NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Useless use of GNU

Meet the 2021 FreeBSD Google Summer of Code Students

News Roundup

Large Unix programs were historically not all that portable between Unixes

• References this article: I’m not sure that UNIX won *** ### A new path: vm86-based venix emulator *** ### ZFS Is Mysteriously Eating My CPU *** ### traceroute(8) gets speed boost ***

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Al - TransAtlantic Cables
• Christopher - NVMe
• JohnnyK - Vivaldi ***
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

FreeBSD and custom firmware on the Google Pixelbook

• FreeBSD and custom firmware on the Google Pixelbook

Back in 2015, I jumped on the ThinkPad bandwagon by getting an X240 to run FreeBSD on. Unlike most people in the ThinkPad crowd, I actually liked the clickpad and didn\u2019t use the trackpoint much. But this summer I\u2019ve decided that it was time for something newer. I wanted something..

• lighter and thinner (ha, turns out this is actually important, I got tired of carrying a T H I C C laptop - Apple was right all along);
• with a 3:2 display (why is Lenovo making these Serious Work\u2122 laptops 16:9 in the first place?? 16:9 is awful in below-13-inch sizes especially);
• with a HiDPI display (and ideally with a good size for exact 2x scaling instead of fractional);
• with USB-C ports;
• without a dGPU, especially without an NVIDIA GPU;
• assembled with screws and not glue (I don\u2019t necessarily need expansion and stuff in a laptop all that much, but being able to replace the battery without dealing with a glued chassis is good);
• supported by FreeBSD of course (\u201csome development required\u201d is okay but I\u2019m not going to write big drivers);
• how about something with open source firmware, that would be fun.

I was considering a ThinkPad X1 Carbon from an old generation - the one from the same year as the X230 is corebootable, so that\u2019s fun. But going back in processor generations just doesn\u2019t feel great. I want something more efficient, not less!

And then I discovered the Pixelbook. Other than the big huge large bezels around the screen, I liked everything about it. Thin aluminum design, a 3:2 HiDPI screen, rubber palm rests (why isn\u2019t every laptop ever doing that?!), the \u201cconvertibleness\u201d (flip the screen around to turn it into.. something rather big for a tablet, but it is useful actually), a Wacom touchscreen that supports a pen, mostly reasonable hardware (Intel Wi-Fi), and that famous coreboot support (Chromebooks\u2019 stock firmware is coreboot + depthcharge).

So here it is, my new laptop, a Google Pixelbook.

• Conclusion

Pixelbook, FreeBSD, coreboot, EDK2 good.

Seriously, I have no big words to say, other than just recommending this laptop to FOSS enthusiasts :)

Porting NetBSD to the AMD x86-64: a case study in OS portability

• Abstract

NetBSD is known as a very portable operating system, currently running on 44 different architectures (12 different types of CPU). This paper takes a look at what has been done to make it portable, and how this has decreased the amount of effort needed to port NetBSD to a new architecture. The new AMD x86-64 architecture, of which the specifications were published at the end of 2000, with hardware to follow in 2002, is used as an example.

• Portability

Supporting multiple platforms was a primary goal of the NetBSD project from the start. As NetBSD was ported to more and more platforms, the NetBSD kernel code was adapted to become more portable along the way.

• General

Generally, code is shared between ports as much as possible. In NetBSD, it should always be considered if the code can be assumed to be useful on other architectures, present or future. If so, it is machine-independent and put it in an appropriate place in the source tree. When writing code that is intended to be machine-independent, and it contains conditional preprocessor statements depending on the architecture, then the code is likely wrong, or an extra abstraction layer is needed to get rid of these statements.

• Types

Assumptions about the size of any type are not made. Assumptions made about type sizes on 32-bit platforms were a large problem when 64-bit platforms came around. Most of the problems of this kind had to be dealt with when NetBSD was ported to the DEC Alpha in 1994. A variation on this problem had to be dealt with with the UltraSPARC (sparc64) port in 1998, which is 64-bit, but big endian (vs. the little-endianness of the Alpha). When interacting with datastructures of a fixed size, such as on-disk metadata for filesystems, or datastructures directly interpreted by device hardware, explicitly sized types are used, such as uint32_t, int8_t, etc.

