv8 or AArch64, is a new generation of CPUs that will mostly be in embedded devices
FreeBSD has just gotten support for this platform in the -CURRENT branch
Previously, it was only the beginnings of the kernel and enough bits to boot in QEMU - now a full build is possible
Work should now start happening in the main source code tree, and hopefully they'll have full support in a branch soon ***

Scripting with least privilege

A new scripting language with a focus on privilege separation and running with only what's absolutely needed has been popular in the headlines lately
Shell scripts are used everywhere today: startup scripts, orchestration scripts for mass deployment, configuring and compiling software, etc.
Shill aims to answer the questions "how do we limit the authority of scripts" and "how do we determine what authority is necessary" by including a declarative security policy that's checked and enforced by the language runtime
If used on FreeBSD, Shill will use Capsicum for sandboxing
You can find some more of the technical information in their documentation pdf or watch their USENIX presentation video
Hacker News also had some discussion on the topic ***

OpenBSD first impressions

A brand new BSD user has started documenting his experience through a series of blog posts
Formerly a Linux guy, he's tried out FreeBSD and OpenBSD so far, and is currently working on an OpenBSD desktop
The first post goes into why he chose BSD at all, why he's switching away from Linux, how the initial transition has been, what you'll need to relearn and what he's got planned going forward
He's only been using OpenBSD for a few days as of the time this was written - we don't usually get to hear from people this early in on their BSD journey, so it offers a unique perspective ***

PCBSD and 4K oh my!

Yesterday, Kris got ahold of some 4K monitor hardware to test PC-BSD out
The short of it - It works great!
Minor tweaks being made to some of the PC-BSD defaults to better accommodate 4K out of box
This particular model monitor ships with DisplayPort set to 1.1 mode only, switching it to 1.2 mode enables 60Hz properly ***

Feedback/Questions

Darin writes in
Mitch writes in ***

Discussion

Comparison of BSD release cycles

FreeBSD, OpenBSD, NetBSD and DragonFlyBSD ***

85: PIE in the Sky

JT Pennington — Wed, 15 Apr 2015 08:00:00 -0400

This time on the show, we'll be talking with Pascal Stumpf about static PIE in the upcoming OpenBSD release. He'll tell us what types of attacks it prevents, and why it's such a big deal. We've also got answers to questions from you in the audience and all this week's news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Solaris' networking future is with OpenBSD

A curious patch from someone with an Oracle email address was recently sent in to one of the OpenBSD mailing lists
It was revealed that future releases of Solaris are going to drop their IPFilter firewall entirely, in favor of a port of the current version of PF
For anyone unfamiliar with the history of PF, it was actually made as a replacement for IPFilter in OpenBSD, due to some licensing issues
What's more, Solaris was the original development platform for IPFilter, so the fact that it would be replaced in its own home is pretty interesting
This blog post goes through some of the backstory of the two firewalls
PF is in a lot of places - other BSDs, Mac OS X and iOS - but there are plenty of other OpenBSD-developed technologies end up ported to other projects too
"Many of the world's largest corporations and government agencies are heavy Solaris users, meaning that even if you're neither an OpenBSD user or a Solaris user, your kit is likely interacting intensely with both kinds, and with Solaris moving to OpenBSD's PF for their filtering needs, we will all be benefiting even more from the OpenBSD project's emphasis on correctness, quality and security"
You're welcome, Oracle ***

BAFUG discussion videos

The Bay Area FreeBSD users group has been uploading some videos from their recent meetings
Sean Bruno gave a recap of his experiences at EuroBSDCon last year, including the devsummit and some proposed ideas from it (as well as their current status)
Craig Rodrigues also gave a talk about Kyua and the FreeBSD testing framework
Lastly, Kip Macy gave a talk titled "network stack changes, user-level FreeBSD"
The main two subjects there are some network stack changes, and how to get more people contributing, but there's also open discussion about a variety of FreeBSD topics
If you're close to the Bay Area in California, be sure to check out their group and attend a meeting sometime ***

More than just a makefile

If you're not a BSD user just yet, you might be wondering how the various ports and pkgsrc systems compare to the binary way of doing things on Linux
This blog entry talks about the ports system in OpenBSD, but a lot of the concepts apply to all the ports systems across the BSDs
As it turns out, the ports system really isn't that different from a binary package manager - they are what's used to create binary packages, after all
The author goes through what makefiles do, customizing which options software is compiled with, patching source code to build and getting those patches back upstream
After that, he shows you how to get your new port tested, if you're interesting in doing some porting yourself, and getting involved with the rest of the community
This post is very long and there's a lot more to it, so check it out (and more discussion on Hacker News) ***

Securing your home fences

Hopefully all our listeners have realized that trusting your network(s) to a consumer router is a bad idea by now
We hear from a lot of users who want to set up some kind of BSD-based firewall, but don't hear back from them after they've done it.. until now
In this post, someone goes through the process of setting up a home firewall using OPNsense on a PCEngines APU board
He notes that you have a lot of options software-wise, including vanilla FreeBSD, OpenBSD or even Linux, but decided to go with OPNsense because of the easy interface and configuration
The post covers all the hardware you'll need, getting the OS installed to a flash drive or SD card and going through the whole process
Finally, he goes through setting up the firewall with the graphical interface, applying updates and finishing everything up
If you don't have any experience using a serial console, this guide also has some good info for beginners about those (which also applies to regular FreeBSD)
We love super-detailed guides like this, so everyone should write more and send them to us immediately ***

Interview - Pascal Stumpf - pascal@openbsd.org

Static PIE in OpenBSD

News Roundup

LLVM's new libFuzzer

We've discussed fuzzing on the show a number of times, albeit mostly with the American Fuzzy Lop utility
It looks like LLVM is going to have their own fuzzing tool too now
The Clang and LLVM guys are no strangers to this type of code testing, but decided to "close the loop" and start fuzzing parts of LLVM (including Clang) using LLVM itself
With Clang being the default in both FreeBSD and Bitrig, and with the other BSDs considering the switch, this could make for some good bug hunting across all the projects in the future ***

HardenedBSD upgrades secadm

The HardenedBSD guys have released a new version of their secadm tool, with the showcase feature being integriforce support
We covered both the secadm tool and integriforce in previous episodes, but the short version is that it's a way to prevent files from being altered (even as root)
Their integriforce feature itself has also gotten a couple improvements: shared objects are now checked too, instead of just binaries, and it uses more caching to speed up the whole process now ***

RAID5 returns to OpenBSD

OpenBSD's softraid subsystem, somewhat similar to FreeBSD's GEOM, has had experimental RAID5 support for a while
However, it was exactly that - experimental - and required a recompile to enable
With some work from recent hackathons, the final piece was added to enable resuming partial array rebuilds
Now it's on by default, and there's a call for testing being put out, so grab a snapshot and put the code through its paces
The bioctl softraid command also now supports DUIDs during pseudo-device detachment, possibly paving the way for the installer to drop the "do you want to enable DUIDs?" question entirely ***

pkgng 1.5.0 released

Going back to what we talked about last week, the final version of pkgng 1.5.0 is out
The "provides" and "requires" support is finally in a regular release
A new "-r" switch will allow for direct installation to a chroot or alternate root directory
Memory usage should be much better now, and some general code speed-ups were added
This version also introduces support for Mac OS X, NetBSD and EdgeBSD - it'll be interesting to see if anything comes of that
Many more bugs were fixed, so check the mailing list announcement for the rest (and plenty new bugs were added, according to bapt) ***

p2k15 hackathon reports

There was another OpenBSD hackathon that just finished up in the UK - this time it was mainly for ports work
As usual, the developers sent in reports of some of the things they got done at the event
Landry Breuil, both an upstream Mozilla developer and an OpenBSD developer, wrote in about the work he did on the Firefox port (specifically WebRTC) and some others, as well as reviewing lots of patches that were ready to commit
Stefan Sperling wrote in, detailing his work with wireless chipsets, specifically when the vendor doesn't provide any hardware documentation, as well as updating some of the games in ports
Ken Westerback also sent in a report, but decided to be a rebel and not work on ports at all - he got a lot of GPT-related work done, and also reviewed the RAID5 support we talked about earlier ***

Feedback/Questions

Mailing List Gold

84: pkg remove freebsd-update

JT Pennington — Wed, 08 Apr 2015 08:00:00 -0400

On this week's mini-episode, we'll be talking with Baptiste Daroussin about packaging the FreeBSD base system with pkgng. Is this the best way going forward, or are we getting dangerously close to being Linux-like? We'll find out, and also get to a couple of your emails while we're at it, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Xen dom0 in FreeBSD 11-CURRENT

FreeBSD has just gotten dom0 support for the Xen hypervisor, something NetBSD has had for a while now
The ports tree will now have a Xen kernel and toolstack, meaning that they can be updated much more rapidly than if they were part of base
It's currently limited to Intel boxes with EPT and a working IOMMU, running a recent version of the -CURRENT branch, but we'll likely see it when 11.0 comes out
How will this affect interest in Bhyve? ***

A tale of two educational moments

Here we have a blog post from an OpenBSD developer about some experiences he had helping people get involved with the project
It's split into two stories: one that could've gone better, and one that went really well
For the first one, he found that someone was trying to modify a package from their ports tree to have fewer dependencies
Experience really showed its worth, and he was able to write a quick patch to do exactly what the other person had been working on for a few hours - but wasn't so encouraging about getting it committed
In the second story, he discussed updating a different port with a user of a forum, and ended up improving the new user's workflow considerably with just a few tips
The lesson to take away from this is that we can all help out to encourage and assist new users - everyone was a newbie once ***

What's coming in NetBSD 7

We first mentioned NetBSD 7.0 on the show in July of 2014, but it still hasn't been released and there hasn't been much public info about it
This blog post outlines some of the bigger features that we can expect to see when it actually does come out
Their total platform count is now over 70, so you'd be hard-pressed to find something that it doesn't run on
There have been a lot of improvements in the graphics area, particularly with DRM/KMS, including Intel Haswell and Nouveau (for nVidia cards)
Many ARM boards now have full SMP support
Clang has also finally made its way into the base system, something we're glad to see, and it should be able to build the base OS on i386, AMD64 and ARM - other architectures are still a WIP
In the crypto department: their PNRG has switched from the broken RC4 to the more modern ChaCha20, OpenSSL has been updated in base and LibreSSL is in pkgsrc
NetBSD's in-house firewall, npf, has gotten major improvements since its initial debut in NetBSD 6.0
Looking to the future, NetBSD hopes to integrate a stable ZFS implementation later on ***

OpenZFS office hours

We mentioned a couple weeks back that the OpenZFS office hours series was starting back up
They've just uploaded the recording of their most recent freeform discussion, with Justin Gibbs being the main presenter
In it, they cover how Justin got into ZFS, running in virtualized environments, getting patches into the different projects, getting more people involved, reviewing code, spinning disks vs SSDs, defragging, speeding up resilvering, zfsd and much more ***

Interview - Baptiste Daroussin - bapt@freebsd.org

Packaging the FreeBSD base system with pkgng

Discussion

Packaging the FreeBSD base system with pkgng (follow-up)

Feedback/Questions

Mailing List Gold

ok feedback@ ***

83: woN DSB

JT Pennington — Wed, 01 Apr 2015 08:00:00 -0400

Coming up this week on the show, we'll be talking to Kamila Součková, a Google intern. She's been working on the FreeBSD pager daemon, and also tells us about her initial experiences trying out BSD and going to a conference. As always, all the week's news and answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Major changes coming in PCBSD 11

The PCBSD team has announced that version 11.0 will have some more pretty big changes (as they've been known to do lately with NTP daemons and firewalls)
Switching from PF to IPFW provided some benefits for VIMAGE, but the syntax was just too complicated for regular everyday users
To solve this, they've ported over Linux's iptables, giving users a much more straightforward configuration
While ZFS has served them well as the default filesystem for a while, Kris decided that Btrfs would be a better choice going forward
Since the FreeBSD kernel doesn't support it natively, all filesystem calls will be through FUSE from now on - performance is Good Enough
People often complain about PCBSD's huge ISO download, so, to save space, the default email client will be switched to mutt, and KDE will be replaced with DWM as the default window manager
To reconfigure it, or make any appearance changes, users just need to edit a simple C header file and recompile - easy peasy
As we've mentioned on the show, PCBSD has been promoting safe backup solutions for a long time with its "life preserver" utility, making it simple to manage multiple snapshots too
To test if people have been listening to this advice, Kris recently activated the backdoor he put in life preserver that deletes all the users' files - hope you had that stuff backed up ***

NetBSD and FreeBSD join forces

The BSD community has been running into one of the same problems Linux has lately: we just have too many different BSDs to choose from
What's more, none of them have any specific areas they focus on or anything like that (they're all basically the same)
That situation is about to improve somewhat, as FreeBSD and NetBSD have just merged codebases... say hello to FretBSD
Within a week, all mailing lists and webservers for the legacy NetBSD and FreeBSD projects will be terminated - the mailing list for the new combined project will be hosted from the United Nations datacenter on a Microsoft Exchange server
As UN monitors will be moderating the mailing lists to prevent disagreements and divisive arguments before they begin, this system is expected to be adequate for the load
With FretBSD, your toaster can now run ZFS, so you'll never need to worry about the bread becoming silently corrupted again ***

Puffy in the cloud

If you've ever wanted to set up a backup server, especially for family members or someone who's not as technology-savvy, you've probably realized there are a lot of options
This post explores the option of setting up your own Dropbox-like service with Owncloud and PostgreSQL, running atop the new OpenBSD http daemon
Doing it this way with your own setup, you can control all the security aspects - disk encryption, firewall rules, who can access what and from where, etc
He also mentions our pf tutorial being helpful in blocking script kiddies from hammering the box
Be sure to encourage your less-technical friends to always back up their important data ***

NetBSD at AsiaBSDCon

Some NetBSD developers have put together a report of what they did at the most recent event in Tokyo
It includes a wrap-up of the event, as well as a list of presentations that NetBSD developers gave
Have you ever wanted even more pictures of NetBSD running on lots of devices? There's a never-ending supply, apparently
At the BSD research booth of AsiaBSDCon, there were a large number of machines on display, and someone has finally uploaded pictures of all of them
There's also a video of an OMRON LUNA-II running the luna68k port ***

Interview - Kamila Součková - kamila@ksp.sk / @anotherkamila

BSD conferences, Google Summer of Code, various topics

News Roundup

FreeBSD foundation March update

The FreeBSD foundation has published their March update for fundraising and sponsored projects
In the document, you'll find information about upcoming ARMv8 enhancements, some event recaps and a Google Summer of Code status update
They also mention our interview with the foundation president - be sure to check it out if you haven't ***

Inside OpenBSD's new httpd

BSD news continues to dominate mainstream tech news sites… well not really, but they talk about it once in a while
The SD Times is featuring an article about OpenBSD's in-house HTTP server, after seeing Reyk's AsiaBSDCon presentation about it (which he's giving at BSDCan this year, too)
In this article, they talk about the rapid transition of webservers in the base system - apache being replaced with nginx, only to be replaced with httpd shortly thereafter
Since the new daemon has had almost a full release cycle to grow, new features and fixes have been pouring in
The post also highlights some of the security features: everything runs in a chroot with privsep by default, and it also leverages strong TLS 1.2 defaults (including Perfect Forward Secrecy) ***

Using poudriere without OpenSSL

Last week we talked about using LibreSSL in FreeBSD for all your ports
One of the problems that was mentioned is that some ports are configured improperly, and end up linking against the OpenSSL in the base system even when you tell them not to
This blog post shows how to completely strip OpenSSL out of the poudriere build jails, something that's a lot more difficult than you'd think
If you're a port maintainer, pay close attention to this post, and get your ports fixed to adhere to the make.conf options properly ***

HAMMER and GPT in OpenBSD

Someone, presumably a Google Summer of Code student, wrote in to the lists about his HAMMER FS porting proposal
He outlined the entire process and estimated timetable, including what would be supported and which aspects were beyond the scope of his work (like the clustering stuff)
There's no word yet on if it will be accepted, but it's an interesting idea to explore, especially when you consider that HAMMER really only has one developer
In more disk-related news, Ken Westerback has been committing quite a lot of GPT-related fixes recently
Full GPT support will most likely be finished before 5.8, but anything involving HAMMER FS is still anyone's guess ***

Feedback/Questions

Mailing List Gold

82: SSL in the Wild

JT Pennington — Wed, 25 Mar 2015 08:00:00 -0400

Coming up this week, we'll be chatting with Bernard Spil about wider adoption of LibreSSL in other communities. He's been doing a lot of work with FreeBSD ports specifically, but also working with upstream projects. As usual, all this weeks news and answers to your questions, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

EuroBSDCon 2015 call for papers

The call for papers has been announced for the next EuroBSDCon, which is set to be held in Sweden this year
According to their site, the call for presentation proposals period will start on Monday the 23rd of March until Friday the 17th of April
If giving a full talk isn't your thing, there's also a call for tutorials - if you're comfortable teaching other people about something BSD-related, this could be a great thing too
You're not limited to one proposal - several speakers gave multiple in 2014 - so don't hesitate if you've got more than one thing you'd like to talk about
We'd like to see a more balanced conference schedule than BSDCan's having this year, but that requires effort on both sides - if you're doing anything cool with any BSD, we'd encourage you submit a proposal (or two)
Check the announcement for all the specific details and requirements
If your talk gets accepted, the conference even pays for your travel expenses ***

Making security sausage

Ted Unangst has a new blog post up, detailing his experiences with some recent security patches both in and out of OpenBSD
"Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!"
The post first takes us through a few OpenBSD errata patches, explaining how some can get fixed very quickly, but others are more complicated and need a bit more review
It also covers security in upstream codebases, and how upstream projects sometimes treat security issues as any other bug
Following that, it leads to the topic of FreeType - and a much more complicated problem with backporting patches between versions
The recent OpenSSL vulnerabilities were also mentioned, with an interesting story to go along with them
Just 45 minutes before the agreed-upon announcement, OpenBSD devs found a problem with the patch OpenSSL planned to release - it had to be redone at the last minute
It was because of this that FreeBSD actually had to release a security update to their security update
He concludes with "My number one wish would be that every project provide small patches for security issues. Dropping enormous feature releases along with a note 'oh, and some security too' creates downstream mayhem." ***

Running FreeBSD on the server, a sysadmin speaks

More BSD content is appearing on mainstream technology sites, and, more importantly, BSD Now is being mentioned
ITWire recently did an interview with Allan about running FreeBSD on servers (possibly to go with their earlier interview with Kris about desktop usage)
They discuss some of the advantages BSD brings to the table for sysadmins that might be used to Linux or some other UNIX flavor
It also covers specific features like jails, ZFS, long-term support, automating tasks and even… what to name your computers
If you've been considering switching your servers over from Linux to FreeBSD, but maybe wanted to hear some first-hand experience, this is the article for you ***

NetBSD ported to Hardkernel ODROID-C1

In their never-ending quest to run on every new board that comes out, NetBSD has been ported to the Hardkernel ODROID-C1
This one features a quad-core ARMv7 CPU at 1.5GHz, has a gig of ram and gigabit ethernet... all for just $35
There's a special kernel config file for this board's hardware, available in both -current and the upcoming 7.0
More info can be found on their wiki page
After this was written, basic framebuffer console support was also committed, allowing a developer to run XFCE on the device ***

Interview - Bernard Spil - brnrd@freebsd.org / @sp1l

LibreSSL adoption in FreeBSD ports and the wider software ecosystem

News Roundup

Monitoring pf logs with Gource

If you're using pf on any of the BSDs, maybe you've gotten bored of grepping logs and want to do something more fancy
This article will show you how to get set up with Gource for a cinematic-like experience
If you've never heard of Gource, it's "an OpenGL-based 3D visualization tool intended for visualizing activity on source control repositories"
When you put all the tools together, you can end up with some pretty eye-catching animations of your firewall traffic
One of our listeners wrote in to say that he set this up and, almost immediately, noticed his girlfriend's phone had been compromised - graphical representations of traffic could be useful for detecting suspicious network activity ***

pkgng 1.5.0 alpha1 released

The development version of pkgng was updated to 1.4.99.14, or 1.5.0 alpha1
This update introduces support for provides/requires, something that we've been wanting for a long time
It will also now print which package is the reason for direct dependency change
Another interesting addition is the "pkg -r" switch, allowing cross installation of packages
Remember this isn't the stable version, so maybe don't upgrade to it just yet on any production systems
DragonFly will also likely pick up this update once it's marked stable ***

Welcome to OpenBSD

We mentioned last week that our listener Brian was giving a talk in the Troy, New York area
The slides from that talk are now online, and they've been generating quite a bit of discussion online
It's simply titled "Welcome to OpenBSD" and gives the reader an introduction to the OS (and how easy it is to get involved with contributing)
Topics include a quick history of the project, who the developers are and what they do, some proactive security techniques and finally how to get involved
As you may know, NetBSD has almost 60 supported platforms and their slogan is "of course it runs NetBSD" - Brian says, with 17 platforms over 13 CPU architectures, "it probably runs OpenBSD"
No matter which BSD you might be interested in, these slides are a great read, especially for any beginners looking to get their feet wet
Try to guess which font he used... ***

BSDTalk episode 252

And somehow Brian has snuck himself into another news item this week
He makes an appearance in the latest episode of BSD Talk, where he chats with Will about running a BSD-based shell provider
If that sounds familiar, it's probably because we did the same thing, albeit with a different member of their team
In this interview, they discuss what a shell provider does, hardware requirements and how to weed out the spammers in favor of real people
They also talk a bit about the community aspect of a shared server, as opposed to just running a virtual machine by yourself ***

Feedback/Questions

Mailing List Gold

81: Puffy in a Box

JT Pennington — Wed, 18 Mar 2015 08:00:00 -0400

We're back from AsiaBSDCon! This week on the show, we'll be talking to Lawrence Teo about how Calyptix uses OpenBSD in their line of commercial routers. They're getting BSD in the hands of Windows admins who don't even realize it. We also have all this week's news and answer to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Using OpenBGPD to distribute pf table updates

For those not familiar, OpenBGPD is a daemon for the Border Gateway Protocol - a way for routers on the internet to discover and exchange routes to different addresses
This post, inspired by a talk about using BGP to distribute spam lists, details how to use the protocol to distribute some other useful lists and information
It begins with "One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems."
If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files
OpenBGPD is part of the OpenBSD base system, but there's also an unofficial port to FreeBSD and a "work in progress" pkgsrc version ***

Mounting removable media with autofs

The FreeBSD foundation has a new article in the "FreeBSD from the trenches" series, this time about the sponsored autofs tool
It's written by one of the autofs developers, and he details his work on creating and using the utility
"The purpose of autofs(5) is to mount filesystems on access, in a way that's transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes."
He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives
It ends with a real-world example of something we're all probably familiar with: plugging in USB drives and watching the magic happen
There's also some more advanced bonus material on GEOM classes and all the more technical details ***

The Tor Browser on BSD

The Tor Project has provided a "browser bundle" for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source
Just tunneling your browser through a transparent Tor proxy is not safe enough - many things can lead to passive fingerprinting or, even worse, anonymity being completely lost
It has, however, only been released for Windows, OS X and Linux - no BSD version
"[...] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves."
Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started
If you've got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved) ***

OpenSSH 6.8 released

Continuing their "tick tock" pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 - it's a major upgrade, focused on new features (we like those better of course)
Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability
This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default - a big step up from the previously hex-encoded MD5 fingerprints
Experimental host key rotation support also makes it debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys
You can now require multiple, different public keys to be verified for a user to authenticate (useful if you're extra paranoid or don't have 100% confidence in any single key type)
The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon
Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and ChaCha20 and AES-CTR ciphers ***

NetBSD at AsiaBSDCon

The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you'd expect
It covers their BoF session, the six NetBSD-related presentations and finally their "work in progress" session
There was a grand total of 34 different NetBSD gadgets on display at the event ***

Interview - Lawrence Teo - lteo@openbsd.org / @lteo

OpenBSD at Calyptix

News Roundup

HardenedBSD introduces Integriforce

A little bit of background on this one first: NetBSD has something called veriexec, used for checking file integrity at the kernel level
By doing it at the kernel level, similar to securelevels, it offers some level of protection even when the root account is compromised
HardenedBSD has introduced a similar mechanism into their "secadm" utility
You can list binaries in the config file that you want to be protected from changes, then specify whether those can't be run at all, or if they just print a warning
They're looking for some more extensive testing of this new feature ***

More s2k15 hackathon reports

A couple more Australian hackathon reports have poured in since the last time
The first comes from Jonathan Gray, who's done a lot of graphics-related work in OpenBSD recently
He worked on getting some newer "Southern Islands" and "Graphics Core Next" AMD GPUs working, as well as some OpenGL and DRM-related things
Also on his todo list was to continue hitting various parts of the tree with American Fuzzy Lop, which ended up fixing a few crashes in mandoc
Ted Unangst also sent in a report to detail what he hacked on at the event
With a strong focus on improving SMP scalability, he tackled the virtual memory layer
His goal was to speed up some syscalls that are used heavily during code compilation, much of which will probably end up in 5.8
All the trip reports are much more detailed than our short summaries, so give them a read if you're interested in all the technicalities ***

DragonFly 4.0.4 and IPFW3

DragonFly BSD has put out a small point release to the 4.x branch, 4.0.4
It includes a minor list of fixes, some of which include a HAMMER FS history fix, removing the no-longer-needed "new xorg" and "with kms" variables and a few LAGG fixes
There was also a bug in the installer that prevented the rescue image from being installed correctly, which also gets fixed in this version
Shortly after it was released, their new IPFW2 firewall was added to the tree and subsequently renamed to IPFW3 (since it's technically the third revision) ***

NetBSD gets Raspberry Pi 2 support

NetBSD has announced initial support for the second revision of the ever-popular Raspberry Pi board
There are -current snapshots available for download, and multiprocessor support is also on the way
The NetBSD wiki page about the Raspberry Pi also has some more information and an installation guide
The usual Hacker News discussion on the subject
If anyone has one of these little boards, let us know - maybe write up a blog post about your experience with BSD on it ***

OpenIKED as a VPN gateway

In our first discussion segment, we talked about a few different ways to tunnel your traffic
While we've done full tutorials on things like SSH tunnels, OpenVPN and Tor, we haven't talked a whole lot about OpenBSD's IPSEC suite
This article should help fill that gap - it walks you through the complete IKED setup
From creating the public key infrastructure to configuring the firewall to configuring both the VPN server and client, this guide's got it all ***

Feedback/Questions

Mailing List Gold

80: The PC-BSD Tour II

JT Pennington — Wed, 11 Mar 2015 08:00:00 -0400

We're away at AsiaBSDCon this week, but we've still got a packed episode for you. First up is a sequel to the "PC-BSD tour" segment from a while back, highlighting how ZFS boot environments work. After that, Justin Gibbs joins us to talk about the FreeBSD foundation's 15th anniversary. We'll return next week with a normal episode of BSD Now - which is of course, the place to B.. SD.

This episode was brought to you by

Special segment

Demystifying Boot Environments in PC-BSD

Interview - Justin Gibbs - gibbs@freebsd.org / @freebsdfndation

The FreeBSD foundation's 15th anniversary

Discussion

The story of PC-BSD

79: Just Add QEMU

JT Pennington — Wed, 04 Mar 2015 08:00:00 -0500

Coming up this time on the show, we'll be talking to Sean Bruno. He's been using poudriere and QEMU to cross compile binary packages, and has some interesting stories to tell about it. We've also got answers to viewer-submitted questions and all this week's news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

AsiaBSDCon 2015 schedule

Almost immediately after we finished recording an episode last week, the 2015 AsiaBSDCon schedule went up
This year's conference will be between 12-15 March at the Tokyo University of Science in Japan
The first and second days are for tutorials, as well as the developer summit and vendor summit
Days four and five are the main event with the presentations, which Kris and Allan both made the cut for once again
Not counting the ones that have yet to be revealed (as of the day we're recording this), there will be thirty-six different talks in all - four BSD-neutral, four NetBSD, six OpenBSD and twenty-two FreeBSD
Summaries of all the presentations are on the timetable page if you scroll down a bit ***

FreeBSD foundation updates and more

The FreeBSD foundation has posted a number of things this week, the first of which is their February 2015 status update
It provides some updates on the funded projects, including PCI express hotplugging and FreeBSD on the POWER8 platform
There's a FOSDEM recap and another update of their fundraising goal for 2015
They also have two new blog posts: a trip report from SCALE13x and a featured "FreeBSD in the trenches" article about how a small typo caused a lot of ZFS chaos in the cluster
"Then panic ensued. The machine didn't panic -- I did." ***

OpenBSD improves browser security

No matter what OS you run on your desktop, the most likely entry point for an exploit these days is almost certainly the web browser
Ted Unangst writes in to the OpenBSD misc list to introduce a new project he's working on, simply titled "improving browser security"
He gives some background on the W^X memory protection in the base system, but also mentions that some applications in ports don't adhere to it
For it to be enforced globally instead of just recommended, at least one browser (or specifically, one JIT engine) needs to be fixed to use it
"A system that is 'all W^X except where it's not' is the same as a system that's not W^X. We've worked hard to provide a secure foundation for programs; we'd like to see them take advantage of it."
The work is being supported by the OpenBSD foundation, and we'll keep you updated on this undertaking as more news about it is released
There's also some discussion on Hacker News and Undeadly about it ***

NetBSD at Open Source Conference 2015 Tokyo

The Japanese NetBSD users group has once again invaded a conference, this time in Tokyo
There's even a spreadsheet of all the different platforms they were showing off at the booth (mostly ARM, MIPS, PowerPC and Landisk this time around)
If you just can't get enough strange devices running BSD, check the mailing list post for lots of pictures
Their next target is, as you might guess, AsiaBSDCon 2015 - maybe we'll run into them ***

Interview - Sean Bruno - sbruno@freebsd.org / @franknbeans

Cross-compiling packages with poudriere and QEMU

News Roundup

The Crypto Bone

The Crypto Bone is a new device that's aimed at making encryption and secure communications easier and more accessible
Under the hood, it's actually just a Beaglebone board, running stock OpenBSD with a few extra packages
It includes a web interface for configuring keys and secure tunnels
The source code is freely available for anyone interested in hacking on it (or auditing the crypto), and there's a technical overview of how everything works on their site
If you don't want to teach your mom how to use PGP, buy her one of these(?) ***

BSD in the 2015 Google Summer of Code

For those who don't know, GSoC is a way for students to get paid to work on a coding project for an open source organization
Good news: both FreeBSD and OpenBSD were accepted for the 2015 event
FreeBSD has a wiki page of ideas for people to work on
OpenBSD also has an ideas page where you can see some of the initial things that might be interesting
If you're a student looking to get involved with BSD development, this might be a great opportunity to even get paid to do it
Who knows, you may even end up on the show if you work on a cool project
GSoC will be accepting idea proposals starting March 16th, so you have some time to think about what you'd like to hack on ***

pfSense 2.3 roadmap

The pfSense team has posted a new blog entry, detailing some of their plans for future versions
PPTP will finally be deprecated, PHP will be updated to 5.6 and other packages will also get updated to newer versions
PBIs are scheduled to be replaced with native pkgng packages
Version 3.0, something coming much later, will be a major rewrite that gets rid of PHP entirely
Their ultimate goal is for pfSense to be a package you can install atop of a regular FreeBSD install, rather than a repackaged distribution ***

PCBSD 10.1.2 security features

PCBSD 10.1.2 will include a number of cool security features, some of which are detailed in a new blog post
A new "personacrypt" utility is introduced, which allows for easy encryption and management of external drives for your home directory
Going along with this, it also has a "stealth mode" that allows for one-time temporary home directories (but it doesn't self-destruct, don't worry)
The LibreSSL integration also continues, and now packages will be built with it by default
If you're using the Life Preserver utility for backups, it will encrypt the remote copy of your files in the next update
They've also been working on introducing some new options to enable tunneling your traffic through Tor
There will now be a fully-transparent proxy option that utilizes the switch to IPFW we mentioned last week
A small disclaimer: remember that many things can expose your true IP when using Tor, so use this option at your own risk if you require full anonymity
Look forward to Kris wearing a Tor shirt in future episodes ***

Feedback/Questions

Mailing List Gold

78: From the Foundation (Part 2)

JT Pennington — Wed, 25 Feb 2015 08:00:00 -0500

This week we continue our two-part series on the activities of various BSD foundations. Ken Westerback joins us today to talk all about the OpenBSD foundation and what it is they do. We've also got answers to your emails and all the latest news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

BSDCan 2015 schedule

The list of presentations for the upcoming BSDCan conference has been posted, and the time schedule should be up shortly as well
Just a reminder: it's going to be held on June 12th and 13th at the University of Ottawa in Canada
This year's conference will have a massive fifty talks, split up between four tracks instead of three (but unfortunately a person can only be in one place at a time)
Both Allan and Kris had at least one presentation accepted, and Allan will also be leading a few "birds of a feather" gatherings
In total, there will be three NetBSD talks, five OpenBSD talks, eight BSD-neutral talks, thirty-five FreeBSD talks and no DragonFly talks
That's not the ideal balance we'd hope for, but BSDCan says they'll try to improve that next year
Those numbers are based on the speaker's background, or any past presentations, for the few whose actual topic wasn't made obvious from the title (so there may be a small margin of error)
Michael Lucas (who's on the BSDCan board) wrote up a blog post about the proposals and rejections this year
If you can't make it this year, don't worry, we'll be sure to announce the recordings when they're made available
We also interviewed Dan Langille about the conference and what to expect this year, so check that out too ***

SSL interception with relayd

There was a lot of commotion recently about superfish, a way that Lenovo was intercepting HTTPS traffic and injecting advertisements
If you're running relayd, you can mimic this evil setup on your own networks (just for testing of course…)
Reyk Floeter, the guy who wrote relayd, came up a blog post about how to do just that
It starts off with some backstory and some of the things relayd is capable of
relayd can run as an SSL server to terminate SSL connections and forward them as plain TCP and, conversely, run as an SSL client to terminal plain TCP connections and tunnel them through SSL
When you combine these two, you end up with possibilities to filter between SSL connections, effectively creating a MITM scenario
The post is very long, with lots of details and some sample config files - the whole nine yards ***

OPNsense 15.1.6.1 released

The OPNsense team has released yet another version in rapid succession, but this one has some big changes
It's now based on FreeBSD 10.1, with all the latest security patches and driver updates (as well as some in-house patches)
This version also features a new tool for easily upgrading between versions, simply called "opnsense-update" (similar to freebsd-update)
It also includes security fixes for BIND and PHP, as well as some other assorted bug fixes
The installation images have been laid out in a clean way: standard CD and USB images that default to VGA, as well as USB images that default to a console output (for things like Soekris and PCEngines APU boards that only have serial ports)
With the news of m0n0wall shutting down last week, they've also released bare minimum hardware specifications required to run OPNsense on embedded devices
Encouraged by last week's mention of PCBSD trying to cut ties with OpenSSL, OPNsense is also now providing experimental images built against LibreSSL for testing (and have instructions on how to switch over without reinstalling) ***

