This episode was brought to you by

Headlines

OpenBSD hypervisor coming soon

• Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output on Twitter recently
• From what little he revealed at the time, it appeared to be a new hypervisor (that is, X86 hardware virtualization) running on OpenBSD -current, tentatively titled "vmm"
• Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is
• Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD foundation
• One thing to note: this isn't just a port of something like Xen or Bhyve; it's all-new code, and Mike explains why he chose to go that route
• He also answered some basic questions about the requirements, when it'll be available, what OSes it can run, what's left to do, how to get involved and so on ***

Why FreeBSD should not adopt launchd

• Last week we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD
• One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we've learned)
• In this article, the author talks about why he thinks this is a bad idea
• He doesn't oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself - this is also explained in more detail
• The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities
• Reddit had quite a bit to say about this one, some in agreement and some not ***

DragonFly graphics improvements

• The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack
• This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs
• You should also see some power management improvements, longer battery life and various other bug fixes
• If you're running DragonFly, especially on a laptop, you'll want to get this stuff on your machine quick - big improvements all around ***

OpenBSD tames the userland

• Last week we mentioned OpenBSD's tame framework getting support for file whitelists, and said that the userland integration was next - well, now here we are
• Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools
• It's still a work-in-progress version; there's still more to be added (including the file path whitelist stuff)
• Some classic utilities are even being reworked to make taming them easier - the "w" command, for example
• The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse)
• More discussion can be found on HN, as one might expect
• If you're a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release ***

Interview - Scott Courtney - vbsdcon@verisign.com / @verisign

vBSDCon 2015

News Roundup

OPNsense, beyond the fork

• We first heard about OPNsense back in January, and they've since released nearly 40 versions, spanning over 5,000 commits
• This is their first big status update, covering some of the things that've happened since the project was born
• There's been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more - the report touches on a little of everything ***

LibreSSL nukes SSLv3

• With their latest release, LibreSSL began to turn off SSLv3 support, starting with the "openssl" command
• At the time, SSLv3 wasn't disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example)
• They've now flipped the switch, and the process of complete removal has started
• From the Undeadly summary, "This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!"
• With this change and a few more to follow shortly, Libre*SSL* won't actually support SSL anymore - time to rename it "LibreTLS" ***

FreeBSD MPTCP updated

• For anyone unaware, Multipath TCP is "an ongoing effort of the Internet Engineering Task Force's (IETF) Multipath TCP working group, that aims at allowing a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy."
• There's been work out of an Australian university to add support for it to the FreeBSD kernel, and the patchset was recently updated
• Including in this latest version is an overview of the protocol, how to get it compiled in, current features and limitations and some info about the routing requirements
• Some big performance gains can be had with MPTCP, but only if both the client and server systems support it - getting it into the FreeBSD kernel would be a good start ***

UEFI and GPT in OpenBSD

• There hasn't been much fanfare about it yet, but some initial UEFI and GPT-related commits have been creeping into OpenBSD recently
• Some support for UEFI booting has landed in the kernel, and more bits are being slowly enabled after review
• This comes along with a number of other commits related to GPT, much of which is being refactored and slowly reintroduced
• Currently, you have to do some disklabel wizardry to bypass the MBR limit and access more than 2TB of space on a single drive, but it should "just work" with GPT (once everything's in)
• The UEFI bootloader support has been committed, so stay tuned for more updates as further progress is made ***

Feedback/Questions

• John writes in
• Mason writes in
• Earl writes in ***

This episode was brought to you by

Headlines

EdgeRouter Lite, meet OpenBSD

• The ERL, much like the Raspberry Pi and a bunch of other cheap boards, is getting more and more popular as more things get ported to run on it
• We've covered installing NetBSD and FreeBSD on them before, but OpenBSD has gotten a lot better support for them as well now (including the onboard storage in 5.8)
• Ted Unangst got a hold of one recently and kindly wrote up some notes about installing and using OpenBSD on it
• He covers doing a network install, getting the (slightly strange) bootloader working with u-boot and some final notes about the hardware
• More discussion can be found on Hacker News and various other places
• One thing to note about these devices: because of their MIPS64 processor, they'll have weaker ASLR than X86 CPUs (and no W^X at all) ***