• Conclusions and future work

The port of NetBSD to AMD's x86-64 architecture was done in six weeks, which confirms NetBSD's reputation as being a very portable operating system. One week was spent setting up the cross-toolchain and reading the x86-64 specifications, three weeks were spent writing the kernel code, one week was spent writing the userspace code, and one week testing and debugging it all. No problems were observed in any of the machine-independent parts of the kernel during test runs; all (simulated) device drivers, file systems, etc, worked without modification.

News Roundup

ZFS performance really does degrade as you approach quota limits

Every so often (currently monthly), there is an "OpenZFS leadership meeting". What this really means is 'lead developers from the various ZFS implementations get together to talk about things'. Announcements and meeting notes from these meetings get sent out to various mailing lists, including the ZFS on Linux ones.

• In the September meeting notes, I read a very interesting (to me) agenda item:
  • Relax quota semantics for improved performance (Allan Jude)
  • Problem: As you approach quotas, ZFS performance degrades.
  • Proposal: Can we have a property like quota-policy=strict or loose, where we can optionally allow ZFS to run over the quota as long as performance is not decreased.

This is very interesting to me because of two reasons. First, in the past we have definitely seen significant problems on our OmniOS machines, both when an entire pool hits a quota limit and when a single filesystem hits a refquota limit. It's nice to know that this wasn't just our imagination and that there is a real issue here. Even better, it might someday be improved (and perhaps in a way that we can use at least some of the time).

Second, any number of people here run very close to and sometimes at the quota limits of both filesystems and pools, fundamentally because people aren't willing to buy more space. We have in the past assumed that this was relatively harmless and would only make people run out of space. If this is a known issue that causes serious performance degradation, well, I don't know if there's anything we can do, but at least we're going to have to think about it and maybe push harder at people. The first step will have to be learning the details of what's going on at the ZFS level to cause the slowdown. (It's apparently similar to what happens when the pool is almost full, but I don't know the specifics of that either.)

With that said, we don't seem to have seen clear adverse effects on our Linux fileservers, and they've definitely run into quota limits (repeatedly). One possible reason for this is that having lots of RAM and SSDs makes the effects mostly go away. Another possible reason is that we haven't been looking closely enough to see that we're experiencing global slowdowns that correlate to filesystems hitting quota limits. We've had issues before with somewhat subtle slowdowns that we didn't understand (cf), so I can't discount that we're having it happen again.

Fixing up KA9Q-unix, or "neck deep in 30 year old codebases.."

I'll preface this by saying - yes, I'm still neck deep in FreeBSD's wifi stack and 802.11ac support, but it turns out it's slow work to fix 15 year old locking related issues that worked fine on 11abg cards, kinda worked ok on 11n cards, and are terrible for these 11ac cards. I'll .. get there.

Anyhoo, I've finally been mucking around with AX.25 packet radio. I've been wanting to do this since I was a teenager and found out about its existence, but back in high school and .. well, until a few years ago really .. I didn't have my amateur radio licence. But, now I do, and I've done a bunch of other stuff with a bunch of other radios. The main stumbling block? All my devices are either Apple products or run FreeBSD - and none of them have useful AX.25 stacks. The main stacks of choice these days run on Linux, Windows or are a full hardware TNC.

So yes, I was avoiding hacking on AX.25 stuff because there wasn't a BSD compatible AX.25 stack. I'm 40 now, leave me be.

But! A few weeks ago I found that someone was still running a packet BBS out of San Francisco. And amazingly, his local node ran on FreeBSD! It turns out Jeremy (KK6JJJ) ported both an old copy of KA9Q and N0ARY-BBS to run on FreeBSD! Cool!

I grabbed my 2m radio (which is already cabled up for digital modes), compiled up his KA9Q port, figured out how to get it to speak to Direwolf, and .. ok. Well, it worked. Kinda.