OpenBSD on a Minnowboard Max

What would our show be without at least one story about someone installing BSD on a weird device
For once, it's actually not NetBSD…
This article is about the minnowboard max, a very small X86-based motherboard that looks vaguely similar to a Raspberry Pi
It's using an Atom CPU instead of ARM, so overall application compatibility should be a bit better (and it even has AES-NI, so crypto performance will be much better than a normal Atom)
The author describes his entirely solid-state setup, noting that there's virtually no noise, no concern about hard drives dying and very reasonable power usage
You'll find instructions on how to get OpenBSD installed and going throughout the rest of the article
Have a look at the spec sheet if you're interested, they make for cool little BSD boxes ***

Netmap for 40gbit NICs in FreeBSD

Luigi Rizzo posted an announcement to the -current mailing list, detailing some of the work he's just committed
The ixl(4) driver, that's one for the X1710 40-gigabit card, now has netmap support
It's currently in 11-CURRENT, but he says it works in 10-STABLE and will be committed there too
This should make for some serious packet-pushing power
If you have any network hardware like this, he would appreciate testing for the new code ***

Interview - Ken Westerback - directors@openbsdfoundation.org

The OpenBSD foundation's activities

News Roundup

s2k15 hackathon report: dhclient/dhcpd/fdisk

The second trip report from the recent OpenBSD hackathon has been published, from the very same guy we just talked to
Ken was also busy, getting a few networking-related things fixed and improved in the base system
He wrote a few new small additions for dhclient and beefed up the privsep security, as well as some fixes for tcpdump and dhcpd
The fdisk tool also got worked on a bit, enabling OpenBSD to properly wipe GPT tables on a previously-formatted disk so you can do a normal install on it
There's apparently plans for "dhclientng" - presumably a big improvement (rewrite?) of dhclient ***

FreeBSD beginner video series

A new series of videos has started on YouTube, aimed at helping total beginners learn about FreeBSD
We usually assume that people who watch the show are already familiar with basic concepts, but they'd be a great introduction to any of your friends that are looking to get started with BSD and need a helping hand
So far, he's covered how to get FreeBSD, an introduction to installing in VirtualBox, a simple installation or a more in-depth manual installation, navigating the filesystem, basic ssh use, managing users and groups and finally some basic editing with vi and a few other topics
Everyone's gotta start somewhere and, with a little bit of initial direction, today's newbies could be tomorrow's developers
It should be an ongoing series with more topics to come ***

NetBSD tests: zero unexpected failures

The NetBSD guys have a new blog post up about their testing suite for all the CPU architectures
They've finally gotten the number of "expected" failures down to zero on a few select architectures
Results are published on a special release engineering page, so you can have a look if you're interested
The rest of the post links to the "top performers" (ones with less than ten failure) in the -current branch ***

PCBSD switches to IPFW

The PCBSD crew continues their recent series of switching between major competing features
This time, they've switched the default firewall away from PF to FreeBSD's native IPFW firewall
Look forward to Kris wearing a "keep calm and use IPFW" shir- wait ***

Feedback/Questions

Mailing List Gold

VCS flamebait
Hidden agenda ***

77: Noah's L2ARC

JT Pennington — Wed, 18 Feb 2015 08:00:00 -0500

This week on the show, we'll be chatting with Alex Reece and Matt Ahrens about what's new in the world of OpenZFS. After that, we're starting a new tutorial series on submitting your first patch. All the latest BSD news and answers to your emails, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Revisiting FreeBSD after 20 years

With comments like "has Linux lost its way?" floating around, a Debian developer was prompted to revisit FreeBSD after nearly two decades
This blog post goes through his experiences trying out a modern BSD variant, and includes the good, the bad and the ugly - not just praise this time
He loves ZFS and the beadm tool, and finds the FreeBSD implementation to be much more stable than ZoL
On the topic of jails, he summarizes: "Linux has tried so hard to get this right, and fallen on its face so many times, a person just wants to take pity sometimes. We’ve had linux-vserver, openvz, lxc, and still none of them match what FreeBSD jails have done for a long time."
The post also goes through the "just plain different" aspects of a complete OS vs. a distribution of various things pieced together
Finally, he includes some things he wasn't so happy about: subpar laptop support, virtualization being a bit behind, a myriad of complaints about pkgng and a few other things
There was some decent discussion on Hacker News about this article too, with counterpoints from both sides ***

s2k15 hackathon report: network stack SMP

The first trip report from the recent OpenBSD hackathon in Australia has finally been submitted
One of the themes of this hackathon was SMP (symmetric multiprocessing) improvement, and Martin Pieuchot did some hacking on the network stack
If you're not familiar with him, he gave a presentation at EuroBSDCon last year, titled Taming OpenBSD Network Stack Dragons
Teaming up with David Gwynne, they worked on getting some bits of the networking code out of the big lock
Hopefully more trip reports will be sent in during the coming weeks
Most of the big code changes should probably appear after the 5.7-release testing period ***

From BIND to NSD and Unbound

If you've been running a DNS server on any of the BSDs, you've probably noticed a semi-recent trend: BIND being replaced with Unbound
BIND was ripped out in FreeBSD 10.0 and will be gone in OpenBSD 5.7, but both systems include Unbound now as an alternative
OpenBSD goes a step further, also including NSD in the base system, whereas you'll need to install that from ports on FreeBSD
Instead of one daemon doing everything like BIND tried to do, this new setup splits the authoritative nameserver and the caching resolver into two separate daemons
This post takes you through the transitional phase of going from a single BIND setup to a combination of NSD and Unbound
All in all, everyone wins here, as there will be a lot less security advisories in both BSDs because of it... ***

m0n0wall calls it quits

The original, classic BSD firewall distribution m0n0wall has finally decided to close up shop
For those unfamiliar, m0n0wall was a FreeBSD-based firewall project that put a lot of focus on embedded devices: running from a CF card, CD, USB drive or even a floppy disk
It started over twelve years ago, which is pretty amazing when you consider that's around half of FreeBSD itself's lifespan
The project was probably a lot of people's first encounter with BSD in any form
If you were a m0n0wall user, fear not, you've got plenty of choices for a potential replacement: doing it yourself with something like FreeBSD or OpenBSD, or going the premade route with something like pfSense, OPNsense or the BSD Router Project
The founder's announcement includes these closing words: "m0n0wall has served as the seed for several other well known open source projects, like pfSense, FreeNAS and AskoziaPBX. The newest offspring, OPNsense, aims to continue the open source spirit of m0n0wall while updating the technology to be ready for the future. In my view, it is the perfect way to bring the m0n0wall idea into 2015, and I encourage all current m0n0wall users to check out OPNsense and contribute if they can."
While m0n0wall didn't get a lot of on-air mention, surely a lot of our listeners will remember it fondly ***

Interview - Alex Reece & Matt Ahrens - alex@delphix.com & matt@delphix.com / @openzfs

What's new in OpenZFS

Tutorial

Making your first patch (OpenBSD)

News Roundup

Overlaying remote LANs with OpenBSD's VXLAN

Have you ever wanted to "merge" multiple remote LANs? OpenBSD's vxlan(4) is exactly what you need
This article talks about using it to connect two virtualized infrastructures on different ESXi servers
It gives a bit of networking background first, in case you're not quite up to speed on all this stuff
This tool opens up a lot of very cool possibilities, even possibly doing a "remote" LAN party
Be sure to check the AsiaBSDCon talk about VXLANs if you haven't already ***

2020, year of the PCBSD desktop

Here we have a blog post about BSD on the desktop, straight from a KDE developer
He predicts that PCBSD is going to take off before the year 2020, possibly even overtaking Linux's desktop market share (small as it may be)
With PCBSD making a preconfigured FreeBSD desktop a reality, and the new KMS work, the author is impressed with how far BSD has come as a viable desktop option
ZFS and easy-to-use boot environments top the list of things he says differentiate the BSD desktop experience from the Linux one
There was also some discussion on Slashdot that might be worth reading ***

OpenSSH host key rotation, redux

We mentioned the new OpenSSH host key rotation and other goodies in a previous episode, but things have changed a little bit since then
djm says "almost immediately after smugly declaring 'mission accomplished', the bug reports started rolling in."
There were some initial complaints from developers about the new options, and a serious bug shortly thereafter
After going back to the drawing board, he refactored some of the new code (and API) and added some more regression tests
Most importantly, the bigger big fix was described as: "a malicious server (say, "host-a") could advertise the public key of another server (say, "host-b"). Then, when the client subsequently connects back to host-a, instead of answering the connection as usual itself, host-a could proxy the connection to host-b. This would cause the user to connect to host-b when they think they are connecting to host-a, which is a violation of the authentication the host key is supposed to provide."
None of this code has been in a formal OpenSSH release just yet, but hopefully it will soon ***

PCBSD tries out LibreSSL

PCBSD users may soon be seeing a lot less security problems because of two recent changes
After switching over to OpenNTPD last week, PCBSD decides to give the portable LibreSSL a try too
Note that this is only for the packages built from ports, not the base system unfortunately
They're not the first ones to do this - OPNsense has been experimenting with replacing OpenSSL in their ports tree for a little while now, and of course all of OpenBSD's ports are built against it
A good number of patches are still not committed in vanilla FreeBSD ports, so they had to borrow some from Bugzilla
Look forward to Kris wearing a "keep calm and abandon OpenSSL" shirt in the near future ***

Feedback/Questions

Mailing List Gold

Debian Dejavu
Package gone missing ***

76: Time for a Change

JT Pennington — Wed, 11 Feb 2015 08:00:00 -0500

This week, we'll be talking to Henning Brauer about OpenNTPD and its recently revived portable version. After that, we'll be discussing different ways to securely tunnel your traffic: specifically OpenVPN, IPSEC, SSH and Tor. All that and the latest news, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Strange timer bug in FreeBSD 11

Peter Wemm wrote in to the FreeBSD -CURRENT mailing list with an interesting observation
Running the latest development code in the infrastructure, the clock would stop keeping time after 24 days of uptime
This meant things like cron and sleep would break, TCP/IP wouldn't time out or resend packets, a lot of things would break
A workaround until it was fixed was to reboot every 24 days, but this is BSD we're talking about - uptime is our game
An initial proposal was adding a CFLAG to the build options which makes makes signed arithmetic wrap
Peter disagreed and gave some background, offering a different patch to fix the issue and detect it early if it happens again
Ultimately, the problem was traced back to an issue with a recent clang import
It only affected -CURRENT, not -RELEASE or -STABLE, but was definitely a bizarre bug to track down ***

An OpenBSD mail server

There's been a recent influx of blog posts about building a BSD mail server for some reason
In this fancy series of posts, the author sets up OpenSMTPD in its native OpenBSD home, whereas previous posts have been aimed at FreeBSD and Linux
In addition to the usual steps, this one also covers DKIMproxy, ClamAV for scanning attachments, Dovecot for IMAP and also multiple choices of spam filtering: spamd or SpamAssassin
It also shows you how to set up Roundcube for building a web interface, using the new in-base httpd
That means this is more of a "complete solution" - right down to what the end users see
The series is split up into categories so it's very easy to follow along step-by-step ***

How DragonFlyBSD uses git

DragonFlyBSD, along with PCBSD and EdgeBSD, uses git as its version control system for the system source code
In a series of posts, Matthew Dillon (the project lead) details their internal setup
They're using vanilla git over ssh, with the developers' accounts set to git-only (no shell access)
The maintainers of the server are the only ones with shell access available
He also details how a cron job syncs from the master to a public box that anyone can check out code from
It would be interesting to hear about how other BSD projects manage their master source repository ***

Why not try PCBSD?

ITwire, another more mainstream tech site, published a recent article about switching to PCBSD
They interview a guy named Kris that we've never heard of before
In the article, they touch on how easy it can potentially be for Linux users looking to switch over to the BSD side - lots of applications are exactly the same
"With the growing adoption of systemd, dissatisfaction with Linux has reached proportions not seen in recent years, to the extent that people have started talking of switching to FreeBSD."
If you have some friends who complain to you about systemd all the time, this might be a good article to show them ***

Interview - Henning Brauer - henning@openbsd.org / @henningbrauer

OpenNTPD and its portable variant

News Roundup

Authenticated time in OpenNTPD

We recorded that interview with Henning just a few days ago, and it looks like part of it may be outdated already
While at the hackathon, some developers came up with an alternate way to get authenticated NTP responses
You can now add an HTTPS URL to your ntpd.conf in addition to the time server pool
OpenNTPD will query it (over TLS, with CA verification) and look at the date sent in the HTTPS header
It's not intended to be a direct time source, just a constraint to keep things within reason
If you receive regular NTP packets that are way off from the TLS packet, those will be discarded and the server(s) marked as invalid
Henning and Theo also weigh in to give some of the backstory on the idea
Lots more detail can be found in Reyk's email explaining the new feature (and it's optional of course) ***

NetBSD at Open Source Conference 2015 Oita and Hamanako

It's been a while since we've featured one of these trip reports, but the Japanese NetBSD users group is still doing them
This time the conferences were in Oita and Hamanako, Japan
Machines running NetBSD included the CubieBoard2 Allwinner A20, Raspberry Pi and Banana Pi, Sharp NetWalker and a couple Zaurus devices
As always, they took lots of pictures from the event of NetBSD on all these weird machines ***

Poudriere in a jail

A common question we get about our poudriere tutorial is "how do I run it in a jail?" - this blog post is about exactly that
It takes you through the networking setup, zpool setup, nginx setup, making the jail and finally poking the right holes in the jail to allow poudriere to work its magic ***

Bruteblock, another way to stop bruteforce

We've mentioned a few different ways to stop ssh bruteforce attempts in the past: fail2ban, denyhosts, or even just with pf's built-in rate limiting
Bruteblock is a similar tool, but it's not just for ssh logins - it can do a number of other services
It can also work directly with IPFW, which is a plus if you're using that as your firewall
Add a few lines to your syslog.conf and bruteblock will get executed automatically
The rest of the article takes you through the different settings you can configure for blocking ***

New iwm(4) driver and cross-polination

The OpenBSD guys recently imported a new "iwm" driver for newer Intel 7260 wireless cards (commonly found in Thinkpads)
NetBSD wasted no time in porting it over, giving a bit of interesting backstory
According to Antti Kantee, "it was created for OpenBSD by writing and porting a NetBSD driver which was developed in a rump kernel in Linux userspace"
Both projects would appreciate further testing if you have the hardware and can provide useful bug reports
Maybe FreeBSD and DragonFly will port it over too, or come up with something that's partially based on the code ***

PCBSD current images

The first PCBSD -CURRENT images should be available this weekend
This image will be tagged 11.0-CURRENTFEB2015, with planned monthly updates
For the more adventurous this will allow testing both FreeBSD and PCBSD bleeding edge ***

Feedback/Questions

Mailing List Gold

Discussion

Comparison of ways to securely tunnel your traffic

OpenVPN, OpenBSD IKED, FreeBSD IPSEC, OpenSSH, Tor ***

75: From the Foundation (Part 1)

JT Pennington — Wed, 04 Feb 2015 08:00:00 -0500

This week on the show, we'll be starting a two-part series detailing the activities of various BSD foundations. Ed Maste from the FreeBSD foundation will be joining us this time, and we'll talk about what all they've been up to lately. All this week's news and answers to viewer-submitted questions, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Key rotation in OpenSSH 6.8

Damien Miller posted a new blog entry about one of the features in the upcoming OpenSSH 6.8
Times changes, key types change, problems are found with old algorithms and we switch to new ones
In OpenSSH (and the SSH protocol) however, there hasn't been an easy way to rotate host keys... until now
With this change, when you connect to a server, it will log all the server's public keys in your known_hosts file, instead of just the first one used during the key exchange
Keys that are in your known_hosts file but not on the server will get automatically removed
This fixes the problem of old servers still authenticating with ancient DSA or small RSA keys, as well as providing a way for the server to rotate keys every so often
There are some instructions in the blog post for how you'll be able to rotate host keys and eventually phase out the older ones - it's really simple
There are a lot of big changes coming in OpenSSH 6.8, so we'll be sure to cover them all when it's released ***

NetBSD Banana Pi images

We've talked about the Banana Pi a bit before - it's a small ARM board that's comparable to the popular Raspberry Pi
Some NetBSD -current images were posted on the mailing list, so now you can get some BSD action on one of these little devices
There are even a set of prebuilt pkgsrc packages, so you won't have to compile everything initially
The email includes some steps to get everything working and an overview of what comes with the image
Also check the wiki page for some related boards and further instructions on getting set up
On a related note, NetBSD also recently got GPU acceleration working for the Raspberry Pi (which is a first for their ARM port) ***

LibreSSL shirts and other BSD goodies

If you've been keeping up with the LibreSSL saga and want a shirt to show your support, they're finally available to buy online
There are two versions, either "keep calm and use LibreSSL" or the slightly more snarky "keep calm and abandon OpenSSL"
While on the topic, we thought it would be good to make people aware of shirts for other BSD projects too
You can get some FreeBSD, PCBSD and FreeNAS stuff from the FreeBSD mall site
OpenBSD recently launched their new store, but the selection is still a bit limited right now
NetBSD has a couple places where you can buy shirts and other apparel with the flag logo on it
We couldn't find any DragonFlyBSD shirts unfortunately, which is a shame since their logo is pretty cool
Profits from the sale of the gear go back to the projects, so pick up some swag and support your BSD of choice (and of course wear them at any Linux events you happen to go to) ***

OPNsense 15.1.4 released

The OPNsense guys have been hard at work since we spoke to them, fixing lots of bugs and keeping everything up to date
A number of versions have come out since then, with 15.1.4 being the latest (assuming they haven't updated it again by the time this airs)
This version includes the latest round of FreeBSD kernel security patches, as well as minor SSL and GUI fixes
They're doing a great job of getting upstream fixes pushed out to users quickly, a very welcome change
A developer has also posted an interesting write-up titled "Development Workflow in OPNsense"
If any of our listeners are trying OPNsense as their gateway firewall, let us know how you like it ***

Interview - Ed Maste - board@freebsdfoundation.org

The FreeBSD foundation's activities

News Roundup

Rolling with OpenBSD snapshots

One of the cool things about the -current branch of OpenBSD is that it doesn't require any compiling
There are signed binary snapshots being continuously re-rolled and posted on the FTP sites for every architecture
This provides an easy method to get onboard with the latest features, and you can also easily upgrade between them without reformatting or rebuilding
This blog post will walk you through the process of using snapshots to stay on the bleeding edge of OpenBSD goodness
After using -current for seven weeks, the author comes to the conclusion that it's not as unstable as people might think
He's now helping test out patches and new ports since he's running the same code as the developers ***

Signing pkgsrc packages

As of the time this show airs, the official pkgsrc packages aren't cryptographically signed
Someone from Joyent has been working on that, since they'd like to sign their pkgsrc packages for SmartOS
Using GNUPG pulled in a lot of dependencies, and they're trying to keep the bootstrapping process minimal
Instead, they're using netpgpverify, a fork of NetBSD's netpgp utility
Maybe someday this will become the official way to sign packages in NetBSD? ***

FreeBSD support model changes

Starting with 11.0-RELEASE, which won't be for a few months probably, FreeBSD releases are going to have a different support model
The plan is to move "from a point release-based support model to a set of releases from a branch with a guaranteed support lifetime"
There will now be a five-year lifespan for each major release, regardless of how many minor point releases it gets
This new model should reduce the turnaround time for errata and security patches, since there will be a lot less work involved to build and verify them
Lots more detail can be found in the mailing list post, including some important changes to the -STABLE branch, so give it a read ***

OpenSMTPD, Dovecot and SpamAssassin

We've been talking about setting up your own BSD-based mail server on the last couple episodes
Here we have another post from a user setting up OpenSMTPD, including Dovecot for IMAP and SpamAssassin for spam filtering
A lot of people regularly ask the developers how to combine OpenSMTPD with spam filtering, and this post should finally reveal the dark secrets
In addition, it also covers SSL certificates, PKI and setting up MX records - some things that previous posts have lacked
Just be sure to replace those "apt-get" commands and "eth0" interface names with something a bit more sane…
In related news, OpenSMTPD has got some interesting new features coming soon
They're also planning to switch to LibreSSL by default for the portable version ***

FreeBSD 10 on the Thinkpad T400

BSD laptop articles are becoming popular it seems - this one is about FreeBSD on a T400
Like most of the ones we've mentioned before, it shows you how to get a BSD desktop set up with all the little tweaks you might not think to do
This one differs in that it takes a more minimal approach to graphics: instead of a full-featured environment like XFCE or KDE, it uses the i3 tiling window manager
If you're a commandline junkie that basically just uses X11 to run more than one terminal at once, this might be an ideal setup for you
The post also includes some bits about the DRM and KMS in the 10.x branch, as well as vt ***

PC-BSD 10.1.1 Released

Automatic background updater now in
Shiny new Qt5 utils
OVA files for VM’s
Full disk encryption with GELI v7 ***

Feedback/Questions

Mailing List Gold

74: That Sly MINIX

JT Pennington — Wed, 28 Jan 2015 08:00:00 -0500

Coming up this week, we've got something a little bit different for you. We'll be talking with Andrew Tanenbaum, the creator of MINIX. They've recently imported parts of NetBSD into their OS, and we'll find out how and why that came about. As always, all the latest news and answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

The missing EuroBSDCon videos

Some of the missing videos from EuroBSDCon 2014 we mentioned before have mysteriously appeared
Jordan Hubbard, FreeBSD, looking forward to another 10 years
Lourival Viera Neto, NPF scripting with Lua
Kris Moore, Snapshots, replication and boot environments
Andy Tanenbaum, A reimplementation of NetBSD based on a microkernel
Kirk McKusick, An introduction to FreeBSD's implementation of ZFS
Emannuel Dreyfus, FUSE and beyond, bridging filesystems
John-Mark Gurney, Optimizing GELI performance
Unfortunately, there are still about six talks missing… and no ETA ***

FreeBSD on a MacBook Pro (or two)

We've got a couple posts about running FreeBSD on a MacBook Pro this week
In the first one, the author talks a bit about trying to run Linux on his laptop for quite a while, going back and forth between it and something that Just Works™
Eventually he came full circle, and the focus on using only GUI tools got in the way, instead of making things easier
He works on a lot of FreeBSD-related software, so switching to it for a desktop seems to be the obvious next step
He's still not quite to that point yet, but documents his experiments with BSD as a desktop
The second article also documents an ex-Linux user switching over to BSD for their desktop
It also covers power management, bluetooth and trackpad setup
On the topic of Gentoo, "Underneath the beautiful and easy-to-use Portage system lies the same glibc, the same turmoil over a switch to a less-than-ideal init system, and the same kernel-level bugs that bring my productivity down"
Check out both articles if you've been considering running FreeBSD on a MacBook ***

Remote logging over TLS

In most of the BSDs, syslogd has been able to remotely send logs to another server for a long time
That feature can be very useful, especially for forensics purposes - it's much harder for an attacker to hide their activities if the logs aren't on the same server
The problem is, of course, that it's sent in cleartext, unless you tunnel it over SSH or use some kind of third party wrapper
With a few recent commits, OpenBSD's syslogd now supports sending logs over TLS natively, including X509 certificate verification
By default, syslogd runs as an unprivileged user in a chroot on OpenBSD, so there were some initial concerns about certificate verification - how does that user access the CA chain outside of the chroot?
That problem was also conquered, by loading the CA chain directly from memory, so the entire process can be run in the chroot without issue
Some of the privsep verifcation code even made its way into LibreSSL right afterwards
If you haven't set up remote logging before, now might be an interesting time to try it out ***

FreeBSD, not a Linux distro

George Neville-Neil gave a presentation recently, titled "FreeBSD: not a Linux distro"
It's meant to be an introduction to new users that might've heard about FreeBSD, but aren't familiar with any BSD history
He goes through some of that history, and talks about what FreeBSD is and why you might want to use it over other options
There's even an interesting "thirty years in three minutes" segment
It's not just a history lesson though, he talks about some of the current features and even some new things coming in the next version(s)
We also learn about filesystems, jails, capsicum, clang, dtrace and the various big companies using FreeBSD in their products
This might be a good video to show your friends or potential employer if you're looking to introduce FreeBSD to them ***

Long-term support considered harmful

There was recently a pretty horrible bug in GNU's libc (BSDs aren't affected, don't worry)
Aside from the severity of the actual problem, the fix was delayed for quite a long time, leaving people vulnerable
Ted Unangst writes a post about how this idea of long-term support could actually be harmful in the long run, and compares it to how OpenBSD does things
OpenBSD releases a new version every six months, and only the two most recent releases get support and security fixes
He describes this as both a good thing and a bad thing: all the bugs in the ecosystem get flushed out within a year, but it forces people to stay (relatively) up-to-date
"Upgrades only get harder and more painful (and more fragile) the longer one goes between them. More changes, more damage. Frequent upgrades amortize the cost and ensure that regressions are caught early."
There was also some discussion about the article you can check out ***

Interview - Andrew Tanenbaum - info@minix3.org / @minix3

MINIX's integration of NetBSD

News Roundup

Using AFL on OpenBSD

We've talked about American Fuzzy Lop a bit on a previous episode, and how some OpenBSD devs are using it to catch and fix new bugs
Undeadly has a cool guide on how you can get started with fuzzing
It's a little on the advanced side, but if you're interested in programming or diagnosing crashes, it'll be a really interesting article to read
Lots of recent CVEs in other open source projects are attributed to fuzzing - it's a great way to stress test your software ***

Lumina 0.8.1 released

A new version of Lumina, the BSD-licensed desktop environment from PCBSD, has been released
This update includes some new plugins, lots of bugfixes and even "quality-of-life improvements"
There's a new audio player desktop plugin, a button to easily minimize all windows at once and some cool new customization options
You can get it in PCBSD's edge repo or install it through regular ports (on FreeBSD, OpenBSD or DragonFly!)
If you haven't seen our episode about Lumina, where we interview the developer and show you a tour of its features, gotta go watch it ***

My first OpenBSD port

The author of the "Code Rot & Why I Chose OpenBSD" article has a new post up, this time about ports
He recently made his first port and got it into the tree, so he talks about the whole process from start to finish
After learning some of the basics and becoming comfortable running -current, he noticed there wasn't a port for the "Otter" web browser
At that point he did what you're supposed to do in that situation, and started working on it himself
OpenBSD has a great porter's handbook that he referenced throughout the process
Long story short, his browser of choice is in the official ports collection and now he's the maintainer (and gets to deal with any bug reports, of course)
If some software you use isn't available for whatever BSD you're using, you could be the one to make it happen ***

How to slide with DragonFly

DragonFly BSD has a new HAMMER FS utility called "Slider"
It's used to easily browse through file history and undelete files - imagine something like a commandline version of Apple's Time Machine
They have a pretty comprehensive guide on how to use it on their wiki page
If you're using HAMMER FS, this is a really handy tool to have, check it out ***

OpenSMTPD with Dovecot and Salt

We recently had a feedback question about which mail servers you can use on BSD - Postfix, Exim and OpenSMTPD being the big three
This blog post details how to set up OpenSMTPD, including Dovecot for IMAP and Salt for quick and easy deployment
Intrigued by it becoming the default MTA in OpenBSD, the author decided to give it a try after being a long-time Postfix fan
"Small, fast, stable, and very easy to customize, no more ugly m4 macros to deal with"
Check it out if you've been thinking about configuring your first mail server on any of the BSDs ***

Feedback/Questions

Mailing List Gold

73: Pipe Dreams

JT Pennington — Wed, 21 Jan 2015 08:00:00 -0500

This week on the show we'll be chatting with David Maxwell, a former NetBSD security officer. He's got an interesting project called Pipecut that takes a whole new approach to the commandline. We've also got answers to viewer-submitted questions and all this week's headlines, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD quarterly status report

The FreeBSD team has posted an updated on some of their activities between October and December of 2014
They put a big focus on compatibility with other systems: the Linux emulation layer, bhyve, WINE and Xen all got some nice improvements
As always, the report has lots of updates from the various teams working on different parts of the OS and ports infrastructure
The release engineering team got 10.1 out the door, the ports team shuffled a few members in and out and continued working on closing more PRs
FreeBSD's forums underwent a huge change, and discussion about the new support model for release cycles continues (hopefully taking effect after 11.0 is released)
Git was promoted from beta to an officially-supported version control system (Kris is happy)
The core team is also assembling a new QA team to ensure better code quality in critical areas, such as security and release engineering, after getting a number of complaints
Other notable entries include: lots of bhyve fixes, Clang/LLVM being updated to 3.5.0, ongoing work to the external toolchain, adding FreeBSD support to more "cloud" services, pkgng updates, work on SecureBoot, more ARM support and graphics stack improvements
Check out the full report for all the details that we didn't cover ***

OpenBSD package signature audit

"Linux Audit" is a website focused on auditing and hardening systems, as well as educating people about securing their boxes
They recently did an article about OpenBSD, specifically their ports and package system and signing infrastructure
The author gives a little background on the difference between ports and binary packages, then goes through the technical details of how releases and packages are cryptographically signed
Package signature formats and public key distribution methods are also touched on
After some heckling, the author of the post said he plans to write more BSD security articles, so look forward to them in the future
If you haven't seen our episode about signify with Ted Unangst, that would be a great one to check out after reading this ***

Replacing a Linux router with BSD

There was recently a Slashdot discussion about migrating a Linux-based router to a BSD-based one
The poster begins with "I'm in the camp that doesn't trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I'd run Windows NT, not Linux. So I've decided to migrate my homebrew router/firewall/samba server to one of the BSDs."
A lot of people were quick to recommend OPNsense and pfSense, being that they're very easy to administer (requiring basically no BSD knowledge at all)
Other commenters suggested a more hands-on approach, setting one up yourself with FreeBSD or OpenBSD
If you've been thinking about moving some routers over from Linux or other commercial solution, this might be a good discussion to read through
Unfortunately, a lot of the comments are just Linux users bickering about systemd, so you'll have to wade through some of that to get to the good information ***

LibreSSL in FreeBSD and OPNsense

A FreeBSD sysadmin has started documenting his experience replacing OpenSSL in the base system with the one from ports (and also experimenting with LibreSSL)
The reasoning being that updates in base tend to lag behind, whereas the port can be updated for security very quickly
OPNsense developers are looking into switching away from OpenSSL to LibreSSL's portable version, for both their ports and base system, which would be a pretty huge differentiator for their project
Some ports still need fixing to be compatible though, particularly a few python-related ones
If you're a FreeBSD ports person, get involved and help squash some of the last remaining bugs
A lot of the work has already been done in OpenBSD's ports tree - some patches just need to be adopted
More and more upstream projects are incorporating LibreSSL patches in their code - let your favorite software vendor know that you're using it ***

Interview - David Maxwell - david@netbsd.org / @david_w_maxwell

Pipecut, text processing, commandline wizardry

News Roundup

Jetpack, a new jail container system

A new project was launched to adapt FreeBSD jails to the "app container specification"
While still pretty experimental in terms of the development phase, this might be something to show your Linux friends who are in love with docker
It's a similar project to iocage or bsdploy, which we haven't talked a whole lot about
There was also some discussion about it on Hacker News ***

Separating base and package binaries

All of the main BSDs make a strong separation between the base system and third party software
This is in contrast to Linux where there's no real concept of a "base system" - more recently, some distros have even merged all the binaries into a single directory
A user asks the community about the BSD way of doing it, trying to find out the advantages and disadvantages of both hierarchies
Read the comments for the full explanation, but having things separated really helps keep things organized ***

Updated i915kms driver for FreeBSD

This update brings the FreeBSD code closer inline with the Linux code, to make it easier to update going forward
It doesn't introduce Haswell support just yet, but was required before the Haswell bits can be added ***

Year of the OpenBSD desktop

Here we have an article about using OpenBSD as a daily driver for regular desktop usage
The author says he "ran fifty thousand different distributions, never being satisfied"
After dealing with the problems of Linux and fragmentation, he eventually gave up and bought a Macbook
He also used FreeBSD between versions 7 and 9, finding a "a mostly harmonious environment," but regressions lead him to give up on desktop *nix once again
Starting with 2015, he's back and is using OpenBSD on a Thinkpad x201
The rest of the article covers some of his configuration tweaks and gives an overall conclusion on his current setup
He apparently used our desktop tutorial - thanks for watching! ***

Unattended FreeBSD installation

A new BSD user was looking to get some more experience, so he documented how to install FreeBSD over PXE
His goal was to have a setup similar to Redhat's "kickstart" or OpenBSD's autoinstall
The article shows you how to set up DHCP and TFTP, with no NFS share setup required
He also gives a mention to mfsbsd, showing how you can customize its startup script to do most of the work for you ***

Feedback/Questions

Mailing List Gold

72: Common *Sense Approach

JT Pennington — Wed, 14 Jan 2015 08:00:00 -0500

This week on the show, we'll be talking to Jos Schellevis about OPNsense, a new firewall project that was forked from pfSense. We'll learn some of the backstory and see what they've got planned for the future. We've also got all this week's news and answers to all your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Be your own VPN provider with OpenBSD

We've covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past - but what if you don't trust any VPN company?
It's easy for anyone to say "of course we don't run a modified version of OpenVPN that logs all your traffic... what are you talking about?"
The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
With this guide, you'll be able to cut out the middleman and create your own VPN, using OpenBSD
It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN ***

FreeBSD vs Gentoo comparison

People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
If you're a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more ***

Kernel W^X in OpenBSD

W^X, "Write XOR Execute," is a security feature of OpenBSD with a rather strange-looking name
It's meant to be an exploit mitigation technique, disallowing pages in the address space of a process to be both writable and executable at the same time
This helps prevent some types of buffer overflows: code injected into it won't execute, but will crash the program (quite obviously the lesser of the two evils)
Through some recent work, OpenBSD's kernel now has no part of the address space without this feature - whereas it was only enabled in the userland previously
Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that's been in the works for a while
More technical details can be found in some recent CVS commits ***

Building an IPFW-based router

We've covered building routers with PF many times before, but what about IPFW?
A certain host of a certain podcast decided it was finally time to replace his disappointing consumer router with something BSD-based
In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
If you're an IPFW fan and are thinking about putting together a new router, give this post a read ***

Interview - Jos Schellevis - project@opnsense.org / @opnsense

The birth of OPNsense

News Roundup

On profiling HTTP

Adrian Chadd, who we've had on the show before, has been doing some more ultra-high performance testing
Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
According to him, it's "not very pretty"
He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
You can check out his new code on Github right now ***

Using divert(4) to reduce attacks

We talked about using divert(4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you're running
PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won't work
The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious
Consider setting this up to reduce the attack spam in your logs if you run public services ***

ChaCha20 patchset for GELI

A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption system
There are also some benchmarks that look pretty good in terms of performance
Currently, GELI defaults to AES in XTS mode with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
There's some discussion going on about whether a stream cipher is suitable or not for disk encryption though, so this might not be a match made in heaven just yet ***

PCBSD update system enhancements

The PCBSD update utility has gotten an update itself, now supporting automatic upgrades
You can choose what parts of your system you want to let it automatically handle (packages, security updates)
The update system uses ZFS and Boot Environments for safe updating and bypasses some dubious pkgng functionality
There's also a new graphical frontend available for it ***