Design and Implementation of the FreeBSD Operating System interview

• For those who don't know, the "Design and Implementation of the FreeBSD Operating System" is a semi-recently-revived technical reference book for FreeBSD development
• InfoQ has a review of the book up for anyone who might be interested, but they also have an interview the authors
• "The book takes an approach to FreeBSD from inside out, starting with kernel services, then moving to process and memory management, I/O and devices, filesystems, IPC and network protocols, and finally system startup and shutdown. The book provides dense, technical information in a clear way, with lots of pseudo-code, diagrams, and tables to illustrate the main points."
• Aside from detailing a few of the chapters, the interview covers who the book's target audience is, some history of the project, long-term support, some of the newer features and some general OS development topics ***

Path list parameter in OpenBSD tame

• We've mentioned OpenBSD's relatively new "tame" subsystem a couple times before: it's an easy-to-implement "self-containment" framework, allowing programs to have a reduced feature set mode with even less privileges
• One of the early concerns from users of other process containment tools was that tame was too broad in the way it separated disk access - you could either read/write files or not, nothing in between
• Now there's the option to create a whitelist of specific files and directories that your binary is allowed to access, giving a much finer-grained set of controls to developers
• The next step is to add tame restraints to the OpenBSD userland utilities, which should probably be done by 5.9
• More discussion can be found on Reddit and Hacker News ***

FreeBSD & PC-BSD 10.2-RELEASE

• The FreeBSD team has released the second minor version bump to the 10.x branch, including all the fixes from 10-STABLE since 10.1 came out
• The Linux compatibility layer has been updated to support CentOS 6, rather than the much older Fedora Core base used previously, and the DRM graphics code has been updated to match Linux 3.8.13
• New installations (and newly-upgraded systems) will use the quarterly binary package set, rather than the rolling release model that most people are used to
• A VXLAN driver was added, allowing you to create virtual LANs by encapsulating the ethernet frame in a UDP packet
• The bhyve codebase is much newer, enabling support for AMD CPUs with SVM and AMD-V extensions
• ARM and ARM64 code saw some fixes and improvements, including SMP support on a few specific boards and support for a few new boards
• The bootloader now supports entering your GELI passphrase before loading the kernel in full disk encryption setups
• In addition to assorted userland fixes and driver improvements, various third party tools in the base system were updated: resolvconf, ISC NTPd, netcat, file, unbound, OpenSSL, sendmail
• Check the full release notes for the rest of the details and changes
• PC-BSD also followed with their 10.2-RELEASE, sporting a few more additional features ***

Interview - Damien Miller - djm@openbsd.org / @damienmiller

OpenSSH: phasing out broken crypto, default cipher changes

News Roundup

NetBSD at Open Source Conference Shimane

• We weren't the only ones away at conferences last week - the Japanese NetBSD guys are always raiding one event or another
• This time they had NetBSD running on some Sony NWS devices (MIPS-based)
• JavaStations were also on display - something we haven't ever seen before (made between 1996-2000) ***

BAFUG videos

• The Bay Area FreeBSD users group has been uploading some videos of their recent meetings
• Devin Teske hosts the first one, discussing adding GELI support to the bootloader, including some video demonstrations of how it works
• Shortly after beginning, Adrian Chadd takes over the conversation and they discuss various problems (and solutions) related to the bootloader - for example, how can we type encryption passwords with non-US keyboard layouts
• In a second video, Jordan Hubbard and Kip Macy introduce "NeXTBSD aka FreeBSD X"
• In it, they discuss their ideas of merging more Mac OS X features into FreeBSD (launchd to replace the init system, some APIs, etc)
• People should record presentations at their BSD users groups and send them to us ***

L2TP over IPSEC on OpenBSD

• If you've got an OpenBSD box and some Mac OS X clients that need secure communications, surprise: they can work together pretty well
• Using only the base tools in both operating systems, you can build a nice IPSEC setup for tunneling all your traffic
• This guide specifically covers L2TP, using npppd and pre-shared keys
• Server setup, client setup, firewall configuration and routing-related settings are all covered in detail ***