HAMMER2 and fsck for review

HAMMER2 is Copy on Write, meaning changes are made to copies of existing data. This means operations are generally atomic and can survive a power outage, etc. (You should read up on it!) However, there\u2019s now a fsck command, useful if you want a report of data validity rather than any manual repair process.

[The return of startx(1) for non-root users with some caveats

Mark Kettenis (kettenis@) has recently committed changes which restore a certain amount of startx(1)/xinit(1) functionality for non-root users. The commit messages explain the situation:

CVSROOT:    /cvs
Module name:    src
Changes by:    kettenis@cvs.openbsd.org    2019/09/15 06:25:41

Modified files:
    etc/etc.amd64  : fbtab 
    etc/etc.arm64  : fbtab 
    etc/etc.hppa   : fbtab 
    etc/etc.i386   : fbtab 
    etc/etc.loongson: fbtab 
    etc/etc.luna88k: fbtab 
    etc/etc.macppc : fbtab 
    etc/etc.octeon : fbtab 
    etc/etc.sgi    : fbtab 
    etc/etc.sparc64: fbtab 

Log message:
Add ttyC4 to lost of devices to change when logging in on ttyC0 (and in some cases also the serial console) such that X can use it as its VT when running without root privileges.

ok jsg@, matthieu@
CVSROOT:    /cvs
Module name:    xenocara
Changes by:    kettenis@cvs.openbsd.org    2019/09/15 06:31:08

Modified files:
    xserver/hw/xfree86/common: xf86AutoConfig.c 

Log message:
Add modesetting driver as a fall-back when appropriate such that we can use it when running without root privileges which prevents us from scanning the PCI bus.

This makes startx(1)/xinit(1) work again on modern systems with inteldrm(4), radeondrm(4) and amdgpu(4).  In some cases this will result in using a different driver than with xenodm(4) which may expose issues (e.g. when we prefer the intel Xorg driver) or loss of acceleration (e.g. older cards supported by radeondrm(4)).

ok jsg@, matthieu@

Beastie Bits

• ASCII table and history. Or, why does Ctrl+i insert a Tab in my terminal?
• Sourcehut makes BSD software better
• Chaosnet for Unx
• The Vim-Inspired Editor with a Linguistic Twist
• bhyvearm64: CPU and Memory Virtualization on Armv8.0-A
• DefCon25 - Are all BSD created Equally - A Survey of BSD Kernel vulnerabilities

Feedback/Questions

• Tim - GSoC project ideas for pf rule syntax translation
• Brad - Steam on FreeBSD
• Ruslan - FreeBSD Quarterly Status Report - Q2 2019

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Headlines

Remote DoS in the TCP stack

• A pretty devious bug in the BSD network stack has been making its rounds for a while now, allowing remote attackers to exhaust the resources of a system with nothing more than TCP connections
• While in the LAST_ACK state, which is one of the final stages of a connection's lifetime, the connection can get stuck and hang there indefinitely
• This problem has a slightly confusing history that involves different fixes at different points in time from different people
• Juniper originally discovered the bug and announced a fix for their proprietary networking gear on June 8th
• On June 29th, FreeBSD caught wind of it and fixed the bug in their -current branch, but did not issue a security notice or MFC the fix back to the -stable branches
• On July 13th, two weeks later, OpenBSD fixed the issue in their -current branch with a slightly different patch, citing the FreeBSD revision from which the problem was found
• Immediately afterwards, they merged it back to -stable and issued an errata notice for 5.7 and 5.6
• On July 21st, three weeks after their original fix, FreeBSD committed yet another slightly different fix and issued a security notice for the problem (which didn't include the first fix)
• After the second fix from FreeBSD, OpenBSD gave them both another look and found their single fix to be sufficient, covering the timer issue in a more general way
• NetBSD confirmed they were vulnerable too, and applied another completely different fix to -current on July 24th, but haven't released a security notice yet
• DragonFly is also investigating the issue now to see if they're affected as well ***