Feedback/Questions

Mailing List Gold

71: System Disaster

JT Pennington — Wed, 07 Jan 2015 08:00:00 -0500

This time on the show, we'll be talking to Ian Sutton about his new BSD compatibility wrappers for various systemd dependencies. Don't worry, systemd is not being ported to BSD! We're still safe! We've also got all the week's news and answers to your emails, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Introducing OPNsense, a pfSense fork

OPNsense is a new BSD-based firewall project that was recently started, forked from the pfSense codebase
Even though it's just been announced, they already have a formal release based on FreeBSD 10 (pfSense's latest stable release is based on 8.3)
The core team includes a well-known DragonFlyBSD developer
You can check out their code on Github now, or download an image and try it out - let us know if you do and what you think about it
They also have a nice wiki and some instructions on getting started for new users
We plan on having them on the show next week to learn a bit more about how the project got started and why you might want to use it - stay tuned ***

Code rot and why I chose OpenBSD

Here we have a blog post about rotting codebases - a core banking system in this example
The author tells the story of how his last days spent at the job were mostly removing old, dead code from a giant project
He goes on to compare it to OpenSSL and the hearbleed disaster, from which LibreSSL was born
Instead of just bikeshedding like the rest of the internet, OpenBSD "silently started putting the beast into shape" as he puts it
The article continues on to mention OpenBSD's code review process, and how it catches any bugs so we don't have more heartbleeds
"In OpenBSD you are encouraged to run current and the whole team tries its best to make current as stable as it can. You know why? They eat their own dog food. That's so simple yet so amazing that it blows my mind. Developers actually run OpenBSD on their machines daily."
It's a very long and detailed story about how the author has gotten more involved with BSD, learned from the mailing lists and even started contributing back - he says "In summary, I'm learning more than ever - computing is fun again"
Look for the phrase "Getting Started" in the blog post for a nice little gem ***

ZFS vs HAMMER FS

One of the topics we've seen come up from time to time is how FreeBSD's ZFS and DragonFly's HAMMER FS compare to each other
They both have a lot of features that traditional filesystems lack
A forum thread was opened for discussion about them both and what they're typically used for
It compares resource requirements, ideal hardware and pros/cons of each
Hopefully someone will do another new comparison when HAMMER 2 is finished
This is not to be confused with the other "hammer" filesystem ***

Portable OpenNTPD revived

With ISC's NTPd having so many security vulnerabilities recently, people need an alternative NTP daemon
OpenBSD has developed OpenNTPD since 2004, but the portable version for other operating systems hasn't been actively maintained in a few years
The older version still works fine, and is in FreeBSD ports and NetBSD pkgsrc, but it would be nice to have some of the newer features and fixes from the native version
Brent Cook, who we've had on the show before to talk about LibreSSL, decided it was time to fix this
While looking through the code, he also found some fixes for the native version as well
You can grab it from Github now, or just wait for the updated release to hit the repos of your OS of choice ***

Interview - Ian Sutton - ian@kremlin.cc

BSD replacements for systemd dependencies

News Roundup

pkgng adds OS X support

FreeBSD's next-gen package manager has just added support for Mac OS X
Why would you want that? Well.. we don't really know, but it's cool
The author of the patch may have some insight about what his goal is though
This could open up the door for a cross-platform pkgng solution, similar to NetBSD's pkgsrc
There's also the possibility of pkgng being used as a packaging format for MacPorts in the future
While we're on the topic of pkgng, you can also watch bapt's latest presentation about it from ruBSD 2014 - "four years of pkg" ***

Secure secure shell

Almost everyone watching BSD Now probably uses OpenSSH and has set up a server at one point or another
This guide provides a list of best practices beyond the typical "disable root login and use keys" advice you'll often hear
It specifically goes in-depth with server and client configuration with the best key types, KEX methods and encryption ciphers to use
There are also good explanations for all the choices, based both on history and probability
Minimal backwards compatibility is kept, but most of the old and insecure stuff gets disabled
We've also got a handy chart to show which SSH implementations support which ciphers, in case you need to support Windows users or people who use weird clients ***

Dissecting OpenBSD's divert(4)

PF has a cool feature that not a lot of people seem to know about: divert
It lets you send packets to userspace, allowing you to inspect them a lot easier
This blog post, the first in a series, details all the cool things you can do with divert and how to use it
A very common example is with intrusion detection systems like Snort ***

Screen recording on FreeBSD

This is a neat article about a topic we don't cover very often: making video content on BSD
In the post, you'll learn how to make screencasts with FreeBSD, using kdenlive and ffmpeg
There are also notes about getting a USB microphone working, so you can do commentary on whatever you're showing
It also includes lots of details and helpful screenshots throughout the process
You should make cool screencasts and send them to us ***

Feedback/Questions

Mailing List Gold

70: Daemons in the North

JT Pennington — Wed, 31 Dec 2014 08:00:00 -0500

It's our last episode of 2014, and we'll be chatting with Dan Langille about the upcoming BSDCan conference. We'll find out what's planned and what sorts of presentations they're looking for. As usual, answers to viewer-submitted questions and all the week's news, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

OpenBSD PIE enhancements

ASLR and PIE are great security features that OpenBSD has had enabled by default for a long time, in both the base system and ports, but they have one inherent problem
They only work with dynamic libraries and binaries, so if you have any static binaries, they don't get the same treatment
For example, the default shells (and many other things in /bin and /sbin) are statically linked
In the case of the static ones, you can always predict the memory layout, which is very bad and sort of defeats the whole purpose
With this and a few related commits, OpenBSD fixes this by introducing static self-relocation
More and more CPU architectures are being tested and getting support too; this isn't just for amd64 and i386 - VAX users can rest easy
It'll be available in 5.7 in May, or you can use a -current snapshot if you want to get a slice of the action now ***

FreeBSD foundation semi-annual newsletter

The FreeBSD foundation publishes a huge newsletter twice a year, detailing their funded projects and some community activities
As always, it starts with a letter from the president of the foundation - this time it's about encouraging students and new developers to get involved
The article also has a fundraising update with a list of sponsored projects, and they note that the donations meter has changed from dollars to number of donors (since they exceeded the goal already)
You can read summaries of all the BSD conferences of 2014 and see a list of upcoming ones next year too
There are also sections about the FreeBSD Journal's progress, a new staff member and a testimonial from NetApp
It's a very long report, so dedicate some time to read all the way through it
This year was pretty great for BSD: both the FreeBSD and OpenBSD foundations exceeded their goals and the NetBSD foundation came really close too
As we go into 2015, consider donating to whichever BSD you use, it really can make a difference ***

Modernizing OpenSSH fingerprints

When you connect to a server for the first time, you'll get what's called a fingerprint of the host's public key - this is used to verify that you're actually talking to the same server you intended to
Up until now, the key fingerprints have been an MD5 hash, displayed as hex
This can be problematic, especially for larger key types like RSA that give lots of wiggle room for collisions, as an attacker could generate a fake host key that gives the same MD5 string as the one you wanted to connect to
This new change replaces the default MD5 and hex with a base64-encoded SHA256 fingerprint
You can add a "FingerprintHash" line in your ssh_config to force using only the new type
There's also a new option to require users to authenticate with more than one public key, so you can really lock down login access to your servers - also useful if you're not 100% confident in any single key type
The new options should be in the upcoming 6.8 release ***

Interview - Dan Langille - info@bsdcan.org / @bsdcan

Plans for the BSDCan 2015 conference

News Roundup

Introducing ntimed, a new NTP daemon

As we've mentioned before in our tutorials, there are two main daemons for the Network Time Protocol - ISC's NTPd and OpenBSD's OpenNTPD
With all the recent security problems with ISC's NTPd, Poul-Henning Kamp has been working on a third NTP daemon
It's called "ntimed" and you can try out a preview version of it right now - it's in FreeBSD ports or on Github
PHK also has a few blog entries about the project, including status updates ***

OpenBSD-maintained projects list

There was recently a read on the misc mailing list asking about different projects started by OpenBSD developers
The initial list had marks for which software had portable versions to other operating systems (OpenSSH being the most popular example)
A developer compiled a new list from all of the replies to that thread into a nice organized webpage
Most people are only familiar with things like OpenSSH, OpenSMTPD, OpenNTPD and more recently LibreSSL, but there are quite a lot more
This page also serves as a good history lesson for BSD in general: FreeBSD and others have ported some things over, while a couple OpenBSD tools were born from forks of FreeBSD tools (mergemaster, pkg tools, portscout) ***

Monitoring network traffic with FreeBSD

If you've ever been curious about monitoring network traffic on your FreeBSD boxes, this forum post may be exactly the thing for you
It'll show you how to combine the Netflow, NfDump and NfSen suite of tools to get some pretty detailed network stats (and of course put them into a fancy webpage)
This is especially useful for finding out what was going on at a certain point in time, for example if you had a traffic spike ***

Trapping spammers with spamd

This is a blog post about OpenBSD's spamd - a spam email deferral daemon - and how to use it for your mail
It gives some background on the greylisting approach to spam, rather than just a typical host blacklist
"Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the sender re-attempts mail delivery at a later time, the sender may be allowed to continue the mail delivery conversation."
The post also shows how to combine it with PF and other tools for a pretty fancy mail setup
You can find spamd in the OpenBSD base system, or use it with FreeBSD or NetBSD via ports and pkgsrc
You might also want to go back and listen to BSDTalk episode 68, where Will talks to Bob Beck about spamd ***

Feedback/Questions

Mailing List Gold

69: Under the Ports Tree

JT Pennington — Wed, 24 Dec 2014 08:00:00 -0500

It's a special holiday episode! We asked you guys in the audience to send in the tale of how you first got into BSD, and we're going to share those with everyone today. We'll also be playing two bonus mini-interviews, so get comfy by the fire and listen to some BSD Now - the place to B.. SD.

This episode was brought to you by

Special segment

How our viewers got into BSD

Jason's story (text)
bsdx's story (text)
David's story (text)
Brad's story (text)
Reese's story (video)
Bryan's story (video)
Pete's story (text)
Anders' story (text)
Guillermo's story (text)
Jonathan's story (text)
Adam's story (text)
Chris' story (text)
Tigersharke's story (text)
Roller and Kandie's stories (text)
Uwe's story (text)
Pascal's story (text) and (image) ***

Interview - Erwin Lansing - erwin@freebsd.org

BSD in Europe, getting people involved

Interview - Cristina Vintila - @cristina_crow

BSD conferences

68: Just the Essentials

JT Pennington — Wed, 17 Dec 2014 08:00:00 -0500

Coming up this week, we'll be talking with Michael Lucas about his newest BSD book, "FreeBSD Mastery: Storage Essentials." It's got lots of great information about the disk subsystems, GEOM, filesystems, you name it. We've also got the usual round of news and answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

OpenBSD vs FreeBSD security features

From the author of both the OpenBSD and FreeBSD secure gateway articles we've featured in the past comes a new entry about security
The article goes through a list of all the security features enabled (and disabled) by default in both FreeBSD and OpenBSD
It covers a wide range of topics, including: memory protection, randomization, encryption, privilege separation, Capsicum, securelevels, MAC, Jails and chroots, network stack hardening, firewall features and much more
This is definitely one of the most in-depth and complete articles we've seen in a while - the author seems to have done his homework
If you're looking to secure any sort of BSD box, this post has some very detailed explanations of different exploit mitigation techniques - be sure to read the whole thing
There are also some good comments on DaemonForums and lobste.rs that you may want to read ***

The password? You changed it, right?

Peter Hansteen has a new blog post up, detailing some weird SSH bruteforcing he's seen recently
He apparently reads his auth logs when he gets bored at an airport
This new bruteforcing attempt seems to be targetting D-Link devices, as evidenced by the three usernames the bots try to use
More than 700 IPs have tried to get into Peter's BSD boxes using these names in combination with weak passwords
Lots more details, including the lists of passwords and IPs, can be found in the full article
If you're using a BSD router, things like this can be easily prevented with PF or fail2ban (and you probably don't have a "d-link" user anyway) ***

Get started with FreeBSD, an intro for Linux users

Another new BSD article on a mainstream technology news site - seems we're getting popular
This article is written for Linux users who may be considering switching over to BSD and wondering what it's all about
It details installing FreeBSD 9.3 and getting a basic system setup, while touching on ports and packages, and explaining some terminology along the way
"Among the legions of Linux users and admins, there seems to be a sort of passive curiosity about FreeBSD and other BSDs. Like commuters on a packed train, they gaze out at a less crowded, vaguely mysterious train heading in a slightly different direction and wonder what traveling on that train might be like" **

Interview - Michael W. Lucas - mwlucas@michaelwlucas.com / @mwlauthor

FreeBSD Mastery: Storage Essentials

News Roundup

OpenSMTPD status update

The OpenSMTPD guys, particularly Gilles, have posted an update on what they've been up to lately
As of 5.6, it's become the default MTA in OpenBSD, and sendmail will be totally gone in 5.7
Email is a much more tricky protocol than you might imagine, and the post goes through some of the weirdness and problems they've had to deal with
There's also another post that goes into detail on their upcoming filtering API - a feature many have requested
The API is still being developed, but you can test it out now if you know what you're doing - full details in the article
OpenSMTPD also has portable versions in FreeBSD ports and NetBSD pkgsrc, so check it out ***

OpenCrypto changes in FreeBSD

A little while back, we talked to John-Mark Gurney about updating FreeBSD's OpenCrypto framework, specifically for IPSEC
Some of that work has just landed in the -CURRENT branch, and the commit has a bit of details
The ICM and GCM modes of AES were added, and both include support for AESNI
There's a new port - "nist-kat" - that can be used to test the new modes of operation
Some things were fixed in the process as well, including an issue that would leak timing info and result in the ability to forge messages
Code was also borrowed from both OpenBSD and NetBSD to make this possible ***

First thoughts on OpenBSD's httpd

Here we have a blog post from a user of OpenBSD's new homegrown web server that made its debut in 5.6
The author loves that it has proper privilege separation, a very simple config syntax and that it always runs in a chroot
He also mentions dynamic content hosting with FastCGI, and provides an example of how to set it up
Be sure to check our interview with Reyk about the new httpd if you're curious on how it got started
Also, if you're running the version that came with 5.6, there's a huge patch you can apply to get a lot of the features and fixes from -current without waiting for 5.7 ***

Steam on PCBSD

One of the most common questions people who want to use BSD as a desktop ask us is "can I run games?" or "can I use steam?"
Steam through the Linux emulation layer (in FreeBSD) may be possible soon, but it's already possible to use it with WINE
This video shows how to get Steam set up on PCBSD using the Windows version
There are also some instructions in the video description to look over
A second video details getting streaming set up ***

Feedback/Questions

67: Must Be Rigged

JT Pennington — Wed, 10 Dec 2014 08:00:00 -0500

Coming up this week on the show, we've got an interview with Patrick Wildt, one of the developers of Bitrig. We'll find out all the details of their OpenBSD fork, what makes it different and what their plans are going forward. We've also got all the week's news and answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Bitrig 1.0 released

If you haven't heard of it, Bitrig is a fork of OpenBSD that started a couple years ago
According to their FAQ, some of their goals include: only supporting modern hardware and a limited set of CPU architectures, replacing nearly all GNU tools in base with BSD versions and having better virtualization support
They've finally announced their first official release, 1.0
This release introduces support for Clang 3.4, replacing the old GCC, along with libc++ replacing the GNU version
It also includes filesystem journaling, support for GPT and - most importantly - a hacker-style console with green text on black background
One of the developers answered some questions about it on Hacker News too ***

Is it time to try BSD?

Here we get a little peek into the Linux world - more and more people are considering switching
On a more mainstream tech news site, they have an article about people switching away from Linux and to BSD
People are starting to get even more suspicious of systemd, and lots of drama in the Linux world is leading a whole new group of potential users over to the BSD side
This article explores some pros and cons of switching, and features opinions of various users ***

Poudriere 3.1 released

One of the first things we ever covered on the show was poudriere, a tool with a funny name that's used to build binary packages from FreeBSD ports
It's come a long way since then, and bdrewery and bapt have just announced a new major version
This new release features a redesigned web interface to check on the status of your packages
There are lots of new bulk building options to preserve packages even if some fail to compile - this makes maintaining a production repo much easier
It also introduces a useful new "pkgclean" subcommand to clean out your repository of packages that aren't needed anymore, and poudriere keeps it cleaner by default as well now
Check the full release notes for all the additions and bug fixes ***

Firewalling with OpenBSD's pf and pfsync

A talk by David Gwynne from an Australian conference was uploaded, with the subject matter being pf and pfsync
He uses pf to manage 60 internal networks with a single firewall
The talk gives some background on how pf originally came to be and some OpenBSD 101 for the uninitiated
It also touches on different rulesets, use cases, configuration syntax, placing limits on connections, ospf, authpf, segregating VLANs, synproxy handling and a lot more
The second half of the presentation focuses on pfsync and carp for failover and redundancy
With two BSD boxes running pfsync, you can actually patch your kernel and still stay connected to IRC ***

Interview - Patrick Wildt - patrick@bitrig.org / @bitrig

The initial release of Bitrig

News Roundup

Infrastructural enhancements at NYI

The FreeBSD foundation put up a new blog post detailing some hardware improvements they've recently done
Their eastern US colocation is hosted at New York Internet, and is used for FTP mirrors, pkgng mirrors, and also as a place for developers to test things
There've been fourteen machines purchased since July, and now FreeBSD boasts a total of sixty-eight physical boxes there
This blog post goes into detail about how those servers are used and details some of the network topology ***

The long tail of MD5

Our friend Ted Unangst is on a quest to replace all instances of MD5 in OpenBSD's tree with something more modern
In this blog post, he goes through some of the different areas where MD5 still lives, and discovers how easy (or impossible) it would be to replace
Through some recent commits, OpenBSD now uses SHA512 in some places that you might not expect
Some other places require a bit more care… ***

DragonFly cheat sheet

If you've been thinking of trying out DragonFlyBSD lately, this might make the transition a bit easier
A user-created "cheat sheet" on the website lists some common answers to beginner questions
The page features a walkthrough of the installer, some shell tips and workarounds for various issues
At the end, it also has some things that new users can get involved with to help out ***

Experiences with an OpenBSD laptop

A lot of people seem to be interested in trying out some form of BSD on their laptop, and this article details just that
The author got interested in OpenBSD mostly because of the security focus and the fact that it's not Linux
In this blog post, he goes through the steps of researching, installing, configuring, upgrading and finally actually using it on his Thinkpad
He even gives us a mention as a good place to learn more about BSD, thanks! ***

PC-BSD Updates

A call for testing of a new update system has gone out
Conversion to Qt5 for utils has taken place ***

Feedback/Questions

Mailing List Gold

Over 440% faster
The PF conundrum (edit: Allan misspoke about PF performance during this segment, apologies.)
Violating bad standards
apt-get rid of systemd ***

66: Conference Connoisseur

JT Pennington — Wed, 03 Dec 2014 08:00:00 -0500

This week on the show, we'll be talking with Paul Schenkeveld, chairman of the EuroBSDCon foundation. He tells us about his experiences running BSD conferences and how regular users can get involved too. We've also got answers to all your emails and the latest news, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

BSD-powered digital library in Africa

You probably haven't heard much about Nzega, Tanzania, but it's an East African country without much internet access
With physical schoolbooks being a rarity there, a few companies helped out to bring some BSD-powered reading material to a local school
They now have a pair of FreeNAS Minis at the center of their local network, with over 80,000 books and accompanying video content stored on them (~5TB of data currently)
The school's workstations also got wiped and reloaded with FreeBSD, and everyone there seems to really enjoy using it ***

pfSense 2.2 status update

With lots of people asking when the 2.2 release will be done, some pfSense developers decided to provide a status update
2.2 will have a lot of changes: being based on FreeBSD 10.1, Unbound instead of BIND, updating PHP to something recent, including the new(ish) IPSEC stack updates, etc
All these things have taken more time than previously expected
The post also has some interesting graphs showing the ratio of opened and close bugs for the upcoming release ***

Recommended hardware threads

A few threads on caught our attention this week, all about hardware recommendations for BSD setups
In the first one, the OP asks about mini-ITX hardware to run a FreeBSD server and NAS
Everyone gave some good recommendations for low power, Atom-based systems
The second thread started off asking about which CPU architecture is best for PF on an OpenBSD router, but ended up being another hardware thread
For a router, the ALIX, APU and Soekris boards still seem to be the most popular choices, with the third and fourth threads confirming this
If you're thinking about building your first BSD box - server, router, NAS, whatever - these might be some good links to read ***

Interview - Paul Schenkeveld - freebsd@psconsult.nl

Running a BSD conference

News Roundup

From Linux to FreeBSD - for reals

Another Linux user is ready to switch to BSD, and takes to Reddit for some community encouragement (seems to be a common thing now)
After being a Linux guy for 20(!) years, he's ready to switch his systems over, and is looking for some helpful guides to transition
In the comments, a lot of new switchers offer some advice and reading material
If any of the listeners have some things that were helpful along your switching journey, maybe send 'em this guy's way ***

Running FreeBSD as a Xen Dom0

Continuing progress has been made to allow FreeBSD to be a host for the Xen hypervisor
This wiki article explains how to run the Xen branch of FreeBSD and host virtual machines on it
Xen on FreeBSD currently supports PV guests (modified kernels) and HVM (unmodified kernels, uses hardware virtualization features)
The wiki provides instructions for running Debian (PV) and FreeBSD (HVM), and discusses the features that are not finished yet ***

HardenedBSD updates and changes

a.out is the old executable format for Unix
The name stands for assembler output, and was coined by Ken Thompson as the fixed name for output of his PDP-7 assembler in 1968
FreeBSD, on which HardenedBSD is based, switched away from a.out in version 3.0
A restriction against NULL mapping was introduced in FreeBSD 7 and enabled by default in FreeBSD 8
However, for reasons of compatibility, it could be switched off, allowing buggy applications to continue to run, at the risk of allowing a kernel bug to be exploited
HardenedBSD has removed the sysctl, making it impossible to run in ‘insecure mode’
Package building update: more consistent repo, no more i386 packages ***

Feedback/Questions

Boris writes in
Alex writes in (edit: adding "tinker panic 0" to the ntp.conf will disable the sanity check)
Chris writes in
Robert writes in
Jake writes in ***

Mailing List Gold

Real world authpf use
The great perl event of 2014 ***

65: 8,000,000 Mogofoo-ops

JT Pennington — Wed, 26 Nov 2014 08:00:00 -0500

Coming up on the show this week, we've got an interview with Brendan Gregg of Netflix. He's got a lot to say about performance tuning and benchmarks, and even some pretty funny stories about how people have done them incorrectly. As always, this week's news and answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Even more BSD presentation videos

More videos from this year's MeetBSD and OpenZFS devsummit were uploaded since last week
Robert Ryan, At the Heart of the Digital Economy
FreeNAS & ZFS, The Indestructible Duo - Except for the Hard Drives
Richard Yao, libzfs_core and ioctl stabilization
OpenZFS, Company lightning talks
OpenZFS, Hackathon Presentation and Awards
Pavel Zakharov, Fast File Cloning
Rick Reed, Half a billion unsuspecting FreeBSD users
Alex Reece & Matt Ahrens, Device Removal
Chris Side, Channel Programs
David Maxwell, The Unix command pipeline
Be sure to check out the giant list of videos from last week's episode if you haven't seen them already ***

NetBSD on a Cobalt Qube 2

The Cobalt Qube was a very expensive networking appliance around 2000
In 2014, you can apparently get one of these MIPS-based machines for about forty bucks
This blog post details getting NetBSD installed and set up on the rare relic of our networking past
If you're an old-time fan of RISC or MIPS CPUs, this'll be a treat for you
Lots of great pictures of the hardware too ***

OpenBSD vs. AFL

In their never-ending security audit, some OpenBSD developers have been hitting various parts of the tree with a fuzzer
If you're not familiar, fuzzing is a semi-automated way to test programs for crashes and potential security problems
The program being subjected to torture gets all sorts of random and invalid input, in the hopes of uncovering overflows and other bugs
American Fuzzy Lop, in particular, has provided some interesting results across various open source projects recently
So far, it's fixed some NULL pointer dereferences in OpenSSH, various crashes in tcpdump and mandoc and a few other things
AFL has an impressive list of CVEs (vulnerabilities) that it's helped developers discover and fix
It also made its way into OpenBSD ports, FreeBSD ports and NetBSD's pkgsrc very recently, so you can try it out for yourself ***

GNOME 3 hits the FreeBSD ports tree

While you've been able to run GNOME 3 on PC-BSD and OpenBSD for a while, it hasn't actually hit the FreeBSD ports tree.. until now
Now you can play with GNOME 3 and all its goodies (as well as Cinnamon 2.2, which this also brings in) on vanilla FreeBSD
Be sure to check the commit message and /usr/ports/UPDATING if you're upgrading from GNOME 2
You might also want to go back and listen to our interview with Joe Marcus Clark about GNOME's portability ***

Interview - Brendan Gregg - bgregg@netflix.com / @brendangregg

Performance tuning, benchmarks, debugging

News Roundup

DragonFlyBSD 4.0 released

A new major version of DragonFly, 4.0.1, was just recently announced
This version includes support for Haswell GPUs, lots of SMP improvements (including some in PF) and support for up to 256 CPUs
It's also the first release to drop support for i386, so it joins PCBSD in the 64 bit-only club
Check the release notes for all the details, including networking and kernel improvements, as well as some crypto changes ***

Can we talk about FreeBSD vs Linux

Hackernews had a recent thread about discussing Linux vs BSD, and the trolls stayed away for once
Rather than rehashing why one is "better" than the other, it was focused on explaining some of the differences between ecosystems and communities
If you're one of the many people who watch our show just out of curiosity about the BSD world, this might be a good thread to read
Someone in the comments even gave bsdnow.tv a mention as a good resource to learn, thanks guy ***

OpenBSD IPSEC tunnel guide

If you've ever wanted to connect two networks with OpenBSD gateways, this is the article for you
It shows how to set up an IPSEC tunnel between destinations, how to lock it down and how to access all the machines on the other network just like they were on your LAN
The article also explains some of the basics of IPSEC if you're not familiar with all the terminology, so this isn't just for experts
Though the article itself is a few years old, it mostly still applies to the latest stuff today
All the tools used are in the OpenBSD base system, so that's pretty handy too ***

DragonFly starts work on IPFW2

DragonFlyBSD, much like FreeBSD, comes with more than one firewall you can use
Now it looks like you're going to have yet another choice, as someone is working on a fork of IPFW (which is actually already in its second version, so it should be "IPFW3")
Not a whole lot is known yet; it's still in heavy development, but there's a brief roadmap page with some planned additions
The guy who's working on this has already agreed to come on the show for an interview, but we're going to give him a chance to get some more work done first
Expect that sometime next year, once he's made some progress ***

Feedback/Questions

64: Rump Kernels Revisited

JT Pennington — Wed, 19 Nov 2014 08:00:00 -0500

This time on the show, we'll be talking with Justin Cormack about NetBSD rump kernels. We'll learn how to run them on other operating systems, what's planned for the future and a lot more. As always, answers to viewer-submitted questions and all the news for the week, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

EuroBSDCon 2014 talks and tutorials

The 2014 EuroBSDCon videos have been online for over a month, but unannounced - keep in mind these links may be temporary (but we'll mention their new location in a future show and fix the show notes if that's the case)
Arun Thomas, BSD ARM Kernel Internals
Ted Unangst, Developing Software in a Hostile Environment
Martin Pieuchot, Taming OpenBSD Network Stack Dragons
Henning Brauer, OpenBGPD turns 10 years
Claudio Jeker, vscsi and iscsid iSCSI initiator the OpenBSD way
Paul Irofti, Making OpenBSD Useful on the Octeon Network Gear
Baptiste Daroussin, Cross Building the FreeBSD ports tree
Boris Astardzhiev, Smartcom’s control plane software, a customized version of FreeBSD
Michał Dubiel, OpenStack and OpenContrail for FreeBSD platform
Martin Husemann & Joerg Sonnenberger, Tool-chaining the Hydra, the ongoing quest for modern toolchains in NetBSD
Taylor R Campbell, The entropic principle: /dev/u?random and NetBSD
Dag-Erling Smørgrav, Securing sensitive & restricted data
Peter Hansteen, Building The Network You Need With PF
Stefan Sperling, Subversion for FreeBSD developers
Peter Hansteen, Transition to OpenBSD 5.6
Ingo Schwarze, Let’s make manuals more useful
Francois Tigeot, Improving DragonFly’s performance with PostgreSQL
Justin Cormack, Running Applications on the NetBSD Rump Kernel
Pierre Pronchery, EdgeBSD, a year later
Peter Hessler, Using routing domains or tables in a production network
Sean Bruno, QEMU user mode on FreeBSD
Kristaps Dzonsons, Bugs Ex Ante
Yann Sionneau, Porting NetBSD to the LatticeMico32 open source CPU
Alexander Nasonov, JIT Code Generator for NetBSD
Masao Uebayashi, Porting Valgrind to NetBSD and OpenBSD
Marc Espie, parallel make, working with legacy code
Francois Tigeot, Porting the drm-kms graphic drivers to DragonFly
The following talks (from the Vitosha track room) are all currently missing:
Jordan Hubbard, FreeBSD, Looking forward to another 10 years (but we have another recording)
Theo de Raadt, Randomness, how arc4random has grown since 1998 (but we have another recording)
Kris Moore, Snapshots, Replication, and Boot-Environments
Kirk McKusick, An Introduction to the Implementation of ZFS
John-Mark Gurney, Optimizing GELI Performance
Emmanuel Dreyfus, FUSE and beyond, bridging filesystems
Lourival Vieira Neto, NPF scripting with Lua
Andy Tanenbaum, A Reimplementation of NetBSD Based on a Microkernel
Stefano Garzarella, Software segmentation offloading for FreeBSD
Ted Unangst, LibreSSL
Shawn Webb, Introducing ASLR In FreeBSD
Ed Maste, The LLDB Debugger in FreeBSD
Philip Guenther, Secure lazy binding ***

OpenBSD adopts SipHash

Even more DJB crypto somehow finds its way into OpenBSD's base system
This time it's SipHash, a family of pseudorandom functions that's resistant to hash bucket flooding attacks while still providing good performance
After an initial import and some clever early usage, a few developers agreed that it would be better to use it in a lot more places
It will now be used in the filesystem, and the plan is to utilize it to protect all kernel hash functions
Some other places that Bernstein's work can be found in OpenBSD include the ChaCha20-Poly1305 authenticated stream cipher and Curve25519 KEX used in SSH, ChaCha20 used in the RNG, and Ed25519 keys used in signify and SSH ***

FreeBSD 10.1-RELEASE

FreeBSD's release engineering team likes to troll us by uploading new versions just a few hours after we finish recording an episode
The first maintenance update for the 10.x branch is out, improving upon a lot of things found in 10.0-RELEASE
The vt driver was merged from -CURRENT and can now be enabled with a loader.conf switch (and can even be used on a PlayStation 3)
Bhyve has gotten quite a lot of fixes and improvements from its initial debut in 10.0, including boot support for ZFS
Lots of new ARM hardware is supported now, including SMP support for most of them
A new kernel selection menu was added to the loader, so you can switch between newer and older kernels at boot time
10.1 is the first to support UEFI booting on amd64, which also has serial console support now
Lots of third party software (OpenSSH, OpenSSL, Unbound..) and drivers have gotten updates to newer versions
It's a worthy update from 10.0, or a good time to try the 10.x branch if you were avoiding the first .0 release, so grab an ISO or upgrade today
Check the detailed release notes for more information on all the changes
Also take a look at some of the known problems to see if you'll be affected by any of them
PC-BSD was also updated accordingly with some of their own unique features and changes ***

arc4random - Randomization for All Occasions

Theo de Raadt gave an updated version of his EuroBSDCon presentation at Hackfest 2014 in Quebec
The presentation is mainly about OpenBSD's arc4random function, and outlines the overall poor state of randomization in the 90s and how it has evolved in OpenBSD over time
It begins with some interesting history on OpenBSD and how it became a security-focused OS - in 1996, their syslogd got broken into and "suddenly we became interested in security"
The talk also touches on how low-level changes can shake up the software ecosystem and third party packages that everyone uses
There's some funny history on the name of the function (being called arc4random despite not using RC4 anymore) and an overall status update on various platforms' usage of it
Very detailed and informative presentation, and the slides can be found here
A great quote from the beginning: "We consider ourselves a community of (probably rather strange) people who work on software specifically for the purpose of trying to make it better. We take a 'whole-systems' approach: trying to change everything in the ecosystem that's under our control, trying to see if we can make it better. We gain a lot of strength by being able to throw backwards compatibility out the window. So that means that we're able to do research and the minute that we decide that something isn't right, we'll design an alternative for it and push it in. And if it ends up breaking everybody's machines from the previous stage to the next stage, that's fine because we'll end up in a happier place." ***

Interview - Justin Cormack - justin@netbsd.org / @justincormack

NetBSD on Xen, rump kernels, various topics

News Roundup

The FreeBSD foundation's biggest donation

The FreeBSD foundation has a new blog post about the largest donation they've ever gotten
From the CEO of WhatsApp comes a whopping one million dollars in a single donation
It also has some comments from the donor about why they use BSD and why it's important to give back
Be sure to donate to the foundation of whatever BSD you use when you can - every little bit helps, especially for OpenBSD, NetBSD and DragonFly who don't have huge companies supporting them regularly like FreeBSD does ***

OpenZFS Dev Summit 2014 videos

Videos from the recent OpenZFS developer summit are being uploaded, with speakers from different represented platforms and companies
Matt Ahrens, opening keynote
Raphael Carvalho, Platform Overview: ZFS on OSv
Brian Behlendorf, Platform Overview: ZFS on Linux
Prakash Surya, Platform Overview: illumos
Xin Li, Platform Overview: FreeBSD
All platforms, Group Q&A Session
Dave Pacheco, Manta
Saso Kiselkov, Compression
George Wilson, Performance
Tim Feldman, Host-Aware SMR
Pavel Zakharov, Fast File Cloning
The audio is pretty poor on all of them unfortunately ***

BSDTalk 248

Our friend Will Backman is still busy getting BSD interviews as well
This time he sits down with Matthew Dillon, the lead developer of DragonFly BSD
We've never had Dillon on the show, so you'll definitely want to give this one a listen
They mainly discuss all the big changes coming in DragonFly's upcoming 4.0 release ***

MeetBSD 2014 videos

The presentations from this year's MeetBSD conference are starting to appear online as well
Kirk McKusick, A Narrative History of BSD
Jordan Hubbard, FreeBSD: The Next 10 Years
Brendan Gregg, Performance Analysis
The slides can be found here ***

Feedback/Questions

Mailing List Gold

63: A Man's man(1)

JT Pennington — Wed, 12 Nov 2014 08:00:00 -0500

This time on the show, we've got an interview with Kristaps Džonsons, the creator of mandoc. He tells us how the project got started and what its current status is across the various BSDs. We also have a mini-tutorial on using PF to throttle bandwidth. This week's news, answers to your emails and even some cheesy mailing list gold, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Updates to FreeBSD's random(4)

FreeBSD's random device, which presents itself as "/dev/random" to users, has gotten a fairly major overhaul in -CURRENT
The CSPRNG (cryptographically secure pseudo-random number generator) algorithm, Yarrow, now has a new alternative called Fortuna
Yarrow is still the default for now, but Fortuna can be used with a kernel option (and will likely be the new default in 11.0-RELEASE)
Pluggable modules can now be written to add more sources of entropy
These changes are expected to make it in 11.0-RELEASE, but there hasn't been any mention of MFCing them to 10 or 9 ***

OpenBSD Tor relays and network diversity

We've talked about getting more BSD-based Tor nodes a few times in previous episodes
The "tor-relays" mailing list has had some recent discussion about increasing diversity in the Tor network, specifically by adding more OpenBSD nodes
With the security features and attention to detail, it makes for an excellent dedicated Tor box
More and more adversaries are attacking Tor nodes, so having something that can withstand that will help the greater network at large
A few users are even saying they'll convert their Linux nodes to OpenBSD to help out
Check the archive for the full conversation, and maybe run a node yourself on any of the BSDs
The Tor wiki page on OpenBSD is pretty out of date (nine years old!?) and uses the old pf syntax, maybe one of our listeners can modernize it ***

SSP now default for FreeBSD ports

SSP, or Stack Smashing Protection, is an additional layer of protection against buffer overflows that the compiler can give to the binaries it produces
It's now enabled by default in FreeBSD's ports tree, and the pkgng packages will have it as well - but only for amd64 (all supported releases) and i386 (10.0-RELEASE or newer)
This will only apply to regular ports and binary packages, not the quarterly branch that only receives security updates
If you were using the temporary "new Xorg" or SSP package repositories instead of the default ones, you need to switch back over
NetBSD made this the default on i386 and amd64 two years ago and OpenBSD made this the default on all architectures twelve years ago
Next time you rebuild your ports, things should be automatically hardened without any extra steps or configuration needed ***

Building an OpenBSD firewall and router

While we've discussed the software and configuration of an OpenBSD router, this Reddit thread focuses more on the hardware side
The OP lists some of his potential choices, but was originally looking for something a bit cheaper than a Soekris
Most agree that, if it's for a business especially, it's worth the extra money to go with something that's well known in the BSD community
They also list a few other popular alternatives: ALIX or the APU series from PC Engines, some Supermicro boards, etc.
Through the comments, we also find out that QuakeCon runs OpenBSD on their network
Hopefully most of our listeners are running some kind of BSD as their gateway - try it out if you haven't already ***

Interview - Kristaps Džonsons - kristaps@bsd.lv

Mandoc, historical man pages, various topics

Tutorial

Throttling bandwidth with PF

News Roundup

NetBSD at Kansai Open Forum 2014

Japanese NetBSD users invade yet another conference, demonstrating that they can and will install NetBSD on everything
From a Raspberry Pi to SHARP Netwalkers to various luna68k devices, they had it all
As always, you can find lots of pictures in the trip report ***

Getting to know your portmgr lurkers

The lovable "getting to know your portmgr" series makes its triumphant return
This time around, they interview Alex, one of the portmgr lurkers that joined just this month
"How would you describe yourself?" "Too lazy."
Another post includes a short interview with Emanuel, another new lurker
We discussed the portmgr lurkers initiative with Steve Wills a while back ***

NetBSD's ARM port gets SMP

The ARM port of NetBSD now has SMP support, allowing more than one CPU to be used
This blog post on the website has a list of supported boards: Banana Pi, Cubieboard 2, Cubietruck, Merrii Hummingbird A31, CUBOX-I and NITROGEN6X
NetBSD's release team is working on getting these changes into the 7 branch before 7.0 is released
There are also a few nice pictures in the article ***

A high performance mid-range NAS

This blog post is about FreeNAS and optimizing iSCSI performance
It talks about using mid-range hardware with FreeNAS and different tunables you can change to affect performance
There are some nice graphs and lots of detail if you're interested in tweaking some of your own settings
They conclude "there is no optimal configuration; rather, FreeNAS can be configured to suit a particular workload" ***

Feedback/Questions

Mailing List Gold

62: Gift from the Sun

JT Pennington — Wed, 05 Nov 2014 08:00:00 -0500

We're away at MeetBSD this week, but we've still got a great show for you. We'll be joined by Pawel Dawidek, who's done quite a lot of things in FreeBSD over the years, including the initial ZFS port. We'll get to hear how that came about, what he's up to now and a whole lot more. We'll be back next week with a normal episode of BSD Now - the place to B.. SD.