Reliable bare metal with TrueOS

• Imagine a server version of PC-BSD with some useful utilities preinstalled - that's basically TrueOS
• This article walks you through setting up a FreeBSD -CURRENT server (using TrueOS) to create a pretty solid backup solution
• Most importantly, he also covers how to keep everything redundant and deal with hard drives failing
• The author chose to go with the -CURRENT branch because of the delay between regular releases, and newer features not making their way to users as fast as he'd like
• Another factor is that there are no binary snapshots of FreeBSD -CURRENT that can be easily used for in-place upgrades, but with TrueOS (and some other BSDs) there are ***

Kernel W^X on i386

• We mentioned some big W^X kernel changes in OpenBSD a while back, but the work was mainly for x86_64 CPU architecture (which makes sense; that's what most people run now)
• Mike Larkin is back again, and isn't leaving the people with older hardware out, committing similar kernel work into the i386 platform now as well
• Check out our interview with Mike for some more background info on memory protections like W^X ***

Feedback/Questions

• Markus writes in
• Sean writes in
• Theo writes in ***

This episode was brought to you by

Headlines

OpenBSD presents tame

• Theo de Raadt sent out an email detailing OpenBSD's new "tame" subsystem, written by Nicholas Marriott and himself, for restricting what processes can and can't do
• When using tame, programs will switch to a "restricted-service operating mode," limiting them to only the things they actually need to do
• As for the background: "Generally there are two models of operation. The first model requires a major rewrite of application software for effective use (ie. capsicum). The other model in common use lacks granularity, and allows or denies an operation throughout the entire lifetime of a process. As a result, they lack differentiation between program 'initialization' versus 'main servicing loop.' systrace had the same problem. My observation is that programs need a large variety of calls during initialization, but few in their main loops."
• Some initial categories of operation include: computation, memory management, read-write operations on file descriptors, opening of files and, of course, networking
• Restrictions can also be stacked further into the lifespan of the process, but removed abilities can never be regained (obviously)
• Anything that tries to access resources outside of its in-place limits gets terminated with a SIGKILL or, optionally, a SIGABRT (which can produce useful core dumps for investigation)
• Also included are 29 examples of userland programs that get additional protection with very minimal changes to the source - only 2 or 3 lines needing changed in the case of binaries like cat, ps, dmesg, etc.
• This is an initial work-in-progress version of tame, so there may be more improvements or further control options added before it hits a release (very specific access policies can sometimes backfire, however)
• The man page, also included in the mail, provides some specifics about how to integrate tame properly into your code (which, by design, was made very easy to do - making it simple means third party programs are more likely to actually use it)
• Kernel bits are in the tree now, with userland changes starting to trickle in too
• Combined with a myriad of memory protections, tight privilege separation and (above all else) good coding practices, tame should further harden the OpenBSD security fortress
• Further discussion can be found in the usual places you'd expect ***

Using Docker on FreeBSD

• With the experimental Docker port landing in FreeBSD a few weeks ago, some initial docs are starting to show up
• This docker is "the real thing," and isn’t using a virtual machine as the backend - as such, it has some limitations
• The FreeBSD wiki has a page detailing how it works in general, as well as more info about those limitations
• When running Linux containers, it will only work as well as the Linux ABI compat layer for your version of FreeBSD (11.0, or -CURRENT when we're recording this, is where all the action is for 64bit support)
• For users on 10.X, there's also a FreeBSD container available, which allows you to use Docker as a fancy jail manager (it uses the jail subsystem internally)
• Give it a try, let us know how you find it to be compared to other solutions ***