c2k15 hackathon reports

• Reports from OpenBSD's latest hackathon, held in Calgary this time, are starting to roll in (there were over 40 devs there, so we might see a lot more of these)
• The first one, from Ingo Schwarze, talks about some of the mandoc work he did at the event
• He writes, "Did you ever look at a huge page in man, wanted to jump to the definition of a specific term - say, in ksh, to the definition of the "command" built-in command - and had to step through dozens of false positives with the less '/' and 'n' search keys before you finally found the actual definition?"
• With mandoc's new internal jump targets, this is a problem of the past now
• Jasper also sent in a report, doing his usual work with Puppet (and specifically "Facter," a tool used by Puppet to gather various bits of system information)
• Aside from that and various ports-related work, Jasper worked on adding tame support to some userland tools, fixing some Octeon stuff and introduced something that OpenBSD has oddly lacked until now: an "-i" flag for sed (hooray!)
• Antoine Jacoutot gave a report on what he did at the hackathon as well, including improvements to the rcctl tool (for configuring startup services)
• It now has an "ls" subcommand with status parsing, allowing you to list running services, stopped services or even ones that failed to start or are supposed to be running (he calls this "the poor man's service monitoring tool")
• He also reworked some of the rc.d system to allow smoother operation of multiple instances of the same daemon to run (using tor with different config files as an example)
• His list also included updating ports, updating ports documentation, updating the hotplug daemon and laying out some plans for automatic sysmerge for future upgrades
• Foundation director Ken Westerback was also there, getting some disk-related and laptop work done
• He cleaned up and committed the 4k sector softraid code that he'd been working on, as well as fixing some trackpad issues
• Stefan Sperling, OpenBSD's token "wireless guy," had a lot to say about the hackathon and what he did there (and even sent in his write-up before he got home)
• He taught tcpdump about some new things, including 802.11n metadata beacons (there's a lot more specific detail about this one in the report)
• Bringing a bag full of USB wireless devices with him, he set out to get the unsupported ones working, as well as fix some driver bugs in the ones that already did work
• One quote from Stefan's report that a lot of people seem to be talking about: "Partway through the hackathon tedu proposed an old diff of his to make our base ls utility display multi-byte characters. This led to a long discussion about how to expand UTF-8 support in base. The conclusion so far indicates that single-byte locales (such as ISO-8859-1 and KOI-8) will be removed from the base OS after the 5.8 release is cut. This simplifies things because the whole system only has to care about a single character encoding. We'll then have a full release cycle to bring UTF-8 support to more base system utilities such as vi, ksh, and mg. To help with this plan, I started organizing a UTF-8-focused hackathon for some time later this year."
• Jeremy Evans wrote in to talk about updating lots of ports, moving the ruby ports up to the latest version and also creating perl and ruby wrappers for the new tame subsystem
• While he's mainly a ports guy, he got to commit fixes to ports, the base system and even the kernel during the hackathon
• Rafael Zalamena, who got commit access at the event, gives his very first report on his networking-related hackathon activities
• With Rafael's diffs and help from a couple other developers, OpenBSD now has support for VPLS
• Jonathan Gray got a lot done in the area of graphics, working on OpenGL and Mesa, updating libdrm and even working with upstream projects to remove some GNU-specific code
• As he's become somewhat known for, Jonathan was also busy running three things in the background: clang's fuzzer, cppcheck and AFL (looking for any potential crashes to fix)
• Martin Pieuchot gave an write-up on his experience: "I always though that hackathons were the best place to write code, but what's even more important is that they are the best (well actually only) moment where one can discuss and coordinate projects with other developers IRL. And that's what I did."
• He laid out some plans for the wireless stack, discussed future plans for PF, made some routing table improvements and did various other bits to the network stack
• Unfortunately, most of Martin's secret plans seem to have been left intentionally vague, and will start to take form in the next release cycle
• We're still eagerly awaiting a report from one of OpenBSD's newest developers, Alexandr Nedvedicky (the Oracle guy who's working on SMP PF and some other PF fixes)
• OpenBSD 5.8's "beta" status was recently reverted, with the message "take that as a hint," so that may mean more big changes are still to come... ***