This episode was brought to you by

Interview - Pawel Jakub Dawidek - pjd@freebsd.org

Porting ZFS, GEOM, GELI, Capsicum, various topics

61: IPSECond Wind

JT Pennington — Wed, 29 Oct 2014 08:00:00 -0400

This week on the show, we sat down with John-Mark Gurney to talk about modernizing FreeBSD's IPSEC stack. We'll learn what he's adding, what needed to be fixed and how we'll benefit from the changes. As always, answers to your emails and all of this week's news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

BSD panel at Phoenix LUG

The Phoenix, Arizona Linux users group had a special panel so they could learn a bit more about BSD
It had one FreeBSD user and one OpenBSD user, and they answered questions from the organizer and the people in the audience
They covered a variety of topics, including filesystems, firewalls, different development models, licenses and philosophy
It was a good "real world" example of things potential switchers are curious to know about
They closed by concluding that more diversity is always better, and even if you've got a lot of Linux boxes, putting a few BSD ones in the mix is a good idea ***

Book of PF signed copy auction

Peter Hansteen (who we've had on the show) is auctioning off the first signed copy of the new Book of PF
All the profits from the sale will go to the OpenBSD Foundation
The updated edition of the book includes all the latest pf syntax changes, but also provides examples for FreeBSD and NetBSD's versions (which still use ALTQ, among other differences)
If you're interested in firewalls, security or even just advanced networking, this book is a great one to have on your shelf - and the money will also go to a good cause
Michael Lucas has challenged Peter to raise more for the foundation than his last book selling - let's see who wins
Pause the episode, go bid on it and then come back! ***

FreeBSD Foundation goes to EuroBSDCon

Some people from the FreeBSD Foundation went to EuroBSDCon this year, and come back with a nice trip report
They also sponsored four other developers to go
The foundation was there "to find out what people are working on, what kind of help they could use from the Foundation, feedback on what we can be doing to support the FreeBSD Project and community, and what features/functions people want supported in FreeBSD"
They also have a second report from Kamil Czekirda
A total of $2000 was raised at the conference ***

OpenBSD 5.6 released

Note: we're doing this story a couple days early - it's actually being released on November 1st (this Saturday), but we have next week off and didn't want to let this one slip through the cracks - it may be out by the time you're watching this
Continuing their always-on-time six month release cycle, the OpenBSD team has released version 5.6
It includes support for new hardware, lots of driver updates, network stack improvements (SMP, in particular) and new security features
5.6 is the first formal release with LibreSSL, their fork of OpenSSL, and lots of ports have been fixed to work with it
You can now hibernate your laptop when using a fully-encrypted filesystem (see our tutorial for that)
ALTQ, Kerberos, Lynx, Bluetooth, TCP Wrappers and Apache were all removed
This will serve as a "transitional" release for a lot of services: moving from Sendmail to OpenSMTPD, from nginx to httpd and from BIND to Unbound
Sendmail, nginx and BIND will be gone in the next release, so either migrate to the new stuff between now and then or switch to the ports versions
As always, 5.6 comes with its own song and artwork - the theme this time was obviously LibreSSL
Be sure to check the full changelog (it's huge) and pick up a CD or tshirt to support their efforts
If you don't already have the public key releases are signed with, getting a physical CD is a good "out of bounds" way to obtain it safely
Here are some cool images of the set
After you do your installation or upgrade, don't forget to head over to the errata page and apply any patches listed there ***

Interview - John-Mark Gurney - jmg@freebsd.org / @encthenet

Updating FreeBSD's IPSEC stack

News Roundup

Clang in DragonFly BSD

As we all know, FreeBSD got rid of GCC in 10.0, and now uses Clang almost exclusively on i386/amd64
Some DragonFly developers are considering migrating over as well, and one of them is doing some work to make the OS more Clang-friendly
We'd love to see more BSDs switch to Clang/LLVM eventually, it's a lot more modern than the old GCC most are using ***

reallocarray(): integer overflow detection for free

One of the less obvious features in OpenBSD 5.6 is a new libc function: "reallocarray()"
It's a replacement function for realloc(3) that provides integer overflow detection at basically no extra cost
Theo and a few other developers have already started a mass audit of the entire source tree, replacing many instances with this new feature
OpenBSD's explicit_bzero was recently imported into FreeBSD, maybe someone could also port over this too ***

Switching from Linux blog

A listener of the show has started a new blog series, detailing his experiences in switching over to BSD from Linux
After over ten years of using Linux, he decided to give BSD a try after listening to our show (which is awesome)
So far, he's put up a few posts about his initial thoughts, some documentation he's going through and his experiments so far
It'll be an ongoing series, so we may check back in with him again later on ***

Owncloud in a FreeNAS jail

One of the most common emails we get is about running Owncloud in FreeNAS
Now, finally, someone made a video on how to do just that, and it's even jailed
A member of the FreeNAS community has uploaded a video on how to set it up, with lighttpd as the webserver backend
If you're looking for an easy way to back up and sync your files, this might be worth a watch ***

Feedback/Questions

Mailing List Gold

That's not our IP
Is this thing on? ***

60: Don't Buy a Router

JT Pennington — Wed, 22 Oct 2014 08:00:00 -0400

This week on the show we're joined by Olivier Cochard-Labbé, the creator of both FreeNAS and the BSD Router Project! We'll be discussing what the BSD Router Project is, what it's for and where it's going. All this week's headlines and answers to viewer-submitted questions, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

BSD Devroom CFP

This year's FOSDEM conference (Belgium, Jan 31st - Feb 1st) is having a dedicated BSD devroom
They've issued a call for papers on anything BSD-related, and we always love more presentations
If you're in the Belgium area or plan on going, submit a talk about something cool you're doing
There's also a mailing list and some more information in the original post ***

Bhyve SVM code merge

The bhyve_svm code has been in the "projects" tree of FreeBSD, but is now ready for -CURRENT
This changeset will finally allow bhyve to run on AMD CPUs, where it was previously limited to Intel only
All the supported operating systems and utilities should work on both now
One thing to note: bhyve doesn't support PCI passthrough on AMD just yet
There may still be some issues though ***

NetBSD at Open Source Conference Tokyo

The Japanese NetBSD users group held a booth at another recent open source conference
As always, they were running NetBSD on everything you can imagine
One of the users reports back to the mailing list on their experience, providing lots of pictures and links
Here's an interesting screenshot of NetBSD running various other BSDs in Xen ***

More BSD switchers every day

A decade-long Linux user is considering making the switch, and asks Reddit about the BSD community
Tired of the pointless bickering he sees in his current community, he asks if the same problems exist over here and what he should expect
So far, he's found that BSD people seem to act more level-headed about things, and are much more practical, whereas some FSF/GNU/GPL people make open source a religion
There's also another semi-related thread about another Linux user wanting to switch to BSD because of systemd and GNU people
There are some extremely well written and thought-out comments in the replies (in both threads), be sure to give them all a read
Maybe the OPs should've just watched this show ***

Interview - Olivier Cochard-Labbé - olivier@cochard.me / @ocochardlabbe

The BSD Router Project

News Roundup

FreeBSD -CURRENT on a T420

Thinkpads are quite popular with BSD developers and users
Most of the hardware seems to be supported across the BSDs (especially wifi)
This article walks through installing FreeBSD -CURRENT on a Thinkpad T420 with UEFI
If you've got a Thinkpad, or especially this specific one, have a look at some of the steps involved ***

FreeNAS on a Supermicro 5018A-MHN4

More and more people are migrating their NAS devices to BSD-based solutions
In this post, the author goes through setting up FreeNAS on some of his new hardware
His new rack-mounted FreeNAS machine has a low power Atom with eight cores and 64GB of RAM - quite a lot for its small form factor
The rest of the post details all of the hardware he chose and goes through the build process (with lots of cool pictures) ***

Hardening procfs and linprocfs

There was an exploit published recently for SFTP in OpenSSH, but it mostly just affected Linux
There exists a native procfs in FreeBSD, which was the target point of that exploit, but it's not used very often
The Linux emulation layer also supports its own linprocfs, which was affected as well
The HardenedBSD guys weigh in on how to best solve the problem, and now support an additional protection layer from writing to memory with procfs
If you want to learn more about ASLR and HardenedBSD, be sure to check out our interview with Shawn too ***

pfSense monitoring with bandwidthd

A lot of people run pfSense on their home network, and it's really useful to monitor the bandwidth usage
This article will walk you through setting up bandwidthd to do exactly that
bandwidthd monitors based on the IP address, rather than per-interface
It can also build some cool HTML graphs, and we love those pfSense graphs
Have a look at our bandwidth monitoring and testing tutorial for some more ideas ***

Feedback/Questions

Mailing List Gold

More old bugs
The Right Font™ (see also) ***

59: BSDって聞いたことある？

JT Pennington — Wed, 15 Oct 2014 08:00:00 -0400

This week on the show we'll be talking with Hiroki Sato about the status of BSD in Japan. We also get to hear about how he got on the core team, and we just might find out why NetBSD is so popular over there! Answers to all your emails, the latest news, and even a brand new segment, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

BSD talks at XDC 2014

This year's Xorg conference featured a few BSD-related talks
Matthieu Herrb, Status of the OpenBSD graphics stack
Matthieu's talk details what's been done recently in Xenocara the OpenBSD kernel for graphics (slides here)
Jean-Sébastien Pédron, The status of the graphics stack on FreeBSD
His presentation gives a history of major changes and outlines the current overall status of graphics in FreeBSD (slides here)
Francois Tigeot, Porting DRM/KMS drivers to DragonFlyBSD
Francois' talk tells the story of how he ported some of the DRM and KMS kernel drivers to DragonFly (slides here) ***

FreeBSD Quarterly Status Report

The FreeBSD project has a report of their activities between July and September of this year
Lots of ARM work has been done, and a goal for 11.0 is tier one support for the platform
The release includes reports from the cluster admin team, release team, ports team, core team and much more, but we've already covered most of the items on the show
If you're interested in seeing what the FreeBSD community has been up to lately, check the full report - it's huge ***

Monitoring pfSense logs using ELK

If you're one of those people who loves the cool graphs and charts that pfSense can produce, this is the post for you
ELK (ElasticSearch, Logstash, Kibana) is a group of tools that let you collect, store, search and (most importantly) visualize logs
It works with lots of different things that output logs and can be sent to one central server for displaying
This post shows you how to set up pfSense to do remote logging to ELK and get some pretty awesome graphs ***

Some updates to IPFW

Even though PF gets a lot of attention, a lot of FreeBSD people still love IPFW
While mostly a dormant section of the source tree, some updates were recently committed to -CURRENT
The commit lists the user-visible changes, performance changes, ABI changes and internal changes
It should be merged back to -STABLE after a month or so of testing, and will probably end up in 10.2-RELEASE
Also check this blog post for some more information and fancy graphs ***

Interview - Hiroki Sato (佐藤広生) - hrs@freebsd.org / @hiroki_sato

BSD in Japan, technology conferences, various topics

News Roundup

pfSense on Hyper-V

In case you didn't know, the latest pfSense snapshots support running on Hyper-V
Unfortunately, the current stable release is based on an old, unsupported FreeBSD 8.x base, so you have to use the snapshots for now
The author of the post tells about his experience running pfSense and gives lots of links to read if you're interested in doing the same
He also praises pfSense above other Linux-based solutions for its IPv6 support and high quality code ***

OpenBSD as a daily driver

A curious Reddit user posts to ask the community about using OpenBSD as an everyday desktop OS
The overall consensus is that it works great for that, stays out of your way and is quite reliable
Caveats would include there being no Adobe Flash support (though others consider this a blessing..) and it requiring a more hands-on approach to updating
If you're considering running OpenBSD as a "daily driver," check all the comments for more information and tips ***

Getting PF log statistics

The author of this post runs an OpenBSD box in front of all his VMs at his colocation, and details his experiences with firewall logs
He usually investigates any IPs of interest with whois, nslookup, etc. - but this gets repetitive quickly, so..
He sets out to find the best way to gather firewall log statistics
After coming across a perl script to do this, he edited it a bit and is now a happy, lazy admin once again
You can try out his updated PF script here ***

FlashRD 1.7 released

In case anyone's not familiar, flashrd is a tool to create OpenBSD images for embedded hardware devices, executing from a virtualized environment
This new version is based on (the currently unreleased) OpenBSD 5.6, and automatically adapts to the number of CPUs you have for building
It also includes fixes for 4k drives and lots of various other improvements
If you're interested in learning more, take a look at some of the slides and audio from the main developer on the website ***

Feedback/Questions

Mailing List Gold

58: Behind the Masq

JT Pennington — Wed, 08 Oct 2014 08:00:00 -0400

Coming up this week on the show, we'll be talking to Matt Ranney and George Kola about how they use FreeBSD at Voxer, and how to get more companies to switch over. After that, we'll show you how to filter website ads at the gateway level, using DNSMasq. All this week's news and answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

NetBSD's EuroBSDCon report

This year's EuroBSDCon had the record number of NetBSD developers attending
The NetBSD guys had a small devsummit as well, and this blog post details some of their activities
Pierre Pronchery also talked about EdgeBSD there (also see our interview if you haven't already)
Hopefully this trend continues, and NetBSD starts to have even more of a presence at the conferences ***

Upcoming features in OpenBSD 5.6

OpenBSD 5.6 is to be released in just under a month from now, and one of the developers wrote a blog post about some of the new features
The post is mostly a collection of various links, many of which we've discussed before
It'll be the first version with LibreSSL and many other cool things
We will, of course, have all the details on the day of release
There are some good comments on hacker news about 5.6 as well ***

FreeBSD ARMv8-based implementation

The FreeBSD foundation is sponsoring some work to port FreeBSD to the new ThunderX ARM CPU family
With the potential to have up to 48 cores, this type of CPU might make ARM-based servers a more appealing option
Cavium, the company involved with this deal, seems to have lots of BSD fans
This collaboration is expected to result in Tier 1 recognition of the ARMv8 architecture ***

Updating orphaned OpenBSD ports

We discussed OpenBSD porting over portscout from FreeBSD a while back
Their ports team is making full use of it now, and they're also looking for people to help update some unmaintained ports
A new subdomain, portroach.openbsd.org, will let you view all the ports information easily
If you're interested in learning to port software, or just want to help update a port you use, this is a good chance to get involved ***

Interview - Matt Ranney & George Kola - mjr@ranney.com & george.kola@voxer.com

BSD at Voxer, companies switching from Linux, community interaction

Tutorial

Adblocking with DNSMasq & Pixelserv

News Roundup

GhostBSD 4.0 released

The 4.0 branch of GhostBSD has finally been released, based on FreeBSD 10
With it come all the big 10.0 changes: clang instead of gcc, pkgng by default, make replaced by bmake
Mate is now the default desktop, with different workstation styles to choose from ***

Reports from PF about banned IPs

If you run any kind of public-facing server, you've probably seen your logs fill up with unwanted traffic
This is especially true if you run SSH on port 22, which the author of this post seems to
A lot can be done with just PF and some brute force tables
He goes through some different options for blocking Chinese IPs and break-in attempts
It includes a useful script he wrote to get reports about the IPs being blocked via email ***

NetBSD 6.1.5 and 6.0.6 released

The 6.1 and 6.0 branches of NetBSD got some updates
They include a number of security and stability fixes - plenty of OpenSSL mentions
Various panics and other small bugs also got fixed ***

OpenSSH 6.7 released

After a long delay, OpenSSH 6.7 has finally been released
Major internal refactoring has been done to make part of OpenSSH usable as a library
SFTP transfers can now be resumed
Lots of bug fixes, a few more new features - check the release notes for all the details
This release disables some insecure ciphers by default, so keep that in mind if you connect with legacy clients that use Arcfour or CBC modes ***

Feedback/Questions

57: The Daemon's Apprentice

JT Pennington — Wed, 01 Oct 2014 08:00:00 -0400

We're back from EuroBSDCon! This week we'll be talking with Steve Wills about mentoring new BSD developers. If you've ever considered becoming a developer or helping out, it's actually really easy to get involved. We've also got all the BSD news for the week and answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

NetBSD at Hiroshima Open Source Conference

NetBSD developers are hard at work, putting NetBSD on everything they can find
At a technology conference in Hiroshima, some developers brought their exotic machines to put on display
As usual, there are lots of pictures and a nice report from the conference ***

FreeBSD's Linux emulation overhaul

For a long time, FreeBSD's emulation layer has been based on an ancient Fedora 10 system
If you've ever needed to install Adobe Flash on BSD, you'll be stuck with all this extra junk
With some recent work, that's been replaced with a recent CentOS release
This opens up the door for newer versions of Skype to run on FreeBSD, and maybe even Steam someday ***

pfSense 2.2-BETA

Big changes are coming in pfSense land, with their upcoming 2.2 release
We talked to the developer a while back about future plans, and now they're finally out there
The 2.2 branch will be based on FreeBSD 10-STABLE (instead of 8.3) and include lots of performance fixes
It also includes some security updates, lots of package changes and updates and much more
You can check the full list of changes on their wiki ***

NetBSD on the Raspberry Pi

This article shows how you can install NetBSD on the ever-so-popular Raspberry Pi
As of right now, you'll need to use a -CURRENT snapshot to do it
It also shows how to grow the filesystem to fill up an SD card, some pkgsrc basics and how to get some initial things set up
Can anyone find something that you can't install NetBSD on? ***

Interview - Steve Wills - swills@freebsd.org / @swills

Mentoring new BSD developers

News Roundup

MidnightBSD 0.5 released

We don't hear a whole lot about MidnightBSD, but they've just released version 0.5
It's got a round of the latest FreeBSD security patches, driver updates and various small things
Maybe one of their developers could come on the show sometime and tell us more about the project ***

BSD Router Project 1.52 released

The newest update for the BSD Router Project is out
This version is based on a snapshot of 10-STABLE that's very close to 10.1-RELEASE
It's mostly a bugfix release, but includes some small changes and package updates ***

Configuring a DragonFly BSD desktop

We've done tutorials on how to set up a FreeBSD or OpenBSD desktop, but maybe you're more interested in DragonFly
In this post from Justin Sherrill, you'll learn some of the steps to do just that
He pulled out an old desktop machine, gave it a try and seems to be pleased with the results
It includes a few Xorg tips, and there are some comments about the possibility of making a GUI DragonFly installer ***

Building a mini-ITX pfSense box

Another week, another pfSense firewall build post
This time, the author is installing to a Jetway J7F2, a mini-ITX device with four LAN ports
He used to be a m0n0wall guy, but wanted to give the more modern pfSense a try
Lots of great pictures of the hardware, which we always love ***

Feedback/Questions

56: Beastly Infrastructure

JT Pennington — Wed, 24 Sep 2014 08:00:00 -0400

This week we're on the other side of the Atlantic, attending EuroBSDCon. For now, we've got an awesome interview with Peter Wemm about the FreeBSD web cluster and infrastructure. It's an inside look that you probably won't hear about anywhere else! We'll also get to a couple of your emails today, and be back next week with all the usual goodies, on BSD Now - the place to B.. SD.

This episode was brought to you by

Interview - Peter Wemm - peter@freebsd.org / @karinjiri

The FreeBSD web cluster and infrastructure

Feedback/Questions

Todd writes in
Brandon writes in ***

55: The Promised WLAN

JT Pennington — Wed, 17 Sep 2014 08:00:00 -0400

Coming up this week, we'll be talking with Adrian Chadd about all things wireless, his experience with FreeBSD on various laptop hardware and a whole lot more. As usual, we've got the latest news and answers to all your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD 10.1-BETA1 is out

The first maintenance update in the 10.x series of FreeBSD is on its way
Since we can't see a changelog yet, the 10-STABLE release notes offer a glimpse at some of the new features and fixes that will be included in 10.1
The vt driver was merged from -CURRENT, lots of drivers were updated, lots of bugs were fixed and bhyve also got many improvements from 11
Initial UEFI support, multithreaded softupdates for UFS and many more things were added
You can check the release schedule for the planned release dates
Details for the various forms of release media can be found in the announcement ***

Remote headless OpenBSD installation

A lot of server providers only offer a limited number of operating systems to be easily installed on their boxes
Sometimes you'll get lucky and they'll offer FreeBSD, but it's much harder to find ones that natively support other BSDs
This article shows how you can use a Linux-based rescue system, a RAM disk and QEMU to install OpenBSD on the bare metal of a server, headlessly and remotely
It required a few specific steps you'll want to take note of, but is extremely useful for those pesky hosting providers ***

Building a firewall appliance with pfSense

In this article, we learn how to easily set up a gateway and wireless access point with pfSense on a Netgate ALIX2C3 APU
After the author's modem died, he decided to look into a more do-it-yourself option with pf and a tiny router board
The hardware he used has gigabit ports and a BSD-compatible wireless card, as well as enough CPU power for a modest workload and a few services (OpenVPN, etc.)
There's a lot of great pictures of the hardware and detailed screenshots, definitely worth a look ***

Receive Side Scaling - UDP testing

Adrian Chadd has been working on RSS (Receive Side Scaling) in FreeBSD, and gives an update on the progress
He's using some quad core boxes with 10 gigabit ethernet for the tests
The post gives lots of stats and results from his network benchmark, as well as some interesting workarounds he had to do
He also provides some system configuration options, sysctl knobs, etc. (if you want to try it out)
And speaking of Adrian Chadd... ***

Interview - Adrian Chadd - adrian@freebsd.org / @erikarn

BSD on laptops, wifi, drivers, various topics

News Roundup

Sendmail removed from OpenBSD

Mail server admins around the world are rejoicing, because sendmail is finally gone from OpenBSD
With OpenSMTPD being a part of the base system, sendmail became largely redundant and unneeded
If you've ever compared a "sendmail.cf" file to an "smtpd.conf" file... the different is as clear as night and day
5.6 will serve as a transitional release, including both sendmail and OpenSMTPD, but 5.7 will be the first release without it
If you still need it for some reason, sendmail will live in ports from now on
Hopefully FreeBSD will follow suit sometime in the future as well, possibly including DragonFly's mail transfer agent in base (instead of an entire mail server) ***

pfSense backups with pfmb

We've mentioned the need for a tool to back up pfSense configs a number of times on the show
This script, hosted on github, does pretty much exactly that
It can connect to one (or more!) pfSense installations and back up the configuration
You can roll back or replace failed hardware very easily with its restore function
Everything is done over SSH, so it should be pretty secure ***

The Design and Implementation of the FreeBSD Operating System

We mentioned when the pre orders were up, but now "The Design and Implementation of the FreeBSD Operating System, 2nd edition" seems to be shipping out
If you're interested in FreeBSD development, or learning about the operating system internals, this is a great book to buy
We've even had all three authors on the show before! ***

OpenBSD's systemd replacement updates

We mentioned last week that the news of OpenBSD creating systemd wrappers was getting mainstream attention
One of the developers writes in to Undeadly, detailing what's going on and what the overall status is
He also clears up any confusion about "porting systemd to BSD" (that's not what's going on) or his code ever ending up in base (it won't)
The top comment as of right now is a Linux user asking if his systemd wrappers can be ported back to Linux... poor guy ***

Feedback/Questions

54: Luminary Environment

JT Pennington — Wed, 10 Sep 2014 08:00:00 -0400

This week on the show, it's all about Lumina. We'll be giving you a visual walkthrough of the new BSD-exclusive desktop environment, as well as chatting with the main developer. There's also answers to your emails and all the latest news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Portscout ported to OpenBSD

Portscout is a popular utility used in the FreeBSD ports infrastructure
It lets port maintainers know when there's a new version of the upstream software available by automatically checking the distfile mirror
Now OpenBSD porters can enjoy the same convenience, as it's been ported over
You can view the status online to see how it works and who maintains what
The developer who ported it is working to get all the current features working on OpenBSD, and added a few new features as well
He decided to fork and rename it a few days later ***

Sysadmins and systemd refugees flocking to BSD

With all the drama in Linux land about the rapid changes to their init system, a lot of people are looking at BSD alternatives
This "you got your Windows in my Linux" article (and accompanying comments) give a nice glimpse into the minds of some of those switchers
Both server administrators and regular everyday users are switching away from Linux, as more and more distros give them no choice but to use systemd
Fortunately, the BSD communities are usually very welcoming of switchers - it's pretty nice on this side! ***

OpenBSD's versioning schemes

Ted Unangst explains the various versioning systems within OpenBSD, from the base to libraries to other included software
In contrast to FreeBSD's release cycle, OpenBSD isn't as concerned with breaking backwards compatibility (but only if it's needed to make progress)
This allows them to innovate and introduce new features a lot more easily, and get those features in a stable release that everyone uses
He also details the difference between branches, their errata system and lack of "patch levels" for security
Some other things in OpenBSD don't have version numbers at all, like tmux
"Every release adds some new features, fixes some old bugs, probably adds a new bug or two, and, if I have anything to say about it, removes some old features." ***

VAXstation 4000 Model 90 booting NetBSD

We found a video of NetBSD booting on a 22 year old VAX workstation, circa 1992
This system has a monstrous 71 MHz CPU and 128MB of ECC RAM
It continues in part two, where we learn that it would've cost around $25,000 when it was released!
The uploader talks about his experiences getting NetBSD on it, what does and doesn't work, etc
It's interesting to see that such old hardware isn't necessarily obsolete just because newer things have come out since then (but maybe don't try to build world on it...) ***

Interview - Ken Moore - ken@pcbsd.org

The Lumina desktop environment

Special segment

Lumina walkthrough

News Roundup

Suricata for IDS on pfSense

While most people are familiar with Snort as an intrusion detection system, Suricata is another choice
This guide goes through the steps of installing and configuring it on a public-facing pfSense box
Part two details some of the configuration steps
One other cool thing about Suricata - it's compatible with Snort rules, so you can use the same updates
There's also another recent post about snort as well, if that's more your style
If you run pfSense (or any BSD) as an edge router for a lot of users, this might be worth looking into ***

OpenBSD's systemd API emulation project

This story was pretty popular in the mainstream news this week
For the Google Summer of Code, a student is writing emulation wrappers for some of systemd's functions
There was consideration from some Linux users to port over the finished emulation back to Linux, so they wouldn't have to run the full systemd
One particularly interesting Slashdot comment snippet: "We are currently migrating a large number (much larger than planned after initial results) of systems from RHEL to BSD - a decision taken due to general unhappiness with RHEL6, but SystemD pushed us towards BSD rather than another Linux distro - and in some cases are seeing throughput gains of greater than 10% on what should be equivalent Linux and BSD server builds. The re-learning curve wasn't as steep as we expected, general system stability seems to be better too, and BSD's security reputation goes without saying."
It will NOT be in the base system - only in ports, and only installed as a dependency for things like newer GNOME that require such APIs
In the long run, BSD will still be safe from systemd's reign of terror, but will hopefully still be compatible with some third party packages like GNOME that insist on using it ***

GhostBSD 4 previewed

The GhostBSD project is moving along, slowly getting closer to the 4 release
This article shows some of the progress made, and includes lots of screenshots and interesting graphical frontends
If you're not too familiar with GhostBSD, we interviewed the lead developer a little while back ***

NetBSD on the Banana Pi

The Banana Pi is a tasty alternative to the Raspberry Pi, with similar hardware specs
In this blog post, a NetBSD developer details his experiences in getting NetBSD to run on it
After studying how the prebuilt Linux image booted, he made some notes and started hacking
Ethernet, one of the few things not working, is being looked into and he's hoping to get it fully supported for the upcoming NetBSD 7.0
They're only about $65 as of the time we're recording this, so it might be a fun project to try ***

Feedback/Questions

53: It's HAMMER Time

JT Pennington — Wed, 03 Sep 2014 08:00:00 -0400

It's our one year anniversary episode, and we'll be talking with Reyk Floeter about the new OpenBSD webserver - why it was created and where it's going. After that, we'll show you the ins and outs of DragonFly's HAMMER FS. Answers to viewer-submitted questions and the latest headlines, on a very special BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD foundation's new IPSEC project

The FreeBSD foundation, along with Netgate, is sponsoring some new work on the IPSEC code
With bandwidth in the 10-40 gigabit per second range, the IPSEC stack needs to be brought up to modern standards in terms of encryption and performance
This new work will add AES-CTR and AES-GCM modes to FreeBSD's implementation, borrowing some code from OpenBSD
The updated stack will also support AES-NI for hardware-based encryption speed ups
It's expected to be completed by the end of September, and will also be in pfSense 2.2 ***

NetBSD at Shimane Open Source Conference 2014

The Japanese NetBSD users group held a NetBSD booth at the Open Source Conference 2014 in Shimane on August 23
One of the developers has gathered a bunch of pictures from the event and wrote a fairly lengthy summary
They had NetBSD running on all sorts of devices, from Raspberry Pis to Sun Java Stations
Some visitors said that NetBSD had the most chaotic booth at the conference ***

pfSense 2.1.5 released

A new version of the pfSense 2.1 branch is out
Mostly a security-focused release, including three web UI fixes and the most recent OpenSSL fix (which FreeBSD has still not patched in -RELEASE after nearly a month)
It also includes many other bug fixes, check the blog post for the full list ***

Systems, Science and FreeBSD

Our friend George Neville-Neil gave a presentation at Microsoft Research
It's mainly about using FreeBSD as a platform for research, inside and outside of universities
The talk describes the OS and its features, ports, developer community, documentation, who uses BSD and much more ***

Interview - Reyk Floeter - reyk@openbsd.org / @reykfloeter

OpenBSD's HTTP daemon

Tutorial

A crash course on HAMMER FS

News Roundup

OpenBSD's rcctl tool usage

OpenBSD recently got a new tool for managing /etc/rc.conf.local in -current
Similar to FreeBSD's "sysrc" tool, it eliminates the need to manually edit rc.conf.local to enable or disable services
This blog post - from a BSD Now viewer - shows the typical usage of the new tool to alter the startup services
It won't make it to 5.6, but will be in 5.7 (next May) ***

pfSense mini-roundup

We found five interesting pfSense articles throughout the week and wanted to quickly mention them
The first item in our pfSense mini-roundup details how you can stream Netflix to in non-US countries using a "smart" DNS service
The second post talks about setting ip IPv6, in particular if Comcast is your ISP
The third one features pfSense on Softpedia, a more mainstream tech site
The fourth post describes how to filter HTTPS traffic with Squid and pfSense
The last article describes setting up a VPN using the "tinc" daemon and pfSense
It seems to be lesser known, compared to things like OpenVPN or SSH tunnels, so it's interesting to read about
This pfSense HQ website seems to have lots of other cool pfSense items, check it out ***

OpenBSD's new buffer cache

OpenBSD has traditionally used the tried-and-true LRU algorithm for buffer cache, but it has a few problems
Ted Unangst has just switched to a new algorithm in -current, partially based on 2Q, and details some of his work
Initial tests show positive results in terms of cache responsiveness
Check the post for all the fine details ***

BSDTalk episode 244

Another new BSDTalk is up and, this time around, Will Backman interviews Ken Moore, the developer of the new BSD desktop environment
They discuss the history of development, differences between it and other DEs, lots of topics
If you're more of a visual person, fear not, because...
We'll have Ken on next week, including a full "virtual walkthrough" of Lumina and its applications ***