OpenBSD imports doas, removes sudo

• OpenBSD has included the ubiquitous "sudo" utility for many years now, and the current maintainer of sudo (Todd C. Miller) is also a long-time OpenBSD dev
• The version included in the base system was much smaller than the latest current version used elsewhere, but was based on older code
• Some internal discussion lead to the decision that sudo should probably be moved to ports now, where it can be updated easily and offer all the extra features that were missing in base (LDAP and whatnot)
• Ted Unangst conjured up with a rewritten utility to replace it in the base system, dubbed "do as," with the aim of being more simple and compact
• There were concerns that sudo was too big and too complicated, and a quick 'n' dirty check reveals that doas is around 350 lines of code, while sudo is around 10,000 - which would you rather have as a setuid root binary?
• After the initial import, a number of developers began reviewing and improving various bits here and there
• You can check out the code now if you're interested
• Command usage and config syntax seem pretty straightforward
• More discussion on HN ***

What would you like to see in FreeBSD

• Adrian Chadd started a reddit thread about areas in which FreeBSD could be improved, asking the community what they'd like to see
• There are over 200 comments that span a wide range of topics, so we'll just cover a few of the more popular requests - check the very long thread if you're interested in more
• The top comment says things don't "just work," citing failover link aggregation of LACP laggs, PPPoE issues, disorganized jail configuration options, unclear CARP configuration and userland dtrace being unstable
• Another common one was that there are three firewalls in the base system, with ipfilter and pf being kinda dead now - should they be removed, and more focus put into ipfw?
• Video drivers also came up frequently, with users hoping for better OpenGL support and support for newer graphics cards from Intel and AMD - similar comments were made about wireless chipsets as well
• Some other replies included more clarity with pkgng output, paying more attention to security issues, updating PF to match the one in OpenBSD, improved laptop support, a graphical installer, LibreSSL in base, more focus on embedded MIPS devices, binary packages with different config options, steam support and lots more
• At least one user suggested better "marketing" for FreeBSD, with more advocacy and (hopefully) more business adoption
• That one really applies to all the BSDs, and regular users (that's you listening to this) can help make it happen for whichever ones you use right now
• Maybe Adrian can singlehandedly do all the work and make all the users happy ***

Interview - Ryan Lortie & Baptiste Daroussin

Porting the latest GNOME code to FreeBSD

News Roundup

Introducing resflash

• If you haven't heard of resflash before, it's "a tool for building OpenBSD images for embedded and cloud environments in a programmatic, reproducible way"
• One of the major benefits to images like this is the read-only filesystem, so there's no possibility of filesystem corruption if power is lost
• There's an optional read-write partition as well, used for any persistent changes you want to make
• You can check out the source code on Github or read the main site for more info ***

Jails with iocage

• There are a growing number of FreeBSD jail management utilities: ezjail, cbsd, warden and a few others
• After looking at all the different choices, the author of this blog post eventually settled on iocage for the job
• The post walks you through the basic configuration and usage of iocage for creating managing jails
• If you've been unhappy with ezjail or some of the others, iocage might be worth giving a try instead (it also has really good ZFS integration) ***

DragonFly GPU improvements

• DragonFlyBSD continues to up their graphics game, this time with Intel's ValleyView series of CPUs
• These GPUs are primarily used in the newer Atom CPUs and offer much better performance than the older ones
• A git branch was created to hold the fixes for now while the last remaining bugs get fixed
• Fully-accelerated Broadwell support and an update to newer DRM code are also available in the git branch, and will be merged to the main tree after some testing ***

Branchless development

• Ted Unangst has a new blog post up, talking about software branches and the effects of having (or not having) them
• He covers integrating and merging code, and the versioning problems that can happen with multiple people contributing at once
• "For an open source project, branching is counter intuitively antisocial. For instance, I usually tell people I’m running OpenBSD, but that’s kind of a lie. I’m actually running teduBSD, which is like OpenBSD but has some changes to make it even better. Of course, you can’t have teduBSD because I’m selfish. I’m also lazy, and only inclined to make my changes work for me, not everyone else."
• The solution, according to him, is bringing all the code the developers are using closer together
• One big benefit is that WIP code gets tested much faster (and bugs get fixed early on) ***

Feedback/Questions

• Matthew writes in
• Chris writes in
• Anonymous writes in
• Bill writes in ***