FreeBSD quarterly status report

• FreeBSD has published their quarterly status report for the months of April to June, citing it to be the largest one so far
• It's broken down into a number of sections: team reports, projects, kernel, architectures, userland programs, ports, documentation, Google Summer of Code and miscellaneous others
• Starting off with the cluster admin, some machines were moved to the datacenter at New York Internet, email services are now more resilient to failure, the svn mirrors (now just "svn.freebsd.org") are now using GeoGNS with official SSL certs and general redundancy was increased
• In the release engineering space, ARM and ARM64 work continues to improve on the Cavium ThunderX, more focus is being put into cloud platforms and the 10.2-RELEASE cycle is reaching its final stages
• The core team has been working on phabricator, the fancy review system, and is considering to integrate oauth support soon
• Work also continues on bhyve, and more operating systems are slowly gaining support (including the much-rumored Windows Server 2012)
• The report also covers recent developments in the Linux emulation layer, and encourages people using 11-CURRENT to help test out the 64bit support
• Multipath TCP was also a hot topic, and there's a brief summary of the current status on that patch (it will be available publicly soon)
• ZFSguru, a project we haven't talked about a lot, also gets some attention in the report - version 0.3 is set to be completed in early August
• PCIe hotplug support is also mentioned, though it's still in the development stages (basic hot-swap functions are working though)
• The official binary packages are now built more frequently than before with the help of additional hardware, so AMD64 and i386 users will have fresher ports without the need for compiling
• Various other small updates on specific areas of ports (KDE, XFCE, X11...) are also included in the report
• Documentation is a strong focus as always, a number of new documentation committers were added and some of the translations have been improved a lot
• Many other topics were covered, including foundation updates, conference plans, pkgsrc support in pkgng, ZFS support for UEFI boot and much more ***

The OpenSSH bug that wasn't

• There's been a lot of discussion about a supposed flaw in OpenSSH, allowing attackers to substantially amplify the number of password attempts they can try per session (without leaving any abnormal log traces, even)
• There's no actual exploit to speak of; this bug would only help someone get more bruteforce tries in with a fewer number of connections
• FreeBSD in its default configuration, with PAM and ChallengeResponseAuthentication enabled, was the only one vulnerable to the problem - not upstream OpenSSH, nor any of the other BSDs, and not even the majority of Linux distros
• If you disable all forms of authentication except public keys, like you're supposed to, then this is also not a big deal for FreeBSD systems
• Realistically speaking, it's more of a PAM bug than anything else
• OpenSSH added an additional check for this type of setup that will be in 7.0, but simply changing your sshd_config is enough to mitigate the issue for now on FreeBSD (or you can run freebsd-update) ***

Interview - Sebastian Wiedenroth - wiedi@netbsd.org / @wied0r

pkgsrc and pkgsrcCon

News Roundup

Now served by OpenBSD

• We've mentioned that you can also install OpenBSD on DO droplets, and this blog post is about someone who actually did it
• The use case for the author was for a webserver, so he decided to try out the httpd in base
• Configuration is ridiculously simple, and the config file in his example provides an HTTPS-only webserver, with plaintext requests automatically redirecting
• TLS 1.2 by default, strong ciphers with LibreSSL and HSTS combined give you a pretty secure web server ***

FreeBSD laptop playbooks

• A new project has started up on Github for configuring FreeBSD on various laptops, unsurprisingly named "freebsd-laptops"
• It's based on ansible, and uses the playbook format for automatic set up and configuration
• Right now, it's only working on a single Lenovo laptop, but the plan is to add instructions for many more models
• Check the Github page for instructions on how to get started, and maybe get involved if you're running FreeBSD on a laptop ***

NetBSD on the NVIDIA Jetson TK1

• If you've never heard of the Jetson TK1, we can go ahead and spoil the secret here: NetBSD runs on it
• As for the specs, it has a quad-core ARMv7 CPU at 2.3GHz, 2 gigs of RAM, gigabit ethernet, SATA, HDMI and mini-PCIE
• This blog post shows which parts of the board are working with NetBSD -current (which seems to be almost everything)
• You can even run X11 on it, pretty sweet ***