Feedback/Questions

52: Reverse Takeover

JT Pennington — Wed, 27 Aug 2014 08:00:00 -0400

Coming up this week, we'll be chatting with Shawn Webb about his recent work with ASLR and PIE in FreeBSD. After that, we'll be showing you how you can create a reverse SSH tunnel to a system behind a firewall... how sneaky. Answers to your emails plus the latest news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD foundation August update

The foundation has published a new PDF detailing some of their recent activities
It includes project development updates, the 10.1-RELEASE schedule and some of its new features
There is also a short interview with Dru Lavigne in the "voices from the community" section
If you're into hardware, there's another section about some new FreeBSD server equipment
In closing, there's an update on funding too ***

NSD for an authoritative nameserver

With BIND having been removed from FreeBSD 10.0, you might be looking to replace your old DNS setup
This article shows how to use NSD for an authoritative DNS nameserver
It's also got a link to a similar article on Unbound, the new favorite recursive and caching resolver (they work great together)
All the instructions are presented very neatly, with all the little details included
Less BIND means less vulnerabilities, everybody's happy ***

BIND and Nginx removed from OpenBSD

While we're on the topic of DNS servers, BIND was finally removed from OpenBSD as well
The base system contains both NSD and Unbound, so users can transition over between 5.6 (November of this year) and 5.7 (May of next year)
They've also removed nginx from the base system, in favor of the new custom HTTP daemon
BIND and Nginx are still available in ports if you don't want to switch
We're hoping to have Reyk Floeter on the show next week to talk about it, but scheduling might not work out, so it may be a little later on
With Apache gone in the upcoming 5.6, It's also likely that sendmail will be removed before 5.7 - hooray for modern alternatives ***

NetBSD demo videos

A Japanese NetBSD developer has been uploading lots of interesting videos
Unsurprisingly, they're all featuring NetBSD running on exotic and weird hardware
Most of them are demoing sound or running a modern Twitter client on an ancient computer
They're from the same guy that did the conference wrap-up we mentioned recently ***

Interview - Shawn Webb - shawn.webb@hardenedbsd.org / @lattera

Address space layout randomization in FreeBSD

Tutorial

Reverse SSH tunneling

News Roundup

Puppet master-agent installation on FreeBSD

If you've got a lot of BSD boxes under your control, or if you're just lazy, you've probably looked into Puppet before
The author claims a lack of BSD-specific Puppet documentation, so he decided to write up some notes of his own
He goes through some advantages of using this type of tool for deployments, even when you don't have a huge number of systems
The rest of the post explains how to set up both the master and the agent configurations ***

Misc. pfSense items

We found a few miscellaneous pfSense articles this past week
The first one is about the hunt for the "ultimate" free open source firewall, where pfSense is obviously a strong contender
The second one shows how to log NAT firewall states (a good way to find out which family member has been torrenting!)
In the third, you can see how to automatically back up your configuration files
The fourth item shows how to set up PXE booting with pfSense, similar to one of our tutorials ***

Time Machine backups on ZFS

If you've got a Mac you need to keep backed up, a FreeBSD server with ZFS can take the place of an expensive "time capsule"
This post walks you through setting up netatalk and mDNS for a very versatile Time Machine backup system
With a single command on the OS X side, you can write to and read from the BSD box just like a regular external drive
Surprisingly simple to do, recommended for anyone with Macs on their network ***

Lumina desktop preview

Lumina, the BSD-exclusive desktop environment, seems to be coming along nicely
The main developer has posted an update on the PCBSD blog with some screenshots
Lots of new features have been added, many of which are documented in the post
There just might be a BSD Now episode about Lumina coming up.. (cough cough) ***

Feedback/Questions

51: Engineering Nginx

JT Pennington — Wed, 20 Aug 2014 08:00:00 -0400

Coming up on the show, we'll be showing you how to set up a secure, SSL-only webserver. There's also an interview with Eric Le Blan about community participation and FreeBSD's role in the commercial server space. All that and more, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Password gropers take spamtrap bait

Our friend Peter Hansteen, who keeps his eyes glued to his log files, has a new blog post
He seems to have discovered another new weird phenomenon in his pop3 logs
"yes, I still run one, for the same bad reasons more than a third of my readers probably do: inertia"
Someone tried to log in to his service with an address that was known to be invalid
The rest of the post goes into detail about his theory of why someone would use a list of invalid addresses for this purpose ***

Inside the Atheros wifi chipset

Adrian Chadd - sometimes known in the FreeBSD community as "the wireless guy" - gave a talk at the Defcon Wireless Village 2014
He covers a lot of topics on wifi, specifically on Atheros chips and why they're so popular for open source development
There's a lot of great information in the presentation, including cool (and evil) things you can do with wireless cards
Very technical talk; some parts might go over your head if you're not a driver developer
The raw video file is also available to download on archive.org
Adrian has also recently worked on getting Kismet and Aircrack-NG to work better with FreeBSD, including packet injection and other fun things ***

Trip report and hackathon mini-roundup

A few more (late) reports from BSDCan and the latest OpenBSD hackathon have been posted
Mark Linimon mentions some of the future plans for FreeBSD's release engineering and ports
Bapt also has a BSDCan report detailing his work on ports and packages
Antoine Jacoutot writes about his work at the most recent hackathon, working with rc configuration and a new /etc/examples layout
Peter Hessler, a latecomer to the hackathon, details his experience too, hacking on the installer and built-in upgrade function
Christian Weisgerber talks about starting some initial improvements of OpenBSD's ports infrastructure ***

DragonFly BSD 3.8.2 released

Although it was already branched, the release media is now available for DragonFly 3.8.2
This is a minor update, mostly to fix the recent OpenSSL vulnerabilities
It also includes some various other small fixes ***

Interview - Eric Le Blan - info@xinuos.com

Xinuos' recent FreeBSD integration, BSD in the commercial server space

Tutorial

Building a hardened, feature-rich webserver

News Roundup

Defend your network and privacy, FreeBSD version

Back in episode 39, we covered a blog post about creating an OpenBSD gateway - partly based on our tutorial
This is a follow-up post, by the same author, about doing a similar thing with FreeBSD
He mentions some of the advantages and disadvantages between the two operating systems, and encourages users to decide for themselves which one suits their needs
The rest is pretty much the same things: firewall, VPN, DHCP server, DNSCrypt, etc. ***

Don't encrypt all the things

Another couple of interesting blog posts from Ted Unangst about encryption
It talks about how Google recently started ranking sites with HTTPS higher in their search results, and then reflects on how sometimes encryption does more harm than good
After heartbleed, the ones who might be able to decrypt your emails went from just a three-letter agency to any script kiddie
He also talks a bit about some PGP weaknesses and a possible future replacement
He also has another, similar post entitled "in defense of opportunistic encryption" ***

New automounter lands in FreeBSD

The work on the new automounter has just landed in 11-CURRENT
With help from the FreeBSD Foundation, we'll have a new "autofs" kernel option
Check the SVN viewer online to read over the man pages if you're not running -CURRENT
You can also read a bit about it in the recent newsletter ***

OpenSSH 6.7 CFT

It's been a little while since the last OpenSSH release, but 6.7 is almost ready
Our friend Damien Miller issued a call for testing for the upcoming version, which includes a fair amount of new features
It includes some old code removal, some new features and some internal reworkings - we'll cover the full list in detail when it's released
This version also officially supports being built with LibreSSL now
Help test it out and report any findings, especially if you have access to something a little more exotic than just a BSD system ***

Feedback/Questions

50: VPN, My Dear Watson

JT Pennington — Wed, 13 Aug 2014 08:00:00 -0400

It's our 50th episode, and we're going to show you how to protect your internet traffic with a BSD-based VPN. We'll also be talking to Robert Watson, of the FreeBSD core team, about security research, exploit mitigation and a whole lot more. The latest news and answers to all of your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

MeetBSD 2014 is approaching

The MeetBSD conference is coming up, and will be held on November 1st and 2nd in San Jose, California
MeetBSD has an "unconference" format, which means there will be both planned talks and community events
All the extra details will be on their site soon
It also has hotels and various other bits of useful information - hopefully with more info on the talks to come
Of course, EuroBSDCon is coming up before then ***

First experiences with OpenBSD

A new blog post that leads off with "tired of the sluggishness of Windows on my laptop and interested in experimenting with a Unix-like that I haven't tried before"
The author read the famous "BSD for Linux users" series (that most of us have surely seen) and decided to give BSD a try
He details his different OS and distro history, concluding with how he "eventually became annoyed at the poor quality of Linux userland software"
From there, it talks about how he used the OpenBSD USB image and got a fully-working system
He especially liked the simplicity of OpenBSD's "hostname.if" system for network configuration
Finally, he gets Xorg working and imports all his usual configuration files - seems to be a happy new user! ***

NetBSD rump kernels on bare metal (and Kansai OSC report)

When you're developing a new OS or a very specialized custom solution, working drivers become one of the hardest things to get right
However, NetBSD's rump kernels - a very unique concept - make this process a lot easier
This blog post talks about the process of starting with just a rump kernel and expanding into an internet-ready system in just a week
Also have a look back at episode 8 for our interview about rump kernels and what exactly they do
While on the topic of NetBSD, there were also a couple of very detailed reports (with lots of pictures!) of the various NetBSD-themed booths at the 2014 Kansai Open Source Conference that we wanted to highlight ***

OpenSSL and LibreSSL updates

OpenSSL pushed out a few new versions, fixing multiple vulnerabilities (nine to be precise!)
Security concerns include leaking memory, possible denial of service, crashing clients, memory exhaustion, TLS downgrades and more
LibreSSL released a new version to address most of the vulnerabilities, but wasn't affected by some of them
Whichever version of whatever SSL you use, make sure it's patched for these issues
DragonFly and OpenBSD are patched as of the time of this recording but, even after a week, NetBSD and FreeBSD are not (outside of -CURRENT) ***

Interview - Robert Watson - rwatson@freebsd.org

FreeBSD architecture, security research techniques, exploit mitigation

Tutorial

Protecting traffic with a BSD-based VPN

News Roundup

A FreeBSD-based CGit server

If you use git (like a certain host of this show) then you've probably considered setting up your own server
This article takes you through the process of setting up a jailed git server, complete with a fancy web frontend
It even shows you how to set up multiple repos with key-based user separation and other cool things
The author of the post is also a listener of the show, thanks for sending it in! ***

Backup devices for small businesses

In this article, different methods of data storage and backup are compared
After weighing the various options, the author comes to an obvious conclusion: FreeNAS is the answer
He praises FreeNAS and the FreeNAS Mini for their tight integration, rock solid FreeBSD base and the great ZFS featureset that it offers
It also goes over some of the hardware specifics in the FreeNAS Mini ***

A new Xenocara interview

As a follow up to last week's OpenSMTPD interview, this Russian blog interviews Matthieu Herrb about Xenocara
If you're not familiar with Xenocara, it's OpenBSD's version of Xorg with some custom patches
In this interview, he discusses how large and complex the upstream X11 development is, how different components are worked on by different people, how they test code (including a new framework) and security auditing
Matthieu is both a developer of upstream Xorg and an OpenBSD developer, so it's natural for him to do a lot of the maintainership work there ***

Building a high performance FreeBSD samba server

If you've got to PXE boot several hundred Windows boxes to upgrade from XP to 7, what's the best solution?
FreeBSD, ZFS and Samba obviously!
The master image and related files clock in at over 20GB, and will be accessed at the same time by all of those clients
This article documents that process, highlighting some specific configuration tweaks to maximize performance (including NIC bonding)
It doesn't even require the newest or best hardware with the right changes, pretty cool ***

Feedback/Questions

49: The PC-BSD Tour

JT Pennington — Wed, 06 Aug 2014 08:00:00 -0400

Coming up this week on the show, we've got something special for you! We'll be giving you an in-depth look at all of the graphical PC-BSD utilities. That's right, BSD doesn't have to be commandline-only anymore! There's also the usual round of answers to your emails and all the latest headlines, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD foundation semi-annual newsletter

The FreeBSD foundation published their semi-annual newsletter, complete with a letter from the president of the foundation
"In fact after reading [the president's] letter, I was motivated to come up with my own elevator pitch instead of the usual FreeBSD is like Linux, only better!"
It talks about the FreeBSD journal as being one of the most exciting things they've launched this year, conferences they funded and various bits of sponsored code that went into -CURRENT
The full list of funded projects is included, also with details in the financial reports
There are also a number of conference wrap-ups: NYCBSDCon, BSDCan, AsiaBSDCon and details about the upcoming EuroBSDCon

48: Liberating SSL

JT Pennington — Wed, 30 Jul 2014 08:00:00 -0400

Coming up in this week's episode, we'll be talking with one of OpenBSD's newest developers - Brent Cook - about the portable version of LibreSSL and how it's developed. We've also got some information about the FreeBSD port of LibreSSL you might not know. The latest news and your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD quarterly status report

FreeBSD has gotten quite a lot done this quarter
Changes in the way release branches are supported - major releases will get at least five years over their lifespan
A new automounter is in the works, hoping to replace amd (which has some issues)
The CAM target layer and RPC stack have gotten some major optimization and speed boosts
Work on ZFSGuru continues, with a large status report specifically for that
The report also mentioned some new committers, both source and ports
It also covers GNATS being replaced with Bugzilla, the new core team, 9.3-RELEASE, GSoC updates, UEFI booting and lots of other things that we've already mentioned on the show
"Foundation-sponsored work resulted in 226 commits to FreeBSD over the April to June period" ***

A new OpenBSD HTTPD is born

Work has begun on a new HTTP daemon in the OpenBSD base system
A lot of people are asking "why?" since OpenBSD includes a chrooted nginx already - will it be removed? Will they co-exist?
Initial responses seem to indicate that nginx is getting bloated, and is a bit overkill for just serving content (this isn't trying to be a full-featured replacement)
It's partially based on the relayd codebase and also comes from the author of relayd, Reyk Floeter
This has the added benefit of the usual, easy-to-understand syntax and privilege separation
There's a very brief man page online already
It supports vhosts and can serve static files, but is still in very active development - there will probably be even more new features by the time this airs
Will it be named OpenHTTPD? Or perhaps... LibreHTTPD? (I hope not) ***

pkgng 1.3 announced

The newest version of FreeBSD's second generation package management system has been released, with lots of new features
It has a new "real" solver to automatically handle conflicts, and dynamically discover new ones (this means the annoying -o option is deprecated now, hooray!)
Lots of the code has been sandboxed for extra security
You'll probably notice some new changes to the UI too, making things more user friendly
A few days later 1.3.1 was released to fix a few small bugs, then 1.3.2 shortly thereafter and 1.3.3 yesterday ***

FreeBSD after-install security tasks

A number of people have written in to ask us "how do I secure my BSD box after I install it?"
With this blog post, hopefully most of their questions will finally be answered in detail
It goes through locking down SSH with keys, patching the base system for security, installing packages and keeping them updated, monitoring and closing any listening services and a few other small things
Not only does it just list things to do, but the post also does a good job of explaining why you should do them
Maybe we'll see some more posts in this series in the future ***

Interview - Brent Cook - bcook@openbsd.org / @busterbcook

LibreSSL's portable version and development

News Roundup

FreeBSD Mastery - Storage Essentials

MWL's new book about the FreeBSD storage subsystems now has an early draft available
Early buyers can get access to an in-progress draft of the book before the official release, but keep in mind that it may go through a lot of changes
Topics of the book will include GEOM, UFS, ZFS, the disk utilities, partition schemes, disk encryption and maximizing I/O performance
You'll get access to the completed (e)book when it's done if you buy the early draft
The suggested price is $8 ***

Why BSD and not Linux?

Yet another thread comes up asking why you should choose BSD over Linux or vice-versa
Lots of good responses from users of the various BSDs
Directly ripping a quote: "Features like Ports, Capsicum, CARP, ZFS and DTrace were stable on BSDs before their Linux versions, and some of those are far more usable on BSD. Features like pf are still BSD-only. FreeBSD has GELI and ipfw and is "GCC free". DragonflyBSD has HAMMER and kernel performance tuning. OpenBSD have upstream pf and their gamut of security features, as well as a general emphasis on simplicity."
And "Over the years, the BSDs have clearly shown their worth in the nix ecosystem by pioneering new features and driving adoption of others. The most recent on OpenBSD were 2038 support and LibreSSL. FreeBSD still arguably rules the FOSS storage space with ZFS."
Some other users share their switching experiences - worth a read ***

More g2k14 hackathon reports

Following up from last week's huge list of hackathon reports, we have a few more
Landry Breuil spent some time with Ansible testing his infrastructure, worked on the firefox port and tried to push some of their patches upstream
Andrew Fresh enjoyed his first hackathon, pushing OpenBSD's perl patches upstream and got tricked into rewriting the adduser utility in perl
Ted Unangst did his usual "teduing" (removing of) old code - say goodbye to asa, fpr, mkstr, xstr, oldrdist, fsplit, uyap and bluetooth
Luckily we didn't have to cover 20 new ones this time! ***

BSDTalk episode 243

The newest episode of BSDTalk is out, featuring an interview with Ingo Schwarze of the OpenBSD team
The main topic of discussion is mandoc, which some users might not be familiar with
mandoc is a utility for formatting manpages that OpenBSD and NetBSD use (DragonFlyBSD and FreeBSD include it in their source tree, but it's not built by default)
We'll catch up to you soon, Will! ***

Feedback/Questions

Thomas writes in
Stephen writes in
Sha'ul writes in
Florian writes in
Bob Beck writes in - and note the "Caution" section that was added to libressl.org ***

47: DES Challenge IV

JT Pennington — Wed, 23 Jul 2014 08:00:00 -0400

Coming up this week on the show! We've got an interview with Dag-Erling Smørgrav, the current security officer of FreeBSD, to discuss what exactly being in such an important position is like. The latest news, answers to your emails and even some LibreSSL drama, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

g2k14 hackathon reports

Nearly 50 OpenBSD developers gathered in Ljubljana, Slovenia from July 8-14 for a hackathon
Lots of work got done - in just the first two weeks of July, there were over 1000 commits to their CVS tree
Some of the developers wrote in to document what they were up to at the event
Bob Beck planned to work on kernel stuff, but then "LibreSSL happened" and he spent most of his time working on that
Miod Vallat also tells about his LibreSSL experiences
Brent Cook, a new developer, worked mainly on the portable version of LibreSSL (and we'll be interviewing him next week!)
Henning Brauer worked on VLAN bpf and various things related to IPv6 and network interfaces (and he still hates IPv6)
Martin Pieuchot fixed some bugs in the USB stack, softraid and misc other things
Marc Espie improved the package code, enabling some speed ups, fixed some ports that broke with LibreSSL and some of the new changes and also did some work on ensuring snapshot consistency
Martin Pelikan integrated read-only ext4 support
Vadim Zhukov did lots of ports work, including working on KDE4
Theo de Raadt created a new, more secure system call, "sendsyslog" and did a lot of work with /etc, sysmerge and the rc scripts
Paul Irofti worked on the USB stack, specifically for the Octeon platform
Sebastian Benoit worked on relayd filters and IPv6 code
Jasper Lievisse Adriaanse did work with puppet, packages and the bootloader
Jonathan Gray imported newer Mesa libraries and did a lot with Xenocara, including work in the installer for autodetection
Stefan Sperling fixed a lot of issues with wireless drivers
Florian Obser did many things related to IPv6
Ingo Schwarze worked on mandoc, as usual, and also rewrote the openbsd.org man.cgi interface
Ken Westerback hacked on dhclient and dhcpd, and also got dump working on 4k sector drives
Matthieu Herrb worked on updating and modernizing parts of xenocara ***

FreeBSD pf discussion takes off

Concerns from last week, about FreeBSD's packet filter being old and unmaintained, seemed to have finally sparked some conversation about the topic on the "questions" and "current" mailing lists (unfortunately people didn't always use reply-all so you have to cross-reference the two lists to follow the whole conversation sometimes)
Straight from the SMP FreeBSD pf maintainer: "no one right now [is actively developing pf on FreeBSD]"
Searching for documentation online for pf is troublesome because there are two incompatible syntaxes
FreeBSD's pf man pages are lacking, and some of FreeBSD's documentation still links to OpenBSD's pages, which won't work anymore - possibly turning away would-be BSD converts because it's frustrating
There's also the issue of importing patches from pfSense, but most of those still haven't been done either
Lots of disagreement among developers vs. users...
Many users are very vocal about wanting it updated, saying the syntax change is no big deal and is worth the benefits - developers aren't interested
Henning Brauer, the main developer of pf on OpenBSD, has been very nice and offered to help the other BSDs get their pf fixed on multiple occasions
Gleb Smirnoff, author of the FreeBSD-specific SMP patches, questions Henning's claims about OpenBSD's improved speed as "uncorroborated claims" (but neither side has provided any public benchmarks)
Gleb had to abandon his work on FreeBSD's pf because funding ran out ***

LibreSSL progress update

LibreSSL's first few portable releases have come out and they're making great progress, releasing 2.0.3 two days ago
Lots of non-OpenBSD people are starting to contribute, sending in patches via the tech mailing list
However, there has already been some drama... with Linux users
There was a problem with Linux's PRNG, and LibreSSL was unforgiving of it, not making an effort to randomize something that could not provide real entropy
This "problem" doesn't affect OpenBSD's native implementation, only the portable version
The developers decide to weigh in to calm the misinformation and rage
A fix was added in 2.0.2, and Linux may even get a new system call to handle this properly now - remember to say thanks, guys
Ted Unangst has a really good post about the whole situation, definitely check it out
As a follow-up from last week, bapt says they're working on building the whole FreeBSD ports tree against LibreSSL, but lots of things still need some patching to work properly - if you're a port maintainer, please test your ports against it ***

Preparation for NetBSD 7

The release process for NetBSD 7.0 is finally underway
The netbsd-7 CVS branch should be created around July 26th, which marks the start of the first beta period, which will be lasting until September
If you run NetBSD, that'll be a great time to help test on as many platforms as you can (this is especially true on custom embedded applications)
They're also looking for some help updating documentation and fixing any bugs that get reported
Another formal announcement will be made when the beta binaries are up ***

Interview - Dag-Erling Smørgrav - des@freebsd.org / @RealEvilDES

The role of the FreeBSD Security Officer, recent ports features, various topics

News Roundup

BSDCan ports and packages WG

Back at BSDCan this year, there was a special event for discussion of FreeBSD ports and packages
Bapt talked about package building, poudriere and the systems the foundation funded for compiling packages
There's also some detail about the signing infrastructure and different mirrors
Ports people and source people need to talk more often about ABI breakage
The post also includes information about pkg 1.3, the old pkg tools' EOL, the quarterly stable package sets and a lot more (it's a huge post!) ***

Cross-compiling ports with QEMU and poudriere

With recent QEMU features, you can basically chroot into a completely different architecture
This article goes through the process of building ARMv6 packages on a normal X86 box
Note though that this requires 10-STABLE or 11-CURRENT and an extra patch for QEMU right now
The poudriere-devel port now has a "qemu user" option that will pull in all the requirements
Hopefully this will pave the way for official pkgng packages on those lesser-used architectures ***

Cloning FreeBSD with ZFS send

For a FreeBSD mail server that MWL runs, he wanted to have a way to easily restore the whole system if something were to happen
This post shows his entire process in creating a mirror machine, using ZFS for everything
The "zfs send" and "zfs snapshot" commands really come in handy for this
He does the whole thing from a live CD, pretty impressive ***

FreeBSD Overview series

A new blog series we stumbled upon about a Linux user switching to BSD
In part one, he gives a little background on being "done with Linux distros" and documents his initial experience getting and installing FreeBSD 10
He was pleasantly surprised to be able to use ZFS without jumping through hoops and doing custom kernels
Most of what he was used to on Linux was already in the default FreeBSD (except bash...)
Part two documents his experiences with pkgng and ports ***

Feedback/Questions

45: ZFS War Stories

JT Pennington — Wed, 09 Jul 2014 08:00:00 -0400

This week Allan is at BSDCam in the UK, so we'll be back with a regular episode next week. For now though, here's an interview with Josh Paetzel about some crazy experiences he's had with ZFS.

This episode was brought to you by

Interview - Josh Paetzel - josh@ixsystems.com / @bsdunix4ever

Crazy ZFS stories, network protocols, server hardware

44: Base ISO 100

JT Pennington — Wed, 02 Jul 2014 08:00:00 -0400

This time on the show, we'll be sitting down to talk with Craig Rodrigues about Jenkins and the FreeBSD testing infrastructure. Following that, we'll show you how to roll your own OpenBSD ISOs with all the patches already applied... ISO can't wait! This week's news and answers to all your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

pfSense 2.1.4 released

The pfSense team has released 2.1.4, shortly after 2.1.3 - it's mainly a security release
Included within are eight security fixes, most of which are pfSense-specific
OpenSSL, the WebUI and some packages all need to be patched (and there are instructions on how to do so)
It also includes a large number of various other bug fixes
Update all your routers! ***

DragonflyBSD's pf gets SMP

While we're on the topic of pf...
Dragonfly patches their old[er than even FreeBSD's] pf to support multithreading in many areas
Stemming from a user's complaint, Matthew Dillon did his own work on pf to make it SMP-aware
Altering your configuration's ruleset can also help speed things up, he found
When will OpenBSD, the source of pf, finally do the same? ***

ChaCha usage and deployment

A while back, we talked to djm about some cryptography changes in OpenBSD 5.5 and OpenSSH 6.5
This article is sort of an interesting follow-up to that, showing which projects have adopted ChaCha20
OpenSSH offers it as a stream cipher now, OpenBSD uses it for it's random number generator, Google offers it in TLS for Chromium and some of their services and lots of other projects seem to be adopting it
Both Google's fork of OpenSSL and LibReSSL have upcoming implementations, while vanilla OpenSSL does not
Unfortunately, this article has one mistake: FreeBSD does not use it - they still use the broken RC4 algorithm ***

BSDMag June 2014 issue

The monthly online BSD magazine releases their newest issue
This one includes the following articles: TLS hardening, setting up a package cluster in MidnightBSD, more GIMP tutorials, "saving time and headaches using the robot framework for testing," an interview and an article about the increasing number of security vulnerabilities
The free pdf file is available for download as always ***

Interview - Craig Rodrigues - rodrigc@freebsd.org

FreeBSD's continuous testing infrastructure

Tutorial

Creating pre-patched OpenBSD ISOs

News Roundup

Preauthenticated decryption considered harmful

Responding to a post from Adam Langley, Ted Unangst talks a little more about how signify and pkg_add handle signatures
In the past, the OpenBSD installer would pipe the output of ftp straight to tar, but then verify the SHA256 at the end - this had the advantage of not requiring any extra disk space, but raised some security concerns
With signify, now everything is fully downloaded and verified before tar is even invoked
The pkg_add utility works a little bit differently, but it's also been improved in this area - details in the post
Be sure to also read the original post from Adam, lots of good information ***

FreeBSD 9.3-RC2 is out

As the -RELEASE inches closer, release candidate 2 is out and ready for testing
Since the last one, it's got some fixes for NIC drivers, the latest file and libmagic security fixes, some serial port workarounds and various other small things
The updated bsdconfig will use pkgng style packages now too
A lesser known fact: there are also premade virtual machine images you can use too ***

pkgsrcCon 2014 wrap-up

In what may be the first real pkgsrcCon article we've ever had!
Includes wrap-up discussion about the event, the talks, the speakers themselves, what they use pkgsrc for, the hackathon and basically the whole event
Unfortunately no recordings to be found... ***

PostgreSQL FreeBSD performance and scalability

FreeBSD developer kib@ writes a report on PostgreSQL on FreeBSD, and how it scales
On his monster 40-core box with 1TB of RAM, he runs lots of benchmarks and posts the findings
Lots of technical details if you're interested in getting the best performance out of your hardware
It also includes specific kernel options he used and the rest of the configuration
If you don't want to open the pdf file, you can use this link too ***

Feedback/Questions

43: Package Design

JT Pennington — Wed, 25 Jun 2014 08:00:00 -0400

It's a big show this week! We'll be interviewing Marc Espie about OpenBSD's package system and build cluster. Also, we've been asked many times "how do I keep my BSD box up to date?" Well, today's tutorial should finally answer that. Answers to all your emails and this week's headlines, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

EuroBSDCon 2014 talks and schedule

The talks and schedules for EuroBSDCon 2014 are finally revealed
The opening keynote is called "FreeBSD, looking forward to another 10 years" by jkh
Lots of talks spanning FreeBSD, OpenBSD and PCBSD, and we finally have a few about NetBSD and DragonflyBSD too! Variety is great
It looks like Theo even has a talk, but the title isn't on the page... how mysterious
There are also days dedicated to some really interesting tutorials
Register now, the conference is on September 25-28th in Bulgaria
If you see Allan and Kris walking towards you and you haven't given us an interview yet... well you know what's going to happen
Why aren't the videos up from last year yet? Will this year also not have any? ***

FreeNAS vs NAS4Free

More mainstream news covering BSD, this time with an article about different NAS solutions
In a possibly excessive eight-page article, Ars Technica discusses the pros and cons of both FreeNAS and NAS4Free
Both are based on FreeBSD and ZFS of course, but there are more differences than you might expect
Discusses the different development models, release cycles, features, interfaces and ease-of-use factor of each project
"One is pleasantly functional; the other continues devolving during a journey of pain" - uh oh, who's the loser? ***

Quality software costs money, heartbleed was free

PHK writes an article for ACM Queue about open source software projects' funding efforts
A lot of people don't realize just how widespread open source software is - TVs, printers, gaming consoles, etc
The article discusses ways to convince your workplace to fund open source efforts, then goes into a little bit about FreeBSD and Varnish's funding
The latest heartbleed vulnerability should teach everyone that open source projects are critical to the internet, and need people actively maintaining them
On that subject, "Earlier this year the OpenSSL Heartbleed bug laid waste to Internet security, and there are still hundreds of thousands of embedded devices of all kinds—probably your television among them—that have not been and will not ever be software-upgraded to fix it. The best way to prevent that from happening again is to avoid having bugs of that kind go undiscovered for several years, and the only way to avoid that is to have competent people paying attention to the software"
Consider donating to your favorite BSD foundation (or buying cool shirts and CDs!) and keeping the ecosystem alive ***

Geoblock evasion with pf and OpenBSD rdomains

Geoblocking is a way for websites to block visitors based on the location of their IP
This is a blog post about how to get around it, using pf and rdomains
It has the advantage of not requiring any browser plugins or DNS settings on the users' computers, you just need to be running OpenBSD on your router (hmm, if only a website had a tutorial about that...)
In this post, the author wanted to get an American IP address, since the service he was using (Netflix) is blocked in Australia
It's got all the details you need to set up a VPN-like system and bypass those pesky geographic filters ***

Interview - Marc Espie - espie@openbsd.org / @espie_openbsd

OpenBSD's package system, building cluster, various topics

Tutorial

Keeping your BSD up to date

News Roundup

BoringSSL and LibReSSL

Yet another OpenSSL fork pops up, this time from Google, called BoringSSL
Adam Langley has a blog post about it, why they did it and how they're going to maintain it
You can easily browse the source code
Theo de Raadt also weighs in with how this effort relates to LibReSSL
More eyes on the code is good, and patches will be shared between the two projects ***

More BSD Tor nodes wanted

Friend of the show bcallah posts some news to the Tor-BSD mailing list about monoculture in the Tor network being both bad and dangerous
Originally discussed on the Tor-Relays list, it was made apparent that having such a large amount of Linux nodes weakens the security of the whole network
If one vulnerability is found, a huge portion of the network would be useless - we need more variety in the network stacks, crypto, etc.
The EFF is also holding a Tor challenge for people to start up new relays and keep them online for over a year
Check out our Tor tutorial and help out the network, and promote BSD at the same time! ***

FreeBSD 10 OpenStack images

OpenStack, to quote Wikipedia, is "a free and open-source software cloud computing platform. It is primarily deployed as an infrastructure as a service (IaaS) solution."
The article goes into detail about creating a FreeBSD instant, installing and converting it for use with "bsd-cloudinit"
The author of the article is a regular listener and emailer of the show, hey! ***

BSDday 2014 call for papers

BSD Day, a conference not so well-known, is going to be held August 9th in Argentina
It was created in 2008 and is the only BSD conference around that area
The "call for papers" was issued, so if you're around Argentina and use BSD, consider submitting a talk
Sysadmins, developers and regular users are, of course, all welcome to come to the event ***

Feedback/Questions

42: Devious Methods

JT Pennington — Wed, 18 Jun 2014 08:00:00 -0400

Coming up this week, we'll be showing you how to chain SSH connections, as well as some cool tricks you can do with it. Going along with that theme, we also have an interview with Bryce Chidester about running a BSD-based shell provider. News, emails and cowsay turkeys, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

PIE and ASLR in FreeBSD update

A status update for Shawn Webb's ASLR and PIE work for FreeBSD
One major part of the code, position-independent executable support, has finally been merged into the -CURRENT tree
"FreeBSD has supported loading PIEs for a while now, but the applications in base weren't compiled as PIEs. Given that ASLR is useless without PIE, getting base compiled with PIE support is a mandatory first step in proper ASLR support"
If you're running -CURRENT, just add "WITH_PIE=1" to your /etc/src.conf and /etc/make.conf
The next step is working on the ASLR coding style and getting more developers to look through it
Shawn will also be at EuroBSDCon (in September) giving an updated version of his BSDCan talk about ASLR ***

Misc. pfSense news

Couple of pfSense news items this week, including some hardware news
Someone's gotta test the pfSense hardware devices before they're sold, which involves powering them all on at least once
To make that process faster, they're building a controllable power board (and include some cool pics)
There will be more info on that device a bit later on
On Friday, June 27th, there will be another video session (for paying customers only...) about virtualized firewalls
pfSense University, a new paid training course, was also announced
A single two-day class costs $2000, ouch ***

ZFS stripe width

A new blog post from Matt Ahrens about ZFS stripe width
"The popularity of OpenZFS has spawned a great community of users, sysadmins, architects and developers, contributing a wealth of advice, tips and tricks, and rules of thumb on how to configure ZFS. In general, this is a great aspect of the ZFS community, but I’d like to take the opportunity to address one piece of misinformed advice"
Matt goes through different situations where you would set up your zpool differently, each with their own advantages and disadvantages
He covers best performance on random IOPS, best reliability, and best space efficiency use cases
It includes a lot of detail on each one, including graphs, and addresses some misconceptions about different RAID-Z levels' overhead factor ***

FreeBSD 9.3-BETA3 released

The third BETA in the 9.3 release cycle is out, we're slowly getting closer to the release
This is expected to be the final BETA, next will come the RCs
There have mostly just been small bug fixes since BETA2, but OpenSSL was also updated and the arc4random code was updated to match what's in -CURRENT (but still isn't using ChaCha20)
The FreeBSD foundation has a blog post about it too
There's a list of changes between 9.2 and 9.3 as well, but we'll be sure to cover it when the -RELEASE hits ***

