
Created by three guys who love BSD, we cover the latest news and have an extensive series of tutorials, as well as interviews with various people from all areas of the BSD community. It also serves as a platform for support and questions. We love and advocate FreeBSD, OpenBSD, NetBSD, DragonFlyBSD and TrueOS. Our show aims to be helpful and informative for new users that want to learn about them, but still be entertaining for the people who are already pros. The show airs on Wednesdays at 2:00PM (US Eastern time) and the edited version is usually up the following day.
145: At the Core of it all
It’s BSDCan time! Allan and I are both enjoying what is sure to be a super-busy week, but don’t think we’ve forgotten about

This episode was brought to you by

Interview - Benno Rice - benno@freebsd.org (mailto:benno@freebsd.org) / @jeamland (https://twitter.com/jeamland)
Manager, OS & Networking at EMC Isilon
- Emily Dunham: Community Automation (https://www.youtube.com/watch?v=dIageYT0Vgg)
- iXsystems 1U Rackmount Server - 4 Bay Hot-Swap SAS/SATA Drive Bays, 400W Redundant Power Supply - Single Socket Embedded CPU (48 cores) - 8 DIMM Slots with 16GB DIMMs for a total of 128GB RAM – Dual Gigabit LAN, Dual 10GbE SFP+ and 1 x 40Gb QSFP+ port, (1) PCI-E Expansion Slot + IPMI Dedicated LAN - Cavium ThunderX ARM CN8890 48 Core ThunderX CPU - 2.5GHz per core. System has 128GB RAM, 4 x 2TB SATA HDD, Additional Intel i350 (2 x 1GbE)

Beastie Bits
- file considered harmful (http://www.tedunangst.com/flak/post/file-considered-harmful)
- An open source talk on ZFS. “Intro to ZFS” as a set of open source slides for the community to build on, and to reuse. Go give this talk at your local conference. (https://github.com/problame/talkintrozfs2016)
- ARMv7 now has a bootloader (http://undeadly.org/cgi?action=article&sid=20160529145411)
- SHA256/512 speed improvements in FreeBSD 11 (https://svnweb.freebsd.org/base?view=revision&revision=300966)
- pkgsrc 50th release interviews - Joerg Sonnenberg (http://blog.netbsd.org/tnf/entry/pkgsrc_50th_release_interview_with)
- DFly versus PC-BSD on a Laptop (http://lists.dragonflybsd.org/pipermail/users/2016-May/249636.html)
- FreeBSD ifconfig can print subnet masks in CIDR or dotted-quad, finally (https://svnweb.freebsd.org/base?view=revision&revision=301059)

Feedback/Questions
- Eli - Getting rid of ports? (http://pastebin.com/4Y6VYSyN)
- Morgan - Best way to admin jails? (http://pastebin.com/w8hsMtbc)
- Simon - Use existing pkgs in poudriere (http://pastebin.com/mqSJk0pP)
- Pete - Lots of Q’s (http://pastebin.com/1M7HLAXs)
- Van - Made the switch (http://pastebin.com/NTVBvtC5)
144: The PF life
It’s only one week away from BSDCan, and both Allan and I are excited to meet some of you in person! However, the show keeps on

This episode was brought to you by

Headlines

dotSecurity 2016 - Theo de Raadt - Privilege Separation and Pledge (http://www.dotsecurity.io/)
- Video (https://www.youtube.com/watch?v=a_EYdzGyNWs)
- Slides (https://www.openbsd.org/papers/dot2016.pdf)
- Interested in privilege separation and security in general? If so, you are in for a treat: we have both the video and slides from Theo de Raadt at dotSecurity 2016.
- Specifically, the talk starts off looking at Pledge (no copyright issues with the pictures, I hope??) and how their NTP daemon uses it.
- After going through some internals, Theo reveals that around 10% of programs “pledged” so far were found to be trying to do actions outside of their security scope.
- On the future-work side, they mention going back and looking at OpenSSH privilege separation next, as well as working with other OSes that may want pledge support.

bhyve now supports UEFI GOP (https://lists.freebsd.org/pipermail/freebsd-virtualization/2016-May/004471.html)
- The long awaited UEFI GOP (Graphics Output Protocol (https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#GOP)) feature has landed in bhyve.
- This provides emulated graphics via an internal VNC server, allowing users to have full graphical access to the guest OS.
- This allows installation of Windows guests without needing to create a modified ISO with an unattended installation script.
- The code has not actually landed in FreeBSD head yet, but has been committed to a project branch.
- Following a few simple commands, you can compile the new bhyve binary on your -CURRENT system and get started right away.
- This feature is expected to be included in the upcoming FreeBSD 11.0.
- This commit drop also brings with it: XHCI, an emulated USB tablet device that provides exact mouse positioning in supported OSes; a PS2 mouse as fallback if the guest does not support XHCI (Windows 7); and a PS2 keyboard.
- “The code has been tested with Windows 7/8/8.1/10 and Server 2k12/2k16, Ubuntu 15.10, and FreeBSD 10.3/11-CURRENT”
- “For VNC clients, TightVNC, TigerVNC, and RealVNC (aka VNC Viewer) have been tested on various hosts. The OSX VNC client is known not to work.”
- The VNC server supports an optional ‘wait’ parameter, which causes the VM to not actually boot until the VNC client connects, allowing you to interrupt the boot process if need be.
- Related user blog post (http://justinholcomb.me/blog/2016/05/28/bhyve-uefi-gop-support.html)
- SVN commit (https://svnweb.freebsd.org/base?view=revision&revision=300829)

zfsd lands in FreeBSD HEAD, in time for 11.0-RELEASE (https://svnweb.freebsd.org/base?view=revision&revision=300906)
- zfsd has been committed to FreeBSD -CURRENT in time to be included in FreeBSD 11.0.
- zfsd is the missing piece required to make ‘hot spares’ work properly in FreeBSD ZFS.
- “zfsd attempts to resolve ZFS faults that the kernel can't resolve by itself. It listens to devctl(4) events, which is how the kernel notifies of events such as I/O errors and disk removals. Zfsd attempts to resolve these faults by activating or deactivating hotspares and onlining offline vdevs.”
- “The administrator never interacts with zfsd directly. Instead, he controls its behavior indirectly through zpool configuration. There are two ways to influence zfsd: assigning hotspares and setting pool properties. Currently, only the autoreplace property has any effect. See zpool(8) for details.”
- So, what exactly does it do?
- Device Removal: “When a leaf vdev disappears, zfsd will activate any available hotspare.”
- Device Arrival: “When a new GEOM device appears, zfsd will attempt to read its ZFS label, if any. If it matches a previously removed vdev on an active pool, zfsd will online it. Once resilvering completes, any active hotspare will detach automatically.”
- So if you disconnect a drive, then reconnect it, it will automatically be brought back online. Since ZFS is smart, the resilver will only have to copy data that has changed since the device went offline.
- “If the new device has no ZFS label but its physical path matches the physical path of a previously removed vdev on an active pool, and that pool has the autoreplace property set, then zfsd will replace the missing vdev with the newly arrived device. Once resilvering completes, any active hotspare will detach automatically.”
- If the new drive is in the same slot in your hot swap array as a failed device, it will be used as a replacement immediately.
- vdev degrade or fault events: “If a vdev becomes degraded or faulted, zfsd will activate any available hotspare. If a leaf vdev generates more than 50 I/O errors in a 60 second period, then zfsd will mark that vdev as FAULTED. zfs(4) will no longer issue any I/Os to it. zfsd will activate a hotspare if one is available.” Same for checksum errors.
- So if zfsd detects a drive is going bad, it brings the hotspare online before it is too late.
- Spare addition: “If the system administrator adds a hotspare to a pool that is already degraded, zfsd will activate the spare.”
- Resilver complete: “zfsd will detach any hotspare once a permanent replacement finishes resilvering.”
- Physical path change: “If the physical path of an existing disk changes, zfsd will attempt to replace any missing disk with the same physical path, if its pool's autoreplace property is set.”
- In general, this tool means less reliance on the system administrator to keep the pool healthy.

W^X now mandatory in OpenBSD (http://undeadly.org/cgi?action=article&sid=20160527203200)
- We’ve talked a bit about W^X in the past. (Refresher: W^X means memory must never be writable and executable at once.)
- Well, this major security no-no is no more on OpenBSD. Theo has committed a change which now prevents violations of this policy:
- “W^X violations are no longer permitted by default. A kernel log message is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag kern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredump creation.”
- There are a few cases where you may still need W^X, which Theo points out can be enabled on a per-filesystem basis.
- “W^X violating programs can be permitted on a ffs/nfs filesystem-basis, using the "wxallowed" mount option. One day far in the future upstream software developers will understand that W^X violations are a tremendously risky practice and that style of programming will be banished outright. Until then, we recommend most users need to use the wxallowed option on their /usr/local filesystem. At least your other filesystems don't permit such programs.”
- This is a great ability to grow, since now users can begin auditing programs that violate this principle and making noise to upstream.
Interview - Kristof Provost - kp@freebsd.org (mailto:kp@freebsd.org) / @kprovst (https://twitter.com/kprovst)
pf improvements on FreeBSD

News Roundup

GELI Support for the EFI Loader (https://ericmccorkleblog.wordpress.com/2016/05/28/freebsd-geli-support/)
- We’ve had Allan’s work to bring GELI support to the GPT / BIOS / ZFS loader for a while now, but the missing piece has been support for EFI.
- No longer: Eric McCorkle has posted a blog entry (with relevant GitHub links) introducing his work to bring GELI encryption support to EFI.
- First the bad news: this won’t make it into 11.0. (Maybe PC-BSD, TBD.)
- Next he explains why this is more than just a new feature, but a refactor of the EFI boot code:
- “I have already written extensively about my EFI refactoring here. The reason for undertaking this effort, however, was driven by GELI support. Early in my work on this, I had implemented a non-EFI “providers” framework in boot1 in order to support the notion of disk partitions that may contain sub-partitions. This was deeply unsatisfying to me for several reasons:
  - It implemented a lot of the same functionality that exists in the EFI framework.
  - It involved implementing a GPT partition driver to deal with partition tables inside GELI partitions (GPT detection and support is guaranteed by the EFI spec).
  - The interface between the EFI framework and the custom “providers” framework was awkward.
  - The driver was completely boot1-specific, and exporting it to something like GRUB probably involved a total rewrite.
  - Implementing it within loader was going to involve a lot of code duplication.
  - There was no obvious way to pass keys between boot1, loader, and the kernel.”
- With the issues known, Eric seems pleased with the results of the conversion so far:
- “The GELI driver can be extracted from the FreeBSD codebase without too much trouble. While I was unable to go all the way to the EFI driver model, the only blocker is the bcache code, and once that is resolved, we can have hotplug support in the boot loader! The boot1 and loader codebases are now sharing all the backend drivers, and boot1 has been reduced to one very small source file.”
- An interesting read; looking forward to playing with EFI more in the future!

Faces of FreeBSD 2016: Michael W. Lucas (https://www.freebsdfoundation.org/blog/faces-of-freebsd-2016-michael-lucas/)
- On this edition of “Faces of FreeBSD”, Michael W. Lucas tells the story of how he got started with FreeBSD.
- After an amusing re-telling of his childhood (the words “Purina Monkey Chow” were mentioned), he tells us how he got into BSD.
- His being thrown into the project may sound familiar to many: “I came in at 11 PM one night and was told ‘The DNS administrator just got walked out the door. You’re the new lead DNS administrator. Make those servers work. Good luck.’”
- From there (because he wanted more sleep), he began ripping out the systems that had been failing and waking him up at night. Good-bye UnixWare, good-bye Solaris, hello BSD!
- A very amusing read, check it out!

High Availability with PostgreSQL on FreeBSD (https://www.youtube.com/watch?v=ugct9-Mm7Ls)
- A talk by Sean Chittenden, who we interviewed previously on Episode 95 (http://www.bsdnow.tv/episodes/2015_06_24-bitrot_group_therapy)
- Explains how to set up multi-data-center high availability for PostgreSQL using consul
- Goes into how consul works, how it does the election, the gossip protocol, etc.
- The HA setup uses DNS failover, and the pros and cons of that approach are discussed
- Then he walks through the implementation details and example configuration

New FreeBSD i915 testing images (http://www.bsddesktop.com/images/)
- Still need users to test the Linux kernel 4.6 DRM update to FreeBSD’s graphics stack
- Download the test image, write it to a USB stick and boot from it
- It will not modify your installed system; it runs entirely off of the USB drive
- Allows you to test the updated drivers without having to install the development branch on your device
- “you can tell them that ATI/AMD support will be coming shortly and that stability has been steadily improving and that I'll do another announcement as soon as I've had a chance to test the newest Xorg bits”

Beastie Bits
- Comfortable on the CLI: Series Part 1 (https://www.cotcli.com/post/The-Very-Basics/)
- FreeBSD booting on the Netgate uFW, a smaller-than-a-Raspberry-Pi dual port firewall (https://gist.github.com/gonzopancho/8e7df7a826e9a2949b36ed2a9d30312e)
- Picture of uFW (https://twitter.com/gonzopancho/status/737874921435594753)
- uFW OpenSSL Benchmarks (https://gist.github.com/gonzopancho/8f20b50487a4f7de56e99448866a147d)
143: One small step for DRM, one giant leap for BSD
This week on BSDNow, we have an interview with Matthew Macy, who has some exciting news to share with us regarding the state of graphics

This episode was brought to you by

Headlines

How the number of states affects pf’s performance on FreeBSD (http://blog.cochard.me/2016/05/playing-with-freebsd-packet-filter.html)
- Our friend Olivier of FreeNAS and BSDRP fame has an interesting blog post this week detailing his unique issue with finding a firewall that can handle upwards of 4 million state table entries.
- He begins the article by benchmarking the defaults, since without that we don’t have a baseline to compare the later results against. All done on his Netgate RCC-VE 4860 (4 cores ATOM C2558, 8GB RAM) under FreeBSD 10.3.
- “We notice a little performance impact when we reach the default 10K state table limit: from 413Kpps with 128 states in use, it lowers to 372Kpps.”
- With the initial benchmarks done and graphed, he then starts the tuning process by adjusting the “net.pf.states_hashsize” sysctl, and then playing with the number of states for the firewall to keep.
- “For the next bench, the number of flows will be fixed for generating 9800 pf state entries, but I will try different values of pf.states_hashsize until the maximum allowed on my 8GB RAM server (still with the default max states of 10k):”
- Then he cranks it up to 4 million states: “There is only 12% performance penalty between 128 pf states and 4 million pf states.”
- “With 10M states, pf performance lowers to 362Kpps: still only 12% lower performance than with only 128 states”
- He then looks at what this does to pfsync, the protocol to sync the state table between two redundant pf firewalls.
- Conclusions: There needs to be a linear relationship between the pf hard limit of states and pf.states_hashsize; RAM needed for pf.states_hashsize = pf.states_hashsize * 80 bytes, and pf.states_hashsize should be a power of 2 (from the manual page); even small hardware can manage a large number of sessions (it's a matter of RAM), but under too much pressure pfsync will suffer.

Introducing the BCHS Stack = BSD, C, httpd, SQLite (http://www.learnbchs.org/)
- Pronounced “Beaches”
- “It's a hipster-free, open source software stack for web applications”
- “Don't just write C. Write portable and secure C.”
- “Get to know your security tools. OpenBSD has systrace(4) and pledge(2). FreeBSD has capsicum(4).”
- “Statically scan your binary with LLVM” and “Run your application under valgrind”
- “Don't forget: BSD is a community of professionals. Go to conferences (EuroBSDCon, AsiaBSDCon, BSDCan, etc.)”
- This seems like a really interesting project; we’ll have to get Kristaps Dzonsons back on the show to talk about it.

Installing OpenBSD's httpd server, MariaDB, PHP 5.6 on OpenBSD 5.9 (https://www.rootbsd.net/kb/339/Installing-OpenBSDandsharp039s-httpd-server-MariaDB-PHP-56-on-OpenBSD-59.html)
- Looking to deploy your next web stack on OpenBSD 5.9? If so, this next article from rootbsd.net is for you.
- Specifically, it will walk you through the process of getting OpenBSD’s own httpd server up and running, followed by MariaDB and PHP 5.6.
- Most of the setup is pretty straightforward; the httpd syntax may be unfamiliar if this is your first time trying it out.
- Once the various packages are installed and configured, the rest of the tutorial is easy, walking you through the standard hello world PHP script and enabling the services to run at reboot.
- A good article for those wanting to start hosting PHP/DB content (WordPress anyone?) on an OpenBSD system.

The infrastructure behind Varnish (https://www.varnish-cache.org/news/20160425_website.html)
- Dogfooding. It’s a term you hear often in the software community, which essentially means to “run your own stuff”. Today we have an article by PHK over at varnish-cache, talking about what that means to them.
- Specifically, they recently went through a website upgrade, which will enable them to run more of their own stuff.
- He has a great quote on what OS they use: “So, dogfood: Obviously FreeBSD. Apart from the obvious reason that I wrote a lot of FreeBSD and can get world-class support by bugging my buddies about it, there are two equally serious reasons for the Varnish Project to run on FreeBSD: Dogfood and jails. Varnish Cache is not “software for Linux”, it is software for any competent UNIX-like operating system, and FreeBSD is our primary “keep us honest about this” platform.”
- He then goes through the process of explaining how they would set up a new Varnish-cache website, or upgrade it.
- All together a great read, and if you are one of the admin types, you really should pay attention to how they build from the ground up. Some valuable knowledge here which every admin should try to replicate.
- I cannot reiterate the value of having your config files in a private source control repo strongly enough.
- The biggest take-away is: “And by doing it this way, I know it will work next time also.”

Interview - Matt Macy - mmacy@nextbsd.org (mailto:mmacy@nextbsd.org)
Graphics Stack Update (https://lists.freebsd.org/pipermail/freebsd-x11/2016-May/017560.html)

News Roundup

Followup on packaging base with pkg(8) (https://lists.freebsd.org/pipermail/freebsd-pkgbase/2016-May/000238.html)
- In spite of the heroic last-minute effort by a team of contributors, pkg’d base will not be ready in time for FreeBSD 11.0
- There are just too many issues that were discovered during testing
- The plan is to continue using freebsd-update in the meantime, and introduce a pkg based upgrade mechanism in FreeBSD 11.1
- With the new support model for the FreeBSD 11 branch, 11.1 may come sooner than with previous major releases

FreeBSD Core Election (https://www.freebsd.org/internal/bylaws.html)
- It is time once again for the FreeBSD Core Election
- Application period begins: Wednesday, 18 May 2016 at 18:00:00 UTC
- Application period ends: Wednesday, 25 May 2016 at 18:00:00 UTC
- Voting begins: Wednesday, 25 May 2016 at 18:00:00 UTC
- Voting ends: Wednesday, 22 June 2016 at 18:00:00 UTC
- Results announced: Wednesday, 29 June 2016
- New core team takes office: Wednesday, 6 July 2016
- As of the time I was writing these notes, 3 hours before the application deadline, the candidates are:
  - Allan Jude: Filling in the potholes
  - Marcelo Araujo: We are not vampires, but we need new blood.
  - Baptiste Daroussin (incumbent): Keep on improving
  - Benedict Reuschling: Learn and Teach
  - Benno Rice: Revitalising The Community
  - Devin Teske: Here to help
  - Ed Maste (incumbent): FreeBSD is people
  - George V. Neville-Neil (incumbent): There is much to do…
  - Hiroki Sato (incumbent): Keep up with our good community and technical strength
  - John Baldwin: Ready to work
  - Juli Mallett: Caring for community.
  - Kris Moore: User-Focused
  - Mathieu Arnold: Someone ask for fresh blood?
  - Ollivier Robert: Caring for the project and you, its developers
- The deadline for applications is around the time we finish recording the live show
- We welcome any of the candidates to schedule an interview in the next few weeks. We will make an attempt to hunt many of them down at BSDCan as well.

Wayland/Weston with XWayland works on DragonFly (http://lists.dragonflybsd.org/pipermail/users/2016-May/249620.html)
- We haven’t talked a lot about Wayland on BSD recently (or much at all), but today we have a post from Peter to the DragonFly mailing list, detailing his experience with it.
- Specifically, he talks about getting XWayland working, which provides the compat bits for native X applications to run on Wayland displays.
- So far on the working list of apps: “gtk3: gedit nautilus evince xfce4: - xfce4-terminal - atril firefox spyder scilab”
- A pretty impressive list, although he said “chrome” failed with a seg-fault
- This is something I’m personally interested in. Now with the newer DRM bits landing in FreeBSD, perhaps it’s time for some further looking into Wayland.

Broadcom WiFi driver update (http://adrianchadd.blogspot.ca/2016/05/updating-broadcom-softmac-driver-bwn-or.html)
- In this blog post Adrian Chadd talks about his recent work on the bwn(4) driver for Broadcom WiFi chips
- This work has added support for a number of older 802.11g chips, including the one from 2009-era MacBooks
- Work is ongoing, and the hope is to add 802.11n and 5GHz support as well
- Adrian is mentoring a number of developers working on embedded or WiFi related things, to try to increase the project's bandwidth in those areas
- If you are interested in driver development, or WiFi internals, the blog post has lots of interesting details and covers the story of Adrian’s recent adventures in bringing the drivers up

Beastie Bits
- The Design of the NetBSD I/O Subsystems (2002) (http://arxiv.org/abs/1605.05810)
- ZFS, BTRFS, XFS, EXT4 and LVM with KVM – a storage performance comparison (http://www.ilsistemista.net/index.php/virtualization/47-zfs-btrfs-xfs-ext4-and-lvm-with-kvm-a-storage-performance-comparison.html?print=true)
- Swift added to FreeBSD Ports (http://www.freshports.org/lang/swift/)
- misc@openbsd: 'NSA addition to ifconfig' (http://marc.info/?l=openbsd-misc&m=146391388912602&w=2)
- Papers We Love: Memory by the Slab: The Tale of Bonwick's Slab Allocator (http://paperswelove.org/2015/video/ryan-zezeski-memory-by-the-slab/)

Feedback/Questions
- Lars - Poudriere (http://pastebin.com/HRRyfxev)
- Warren - .NET (http://pastebin.com/fESV1egk)
- Eddy - Sys Init (http://pastebin.com/kQecpA1X)
- Tim - ZFS Resources (http://pastebin.com/5096cGXr)
- Morgan - Ports and Kernel (http://pastebin.com/rYr1CDcV)
142: Diving for BSD Perls
This week on the show, we have all the latest news and stories! Plus an interview with BSD developer Alfred Perlstein, that you

This episode was brought to you by

Headlines

The May issue of BSDMag is now out (https://bsdmag.org/download/reusing_openbsd/)
- GhostBSD
- Reusing OpenBSD's arc4random in multi-threaded user space programs
- Securing VPNs with GRE / Strongswan
- Installing XFCE 4.12 on NetBSD 7
- Interview with Fernando Rodriguez, the co-founder of KeepCoding

A rundown of the FPT_W^X_EXT.1 security requirement for General Purpose Operating Systems by the NSA (http://blog.acumensecurity.net/fpt_wx_ext-1-a-rundown/)
- NIST/NSA Validation Scheme Report (https://www.commoncriteriaportal.org/files/ppfiles/pp_os_v4.1-vr.pdf)
- The SFR, or Security Functional Requirement, requires that: "The OS shall prevent allocation of any memory region with both write and execute permissions except for [assignment: list of exceptions]."
- While nearly all operating systems currently support the use of the NX bit, or the equivalent on processors such as SPARC and ARM, and will correctly mark the stack as non-executable, the fact remains that this in and of itself is deemed insufficient by NIST and NSA.
- OpenBSD 5.8, FreeBSD, Solaris, RHEL, and most other Linux distros have failed. HardenedBSD passes all three tests out of the box. NetBSD will do so with a single sysctl tweak. Since they are using the PaX model, anything else using PaX, such as a grsecurity-enabled Linux distribution, passes these assurance activities as well.
- OpenBSD 5.9 does not allow such mappings, due to W^X being enforced by the kernel; however, the kernel will panic if there are any attempts to create such mappings.
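As an added example (not from the acumensecurity blog, the Common Criteria report, or the undeadly article), here is a small probe in the spirit of FPT_W^X_EXT.1: it asks the kernel for writable-plus-executable memory in the two usual ways and reports whether the request was honoured or refused. The ENOTSUP verdict comes from the mandatory-W^X notes in episode 144 above; treating EACCES/EPERM as policy refusals too is my assumption, as are all the names in the block.

```c
#define _DEFAULT_SOURCE /* glibc: expose MAP_ANON; harmless elsewhere */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Verdict for one attempted writable+executable mapping. */
enum wx_result {
    WX_ALLOWED = 0,        /* kernel handed out W|X memory: requirement not met */
    WX_REFUSED_POLICY = 1, /* kernel refused for policy reasons (OpenBSD: ENOTSUP) */
    WX_FAILED_OTHER = 2    /* unrelated failure (e.g. ENOMEM); inconclusive */
};

/* Map the errno of a failed mmap()/mprotect() onto a verdict. ENOTSUP is what
 * OpenBSD's W^X enforcement returns (per the undeadly article). EACCES/EPERM
 * are treated as policy refusals as well; that is an assumption made here, so
 * other hardening schemes that deny exec-memory are not misreported. */
static enum wx_result classify_mapping_errno(int err)
{
    if (err == 0)
        return WX_ALLOWED;
    if (err == ENOTSUP || err == EACCES || err == EPERM)
        return WX_REFUSED_POLICY;
    return WX_FAILED_OTHER;
}

/* Test 1: ask for a fresh anonymous RWX mapping outright. */
enum wx_result probe_wx_mmap(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return classify_mapping_errno(errno);
    munmap(p, len);
    return WX_ALLOWED;
}

/* Test 2: the JIT pattern, a RW mapping later upgraded to RWX with mprotect(). */
enum wx_result probe_wx_mprotect(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return WX_FAILED_OTHER; /* could not even get the RW page */
    int err = mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC) == 0 ? 0 : errno;
    munmap(p, len);
    return classify_mapping_errno(err);
}

const char *wx_result_name(enum wx_result r)
{
    switch (r) {
    case WX_ALLOWED:        return "ALLOWED (W^X not enforced)";
    case WX_REFUSED_POLICY: return "REFUSED (W^X enforced)";
    default:                return "INCONCLUSIVE";
    }
}

int main(void)
{
    /* On OpenBSD 5.9+ both lines should read REFUSED, unless the binary lives
     * on a filesystem mounted with wxallowed. If kern.wxabort is set, the
     * process is killed with SIGABRT at the first violation instead. */
    printf("mmap(RWX):           %s\n", wx_result_name(probe_wx_mmap()));
    printf("mprotect(RW -> RWX): %s\n", wx_result_name(probe_wx_mprotect()));
    return 0;
}
```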
DistroWatch reviews new features in FreeBSD 10.3 (https://distrowatch.com/weekly.php?issue=20160516#freebsd)
- DistroWatch did a review of FreeBSD 10.3
- They ran into a few problems, but hopefully those can be fixed
- An issue with beadm setting the canmount property incorrectly, causing the ZFS BE menu to not work as expected, should be resolved in the next version, thanks to a patch from kmoore
- The limitations of the Linux 64 support are what they are; CentOS 6 is still fairly popular with enterprise software, but hopefully some folks are interested in working on bringing the syscall emulation forward
- In a third issue, the reviewer seemed to have issues SSHing from inside the jail. This likely has to do with how they got a console in the jail. I remember having problems with this in the past, something about a secure console.

BSD Unix: Power to the people, from the code (https://www.salon.com/2000/05/16/chapter_2_part_one/)
- Salon.com has a very long article chronicling much of the history behind BSD UNIX.
- It starts with the humble origins of BSD, beginning with Bill Joy in the mid-70’s, and then goes through how it rapidly grew, and the influence that the University of Berkeley had on open source.
- “But too much focus on Joy, a favorite target for business magazine hagiography, obscures the larger picture. Berkeley’s most important contribution was not software; it was the way Berkeley created software. At Berkeley, a small core group — never more than four people at any one time — coordinated the contributions of an ever-growing network of far-flung, mostly volunteer programmers into progressive releases of steadily improving software. In so doing, they codified a template for what is now referred to as the “open-source software development methodology.” Put more simply, the Berkeley hackers set up a system for creating free software.”
- The article goes on to talk about some of the back and forth between Linux and BSD, and why Linux has captured more of the market in recent years, but BSD is far from throwing in the towel.
- “BSD patriots argue that the battle is far from over, that BSD is technically superior and will therefore win in the end. That’s for the future to determine. What’s indisputable is BSD’s contribution in the past. Even if, by 1975, Berkeley’s Free Speech Movement was a relic belonging to a fast-fading generation, on the fourth floor of Evans Hall, where Joy shared an office, the free-software movement was just beginning.”
- An excellent article (if a bit long), but well worth your time to understand the origins of what we consider modern day BSD, and how the University of Berkeley helped shape it.

iXsystems (http://ixsystems.com)
#ServerEnvy: It's over 10,000 Terabytes! (https://www.ixsystems.com/blog/serverenvy-10000-terabytes/)

Interview - Alfred Perlstein - alfred@freebsd.org (mailto:alfred@freebsd.org) / @splbio (https://twitter.com/splbio)
Using BSD for projects

News Roundup

.NET framework ported to NetBSD (https://github.com/dotnet/coreclr/pull/4504/files)
- This pull request adds basic support for the .NET framework on NetBSD 7.x amd64
- It includes documentation on how to get the .NET framework installed
- It uses pkgsrc to bootstrap the required tools
- pkgsrc-wip is used to get the actual .NET framework, as porting is still in progress
- The .NET Core-CLR is now available for: FreeBSD, Linux, NetBSD, and OS X

OpenBSD SROP mitigation – call for testing (https://marc.info/?l=openbsd-tech&m=146281531025185&w=2)
- A new technique for exploiting flaws in applications and operating systems has been developed, called SROP
- “we describe Sigreturn Oriented Programming (SROP), a novel technique for exploits and backdoors in UNIX-like systems. Like return-oriented programming (ROP), sigreturn oriented programming constructs what is known as a ‘weird machine’ that can be programmed by attackers to change the behavior of a process. To program the machine, attackers set up fake signal frames and initiate returns from signals that the kernel never really delivered. This is possible, because UNIX stores signal frames on the process’ stack.”
- “Sigreturn oriented programming is interesting for attackers, OS developers and academics. For attackers, the technique is very versatile, with pre-conditions that are different from those of existing exploitation techniques like ROP. Moreover, unlike ROP, sigreturn oriented programming programs are portable. For OS developers, the technique presents a problem that has been present in one of the two main operating system families from its inception, while the fixes (which we also present) are non-trivial.
From a more academic viewpoint, it is also interesting because we show that sigreturn oriented programming is Turing complete.” Paper describing SROP (http://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf) OpenBSD has developed a mitigation against SROP “Utilizing a trick from kbind(2), the kernel now only accepts signal returns from the PC address of the sigreturn(2) syscall in the signal trampoline. Since the signal trampoline page is randomized placed per process, it is only known by directly returning from a signal handler.” “As well, the sigcontext provided to sigreturn(2) now contains a magic cookie constructed from a per-process cookie XOR'd against the address of the signal context.” This is just a draft of the patch, not yet considered production quality *** Running Tor in a NetBSD rump unikernel (https://github.com/supradix/rumprun-packages/tree/33d9cc3a65a39e32b4bc8034c151a5d7e0b89f66/tor) We’ve talked about “rump” kernels before, and also Tor pretty frequently, but this new github project combines the two! Specifically, this set of Makefile and scripts will prep a system to run Tor via the Unikernel through Qemu. The script mainly describes how to do the initial setup on Linux, using iptables, but could easily be adapted to a BSD if somebody wants to do so. (Send them a pull request with the instructions!) All in all, this is a fascinating way to run a Tor node or relay, in the most minimal operating environment possible. *** An update on SSH protocol 1 ("we're most of the way towards fully deprecating SSH protocol 1" (http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-May/035069.html) Damien Miller has given us an update on the status of the “SSH protocol 1”, and the current plans to deprecate it in an upcoming version of openssh. “We've had this old protocol in various stages of deprecation for almost 10 years and it has been compile-time disabled for about a year. 
Downstream vendors, to their credit, have included this change in recent OS releases by shipping OpenSSH packages that disable protocol 1 by default and/or offering separate, non-default packages to enable it. This seems to have proceeded far more smoothly than even my most optimistic hopes, so this gives us greater confidence that we can complete the removal of protocol 1 soon. We want to do this partly to hasten the demise of this cryptographic trainwreck, but also because doing so removes a lot of legacy code from OpenSSH that inflates our attack surface. Having it gone will make our jobs quite a bit easier as we maintain and refactor.” The current timeline looks like removing server-side protocol 1 support this August, after OpenSSH 7.4 is released, while leaving the client-side code disabled. Then, a year from now (June 2017), all protocol 1 code will be removed. If an sshd_config you maintain still says Protocol 2,1, now is the time to drop the 1. Beastie Bits Last day to get your BSDNow Shirts! Order now, wear at BSDCan! (https://teespring.com/bsdnow) Move local government (Austin TX) from Microsoft Windows (incl. Office) to Linux and/or PC-BSD (https://github.com/atxhack4change/2016-project-proposals/issues/15) Plan9 boot camp is back... and already at capacity. 
Another opportunity may come in September (http://lists.nycbug.org/pipermail/talk/2016-May/016642.html) Smaller is better - building an openbsd based router (https://functionallyparanoid.com/2016/04/22/smaller-is-better/) Baby Unix (https://i.redditmedia.com/KAjSscL9XOUdpIEWBQF1qi3QMr7zWgeETzQM6m3B4mY.jpg?w=1024&s=e8c08a7d4c4cea0256adb69b1e7c1887) Security Update for FreeBSD (https://security.freebsd.org/advisories/FreeBSD-SA-16:19.sendmsg.asc) & Another security update for FreeBSD (https://security.freebsd.org/advisories/FreeBSD-SA-16:18.atkbd.asc) Feedback/Questions Eric - The iX experience (http://pastebin.com/ZknTuKGv) Mike - Building Ports (http://pastebin.com/M760ZmHQ) David - ZFS Backups (http://pastebin.com/Pi0AFghV) James - BSD VPS (http://pastebin.com/EQ7envez) Rich - ZFS Followup (http://pastebin.com/p0HPDisH) ***
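Back to the OpenBSD SROP mitigation item above: the two checks it describes are easy to model, so here is an added example written for these notes (it is not OpenBSD's kernel code, and the struct layout, the fixed cookie and trampoline addresses, and all function names are made up for the example). A kernel-built frame carries a cookie equal to the per-process secret XOR'd with the frame's own address and is only accepted when sigreturn(2) is issued from the trampoline's PC; the example runs that check against a genuine frame, the same frame returned from the wrong PC, an attacker-forged frame with no cookie, and a leaked genuine frame replayed from a different stack address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a signal frame: the saved registers a real
 * sigcontext carries (only pc and sp here) plus the cookie field the
 * OpenBSD patch adds. Not OpenBSD's struct sigcontext. */
struct sim_sigcontext {
    uintptr_t sc_pc;      /* where the kernel will resume execution */
    uintptr_t sc_sp;      /* stack pointer at resume */
    uintptr_t sc_cookie;  /* must equal process cookie ^ (address of this frame) */
};

/* Per-process state the kernel keeps. Real OpenBSD draws the cookie from
 * the kernel RNG and maps the trampoline page at a random address per
 * process; here both are fixed constants chosen for the example. */
struct sim_process {
    uintptr_t cookie;         /* per-process secret, never exposed to userland */
    uintptr_t trampoline_pc;  /* PC of the sigreturn(2) syscall instruction */
};

/* Kernel side, signal delivery: only the kernel knows the cookie, so only a
 * kernel-built frame carries a valid one. */
void sim_sendsig(const struct sim_process *p, struct sim_sigcontext *ctx,
                 uintptr_t saved_pc, uintptr_t saved_sp)
{
    ctx->sc_pc = saved_pc;
    ctx->sc_sp = saved_sp;
    ctx->sc_cookie = p->cookie ^ (uintptr_t)ctx;
}

/* Kernel side, sigreturn(2) entry. caller_pc is the userland PC that issued
 * the syscall. Returns 1 if the frame is accepted, 0 if the process dies. */
int sim_sigreturn_check(const struct sim_process *p,
                        const struct sim_sigcontext *ctx, uintptr_t caller_pc)
{
    /* Check 1 (the kbind(2) trick): the syscall must come from the
     * trampoline, whose address is only learned by really returning from
     * a handler, not from a ROP gadget or a stray syscall instruction. */
    if (caller_pc != p->trampoline_pc)
        return 0;
    /* Check 2: the cookie ties the frame to this process AND to the
     * address it sits at, so a guessed cookie or a replayed copy fails. */
    if (ctx->sc_cookie != (p->cookie ^ (uintptr_t)ctx))
        return 0;
    return 1;
}

/* Attacker side, the SROP primitive from the paper: write a fake frame with
 * attacker-chosen registers and ask the kernel to "return" into it. */
void sim_forge_frame(struct sim_sigcontext *ctx, uintptr_t want_pc, uintptr_t want_sp)
{
    memset(ctx, 0, sizeof *ctx);
    ctx->sc_pc = want_pc;
    ctx->sc_sp = want_sp;
    /* sc_cookie stays 0: the attacker does not know the per-process cookie */
}

/* Runs four scenarios and returns how many came out as the mitigation
 * intends (4 means all of them). */
int sim_demo(void)
{
    struct sim_process p = { 0x5eed5eedu, 0x7f001000u };  /* constructed values */
    struct sim_sigcontext genuine, forged, replay;
    int ok = 0;

    sim_sendsig(&p, &genuine, 0x400123u, 0x7ffd0000u);
    ok += sim_sigreturn_check(&p, &genuine, p.trampoline_pc) == 1;  /* real return: accepted */
    ok += sim_sigreturn_check(&p, &genuine, 0x400456u) == 0;        /* same frame, wrong PC: killed */

    sim_forge_frame(&forged, 0xdeadbeefu, 0x7ffd0000u);
    ok += sim_sigreturn_check(&p, &forged, p.trampoline_pc) == 0;   /* forged frame, no cookie: killed */

    memcpy(&replay, &genuine, sizeof replay);                       /* leaked frame copied elsewhere */
    ok += sim_sigreturn_check(&p, &replay, p.trampoline_pc) == 0;   /* cookie bound to old address: killed */
    return ok;
}

int main(void)
{
    printf("%d of 4 sigreturn scenarios handled as intended\n", sim_demo());
    return 0;
}
```

The replay case is why the cookie is XOR'd with the context address rather than stored as-is: a cookie that is merely secret could still be reused anywhere on the stack once a single genuine frame leaks.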
141: BSD Likes Ike!
This week on the show, we have all the latest news and stories! Plus we’ll be hearing more about OPNsense from the man himself, Ike! This episode was brought to you by Headlines Regarding Embargoes (http://www.tedunangst.com/flak/post/regarding-embargoes) Our buddy TedU has a great thought piece today on the idea of “embargoes” for security advisories. This all stemmed from a recent incident with LibreSSL patches for embargoed OpenSSL vulns that accidentally got committed too early. Ted makes a pretty good case about the difficulties of having embargoes, and maybe the reasons there shouldn’t be any. A couple of quotes to give you a taste: “There are several difficulties maintaining embargoes. Keeping secrets is against human nature. I don’t want to be the one who leaks, but if I see something that looks like the secret is out, it’s a relief to be able to speak freely. There is a bias towards recognizing such signs where they may not really exist. (Exacerbated by broad embargoes where some parts leak but other parts don’t. It’s actually very hard to tell what’s not publicly known when you know everything.) The most thorough embargo and release timeline reconstruction is the heartbleed timeline. It’s another great case study. Who exactly decided who were the haves and have nots? Was it determined by who needed to know or who you needed to know? Eventually the dam started to crack.” “When Cloudflare brags that they get advance notice of vulnerabilities, attracting more customers, and therefore requiring even more early access, how are smaller players to compete? What happens if you’re not big enough to prenotify? Sometimes vulnerabilities are announced unplanned. Zero day cyber missiles are part of our reality, which means end users don’t really have the luxury of only patching on Tuesday. They need to apply patches when they appear. If applying patches at inconvenient times is a problem, make it not a problem. 
Not really a gripe about embargoes per se, but the scheduled timing of coordinated release at the end of the embargo is catering to a problem that shouldn’t exist.” I will admit that CloudFlare bragging around Heartbleed was upsetting The biggest issue here is the difficulty with coordinating so many open source projects, which are often done by volunteers, in different countries and time zones The other issue is determining when the secret is “out of the bag” *** MAJOR ABI BREAK: csu, ld.so, libc, libpthread update (http://www.openbsd.org/faq/current.html#r20160507) OpenBSD warns those following the -current (development) branch to be careful as they upgrade because of a major ABI break that will result in applications not working “Handling of single-threaded programs is now closer to multi-threaded, with ld.so and libc.a doing thread information base (TIB) allocation. Threaded programs from before the 2016/03/19 csu and ld.so update will no longer run. An updated ld.so must be built and installed before running make build.” A special note for those on PowerPC: “PowerPC has been updated to offset the TIB from the hardware register. As a result, all threaded programs are broken until they have been rebuilt with the new libc and libpthread. perl must be built after building the libraries and before building the rest of base.” “The definitions of environ and __progname for dynamically linked programs have been moved from the C startup code to ld.so(1). 
An updated ld.so must be built and installed before running make build.” The link provides instructions on how to update your system properly *** How to install FreeBSD 10.3 on VMWare Workstation 12 Pro (http://random-notes-of-a-sysadmin.blogspot.be/2016/04/howto-install-freebsd-103-on-vmware.html) This tutorial starts at the very basics, running through the FreeBSD installer But then it goes on to configuring the machine specifically for VMWare After the system has been booted, the tutorial walks through installing the VMWare tools Then networking is configured in both VMWare and FreeBSD A small hack is required to make the VMWare tools startup script wait until the network is up A very nice tutorial for people using VMWare I am working on a patch to bsdinstall to ensure that the swap partition is put before the main partition, so it can more easily be resized if you later decide you need more space in your VM the camcontrol reprobe subcommand has been added (https://svnweb.freebsd.org/base?view=revision&revision=299371), “This makes it possible to manually force updating capacity data after the disk got resized. Without it it might be necessary to reboot before FreeBSD notices updated disk size under eg VMWare.” *** BSD Router project releases v1.59 (https://sourceforge.net/projects/bsdrp/files/BSD_Router_Project/1.59/) We’ve talked about the BSD Router project a bit in the past, but today we have a brand new release to bring to you. For those who don’t remember, the BSDrp is a router aimed at replacing more of your big-commercial type systems. First up in the new hotness, we have it based upon recently released FreeBSD 10.3! 
In addition, there is a new package: mlvpn (aggregates network links in order to benefit from the bandwidth of multiple links). Other packages have gotten a bump with this release as well: bsnmp-ucd to 0.4.2, dma to 0.11, dmidecode to 3.0, exabgp to 3.4.15, iperf3 to 3.1.2, monit to 5.17, mpd5 to 5.8, openvpn to 2.3.10, python to 2.7.11, quagga to 1.0.20160315, strongswan to 5.4.0. What are you waiting for? amd64 and i386 images are ready for you to download now. Interview - Isaac (.Ike) Levy - See Ike again at SEMIBug in Troy, Michigan on May 17th (http://semibug.org/) *** News Roundup Tredly - Prebuilt containers on FreeBSD (https://github.com/tredly/) Discussion regarding its GPLv3 licensing (https://www.reddit.com/r/freebsd/comments/4gggw8/introducing_tredly_containers_for_unix_freebsd/) A new “container” solution called “Tredly” has started making some news around various tech sites. In particular, this new project uses FreeBSD as its base OS and jail functionality in the backend. Their solution seems based around the idea of shipping containers as manifests, such as lists of packages to install and configuration knobs. The project is still rather new, and we’ll be keeping an eye on it for the future. One notable point: it was initially (for some reason) released under GPLv3. Understandably this caused quite a ruckus with various folks in the community, since it’s built specifically on BSD. Since then, the code has been re-licensed as MIT, which is far more in the spirit of a traditional BSD license. 
*** NVMe driver added to NetBSD - ported from OpenBSD (https://www.netbsd.org/changes/changes-8.0.html#nvme%284%29) NetBSD has gained support for Non-Volatile Memory Express, the new standard for PCIe-attached flash memory. The change of interface from SATA to NVMe offers a number of advantages; mostly, it doesn’t require the device to pretend to be a spinning disk. One of the biggest advantages is that it supports completing multiple operations at once: with the Intel hardware I have tested, 63 I/Os can happen concurrently, so a very large queue depth is required to keep the device busy. The 64th I/O channel is reserved for administrative commands, to keep them from being delayed by the large queue depth. The device I tested could read at 3800 MB/s and write at 1700 MB/s, something that wouldn’t be possible with a SATA-attached SSD. It is interesting that NetBSD took the NVMe support from OpenBSD, whereas the FreeBSD implementation was contributed directly by Intel. This may have to do with the fact that OpenBSD’s device model is closer to that of NetBSD. Commit Log (http://mail-index.netbsd.org/source-changes/2016/05/01/msg074367.html) *** New BSDNow T-Shirts (https://teespring.com/bsdnow) By popular demand, we have created a more subtle BSDNow shirt, featuring only the smallish BSDNow logo over the left breast. Available in a number of styles (T-Shirt, Women’s T-Shirt, Long Sleeve, and Hoodie) as well as a number of colours: Black, Blue, Grey, and White. The hope is that enough orders come through so we can get them shipped and into your sweaty little hands in time for BSDCan. (I’ll be wearing mine, will you B...SD?) 
If you still want one of our now-famous “The Usual BSD’s” t-shirts, you can also indicate your interest here, and once 10 or more shirts are ordered, a reprint will happen automatically (https://teespring.com/bsd105) *** PC-BSD 11-CURRENT with Package Base (http://lists.pcbsd.org/pipermail/testing/2016-May/010616.html) Looking for a way to play with the new FreeBSD base package system? This month’s PC-BSD -CURRENT image now uses packages for the base system installation, and testers are wanted to help find bugs. Known issues so far: setuid binaries (fix in the works), missing timezone files, and the distrib packages. If all that doesn’t scare you away, then give it a whirl! Upgrades for the previous April images are now online as well. *** BeastieBits HardenedBSD + LibreSSL (https://hardenedbsd.org/article/shawn-webb/2016-05-05/libressl-hardenedbsd-base) Michael Dexter's talk at LFNW 2016 has the second-highest YouTube view count of this year's conference (https://www.youtube.com/watch?v=6k1Mf0c6YW8) Why OpenBSD is important to me (http://ggr.com/why-openbsd-is-important-to-me.html) Study of nginx-1.9.12 performance/latency on DragonFlyBSD-g67a73 (http://lists.dragonflybsd.org/pipermail/users/2016-May/249581.html) Running FreeBSD / OpenBSD / NetBSD as a virtualised guest on Online.net (https://www.geeklan.co.uk/?p=2109) The interesting story of how illumos syscalls work (http://zinascii.com/2016/the-illumos-syscall-handler.html) The BeaST is a FreeBSD-based dual-controller reliable storage system concept, with the aim of implementing ZFS and an in-memory cache. (https://mezzantrop.wordpress.com/portfolio/the-beast/) Francois Tigeot updates the drm/i915 driver to match what’s in Linux kernel 4.3 (http://lists.dragonflybsd.org/pipermail/commits/2016-May/500352.html) FreeBSD is working on the update to Linux kernel 4.6; we may finally get ahead of DragonFly! 
(https://twitter.com/ed_maste/status/730450314889924608) Feedback/Questions Oskar - Torrent Jail (http://pastebin.com/RT7tVtQ7) Shane - ZFS Delete (http://pastebin.com/VkpMeims) Adam - Zimbra Port (http://pastebin.com/MmQ00Sv1) Ray - PC-BSD - FrameBuffer (http://pastebin.com/Xx9TkX7A) Richard - ZFS Backups (http://pastebin.com/ncYxqpg3) ***
140: Tracing it back to BSD
This week on BSDNow, Allan is back in town from Europe! We’ll get to hear some of his wrap-up and get caught up on the latest BSD This episode was brought to you by Headlines FreeBSD Quarterly Report (http://www.freebsd.org/news/status/report-2016-01-2016-03.html) This quarterly status report starts with a rather interesting introduction by Warren Block. Topics include: ASLR; porting Ceph to FreeBSD; RCTL I/O rate limiting; the graphics stack on FreeBSD (Haswell is in, work is progressing on the next update); the CAM I/O scheduler; NFS server updates, working around the 16 group limit and implementing pNFS, allowing NFS to scale beyond a single server; static analysis of the FreeBSD kernel with PVS-Studio; PCI-express hotplug; the GitLab port is committed!; WITH_FAST_DEPEND and other improvements to the FreeBSD build system; and lots of other interesting stuff. *** A Prog By Any Other Name (http://www.tedunangst.com/flak/post/a-prog-by-any-other-name) Ted Unangst looks at what goes into the name of a program: “Sometimes two similar programs are really the same program with two names. For example, grep and egrep are two commands that perform very similar functions and are therefore implemented as a single program. Running ls -i and observing the inode number of each file will reveal that there is only one file. Calling the program egrep is a shorthand for -E and does the same thing.” So BSD provides __progname in libc, so a program can tell what its name is. But what if it has more than one name? “In fact, every program has three names: its name in the filesystem, the name it has been invoked with, and whatever it believes its own name to be.” Of course it is not that easy: “there’s another set of choices for each name, the full path and the basename” and “It’s even possible on some systems for argv[0] to be NULL.” He then goes on to rename doas (the OpenBSD lightweight replacement for sudo) to banana and discuss what happens. “On that note, another possible bug is to realize that syslog by default uses progname. 
A user may be able to evade log monitoring by invoking doas with a different name. (Just fixed.)” Another interesting article from our friend Ted *** FreeBSD (https://summerofcode.withgoogle.com/organizations/4892834293350400/) and NetBSD (https://summerofcode.withgoogle.com/organizations/6246531984261120/) Google Summer of Code projects have been announced. Some FreeBSD highlights: Add SCSI passthrough to CTL (share an optical drive via iSCSI); Add a USB target mode driver based on CTL (share a USB device via iSCSI); API to link created /dev entries to sysctl nodes; Implement Ethernet Ring Protection Switching (ERPS); HD Audio device model in userspace for bhyve. Some NetBSD highlights: Implement Ext4fs support in read-only mode; NPF and blacklistd web interface; Port U-Boot so it can be compiled on NetBSD; Split debug symbols for pkgsrc builds. *** libressl - more vague promises (http://www.tedunangst.com/flak/post/libressl-more-vague-promises) We haven’t had a Ted U article on the show as of late, however this week we get several! In his next entry, “LibreSSL, more vague promises”, he goes into some detail on what has happened with LibreSSL in the past while, as well as future plans going forward. “With an eye to the future, what new promises can we make? Some time ago I joked that we only promised to make a better TLS implementation, not a better TLS. Remains true, but fortunately there are people working on that, too. TLS 1.3 support is on the short term watchlist. The good news is we may be ahead of the game, having already removed compression. How much more work can there be?” “LibreSSL integrated the draft chacha20-poly1305 construction from BoringSSL. The IETF has since standardized a slightly different version because if it were the same it wouldn’t be different. Support for standard variant, and the beginning of deprecation for the existing code, should be landing very shortly. 
Incidentally, some people got bent out of shape because shipping chacha20 meant exposing non IANA approved numbers to Internet. No promises that won’t happen again.” *** Interview - Samy Al Bahra - @0xF390 (https://twitter.com/0xF390) Backtrace *** News Roundup systrace(1) is removed for OpenBSD 6.0 (http://marc.info/?l=openbsd-cvs&m=146161167911029&w=2) OpenBSD has removed systrace, an older mechanism for limiting what syscalls an application can make. It is mostly replaced by the pledge(2) system call. OpenBSD had the first implementation; most others have been unmaintained for some time. The last reported Linux version was for kernel 2.6.1, and NetBSD removed systrace in 2007. Worth remembering if you still run into a wrapper-style sandbox of this kind: because systrace inspected syscall arguments from outside the kernel's own copy-in path, it was known to be susceptible to time-of-check/time-of-use races on those arguments, which is one of the reasons in-kernel designs like pledge(2) are preferred. *** pfSense Video Series: Comprehensive Guide To pfSense 2.3 (https://www.youtube.com/playlist?list=PLE726R7YUJTePGvo0Zga2juUBxxFTH4Bk) A series of videos (11 so far) about pfSense. Covers why you would use it, how to pick your hardware, and installation. Then the series covers some networking basics, to make sure you are up to speed before configuring your pfSense, followed by a comprehensive tour of the WebUI. Then it goes on to cover graphing, and backing up and restoring configuration. There are also videos on running DHCP, NTP, and DNS servers. *** DuckDuckGo announces its 2016 FOSS Donations (https://duck.co/blog/post/303/2016-foss-donations-announcement) The theme is “raising the standard of trust online”. Supported projects include: the OpenBSD Foundation, which announces DuckDuckGo as a Gold Sponsor (http://undeadly.org/cgi?action=article&sid=20160503085227&mode=expanded); the Freedom of the Press Foundation for SecureDrop; the Freenet Project; the CrypTech Project; the Tor Project; Fight for the Future for Save Security; the Open Source Technology Improvement Fund for VeraCrypt (based on TrueCrypt); Riseup Labs for LEAP (LEAP Encryption Access Project); GPGTools for GPGMail. *** Larry the BSD Guy hangs up his hat at FOSS Force (http://fossforce.com/2016/04/bsd-linuxfest-northwest/) After 15 years, Larry the BSD Guy has decided to hang it up, and walk into the sunset! (Figuratively of course) After wrapping up coverage of the recent LinuxFest Northwest (which he didn’t attend), Larry has decided it’s time for a change and is giving up his column over at FOSS Force, as well as stepping away from all things technical. His last write-up is a good one, and he has some nice plugs for both Dru Lavigne and Michael Dexter of the BSD community. He will be missed, but we wish him all the luck with the future! He also puts out the plug that FOSS Force will be needing a new columnist in the near future, so if you are interested please let them know! *** Beastie Bits If you sponsored “FreeBSD Mastery: Advanced ZFS”, check your mail box (http://blather.michaelwlucas.com/archives/2648) pkg-1.7.0 is an order of magnitude slower than pkg-1.6.4 (https://marc.info/?l=freebsd-ports&m=146001143408868&w=2) -- Caused by a problem not in pkg LinuxFest Northwest 2016 Recap (https://www.ixsystems.com/blog/linuxfest-northwest-2016/) Dru Lavigne's 'Doc Like an Egyptian' talk from LFNW (https://www.linuxfestnorthwest.org/2016/sessions/doc-egyptian) Michael Dexter's 'Switching to BSD from Linux' talk from LFNW (https://www.linuxfestnorthwest.org/2016/sessions/devil-details-switching-bsd-linux) Michael Dexter's 'Secrets to enduring user groups' talk from LFNW (https://www.linuxfestnorthwest.org/2016/sessions/20-year-and-counting-secrets-enduring-user-groups) January issue of the FreeBSD Journal online for free (https://www.freebsdfoundation.org/journal/) GhostBSD releases 10.3 Alpha1 for testing (http://ghostbsd.org/10.3_alpha1) EuroBSDcon 2016 - Call for Papers - Deadline: May 8th (https://www.freebsdnews.com/2016/04/15/eurobsdcon-2016-call-for-papers/) KnoxBUG Initial Meeting (http://www.knoxbug.org/content/knoxbug-maiden-voyage) Photos, slides, and videos from the Open Source Data Center Conference (https://www.netways.de/en/events_trainings/osdc/archive/osdc2016/) *** Feedback/Questions Mohammad - Replication 
(http://pastebin.com/KDnyWf6Y) John - Rolling new packages (http://pastebin.com/mAbRwbEF) Clint - Unicast (http://pastebin.com/BNa6pyir) Bill - GhostBSD (http://pastebin.com/KDjS2Hxa) Charles - BSD Videos (http://pastebin.com/ABUUtzWM) ***
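One more thing on the “A Prog By Any Other Name” item above, since the syslog point is the security-relevant one: the evasion works because openlog(3) without an explicit ident falls back to the program name, which follows argv[0]. The following C is an added example for these notes, not doas's code or anything from Ted's post: it derives the invoked name the way __progname usually is (basename of argv[0], covering the NULL argv[0] case the post mentions), shows the weak openlog() beside the fixed-ident one, and builds a startup audit line that names the real program first so a log rule keyed on it still fires when the binary was copied to “banana”. REAL_NAME "doas" and all function names are placeholders chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Stand-in for the program's real, compile-time name (constructed for the
 * example; a real build would set this from the Makefile). */
#define REAL_NAME "doas"

/* The name a program was invoked under, derived the way libc's __progname
 * is: the basename of argv[0]. Covers the three cases from the post: a
 * full path, a bare name, and a NULL argv[0]. */
const char *name_from_argv0(const char *argv0)
{
    const char *slash;
    if (argv0 == NULL || *argv0 == '\0')
        return "(unknown)";
    slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* 1 if the binary was started under a name other than its own (a copy,
 * hard link or symlink called something else), 0 otherwise. */
int invoked_under_alias(const char *argv0)
{
    return strcmp(name_from_argv0(argv0), REAL_NAME) != 0;
}

/* The weak pattern: the syslog ident follows argv[0], so
 * "ln /usr/bin/doas banana && ./banana ..." logs as "banana" and a
 * monitoring rule matching "doas" never fires. */
void open_log_following_argv0(const char *argv0)
{
    openlog(name_from_argv0(argv0), LOG_PID | LOG_NDELAY, LOG_AUTH);
}

/* The fix: a fixed ident, independent of how the binary was named. */
void open_log_fixed(void)
{
    openlog(REAL_NAME, LOG_PID | LOG_NDELAY, LOG_AUTH);
}

/* The line the hardened program logs at startup: real name first (so the
 * rule matches), then the alias if there was one (so the evasion attempt
 * itself is visible). Returns the length snprintf would have written. */
int format_audit_line(const char *argv0, char *out, size_t cap)
{
    if (!invoked_under_alias(argv0))
        return snprintf(out, cap, "%s: invoked under own name", REAL_NAME);
    return snprintf(out, cap, "%s: invoked under alias %s", REAL_NAME,
                    name_from_argv0(argv0));
}

/* Returns 1 if the audit line for a renamed copy comes out as expected. */
int audit_line_selftest(void)
{
    char line[128];
    format_audit_line("/tmp/banana", line, sizeof line);
    return strcmp(line, "doas: invoked under alias banana") == 0;
}

int main(int argc, char **argv)
{
    char line[128];
    (void)argc;
    open_log_fixed();
    format_audit_line(argv[0], line, sizeof line);
    syslog(LOG_NOTICE, "%s", line);  /* lands in the auth facility under "doas" */
    printf("%s\n", line);
    closelog();
    return 0;
}
```

Run it as ./a.out and then again through a symlink with another name to see the second form of the line; the ident in syslog stays "doas" either way.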
139: Cheri-picking BSD
This week, Allan is out of town, but since when has that ever stopped us from bringing you a new episode of BSDNow? We have news, This episode was brought to you by Headlines Unix's file durability problem (https://utcc.utoronto.ca/~cks/space/blog/unix/FileSyncProblem) Another article by Chris Siebenmann from the University of Toronto This time, the issue was a lost comment on his Python based blog which uses files on disk rather than a database After an unexpected restart of the system, a recently posted comment no longer existed The post goes on to investigate what the ‘right way’ to ensure file durability is The answer, as you might expect, is “it depends…” Normally, fsync() should work, but it seems with ext4 and some other file systems, you must also fsync() the directory where the file was created, or it might not be possible to find the file after a crash Do you need to fsync() the parent of that directory too? Then what is fdatasync() for? What about just calling sync()? “One issue is that unlike many other Unix API issues, it's impossible to test to see if you got it all correct and complete. If your steps are incomplete, you don't get any errors; your data is just silently sometimes at risk. Even with a test setup to create system crashes or abrupt power loss (which VMs make much easier), you need uncommon instrumentation to know things like if your OS actually issued disk flushes or just did normal buffered writes. 
And straightforward testing can't tell you if what you're doing will work all the time, because what is required varies by Unix, kernel version, and the specific filesystem involved.” Second post by the author: How I'm trying to do durable disk writes (https://utcc.utoronto.ca/~cks/space/blog/python/HowISyncDataDWiki) Additional discussion on Hacker News (https://news.ycombinator.com/item?id=11511269) The discussion on HN also gets into AIO and other more complicated facilities, but even those seem to be vague about when your data is actually safe. At least ZFS ensures you never get half of your new data and half of your old data. *** Build a FreeBSD 10.3-release Openstack Image with bsd-cloudinit (https://raymii.org/s/tutorials/FreeBSD_10.3-release_Openstack_Image.html) Are you using FreeBSD and OpenStack, or would you like to be? We next have a great tutorial which explains the ins and outs of doing exactly that. Remy van Elst brings us a great walkthrough on his site on how to get started, and hint: it involves just a few ‘pip’ commands. After getting the initial Python tools bootstrapped, he shows us how to save our OpenStack settings in a sourceable shell file, which comes in handy before doing admin on an instance. Next the ‘glance’ and ‘cinder’ tools are used to upload the target OS ISO file and then create a volume for it to install onto. Then the VM is started and some specific steps are outlined on getting FreeBSD 10.3 installed into the instance. It includes some helpful hints on how to fix a mountroot error if you installed to ada0 but now need to mount via vtbd0 (the virtio block device) instead. After the installation is finished, the prep for ‘cloudinit’ is done, and the resulting image is compressed and made ready for deployment. We’ve kinda stepped through some of the more gory steps here, but if OpenStack is something you work with, this tutorial should be at the top of your “must read” list. 
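Back to the file durability item above: the sequence Chris ends up with (write to a temporary file in the same directory, fsync it, rename over the final name, then fsync the directory so the rename itself is on disk) is short enough to show in full. The C below is an added example written for these notes, not code from either of his posts; the /tmp location, the file name and the ".tmp" suffix are chosen for the self-test. The caveat in his quoted paragraph still applies: this is the correct set of calls, but nothing in the return values tells you whether the disk honoured the flush.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* write(2) may return short; loop until all bytes are out or it fails. */
static int write_all(int fd, const char *p, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Durably replace dir/name with buf[0..len). Returns 0 on success, -1 on
 * failure with errno set; on failure the old file (if any) is untouched.
 * The temp name is name + ".tmp" (assumption for the example; a real
 * program would use mkstemp-style random names). */
int durable_write(const char *dir, const char *name, const void *buf, size_t len)
{
    char tmp[256];
    int dfd, fd = -1, rc, saved;

    if (snprintf(tmp, sizeof tmp, "%s.tmp", name) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if ((dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    /* 1. New content goes to a temp file in the same directory, so the
     *    rename below is a same-filesystem atomic replace. */
    if ((fd = openat(dfd, tmp, O_WRONLY | O_CREAT | O_EXCL, 0644)) < 0)
        goto fail;
    if (write_all(fd, buf, len) < 0)
        goto fail;
    /* 2. fsync the file: data and inode reach stable storage. Most code
     *    stops here, which is exactly the gap the post describes. */
    if (fsync(fd) < 0)
        goto fail;
    rc = close(fd);
    fd = -1;
    if (rc < 0)
        goto fail;
    /* 3. Publish atomically: a reader or a crash sees the whole old file
     *    or the whole new one, never a torn write. */
    if (renameat(dfd, tmp, dfd, name) < 0)
        goto fail;
    /* 4. fsync the directory so the new directory entry is on disk too.
     *    Without this, on ext4 and others, a fully fsynced file can be
     *    missing after a crash because its name was never flushed. */
    if (fsync(dfd) < 0)
        goto fail;
    close(dfd);
    return 0;
fail:
    saved = errno;
    if (fd >= 0)
        close(fd);
    unlinkat(dfd, tmp, 0);  /* best effort: drop the temp file if it exists */
    close(dfd);
    errno = saved;
    return -1;
}

/* Writes a constructed "comment" twice (create, then replace), reads it
 * back and cleans up. Returns 1 if the content survived, 0 otherwise. */
int durable_write_selftest(void)
{
    const char *dir = "/tmp";                    /* constructed for the example */
    const char *name = "bsdnow_durable_demo.txt";
    const char msg[] = "comment body, second version";
    char path[512], back[64];
    int fd;
    ssize_t n;

    if (durable_write(dir, name, "first version", 13) != 0)
        return 0;
    if (durable_write(dir, name, msg, sizeof msg - 1) != 0)
        return 0;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if ((fd = open(path, O_RDONLY)) < 0)
        return 0;
    n = read(fd, back, sizeof back);
    close(fd);
    unlink(path);
    return n == (ssize_t)(sizeof msg - 1) && memcmp(back, msg, (size_t)n) == 0;
}

int main(void)
{
    printf("durable write self-test: %s\n", durable_write_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The rename-over-temp step is also what gives you the ZFS-like property mentioned above (never half old, half new) on filesystems that don't guarantee it for in-place overwrites.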
*** Undeadly and HTTPS (http://undeadly.org/cgi?action=article&sid=20160411201504) Undeadly, the OpenBSD journal, is thinking of moving to HTTPS only In order to do this, they would like some help rewriting part of the site Currently, when you login to post comments, this is done over HTTPS, but to an stunnel instance running a custom script that gives you a cookie, and sends you back to the non-HTTPS site They would like to better integrate the authentication system, and otherwise improve the code for the site There is some pushback as well, questioning whether it makes sense to block users who are unable to use HTTPS for one reason or another I think it makes sense to have the site default to HTTPS, but, maybe HTTPS only doesn’t make sense. There is nothing private on the site, other than the authentication system which is optional, not required to post a comment. There is also some discussion about the code for the site, including the fact that when the code was released, the salt for the password database was included This is not actually a security problem, but the discussion may be interesting to some viewers *** FreeBSD Journal March/April Edition (https://www.freebsdfoundation.org/journal/browser-based-edition/) The next issue of the FreeBSD Journal is here, and this time it is about Teaching with Operating Systems In addition to the usual columns, including: svn update, the ports report, a conference report from FOSDEM, a meetup report from PortsCamp Taipei, A book review of "The Algorithm Design Manual", and the Events Calendar; there are a set of feature articles about teaching Teaching with FreeBSD through Tracing, Analysis, and Experimentation CHERI: Building a foundation for secure, trusted computing bases A brief history of Fast Filesystems There is also an interview with Gleb Smirnoff, a member of the Core team, release engineering, and the deputy security officer, as well as a senior software developer at Netflix Get the latest issue from your 
favourite mobile store, or the “Desktop Edition” directly in your browser from the FreeBSD Foundation’s website *** Interview - Brooks Davis - brooks@FreeBSD.org (mailto:brooks@FreeBSD.org) / @brooksdavis (https://twitter.com/brooksdavis) CHERI and Capabilities *** TrueNAS Three-Peats!!! (https://www.ixsystems.com/blog/truenas-three-peats/) News Roundup UbuntuBSD Is Looking To Become An Official Ubuntu Flavor (http://linux.softpedia.com/blog/ubuntubsd-is-looking-to-become-an-official-ubuntu-flavor-502746.shtml) You may recall a few weeks back that we were a bit surprised by the UbuntuBSD project and its longevity / goals. However the project seems to be pushing forward, with news on softpedia.com that they are now seeking to become an ‘official’ Ubuntu flavor. They’ve already released a fourth beta, so it seems the project currently has some developers pushing it forward: "I would like to contribute all my work to Ubuntu Community and, if you think it is worthy, make ubuntuBSD an official Ubuntu project like Xubuntu or Edubuntu," said Jon Boden. "If you're interested, please let me know how would you like me to proceed." It's Just Bits (http://blog.appliedcompscilab.com/its_just_bits/index.html) We have next an interesting blog post talking about the idea that “It’s just all bits!” The author then takes us down the idea that no matter how old or mysterious the code may be, in the end it is ending up as bits arranged a certain way. Then the article transitions and takes us through the idea that old bits, and bits that have grown too large, should often be good candidates for replacement by “simpler” bits, using OpenBSD as an example. “The OpenBSD community exemplifies this in many ways by taking existing solutions and simplifying them. Processing man pages is as old as Unix, and even in the 21st century OpenBSD has taken the time to rewrite the existing solution to be simpler and safer. It's just bits that need to be turned into other bits. 
Similarly, OpenBSD has introduced doas as an alternative to sudo. While not replacing sudo entirely, doas makes the 99.99% case of what people use sudo for easier and safer. They are just bits that need to be authenticated. “ All in all, a good read, and it reinforces the point that nothing is really truly “finished”. As computing advances and new technologies / practices are made available, sometimes it makes a lot of sense to go back and re-write things in order to simplify the complexity that has snuck in over time. *** Disk IO limiting is coming to FreeBSD (https://lists.freebsd.org/pipermail/svn-src-head/2016-April/084288.html) A much requested feature for both Jails and VM’s on FreeBSD has just landed with experimental support in -HEAD, Disk IO limiting! The Commit message states as follows: “Add four new RCTL resources - readbps, readiops, writebps and writeiops, for limiting disk (actually filesystem) IO. Note that in some cases these limits are not quite precise. It's ok, as long as it's within some reasonable bounds. Testing - and review of the code, in particular the VFS and VM parts - is very welcome.” Well, what are you waiting for? This is a fantastic new feature which I’m sure will get incorporated into other tools for controlling jails and VM’s down the road. If you give it a spin, be sure to report back bugs so they can get quashed in time for 11. 
*** BeastieBits PC-BSD 10.3 Is the Last in the Series, PC-BSD 11.0 Arrives Later This Year (http://news.softpedia.com/news/pc-bsd-10-3-is-the-last-in-the-series-pc-bsd-11-0-arrives-later-this-year-502570.shtml) ASLR now on by default in NetBSD amd64 (http://mail-index.netbsd.org/source-changes/2016/04/10/msg073939.html) Daniel Bilik's fix for hangs on Baytrail (http://lists.dragonflybsd.org/pipermail/users/2016-April/228682.html) Don’t forget about PGCon 2016 (http://www.pgcon.org/2016/) Get your paper in for EuroBSDCon 2016, deadline is May 8th (https://2016.eurobsdcon.org/call-for-papers/) Feedback/Questions John - Destroy all Dataset (http://pastebin.com/QdGWn0TW) Thomas - Misc Questions (http://pastebin.com/43YkwBjP) Ben - ZFS Copy (http://pastebin.com/gdi3pswe) Bryson - SysV IPC (http://pastebin.com/E9n938D1) Drin - IPSEC (http://pastebin.com/bgGTmbDG) ***
138: Rushing into BSD
This week on the show, we will be talking to Benedict Reuschling about his role with the FreeBSD Foundation and the journey that took him This episode was brought to you by Headlines HardenedBSD introduces full PIE support (https://hardenedbsd.org/article/shawn-webb/2016-04-15/introducing-full-pie-support) PIE base for amd64 and i386. Only nine applications are not compiled as PIEs. Tested PIE base on several amd64 systems, both virtualized and bare metal. It is hoped to be enabled for ARM64 before or during BSDCan. (If you want to check a binary yourself, readelf -h reports Type: DYN for a PIE and Type: EXEC for a fixed-address executable; PIE only pays off when the kernel also applies ASLR to it.) Shawn will be bringing ten Raspberry Pi 3 devices (which are ARM64) to BSDCan, eight of which will be given out to lucky individuals. “We want the BSD community to hack on them and get ARM64/Aarch64 fully functional on them.” *** Lessons learned from 30 years of MINIX (http://m.cacm.acm.org/magazines/2016/3/198874-lessons-learned-from-30-years-of-minix/fulltext) Eat your own dog food. By not relying on idiosyncratic features of the hardware, one makes porting to new platforms much easier. The Internet is like an elephant; it never forgets. When standards exist (such as ANSI Standard C) stick to them. Even after you have adopted a strategy, you should nevertheless reexamine it from time to time. Keep focused on your real goal. Einstein was right: things should be as simple as possible, but not simpler. *** pfSense 2.3 released (https://blog.pfsense.org/?p=2008) Rewrite of the webGUI utilizing Bootstrap. TLS v1.0 disabled for the GUI. Moved to a FreeBSD 10.3-RELEASE base. PHP upgraded to 5.6. The "Full Backup" feature has been deprecated. Closed 760 total tickets, of which 137 are fixed bugs. Known regressions: OpenVPN topology change; IP aliases with a CARP IP parent lose their parent interface association post-upgrade; IPsec IPComp does not work; IGMP Proxy does not work with VLAN interfaces. 
- Many other updates and changes
***
OPNsense 16.1.10 released (https://opnsense.org/opnsense-16-1-10-released/)
- openvpn: revive windows installer binaries
- system: improved config history and backup pages layout
- system: increased backup count default from 30 to 60
- system: /var /tmp MFS awareness for crash dumps added
- trust: add “IP security IKE intermediate” to server key usage
- firmware: moved reboot, halt and defaults pages to new home
- languages: updates to Russian, French, German and Japanese
- Many other updates and changes
***
Interview - Benedict Reuschling - bcr@freebsd.org (mailto:bcr@freebsd.org)
FreeBSD Foundation in Europe
***
News Roundup
Write opinionated workarounds (http://www.daemonology.net/blog/2016-04-11-write-opinionated-workarounds.html)
- Colin Percival has written a great blog post this past week, specifically about his policy of writing “opinionated workarounds”.
- The idea came about from his work on multi-platform software and the frustration of dealing with POSIX violations.
- The crux of the post is how he deals with these workarounds: by applying them only on the particular system that requires them, and doing so loudly.
- This has two important benefits. First, it doesn’t expose other systems to bugs or security flaws when a workaround doesn’t “work” on a system it wasn’t designed for. Second, it is important to complain, loudly: this lets the user know they are running on a system that doesn’t adhere to POSIX, and may even get the attention of a developer who could remedy the situation.
***
Privilege escalation in calendar(1) (http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-003.txt.asc)
- File this one under “Ouch, that hurts”: a new security vulnerability has been posted, this time against NetBSD’s calendar(1) command.
- Specifically, some of the daily scripts use the ‘-a’ flag, which requires super-user privileges in order to process all users’ calendar files and mail the results. The bug occurred because the calendar command didn’t drop privileges properly before executing external commands (whoops!).
- To work around it you can set run_calendar=NO in daily.conf, or apply the fix from upstream.
***
PGCon 2016 (http://www.pgcon.org/2016/)
- PGCon 2016 is now only 4 weeks away
- The conference will be held at the University of Ottawa (same venue as BSDCan) from May 17th to 20th
- Tutorials: 17-18 May 2016 (Tue & Wed)
- Talks: 19-20 May 2016 (Thu-Fri)
- Wednesday is a developer unconference. Saturday is a user unconference.
- “PGCon is an annual conference for users and developers of PostgreSQL, a leading relational database, which just happens to be open source. PGCon is the place to meet, discuss, build relationships, learn valuable insights, and generally chat about the work you are doing with PostgreSQL. If you want to learn why so many people are moving to PostgreSQL, PGCon will be the place to find out why. Whether you are a casual user or you've been working with PostgreSQL for years, PGCon will have something for you.”
- New to PGSQL? Just a user? Long time developer? This conference has something for you.
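Returning to the calendar(1) advisory above: the mistake it describes, a root process running external commands on a user's behalf without first dropping privileges, is worth seeing done right. The following is an added example written for these notes, not NetBSD's calendar(1) source or the advisory's patch. It assumes a generic POSIX system with /bin/sh; the function names (drop_privs, can_regain_root, run_shell_as_user) are this example's own.

```c
/* Added example (not NetBSD code): permanently drop privileges before
 * running a command for a user, then prove the drop actually happened. */
#include <sys/types.h>
#include <sys/wait.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: supplementary groups first
 * (only root may change them), then the primary gid, then the uid. Calling
 * setuid() first would make the later setgid() fail with EPERM and leave
 * the process holding root's group. Returns 0 on success, -1 on failure. */
int drop_privs(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Never trust the return values alone: confirm every id changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Returns 1 if the process can still become root (the drop was not
 * permanent, e.g. only the effective id was changed), 0 if it cannot. */
int can_regain_root(void)
{
    return setuid(0) == 0 ? 1 : 0;
}

/* Fork, drop to uid/gid in the child, then run cmd via /bin/sh -c.
 * Returns the command's exit status, or -1 if it could not be run.
 * If the drop fails, the child exits rather than run anything as root. */
int run_shell_as_user(uid_t uid, gid_t gid, const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The regain check only makes sense when the target is not root. */
        if (drop_privs(uid, gid) != 0 || (uid != 0 && can_regain_root()))
            _exit(126);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);   /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Demo on the invoking user's own ids, which works without root;
     * a setuid-root caller would pass each target user's ids instead. */
    int rc = run_shell_as_user(getuid(), getgid(), "id -u");
    printf("child exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The exit code 126 is deliberate: a caller iterating over users (as calendar -a does) can tell "refused to run because privileges were still elevated" apart from the command's own failures.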
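And a worked illustration of the rule from Colin's "opinionated workarounds" post above. This is an added example, not code from his post; the particular wart it targets, glibc's getopt(3) permuting argv and scanning past the first operand contrary to POSIX, is my choice of illustration. The workaround is compiled in only when __GLIBC__ is defined and announces itself on stderr the first time it runs, so every other platform takes the strict POSIX path and the hack cannot mask an unrelated bug there.

```c
/* Added example: a platform-gated, loud workaround for a POSIX deviation. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Parse "-v" options and stop at the first operand, as POSIX specifies.
 * Returns the index of the first non-option argument (or -1 on an unknown
 * option) and sets *verbose. */
int parse_args(int argc, char *const argv[], int *verbose)
{
    const char *optstring = "v";

#if defined(__GLIBC__)
    /* WORKAROUND (glibc only): by default glibc's getopt() reorders argv
     * and keeps scanning after a non-option, which POSIX does not allow.
     * A leading '+' in optstring restores POSIX ordering. Complain once so
     * the user knows their libc needed special handling. */
    static int warned;
    if (!warned) {
        fprintf(stderr, "warning: applying glibc getopt(3) workaround; "
                        "this libc does not follow POSIX option ordering\n");
        warned = 1;
    }
    optstring = "+v";
    optind = 0;   /* glibc extension: full reinitialisation of getopt state */
#else
    optind = 1;   /* strict path; BSDs additionally offer optreset = 1 */
#endif

    *verbose = 0;
    int c;
    while ((c = getopt(argc, argv, optstring)) != -1) {
        if (c == 'v')
            *verbose = 1;
        else
            return -1;
    }
    return optind;
}

/* Helpers for demos/tests: build a constructed argv of up to three
 * arguments (pass NULL to stop early) and run parse_args over it. */
static int build_argv(const char *a, const char *b, const char *c, char **argv)
{
    int argc = 1;
    argv[0] = "prog";
    if (a) argv[argc++] = (char *)a;
    if (a && b) argv[argc++] = (char *)b;
    if (a && b && c) argv[argc++] = (char *)c;
    argv[argc] = NULL;
    return argc;
}

int nonopt_index3(const char *a, const char *b, const char *c)
{
    char *argv[5];
    int verbose;
    int argc = build_argv(a, b, c, argv);
    return parse_args(argc, argv, &verbose);
}

int verbose_flag3(const char *a, const char *b, const char *c)
{
    char *argv[5];
    int verbose;
    int argc = build_argv(a, b, c, argv);
    if (parse_args(argc, argv, &verbose) < 0)
        return -1;
    return verbose;
}

int main(int argc, char *argv[])
{
    int verbose;
    int first = parse_args(argc, argv, &verbose);
    if (first < 0)
        return 2;
    printf("verbose=%d first operand index=%d\n", verbose, first);
    return 0;
}
```

Run as `prog file -v`: on a conforming libc, or on glibc with the workaround, `-v` after the operand is left alone and verbose stays 0; without the '+' glibc would silently reorder and set it. The point is that the non-glibc build never sees the workaround at all.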
- A great lineup of talks (https://www.pgcon.org/2016/schedule/events.en.html), plus unconference days focused on both users and developers
***
CfP EuroBSDCon 2016 (https://2016.eurobsdcon.org/call-for-papers/)
- The call for papers has been issued for EuroBSDCon 2016 in Belgrade, Serbia
- The conference will be held from the 22nd to the 25th of September, 2016
- The deadline for talk submissions is Sunday the 8th of May, 2016
- Submit your talk or tutorial proposal before it is too late
***
Beastie Bits
“FreeBSD Mastery: Advanced ZFS” has officially been released (https://www.michaelwlucas.com/nonfiction/fmaz)
Support of OpenBSD pledge(2) in programming languages (https://gist.github.com/ligurio/f6114bd1df371047dd80ea9b8a55c104)
pkgsrcCon 2016 - Call for Presentations (http://daemonforums.org/showthread.php?t=9781)
Christos Zoulas talks about blacklistd (http://blog.netbsd.org/tnf/entry/talks_about_blacklistd)
Penguicon 2016 Lucas Track Schedule (http://blather.michaelwlucas.com/archives/2617)
Feedback/Questions
Peter - NVME (http://pastebin.com/HiiDpGcT)
Jeremy - Wireless Gear (http://pastebin.com/L5XeVS1H)
Ted - Rpi2 Packages (http://pastebin.com/yrCEnkWt) - Cross Building Wiki (https://wiki.freebsd.org/FreeBSD/arm/crossbuild)
Geoff - Jail Failover (http://pastebin.com/pYFC1vdQ)
Zach - Graphical Bhyve? (http://pastebin.com/WEgN0ZVw)
***
137: FreeNAS Mini XL
This week on BSD Now, I’m out of town for the week, but we have a special unboxing video to share with you that you won’t want to miss. That, plus the latest BSD news, is coming your way right now!
This episode was brought to you by
Headlines
Example of a FreeBSD bug hunting session by a simple user (http://blog.cochard.me/2016/01/example-of-freebsd-bug-hunting-session.html)
- Don’t be fooled, Olivier Cochard-Labbé is a bit more than just a FreeBSD user
- Original founder of the FreeNAS project many years ago, and currently leads the BSD Router Project (designed as a replacement for “big iron” routers like Cisco’s)
- However, he is not a committer on any of the BSD projects, and is mostly focused on networking rather than development, so it is fair to call him a user
- He walks us through a bug hunting session that started when he updated his wireless router: “My wireless-router configuration was complex: it involves routing, wireless in hostap mode, ipfw, snort, bridge, openvpn, etc.”
- Provides helpful advice on writing problem reports for developers, including reproducing your issue with as minimal a setup as possible. This both reduces the amount of setup a developer has to do to recreate your issue, and can often make it more obvious where the problem actually lies
- As you might expect, the more he researched the problem, the more questions he had
- The journey goes through the kernel debugger, learning dtrace, and reading some source code
- In the end the problem seems to be that the bridge interface marks itself as down if none of its member interfaces are in the ‘UP’ state. The wireless interface was in the unknown state (and was actually up), so when the wired interface was disconnected the bridge marked itself as down.
***
How-to Install OpenBSD 5.9 plus XFCE desktop and basic applications (http://ribalinux.blogspot.com/2016/04/how-to-install-openbsd-59-plus-xfce.html)
- Now this is the way to do videos.
- Over at the RibaLinux blogspot site, we have a great video showing how to set up and install OpenBSD 5.9 with XFCE and basic desktop applications.
- Along with the video tutorial, another nicety is the commands-used script, so you can see exactly how the setup was done without having to pause/rewind the video to keep up.
How to install PC-BSD 10.3 (http://ribalinux.blogspot.com/2016/04/how-to-install-pc-bsd-103.html)
- In addition to the OpenBSD 5.9 setup video, they just published a PC-BSD 10.3 installation video as well; check it out!
***
FreeBSD on xhyve tutorial (https://gist.github.com/tanb/f8fefa22332edc7a641d)
- Originally only able to boot Linux, xhyve, a “sort of” port of bhyve to OS X, can now run FreeBSD
- This tutorial makes it much easier, providing a script
- There are a few small command line flag differences from bhyve on FreeBSD
- The tutorial also covers sharing a directory between the guest and the host, resizing and growing the disk for the guest, and converting a QEMU image to be run under xhyve
***
How to Configure SSHguard With IPFW Firewall On FreeBSD (http://www.unixmen.com/configure-sshguard-ipfw-firewall-freebsd)
- It’s been a while, but UNIXMen has dropped another FreeBSD tutorial on us, this time on how to set up IPFW and ‘sshguard’ to protect your system.
- In this tutorial they first lay down the rationale for picking IPFW as the firewall, but the reasons mainly boil down to IPFW being developed primarily on FreeBSD, and as such not lagging behind when it comes to features / support.
- Interestingly enough, they also go the route of adding their own /usr/local/etc/rc.firewall script, which is used to specify TCP/UDP ports to open through IPFW via rc.conf
- Once that setup is complete (which you can just copy-and-paste) they move on to ‘sshguard’ setup. Specifically you’ll need to be sure to install the correct port/pkg, sshguard-ipfw, in order for it to work in this setup, although sshguard-pf and friends are available also.
- The article mentions that the name ‘sshguard’ can be misleading, since it can be used to detect brute force attempts against a number of services.
- From there a bunch of configuration is thrown at you, which will allow you to start making the most of sshguard’s potential. Well worth your read if you are using IPFW, or even PF, and want to get the basics of using sshguard properly.
***
FreeNAS Mini XL Video Unboxing
Beastie Bits
Amazon lists FreeBSD as 'Other Linux' (https://i.imgur.com/NJ7lpso.png)
sbin/hammer: Make hammer commands print root volume path (http://lists.dragonflybsd.org/pipermail/commits/2016-April/459667.html)
sbin/hammer: Print volume list after volume-add|del (http://lists.dragonflybsd.org/pipermail/commits/2016-April/459674.html)
Front cover reveal for the upcoming 'FreeBSD Mastery: Advanced ZFS' book (https://twitter.com/mwlauthor/status/716328414072872960)
If you don’t already have one, get your FreeBSD Pillow (http://linuxpillow.blogspot.com/2016/03/world-backup-day.html)
Feedback/Questions
Daniel - SysVIPC (http://pastebin.com/raw/JBbMj87t)
Shane - OpenToonz (http://pastebin.com/raw/54ngYVEN)
***
136: This is GNN
This week on the show, we will be interviewing GNN of the FreeBSD project to talk about the new TeachBSD initiative. That plus the latest BSD headlines, all coming your way right now!
This episode was brought to you by
Headlines
FreeBSD 10.3-RELEASE Announcement (https://www.freebsd.org/releases/10.3R/announce.html)
- FreeBSD 10.3 has landed, with extended support until April 30, 2018
- This is likely to be the last extended support release. Starting with 11, the new support model will encourage upgrading to the latest minor version by ending support for the previous minor version approximately 2 months after each point release. The major version / stable branch will still be supported for the same 5 year term. This will allow the FreeBSD project to move forward more quickly, while still providing the same level of long term support
- The UEFI boot loader is much improved, and now supports booting root-on-ZFS and the beastie menu
- The beastie menu itself has been updated with support for ZFS Boot Environments
- The CAM Target Layer (CTL) now supports High Availability, allowing the construction of much more advanced storage systems
- The 64-bit Linux emulation layer was backported
- Reroot support was added, allowing the system to boot off a minimal image, such as an mfsroot, and then reload all of userland from a different root file system (such as iSCSI, NFS, etc.)
- The version of xz(1) has been updated to support multi-threaded compression
- sesutil(8) has been introduced, making it easier to manage large storage nodes
- Various ZFS updates
- As usual, a huge number of driver updates are also included
***
How to use OpenBSD with Libreboot: detailed instructions (https://lists.nongnu.org/archive/html/libreboot/2016-04/msg00010.html)
- This tutorial covers installing OpenBSD on a Thinkpad X200 using Libreboot, a replacement for the traditional BIOS/firmware that comes from the manufacturer
- “Since 5.9, OpenBSD supports EFI boot mode, which means that it also has had to support
framebuffer out of the box, so lack of proprietary VGA BIOS blob is no longer a problem and you can boot it with unmodified Libreboot binary release 20150518.”
- “In order to install OpenBSD on such a machine you will need some additional preparations, since regular install59.fs won't work because bsd.rd doesn't have a framebuffer console.”
- A few extra steps are required to get it going, but they are outlined in the post
- This may be very interesting to those who prefer not to depend on binary blobs
***
Linking the FreeBSD base system with lld -- status update (http://lists.llvm.org/pipermail/llvm-dev/2016-March/096449.html)
- The FreeBSD Foundation’s Ed Maste provides an update on the LLVM mailing list about the progress of replacing the GNU linker with lld in the FreeBSD base system
- “I'm pleased to report that I can now build a runnable FreeBSD system using lld as the linker (for buildworld), with a few workarounds and work-in-progress patches. I have not yet extensively tested the result but it is possible to login to the resulting system, and basic sanity tests I've tried are successful. Note that the kernel is still linked with ld.bfd.”
- Outstanding issues:
  - Symbol version support (PR 23231). FreeBSD uses symbol versioning for backwards compatibility
  - Linker script expression support (PR 26731). The FreeBSD kernel linker scripts contain expressions not currently supported by lld
  - Library search paths. GNU ld automatically searches /lib, and lld does not
  - The -N flag makes the text and data sections RW and does not page-align data. It is used by boot loader components.
  - The -dc flag assigns space to common symbols when producing relocatable output (-r). It is used by the /rescue build, which is a single binary assembled from a collection of individual tools (sh, ls, fsck, ...)
  - -Y adds a path to the default library search path. It is used by the lib32 build, which provides i386 builds of the system libraries for compatibility with i386 applications.
- With the ongoing work, it might be possible for FreeBSD 11 to use lld by default, although it might be best to wait to throw that particular switch
***
Your favorite billion user company using BSD just flipped on encryption for all their users -- and it took 15 engineers to do it (http://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/)
- With the help of Moxie Marlinspike’s Open Whisper Systems, WhatsApp has integrated the ‘Signal’ encryption system for all messages, calls, pictures, and videos sent between individuals or groups
- It uses public key cryptography, very similar to GPG, but with automated public key servers
- It also includes a system of QR codes to verify the identity of individuals in person, so you can be sure the person you are talking to is actually the person you met with
- WhatsApp runs their billion user network, using FreeBSD, with only about 50 engineers
- Only 15 of those engineers were needed to work on the project that has now deployed complete end-to-end encryption across the entire network
- The Wired article is very detailed and well worth the read
***
Interview - George Neville-Neil - gnn@freebsd.org (mailto:gnn@freebsd.org) / @gvnn3 (https://twitter.com/gvnn3)
Teaching BSD with Tracing
News Roundup
Faces of FreeBSD 2016: Scott Long (https://www.freebsdfoundation.org/blog/faces-of-freebsd-2016-scott-long/)
- It’s been a while since we’ve had a new entry in the “Faces of FreeBSD” series, but due to popular demand it’s back!
- This installment features developer Scott Long, who currently works at Netflix, previously at Yahoo and Adaptec.
- Scott got a very early start with BSD, first discovering 386BSD 0.1 on an FTP server at Berkeley back in 1992. From there it’s been a journey, following along with FreeBSD since version 1.0 in 1993.
- So what stuff can we blame Scott for? In his own words: I’ve been a source committer since 2000. I got my start by taking over maintainership of the Adaptec ‘aac’ RAID driver.
- From 2002-2006 I was the Release Engineer and was responsible for the 5.x and 6.x releases. Though the early 5.x releases were not great, they were necessary stepping stones to the success of FreeBSD 6.x and beyond. I’m exceptionally proud of my role in helping FreeBSD move forward during that time. I authored and maintained the ‘mfi’ and ‘mps’ storage drivers, the ‘udf’ filesystem driver, and several smaller sound and USB drivers. I’ve maintained, or at least touched, most of the storage device drivers in the system to some extent, and I implemented medium-grained locking on the CAM storage stack. Recently I’ve been working on overall system scalability and performance.
ASCII Flow (http://asciiflow.com/)
- A website that lets you draw and share ASCII diagrams
- Great for network layout maps, rack diagrams, protocol analysis etc.
- Use it in your presentations and slides
- Sample (https://drive.google.com/open?id=0BynxTTJrNUOKeWxCVm1ERExrNkU)
***
System Under Test: FreeBSD (http://lowlevelbits.org/system-under-test-freebsd/)
- Part of a series looking at testing across a number of projects
- Outlines the testing framework of FreeBSD
- Provides a mini-tutorial on how to run the tests
- There are some other tests that are not covered, but this is due to a lack of documentation on the fact that the tests exist and how to run them
- There is much ongoing work in this area
***
Worst April Fools Joke EVER! (http://www.rhyous.com/2016/04/01/microsoft-announces-it-is-acquiring-freebsd-for-300-million/)
- While a bad April Fool’s joke, it also shows some common misconceptions:
- The FreeBSD Foundation does not own the source repository; it is only the caretaker of the trademark and of other things that require a single legal entity
- OpenBSD and NetBSD are not ‘sub brands’ of FreeBSD
- Bash was not ported to Windows; rather, Windows gained a system similar to FreeBSD’s linux_compat
- It would be nice to have ZFS on Windows
***
Beastie Bits
Credit where credit's due...
(https://forums.freebsd.org/threads/55642/)
M:Tier's OpenBSD packages and binpatches updated for 5.9 (https://stable.mtier.org/)
NYC BUG Meeting (2016-04-06) - Debugging with LLVM, John Wolfe (http://www.nycbug.org/index.cgi)
Need to create extremely high traffic loads? kq_sendrecv is worth checking out (http://lists.dragonflybsd.org/pipermail/commits/2016-March/459651.html)
If you're in the Maryland region, CharmBug has a meetup next week (http://www.meetup.com/CharmBUG/events/230048300/)
How to get a desktop on DragonFly (https://www.dragonflybsd.org/docs/how_to_get_to_the_desktop/)
Linux vs BSD Development Models (https://twitter.com/q5sys/status/717509675630084096)
Feedback/Questions
Paulo - ZFS Setup (http://pastebin.com/raw/GrM0jKZK)
Jonathan - Installation (http://pastebin.com/raw/13KCkhMU)
Andrew - Career / School (http://pastebin.com/wsx90L2m)
135: Speciality MWL
This week on the show, we interview author Michael W Lucas to discuss his new book in the FreeBSD
This episode was brought to you by
Headlines
OpenBSD 5.9 Released early (http://undeadly.org/cgi?action=article&sid=20160329181346&mode=expanded)
- Finished ahead of schedule! OpenBSD 5.9 has officially landed
- We’ve been covering some of the ongoing changes as they landed in the tree, but with the official release it’s time to bring you the final list of the new hotness.
- First up: pledge. Over 70% of the userland utilities have been converted to use it, and the best part: you probably didn’t even notice
- UEFI: laptops which are pre-locked down to boot UEFI only can now be installed and used. GPT support has also been greatly improved
- ‘less’ was replaced with a fork from Illumos, and has been further improved
- Xen DomU support: OpenBSD now plays nice in the cloud
- X11: Broadwell and Bay Trail are now supported
- Initial work on making the network stack better support SMP has been added; this is still ongoing, but things are starting to happen
- 802.11n, specifically for the iwn/iwm drivers
- In addition to support for UTF-8, most other locales have been ripped out, leaving only C and UTF-8 standing
- All in all, it sounds like a solid new release with plenty of new goodies to play with. Go grab a copy now!
***
New routing table code (ART) enabled in -current (http://undeadly.org/cgi?action=article&sid=20160324093944)
- While OpenBSD 5.9 just landed, we also have some interesting work landing right now in -CURRENT. Specifically, the new routing table code (ART) has landed:
- “I just enabled ART in -current, it will be the default routing table backend in the next snapshots. The plan is to squash the possible regressions with this new routing table backend then when we're confident enough, take its route lookup out of the KERNEL_LOCK(). Yes, this is one of the big steps for our network SMP improvements.
In order to make progress, we need your help to make sure this new backend works well on your setup. So please, go download the next snapshot and report back. If you encounter any routing table regression, please make sure that you cannot reproduce it with your old kernel and include the output of # route -n show for the 2 kernels as well as the dmesg in your report. I know that simple dhclient(8) based setups work with ART, so please do not flood us too much. It's always great to know that things work, but it's also hard to keep focus ;) Thank you very much for your support!”
- There you have it folks! If 5.9 is already too stale for you, time to move over to -CURRENT and give the new routing tables a whirl.
***
fractal cells - FreeBSD-based All-In-One solution for software development startups (https://forums.freebsd.org/threads/55561/)
- Fractal Cells is a suite that transforms a stock FreeBSD installation into an instant “Startup Software Development Platform”
- It integrates ZFS, PostgreSQL, OpenSMTPD, NGINX, OpenVPN, Redmine, Jenkins, Zabbix, Gitlab, and Ansible, all under OpenLDAP common authentication
- The suite is available under the 2-clause BSD license
- Provides all of the tools and infrastructure to build your application, including code review, issue tracking, continuous integration, and monitoring
- An interesting way to make it easier for people to start building new applications and startups on top of FreeBSD
***
LinuxSecrets publishes guide on installing FreeBSD ezJail (http://www.linuxsecrets.com/blog/51freebsd/2016/02/29/1726-installing)
- Covers all of the steps of setting up ezjail on FreeBSD
- Includes the instructions for updating the version of the OS in the jail
- In a number of places the tutorial uses:
    cat << EOF >> /etc/rc.conf
    setting="value"
    EOF
  Instead, use:
    sysrc setting="value"
  It is safer (it replaces an existing setting instead of appending a duplicate), and easier to type
- When you create the jail, if you specify an IP address, it is expected that this IP address is already set up on the host machine
- If instead
you specify ‘em0|192.168.1.105’ (where em0 is your network interface), the IP address will be added as an alias when the jail starts, and removed from the host when the jail is stopped
- You can also comma-separate a list of addresses to have multiple IPs (possibly on different interfaces) in the jail
- Although recently posted, this appears to be an update to a previous tutorial, as there are a few old references that have not been updated (pkg_add, rc.d/ezjail.sh), while the start of the article clearly covers pkg(8)
***
Interview - Michael W. Lucas - mwlucas@michaelwlucas.com (mailto:mwlucas@michaelwlucas.com) / @mwlauthor (https://twitter.com/mwlauthor)
- New Book: “FreeBSD Mastery: Specialty Filesystems”
News Roundup
NetBSD on Dreamcast (https://github.com/fwbug/dreamcast-slides)
- Ahh, the Dreamcast: so much promise, so much potential. If you are still holding onto your beloved Dreamcast hoping that someday Sega will re-enter the console market... then give it up now!
- In the meantime, you can do something more interesting with that box taking up space in the closet. We have a link to a GitHub repo where a user has uploaded his curses-based slide-show for the upcoming Fort Wayne, Indiana meetup.
- Aside from the novelty of using a curses-based slide setup, the presenter will also be displaying them from his beloved Dreamcast, which “of course” runs NetBSD 7
- The slide source code is available, which you too can view / compile, and find out the details of getting NetBSD bootstrapped on the DC.
***
OPNsense 16.1.7 Released (https://opnsense.org/opnsense-16-1-7-released/)
- captive portal: add session timeout to status info
- firewall: fix non-report of errors when filter reload errors couldn’t be parsed
- proxy: adjust category visibility as not all of them were shown before
- firmware: fix an overzealous upgrade run when the package tool only changes options
- firmware: fixed the binary upgrade path from 15.7.x in FreeBSD’s package tool
- system: removed NTP settings from general settings
- access: let only root access status.php as it leaks too much info
- development: remove the automount features
- development: addition of “opnsense-stable” package on our way to nightly builds
- development: opnsense-update can now install locally available base and kernel sets
***
“FreeBSD Mastery: Advanced ZFS” in tech review (http://blather.michaelwlucas.com/archives/2570)
- Most of the tech review is finished
- It was very interesting to hear from many ZFS experts that they learned something from reading the review copy of the book; I was not expecting this
- Many minor corrections and clarifications have been integrated
- The book is now being copy edited
***
Why OpenBSD? (http://www.cambus.net/why-openbsd/)
- Frederic Cambus gives us a nice perspective piece on what his particular reasons are for choosing OpenBSD.
- Frederic is no stranger to UNIX-like systems, having used them for 20 years now. In particular, he started on Slackware back in ’96 and moved to FreeBSD from 2000-2005 (around the 4.x series)
- His adventure into OpenBSD began sometime after 2005 (specific time unknown), and a bunch of things left a very good impression on him throughout the years.
- First was the ease of installation, with its very minimalistic layout, which was one of the fastest installs he had ever done.
- Second was the extensive documentation, which extends beyond just manpages into other forms of documentation, such as presentations and papers.
- He makes the point about an “ecosystem of quality” that surrounds OpenBSD: “OpenBSD is an ecosystem of quality. This is the result of a culture of code auditing, reviewing, and a rigorous development process where each commit hitting the tree must be approved by other developers. It has a slower evolution pace and a more carefully planned development model which leads to better code quality overall. Its well deserved reputation of being an ultra secure operating system is the byproduct of a no compromise attitude valuing simplicity, correctness, and most importantly proactivity. OpenBSD also deletes code, a lot of code. Everyone should know that removing code and keeping the codebase modern is probably as important as adding new one. Quoting Saint-Exupery: "It seems that perfection is attained not when there is nothing more to add, but when there is nothing more to remove".”
- The article then covers security mechanisms, as well as the defaults, which are tuned specifically with an eye towards security.
- All in all, a good perspective piece about the reasons why OpenBSD is the right choice for Frederic; worth your time if you want to learn more about OpenBSD’s differences.
***
BeastieBits
Call for 2016Q1 quarterly status reports (https://docs.freebsd.org/cgi/getmsg.cgi?fetch=9011+0+current/freebsd-hackers)
“FreeBSD Mastery: Advanced ZFS” sponsorships ending soon (http://blather.michaelwlucas.com/archives/2593)
Shawn Webb from HardenedBSD talking about giving away RPi3’s at BSDCan and hacking on them to get FreeBSD working (https://docs.freebsd.org/cgi/getmsg.cgi?fetch=250105+0+archive/2016/freebsd-arm/20160306.freebsd-arm)
xterm(1) now UTF-8 by default (http://undeadly.org/cgi?action=article&sid=20160308204011)
Call For Artists: New Icon Theme (https://blog.pcbsd.org/2016/03/call-for-artists-new-icon-theme/)
Happy 23rd Birthday, src!
(http://blog.netbsd.org/tnf/entry/happy_23rd_birthday_src)
Feedback/Questions
Alison - Readahead and Wayland (http://slexy.org/view/s2oqRuXCYW)
Kenny - Gear (http://slexy.org/view/s2sQ8MxNPh)
Ben - IPFW2/3 (http://slexy.org/view/s20SRvXPZA)
Brad - ZFS Writeback (http://slexy.org/view/s207mV2Ph1)
Simon - BSD Toonz (http://slexy.org/view/s202loSWdf)
***
134: Marking up the Ports tree
This week on the show, Allan and I have gotten a bit more sleep since AsiaBSDCon, which is excellent since there is a LOT of news to cover. That plus our interview with Ports SecTeam member Mark Felder. So keep it
This episode was brought to you by
Headlines
FreeNAS 9.10 Released (http://lists.freenas.org/pipermail/freenas-announce/2016-March/000028.html)
- OS: The base OS version for FreeNAS 9.10 is now FreeBSD 10.3-RC3, bringing in a huge number of OS-related bug fixes, performance improvements and new features.
- Directory Services: You can now connect to large AD domains with cache disabled.
- Reporting: Add the ability to send collectd data to a remote graphite server.
- Hardware Support: Added support for Intel I219-V & I219-LM Gigabit Ethernet chipsets; added support for the Intel Skylake architecture; improved support for USB devices (like network adapters); USB 3.0 devices now supported.
- Filesharing: Samba (SMB filesharing) updated from version 4.1 to 4.3.4; added GUI feature to allow nfsv3-like ownership when using nfsv4; various bug fixes related to FreeBSD 10.
- Ports: FreeBSD ports updated to follow the FreeBSD 2016Q1 branch.
- Jails: FreeBSD jails now default to a FreeBSD 10.3-RC2 based template. Old jails, or systems on which jails have been installed, will still default to the previous FreeBSD 9.3 based template. Only those machines using jails for the first time (or deleting and recreating their jails dataset) will use the new template.
- bhyve: In the upcoming 10 release, the CLI will offer full support for managing virtual machines and containers. Until then, the iohyve command is bundled as a stop-gap solution to provide basic VM management support.
***
Ubuntu BSD's first Beta Release (https://sourceforge.net/projects/ubuntubsd/)
- Under the category of “Where did this come from?”, we have a first beta release of Ubuntu BSD. Specifically it is Ubuntu, respun to use the FreeBSD kernel and ZFS natively.
- From looking at the minimal information up on SourceForge, we gather that it has a nice text-based installer, which supports ZFS configuration and iSCSI volume creation. Aside from that, it includes the XFCE desktop out of the box, but claims to be suitable for both desktops and servers alike right now.
- We will keep an eye on this; if anybody listening has already tested it out, drop us a line with your thoughts on how this mash-up works out.
***
FreeBSD - a lesson in poor defaults (http://vez.mrsk.me/freebsd-defaults.txt)
- Former BSD Now producer, and now OpenBSD developer, TJ writes a post detailing the defaults he changes in a fresh FreeBSD installation
- Maybe some of these should be the defaults
- While others are definitely a personal preference, or are not as security related as they seem
- A few of these are valid criticisms, but some are done for a reason
- Specifically, the OpenSSH changes. So, you’re a user, you install FreeBSD 10.0, and it comes with OpenSSH version X, which has some specific defaults
- As guaranteed by the FreeBSD Project, you will have a nice smooth upgrade path to any version in the 10.x branch
- Just because OpenSSH has released version Y doesn’t mean that the upgrade can suddenly remove support for DSA keys, or re-adding support for AES-CBC (which is not really weak, and which can be hardware accelerated, unlike most of the replacements)
- “FreeBSD is the team trying to increase the risk.” is incorrect; they are trying to reduce the impact on the end user
- Specifically, a user upgrading from 10.x to 10.3 should not end up locked out of their SSH server, or otherwise confronted by unexpected errors or slowdowns because of upstream changes
- I will note again (and again) that the NONE cipher can NOT allow a user to “shoot themselves in the foot”: encryption is still used during the login phase, it is just disabled for the file transfer phase. The NONE cipher will refuse to work for an interactive session.
While the post states that the NONE cipher doesn’t improve performance that much, it in fact does. In my own testing: chacha20-poly1305 1.3 gbps, aes128-gcm (fastest) 5.0 gbps, NONE cipher 6.3 gbps. That means that the NONE cipher is an hour faster to transfer 10 TB over the LAN.
The article suggests just removing sendmail with no replacement. Not sure how they expect users to deliver mail, or the daily/weekly reports.
Ports can be compiled as a regular user. Only the install phase requires root.
For ntpd, it is not clear that there is an acceptable replacement yet, but I will note that it is off by default.
In the sysctl section, I am not sure I see how enabling tcp blackhole actually increases security at all.
I am not sure that linking to every security advisory in OpenSSL since 2001 is actually useful.
Encrypted swap is an option in bsdinstall now, but I am not sure it is really that important.
FreeBSD now uses the Fortuna PRNG, upgraded to replace the older Yarrow, not vanilla RC4.
“The resistance from the security team to phase out legacy options makes me wonder if they should be called a compatibility team instead.” I do not think this is the choice of the security team; it is the ABI guarantee that the project makes. The stable/10 branch will always have the same ABI, and a program or driver compiled against it will work with any version on that branch. The security team doesn’t really have a choice in the matter.
Switching the version of OpenSSL used in FreeBSD 9.x would likely break a large number of applications the user has installed.
Something may need to be done differently, since it doesn’t look like any version of OpenSSL (or OpenSSH) will be supported for 5 years ever again.
***
ZFS Raidz Performance, Capacity and Integrity (https://calomel.org/zfs_raid_speed_capacity.html)
An updated version of an article comparing the performance of various ZFS vdev configurations.
The settings used in the test may not reflect your workload. If you are benchmarking ZFS, consider using multiple files across different datasets, and not making all of the writes synchronous. Also, it is advisable to run more than 3 runs of each test.
Comparing the numbers from the 12 and 24 disk tests, it is surprising to see that the 12 mirror sets did not outperform the other configurations. In the 12 drive tests, the 6 mirror sets had about the same read performance as the other configurations; it is not clear why the performance with more disks is worse, or why it is no longer in line with the other configurations. More investigation of this would be required.
There are obviously some other bottlenecks, as 5x SSDs in RAID-Z1 performed the same as 17x SSDs in RAID-Z1.
Interesting results nonetheless.
***
iXsystems FreeNAS Mini Review (http://www.nasanda.com/2016/03/ixsystems-freenas-mini-nas-device-reviewed/)
Interview - Mark Felder - feld@freebsd.org (mailto:feld@freebsd.org) / @feldpos (https://twitter.com/feldpos)
Ports, Ports and more Ports
DigitalOcean
Digital Ocean's guide to setting up an OpenVPN server (https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1)
News Roundup
AsiaBSDCon OpenBSD Papers (http://undeadly.org/cgi?action=article&sid=20160316153158&mode=flat&count=0)
Undeadly.org has compiled a handy list of the various OpenBSD talks / papers that were offered a few weeks ago at AsiaBSDCon 2016.
Antoine Jacoutot (ajacoutot@) - OpenBSD rc.d(8) (slides | paper)
Henning Brauer (henning@) - Running an ISP on OpenBSD (slides)
Mike Belopuhov (mikeb@) - Implementation of Xen PVHVM drivers in OpenBSD (slides | paper)
Mike Belopuhov (mikeb@) - OpenBSD project status update (slides)
Mike Larkin (mlarkin@) - OpenBSD vmm Update (slides)
Reyk Floeter (reyk@) - OpenBSD vmd Update (slides)
Each talk provides slides, and some the papers as well. Also included is the update to ‘vmm’ discussed at bhyvecon, which will be of interest to virtualization enthusiasts.
***
Bitcoin Devs could learn a lot from BSD (http://bitcoinist.net/bitcoin-devs-could-learn-a-lot-from-bsd/)
An interesting article this week, comparing two projects that at first glance may not be entirely related, namely Bitcoin and BSD. The article first details some of the woes currently plaguing the Bitcoin development community, such as toxic community feedback to changes and stakeholders with vested financial interests being unable to work towards a common development purpose. This leads into the crux of the article, about what Bitcoin devs could learn from BSD:
First and foremost, the way code is developed needs change to stop the current negative trend in Bitcoin. The FreeBSD project has a rigid internal hierarchy of people with write access to their codebase, which the various Bitcoin implementations also have, but BSD does this in a way that is very open to fresh eyes on their code, allowing parallel problem solving without the petty infighting we see in Bitcoin. Anyone can propose a commit publicly to the code, make it publicly available, and democratically decide which change ends up in the codebase. FreeBSD has a tiny number of core developers compared to the size of their codebase, but at any point, they have a huge community advancing their project without hard forks popping up at every small disagreement.
Brian Armstrong commented recently on this flaw with Bitcoin development, particularly with the Core Devs:
“Being high IQ is not enough for a team to succeed. You need to make reasonable tradeoffs, collaborate, be welcoming, communicate, and be easy to work with. Any team that doesn’t have this will be unable to attract top talent and will struggle long term. In my opinion, perhaps the biggest risk in Bitcoin right now is, ironically, one of the things which has helped it the most in the past: the Bitcoin Core developers.”
A good summary of the culture that could be adopted is summed up as follows:
The other thing Bitcoin devs could learn from is the BSD community’s adoption of the Unix Design philosophy. Primarily “Worse is Better,” the Rule of Diversity, and Do One Thing and Do It Well. “Worse is Better” emphasizes using extant functional solutions rather than making more complex ones, even if they would be more robust. The Rule of Diversity stresses flexibility of the program being developed, allowing for modification and different implementations without breaking. Do One Thing and Do It Well is a mantra of the BSD and Unix communities that stresses modularity and progress over “perfect” solutions. Each of these elements helps to make BSD a wildly successful open source project with a healthy development community and lots of inter-cooperation between the different BSD systems. While this is the opposite of what we see with Bitcoin at present, the situation is salvageable provided changes like this are made, especially by Core Developers.
All in all, a well written and interesting take on the FreeBSD/BSD project. We hope the Bitcoin devs can take something useful from it down the road.
***
FreeBSD cross-compiling with gcc and poudriere (http://ben.eficium.net/2016/03/freebsd-cross-compiling-with-gcc.html)
Cross-compiling, always a challenge, has gotten easier using poudriere and qemu in recent years.
However this blog post details some of the particular issues still being faced when trying to compile certain ports for ARM (i.e. rPi) that don’t play nicely with FreeBSD’s default Clang compiler. The writer (Ben Slack) takes us through some of the work-arounds he uses to build some troublesome ports, namely lsof and libatomic_ops.
Note this is not just an issue with cross compiling; the above mentioned ports also don’t build with clang on the Pi directly.
After doing the initial poudriere/qemu cross-compile setup, he then shows us the minor tweaks to adjust which compiler builds specific ports, and how he triggers the builds using poudriere.
With the actual Makefile adjustment being so minor, one wonders if this shouldn’t just be committed upstream, with some if (ARM) - USE_GCC=yes type conditional.
***
Nvidia releases new Beta graphics driver for FreeBSD (https://devtalk.nvidia.com/default/topic/925607/unix-graphics-announcements-and-news/linux-solaris-and-freebsd-driver-364-12-beta-/)
Added support for the following GPUs: GeForce 920MX & GeForce 930MX
Added support for the Vulkan API version 1.0.
Fixed a bug that could cause incorrect frame rate reporting on Quadro Sync configurations with multiple GPUs.
Added a new RandR property, CscMatrix, which specifies a 3x4 color-space conversion matrix.
Improved handling of the X gamma ramp on GF119 and newer GPUs. On these GPUs, the RandR gamma ramp is always 1024 entries and now applies to the cursor and VDPAU or workstation overlays in addition to the X root window.
Fixes for bugs and added several other EGL extensions.
***
Beastie Bits
New TN BUG started (http://knoxbug.org/)
DragonFlyBSD Network/TCP Performance gets a bump (http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/4a43469a10cef8c17553c342aab9d73611ea7bc8?utm_source=anzwix)
FreeBSD Foundation introduces a new website and logo (https://www.freebsdfoundation.org/blog/introducing-a-new-look-for-the-foundation/)
Our producer made these based on the new logo:
http://q5sys.sh/2016/03/a-new-freebsd-foundation-logo-means-its-time-for-some-new-wallpapers/
http://q5sys.sh/2016/03/pc-bsd-and-lumina-desktop-wallpapers/
https://github.com/pcbsd/lumina/commit/60314f46247b7ad6e877af503b3814b0be170da8
IPv6 errata for 5.7/5.8, pledge errata for 5.9 (http://undeadly.org/cgi?action=article&sid=20160316190937&mode=flat)
Sponsoring “PAM Mastery” (http://blather.michaelwlucas.com/archives/2577)
A visualization of FreeBSD commits on GitHub for 2015 (https://rocketgraph.com/s/v89jBkKN4e-)
The VAX platform is no more (http://undeadly.org/cgi?action=article&sid=20160309192510)
Feedback/Questions
Hunter - Utils for Blind (http://slexy.org/view/s20KPYDOsq)
Chris - ZFS Quotas (http://slexy.org/view/s2EHdI3z3L)
Anonymous - Tun, Tap and Me! (http://slexy.org/view/s21Nx1VSiU)
Andrew - Navigating the BSDs (http://slexy.org/view/s2ZKK2DZTL)
Brent - Wifi on BSD (http://slexy.org/view/s20duO29mN)
***
133: The Tokyo Debrief
This week on BSDNow, Allan and I are back from AsiaBSDCon and we have an interview with Brad Davis about the new “Packaging Base” call-for-testing. We’ll be sharing our thoughts and stories on how the week
This episode was brought to you by

Headlines

AsiaBSDCon 2016 - Wrap-up
FreeBSD gets Haswell graphics support in time for 11.0-RELEASE (https://svnweb.freebsd.org/changeset/base/296548)
The moment that many have been waiting for has finally arrived: support for Haswell graphics has been committed to FreeBSD -CURRENT.
This brings the DRM/i915 code up to date with Linux kernel 3.8.13. Work has already started on updating to Linux kernel 3.9. It is hoped that subsequent updates will be much easier, and much faster.
It does not appear to require setting the i915.preliminary_hw_support loader tunable.
***
OpenBSD vmm/vmd Update (http://bhyvecon.org/bhyvecon2016-Mike.pdf)
For the third year running, bhyvecon was held last week, during the lead up to AsiaBSDCon. Bhyvecon has expanded, and now covers all virtualization on BSDs. There were presentations on bhyve, Xen Dom0 on FreeBSD, Xen DomU for OpenBSD, and OpenBSD’s vmm.
OpenBSD vmm started at the Brisbane 2015 hackathon in Australia. Work continued through the summer and fall thanks to funding by the OpenBSD Foundation.
The presentation answered some outstanding questions, such as, why not just port bhyve?
Initial focus is OpenBSD on OpenBSD. The loader currently supports FreeBSD and NetBSD as well.
After the initial commits, other developers joined in to help with the work. Reyk reworked the vmd and vmctl commands, to provide a better user interface.
Future plans: Nested VMX, i386 support, AMD SVM support, Filesystem passthru, Live migration (with ZFS like command syntax).
Other developers are working on related projects:
qemu interface: Allow qemu to be accelerated by the vmm backend, while providing emulated hardware, for legacy systems.
KVM interface: Make vmm look like KVM, so existing tools like openstack “just work”.
***
Interview - Brad Davis - brd@freebsd.org (mailto:brd@freebsd.org) / @so14k (https://twitter.com/so14k)
Packaging Base
News Roundup
Packaging the base system with pkg(8) (https://lists.freebsd.org/pipermail/freebsd-pkgbase/2016-March/000032.html)
The official call for testing for FreeBSD’s pkg(8)’d base is out.
Users are requested to check out the release-pkg branch, and build it as normal (buildworld, buildkernel).
Instead of installworld, run: make packages. This will produce a pkg repo in the /usr/obj directory.
The post to the mailing list includes an example pkg repo config file to point to those packages.
Run: pkg update -r FreeBSD-base. This will read the metadata from the new repository.
Then run: pkg install -g 'FreeBSD-*'. This will find all packages that start with ‘FreeBSD-’ and install them.
In the future, there will be meta packages, so you can just install FreeBSD-base and it will pull in the other packages as dependencies.
Currently, there are a large number of packages (over 700), because each shared library is packaged separately, and almost all optional features are in a separate package. The number of packages is also increased because there are separate -debug, -profiling, etc. versions of each package.
New features are being added to pkg(8) to mark important system components, like libc, as ‘vital’, so they cannot be deleted accidentally. However, in the case of using pkg(8)’d base to create a jail, the administrator should be able to delete the entire base system. Classic conundrum: “UNIX does not stop you doing something stupid, as that would also stop you doing something clever”.
Work is still ongoing. At AsiaBSDCon, after the interview was recorded, bapt@ and brd@ had a whiteboarding session and have come up with how they expect to handle the kernel package, to ensure there is a /boot/kernel.old for you to fall back to in case the newly installed kernel does not work correctly.
***
FreeBSD 10.3-RC2 Now Available (https://lists.freebsd.org/pipermail/freebsd-stable/2016-March/084384.html)
The second release candidate for FreeBSD 10.3 is now available for testing. Notable changes include:
Import an upstream fix for ‘zfs send -i’ to avoid data corruption in specific instances.
Boot loaders and kernel have been taught to handle ELF sections of type SHT_AMD64_UNWIND. This does not really apply to FreeBSD 10.3, but is required for 11.0, so it will make upgrades easier.
Various mkdb commands (for /etc/services, /etc/login.conf, etc.) now use fsync() instead of opening the files with O_SYNC, greatly increasing the speed of the database generation.
From the earlier BETA3, the VFS improvements that were causing ZFS hangs, and the new ‘tryforward’ routing code, have been reverted. Work is ongoing to fix these issues for FreeBSD 11.0.
There are two open issues: a fix for OpenSSH CVE-2016-3115 has not been included yet, and the re-addition of AES-CBC ciphers to the default server proposal list.
AES-CBC was removed as part of the update to OpenSSH version 7.1p2, but the plan is to re-add it, specifically for lightweight clients who rely on hardware crypto offload to have acceptable SSH performance.
Please go out and test.
***
OPNsense 16.1.6 released (https://forum.opnsense.org/index.php?topic=2378.0)
A new point-release of OPNsense has dropped, and apart from the usual security updates, some new features have been included:
firmware: bootstrap utility can now directly install e.g. the development version
dhcp: all GUI pages have been reworked for a polished look and feel
proxy: added category-based remote file support if compressed file contains multiple files
proxy: added ICAP support (contributed by Fabian Franz)
proxy: hook up the transparent FTP proxy
proxy: add intercept on IPv6 for FTP and HTTP proxy options
logging: syslog facilities, like services, are now fully pluggable
vpn: stripped an invalid PPTP server configuration from the standard configuration
vpn: converted to pluggable syslog, menu and ACL
dyndns: all GUI pages have been reworked for a polished look and feel
dyndns: widget now shows IPv6 entries too
dns forwarder: all GUI pages have been reworked for a polished look and feel
dns resolver: all GUI pages have been reworked for a polished look and feel
dns resolver: rewrote the dhcp lease registration hooks
dns resolver: allow parallel operation on non-standard port when dns forwarder is running as well
firewall: hide outbound nat rule input for "interface address" option and toggle bitmask correctly
interfaces: fix problem when VLAN tags weren't generated properly
interfaces: improve interface capability reconfigure
ipsec: fix service restart behaviour from GUI
captive portal: add missing chain in certificate generation
configd: improve recovery and reload behaviour
load balancer: reordered menu entries for clarity
ntp: reordered menu entries for clarity
traffic shaper: fix mismatch for direction + dual interfaces setup
languages: updated German and French
***
Call for testing - ASLR patch (https://lists.freebsd.org/pipermail/freebsd-arch/2016-March/017719.html)
A patch that provides a first pass implementation of basic ASLR (Address Space Layout Randomization) for FreeBSD has been posted to the mailing list.
“Stack gap, W^X, shared page randomization, KASLR and other techniques are explicitly out of scope of this work.”
“ASLR is enabled on per-ABI basis, and currently it is only enabled on native i386 and amd64 (including compat 32bit) ABIs. I expect to test and enable ASLR for armv6 and arm64 as well, later”
“Thanks to Oliver Pinter and Shawn Webb of the HardenedBSD project for pursuing ASLR for FreeBSD. Although this work is not based on theirs, it was inspired by their efforts.”
***
Feedback/Questions
Daniel - OpenZFS (http://slexy.org/view/s20Z81SPq3)
Florian - JBODS (http://slexy.org/view/s2be4zDkG6)
Hunter - SSL on DO (http://slexy.org/view/s2o0MijCFy)
Ben - Backups (http://slexy.org/view/s2fXlOwdU7)
Damian - Bug’in Me! (http://slexy.org/view/s2weBPb8sx)
***
132: Scaling up with BSD
This week, Allan and I are away at AsiaBSDCon! (If you aren’t there, you are missing out). We will be back with a live episode next week. However, we’ve been asked for Allan to tell us about ScaleEngine’s
This episode was brought to you by

Interview - Allan Jude - allanjude@freebsd.org (mailto:allanjude@freebsd.org) / @allanjude (https://twitter.com/allanjude)
Spotlight on ScaleEngine
***
Beastie Bits
NetBSD on an RPi Zero (https://github.com/ebijun/NetBSD/blob/master/dmesg/earmv6hf/RPI0)
DragonFly tips for printing with CUPS (http://lists.dragonflybsd.org/pipermail/users/2016-February/228608.html)
Fighting fraudulent networks using secure connections (SSL) blacklisting with OPNsense. Blocks known-bad certificates as listed at abuse.ch (https://opnsense.org/fighting-fraudulent-networks-using-secure-connections-ssl-with-opnsense/)
Fix for running NetBSD/amd64 7.0 on kvm based virtual machines (https://imil.net/blog/2016/01/29/netbsdamd64-7-0-kvm/)
Michael W. Lucas’s new book, FreeBSD Mastery: Specialty Filesystems is now escaping (http://blather.michaelwlucas.com/archives/2537)
The Penguicon Lucas Tech Track (http://blather.michaelwlucas.com/archives/2534)
FreeBSD based nginx/ffmpeg camera recording and live streaming (http://www.unixmen.com/freebsd-nginx-ffmpeg-camera-recording-and-live-streaming/)
CFT: New Jenkins Builder for FreeNAS / PC-BSD (https://github.com/iXsystems/ixbuild/)
Status Update: PC-BSD’s SysAdm Server (https://github.com/pcbsd/sysadm/)
Status Update: PC-BSD’s SysAdm Client UI (https://github.com/pcbsd/sysadm-ui-qt)
131: BSD behind the chalkboard
This week on the show, we have an interview with Jamie
This episode was brought to you by

Headlines

BSDCan 2016 List of Talks (http://www.bsdcan.org/2016/list-of-talks.txt)
We are all looking forward to BSDCan. Make sure you arrive in time for the Goat BoF, the evening of Tuesday June 7th at the Royal Oak, just up the street from the university residence. There will also be a ZFS BoF during lunch on one of the conference days; be sure to grab your lunch and bring it to the BoF room. Also, don’t forget to get signed up for the various DevSummits taking place at BSDCan.
***
What does Load Average really mean (https://utcc.utoronto.ca/~cks/space/blog/unix/ManyLoadAveragesOfUnix)
Chris Siebenmann, a sysadmin at the University of Toronto, does some comparison of what “Load Average” means on different unix systems, including Solaris/IllumOS, FreeBSD, NetBSD, OpenBSD, and Linux. It seems that no two OSes use the same definition, so comparing load averages across them is impossible.
On FreeBSD, where I/O does not affect load average, you can divide the load average by the number of CPU cores to be able to compare across machines with different core counts.
***
GPL violations related to combining ZFS and Linux (http://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/)
As we mentioned in last week’s episode, Ubuntu was preparing to release their next version with native ZFS support. As expected, the Software Freedom Conservancy has issued a statement detailing the legal argument why they believe this is a violation of the GPL license for the Linux kernel.
It’s a pretty long and complete article, but we wanted to bring you the summary of the whole, and encourage you to read the rest, since it’s good to be knowledgeable about the various open-source projects and their license conditions.
“We are sympathetic to Canonical's frustration in this desire to easily support more features for their users. However, as set out below, we have concluded that their distribution of zfs.ko violates the GPL. We have written this statement to answer, from the point of view of many key Linux copyright holders, the community questions that we've seen on this matter. Specifically, we provide our detailed analysis of the incompatibility between CDDLv1 and GPLv2 — and its potential impact on the trajectory of free software development — below. However, our conclusion is simple: Conservancy and the Linux copyright holders in the GPL Compliance Project for Linux Developers believe that distribution of ZFS binaries is a GPL violation and infringes Linux's copyright. We are also concerned that it may infringe Oracle's copyrights in ZFS. As such, we again ask Oracle to respect community norms against license proliferation and simply relicense its copyrights in ZFS under a GPLv2-compatible license.”
The Software Freedom Law Center’s take on the issue (https://softwarefreedom.org/resources/2016/linux-kernel-cddl.html)
Linux SCSI subsystem Maintainer, James Bottomley, asks “where is the harm” (http://blog.hansenpartnership.com/are-gplv2-and-cddl-incompatible/)
FreeBSD and ZFS (http://freebsdfoundation.blogspot.ca/2016/02/freebsd-and-zfs.html)
***
DragonFly i915 reaches Linux 4.2 (https://www.phoronix.com/scan.php?page=news_item&px=DragonFlyBSD-i915-4.2)
The port of the Intel i915 DRM/KMS Linux driver to DragonFlyBSD has been updated to match Linux kernel 4.2. Various improvements and better support for new hardware are included.
One big difference is that DragonFlyBSD will not require the binary firmware blob that Linux does. François Tigeot explains: "starting from Linux 4.2, a separate firmware blob is required to save and restore the state of display engines in some low-power modes. These low-power modes have been forcibly disabled in the DragonFly version of this driver in order to keep it blob-free."
Obviously this will have some disadvantage, but as those modes were never available on DragonFlyBSD before, users are not likely to miss them.
***
Interview - Jamie McParland - mcparlandj@newberg.k12.or.us (mailto:mcparlandj@newberg.k12.or.us) / @nsdjamie (https://twitter.com/nsdjamie)
FreeBSD behind the chalkboard
***
iXsystems
My New IXSystems Mail Server (https://www.reddit.com/r/LinuxActionShow/comments/48c9nt/my_new_ixsystems_mail_server/)
News Roundup
Installing ELK on FreeBSD, Tutorial Part 1 (https://blog.gufi.org/2016/02/15/elk-first-part/)
Are you an ELK user, or interested in becoming one? If so, Gruppo Utenti has a nice blog post / tutorial on how to get started with it on FreeBSD. Maybe you haven’t heard of ELK, but it’s not the ELK in ports; specifically in this case he is referring to “ElasticSearch/Logstash/Kibana” as a stack.
Getting started is relatively simple; first we install a few ports/packages: textproc/elasticsearch, sysutils/logstash, textproc/kibana43, www/nginx.
After enabling the various services for those (hint: sysrc may be easier), he then takes us through the configuration of ElasticSearch and Logstash. For the most part they are fairly straightforward, but you can always copy and paste his example config files as a template.
Follow up to Installing ELK on FreeBSD (https://blog.gufi.org/2016/02/23/elk-second-part/)
Jumping directly into the next blog entry, he then takes us through the “K” part of ELK, specifically setting up Kibana, and exposing it via nginx publicly. At this point most of the CLI work is finished, and we have a great walkthrough of doing the Kibana configuration via their UI.
We are still awaiting the final entry to the series, where the setup of ElastAlert will be detailed, and we will bring that to your attention when it lands.
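Going back to the load average item above (Chris Siebenmann's post): the following is an added example, not code from his post or from any of the OSes discussed, showing the per-core normalisation trick and why the raw figure is not comparable across systems. The two sample strings are constructed to mimic the shape of FreeBSD's `sysctl vm.loadavg` output and of Linux's /proc/loadavg; the host names and core counts are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples, not captured from real hosts.
# FreeBSD: `sysctl vm.loadavg` prints the three averages inside braces.
FREEBSD_SAMPLE = "vm.loadavg: { 6.08 5.92 1.60 }"
# Linux: /proc/loadavg appends runnable/total task counts and the last PID.
LINUX_SAMPLE = "6.08 5.92 1.60 3/412 23117"

_LOAD_RE = re.compile(r"\d+\.\d+")


def parse_loadavg(text: str) -> List[float]:
    """Return the 1-, 5- and 15-minute averages from either OS's raw text.

    Only the first three decimal numbers are taken, so the trailing
    '3/412 23117' of the Linux format is ignored.
    """
    values = _LOAD_RE.findall(text)
    if len(values) < 3:
        raise ValueError("no load average triple in %r" % text)
    return [float(v) for v in values[:3]]


def per_core(loads: List[float], ncpu: int) -> List[float]:
    """Normalise the averages by core count, as the show notes suggest for FreeBSD."""
    if ncpu < 1:
        raise ValueError("ncpu must be positive")
    return [round(load / ncpu, 3) for load in loads]


def compare_hosts(hosts: Dict[str, Tuple[str, int]]) -> Dict[str, float]:
    """Map host name -> 1-minute load per core, comparable across core counts.

    `hosts` maps a name to (raw loadavg text, core count). A value above 1.0
    means more runnable threads than cores. On FreeBSD, I/O wait does not
    feed into the figure; on Linux, tasks blocked in uninterruptible sleep
    (disk I/O) are counted too, so the same number means something different.
    That is why the normalised value should only be compared within one OS.
    """
    return {
        name: per_core(parse_loadavg(raw), ncpu)[0]
        for name, (raw, ncpu) in hosts.items()
    }


def saturated(hosts: Dict[str, Tuple[str, int]], threshold: float = 1.0) -> List[str]:
    """Names of hosts whose 1-minute per-core load exceeds `threshold`."""
    return sorted(name for name, v in compare_hosts(hosts).items() if v > threshold)


if __name__ == "__main__":
    # Same raw load average on a 4-core and a 16-core FreeBSD box (constructed).
    fleet = {"nas-4core": (FREEBSD_SAMPLE, 4), "nas-16core": (FREEBSD_SAMPLE, 16)}
    for host, load in compare_hosts(fleet).items():
        print(f"{host}: {load} per core")
    print("saturated:", saturated(fleet))
```

The same raw value of 6.08 is a saturated 4-core machine but a lightly loaded 16-core one, which is the point of dividing by the core count before alerting on it.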
***
From 1989: An Empirical Study of the Reliability of Unix Utilities (http://ftp.cs.wisc.edu/paradyn/technical_papers/fuzz.pdf)
A paper from 1989 on the results of fuzz testing various unix utilities across a range of available unix operating systems.
Very interesting results; it is interesting to look back at before the start of the modern BSD projects.
New problems are still being found in utilities using similar testing methodologies, like afl (American Fuzzy Lop).
***
Google Summer of Code
Both FreeBSD (https://summerofcode.withgoogle.com/organizations/4892834293350400/) and NetBSD (https://summerofcode.withgoogle.com/organizations/6246531984261120/) are running 2016 Google Summer of Code projects. Students can start submitting proposals on March 14th.
In the meantime, if you have any ideas, please post them to the Summer Of Code Ideas Page (https://wiki.freebsd.org/SummerOfCodeIdeas) on the FreeBSD wiki. Students can start looking at the list now and try to find mentors to get a jump start on their project.
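On the 1989 fuzz testing paper above: the methodology it describes (feed utilities random input, record what crashes) is small enough to show end to end. This is an added example, not code from the paper or from afl. The target is a constructed toy parser standing in for a utility's input routine, with a deliberate missing length check; the fuzzer is seeded so the run is reproducible, treats the parser's documented error (ValueError) as expected and anything else as a crash, and shrinks a crashing input by greedy byte deletion so the report shows the smallest reproducer.

```python
import random
from typing import Callable, Dict, Tuple, Type

Target = Callable[[bytes], object]


def parse_record(data: bytes) -> Tuple[bytes, int]:
    """Toy parser (constructed for this example, not from the paper).

    Contract: return (key, value) for input like b"name:42" and raise
    ValueError on malformed input. Bug: input without ':' indexes past the
    end of the split list and raises IndexError instead of ValueError.
    """
    fields = data.split(b":")
    key, value = fields[0], fields[1]   # IndexError when ':' is absent
    if not key:
        raise ValueError("empty key")
    return key, int(value)              # ValueError for a non-numeric value


def parse_record_fixed(data: bytes) -> Tuple[bytes, int]:
    """The same parser with the length check the original forgot."""
    fields = data.split(b":")
    if len(fields) != 2 or not fields[0]:
        raise ValueError("expected exactly one key:value pair")
    return fields[0], int(fields[1])


def random_input(rng: random.Random, max_len: int = 12) -> bytes:
    """Random bytes from a small alphabet, so ':' and digits show up often."""
    alphabet = b"abc:0123456789 \n"
    return bytes(rng.choice(alphabet) for _ in range(rng.randint(0, max_len)))


def fuzz(target: Target, iterations: int = 2000, seed: int = 1989,
         expected: Tuple[Type[BaseException], ...] = (ValueError,)) -> Dict[str, bytes]:
    """Run `iterations` random inputs through `target`.

    Exception types in `expected` are the documented error path and are
    ignored; any other exception is a crash. Returns a map of exception
    type name -> the first input that triggered it.
    """
    rng = random.Random(seed)          # fixed seed: reproducible findings
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        data = random_input(rng)
        try:
            target(data)
        except expected:
            continue
        except Exception as exc:       # anything undocumented is a finding
            crashes.setdefault(type(exc).__name__, data)
    return crashes


def reproduces(target: Target, data: bytes, exc_name: str) -> bool:
    """True if `data` still raises the named exception type."""
    try:
        target(data)
    except Exception as exc:
        return type(exc).__name__ == exc_name
    return False


def minimize(target: Target, data: bytes, exc_name: str) -> bytes:
    """Greedy shrink: delete one byte at a time while the crash persists."""
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(data)):
            candidate = data[:i] + data[i + 1:]
            if reproduces(target, candidate, exc_name):
                data, shrunk = candidate, True
                break
    return data


if __name__ == "__main__":
    found = fuzz(parse_record)
    for name, sample in found.items():
        smallest = minimize(parse_record, sample, name)
        print(f"{name}: {sample!r} -> minimal reproducer {smallest!r}")
    print("crashes in fixed parser:", fuzz(parse_record_fixed))
```

Against the buggy parser the run reports one crash class, IndexError, and shrinks it down to the empty input; against the fixed parser the same seed and iteration count report nothing, which is the regression check a maintainer would keep after fixing the finding.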
***
High Availability Sync for ipfw3 in DragonFly (http://lists.dragonflybsd.org/pipermail/commits/2016-February/459424.html)
Similar to pfsync, this new protocol allows firewall dynamic rules (state) to be synchronized between two firewalls that are working together in HA with CARP.
Does not yet sync NAT state; it seems libalias will need some modernization first.
Apparently it will be relatively easy to port to FreeBSD.
This is one of the only features ipfw lacks when compared to pf.
***
Beastie Bits
FreeBSD 10.3-BETA3 Now Available (https://lists.freebsd.org/pipermail/freebsd-stable/2016-February/084238.html)
LibreSSL isn’t affected by the OpenSSL DROWN attack (http://undeadly.org/cgi?action=article&sid=20160301141941&mode=expanded)
NetBSD machines at the Open Source Conference 2016 in Tokyo (http://mail-index.netbsd.org/netbsd-advocacy/2016/02/29/msg000703.html)
OpenBSD removes Linux Emulation (https://marc.info/?l=openbsd-ports-cvs&m=145650279825695&w=2)
Time is an illusion - George Neville-Neil (https://queue.acm.org/detail.cfm?id=2878574)
OpenSSH 7.2 Released (http://www.openssh.com/txt/release-7.2)
Feedback/Questions
Shane - IPSEC (http://slexy.org/view/s2qCKWWKv0)
Darrall - 14TB Zpool (http://slexy.org/view/s20CP3ty5P)
Pedja - ZFS setup (http://slexy.org/view/s2qp7K9KBG)
***