DragonFly power mangement options

• DragonFly developer Sepherosa, who we've had on the show, has been doing some ACPI work over there
• In this email, he presents some of DragonFly's different power management options: ACPI P-states, C-states, mwait C-states and some Intel-specific bits as well
• He also did some testing with each of them and gave his findings about power saving
• If you've been thinking about running DragonFly on a laptop, this would be a good one to read ***

OpenBSD router under FreeBSD bhyve

• If one BSD just isn't enough for you, and you've only got one machine, why not run two at once
• This article talks about taking a FreeBSD server running bhyve and making a virtualized OpenBSD router with it
• If you've been considering switching over your router at home or the office, doing it in a virtual machine is a good way to test the waters before committing to real hardware
• The author also includes a little bit of history on how he got into both operating systems
• There are lots of mixed opinions about virtualizing core network components, so we'll leave it up to you to do your research
• Of course, the next logical step is to put that bhyve host under Xen on NetBSD... ***

Feedback/Questions

• Kevin writes in
• Logan writes in
• Peter writes in
• Randy writes in ***

This episode was brought to you by

Headlines

FreeBSD and OpenBSD in GSOC2014

• The Google Summer of Code is a way to encourage students to write code for open source projects and make some money
• Both FreeBSD and OpenBSD were accepted, and we'd love for anyone listening to check out their GSOC pages
• The FreeBSD wiki has a list of things that they'd be interested in someone helping out with
• OpenBSD's want list was also posted
• DragonflyBSD and NetBSD were sadly not accepted this year ***

Yes, you too can be an evil network overlord

• A new blog post about monitoring your network using only free tools
• OpenBSD is a great fit, and has all the stuff you need in the base system or via packages
• It talks about the pflow pseudo-interface, its capabilities and relation to NetFlow (also goes well with pf)
• There's also details about flowd and nfsen, more great tools to make network monitoring easy
• If you're listening, Peter... stop ignoring our emails and come on the show! We know you're watching! ***

BSDMag's February issue is out

• The theme is "configuring basic services on OpenBSD 5.4"
• There's also an interview with Peter Hansteen (oh hey...)
• Topics also include locking down SSH, a GIMP lesson, user/group management, and...
• Linux and Solaris articles? Why?? ***

Changes in bcrypt

• Not specific to any OS, but the OpenBSD team is updating their bcrypt implementation
• There is a bug in bcrypt when hashing long passwords - other OSes need to update theirs too! (FreeBSD already has)
• "The length is stored in an unsigned char type, which will overflow and wrap at 256. Although we consider the existence of affected hashes very rare, in order to differentiate hashes generated before and after the fix, we are introducing a new minor 'b'."
• As long as you upgrade your OpenBSD system in order (without skipping versions) you should be ok going forward
• Lots of specifics in the email, check the full thing ***

Interview - Will Backman - bitgeist@yahoo.com / @bsdtalk

The BSDTalk podcast, BSD advocacy, various topics

Tutorial

Tracking and cross-compiling -CURRENT (NetBSD)

News Roundup

X11 no longer needs root

• Xorg has long since required root privileges to run the main server
• With recent work from the OpenBSD team, now everything (even KMS) can run as a regular user
• Now you can set the "machdep.allowaperture" sysctl to 0 and still use a GUI ***

OpenSSH 6.6 CFT

• Shortly after the huge 6.5 release, we get a routine bugfix update
• Test it out on as many systems as you can
• Check the mailing list for the full bug list ***

Creating an OpenBSD USB drive

• Since OpenBSD doesn't distribute any official USB images, here are some instructions on how to do it
• Step by step guide on how you can make your very own
• However, there's some recent emails that suggest official USB images may be coming soon... oh wait ***

PCBSD weekly digest

• New PBI updates that allow separate ports from /usr/local
• You need to rebuild pbi-manager if you want to try it out
• Updates and changes to Life Preserver, App Cafe, PCDM ***

Feedback/Questions

• espressowar writes in
• Antonio writes in
• Christian writes in
• Adam writes in
• Alex writes in ***