Interview - Bryce Chidester - brycec@devio.us / @brycied00d

Running a BSD shell provider

Tutorial

Chaining SSH connections

News Roundup

My FreeBSD adventure

A Slackware user from the "linux questions" forum decides to try out BSD, and documents his initial impressions and findings
After ruling out PCBSD due to the demanding hardware requirements and NetBSD due to "politics" (whatever that means, his words) he decides to start off with FreeBSD 10, but also mentions trying OpenBSD later on
In his forum post, he covers the documentation (and how easy it makes it for a switcher), dual booting, packages vs ports, network configuration and some other little things
So far, he seems to really enjoy BSD and thinks that it makes a lot of sense compared to Linux
Might be an interesting, ongoing series we can follow up on later ***

Even more BSDCan trip reports

BSDCan may be over until next year, but trip reports are still pouring in
This time we have a summary from Li-Wen Hsu, who was paid for by the FreeBSD foundation
He's part of the "Jenkins CI for FreeBSD" group and went to BSDCan mostly for that
Nice long post about all of his experiences at the event, definitely worth a read
He even talks about... the food ***

FreeBSD disk partitioning

For his latest book series on FreeBSD's GEOM system, MWL asked the hackers mailing list for some clarification
This erupted into a very long discussion about fdisk vs gnop vs gpart
So you don't have to read the 500 mailing list posts, he's summarized the findings in a blog post
It covers MBR vs GPT, disk sector sizes and how to handle all of them with which tools ***

BSD Router Project version 1.51

A new version of the BSD Router Project has been released, 1.51
It's now based on FreeBSD 10-STABLE instead of 10.0-RELEASE
Includes lots of bugfixes and small updates, as well as some patches from pfSense and elsewhere
Check the sourceforge page for the complete list of changes
Bad news... the minimum disk size requirement has increased to 512MB... getting pretty bloated ***

Feedback/Questions

41: Commit This Bit

JT Pennington — Wed, 11 Jun 2014 08:00:00 -0400

This week in the big show, we'll be interviewing Benedict Reuschling of the FreeBSD documentation team, and he has a special surprise in store for Allan. As always, answers to your questions and all the latest news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD moves to Bugzilla

Historically, FreeBSD has used the old GNATS system for keeping track of bug reports
After years and years of wanting to switch, they've finally moved away from GNATS to Bugzilla
It offers a lot of advantages, is much more modern and actively maintained and
There's a new workflow chart for developers to illustrate the new way of doing things
The old "send-pr" command will still work for the time being, but will eventually be phased out in favor of native Bugzilla reporting tools (of which there are multiple in ports)
This will hopefully make reporting bugs a lot less painful ***

DIY NAS: EconoNAS 2014

We previously covered this blog last year, but the 2014 edition is up
More of a hardware-focused article, the author details the parts he's using for a budget NAS
Details the motherboard, RAM, CPU, hard drives, case, etc
With a set goal of $500 max, he goes just over it - $550 for all the parts
Lots of nice pictures of the hardware and step by step instructions for assembly, as well as software configuration instructions ***

DragonflyBSD 3.8 released

Justin announced the availability of DragonflyBSD 3.8.0
Binaries in /bin and /sbin are dynamic now, enabling the use of PAM and NSS to manage user accounts
It includes a new HAMMER FS backup script and lots of FreeBSD tools have been synced with their latest versions
Work continues on for the Intel graphics drivers, but it's currently limited to the HD4000 and Ivy Bridge series
See the release page for more info and check the link for source-based upgrade instructions ***

OpenZFS European conference 2014

There was an OpenZFS conference held in Europe recently, and now the videos are online for your viewing pleasure
Matt Ahrens, Introduction
Michael Alexander, FhGFS performance on ZFS
Andriy Gapon, Testing ZFS on FreeBSD
Luke Marsden, HybridCluster: ZFS in the cloud
Vadim Comănescu, Syneto: continuously delivering a ZFS-based OS
Chris George, DDRdrive ZIL accelerator: random write revelation
Grenville Whelan, High-Availability
Phil Harman, Harman Holistic
Mark Rees, Storiant and OpenZFS
Andrew Holway, EraStor ZFS appliances
Dan Vâtca, Syneto and OpenZFS
Luke Marsden, HybridCluster and OpenZFS
Matt Ahrens, Delphix and OpenZFS
Check the link for slides and other goodies ***

Interview - Benedict Reuschling - bcr@freebsd.org

BSD documentation, getting commit access, unix education, various topics

News Roundup

Getting to know your portmgr, Steve Wills

"It is my pleasure to introduce Steve Wills, the newest member of the portmgr team"
swills is an all-round good guy, does a lot for ports (especially the ruby ports)
In this interview, we learn why he uses FreeBSD, the most embarrassing moment in his FreeBSD career and much more
He used to work for Red Hat, woah ***

BSDTalk episode 242

This time on BSDTalk, Will interviews Chris Buechler from pfSense
Topics include: the heartbleed vulnerability and how it affected pfSense, how people usually leave their firewalls unpatched for a long time (or even forget about them!), changes between major versions, the upgrade process, upcoming features in their 10-based version, backporting drivers and security fixes
They also touch on recent concerns in the pfSense community about their license change, that they may be "going commercial" and closing the source - so tune in to find out what their future plans are for all of that ***

Turn old PC hardware into a killer home server

Lots of us have old hardware lying around doing nothing but collecting dust
Why not turn that old box into a modern file server with FreeNAS and ZFS?
This article goes through the process of setting up a NAS, gives a little history behind the project and highlights some of the different protocols FreeNAS can use (NFS, SMB, AFS, etc)
Most of our users are already familiar with all of this stuff, nothing too advanced
Good to see BSD getting some well-deserved attention on a big mainstream site ***

Unbloating the VAX install CD

After a discussion on the VAX mailing list, something very important came to the attention of the developers...
You can't boot NetBSD on a VAX box with 16MB of RAM from the CD image
This blog post goes through the developer's adventure in trying to fix that through emulation and stripping various things out of the kernel to make it smaller
In the end, he got it booting - and now all three VAX users who want to run NetBSD can do so on their systems with 16MB of RAM... ***

Feedback/Questions

40: AirPorts & Packages

JT Pennington — Wed, 04 Jun 2014 08:00:00 -0400

On this week's episode, we'll be giving you an introductory guide on OpenBSD's ports and package system. There's also a pretty fly interview with Karl Lehenbauer, about how they use FreeBSD at FlightAware. Lots of interesting news and answers to all your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

BSDCan 2014 talks and reports, part 2

More presentations and trip reports are still being uploaded
Ingo Schwarze, New Trends in mandoc
Vsevolod Stakhov, The Architecture of the New Solver in pkg
Julio Merino, The FreeBSD Test Suite
Zbigniew Bodek, Transparent Superpages for FreeBSD on ARM
There's also a trip report from Michael Dexter and another (very long and detailed) trip report from our friend Warren Block that even gives us some linkage, thanks! ***

Beyond security, getting to know OpenBSD's real purpose

Michael W Lucas (who, we learn through this video, has been using BSD since 1986) gave a "webcast" last week, and the audio and slides are finally up
It clocks in at just over 30 minutes, managing to touch on a lot of OpenBSD topics
Some of those topics include: what is OpenBSD and why you should care, the philosophy of the project, how it serves as a "pressure cooker for ideas," briefly touches on GPL vs BSDL, their "do it right or don't do it at all" attitude, their stance on NDAs and blobs, recent LibreSSL development, some of the security functions that OpenBSD enabled before anyone else (and the ripple effect that had) and, of course, their disturbing preference for comic sans
Here's a direct link to the slides
Great presentation if you'd like to learn a bit about OpenBSD, but also contains a bit of information that long-time users might not know too ***

FreeBSD vs Linux, a comprehensive comparison

Another blog post covering something people seem to be obsessed with - FreeBSD vs Linux
This one was worth mentioning because it's very thorough in regards to how things are done behind the scenes, not just the usual technical differences
It highlights the concept of a "core team" and their role vs "contributors" and "committers" (similar to a presentation Kirk McKusick did not long ago)
While a lot of things will be the same on both platforms, you might still be asking "which one is right for me?" - this article weighs in with some points for both sides and different use cases
Pretty well-written and unbiased article that also mentions areas where Linux might be better, so don't hate us for linking it ***

Expand FreeNAS with plugins

One of the things people love the most about FreeNAS (other than ZFS) is their cool plugin framework
With these plugins, you can greatly expand the feature set of your NAS via third party programs
This page talks about a few of the more popular ones and how they can be used to improve your NAS or media box experience
Some examples include setting up an OwnCloud server, Bacula for backups, Maraschino for managing a home theater PC, Plex Media Server for an easy to use video experience and a few more
It then goes into more detail about each of them, how to actually install plugins and then how to set them up ***

Interview - Karl Lehenbauer - karl@flightaware.com / @flightaware

FreeBSD at FlightAware, BSD history, various topics

Tutorial

Ports and packages in OpenBSD

News Roundup

Code review culture meets FreeBSD

In most of the BSDs, changes need to be reviewed by more than one person before being committed to the tree
This article describes Phabricator, an open source code review system that we briefly mentioned last week
Instructions for using it are on the wiki
While not approved by the core team yet for anything official, it's in a testing phase and developers are encouraged to try it out and get their patches reviewed
Just look at that fancy interface!! ***

Upcoming BSD books

Sneaky MWL somehow finds his way into both our headlines and the news roundup
He gives us an update on the next BSD books that he's planning to release
The plan is to release three (or so) books based on different aspects of FreeBSD's storage system(s) - GEOM, UFS, ZFS, etc.
This has the advantage of only requiring you to buy the one(s) you're specifically interested in
"When will they be released? When I'm done writing them. How much will they cost? Dunno."
It's not Absolute FreeBSD 3rd edition... ***

CARP failover and high availability on FreeBSD

If you're running a cluster or a group of servers, you should have some sort of failover in place
But the question comes up, "how do you load balance the load balancers!?"
This video goes through the process of giving more than one machine the same IP, how to set up CARP, securing it and demonstrates a node dying
Also mentions DNS-based load balancing as another option ***

PCBSD weekly digest

This time in PCBSD land, we're getting ready for the 10.0.2 release (ISOs here)
AppCafe got a good number of fixes, and now shows 10 random highlighted applications
EasyPBI added a "bulk" mode to create PBIs of an entire FreeBSD port category
Lumina, the new desktop environment, is still being worked on and got some bug fixes too ***

Feedback/Questions

39: The Friendly Sandbox

JT Pennington — Wed, 28 May 2014 08:00:00 -0400

This time on the show we'll be talking with Jon Anderson about Capsicum and Casper to securely sandbox processes. After that, our tutorial will show you how to encrypt all your DNS lookups, either on a single system or for your whole network. News, emails and all the usual fun, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

BSDCan 2014 talks and reports

The majority of the BSDCan talks are finally uploaded, so prepare to be flooded with links
Karl Lehenbauer's keynote (he's on next week's episode)
Mariusz Zaborski and Pawel Jakub Dawidek, Capsicum and Casper (relevant to today's interview)
Luigi Rizzo, In-kernel OpenvSwitch on FreeBSD
Dwayne Hart, Migrating from Linux to FreeBSD for Backend Data Storage
Warner Losh, NAND Flash and FreeBSD
Simon Gerraty, FreeBSD bmake and Meta Mode
Bob Beck, LibreSSL - The First 30 Days
Henning Brauer, OpenBGPD Turns 10 Years Old
Arun Thomas, BSD ARM Kernel Internals
Peter Hessler, Using BGP for Realtime Spam Lists
Pedro Giffuni, Features and Status of FreeBSD's Ext2 Implementation
Matt Ahrens, OpenZFS Upcoming Features and Performance Enhancements
Daichi Goto, Shellscripts and Commands
Benno Rice, Keeping Current
Sean Bruno, MIPS Router Hacking
John-Mark Gurney, Optimizing GELI Performance
Patrick Kelsey, Userspace Networking with libuinet
Massimiliano Stucchi, IPv6 Transitioning Mechanisms
Roger Pau Monné, Taking the Red Pill
Shawn Webb, Introducing ASLR in FreeBSD
There's also a trip report from Peter Hessler and one from Julio Merino
The latter report also talks about how, unfortunately, NetBSD basically had no presence in the event at all (and how that's a recurring trend) ***

Defend your network and privacy with a VPN and OpenBSD

After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems - this could also be used with Tor (but it would be very slow)
It also includes a few general privacy tips, recommended browser extensions, etc
The intro to the article is especially great, so give the whole thing a read
He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you're watching! ***

You should try FreeBSD

In this blog post, the author talks a bit about how some Linux people aren't familiar with the BSDs and how we can take steps to change that
He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
Possibly the most useful part is how to address the question "my server already works, why bother switching?"
"Stackoverflow’s answers assume I have apt-get installed"
It includes mention of the great documentation, stability, ports, improved security and much more
A takeaway quote for would-be Linux switchers: "I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before" ***

OpenBSD and the little Mauritian contributor

This is a story about a guy from Mauritius named Logan, one of OpenBSD's newest developers
Back in 2010, he started sending in patched for OpenBSD's "mg" editor, among other small things, and eventually added file transfer resume support for SFTP
The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back ***

Interview - Jon Anderson - jonathan@freebsd.org

Capsicum and Casperd

Tutorial

Encrypting DNS lookups

News Roundup

FreeBSD Journal, May 2014 issue

The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read ***

LibreSSL porting update

Since the last LibreSSL post we covered, a couple unofficial "portable" versions have died off
Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly - stop doing that!
This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good ***

BSDMag May 2014 issue is out

The usual monthly release from BSDMag, covering a variety of subjects
This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
It's a free PDF, go grab it ***

BSDTalk episode 241

A new episode of BSDTalk is out, this time with Bob Beck
He talks about the OpenBSD foundation's recent activities, his own work in the project, some stories about the hardware in Theo's basement and a lot more
The interview itself isn't about LibreSSL at all, but they do touch on it a bit too
Really interesting stuff, covers a lot of different topics in a short amount of time ***

Feedback/Questions

We got a number of replies about last week's VPN question, so thanks to everyone who sent in an email about it - the vpnc package seems to be what we were looking for
Tim writes in
AJ writes in
Peter writes in
Thomas writes in
Martin writes in ***

38: A BUG's Life

JT Pennington — Wed, 21 May 2014 08:00:00 -0400

We're back from BSDCan! This week on the show we'll be chatting with Brian Callahan and Aaron Bieber about forming a local BSD users group. We'll get to hear their experiences of running one and maybe encourage some of you to start your own! After that, we've got a tutorial on the basics of NetBSD's package manager, pkgsrc. Answers to your emails and the latest headlines, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD 11 goals and discussion

Something that actually happened at BSDCan this year...
During the FreeBSD devsummit, there was some discussion about what changes will be made in 11.0-RELEASE
Some of MWL's notes include: the test suite will be merged to 10-STABLE, more work on the MIPS platforms, LLDB getting more attention, UEFI boot and install support
A large list of possibilities was also included and open for discussion, including AES-GCM in IPSEC, ASLR, OpenMP, ICC, in-place kernel upgrades, Capsicum improvements, TCP performance improvements and A LOT more
There's also some notes from the devsummit virtualization session, mostly talking about bhyve
Lastly, he also provides some notes about ports and packages and where they're going ***

An SSH honeypot with OpenBSD and Kippo

Everyone loves messing with script kiddies, right?
This blog post introduces Kippo, an SSH honeypot tool, and how to use it in combination with OpenBSD
It includes a step by step (or rather, command by command) guide and some tips for running a honeypot securely
You can use this to get new 0day exploits or find weaknesses in your systems
OpenBSD makes a great companion for security testing tools like this with all its exploit mitigation techniques that protect all running applications ***

NetBSD foundation financial report

The NetBSD foundation has posted their 2013 financial report
It's a very "no nonsense" page, pretty much only the hard numbers
In 2013, they got $26,000 of income in donations
The rest of the page shows all the details, how they spent it on hardware, consulting, conference fees, legal costs and everything else
Be sure to donate to whichever BSDs you like and use! ***

Building a fully-encrypted NAS with OpenBSD

Usually the popular choice for a NAS system is FreeNAS, or plain FreeBSD if you know what you're doing
This article takes a look at the OpenBSD side and explains how to build a NAS with security in mind
The NAS will be fully encrypted, no separate /boot partition like FreeBSD and FreeNAS require - this means the kernel itself is even protected
The obvious trade-off is the lack of ZFS support for storage, but this is an interesting idea that would fit most people's needs too
There's also a bit of background information on NAS systems in general, some NAS-specific security tips and even some nice graphs and pictures of the hardware - fantastic write up! ***

Interview - Brian Callahan & Aaron Bieber - admin@lists.nycbug.org & admin@cobug.org

Forming a local BSD Users Group

Tutorial

The basics of pkgsrc

News Roundup

FreeBSD periodic mails vs. monitoring

If you've ever been an admin for a lot of FreeBSD boxes, you've probably noticed that you get a lot of email
This page tells about all the different alert emails, cron emails and other reports you might end up getting, as well as how to manage them
From bad SSH logins to Zabbix alerts, it all adds up quickly
It highlights the periodic.conf file and FreeBSD's periodic daemon, as well as some third party monitoring tools you can use to keep track of your servers ***

Doing cool stuff with OpenBSD routing domains

A blog post from our viewer and regular emailer, Kjell-Aleksander!
He manages some internally-routed IP ranges at his work, but didn't want to have equipment for each separate project
This is where OpenBSD routing domains and pf come in to save the day
The blog post goes through the process with all the network details you could ever dream of
He even named his networking equipment... after us ***

LibreSSL, the good and the bad

We're all probably familiar with OpenBSD's fork of OpenSSL at this point
However, "for those of you that don't know it, OpenSSL is at the same time the best and most popular SSL/TLS library available, and utter junk"
This article talks about some of the cryptographic development challenges involved with maintaining such a massive project
You need cryptographers, software engineers, software optimization specialists - there are a lot of roles that need to be filled
It also mentions some OpenSSL alternatives and recent LibreSSL progress, as well as some downsides to the fork - the main one being their aim for backwards compatibility ***

PCBSD weekly digest

Lots going on in PCBSD land this week, AppCafe has been redesigned
The PBI system is being replaced with pkgng, PBIs will be automatically converted once you update
In the more recent post, there's some further explanation of the PBI system and the reason for the transition
It's got lots of details on the different ways to install software, so hopefully it will clear up any possible confusion ***

Feedback/Questions

37: BSDCanned Goods

JT Pennington — Wed, 14 May 2014 08:00:00 -0400

This week we're at BSDCan, ganging up on people and forcing them to give us interviews. Assuming we don't get arrested for harassment, we'll be back next week with your regularly scheduled programming. For now, we've got some feedback emails to catch up on, as well as a prerecorded talk Matt Ahrens gave about ZFS. We'll be back to tell you all about the conference next week, on BSD Now - the place to B.. SD.

This episode was brought to you by

Presentation - Matthew Ahrens - matt@mahrens.org / @mahrens1

OpenZFS discussion

Feedback/Questions

36: Let's Get RAID

JT Pennington — Wed, 07 May 2014 08:00:00 -0400

This week on the show we'll be showing you how to set up RAID arrays in both FreeBSD and OpenBSD. There's also an interview with David Chisnall - of the FreeBSD core team - about the switch to Clang and a lot more. As usual, we'll be dropping the latest news and answering your emails, so sit back and enjoy some BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

OpenBSD 5.5 released

If you ordered a CD set then you've probably had it for a little while already, but OpenBSD has formally announced the public release of 5.5
This is one of the biggest releases to date, with a very long list of changes and improvements
Some of the highlights include: time_t being 64 bit on all platforms, release sets and binary packages being signed with the new signify tool, a new autoinstall feature of the installer, SMP support on Alpha, a new AViiON port, lots of new hardware drivers including newer NICs, the new vxlan driver, relayd improvements, a new pf queue system for bandwidth shaping, dhcpd and dhclient fixes, OpenSMTPD 5.4.2 and all its new features, position-independent executables being default for i386, the RNG has been replaced with ChaCha20 as well as some other security improvements, FUSE support, tmpfs, softraid partitions larger than 2TB and a RAID 5 implementation, OpenSSH 6.6 with all its new features and fixes... and a lot more
The full list of changes is HUGE, be sure to read through it all if you're interested in the details
If you're doing an upgrade from 5.4 instead of a fresh install, pay careful attention to the upgrade guide as there are some very specific steps for this version
Also be sure to apply the errata patches on your new installations... especially those OpenSSL ones (some of which still aren't fixed in the other BSDs yet)
On the topic of errata patches, the project is now going to also send them out (signed) via the announce mailing list, a very welcome change
Congrats to the whole team on this great release - 5.6 is going to be even more awesome with "Libre"SSL and lots of other stuff that's currently in development ***

FreeBSD foundation funding highlights

The FreeBSD foundation posts a new update on how they're spending the money that everyone donates
"As we embark on our 15th year of serving the FreeBSD Project and community, we are proud of what we've done to help FreeBSD become the most innovative, reliable, and high-performance operation system"
During this spring, they want to highlight the new UEFI boot support and newcons
There's a lot of details about what exactly UEFI is and why we need it going forward
FreeBSD has also needed some updates to its console to support UTF8 and wide characters
Hopefully this series will continue and we'll get to see what other work is being sponsored ***

OpenSSH without OpenSSL

The OpenSSH team has been hard at work, making it even better, and now OpenSSL is completely optional
Since it won't have access to the primitives OpenSSL uses, there will be a trade-off of features vs. security
This version will drop support for legacy SSH v1, and the only two cryptographic algorithms supported are an in-house implementation of AES in counter mode and the new combination of the Chacha20 stream cipher with Poly1305 for packet integrity
Key exchange is limited to elliptic curve Diffie-Hellman and the newer Curve25519 KEXs
No support for RSA, DSA or ECDSA public keys - only Ed25519
It also includes a new buffer API and a set of wrappers to make it compatible with the existing API
Believe it or not, this was planned before all the heartbleed craziness
Maybe someday soon we'll have a mini-openssh-portable in FreeBSD ports and NetBSD pkgsrc, would be really neat ***

BSDMag's April 2014 issue is out

The free monthly BSD magazine has got a new issue available for download
This time the articles include: pascal on BSD, an introduction to revision control systems and configuration management, deploying NetBSD on AWS EC2, more GIMP tutorials, an AsiaBSDCon 2014 report and a piece about how easily credit cards are stolen online
Anyone can contribute to the magazine, just send the editors an email about what you want to write
No Linux articles this time around, good ***

Interview - David Chisnall - theraven@freebsd.org

The LLVM/Clang switch, FreeBSD's core team, various topics

Tutorial

RAID in FreeBSD and OpenBSD

News Roundup

BSDTalk episode 240

Our buddy Will Backman has uploaded a new episode of BSDTalk, this time with our other buddy GNN as the guest - mainly to talk about NTP and keeping reliable time
Topics include the specific details of crystals used in watches and computers to keep time, how temperature affects the quality, different sources of inaccuracy, some general NTP information, why you might want extremely precise time, different time sources (GPS, satellite, etc), differences in stratum levels, the problem of packet delay and estimating the round trip time, some of the recent NTP amplification attacks, the downsides to using UDP instead of TCP and... much more
GNN also talks a little about the Precision Time Protocol and how it's different than NTP
Two people we've interviewed talking to each other, awesome
If you're interested in NTP, be sure to see our tutorial too ***

m2k14 trip reports

We've got a few more reports from the recent OpenBSD hackathon in Morocco
The first one is from Antoine Jacoutot (who is a key GNOME porter and gave us the screenshots for the OpenBSD desktop tutorial)
"Since I always fail at actually doing whatever I have planned for a hackathon, this time I decided to come to m2k14 unprepared about what I was going to do"
He got lots of work done with ports and pushing GNOME-related patches back up to the main project, then worked on fixing ports' compatibility with LibreSSL
Speaking of LibreSSL, there's an article all would-be portable version writers should probably read and take into consideration
Jasper Adriaanse also writes about what he got done over there
He cleaned up and fixed the puppet port to work better with OpenBSD ***

Why you should use FreeBSD on your cloud VPS

Here we have a blog post from Atlantic, a VPS and hosting provider, about 10 reasons for using FreeBSD
Starts off with a little bit of BSD history for those who are unfamiliar with it and only know Linux and Windows
The 10 reasons are: community, stability, collaboration, ease of use, ports, security, ZFS, GEOM, sound and having lots of options
The post goes into detail about each of them and why FreeBSD makes a great choice for a VPS OS ***

PCBSD weekly digest

Big changes coming in the way PCBSD manages software
The PBI system, AppCafe and related tools are all going to use pkgng now
The AppCafe will no longer be limited to PBIs, so much more software will be easily available from the ports tree
New rating system coming soon and much more ***

Feedback/Questions

35: Puffy Firewall

JT Pennington — Wed, 30 Apr 2014 08:00:00 -0400

We're back again! On this week's packed show, we've got one of the biggest tutorials we've done in a while. It's an in-depth look at PF, OpenBSD's firewall, with some practical examples and different use cases. We'll also be talking to Peter Hansteen about the new edition of "The Book of PF." Of course, we've got news and answers to your emails too, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

ALTQ removed from PF

Kicking off our big PF episode...
The classic packet queueing system, ALTQ, was recently removed from OpenBSD -current
There will be a transitional phase between 5.5 and 5.6 where you can still use it by replacing the "queue" keyword with "oldqueue" in your pf.conf
As of 5.6, due about six months from now, you'll have to change your ruleset to the new syntax if you're using it for bandwidth shaping
After more than ten years, bandwidth queueing has matured quite a bit and we can finally put ALTQ to rest, in favor of the new queueing subsystem
This doesn't affect FreeBSD, PCBSD, NetBSD or DragonflyBSD since all of their PFs are older and maintained separately. ***

FreeBSD Quarterly Status Report

The quarterly status report from FreeBSD is out, detailing some of the project's ongoing tasks
Some highlights include the first "stable" branch of ports, ARM improvements (including SMP), bhyve improvements, more work on the test suite, desktop improvements including the new vt console driver and UEFI booting support finally being added
We've got some specific updates from the cluster admin team, core team, documentation team, portmgr team, email team and release engineering team
LOTS of details and LOTS of topics to cover, give it a read ***

OpenBSD's OpenSSL rewrite continues with m2k14

A mini OpenBSD hackathon begins in Morocco, Africa
You can follow the changes in the -current CVS log, but a lot of work is mainly going towards the OpenSSL cleaning
We've got two trip reports so far, hopefully we'll have some more to show you in a future episode
You can see some of the more interesting quotes from the tear-down or see everything
Apparently they are going to call the fork "LibreSSL" ....
What were the OpenSSL developers thinking? The RSA private key was used to seed the entropy!
We also got some mainstream news coverage and another post from Ted about the history of the fork
Definitely consider donating to the OpenBSD foundation, this fork will benefit all the other BSDs too ***

NetBSD 6.1.4 and 6.0.5 released

New updates for the 6.1 and 6.0 branches of NetBSD, focusing on bugfixes
The main update is - of course - the heartbleed vulnerability
Also includes fixes for other security issues and even a kernel panic... on Atari
Patch your Ataris right now, this is serious business ***

Interview - Peter Hansteen - peter@bsdly.net / @pitrh

The Book of PF: 3rd edition

Tutorial

BSD Firewalls: PF

News Roundup

New Xorg now the default in FreeBSD

For quite a while now, FreeBSD has had two versions of X11 in ports
The older, stable version was the default, but you could install a newer one by having "WITH_NEW_XORG" in /etc/make.conf
They've finally made the switch for 10-STABLE and 9-STABLE
Check this wiki page for more info ***

GSoC-accepted BSD projects

The Google Summer of Code team has got the list of accepted project proposals uploaded so we can see what's planned
OpenBSD's list includes DHCP configuration parsing improvements, systemd replacements, porting capsicum, GPT and UEFI support, and modernizing the DHCP daemon
The FreeBSD list was also posted
Theirs includes porting FreeBSD to the Android emulator, CTF in the kernel debugger, improved unicode support, converting firewall rules to a C module, pkgng improvements, MicroBlaze support, PXE fixes, bhyve caching, bootsplash and lots more
Good luck to all the students participating, hopefully they become full time BSD users ***

Complexity of FreeBSD VFS using ZFS as an example

HybridCluster posted the second part of their VFS and ZFS series
This new post has lots of technical details once again, definitely worth reading if you're a ZFS guy
Of course, also watch episode 24 for our interview with HybridCluster - they do really interesting stuff ***

PCBSD weekly digest

Preload has been ported over, it's a daemon that prefetches applications
PCBSD is developing their own desktop environment, Lumina (there's also an FAQ)
It's still in active development, but you can try it out by installing from ports
We'll be showing a live demo of it in a few weeks (when development settles down a bit)
Some kid in Australia subjects his poor mother to being on camera while she tries out PCBSD and gives her impressions of it ***

34: It's Gonna Get NASty

JT Pennington — Wed, 23 Apr 2014 08:00:00 -0400

This week, Allan's at a conference so we've got a short episode for you. We sat down with John Hixson to discuss FreeNAS development and all their future plans. The show will be back next week with a normal episode.

This episode was brought to you by

Interview - John Hixson - john@ixsystems.com / @bsdwhore

FreeNAS development

33: Certified Package Delivery

JT Pennington — Wed, 16 Apr 2014 08:00:00 -0400

This week, we sit down with Jim Brown from the BSD Certification group to talk about the BSD exams. Following that, we'll be showing you how to build OpenBSD binary packages in bulk, a la poudriere. There's a boatload of news and we've got answers to your questions, coming up on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

BSDCan schedule, speakers and talks

This year's BSDCan will kick off on May 14th in Ottawa
The list of speakers is also out
And finally the talks everyone's looking forward to
Lots of great tutorials and talks, spanning a wide range of topics of interest
Be sure to come by so you can and meet Allan and Kris in person and get BSDCan shirts ***

NYCBSDCon talks uploaded

The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
Jeff Rizzo's talk, "Releasing NetBSD: So Many Targets, So Little Time"
Dru Lavigne's talk, "ZFS Management Tools in FreeNAS and PC-BSD"
Scott Long's talk, "Serving one third of the Internet via FreeBSD"
Michael W. Lucas' talk, "BSD Breaking Barriers" ***

FreeBSD Journal, issue 2

The bi-monthly FreeBSD journal's second issue is out
Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
In less than two months, they've already gotten over 1000 subscribers! It's available on Google Play, iTunes, Amazon, etc
"We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD"
Check our interview with GNN for more information about the journal ***

OpenSSL, more like OpenSS-Hell

We mentioned this huge OpenSSL bug last week during all the chaos, but the aftermath is just as messy
There's been a pretty vicious response from security experts all across the internet and in all of the BSD projects - and rightfully so
We finally have a timeline of events
Reactions from ISC, PCBSD, Tarsnap, the Tor project, FreeBSD, NetBSD, oss-sec, PHK, Varnish and Akamai
pfSense released a new version to fix it
OpenBSD disabled heartbeat entirely and is very unforgiving of the IETF
Ted Unangst has two good write-ups about the issue and how horrible the OpenSSL codebase is
A nice quote from one of the OpenBSD lists: "Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL's bug tracker is only used to park bugs, not fix them"
Sounds like someone else was having fun with the bug for a while too
There's also another OpenSSL bug that OpenBSD patched - it allows an attacker to inject data from one connection into another
OpenBSD has also imported the most current version of OpenSSL and are ripping it apart from the inside out - we're seeing a fork in real time ***

Interview - Jim Brown - info@bsdcertification.org

The BSD Certification exams

Tutorial

Building OpenBSD binary packages in bulk

News Roundup

Portable signify

Back in episode 23 we talked with Ted Unangst about the new "signify" tool in OpenBSD
Now there's a (completely unofficial) portable version of it on github
If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems ***

Foundation goals and updates

The OpenBSD foundation has reached their 2014 goal of $150,000
You can check their activities and goals to see where the money is going
Remember that funding also goes to OpenSSH, which EVERY system uses and relies on everyday to protect their data
The FreeBSD foundation has kicked off their spring fundraising campaign
There's also a list of their activities and goals available to read through
Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet ***

PCBSD weekly digest

New PBI runtime that fixes stability issues and decreases load times
"Update Center" is getting a lot of development and improvements
Lots of misc. bug fixes and updates ***

Feedback/Questions

There's a reddit thread we wanted to highlight - a user wants to show his friend BSD and why it's great
Brad writes in
Sha'ul writes in
iGibbs writes in
Matt writes in ***

32: PXE Dust

JT Pennington — Wed, 09 Apr 2014 08:00:00 -0400

This week on the big show we'll be showing off OpenBSD's new "autoinstall" feature to do completely automatic, unattended installations. We also have an interview with Dru Lavigne about all the writing work she does for FreeBSD, PCBSD and FreeNAS. The latest headlines and answers to your emails, on BSD Now - it's the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD ASLR status update

Shawn Webb gives us a little update on his address space layout randomization work for FreeBSD
He's implemented execbase randomization for position-independent executables (which OpenBSD also just enabled globally in 5.5 on i386)
Work has also started on testing ASLR on ARM, using a Raspberry Pi
He's giving a presentation at BSDCan this year about his ASLR work
While we're on the topic of BSDCan... ***

BSDCan tutorials, improving the experience

Peter Hansteen writes a new blog post about his upcoming BSDCan tutorials
The tutorials are called "Building the network you need with PF, the OpenBSD packet filter" and "Transitioning to OpenBSD 5.5" - both scheduled to last three hours each
He's requesting anyone that'll be there to go ahead and contact him, telling him exactly what you'd like to learn
There's also a bit of background information about the tutorials and how he's looking to improve them
If you're interested in OpenBSD and going to BSDCan this year, hit him up ***

pkgsrc-2014Q1 released

The new stable branch of pkgsrc packages has been built and is ready
Python 3.3 is now a "first class citizen" in pkgsrc
14255 packages for NetBSD-current/x86_64, 11233 binary packages built with clang for FreeBSD 10/x86_64
There's a new release every three months, and remember pkgsrc works on MANY operating systems, not just NetBSD - you could even use pkgsrc instead of pkgng or ports if you were so inclined
They're also looking into signing packages ***

Only two holes in a heck of a long time, who cares?

A particularly vocal Debian user, a lost soul, somehow finds his way to the misc@ OpenBSD mailing list
He questions "what's the big deal" about OpenBSD's slogan being "Only two remote holes in the default install, in a heck of a long time!"
Luckily, the community and Theo set the record straight about why you should care about this
Running insecure applications on OpenBSD is actually more secure than running them on other systems, due to things like ASLR, PIE and all the security features of OpenBSD
It spawned a discussion about ease of management and Linux's poor security record, definitely worth reading ***

Interview - Dru Lavigne - dru@freebsd.org / @bsdevents

FreeBSD's documentation printing, documentation springs, various topics

Tutorial

Automatic, unattended OpenBSD installs with PXE

News Roundup

pfSense 2.1.1 released

A new version of pfSense is released, mainly to fix some security issues
Tracking some recent FreeBSD advisories, pfSense usually only applies the ones that would matter on a firewall or router
There are also some NIC driver updates and other things
Of course if you want to learn more about pfSense, watch episode 25
2.1.2 is already up for testing too ***

FreeBSD gets UEFI support

It looks like FreeBSD's battle with UEFI may be coming to a close?
Ed Maste committed a giant list of patches to enable UEFI support on x86_64
Look through the list to see all the details and information
Thanks FreeBSD foundation! ***

Ideas for the next DragonflyBSD release

Mr. Dragonfly release engineer himself, Justin Sherrill posts some of his ideas for the upcoming release
They're aiming for late May for the next version
Ideas include better support for running in a VM, pkgng fixes, documentation updates and PAM support
Gasp, they're even considering dropping i386 ***

PCBSD weekly digest

Lots of new PBI updates for 10.0, new runtime implementation
New support for running 32 bit applications in PBI runtime
New default CD and DVD player, umplayer
Latest GNOME 3 and Cinnamon merged, new edge package builds ***

Feedback/Questions

31: Edgy BSD Users

JT Pennington — Tue, 01 Apr 2014 08:00:00 -0400

This week we'll be talking to Richard Stallman about the upcoming GPLv4 and how it will protect our software from being stolen. After that, we'll show you how to recover from those pesky ZFS on Linux corruption issues, as well as some tips on how to explain to your boss that all the production boxes were compromised. Your questions and all the latest GNUs, on Linux Now - the place to Lin.. ux.

This episode was brought to you by

Headlines

Preorders for cool BSD stuff

The 2nd edition of The Design and Implementation of the FreeBSD Operating System is up for preorder
We talked to GNN briefly about it, but he and Kirk have apparently finally finished the book
"For many years, The Design and Implementation of the FreeBSD Operating System has been recognized as the most complete, up-to-date, and authoritative technical guide to FreeBSD's internal structure. Now, this definitive guide has been extensively updated to reflect all major FreeBSD improvements between Versions 5 and Versions 11"
OpenBSD 5.5 preorders are also up, so you can buy a CD set now
You can help support the project, and even get the -release of the OS before it's available publicly
5.5 is a huge release with lots of big changes, so now is the right time to purchase one of these - tell Austin we sent you! ***

pkgsrcCon 2014 CFP

This year's pkgsrcCon is in London, on June 21st and 22nd
There's a Call For Papers out now, so you can submit your talks
Anything related to pkgsrc is fine, it's pretty informal
Does anyone in the audience know if the talks will be recorded? This con is relatively unknown ***

BSDMag issue for March 2014

The monthly BSD magazine releases its newest issue
Topics this time include: deploying NetBSD using AWS EC2, creating a multi-purpose file server with NetBSD, DragonflyBSD as a backup server, more GIMP lessons, network analysis with wireshark and a general security article
The Linux article trend seems to continue... hmm ***

Non-ECC RAM in FreeNAS

We've gotten a few questions about ECC RAM with ZFS
Here we've got a surprising blog post about why someone did not go with ECC RAM for his NAS build
The article mentions the benefits of ECC and admits it is a better choice in nearly all instances, but unfortunately it's not very widespread in consumer hardware motherboards and it's more expensive
Regular RAM also has "special" issues with ZFS and pool corruption
Long post, so check out the whole thing if you've been considering your memory options and weighing the benefits ***

Interview - Pierre Pronchery - khorben@edgebsd.org / @khorben

EdgeBSD (slides)

Tutorial

Building an OpenBSD desktop

News Roundup

Getting to know your portmgr-lurkers

This week we get to hear from Frederic Culot, colut@
Originally an OpenBSD user from France, Frederic joined as a ports committer in 2010 and recently joined the portmgr lurkers team
"FreeBSD is also one of my sources of inspiration when it comes to how organizations behave and innovate, and I find it very interesting to compare FreeBSD with the for-profit companies I work for"
We get to find out a little bit about him, why he loves FreeBSD and what he does for the project ***

NetBSD on the Playstation 2

Who doesn't want to run NetBSD on their old PS2?
The PS2 port of NetBSD was sadly removed in 2009, but it has been revived
It's using a slightly unusual MIPS CPU that didn't have much GCC support
Hopefully a bootable kernel will be available soon ***

The FreeBSD Challenge update

Our friend from the Linux Foundation continues his FreeBSD switching journey
This time he starts off by discovering virtual machines suck at keeping accurate time, and some ports weren't working because of his clock being way off
After polling the IRC for help, he finally learns the difference between ntpdate and ntpd and both of their use cases
Maybe he should've just read our NTP tutorial! ***

PCBSD weekly digest

The mount tray icon got lots of updates and fixes
The faulty distribution server has finally been tracked down and... destroyed
New language localization project is in progress
Many many updates to ports and PBIs, new -STABLE builds ***

Feedback/Questions

30: Documentation is King

JT Pennington — Wed, 26 Mar 2014 08:00:00 -0400

Finally hit 30 episodes! Today we'll be chatting with Warren Block to discuss BSD documentation efforts and future plans. If you've ever wondered about the scary world of mailing lists, today's tutorial will show you the basics of how to get help and contribute back. There's lots to get to today, so sit back and enjoy some BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

OpenBSD on a Sun T5120

Our buddy Ted Unangst got himself a cool Sun box
Of course he had to write a post about installing and running OpenBSD on it
The post goes through some of the quirks and steps to go through in case you're interested in one of these fine SPARC machines
He's also got another post about OpenBSD on a Dell CS24-SC server ***

Bhyvecon 2014 videos are up

Like we mentioned last week, Bhyvecon was an almost-impromptu conference before AsiaBSDCon
The talks have apparently already been uploaded!
Subjects include Bhyve's past, present and future, OSv on Bhyve, a general introduction to the tool, migrating those last few pesky Linux boxes to virtualization
Lots more detail in the videos, so check 'em all out ***

Building a FreeBSD wireless access point

We've got a new blog post about creating a wireless access point with FreeBSD
After all the recent news of consumer routers being pwned like candy, it's time for people to start building BSD routers
The author goes through a lot of the process of getting one set up using good ol' FreeBSD
Using hostapd, he's able to share his wireless card in hostap mode and offer DHCP to all the clients
Plenty of config files and more messy details in the post ***

Switching from Synology to FreeNAS

The author has been considering getting a NAS for quite a while and documents his research
He was faced with the compromise of convenience vs. flexibility - prebuilt or DIY
After seeing the potential security issues with proprietary NAS devices, and dealing with frustration with trying to get bugs fixed, he makes the right choice
The post also goes into some detail about his setup, all the things he needed a NAS to do as well as all the advantages an open source solution would give ***

Interview - Warren Block - wblock@freebsd.org

FreeBSD's documentation project, igor, doceng

Tutorial

The world of BSD mailing lists

News Roundup

HAMMER2 work and notes

Matthew Dillon has posted some updated notes about the development of the new HAMMER version
The start of a cluster API was committed to the tree
There are also links to design document, a freemap design document, a changes list and a todo list ***

BSD Breaking Barriers

Our friend MWL gave a talk at NYCBSDCon about BSD "breaking barriers"
"What makes the BSD operating systems special? Why should you deploy your applications on BSD? Why does the BSD community keep growing, and why do Linux sites like DistroWatch say that BSD is where the interesting development work is happening? We'll cover the not-so-obvious reasons why BSD still stands tall after almost 40 years."
He also has another upcoming talk, (or "webcast") called "Beyond Security: Getting to Know OpenBSD's Real Purpose"
"OpenBSD is frequently billed as a high-security operating system. That's true, but security isn't the OpenBSD Project's main goal. This webcast will introduce systems administrators to OpenBSD, explain the project's mission, and discuss the features and benefits."
It's on May 27th and will hopefully be recorded ***

FreeBSD in a chroot

Finch, "FreeBSD running IN a CHroot," is a new project
It's a way to extend the functionality of restricted USB-based FreeBSD systems (FreeNAS, etc.)
All the details and some interesting use cases are on the github page
He really needs to change the project name though ***

PCBSD weekly digest

Lots of bugfixes for PCBSD coming down the tubes
LZ4 compression is now enabled by default on the whole pool
The latest 10-STABLE has been imported and builds are going
Also the latest GNOME and Cinnamon builds have been imported and much more ***

Feedback/Questions

Bostjan writes in (IRC suggests md5deep)
Don writes in
kaltheat writes in (We use R0DE Podcast microphones and Logitech C920 HD webcams)
Harri writes in ***

29: P.E.F.S.

JT Pennington — Wed, 19 Mar 2014 08:00:00 -0400

We're back from AsiaBSDCon! This week we'll be chatting with Gleb Kurtsou about some a filesystem-level encryption utility called PEFS. After that, we'll give you a step by step guide on how to actually use it. There's also the usual round of your questions and we've got a lot of news to catch up on, so stay tuned to BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Using OpenSSH Certificate Authentication

SSH has a not-so-often-talked-about authentication option in addition to passwords and keys: certificates - you can add certificates to any current authentication method you're using
They're not really that complex, there just isn't a lot of documentation on how to use them - this post tries to solve that
There's the benefit of not needing a known_hosts file or authorized_users file anymore
The post goes into a fair amount of detail about the differences, advantages and implications of using certificates for authentication ***

Back to FreeBSD, a new series

Similar to the "FreeBSD Challenge" blog series, one of our listeners will be writing about his switching BACK to FreeBSD journey
"So, a long time ago, I had a box which was running FreeBSD 4, running on a Pentium. 14 years later, I have decided to get back into FreeBSD, now at FreeBSD 10"
He's starting off with PCBSD since it's easy to get working with dual graphics
Should be a fun series to follow! ***

OpenBSD's recent experiments in package building

If you'll remember back to our poudriere tutorial, it lets you build FreeBSD binary packages in bulk - OpenBSD's version is called dpb
Marc Espie recently got some monster machines in russia to play with to help improve scaling of dpb on high end hardware
This article goes through some of his findings and plans for future versions that increase performance
We'll be showing a tutorial of dpb on the show in a few weeks ***

Securing FreeBSD with 2FA

So maybe you've set up two-factor authentication with gmail or twitter, but have you done it with your BSD box?
This post walks us through the process of locking down an ssh server with 2FA
With just a mobile phone and a few extra tools, you can enable two-factor auth on your BSD box and have just that little extra bit of protections ***

Interview - Gleb Kurtsou - gleb.kurtsou@gmail.com

PEFS (security audit results here)

Tutorial

Filesystem-based encryption with PEFS

News Roundup

BSDCan 2014 registration

Registration is finally open!
The prices are available along with a full list of presentations
Tutorial sessions for various topics as well
You have to go ***

Big changes for OpenBSD 5.6

Although 5.5 was just frozen and the release process has started, 5.6 is already looking promising
OpenBSD has, for a long time, included a heavily-patched version of Apache based on 1.3
They've also imported nginx into base a few years ago, but now have finally removed Apache
Sendmail is also no longer the default MTA, OpenSMTPD is the new default
Will BIND be removed next? Maybe so
They've also discontinued the hp300, mvme68k and mvme88k ports ***

Getting to know your portmgr lurkers

The "getting to know your portmgr" series makes its return
This time we get to talk with danfe@ (probably most known for being the nVidia driver maintainer, but he does a lot with ports)
How he got into FreeBSD? He "wanted a unix system that I could understand and that would not get bloated as time goes by"
Mentions why he's still heavily involved with the project and lots more ***

PCBSD weekly digest

Work has started to port Pulseaudio to PCBSD 10.0.1
There's a new "pc-mixer" utility being worked on for sound management as well
New PBIs, GNOME/Mate updates, Life Preserver fixes and a lot more
PCBSD 10.0.1 was released too ***

Feedback/Questions

28: Ghost of Partition

JT Pennington — Wed, 12 Mar 2014 08:00:00 -0400

This week we're at AsiaBSDCon, so it'll be a shorter episode. We've got an interview with Eric Turgeon, founder of the desktop-focused GhostBSD project. Haven't heard of GhostBSD? Well stay tuned then. There's also a really interesting tutorial on how to serially concatenate disks in NetBSD. We'll be back next week with a normal episode.

This episode was brought to you by

Interview - Eric Turgeon - ericturgeon@ghostbsd.org / @GhostBSD1

GhostBSD

Tutorial

Serially concatenating disks in NetBSD

Feedback/Questions

27: BSD Now vs. BSDTalk

JT Pennington — Wed, 05 Mar 2014 08:00:00 -0500

The long-awaited meetup is finally happening on today's show. We're going to be interviewing the original BSD podcaster, Will Backman, to discuss what he's been up to and what the future of BSD advocacy looks like. After that, we'll be showing you how to track (and even cross-compile!) the -CURRENT branch of NetBSD. We've got answers to user-submitted questions and the latest news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD and OpenBSD in GSOC2014

The Google Summer of Code is a way to encourage students to write code for open source projects and make some money
Both FreeBSD and OpenBSD were accepted, and we'd love for anyone listening to check out their GSOC pages
The FreeBSD wiki has a list of things that they'd be interested in someone helping out with
OpenBSD's want list was also posted
DragonflyBSD and NetBSD were sadly not accepted this year ***

Yes, you too can be an evil network overlord

A new blog post about monitoring your network using only free tools
OpenBSD is a great fit, and has all the stuff you need in the base system or via packages
It talks about the pflow pseudo-interface, its capabilities and relation to NetFlow (also goes well with pf)
There's also details about flowd and nfsen, more great tools to make network monitoring easy
If you're listening, Peter... stop ignoring our emails and come on the show! We know you're watching! ***

BSDMag's February issue is out

The theme is "configuring basic services on OpenBSD 5.4"
There's also an interview with Peter Hansteen (oh hey...)
Topics also include locking down SSH, a GIMP lesson, user/group management, and...
Linux and Solaris articles? Why?? ***

Changes in bcrypt

Not specific to any OS, but the OpenBSD team is updating their bcrypt implementation
There is a bug in bcrypt when hashing long passwords - other OSes need to update theirs too! (FreeBSD already has)
"The length is stored in an unsigned char type, which will overflow and wrap at 256. Although we consider the existence of affected hashes very rare, in order to differentiate hashes generated before and after the fix, we are introducing a new minor 'b'."
As long as you upgrade your OpenBSD system in order (without skipping versions) you should be ok going forward
Lots of specifics in the email, check the full thing ***

Interview - Will Backman - bitgeist@yahoo.com / @bsdtalk

The BSDTalk podcast, BSD advocacy, various topics

Tutorial

Tracking and cross-compiling -CURRENT (NetBSD)

News Roundup

X11 no longer needs root

Xorg has long since required root privileges to run the main server
With recent work from the OpenBSD team, now everything (even KMS) can run as a regular user
Now you can set the "machdep.allowaperture" sysctl to 0 and still use a GUI ***

OpenSSH 6.6 CFT

Shortly after the huge 6.5 release, we get a routine bugfix update
Test it out on as many systems as you can
Check the mailing list for the full bug list ***

Creating an OpenBSD USB drive

Since OpenBSD doesn't distribute any official USB images, here are some instructions on how to do it
Step by step guide on how you can make your very own
However, there's some recent emails that suggest official USB images may be coming soon... oh wait ***

PCBSD weekly digest

New PBI updates that allow separate ports from /usr/local
You need to rebuild pbi-manager if you want to try it out
Updates and changes to Life Preserver, App Cafe, PCDM ***

Feedback/Questions

26: Port Authority

JT Pennington — Wed, 26 Feb 2014 08:00:00 -0500

On today's show we have an interview with Joe Marcus Clark, one of the original portmgr members in FreeBSD, and one of the key GNOME porters. Keeping along with that topic, we have a FreeBSD ports tutorial for you as well. The latest news and answers to your BSD questions, right here on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Tailoring OpenBSD for an old, strange computer

The author of this article had an OmniBook 800CT, which comes with a pop-out mouse, black and white display, 32MB of RAM and a 133MHz CPU
Obviously he had to install some kind of BSD on it!
This post goes through all his efforts of trimming down OpenBSD to work on such a limited device
He goes through the trial and error of "compile, break it, rebuild, try again"
After cutting a lot out from the kernel, saving a precious megabyte here and there, he eventually gets it working ***

pkgsrcCon and BSDCan

pkgsrccon is "a technical conference for people working on the NetBSD Packages Collection, focusing on existing technologies, research projects, and works-in-progress in pkgsrc infrastructure"
This year it will be on June 21st and 22nd
The schedule is still being worked out, so if you want to give a talk, submit it
BSDCan's schedule was also announced
We'll be having presentations about ARM on NetBSD and FreeBSD, PF on OpenBSD, Capsicum and casperd, ASLR in FreeBSD, more about migrating from Linux to BSD, FreeNAS stuff and much more
Kris' presentation was accepted!
Tons of topics, look forward to the recorded versions of all of them hopefully! ***

Two factor auth with pushover

A new write-up from our friend Ted Unangst
Pushover is "a web hook to smartphone push notification gateway" - you sent a POST to a web server and it sends a code to your phone
His post goes through the steps of editing your login.conf and setting it all up to work
Now you can get a two factor authenticated login for ssh! ***

The status of GNOME 3 on BSD

It's no secret that the GNOME team is a Linux-obsessed bunch, almost to the point of being hostile towards other operating systems
OpenBSD keeps their GNOME 3 ports up to date very well, and Antoine Jacoutot writes about his work on that and how easy it is to use
This post goes through the process of how simple it is to get GNOME 3 set up on OpenBSD and even includes a screencast
A few recent posts from some GNOME developers show that they're finally working with the BSD guys to improve portability
The FreeBSD and OpenBSD teams are working together to bring the latest GNOME to all of us - it's a beautiful thing
This goes right along with our interview today! ***

Interview - Joe Marcus Clark - marcus@freebsd.org

The life and daily activities of portmgr, GNOME 3, Tinderbox, portlint, various topics

Tutorial

The FreeBSD Ports Collection

News Roundup

DragonflyBSD 3.8 goals and 3.6.1 release

The Dragonfly team is thinking about what should be in version 3.8
On their bug tracker, it lists some of the things they'd like to get done before then
In the meantime, 3.6.1 was released with lots of bugfixes ***

NYCBSDCon 2014 wrap-up piece

We've got a nice wrap-up titled "NYCBSDCon 2014 Heats Up a Cold Winter Weekend"
The author also interviews GNN about the conference
There's even a little "beginner introduction" to BSD segment
Includes a mention of the recently-launched journal and lots of pictures from the event ***

FreeBSD and Linux, a comparative analysis

GNN in yet another story - he gave a presentation at the NYLUG about the differences between FreeBSD and Linux
He mentions the history of BSD, the patch set and 386BSD, the lawsuit, philosophy and license differences, a complete system vs "distros," development models, BSD-only features and technologies, how to become a committer, overall comparisons, different hats and roles, the different bsds and their goals and actual code differences
Serves as a good introduction you can show your Linux friends ***

PCBSD CFT and weekly digest

Upgrade tools have gotten a major rewrite
You have to help test it, there is no choice! Read more here
How dare Kris be "unimpressed with" freebsd-update and pkgng!?
Various updates and fixes ***

Feedback/Questions

25: A Sixth pfSense

JT Pennington — Wed, 19 Feb 2014 08:00:00 -0500

We have a packed show for you this week! We'll sit down for an interview with Chris Buechler, from the pfSense project, to learn just how easy it can be to deploy a BSD firewall. We'll also be showing you a walkthrough of the pfSense interface so you can get an idea of just how convenient and powerful it is. Answers to your questions and the latest headlines, here on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

EuroBSDCon and AsiaBSDCon

This year, EuroBSDCon will be in September in Sofia, Bulgaria
They've got a call for papers up now, so everyone can submit the talks they want to present
There will also be a tutorial section of the conference
AsiaBSDCon will be next month, in March!
All the info about the registration, tutorials, hotels, timetable and location have been posted
Check the link for all the details on the talks - if you plan on going to Tokyo next month, hang out with Allan and Kris and lots of BSD developers! ***

FreeBSD 10 on Ubiquiti EdgeRouter Lite

The Ubiquiti EdgeRouter Lite is a router that costs less than $100 and has a MIPS CPU
This article goes through the process of installing and configuring FreeBSD on it to use as a home router
Lots of good pictures of the hardware and specific details needed to get you set up
It also includes the scripts to create your own images if you don't want to use the ones rolled by someone else
For such a cheap price, might be a really fun weekend project to replace your shitty consumer router
Of course if you're more of an OpenBSD guy, you can always see our tutorial for that too ***

Signed pkgsrc package guide

We got a request on IRC for more pkgsrc stuff on the show, and a listener provided a nice write-up
It shows you how to set up signed packages with pkgsrc, which works on quite a few OSes (not just NetBSD)
He goes through the process of signing packages with a public key and how to verify the packages when you install them
The author also happens to be an EdgeBSD developer ***

Big batch of OpenBSD hackathon reports

Five trip reports from the OpenBSD hackathon in New Zealand! In the first one, jmatthew details his work on fiber channel controller drivers, some octeon USB work and ARM fixes for AHCI
In the second, ketennis gets into his work with running interrupt handlers without holding the kernel lock, some SPARC64 improvements and a few other things
In the third, jsg updated libdrm and mesa and did various work on xenocara
In the fourth, dlg came with the intention to improve SMP support, but got distracted and did SCSI stuff instead - but he talks a little bit about the struggle OpenBSD has with SMP and some of the work he's done
In the fifth, claudio talks about some stuff he did for routing tables and misc. other things ***

Interview - Chris Buechler - cmb@pfsense.com / @cbuechler

pfSense

Tutorial

pfSense walkthrough

News Roundup

FreeBSD challenge continues

Our buddy from the Linux foundation continues his switching to BSD journey
In day 13, he covers some tips for new users, mentions trying things out in a VM first
In day 14, he starts setting up XFCE and X11, feels like he's starting over as a new Linux user learning the ropes again - concludes that ports are the way to go
In day 15, he finishes up his XFCE configuration and details different versions of ports with different names, as well as learns how to apply his first patch
In day 16, he dives into the world of FreeBSD jails! ***

BSD books in 2014

BSD books are some of the highest quality technical writings available, and MWL has written a good number of them
In this post, he details some of his plans for 2014
In includes at least one OpenBSD book, at least one FreeBSD book and...
Very strong possibility of Absolute FreeBSD 3rd edition (watch our interview with him)
Check the link for all the details ***

How to build FreeBSD/EC2 images

Our friend Colin Percival details how to build EC2 images in a new blog post
Most people just use the images he makes on their instances, but some people will want to make their own from scratch
You build a regular disk image and then turn it into an AMI
It requires a couple ports be installed on your system, but the whole process is pretty straightforward ***

PCBSD weekly digest

This time around we discuss how you can become a developer
Kris also details the length of supported releases
Expect lots of new features in 10.1 ***

Feedback/Questions

24: The Cluster & The Cloud

JT Pennington — Wed, 12 Feb 2014 08:00:00 -0500

This week on BSD Now... a wrap-up from NYCBSDCon! We'll also be talking to Luke Marsden, CEO of HybridCluster, about how they use BSD at large. Following that, our tutorial will show you how to securely share files with SFTP in a chroot. The latest news and answers to your questions, of course it's BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD 10 as a firewall

Back in 2012, the author of this site wrote an article stating you should avoid FreeBSD 9 for a firewall and use OpenBSD instead
Now, with the release of 10.0, he's apparently changed his mind and switched back over
It mentions the SMP version of pf, general performance advantages and more modern features
The author is a regular listener of BSD Now, hi Joe! ***

Network Noise Reduction Using Free Tools

Really long blog post, based on a BSDCan presentation, about fighting spam with OpenBSD
Peter Hansteen, author of the book of PF, goes through how he uses OpenBSD's spamd and other security features to combat spam and malware
He goes through his experiences with content filtering and disappointment with a certain proprietary vendor
Not totally BSD-specific, lots of people can enjoy the article - lots of virus history as well ***

FreeBSD ASLR patches submitted

So far, FreeBSD hasn't had Address Space Layout Randomization
ASLR is a nice security feature, see wikipedia for more information
With a giant patch from Shawn Webb, it might be integrated into a future version (after a vicious review from the security team of course)
We might have Shawn on the show to talk about it, but he's also giving a presentation at BSDCan about his work with ASLR ***

Old-style pkg_ tools retired

At last the old pkg_add tools are being retired in FreeBSD
pkgng is a huge improvement, and now portmgr@ thinks it's time to cut the cord on the legacy toolset
Ports aren't going away, and probably never will, but for binary package fans and new users that are used to things like apt, pkgng is the way to go
All pkg_ tools will be considered unsupported on September 1, 2014 - even on older branches ***

Interview - Luke Marsden - luke@hybridcluster.com / @lmarsden

BSD at HybridCluster

Tutorial

Filesharing with chrooted SFTP

News Roundup

FreeBSD on OpenStack

OpenStack is a cloud computing project
It consists of "a series of interrelated projects that control pools of processing, storage, and networking resources throughout a datacenter, able to be managed or provisioned through a web-based dashboard, command-line tools, or a RESTful API."
Until now, there wasn't a good way to run a full BSD instance on OpenStack
With a project in the vein of Colin Percival's AWS startup scripts, now that's no longer the case! ***

FOSDEM BSD videos

This year's FOSDEM had seven BSD presentations
The videos are slowly being uploaded for your viewing pleasure
Not all of the BSD ones are up yet, but by the time you're watching this they might be!
Check this directory for most of 'em
The BSD dev room was full, lots of interest in what's going on from the other communities ***

The FreeBSD challenge finally returns!

Due to prodding from a certain guy of a certain podcast, the "FreeBSD Challenge" series has finally resumed
Our friend from the Linux foundation picks up with day 11 and day 12 on his switching from Linux journey
This time he outlines the upgrade process of going from 9 to 10, using freebsd-update
There's also some notes about different options for upgrading ports and some extra tips ***

PCBSD weekly digest

After the big 10.0 release, the PCBSD crew is focusing on bug fixes for a while
During their "fine tuning phase" users are encouraged to submit any and all bugs via the trac system
Warden got some fixes and the package manager got some updates as well
Huge size reduction in PBI format ***

Feedback/Questions

23: Time Signatures

JT Pennington — Wed, 05 Feb 2014 08:00:00 -0500

On this week's episode, we'll be talking with Ted Unangst of the OpenBSD team about their new signing infrastructure. After that, we've got a tutorial on how to run your own NTP server. News, your feedback and even... the winner of our tutorial contest will be announced! So stay tuned to BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD foundation's 2013 fundraising results

The FreeBSD foundation finally counted all the money they made in 2013
$768,562 from 1659 donors
Nice little blog post from the team with a giant beastie picture
"We have already started our 2014 fundraising efforts. As of the end of January we are just under $40,000. Our goal is to raise $1,000,000. We are currently finalizing our 2014 budget. We plan to publish both our 2013 financial report and our 2014 budget soon."
A special thanks to all the BSD Now listeners that contributed, the foundation was really glad that we sent some people their way (and they mentioned us on Facebook) ***

OpenSSH 6.5 released

We mentioned the CFT last week, and it's finally here!
New key exchange using elliptic-curve Diffie Hellman in Daniel Bernstein's Curve25519 (now the default when both clients support it)
Ed25519 public keys are now available for host keys and user keys, considered more secure than DSA and ECDSA
Funny side effect: if you ONLY enable ed25519 host keys, all the compromised Linux boxes can't even attempt to login lol~
New bcrypt private key type, 500,000,000 times harder to brute force
Chacha20-poly1305 transport cipher that builds an encrypted and authenticated stream in one
Portable version already in FreeBSD -CURRENT, and ports
Lots more bugfixes and features, see the full release note or our interview with Damien
Work has already started on 6.6, which can be used without OpenSSL! ***

Crazed Ferrets in a Berkeley Shower

In 2000, MWL wrote an essay for linux.com about why he uses the BSD license: "It’s actually stood up fairly well to the test of time, but it’s fourteen years old now."
This is basically an updated version about why he uses the BSD license, in response to recent comments from Richard Stallman
Very nice post that gives some history about Berkeley, the basics of the BSD-style licenses and their contrast to the GNU GPL
Check out the full post if you're one of those people that gets into license arguments
The takeaway is "BSD is about making the world a better place. For everyone." ***

OpenBSD on BeagleBone Black

Beaglebone Blacks are cheap little ARM devices similar to a Raspberry Pi
A blog post about installing OpenBSD on a BBB from.. our guest for today!
He describes it as "everything I wish I knew before installing the newly renamed armv7 port on a BeagleBone Black"
It goes through the whole process, details different storage options and some workarounds
Could be a really fun weekend project if you're interested in small or embedded devices ***

Interview - Ted Unangst - tedu@openbsd.org / @tedunangst

OpenBSD's signify infrastructure, ZFS on OpenBSD

Tutorial

Running an NTP server

News Roundup

Getting started with FreeBSD

A new video and blog series about starting out with FreeBSD
The author has been a fan since the 90s and has installed it on every server he's worked with
He mentioned some of the advantages of BSD over Linux and how to approach explaining them to new users
The first video is the installation, then he goes on to packages and other topics - 4 videos so far ***

More OpenBSD hackathon reports

As a followup to last week, this time Kenneth Westerback writes about his NZ hackathon experience
He arrived with two goals: disklabel fixes for drives with 4k sectors and some dhclient work
This summary goes into detail about all the stuff he got done there ***

X11 in a jail

We've gotten at least one feedback email about running X in a jail Well.. with this commit, looks like now you can!
A new tunable option will let jails access /dev/kmem and similar device nodes
Along with a change to DRM, this allows full X11 in a jail
Be sure to check out our jail tutorial and jailed VNC tutorial for ideas ***

PCBSD weekly digest

10.0 "Joule Edition" finally released!
AMD graphics are now officially supported
GNOME3, MATE and Cinnamon desktops are available
Grub updates and fixes
PCBSD also got a mention in eweek ***

Feedback/Questions

22: Journaled News-Updates

JT Pennington — Wed, 29 Jan 2014 08:00:00 -0500

This time on the show, we'll be talking with George Neville-Neil about the brand new FreeBSD Journal and what it's all about. After that, we've got a tutorial on how to track the -stable and -current branches of OpenBSD. Answers to all your BSD questions and the latest headlines, only on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD quarterly status report

Gabor Pali sent out the October-December 2013 status report to get everyone up to date on what's going on
The report contains 37 entries and is very very long... various reports from all the different teams under the FreeBSD umbrella, probably too many to even list in the show notes
Lots of work going on in the ARM world, EC2/Xen and Google Compute Engine are also improving
Secure boot support hopefully coming [by mid-year](www.itwire.com/business-it-news/open-source/62855-freebsd-to-support-secure-boot-by-mid-year)
There's quite a bit going on in the FreeBSD world, many projects happening at the same time ***

n2k14 OpenBSD Hackathon Report

Recently, OpenBSD held one of their hackathons in New Zealand
15 developers gathered there to sit in a room and write code for a few days
Philip Guenther brings back a nice report of the event
If you've been watching the -current CVS logs, you've seen the flood of commits just from this event alone
Fixes with threading, Linux compat, ACPI, and various other things - some will make it into 5.5 and others need more testing
Another report from Theo details his work
Updates to the random subsystem, some work-in-progress pf fixes, suspend/resume fixes and more signing stuff ***

Four new NetBSD releases

NetBSD released versions 6.1.3, 6.0.4, 5.2.2 and 5.1.4
These updates include lots of bug fixes and some security updates, not focused on new features
You can upgrade depending on what branch you're currently on
Confused about the different branches? See this graph. ***

The future of open source ZFS development

On February 11, 2014, Matt Ahrens will be giving a presentation about ZFS
The talk will be about the future of ZFS and the open source development since Oracle closed the code
It's in San Jose, California - go if you can! ***

Interview - George Neville-Neil - gnn@freebsd.org / @gvnn3

The FreeBSD Journal

Tutorial

Tracking -STABLE and -CURRENT (OpenBSD)

News Roundup

pfSense news and 2.1.1 snapshots

pfSense has some snapshots available for the upcoming 2.1.1 release
They include FreeBSD security fixes as well as some other updates
There are recordings posted of some of the previous hangouts
Unfortunately they're only for subscribers, so you'll have to wait until next month when we have Chris on the show to talk about pfSense! ***

FreeBSD on Google Compute Engine

Recently we mentioned some posts about getting OpenBSD to run on GCE, here's the FreeBSD version
Nice big fat warning: "The team has put together a best-effort posting that will get most, if not all, of you up and running. That being said, we need to remind you that FreeBSD is being supported on Google Compute Engine by the community. The instructions are being provided as-is and without warranty."
Their instructions are a little too Linuxy (assuming wget, etc.) for our taste, someone should probably get it updated!
Other than that it's a pretty good set of instructions on how to get up and running ***

Dragonfly ACPI update

Sascha Wildner committed some new ACPI code
There's also a "heads up" to update your BIOS if you experience problems
Check the mailing list post for all the details ***

PCBSD weekly digest

10.0-RC4 users need to upgrade all their packages for 10.0-RC5
PBIs needed to be rebuilt.. actually everything did
Help test GNOME 3 so we can get it in the official ports tree
By the way, I think Kris has an announcement - PCBSD 10.0 is out! ***

Feedback/Questions

21: Tendresse for Ten

JT Pennington — Wed, 22 Jan 2014 08:00:00 -0500

This time on the show, we've got some great news for OpenBSD, as well as the scoop on FreeBSD 10.0-RELEASE - yes it's finally here! We're gonna talk to Colin Percival about running FreeBSD 10 on EC2 and lots of other interesting stuff. After that, we'll be showing you how to do some bandwidth monitoring and network performance testing in a combo tutorial. We've got a round of your questions and the latest news, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD 10.0-RELEASE is out

The long awaited, giant release of FreeBSD is now official and ready to be downloaded
One of the biggest releases in FreeBSD history, with tons of new updates
Some features include: LDNS/Unbound replacing BIND, Clang by default (no GCC anymore), native Raspberry Pi support and other ARM improvements, bhyve, hyper-v support, AMD KMS, VirtIO, Xen PVHVM in GENERIC, lots of driver updates, ZFS on root in the installer, SMP patches to pf that drastically improve performance, Netmap support, pkgng by default, wireless stack improvements, a new iSCSI stack, FUSE in the base system... the list goes on and on
Start up your freebsd-update or do a source-based upgrade ***

OpenSSH 6.5 CFT

Our buddy Damien Miller announced a Call For Testing for OpenSSH 6.5
Huge, huge release, focused on new features rather than bugfixes (but it includes those too)
New ciphers, new key formats, new config options, see the mailing list for all the details
Should be in OpenBSD 5.5 in May, look forward to it - but also help test on other platforms! ***

DIY NAS story, FreeNAS 9.2.1-BETA

Another new blog post about FreeNAS!
Instead of updating the older tutorials, the author started fresh and wrote a new one for 2014
"I did briefly consider suggesting nas4free for the EconoNAS blog, since it’s essentially a fork off the FreeNAS tree but may run better on slower hardware, but ultimately I couldn’t recommend anything other than FreeNAS"
Really long article with lots of nice details about his setup, why you might want a NAS, etc.
Speaking of FreeNAS, they released 9.2.1-BETA with lots of bugfixes ***

OpenBSD needed funding for electricity.. and they got it

Briefly mentioned at the end of last week's show, but has blown up over the internet since
OpenBSD in the headlines of major tech news sites: slashdot, zdnet, the register, hacker news, reddit, twitter.. thousands of comments
They needed about $20,000 to cover electric costs for the server rack in Theo's basement
Lots of positive reaction from the community helping out so far, and it appears they have reached their goal and got $100,000 in donations
From Bob Beck: "we have in one week gone from being in a dire situation to having a commitment of approximately $100,000 in donations to the foundation"
This is a shining example of the BSD community coming together, and even the Linux people realizing how critical BSD is to the world at large ***

Interview - Colin Percival - cperciva@freebsd.org / @cperciva

FreeBSD on Amazon EC2, backups with Tarsnap, 10.0-RELEASE, various topics

Tutorial

Bandwidth monitoring and testing

News Roundup

pfSense talk at Tokyo FreeBSD Benkyoukai

Isaac Levy will be presenting "pfSense Practical Experiences: from home routers, to High-Availability Datacenter Deployments"
He's also going to be looking for help to translate the pfSense documentation into Japanese
The event is on February 17, 2014 if you're in the Tokyo area ***

m0n0wall 1.8.1 released

For those who don't know, m0n0wall is an older BSD-based firewall OS that's mostly focused on embedded applications
pfSense was forked from it in 2004, and has a lot more active development now
They switched to FreeBSD 8.4 for this new version
Full list of updates in the changelog
This version requires at least 128MB RAM and a disk/CF size of 32MB or more, oh no! ***

Ansible and PF, plus NTP

Another blog post from our buddy Michael Lucas
There've been some NTP amplification attacks recently in the news
The post describes how he configured ntpd on a lot of servers without a lot of work
He leverages pf and ansible for the configuration
OpenNTPD is, not surprisingly, unaffected - use it ***

ruBSD videos online

Just a quick followup from a few weeks ago
Theo and Henning's talks from ruBSD are now available for download
There's also a nice interview with Theo ***

PCBSD weekly digest

10.0-RC4 images are available
Wine PBI is now available for 10
9.2 systems will now be able to upgrade to version 10 and keep their PBI library ***

Feedback/Questions

20: Bhyve Mind

JT Pennington — Wed, 15 Jan 2014 08:00:00 -0500

It's our big 20th episode! We're going to sit down for a chat with Neel Natu and Peter Grehan, the developers of bhyve. Not familiar with bhyve? Our tutorial will show you all you need to know about this awesome new virtualization technology. Answers to your questions and all the latest news, here on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

OpenBSD automatic installation

A CFT (call for testing) was posted for OpenBSD's new automatic installer process
Using this new system, you can spin up fully-configured OpenBSD installs very quickly
It will answer all the questions for you and can put files into place and start services
Great for large deployments, help test it and report your findings ***

FreeNAS install guide and blog posts

A multipart series on YouTube about installing FreeNAS
In part 1, the guy (who is possibly Dracula, with his very Transylvanian accent..) builds his new file server and shows off the hardware
In part 2, he shows how to install and configure FreeNAS, uses IPMI, sets up his pools
He pronounces gigabytes as jiggabytes and it's hilarious
We've also got an unrelated blog post about a very satisfied FreeNAS user who details his setup
As well as another blog post from our old pal Devin Teske about his recent foray into the FreeNAS development world ***

FreeBSD 10.0-RC5 is out

Another, unexpected RC is out for 10.0
Minor fixes included, please help test and report any bugs
You can update via freebsd-update or from source
Hopefully this will be the last one before 10.0-RELEASE, which has tons of new features we'll talk about
It's been tagged -RELEASE in SVN already too! ***

OpenBSD 5.5-beta is out

Theo updated the branch status to 5.5-beta
A list of changes
Help test and report any bugs you find
Lots of rapid development with signify (which we mentioned last week), the beta includes some "test keys"
Does that mean it'll be part of the final release? We'll find out in May.. or when we interview Ted (soon) ***

Interview - Neel Natu & Peter Grehan - neel@freebsd.org & grehan@freebsd.org

BHyVe - the BSD hypervisor

Tutorial

Virtualization with bhyve

News Roundup

Hostname canonicalisation in OpenSSH

Blog post from our friend Damien Miller
This new feature allows clients to canonicalize unqualified domain names
SSH will know if you typed "ssh bsdnow" you meant "ssh bsdnow.tv" with new config options
This will help clean up some ssh configs, especially if you have many hosts
Should make it into OpenSSH 6.5, which is "due really soon" ***

Dragonfly on a Chromebook

Some work has been done by Matthew Dillon to get DragonflyBSD working on a Google Chromebook
These couple of posts detail some of the things he's got working so far
Changes were needed to the boot process, trackpad and wifi drivers needed updating...
Also includes a guide written by Dillon on how to get yours working ***

Spider in a box

"Spiderinabox" is a new OpenBSD-based project
Using a combination of OpenBSD, Firefox, XQuartz and VirtualBox, it creates a secure browsing experience for OS X
Firefox runs encapsulated in OpenBSD and doesn't have access to OS X in any way
The developer is looking for testers on other operating systems! ***

PCBSD weekly digest

PCBSD 10 has entered into the code freeze phase
They're focusing on fixing bugs now, rather than adding new features
The update system got a lot of improvements
PBI load times reduced by up to 40%! what!!! ***

Feedback/Questions

19: The Installfest

JT Pennington — Wed, 08 Jan 2014 08:00:00 -0500

We've got some special treats for you this week on the show. It's the long-awaited "installfest" segment, where we go through the installer of each of the different BSDs. Of course we also have your feedback and the latest news as well... and... we even have our very first viewer contest! There's a lot to get to today on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

FreeBSD's new testing infrastructure

A new test suite was added to FreeBSD, with 3 powerful machines available
Both -CURRENT and stable/10 have got the test suite build infrastructure in place
Designed to help developers test and improve major scalability across huge amounts of CPUs and RAM
More details available here
Could the iXsystems monster server be involved...? ***

OpenBSD gets signify

At long last, OpenBSD gets support for signed releases!
For "the world's most secure OS" it was very easy to MITM kernel patches, updates, installer isos, everything
A commit to the -current tree reveals a new "signify" tool is currently being kicked around
More details in a blog post from the guy who committed it
Quote: "yeah, briefly, the plan is to sign sets and packages. that's still work in progress." ***

Faces of FreeBSD

This time they interview Isabell Long
She's a volunteer staff member on the freenode IRC network
In 2011, she participated in the Google Code-In contest and became involved with documentation
"The new committer mentoring process proved very useful and that, plus the accepting community of FreeBSD, are reasons why I stay involved." ***

pkgsrc-2013Q4 branched

The quarterly pkgsrc branch from NetBSD is out
13472 total packages for NetBSD-current/amd64 + 13049 binary packages built with clang!
Lots of numbers and stats in the announcement
pkgsrc works on quite a few different OSes, not just NetBSD
See our interview with Amitai Schlair for a bit about pkgsrc ***

OpenBSD on Google's Compute Engine

Google Compute Engine is a "cloud computing" platform similar to EC2
Unfortunately, they only offer poor choices for the OS (Debian and CentOS)
Recently it's been announced that there is a custom OS option
It's using a WIP virtio-scsi driver, lots of things still need more work
Lots of technical and networking details about the struggles to get OpenBSD working on it ***

The Installfest

We'll be showing you the installer of each of the main BSDs. As of the date this episode airs, we're using:

FreeBSD 10.0
OpenBSD 5.4
NetBSD 6.1.2
DragonflyBSD 3.6
PCBSD 10.0 ***

News Roundup

Building an OpenBSD wireless access point

A neat write up we found around the internet about making an OpenBSD wifi router
Goes through the process of PXE booting, installing base, using a serial console, setting up networking and wireless
Even includes a puffy sticker on the Soekris box at the end, how cute ***

FreeBSD 4.X jails on 10.0

Blog entry from our buddy Michael Lucas
For whatever reason (an "in-house application"), he needed to run a FreeBSD 4 jail in FreeBSD 10
Talks about the options he had: porting software, virtualizing, dealing with slow old hardware
He goes through the whole process of making an ancient jail
It's "an acceptable trade-off, if it means I don’t have to touch actual PHP code." ***

Unscrewed: a story about OpenBSD

Pretty long blog post about how a network admin used OpenBSD to save the day
To set the tone, "It was 5am, and the network was down"
Great war story about replacing expensive routers and networking equipment with cheaper hardware and BSD
Mentions a lot of the built in tools and how OpenBSD is great for routers and high security applications ***

PCBSD weekly digest

10.0-RC3 is out and ready to be tested
New detection of ATI Hybrid Graphics, they're working on nVidia next
Re-classifying Linux jails as unsupported / experimental ***

Feedback/Questions

Daniel writes in
Erik writes in
SW writes in
[Bostjan writes in[(http://slexy.org/view/s20N9bfkum)
Samuel writes in ***

18: Eclipsing Binaries

JT Pennington — Wed, 01 Jan 2014 08:00:00 -0500

Put away the Christmas trees and update your ports trees! We're back with the first show of 2014, and we've got some catching up to do. This time on the show, we have an interview with Baptiste Daroussin about the future of FreeBSD binary packages. Following that, we'll be highlighting a cool script to do binary upgrades on OpenBSD. Lots of holiday news and listener feedback, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Faces of FreeBSD continues

Our first one details Shteryana Shopova, the local organizer for EuroBSDCon 2014 in Sophia
Gives some information about how she got into BSD
"I installed FreeBSD on my laptop, alongside the Windows and Slackware Linux I was running on it at the time. Several months later I realized that apart from FreeBSD, I hadn't booted the other two operating systems in months. So I wiped them out."
She wrote bsnmpd and extended it with the help of a grant from the FreeBSD Foundation
We've also got one for Kevin Martin
Started off with a pinball website, ended up learning about FreeBSD from an ISP and starting his own hosting company
"FreeBSD has been an asset to our operations, and while we have branched out a bit, we still primarily use FreeBSD and promote it whenever possible. FreeBSD is a terrific technology with a terrific community." ***

OpenPF?

A blog post over at the Dragonfly digest
What if we had some cross platform development of OpenBSD's firewall?
Similar to portable OpenSSH or OpenZFS, there could be a centrally-developed version with compatibility glue
Right now FreeBSD 9's pf is old, FreeBSD 10's pf is old (but has the best performance of any implementation due to custom patches), NetBSD's pf is old (but they're working on a fork) and Dragonfly's pf is old
Further complicated by the fact that PF itself doesn’t have a version number, since it was designed to just be ‘the pf that came with OpenBSD 5.4’
Not likely to happen any time soon, but it's good food for thought ***

Year of BSD on the server

A good blog post about switching servers from Linux to BSD
2014 is going to be the year of a lot of switching, due to FreeBSD 10's amazing new features
This author was particularly taken with pkgng and the more coherent layout of BSD systems
Similarly, there was also a recent reddit thread, "Why did you choose BSD over Linux?"
Both are excellent reads for Linux users that are thinking about making the switch, send 'em to your friends ***

Getting to know your portmgr

This time in the series they interview Bryan Drewery, a fairly new addition to the team
He started maintaining portupgrade and portmaster, and eventually ended up on the ports management team
Believe it or not, his wife actually had a lot to do with him getting into FreeBSD full-time
Lots of fun trivia and background about him
Speaking of portmgr, our interview for today is... ***

Interview - Baptiste Daroussin - bapt@freebsd.org

The future of FreeBSD's binary packages, ports' features, various topics

News Roundup

pfSense december hang out

Interview/presentation from pfSense developer Chris Buechler with an accompanying blog post
"This is the first in what will be a monthly recurring series. Each month, we’ll have a how to tutorial on a specific topic or area of the system, and updates on development and other happenings with the project. We have several topics in mind, but also welcome community suggestions on topics"
Speaking of pfSense, they recently opened an online store
We're planning on having a pfSense episode next month! ***

BSDMag December issue is out

The free monthly BSD magazine gets a new release for December
Topics include CARP on FreeBSD, more BSD programming, "unix basics for security professionals," some kernel introductions, using OpenBSD as a transparent proxy with relayd, GhostBSD overview and some stuff about SSH ***

OpenBSD gets tmpfs

In addition to the recently-added FUSE support, OpenBSD now has tmpfs
To get more testing, it was enabled by default in -current
Should make its way into 5.5 if everything goes according to plan
Enables lots of new possibilities, like our ccache and tmpfs guide ***

PCBSD weekly digests

Catching up with all the work going on in PCBSD land..
10.0-RC2 is now available
The big pkgng 1.2 problems seem to have been worked out ***

Feedback/Questions

17: The Gift of Giving

JT Pennington — Wed, 25 Dec 2013 08:00:00 -0500

Merry Christmas everyone! We're taking the holiday off and just have an interview for you today. We sat down with Scott Long to discuss using FreeBSD at Netflix and lots of other things. Next week we will return with the normal round of news and tutorials.

This episode was brought to you by

Interview - Scott Long - scottl@freebsd.org

FreeBSD at Netflix, OpenConnect, network performance, various topics

16: Cryptocrystalline

JT Pennington — Wed, 18 Dec 2013 08:00:00 -0500

This time on the show, we'll be showing you how to do a fully-encrypted installation of FreeBSD and OpenBSD. We also have an interview with Damien Miller - one of the lead developers of OpenSSH - about some recent crypto changes in the project. If you're into data security, today's the show for you. The latest news and all your burning questions answered, right here on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Secure communications with OpenBSD and OpenVPN

Starting off today's theme of encryption...
A new blog series about combining OpenBSD and OpenVPN to secure your internet traffic
Part 1 covers installing OpenBSD with full disk encryption (which we'll be doing later on in the show)
Part 2 covers the initial setup of OpenVPN certificates and keys
Parts 3 and 4 are the OpenVPN server and client configuration
Part 5 is some updates and closing remarks ***

FreeBSD Foundation Newsletter

The December 2013 semi-annual newsletter was sent out from the foundation
In the newsletter you will find the president's letter, articles on the current development projects they sponsor and reports from all the conferences and summits they sponsored
The president's letter alone is worth the read, really amazing
Really long, with lots of details and stories from the conferences and projects ***

Use of NetBSD with Marvell Kirkwood Processors

Article that gives a brief history of NetBSD and how to use it on an IP-Plug computer
The IP-Plug is a "multi-functional mini-server was developed by Promwad engineers by the order of AK-Systems. It is designed for solving a wide range of tasks in IP networks and can perform the functions of a computer or a server. The IP-Plug is powered from a 220V network and has low power consumption, as well as a small size (which can be compared to the size of a mobile phone charger)."
Really cool little NetBSD ARM project with lots of graphs, pictures and details ***

Experimenting with zero-copy network IO

Long blog post from Adrian Chadd about zero-copy network IO on FreeBSD
Discusses the different OS' implementations and options
He's able to get 35 gbit/sec out of 70,000 active TCP sockets, but isn't stopping there
Tons of details, check the full post ***

Interview - Damien Miller - djm@openbsd.org / @damienmiller

Cryptography in OpenBSD and OpenSSH

Tutorial

Full disk encryption in FreeBSD & OpenBSD

News Roundup

OpenZFS office hours

Our buddy George Wilson sat down to take some ZFS questions from the community
You can see more info about it here ***

License summaries in pkgng

A discussion between Justin Sherill and some NYCBUG guys about license frameworks in pkgng
Similar to pkgsrc's "ACCEPTABLE_LICENSES" setting, pkgng could let the user decide which software licenses he wants to allow
Maybe we could get a "pkg licenses" command to display the license of all installed packages
Ok bapt, do it ***

The FreeBSD challenge continues

Checking in with our buddy from the Linux foundation...
The switching from Linux to FreeBSD blog series continues for his month-long trial
Follow up from last week: "As a matter of fact, I did check out PC-BSD, and wanted the challenge. Call me addicted to pain and suffering, but the pride and accomplishment you feel from diving into FreeBSD is quite rewarding."
Since we last mentioned it, he's decided to go from a VM to real hardware, got all of his common software installed, experimented with the Linux emulation, set up virtualbox, learned about slices/partitions/disk management, found BSD alternatives to his regularly-used commands and lots more ***

Ports gets a stable branch

For the first time ever, FreeBSD's ports tree will have a maintained "stable" branch
This is similar to how pkgsrc does things, with a rolling release for updated software and stable branch for only security and big fixes
All commits to this branch require approval of portmgr, looks like it'll start in 2014Q1 ***

Feedback/Questions

15: Kickin' NAS

JT Pennington — Wed, 11 Dec 2013 08:00:00 -0500

This time on the show, we'll be looking at the new version of FreeNAS, a BSD-based network attached storage solution, as well as talking to Josh Paetzel - one of the key developers of FreeNAS. Actually, he's on the FreeBSD release engineering team too, and does quite a lot for the project. We've got answers to your viewer-submitted questions and plenty of news to cover, so get ready for some BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

More faces of FreeBSD

Another installment of the FoF series
This time they talk with Reid Linnemann who works at Spectra Logic
Gives a history of all the different jobs he's done, all the programming languages he knows
Mentions how he first learned about FreeBSD, actually pretty similar to Kris' story
"I used the system to build and install ports, and explored, getting actively involved in the mailing lists and forums, studying, passing on my own limited knowledge to those who could benefit from it. I pursued my career in the open source software world, learning the differences in BSD and GNU licensing and the fragmented nature of Linux distributions, realizing the FreeBSD community was more mature and well distributed about industry, education, and research. Everything steered me towards working with and on FreeBSD."
Now works on FreeBSD as his day job
The second one covers Brooks Davis
FreeBSD committer since 2001 and core team member from 2006 through 2012
He's helped drive our transition from a GNU toolchain to a more modern LLVM-based toolchain
"One of the reasons I like FreeBSD is the community involved in the process of building a principled, technically-advanced operating system platform. Not only do we produce a great product, but we have fun doing it."
Lots more in the show notes ***

We cannot trust Intel and Via’s chip-based crypto

We woke up to see FreeBSD on the front page of The Register, Ars Technica, Slashdot and Hacker News for their strong stance on security and respecting privacy
At the EuroBSDCon dev summit, there was some discussion about removing support for hardware-based random number generators.
FreeBSD's /dev/random got some updates and, for 10.0, will no longer allow the use of Intel or VIA's hardware RNGs as the sole point of entropy
"It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more" ***

OpenSMTPD 5.4.1 released

The OpenBSD developers came out with major a new version
Improved config syntax (please check your smtpd.conf before upgrading)
Adds support for TLS Perfect Forward Secrecy and custom CA certificate
MTA, Queue and SMTP server improvements
SNI support confirmed for the next version
Check the show notes for the full list of changes, pretty huge release
Watch Episode 3 for an interview we did with the developers ***

More getting to know your portmgr

The portmgr secretary, Thomas Abthorpe, interviews... himself!
Joined as -secretary in March 2010, upgraded to full member in March 2011
His inspiration for using BSD is "I wanted to run a webserver, and I wanted something free. I was going to use something linux, then met up with a former prof from university, and shared my story with him. He told me FreeBSD was the way to go."
Mentions how he loves that anyone can contribute and watch it "go live"
The second one covers Baptiste Daroussin
The reason for his nick, bapt, is "Baptiste is too long to type"
There's even a video of bapt joining the team! ***

Interview - Santa Clause - josh@ixsystems.com / @freenasteam

FreeNAS 9.2.0

Note: we originally scheduled the interview to be with Josh Paetzel, but Santa showed up instead.

Tutorial

FreeNAS walkthrough

News Roundup

Introducing configinit

CloudInit is "a system originally written for Ubuntu which performs configuration of a system at boot-time based on user-data provided via EC2"
Wasn't ideal for FreeBSD since it requires python and is designed around the concept of configuring a system by running commands (rather than editing configuration files)
Colin Percival came up with configinit, a FreeBSD alternative
Alongside his new "firstboot-pkgs" port, it can spin up a webserver in 120 seconds from "launch" of the EC2 instance
Check the show notes for full blog post ***

OpenSSH support for Ed25519 and bcrypt keys

New Ed25519 key support (hostkeys and user identities) using the public domain ed25519 reference code
SSH private keys were encrypted with a symmetric key that's just an MD5 of their password
Now they'll be using bcrypt by default
We'll get more into this in next week's interview ***

The FreeBSD challenge

A member of the Linux foundation blogs about using FreeBSD
Goes through all the beginner steps, has to "unlearn" some of his Linux ways
Only a few posts as of this time, but it's a continuing series that may be helpful for switchers ***

PCBSD weekly digest

GNOME3, cinnamon and mate desktops are in the installer
Compat layer updated to CentOS 6, enables newest Skype
Looking for people to test printers and hplip
Continuing work on grub, but the ability to switch between bootloaders is back ***

Feedback/Questions

14: Zettabytes for Days

JT Pennington — Wed, 04 Dec 2013 08:00:00 -0500

This week is the long-awaited episode you've been asking for! We'll be giving you a crash course on becoming a ZFS wizard, as well as having a chat with George Wilson about the OpenZFS project's recent developments. We have answers to your feedback emails and there are some great news items to get caught up on too, so stay tuned to BSD Now - the place to B.. SD.

Headlines

pkgng 1.2 released

bapt and bdrewery from the portmgr team released pkgng 1.2 final
New features include an improved build system, plugin improvements, new bootstrapping command, SRV mirror improvements, a new "pkg config" command, repo improvements, vuXML is now default, new fingerprint features and much more
Really simple to upgrade, check our pkgng tutorial if you want some easy instructions
It's also made its way into Dragonfly
See the show notes for the full list of new features and fixes ***

ChaCha20 and Poly1305 in OpenSSH

Damien Miller recently committed support for a new authenticated encryption cipher for OpenSSH, chacha20-poly1305
Long blog post explaining what these are and why we need them
This cipher combines two primitives: the ChaCha20 cipher and the Poly1305 MAC
RC4 is broken, we needed an authenticated encryption mode to complement AES-GCM that doesn't show the packet length in cleartext
Great explanation of the differences between EtM, MtE and EaM and their advantages
"Both AES-GCM and the EtM MAC modes have a small downside though: because we no longer desire to decrypt the packet as we go, the packet length must be transmitted in plaintext. This unfortunately makes some forms of traffic analysis easier as the attacker can just read the packet lengths directly." ***

Is it time to dump Linux and move to BSD

ITworld did an article about switching from Linux to BSD
The author's interest was sparked from a review he was reading that said "I feel the BSD communities, especially the FreeBSD-based projects, are where the interesting developments are happening these days. Over in FreeBSD land we have efficient PBI bundles, a mature advanced file system in the form of ZFS, new friendly and powerful system installers, a new package manager (pkgng), a powerful jail manager and there will soon be new virtualization technology coming with the release of FreeBSD 10.0"
The whole article can be summed up with "yes" - ok, next story! ***

OpenZFS devsummit videos

The OpenZFS developer summit discussion and presentation videos are up
People from various operating systems (FreeBSD, Mac OS X, illumos, etc.) were there to discuss ZFS on their platforms and the challenges they faced
Question and answer session from representatives of every OS - had a couple FreeBSD guys there including one from the foundation
Presentations both about ZFS itself and some hardware-based solutions for implementing ZFS in production
TONS of video, about 6 hours' worth
This leads us into our interview, which is... ***

Interview - George Wilson - wilzun@gmail.com / @zfsdude

OpenZFS

Tutorial

A crash course on ZFS

News Roundup

ruBSD 2013 information

The ruBSD 2013 conference will take place on Saturday December 14, 2013 at 10:30 AM in Moscow, Russia
Speakers include three OpenBSD developers, Theo de Raadt, Henning Brauer and Mike Belopuhov
Their talks are titled "The bane of backwards compatibility," "OpenBSD's pf: Design, Implementation and Future" and "OpenBSD: Where crypto is going?"
No word on if there will be video recordings, but we'll let you know if that changes ***

DragonFly roadmap, post 3.6

John Marino posted a possible roadmap for DragonFly, now that they're past the 3.6 release
He wants some third party vendor software updated from very old versions (WPA supplicant, bmake, binutils)
Plans to replace GCC44 with Clang, but GCC47 will probably be the primary compiler still
Bring in fixes and new stuff from FreeBSD 10 ***

BSDCan 2014 CFP

BSDCan 2014 will be held on May 16-17 in Ottawa, Canada
They're now accepting proposals for talks
If you are doing something interesting with a BSD operating system, please submit a proposal
We'll be getting lots of interviews there ***

casperd added to -CURRENT

"It (and its services) will be responsible forgiving access to functionality that is not available in capability modes and box. The functionality can be precisely restricted."
Lists some sysctls that can be controlled ***

ZFS corruption bug fixed in -CURRENT

Just a quick follow-up from last week, the ZFS corruption bug in FreeBSD -CURRENT was very quickly fixed, before that episode was even uploaded ***

Feedback/Questions

13: Bridging the Gap

JT Pennington — Wed, 27 Nov 2013 08:00:00 -0500

This week on the show, we sit down for an interview with Jordan Hubbard, one of the founders of the FreeBSD project - and the one who invented ports! Later in the show, we'll be showing you some new updates to the OpenBSD router tutorial from a couple weeks ago. We've also got news, your questions and even our first viewer-submitted video, right here on BSD Now.. the place to B.. SD.

Headlines

Getting to know your portmgr

In this interview they talk to one of the "Annoying Reminder Guys" - Erwin Lansing, the second longest serving member of FreeBSD's portmgr (also vice-president of the FreeBSD Foundation)
He actually maintains the .dk ccTLD
Describes FreeBSD as "the best well-hidden success story in operating systems, by now in the hands of more people than one can count and used by even more people, and not one of them knows it! It’s not only the best operating system currently around, but also the most supportive and inspiring community."
In the next one they speak with Martin Wilke (miwi@)
The usual, "what inspires you about FreeBSD" "how did you get into it" etc. ***

vBSDCon wrap-up compilation

Lots of write-ups about vBSDCon gathered in one place
Some from OpenBSD guys
Some from FreeBSD guys
Some from RootBSD
Some from iXsystems
Some from Verisign
And of course our own wrap-up chat in BSD Now Episode 009 ***

Faces of FreeBSD

This week they talk to Gábor Páli from Hungary
Talks about his past as a game programmer and how it got involved with FreeBSD
"I met János Háber, who admired the technical merits of FreeBSD and recommended it over the popular GNU/Linux distributions. I downloaded FreeBSD 4.3-RELEASE, found it reliable, consistent, easy to install, update and use."
He's been contributing since 2008 and does lots of work with Haskell in ports
He also organizes EuroBSDCon and is secretary of the FreeBSD Core Team ***

Dragonfly 3.6 released

dports now default instead of pkgsrc
Big SMP scaling improvements
Experimental i915 and KMS support
See our interview with Justin Sherrill if you want to hear (a lot) more about it - nearly an hour long ***

Interview - Jordan Hubbard - jkh@freebsd.org / @omgjkh

FreeBSD's founding and future

Tutorial

Building an OpenBSD router, part 2

Note: there was a mistake in the video version of the tutorial, please consult the written version for the proper instructions. ***

News Roundup

pfSense 2.1 on AWS EC2

We now have pfSense 2.1 available on Amazon’s Elastic Compute Cloud (EC2)
In keeping with the community spirit, they’re also offering a free "public" AMI
Check the FAQ and User Guide on their site for additional details
Interesting possibilities with pfSense in the cloud ***

Puffy on the desktop

Distrowatch, a primarily Linux-focused site, features an OpenBSD 5.4 review
They talk about using it on the desktop, how to set it up
Very long write-up, curious Linux users should give it a read
Ends with "Most people will still see OpenBSD as an operating system for servers and firewalls, but OpenBSD can also be used in desktop environments if the user doesn't mind a little manual work. The payoff is a very light, responsive system that is unlikely to ever misbehave" ***

Two-factor authentication with SSH

Blog post about using a yubikey with SSH public keys
Uses a combination of a OTP, BSDAuth and OpenBSD's login.conf, but it can be used with PAM on other systems as well
Allows for two-factor authentication (a la gmail) in case your private key is compromised
Anyone interested in an extra-hardened SSH server should give it a read ***

PCBSD weekly digest

10.0 has approximately 400 PBIs for public consumption
They will be merging the GNOME3, MATE and Cinnamon desktops into the 10.0 ports tree - please help test them, this is pretty big news in and of itself!
PCDM is coming along nicely, more bugs are getting fixed
Added ZFS dataset options to PCBSD’s new text installer front-end ***

Feedback/Questions

Ben writes in
Florian writes in
Zach writes in
Addison writes in
Adam writes in
Adam's BSD Router Project tutorial can be downloaded here. ***

12: Collecting SSHells

JT Pennington — Wed, 20 Nov 2013 08:00:00 -0500

This week we'll be talking to Amitai Schlair of the NetBSD foundation about pkgsrc, NetBSD's future plans and much more. After that, if you've ever wondered what all this SSH stuff is about, today's tutorial has got you covered. We'll be showing you the basics of SSH, as well as how to combine it with tmux for persistent sessions. News, feedback and everything else, right here on BSD Now - the place to B.. SD.

Headlines

Faces of FreeBSD

The FreeBSD foundation is publishing articles on different FreeBSD developers
This one is about Colin Percival (cperciva@), the ex-security officer
Tells the story of how he first found BSD, what he contributed back, how he eventually became the security officer
Running series with more to come ***

Lots of BSD presentation videos uploaded

EuroBSDCon 2013 dev summit videos, AsiaBSDCon 2013 videos, MWL's presentation video
Most of us never get to see the dev summit talks since they're only for developers
AsiaBSDCon 2013 videos also up finally
List of AsiaBSDCon presentation topics here
Our buddy Michael W Lucas gave an "OpenBSD for Linux users" talk at a Michigan Unix Users Group.
He says "Among other things, I compare OpenBSD to Richard Stallman and physically assault an audience member. We also talk long long time, memory randomization, PF, BSD license versus GPL, Microsoft and other OpenBSD stuff"
Really informative presentation, pretty long, answers some common questions at the end ***

Call for Presentations: FOSDEM 2014 and NYCBSDCon 2014

FOSDEM 2014 will take place on 1–2 February, 2014, in Brussels, Belgium
Just like in the last years, there will be both a BSD booth and a developer's room
The topics of the devroom include all BSD operating systems. Every talk is welcome, from internal hacker discussion to real-world examples and presentations about new and shiny features.
If you are in the area or want to go, check the show notes for details
NYCBSDCon is also accepting papers.
It'll be in New York City at the beginning of February 2014
If anyone wants to give a talk at one of these conferences, go ahead and send in your stuff! ***

FreeBSD foundation's year-end fundraising campaign

The FreeBSD foundation has been supporting the FreeBSD project and community for over 13 years
As of today they have raised about half a million dollars, but still have a while to go
Donations go towards new features, paying for the server infrastructure, conferences, supporting the community, hiring full-time staff members and promoting FreeBSD at events
They are preparing the debut of a new online magazine, the FreeBSD Journal
Typically big companies make their huge donations in December, like a couple of anonymous donors that gave around $250,000 each last year
Make your donation today over at freebsdfoundation.org, every little bit helps
Everyone involved with BSD Now made a donation last year and will do so again this year ***

Interview - Amitai Schlair - schmonz@netbsd.org / @schmonz

The NetBSD Foundation, pkgsrc, future plans

Tutorial

Combining SSH and tmux

Note: there was a mistake in the video version of the tutorial, please consult the written version for the proper instructions. ***

News Roundup

PS4 released

Sony's Playstation 4 is finally released
As previously thought, its OS is heavily based on FreeBSD and uses the kernel among other things
Link in the show notes contains the full list of BSD software they're using
Always good to see BSD being so widespread ***

BSD Mag November issue

Free monthly BSD magazine publishes another issue
This time their topics include: Configuring a Highly Available Service on FreeBSD, IT Inventory & Asset Management Automation, more FreeBSD Programming Primer, PfSense and Snort and a few others
PDF linked in the show notes ***

pbulk builds made easy

NetBSD's pbulk tool is similar to poudriere, but for pkgsrc
While working on updating the documentation, a developer cleaned up quite a lot of code
He wrote a script that automates pbulk deployment and setup
The whole setup of a dedicated machine has been reduced to just three commands ***

PCBSD weekly digest

Over 200 PBIs have been populated in to the PC-BSD 10 Stable Appcafe
Many PC-BSD programs received some necessary bug fixes and updates
Some include network detection in the package and update managers, nvidia graphic detection, security updates for PCDM ***

Feedback/Questions

11: The Gateway Drug

JT Pennington — Wed, 13 Nov 2013 08:00:00 -0500

This time on the show, we sit down to chat with Justin Sherrill of the DragonflyBSD project about their new 3.6 release. Later on, we'll be showing you a huge tutorial that's been baking for over a month - how to build an OpenBSD router that'll destroy any consumer router on the market! There's lots of news to get caught up on as well, so sit back and enjoy some BSD Now - the place to B.. SD.

Headlines

OpenSSH 6.4 released

Security fixes in OpenSSH don't happen very often
6.4 fixes a memory corruption problem, no new features
If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations.
Disabling AES-GCM in the server configuration is a workaround
Only affects 6.2 and 6.3 if compiled against a newer OpenSSL (so FreeBSD 9's base OpenSSL is unaffected, for example)
Full details here ***

Getting to know your portmgr-lurkers

Next entry in portmgr interview series
This time they chat with Mathieu Arnold, one of the portmgr-lurkers we mentioned previously
Lots of questions ranging from why he uses BSD to what he had for breakfast
Another one was since released, with Antoine Brodin aka antoine@ ***

FUSE in OpenBSD

As we glossed over last week, FUSE was recently added to OpenBSD
Now the guys from the OpenBSD Journal have tracked down more information
This version is released under an ISC license
Should be in OpenBSD 5.5, released a little less than 6 months from now
Will finally enable things like SSHFS to work in OpenBSD ***

Automated submission of kernel panic reports

New tool from Colin Percival
Saves information about kernel panics and emails it to FreeBSD
Lets you review before sending so you can edit out any private info
Automatically encrypted before being sent
FreeBSD never kernel panics so this won't get much use ***

Interview - Justin Sherrill - justin@dragonflybsd.org / @dragonflybsd

DragonflyBSD 3.6 and the Dragonfly Digest

Tutorial

Building an OpenBSD Router

News Roundup

BSD router project 1.5 released

Nice timing for our router tutorial; TBRP is a FreeBSD distribution for installing on a router
It's an alternative to pfSense, but not nearly as well known or popular
New version is based on 9.2-RELEASE, includes lots of general updates and bugfixes
Fits on a 256MB Compact Flash/USB drive ***

Curve25519 now default key exchange

We mentioned in an earlier episode about a patch for curve25519
Now it's become the default for key exchange
Will probably make its way into OpenSSH 6.5, would've been in 6.4 if we didn't have that security vulnerability
It's interesting to see all these big changes in cryptography in OpenBSD lately ***

FreeBSD kernel selection in boot menu

Adds a kernel selection menu to the beastie menu
List of kernels is taken from 'kernels' in loader.conf as a space or comma separated list of names to display (up to 9)
From our good buddy Devin Teske ***

PCBSD weekly digest

PCDM has officially replaced GDM as the default login manager
New ISO build scripts (we got a sneak preview last week)
Lots of bug fixes
Second set of 10-STABLE ISOs available with new artwork and much more ***

Theo de Raadt speaking at MUUG

Theo will be speaking at Manitoba UNIX User Group in Winnipeg
On Friday, Nov 15, 2013 at 5:30PM (see show notes for the address)
If you're watching the show live you have time to make plans, if you're watching the downloaded version it might be happening right now!
No agenda, but expect some OpenBSD discussion ***