
Created by three guys who love BSD, we cover the latest news and have an extensive series of tutorials, as well as interviews with various people from all areas of the BSD community. It also serves as a platform for support and questions. We love and advocate FreeBSD, OpenBSD, NetBSD, DragonFlyBSD and TrueOS. Our show aims to be helpful and informative for new users that want to learn about them, but still be entertaining for the people who are already pros. The show airs on Wednesdays at 2:00PM (US Eastern time) and the edited version is usually up the following day.
115: Controlling the Transmissions
Controlling the Transmissions
This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/)
Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes and have your story featured in the FreeBSD Journal!
***
Headlines
FreeBSD 2015 Vendor Dev Summit (https://wiki.freebsd.org/201511VendorDevSummit)
FreeBSD Quarterly Status Report - Third Quarter 2015 (https://www.freebsd.org/news/status/report-2015-07-2015-09.html)
We have a fresh quarterly status report from the FreeBSD project. Once again it almost merits an entire show, but we will try to hit all the highlights.
bhyve: porting of the Intel edk2 UEFI firmware, allowing Windows in headless mode, and illumos support. Porting to ARM has also begun!
Improved support for Acer C720 Chromebooks
High-availability clustering in CTL (the CAM Target Layer)
Root remounting (similar to pivot_root in Linux). This work allows "reboot -r" to do a fast reboot: a partial shutdown that kills all processes, re-mounts the root filesystem and boots again. Especially useful for booting from an MFS or similar and then transitioning to iSCSI or some other backing storage.
OpenCL support in Mesa, as well as kernel progress on the i915 driver
Improved support for the UEFI framebuffer on a number of recent MacBook Pros and other Macs, in addition to improvements to the "vt" framebuffer driver for high-resolution displays
ZFS support for UEFI boot (needs testing, but has been used in PC-BSD for a couple of months now), and new features imported from illumos (resumable send, receive prefetch, replication checksumming, 50% less RAM required for L2ARC, better prefetch)
DTrace SDT probes added to the TCP code, to replace the old TCPDEBUG kernel option. Recompiling the kernel is no longer required to debug TCP; just use DTrace.
Ongoing work to bring us a native port/package of GitLab
***
Meteor, the popular JavaScript web application framework, has been forked to run on FreeBSD, OpenBSD and NetBSD - FreeBSD testers requested (https://forums.meteor.com/t/freebsd-testers-please/12919/10)
We have a public call for testing from Tom Freudenberg for FreeBSD users of Meteor.
The linked thread includes all the details on how to get Meteor bootstrapped on your box and bring up the server.
So far the reports are positive, with many users reporting that it runs just fine on their 10.2 systems and jails.
Just a day ago the original porter mentioned that OpenBSD is ready for testing using the prepared dev bundle.
***
Mike Larkin's work continues on a native OpenBSD hypervisor, which he has announced is now booting (http://undeadly.org/cgi?action=article&sid=20151101223132)
Speaking of OpenBSD, we have an update from Mike Larkin about the status of the OpenBSD native hypervisor, vmm(4).
His Twitter post included the output from a successful VM boot of OpenBSD 5.8-current, all the way to multi-user.
While the code hasn't been committed (yet), we will keep you informed when it lands so you too can begin playing with it.
***
This is how I like open source (http://blog.etoilebsd.net/post/This_is_how_I_like_opensource)
A blog post by FreeBSD Core Team member, and one of the lead developers of pkg, Baptiste Daroussin
One project he has been working on is string collation
Garrett D'Amore (of illumos) implemented Unicode string collation while working for Nexenta and made it BSD licensed
John Marino (from DragonFly) imported the work done on illumos into DragonFly; while he was doing that he decided it was probably a good idea to rework how locales are handled
He discovered that Edwin Groothuis (from FreeBSD) had long ago started a project to simplify locale handling on FreeBSD
He extended the tools written by Edwin and has been able to update DragonFly to the latest (v27 so far) Unicode definitions
John Marino has worked with Bapt many times on various projects (including bringing pkg and ports to DragonFly)
Bapt decided it was time that FreeBSD got proper string collation support as well, and worked with John to import the support into FreeBSD
Bapt spotted a couple of bugs and worked with John on fixing them: issues with eucJP encoding, issues with Russian encoding (John did most of the work on tracking down and fixing the bugs)
Bapt also converted localedef (the tool to generate the locales) to use BSD-licensed code only (the original version used the CDDL libavl library, which he modified to use tree(3)), and fixed some issues. He also took the locale generation from Edwin (as extended by John).
This work resulted in a nice flow of patches going from DragonFly to FreeBSD and from FreeBSD to DragonFly. And now Garrett is interested in grabbing the patches back into illumos!
The result of this collaboration is that now 3 OSes share the same implementation for collation support! This is very good because when one discovers a bug, all 3 of them benefit from the fix!
The biggest win here is that this was a lot of work, and not an area that many people are interested in working on, so it was especially important to share the work rather than reimplement it separately.
***
Interview - Hiren Panchasara - hiren@freebsd.org (mailto:hiren@freebsd.org) / @hirenpanchasara (https://twitter.com/hirenpanchasara)
Improving TCP
***
iXsystems MissionComplete winners (https://www.ixsystems.com/whats-new/october-missioncomplete-winners/)
***
News Roundup
LibreSSL 2.3.1 released (http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.1-relnotes.txt)
LibreSSL keeps on chugging: the latest release, 2.3.1, has landed. It is the second snapshot based on the OpenBSD 5.9 development branch.
They are currently targeting a stable ABI/API sometime around March 2016 for the 2.3.x series.
Included in this update are ASN.1 cleanups and some compliance fixes for RFC 5280
Switched internally to time_t, with a check that the host OS supports a 64-bit time_t
Various TLS fixes, including the ability to check certificate validity times with tls_peer_cert_notbefore() and tls_peer_cert_notafter()
Fixed a reported memory leak in OBJ_obj2txt
***
Guide for installing Ghost with Nginx on FreeBSD (http://linoxide.com/linux-how-to/install-ghost-nginx-freebsd-10-2/)
A nice walkthrough for the week: we've found an article about how to install the Ghost blogging platform on FreeBSD 10.2.
For those who don't know, Ghost is an MIT-licensed blogging tool, started in 2012 by a former WordPress UI developer, and is written entirely in Node.js
While a port for FreeBSD does not yet exist (somebody get on that please), this tutorial walks you through the process of deploying it manually
Most of the requirements are simple: www/node, www/npm and sqlite3. With those installed, most of the steps are simply creating the user and home directory for Ghost, plus some "npm" setup.
The walkthrough even includes a handy rc.d script, making the possibility of a port seem much more likely
***
Adrian Chadd on why attention to detail matters when you're a kernel developer (http://adrianchadd.blogspot.com/2015/10/fixing-up-qca9558-performance-on.html)
Adrian was correctly trolled in the FreeBSD embedded IRC channel and started looking at why the bridging performance on MIPS boards was so bad
120-150 Mbit/sec is not really enough anymore
Using the previous MIPS24k support as a starting point, Adrian managed to get HWPMC (hardware performance monitoring counters) working on the MIPS74k
Using the data collected from the performance counters, Adrian was able to figure out that packets were being copied in order to meet the alignment requirements of the NIC and of the FreeBSD networking stack. It turns out this is no longer a requirement for most modern Atheros NICs, so the workaround could be removed
Now performance was 180 Mbit/sec
Next, on the receive side: only the TCP stack requires strict alignment, the Ethernet stack does not, so offset the start of the receive buffer by 2 bytes so that the IP and TCP headers end up aligned, and problem solved. Or not: no performance difference...
The problem appeared to be busdma. Ian Lepore had recently made improvements in this area on armv6 and helpfully ported these over to MIPS
Now 420 Mbit/sec. Getting better, but not as fast as Linux
After some further investigation, a missing "sync" operation was added, and the memory caching was changed from write-through to write-back
Things were so fast now that the driver was running through the descriptor ring so quickly that it hit the next descriptor while that descriptor was still being set up. The fix was to mark the first descriptor of a multi-descriptor packet as "empty" until the entire chain was set up, so it would not be processed before the later parts were done being added to the ring.
So now MIPS can bridge at 720 Mbit/sec, and route at 320 Mbit/sec
Adrian wants to improve the routing speed and get it caught up to the bridging speed, but as always, free time is scarce.
***
Switching from OS X to FreeBSD (http://mirrorshades.net/post/132753032310)
The story of a user who had used OS X since its beta, but with 10.9 and 10.10 became more and more dissatisfied
They found they were spending too much time fighting with the system, rather than getting work done
They cover the new workstation they bought, and the process of getting FreeBSD going on it, including why they chose FreeBSD rather than PC-BSD
Also covered is setting up a Lenovo X220 laptop
They set up i3wm and mutt
The blog is very detailed and goes so far as to share a GitHub repo of dotfiles and configuration files to ease the transition from OS X.
***
BeastieBits
The stack behind Netflix's scaling (http://www.scalescale.com/the-stack-behind-netflix-scaling/)
The Amiga port of NetBSD now has Xorg support (https://mail-index.netbsd.org/source-changes/2015/11/04/msg069873.html)
NetBSD has announced the EOL for 5.x to be November 9th (http://blog.netbsd.org/tnf/entry/end_of_life_for_netbsd)
RetroArch ports allow playing PlayStation, Sega, Atari, etc. games on FreeBSD (https://lists.freebsd.org/pipermail/freebsd-current/2015-November/058266.html)
OpenBSD booting on a 75 MHz Cyrix system with 32 MB RAM (http://gfycat.com/InnocentSneakyEwe)
Matthew Green reports that Nouveau (NVIDIA) can support GL with his latest commit (http://mail-index.netbsd.org/source-changes/2015/10/29/msg069729.html)
Releases!
OPNsense releases 15.7.18 (https://opnsense.org/opnsense-15-7-18-released/)
pfSense releases 2.2.5 (https://blog.pfsense.org/?p=1925)
Feedback/Questions
Eric (http://slexy.org/view/s2ogdURldm)
Andrew (http://slexy.org/view/s22bK2LZLm)
Joseph (http://slexy.org/view/s2to6ZpBTc)
Sean (http://slexy.org/view/s2oLU0KM7Y)
Dustin (http://slexy.org/view/s21k6oKvle)
***
For those of you curious about Kris' new lighting, here are the links to what he is using.
Softbox Light Diffuser (http://smile.amazon.com/gp/product/B00OTG6474?psc=1&redirect=true&ref_=oh_aui_detailpage_o01_s00&pldnSite=1)
Full Spectrum 5500K CFL Bulb (http://smile.amazon.com/gp/product/B00198U6U6?psc=1&redirect=true&ref_=oh_aui_detailpage_o06_s00)
***
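The descriptor race in the Adrian Chadd item above, as an added example that is not code from his post or from the driver it describes: a toy C transmit ring with a consumer hook that stands in for the hardware reading the ring concurrently. With head_last=false every descriptor is published as soon as it is written (the pre-fix ordering); with head_last=true the head of the chain stays EMPTY until the tail is in place. The names, the 64-byte segment limit and the constructed three-segment packet are assumptions for illustration only.

```c
/* Added example, not code from Adrian Chadd's post or the FreeBSD driver it describes:
 * a toy transmit ring showing the descriptor-publishing fix. With head_last set, the
 * first descriptor of a chain goes READY only after the rest of the chain is written,
 * so a consumer that has raced ahead to that slot keeps seeing EMPTY until then. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define RING_SIZE 8
enum { DESC_EMPTY = 0, DESC_READY = 1, DESC_MORE = 2 };   /* MORE: same packet continues */

struct desc {
    _Atomic uint32_t ctrl;      /* DESC_EMPTY, or DESC_READY | optional DESC_MORE */
    uint32_t len;               /* bytes in this segment */
    uint8_t data[64];           /* stand-in for the DMA buffer (assumed size) */
};
struct ring {
    struct desc d[RING_SIZE];
    unsigned prod;              /* next slot the producer (driver) fills */
    unsigned cons;              /* next slot the consumer (hardware) reads */
};
typedef void (*observer_fn)(struct ring *);   /* stands in for the consumer running concurrently */

/* One slot always stays free so a full ring is distinguishable from an empty one. */
static bool chain_fits(const struct ring *r, const uint32_t seglen[], unsigned nseg)
{
    if (nseg == 0 || nseg > RING_SIZE - 1 - ((r->prod - r->cons) & (RING_SIZE - 1)))
        return false;
    for (unsigned i = 0; i < nseg; i++)
        if (seglen[i] > sizeof r->d[0].data)
            return false;
    return true;
}

/* Enqueue one packet of nseg segments; head_last=false is the pre-fix ordering, true is the fix. */
static unsigned tx_enqueue(struct ring *r, const uint8_t *const seg[], const uint32_t seglen[],
                           unsigned nseg, bool head_last, observer_fn observe)
{
    if (!chain_fits(r, seglen, nseg)) return 0;
    for (unsigned i = 0; i < nseg; i++) {
        struct desc *d = &r->d[(r->prod + i) & (RING_SIZE - 1)];
        memcpy(d->data, seg[i], seglen[i]);
        d->len = seglen[i];
        if (i == 0 && head_last)
            continue;                                   /* defer publishing the head */
        atomic_store_explicit(&d->ctrl, DESC_READY | (i + 1 < nseg ? DESC_MORE : 0),
                              memory_order_release);
        if (i == 0 && observe)
            observe(r);     /* consumer now sees a READY|MORE head with a stale tail behind it */
    }
    if (head_last) {
        if (observe)
            observe(r);     /* consumer polling now still finds the head EMPTY */
        atomic_store_explicit(&r->d[r->prod & (RING_SIZE - 1)].ctrl,
                              DESC_READY | (nseg > 1 ? DESC_MORE : 0), memory_order_release);
    }
    r->prod += nseg;
    return nseg;
}

/* Consume one chain into out. Returns its length, or 0 if the head is EMPTY or out is too small. */
static uint32_t tx_consume(struct ring *r, uint8_t *out, size_t outlen)
{
    if (atomic_load_explicit(&r->d[r->cons & (RING_SIZE - 1)].ctrl, memory_order_acquire) == DESC_EMPTY)
        return 0;
    uint32_t total = 0; unsigned n = 0;
    do {                        /* size the chain first so a short buffer leaves the ring untouched */
        struct desc *d = &r->d[(r->cons + n++) & (RING_SIZE - 1)];
        total += d->len;
        if (!(atomic_load_explicit(&d->ctrl, memory_order_relaxed) & DESC_MORE))
            break;
    } while (n < RING_SIZE);
    if (total > outlen) return 0;
    for (unsigned i = 0, off = 0; i < n; i++) {
        struct desc *d = &r->d[(r->cons + i) & (RING_SIZE - 1)];
        memcpy(out + off, d->data, d->len);
        off += d->len;
        atomic_store_explicit(&d->ctrl, DESC_EMPTY, memory_order_release);   /* slot back to producer */
    }
    r->cons += n;
    return total;
}

/* Constructed demo: a 3-segment packet (14-byte Ethernet header, 20-byte IPv4 header, 6-byte
 * payload). seen_during is what the consumer got mid-chain, seen_after what it got on the next poll. */
struct demo_result { uint32_t seen_during, seen_after; };
static uint8_t g_out[128];
static uint32_t g_seen;
static void observe_consume(struct ring *r) { g_seen = tx_consume(r, g_out, sizeof g_out); }

static struct demo_result demo(bool head_last)
{
    struct ring r;
    uint8_t eth[14], ip[20], payload[6];
    const uint8_t *seg[3] = { eth, ip, payload };
    const uint32_t len[3] = { sizeof eth, sizeof ip, sizeof payload };
    memset(&r, 0, sizeof r);
    memset(eth, 0xee, sizeof eth); memset(ip, 0x45, sizeof ip); memset(payload, 0x41, sizeof payload);
    g_seen = 0;
    tx_enqueue(&r, seg, len, 3, head_last, observe_consume);
    return (struct demo_result){ g_seen, tx_consume(&r, g_out, sizeof g_out) };
}
```

demo(false) publishes the head first: the simulated consumer runs between head and tail, takes a 14-byte frame (the Ethernet header with a stale zero-length descriptor behind it) and then a 6-byte frame of bare payload, which is exactly the corrupted-chain symptom Adrian hit. demo(true) withholds the head until the tail is written, so the consumer gets nothing mid-chain and the whole 40-byte frame on the next poll. In a real driver the release store on the head is where the descriptor memory has to be synced to the device before the ownership bit is flipped; the ordering matters even on a single CPU because the DMA engine is the other party.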
114: BSD-Schooling
This week, Allan is out of town at another Developer Summit, but we have a great episode coming.
This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/)
Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes and have your story featured in the FreeBSD Journal!
***
Headlines
WhatsApp founder on how it got so HUGE (http://www.wired.com/2015/10/whatsapps-co-founder-on-how-the-iconoclastic-app-got-huge/)
Wired has interviewed WhatsApp co-founder Brian Acton about the infrastructure behind WhatsApp
WhatsApp manages 900 million users with a team of 50, while Twitter needs around 4,000 employees to manage 300 million users.
"FreeBSD has a nicely tuned network stack and extremely good reliability. We find managing FreeBSD installations to be quite straightforward."
"Linux is a beast of complexity. FreeBSD has the advantage of being a single distribution with an extraordinarily good ports collection."
"To us, it has been an advantage as we have had very few problems that have occurred at the OS level. With Linux, you tend to have to wrangle more and you want to avoid that if you can."
"FreeBSD happened because both Jan and I have experience with FreeBSD from Yahoo!."
Additional coverage (http://uk.businessinsider.com/whatsapp-built-using-erlang-and-freebsd-2015-10)
***
User feedback in the systemd vs BSD init debate (https://www.textplain.net/blog/2015/problems-with-systemd-and-why-i-like-bsd-init/)
We have a very detailed blog post this week from Randy Westlund about his experiences on Linux and BSD, contrasting the init systems.
What he finds is that while systemd does make some things easier, such as writing a service file once and having it run everywhere, the tradeoff comes in complexity and lack of transparency.
Another area of concern was the reproducibility of boots: in his examples on servers, there can often be times when services start in different orders, to save a few moments of boot time.
His take on the simplicity of BSD's startup scripts is that they are very easy to hack on and monitor, while not introducing the feature creep we have seen in systemd.
It will be interesting to see NextBSD / launchd and how it compares in the future!
***
Learn to embrace open source, or get buried (http://opensource.com/business/15/10/ato-interview-jim-salter)
At the recent "All Things Open" conference, opensource.com interviewed Jim Salter
He describes how he first got started using FreeBSD to host his personal website
He then goes on to talk about starting FreeBSDWiki.net and what its goals were
The interview then talks about using open source to solve customers' problems at his consulting firm
Finally, he talks about his presentation at All Things Open, Move Over, Rsync (http://allthingsopen.org/talks/move-over-rsync/), about switching to ZFS replication
***
HP's CTO urges businesses to avoid permissive licenses (http://lwn.net/Articles/660428/)
Martin Fink went on a rant about the negative effects of license proliferation
While I agree that having too many new licenses is confusing and adds difficulty, I didn't agree with his closing point
"He then ended the session with an extended appeal to move the open-source software industry away from permissive licenses like Apache 2.0 and toward copyleft licenses like the GPL"
"The Apache 2.0 license is currently the most widely used "permissive" license. But the thing that developers overlook when adopting it, he said, is that by using Apache they are also making a choice about how much work they will have to put into building any sort of community around the project. If you look at Apache-licensed projects, he noted, "you'll find that they are very top-heavy with 'governance' structures." Technical committees, working groups, and various boards, he said, are needed to make such projects function. But if you look at copyleft projects, he added, you find that those structures simply are not needed."
There are plenty of smaller permissively licensed projects that do not have this sort of structure; in fact, most of this structure comes from being an Apache-run project, rather than from using the Apache or any other permissive license
Luckily, he goes on to state that the "OpenSwitch code is released under the Apache 2.0 license, he said, because the other partner companies viewed that as a requirement."
"HP wanted to get networking companies and hardware suppliers on board. In order to get all of the legal departments at all of the partners to sign on to the project, he said, HP was forced to go with a permissive license"
Hopefully the trend towards permissive licenses continues
Additionally, in a separate LWN post (http://lwn.net/Articles/659757/), RMS says: "I am not saying that competitors to a GNU package are unjust or bad -- that isn't necessarily so. The pertinent point is that they are competitors. The goal of the GNU Project is for GNU to win the competition. Each GNU package is a part of the GNU system, and should contribute to the success of the GNU Project. Thus, each GNU package should encourage people to run other GNU packages rather than their competitors -- even competitors which are free software."
Never thought I'd see RMS espousing vendor lock-in
***
Interview - Brian Callahan - bcallah@devio.us (mailto:bcallah@devio.us) / @__briancallahan (https://twitter.com/__briancallahan)
The BSDs in Education
***
News Roundup
Digital libraries in Africa making use of DragonFly BSD and HAMMER (http://lists.dragonflybsd.org/pipermail/users/2015-October/228403.html)
In the international development context, we have an interesting post from Michael Wilson of the PeerCorps Trust Fund.
They are using DragonFly BSD and FreeBSD to support the Tanzanian Digital Library Initiative in very resource-limited settings.
They cite among the most important reasons for using BSD the availability and quality of the documentation, as well as the robustness of the filesystems, both ZFS and HAMMER.
Their website is now online over at (http://www.tandli.com/); check it out to see exactly how BSD is being used in the field
***
Netflix hits > 65 Gbps from a single FreeBSD box (https://twitter.com/ed_maste/status/655120086248763396)
A single-socket server with a high-end Xeon E5 processor and a dual-ported Chelsio T580 (2x 40 Gbps ports) set a Netflix record, pushing over 65 Gbps of traffic from a single machine
The videos were being served from SSDs and some new high-end NVMe devices
The previous record at Netflix was 52 Gbps from a single machine, but only with very experimental settings. The current work is under much more typical settings
By the end of that night, traffic surged to over 70 Gbps
Only about 10-15% of that traffic was encrypted with the in-kernel TLS engine that Netflix has been working on with John-Mark Gurney
It was reported that the machine was only using about 65% CPU, and had plenty of headroom
If I remember the discussion correctly, there were about 60,000 streams running off the machine
***
Lumina Desktop 0.8.7 has been released (http://lumina-desktop.org/lumina-desktop-0-8-7-released/)
A very large update has landed for PC-BSD's Lumina desktop
A brand new "Start" menu has been added, which enables quick launch of favorite apps, pinning to desktop / favorites, and more.
Desktop icons have been overhauled, with better font support and a new grid system for placement of icons.
Support for other BSDs such as DragonFly has been improved, along with TONS of internal changes to functionality and backends.
Almost too many things to list here, but the link above has full details, along with screenshots.
***
A LiveUSB for NetBSD has been released by Jibbed (http://www.jibbed.org/)
After a three-year absence, the Jibbed project has come back with a Live USB image for NetBSD!
The image contains NetBSD 7.0 and is fully read/write, allowing you to run the entire system from a single USB drive.
Images are available for 8 GB and 4 GB sticks (64-bit and 32-bit respectively), along with VirtualBox images as well
For those wanting X, it includes both X and twm, although "pkgin" is available, so you can quickly add other desktops to the image
***
Beastie Bits
After recent discussions of revisiting W^X support in Mozilla Firefox, David Coppa has flipped the switch to enable it for OpenBSD users running -current. (http://undeadly.org/cgi?action=article&sid=20151021191401&mode=expanded)
Using the vt(4) driver to change console resolution (http://lme.postach.io/post/changing-console-resolution-in-freebsd-10-with-vt-4)
The FreeBSD Foundation gives a great final overview of the Grace Hopper Conference (http://freebsdfoundation.blogspot.com/2015/10/conference-recap-grace-hopper.html)
A dialog about compilers in the (BSD) base system (https://medium.com/@jmmv/compilers-in-the-bsd-base-system-1c4515a18c49)
One-upping their 48-core work from July, the Semihalf team shows off their 96-core SMP support for FreeBSD on Cavium ThunderX (ARMv8 architecture) (https://www.youtube.com/watch?v=1q5aDEt18mw)
NYC*BUG's November meeting will feature a talk by Stephen R. Bourne (http://lists.nycbug.org/pipermail/talk/2015-October/016384.html)
New not-just-BSD podcast, hosted by two OpenBSD devs, Brandon Mercer and Joshua Stein (http://garbage.fm/)
Feedback/Questions
Stefan (http://slexy.org/view/s21wjbhCJ4)
Zach (http://slexy.org/view/s21TbKS5t0)
Jake (http://slexy.org/view/s20AkO1i1R)
Corey (http://slexy.org/view/s2nrUMatU5)
Robroy (http://slexy.org/view/s2pZsC7arX)
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv)
113: What’s Next for BSD?
Coming up on this week's episode, we have an interview.
This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/)
Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes and have your story featured in the FreeBSD Journal!
***
Headlines
OpenBSD 5.8 is released on the 20th birthday of the OpenBSD project (http://bsdsec.net/articles/openbsd-5-8-released)
5.8 has landed, just in time for the 20th birthday of OpenBSD on October 18th
A long list of changes can be found in the release announcement, but here's a small scattering of them:
Drivers for new hardware, such as rtwn (Realtek RTL8188CE Wi-Fi) and hpb (the HyperTransport bridge in the IBM CPC945)
Improved sensor support in the upd driver (USB power devices)
Jumbo frame support in the re driver for the RTL8168C/D/E/F/G and RTL8411
Updates to the installer: improved autoinstall, and questions about SSH setup
sudo in base has been replaced with "doas"; sudo has moved to the package tree
New file(1) command with sandboxing and privilege separation
The tame(2) API, a work in progress
Improvements to the httpd(8) daemon, such as support for Lua pattern matching in redirections
Bug fixes and security updates from OpenSMTPD 5.4.4
LibreSSL security fixes; SSLv3 support removed from openssl(1) (still working on nuking SSLv3 from all ports)
And much more, too much to mention here; read the notes for all the gory details!
OpenBSD developer interviews
To go along with the 20th birthday, we have a whole slew of new interviews brought to us by the beastie.pl team. English and Polish are both provided, so be sure not to miss these!
Dmitrij D. Czarkoff (http://beastie.pl/deweloperzy-openbsd-dmitrij-d-czarkoff/)
Vadim Zhukov (http://beastie.pl/deweloperzy-openbsd-vadim-zhukov/)
Marc Espie (http://beastie.pl/deweloperzy-openbsd-marc-espie/)
Bryan Steele (http://beastie.pl/deweloperzy-openbsd-bryan-steele/)
Ingo Schwarze (http://beastie.pl/deweloperzy-openbsd-ingo-schwarze/)
Gilles Chehade (http://beastie.pl/deweloperzy-openbsd-gilles-chehade/)
***
Jean-Sébastien Pédron has submitted a call for testing of the new Intel i915 driver (http://lists.freebsd.org/pipermail/freebsd-x11/2015-October/016758.html)
A very eagerly awaited feature, Haswell GPU support, has begun the testing process
The main developer, Jean-Sébastien Pédron (dumbbell@freebsd.org), is looking for users to test the patch, both those who have older supported cards (Sandy Bridge, Ivy Bridge) that are currently working, and users with Haswell devices that have, until now, not been supported
Included is a link to the wiki with instructions on how to enable debugging and grab the updated branch of FreeBSD with the graphical improvements.
Jean-Sébastien is calling for testers to send results, both good and bad, to the freebsd-x11 mailing list
For those who want an "out of the box" solution, the next PC-BSD 11.0-CURRENT November images will include these changes as well
***
How to install FreeBSD on a Raspberry Pi 2 (http://www.cyberciti.biz/faq/how-to-install-freebsd-on-raspberry-pi-2-model-b/)
We have a nice walkthrough this week on how to install FreeBSD, either 10 or 11-CURRENT, on a RPi 2!
The walkthrough shows us how to use OS X to copy the image to an SD card, then boot it.
In this case, he is using a USB-to-serial cable to capture the output with screen
This is a pretty quick way for users sitting on a RPi 2 to get up and running with FreeBSD
***
Interview - Jordan Hubbard - jkh@ixsystems.com (mailto:jkh@ixsystems.com)
NextBSD (http://www.nextbsd.org/) | NextBSD GitHub (https://github.com/NextBSD/NextBSD)
***
Beastie Bits
OpenBSD's source tree turned 20 on October 18th (https://marc.info/?l=openbsd-misc&m=144515087006177&w=2)
GhostBSD working on a graphical ZFS configuration utility (https://plus.google.com/+GhostbsdOrg/posts/JoNZzrKrhtB)
EuroBSDcon 2014 videos finally online (https://www.youtube.com/channel/UCz6C-szau90f9Vn07A6W2aA/videos)
Postdoctoral research position at Memorial University is open (http://www.mun.ca/postdoc/tc-postdoc-2015.pdf)
NetBSD Security Advisory: TCP LAST_ACK memory exhaustion, reported by Netflix and Juniper (http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2015-009.txt.asc)
DesktopBSD making a comeback? (http://www.desktopbsd.net/forums/threads/desktopbsd-2-0-roadmap.798/)
Feedback/Questions
Steve (http://slexy.org/view/s20PllfFXt)
Ben (http://slexy.org/view/s21jJm1lFN)
Frank (http://slexy.org/view/s20TsrN3uq)
Tyler (http://slexy.org/view/s20AydOevW)
112: Tracing the source
This week Allan is away at a ZFS conference, so it seems.
This episode was brought to you by
Headlines
pfSense - 2.3 alpha snapshots available (https://blog.pfsense.org/?p=1854)
pfSense 2.3 features and changes (https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes)
The entire front end has been rewritten
Upgrade of the base OS to FreeBSD 10-STABLE
The PPTP server component has been removed
PBIs have been replaced with pkg
PHP upgraded to 5.6
The web interface has been converted to Bootstrap
***
BSD Mag October 2015 is out (http://bsdmag.org/download/bsd-09-2015/)
A Look at the New PC-BSD 10.2 - Kris Moore
Basis of the Lumina Desktop Environment - Ken Moore
A Secure Webserver on FreeBSD with Hiawatha - David Carlier
Defeating CryptoLocker Attacks with ZFS - Michael Dexter
Emerging Technology Has Increasingly Been a Force for Both Good and Evil - Rob Somerville
Interviews with: Dru Lavigne, Luca Ferrari, Oleksandr Rybalko
***
OPNsense 15.7.14 released (https://opnsense.org/opnsense-15-7-14-released/)
Another update to OPNsense has landed! One of the notable takeaways this time is that it isn't a security update
Major rework of the firewall rules sections, including the rules, schedules, virtual IP, NAT and aliases pages
Latest BIND and Squid packages
Improved configuration management, including fixes to importing an old config file. New location for configuration history / backups.
***
OpenBSD in a Toyota Highlander (http://marc.info/?l=openbsd-misc&m=144327954931983&w=2)
Images (http://imgur.com/a/SMVdp)
While looking through the "Software Information" screen of a Toyota Highlander, Chad Dougherty of the ACM found a bunch of OpenBSD copyright notices
At least one of which I recognize as OpenCrypto, because of the comment about "transforms"
It is likely that the vehicle is running QNX, which contains various bits of BSD
QNX: Third Party License Terms List version 2.17 (http://support7.qnx.com/download/download/25111/TPLTL.v2.17.Jul23-13.pdf)
Some highlights: Robert N. M. Watson (FreeBSD), TrustedBSD Project (FreeBSD), NetBSD Foundation, NASA Ames Research Center (NetBSD), Damien Miller (OpenBSD), Theo de Raadt (OpenBSD), Sony Computer Science Laboratories Inc., Bob Beck (OpenBSD), Christos Zoulas (NetBSD), Markus Friedl (OpenBSD), Henning Brauer (OpenBSD), Network Associates Technology, Inc. (FreeBSD), and 100s of others
OpenSSH seems to be included
It also seems to contain tcpdump, for some reason
***
Interview - Adam Leventhal - adam.leventhal@delphix.com (mailto:adam.leventhal@delphix.com) / @ahl (https://twitter.com/ahl)
ZFS and DTrace
***
Beastie Bits
isboot, an iSCSI boot driver for FreeBSD 9 and 10 (https://lists.freebsd.org/pipermail/freebsd-current/2015-September/057572.html)
tame() is now called pledge() (http://marc.info/?l=openbsd-tech&m=144469071208559&w=2)
Interview with NetBSD developer Leonardo Taccari (http://beastie.pl/deweloperzy-netbsd-7-0-leonardo-taccari/)
FuguIta releases a LiveCD based on OpenBSD 5.8 (http://fuguita.org/index.php?FuguIta)
DTraceToolkit gets an update and is imported into NetBSD (http://mail-index.netbsd.org/source-changes/2015/09/30/msg069173.html)
An older article about how to do failover / load balancing in pfSense (http://www.tecmint.com/how-to-setup-failover-and-load-balancing-in-pfsense/)
Feedback/Questions
Michael writes in (http://slexy.org/view/s217HyOZ9U)
Possniffer writes in (http://slexy.org/view/s2YODjppwX)
Erno writes in (http://slexy.org/view/s21xltQ6jd)
***
111: Xenocratic Oath
Coming up on this week's episode, we have BSD news, tidbits and articles out the wazoo to share. Also, be sure to stick around for our interview with Brandon Mercer as he tells us about OpenBSD being used in the healthcare industry.
This episode was brought to you by
Headlines
NetBSD 7.0 release announcement (http://www.netbsd.org/releases/formal-7/NetBSD-7.0.html)
DRM/KMS support brings accelerated graphics to x86 systems using modern Intel and Radeon devices (from Linux 3.15)
Multiprocessor ARM support. Support for many new ARM boards, including the Raspberry Pi 2 and BeagleBone Black
Major NPF improvements:
BPF with just-in-time (JIT) compilation by default
support for dynamic rules
support for static (stateless) NAT
support for IPv6-to-IPv6 Network Prefix Translation (NPTv6) as per RFC 6296
support for CDB-based tables (uses perfect hashing and guarantees lock-free O(1) lookups)
Multiprocessor support in the USB subsystem.
GPT support in sysinst via the extended partitioning menu.
Lua kernel scripting
GCC 4.8.4, which brings support for C++11
Experimental support for SSD TRIM in wd(4) and FFS
tetris(6): add colours and a "down" key, defaulting to "n". It moves the block down a line, if it fits.
***
CloudFlare develops an interesting new netmap feature (https://blog.cloudflare.com/single-rx-queue-kernel-bypass-with-netmap/)
Normally, when netmap is enabled on an interface, the kernel is bypassed and all of the packets go to the netmap consumers
CloudFlare has developed a feature that allows all but one of the RX queues to remain connected to the kernel, with only a single queue passed to netmap
The change is a simple modification to the nm_open API, allowing the application to open only a specific queue of the NIC rather than the entire thing
The RSS or other hashing must be modified to not direct traffic to this queue; then specific flows are directed to the netmap application by matching traffic
For example, under Linux:
ethtool -X eth3 weight 1 1 1 1 0 1 1 1 1 1
ethtool -K eth3 lro off gro off
ethtool -N eth3 flow-type udp4 dst-port 53 action 4
This directs all name server traffic to NIC queue number 4, the queue given weight 0 in the RSS indirection table so that no other traffic lands there
Currently there is no tool like ethtool to accomplish the same thing under FreeBSD
I wonder if the flows could be identified more specifically using something like ipfw-netmap
***
Building your own OpenBSD-based mail server! (http://www.theregister.co.uk/2015/09/12/feature_last_post_build_mail_server/?mt=1442858572214) part 2 (http://www.theregister.co.uk/2015/09/19/feature_last_post_build_mailserver_part_2/) part 3 (http://www.theregister.co.uk/2015/09/26/feature_last_post_build_mailserver_part_3/)
The UK Register gives us a great writeup on setting up your own mail server, specifically on OpenBSD 5.7
In this article they used a mini PC, the Acer Revo One RL85, which is a decently priced little box for a mail server (http://www.theregister.co.uk/2015/07/24/review_acer_revo_one_rl85_/)
While a bit lengthy at 3 parts, it does provide a good walkthrough of getting OpenBSD set up and Postfix and Dovecot configured and working. The final installment also provides details on spam filtering and antivirus scanning.
***
Getting started with the UEFI bootloader on OpenBSD (http://blog.jasper.la/openbsd-uefi-bootloader-howto/)
If you've been listening over the past few weeks, you've heard about OpenBSD's new UEFI bootloader. We now have a blog post with detailed instructions on how to get set up with this on your own system.
The initial setup is pretty straightforward and should only take a few minutes at most. It involves the usual fdisk commands to create a FAT EFI system partition, and placing the bootx64.efi file in the correct location.
As a bonus, we even get instructions on how to enable the framebuffer driver on systems without native Intel video support (a ThinkPad X250 in this example)
***
Recipe for building a 10 Mpps FreeBSD-based router (http://blog.cochard.me/2015/09/receipt-for-building-10mpps-freebsd.html)
Olivier (of FreeNAS and BSD Router Project fame) treats us this week to a neat blog post about building your own high-performance 10 Mpps FreeBSD router
As he first mentions, the hardware required will need to be beefy; no $200 mini PC here. In his setup he uses an 8-core Intel Xeon E5-2650, along with a quad-port 10 Gigabit Chelsio T540-CR.
He mentions that this doesn't quite work on stock FreeBSD yet; you will need to pull in code from the projects/routing branch (https://svnweb.freebsd.org/base/projects/routing/), which fixes an issue with scaling across cores. In this case he is shrinking the NIC queues down to 4 from 8.
If you don't feel like doing the compiles yourself, he also includes links to experimental BSD Router Project images, which he used to do the benchmarks
Bonus! A nice graphic of the benchmarks showing what enabling IPFW or PF does to the performance.
***
Interview - Brandon Mercer - bmercer@openbsd.org (mailto:bmercer@openbsd.org) / @knowmercymod (https://twitter.com/knowmercymod)
OpenBSD in Healthcare
Sorry about the audio quality degradation. The last 7 or 8 minutes of the interview had to be cut, due to a problem with the software that captures the audio from Skype and adds it to our compositor. My local monitor is analogue and did not experience the issue, so I was unaware of the issue during the recording.
***
News Roundup
NVIDIA releases a new beta FreeBSD driver along with a new kernel module (https://devtalk.nvidia.com/default/topic/884727/unix-graphics-announcements-and-news/linux-solaris-and-freebsd-driver-358-09-beta-/)
Includes a new kernel module, nvidia-modeset.ko
While this module does NOT have any user-settable features, it works with the existing nvidia.ko to provide the kernel mode setting (KMS) used by the DRM integrated in the kernel.
The beta adds support for the 805A and 960A NVIDIA cards
Also fixes a memory leak and some regressions
***
MidnightBSD 0.7-RELEASE (http://www.midnightbsd.org/pipermail/midnightbsd-users/Week-of-Mon-20150914/003462.html)
We missed this while away at EuroBSDcon and elsewhere, but MidnightBSD (a desktop-focused FreeBSD 6.1 fork) has come out with a new 0.7 release
This release primarily focuses on stability, but also includes important security fixes.
It cherry-picks a variety of FreeBSD base-system updates, and some important ZFS features, such as TRIM and LZ4 compression
Their custom "mports" system has also gotten a slew of updates, with almost 2000 packages now available, including a WiP of GNOME 3. It also brings support for starting / stopping services automatically at package install or removal.
They note that this will most likely be the last i386 release, joining the club of other projects that are going 64-bit only.
*** "Open Source as a Career Path" (http://media.medfarm.uu.se/play/video/5400) The FreeBSD Project held a panel discussion (http://www.cb.uu.se/~kristina/WomENcourage/2014/2015-09-25_Friday/2015-09-25%20113238.JPG) of why Open Source makes a good career path at the ACM.s womENcourage conference in Uppsala, Sweden, the weekend before EuroBSDCon The Panel was lead by Dru Lavigne, and consisted of Deb Goodkin, Benedict Reuschling, Dan Langille, and myself We attempted to provide a cross section of experiences, including women in the field, the academic side, the community side, and the business side During the question period, Dan gave a great answer (https://gist.github.com/dlangille/e262bccdea08b89b5360) to the question of .Why do open source projects still use old technologies like mailing lists and IRC. The day before, the FreeBSD Foundation also had a booth at the career fair. We were the only open source project that attended. Other exhibitors included: Cisco, Facebook, Intel, Google, and Oracle. The following day, Dan also gave a workshop (http://www.cb.uu.se/~kristina/WomENcourage/2014/2015-09-25_Friday/2015-09-25%20113238.JPG) on how to contribute to an open source project *** Beastie-Bits NetBSD 2015PkgSrc Freeze (http://mail-index.netbsd.org/pkgsrc-users/2015/09/12/msg022186.html) Support for 802.11N for RealTek USB in FreeBSD (https://github.com/freebsd/freebsd/commits/master/sys/dev/usb/wlan/if_rsu.c) Wayland ported to DragonFlyBSD (https://github.com/DragonFlyBSD/DeltaPorts/pull/123) OpenSMTPd developer debriefs on audit report (http://undeadly.org/cgi?action=article&sid=20151013161745) FreeBSD fixes issue with pf under Xen with TSO. Errata coming soon (https://svnweb.freebsd.org/base?view=revision&revision=289316) Xinuos funds the HardenedBSD project (http://slexy.org/view/s2EBjrxQ9M) Feedback/Questions Evan (http://slexy.org/view/s21PMmNFIs) Darin writes in (http://slexy.org/view/s20qH07ox0) Jochen writes in (http://slexy.org/view/s2d0SFmRlD) ***
110: Firmware Fights
This week on BSDNow, we get to hear all of Allan's post-EuroBSDCon wrap-up and a great interview with Benno Rice from Isilon. We got to discuss some of the pain of doing major forklift upgrades, and why your business should track -CURRENT.

This episode was brought to you by

Headlines

EuroBSDCon Videos
- EuroBSDCon has started posting videos of the talks online already.
- The videos posted online are archives of the live stream, so some of the videos contain multiple talks
- Due to a technical complication, some videos only have 1 channel of audio
- EuroBSDCon Talk Schedule (https://2015.eurobsdcon.org/talks-and-schedule/talk-schedule/)
- Red Room Videos (https://www.youtube.com/channel/UCBPvcqZrNuKZuP1LQhlCp-A)
- Yellow Room Videos (https://www.youtube.com/channel/UCJk8Kls9LT-Txu-Jhv7csfw)
- Blue Room Videos (https://www.youtube.com/channel/UC-3DOxIOI5oHXE1H57g3FzQ)
- Photos of the conference courtesy of Ollivier Robert (https://assets.keltia.net/photos/EuroBSDCon-2015/)
***

A series of OpenSMTPd patches fix multiple vulnerabilities (http://undeadly.org/cgi?action=article&sid=20151005200020)
- Qualys recently published an audit of the OpenSMTPd source code (https://www.qualys.com/2015/10/02/opensmtpd-audit-report.txt)
- The fixes for these vulnerabilities were released as 5.7.2
- After its release, two additional vulnerabilities (http://www.openwall.com/lists/oss-security/2015/10/04/2) were found. One, in the portable version, was in newer code that was added after the audit started
- All users are strongly encouraged to upgrade to 5.7.3
- OpenBSD users should apply the latest errata or upgrade to the newest snapshot
***

FreeBSD updates in -CURRENT (https://svnweb.freebsd.org/base?view=revision&revision=288917)
- Looks like Xen header support has been bumped in FreeBSD from 4.2 -> 4.6. It also enables support for ARM
- Update to Clang / LLVM 3.7.0 (https://lists.freebsd.org/pipermail/freebsd-current/2015-October/057691.html) http://llvm.org/releases/3.7.0/docs/ReleaseNotes.html
- ZFS gets FRU (field replaceable unit) tracking (https://svnweb.freebsd.org/base?view=revision&revision=287745)
- OpenCL makes its way into the ports tree (https://svnweb.freebsd.org/ports?view=revision&revision=397198)
- bhyve has grown UEFI support, plus a CSM module
- bhyve can now boot Windows (https://lists.freebsd.org/pipermail/freebsd-virtualization/2015-October/003832.html). Currently there is still only a serial console, so the post includes an unattended install .xml file and instructions on how to repack the ISO. Once Windows is installed, you can RDP into the machine
- bhyve can also now run IllumOS (https://lists.freebsd.org/pipermail/freebsd-virtualization/2015-October/003833.html)
***

OpenBSD Initial Support for Broadwell Graphics (http://marc.info/?l=openbsd-cvs&m=144304997800589&w=2)
- OpenBSD joins DragonFly now with initial support for Broadwell GPUs landing in their development branch
- This brings OpenBSD up to Linux 3.14.52 DRM, and Mark Kettenis mentions that it isn't perfect yet, and may cause some issues with older hardware, although no major regressions yet
***

OpenBSD Slides for TAME (http://www.openbsd.org/papers/tame-fsec2015/) and libTLS APIs (http://www.openbsd.org/papers/libtls-fsec-2015/)
- The first set of slides are from a talk Theo de Raadt gave in Croatia; they describe the history and impetus for tame
- Theo specifically avoids comparisons to other sandboxing techniques like capsicum and seccomp, because he is not impartial
- tame() itself is only about 1200 lines of code
- Sandboxing the file(1) command with systrace: 300 lines of code; with tame: 4 lines
- Theo makes the point that "optional security" is irrelevant. If a mitigation feature has a knob to turn it off, some program will break and advise users to turn the feature off. Eventually, no one uses the feature, and it dies
- This has led to OpenBSD's policy: "Once working, these features cannot be disabled. Application bugs must be fixed."
- The second talk is by Bob Beck, about LibreSSL
- When LibreSSL was forked from OpenSSL 1.0.1g, it contained 388,000 lines of C code
- 30 days into LibreSSL, they had deleted 90,000 lines of C
- OpenSSL 1.0.2d has 432,000 lines of C (728k total), and OpenSSL Current has 411,000 lines of C (over 1 million total)
- LibreSSL today contains 297,000 lines of C (511k total)
- None of the high risk CVEs against OpenSSL (there have been 5) have affected LibreSSL. It turns out removing old code and unneeded features is good for security.
- The talk focuses on libtls, an alternative to the OpenSSL API, designed to be easier to use and less error prone
- In the libtls API, if -1 is returned, it is always an error. In OpenSSL, it might not be an error; additional code is needed to check errno
- In OpenBSD: ftp, nc, ntpd, httpd, spamd, syslog have been converted to the new API
- The OpenBSD Foundation is looking for donations in order to sponsor 2-3 developers to spend 6 months dedicated to LibreSSL
***

Interview - Benno Rice - benno@FreeBSD.org (mailto:benno@FreeBSD.org) / @jeamland (https://twitter.com/jeamland)
Isilon and building products on top of FreeBSD

News Roundup

ReLaunchd (https://github.com/mheily/relaunchd/blob/master/doc/rationale.txt)
- This past week we got a heads up about another init/launchd replacement, this time "Relaunchd"
- The goals of this project appear to be keeping launchd functionality, while being portable enough to run on FreeBSD / Linux, etc.
- It also has aspirations of being "container-aware", with support for jailed services, a la Docker, as well as cluster awareness.
- Written in Ruby :(, it also maintains that it wishes to NOT take over PID 1 or replace the initial system boot scripts, but extend / leverage them in new ways.
***

Static Intrusion Detection in NetBSD (https://mail-index.netbsd.org/source-changes/2015/09/24/msg069028.html)
- Alistair Crooks has committed a new "sid" utility to NetBSD, which allows intrusion detection by comparing the file-system contents to a database of known good values
- The utility can compare the entire root file system of a modest NetBSD machine in about 15 seconds
- The following parameters of each file can be checked: atime, block count, ctime, file type, flags, group, inode, link target, mtime, number of links, permissions, size, user, crc32c checksum, sha256 checksum, sha512 checksum
- A JSON report is issued at the end, for any detected variances
***

LibreSSL 2.3.0 in PC-BSD
- If you're running PC-BSD 10.2-EDGE or October's -CURRENT image, LibreSSL 2.3.0 is now a thing
- Thanks to the hard work of Bernard Spil and others, we have merged in the latest LibreSSL, which actually removes SSL support in favor of TLS
- Quite a number of bugs have been fixed, as well as patches brought over from OpenBSD to fix numerous ports.
- Allan has started a patchset that sets the OpenSSL in base to "private" (http://allanjude.com/bsd/privatessl_2015-10-07.patch)
- This hides the library so that applications and ports cannot find it, so only tools in the base system, like fetch, will be able to use it.
- This makes OpenSSL no longer part of the base system ABI, meaning the version can be upgraded without breaking the stable ABI promise.
- This feature may be important in the future, as OpenSSL versions now have EoL dates that may be sooner than the EoL of the FreeBSD stable branches.
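To show what a baseline-and-compare checker like the "sid" utility described above actually does, here is an added example written for this page; it is not sid's own code. It records a subset of the attributes sid checks (file type, size, permissions, user, group, mtime, link target, sha256, sha512 and a CRC) for every entry under a root, round-trips the baseline through JSON as a stored database would, and reports every variance as JSON. The sample tree under a temporary directory is constructed here for the demonstration; zlib.crc32 stands in for sid's crc32c because the Python standard library has no crc32c.

```python
"""Baseline-and-compare file integrity check, in the spirit of NetBSD's sid.

Added example, not sid's own code. zlib.crc32 is used where sid uses crc32c
(an assumption made for a standard-library-only example).
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
import zlib

# Attributes compared between the stored baseline and the live file system.
CHECKED = ("type", "size", "mode", "uid", "gid", "mtime",
           "link", "sha256", "sha512", "crc32")


def _digests(path):
    """Stream a regular file once, computing sha256, sha512 and crc32."""
    sha256, sha512, crc = hashlib.sha256(), hashlib.sha512(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha256.update(chunk)
            sha512.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return sha256.hexdigest(), sha512.hexdigest(), "%08x" % (crc & 0xFFFFFFFF)


def describe(path):
    """Return the checked attributes of one path (lstat: symlinks are not followed)."""
    st = os.lstat(path)
    entry = {
        "type": stat.S_IFMT(st.st_mode),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": st.st_mtime_ns,
        "link": os.readlink(path) if stat.S_ISLNK(st.st_mode) else None,
        "sha256": None, "sha512": None, "crc32": None,
    }
    if stat.S_ISREG(st.st_mode):
        entry["sha256"], entry["sha512"], entry["crc32"] = _digests(path)
    return entry


def baseline(root):
    """Build the known-good database: relative path -> attributes."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = describe(full)
    return db


def compare(root, db):
    """Re-scan root and report missing, added and changed entries."""
    current = baseline(root)
    report = {"missing": [], "added": [], "changed": {}}
    for rel, old in db.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
            continue
        diffs = {k: {"expected": old[k], "actual": new[k]}
                 for k in CHECKED if old[k] != new[k]}
        if diffs:
            report["changed"][rel] = diffs
    report["added"] = sorted(set(current) - set(db))
    return report


def demo():
    """Constructed sample tree: baseline it, tamper with it, and report."""
    root = tempfile.mkdtemp()
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "rc.conf"), "w") as fh:
            fh.write("hostname=box\n")
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:*:0:0::/root:/bin/sh\n")
        os.symlink("rc.conf", os.path.join(etc, "rc.conf.link"))
        # Store and reload the baseline as JSON, as a real database would be.
        db = json.loads(json.dumps(baseline(root)))
        # Tampering: an appended account line, a same-length edit that only the
        # checksums catch, a removed symlink and a new file.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("eve:*:0:0::/:/bin/sh\n")
        with open(os.path.join(etc, "rc.conf"), "w") as fh:
            fh.write("hostname=bux\n")
        os.remove(os.path.join(etc, "rc.conf.link"))
        with open(os.path.join(etc, "rc.local"), "w") as fh:
            fh.write("")
        return compare(root, db)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same-length edit to rc.conf is the case worth noticing: size and permissions are unchanged, so only the checksums flag it, which is why a checker of this kind needs content hashes and not just stat() fields. Run it as a script to see the JSON variance report.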
***

PC-BSD and boot-environments without GRUB (http://lists.pcbsd.org/pipermail/testing/2015-October/010173.html)
- In this month's -CURRENT image of PC-BSD, we began the process of moving back from the GRUB boot-loader, in favor of FreeBSD's
- A couple of patches have been included, which enable boot-environment support via the 4th menus (Thanks Allan) and support for booting ZFS on root via UEFI
- "beadm" has also been updated to seamlessly support both boot-loaders
- No full-disk encryption support yet (hopefully soon), but GRUB is still available in the installer for those who need it
***

Import of IWM wireless to DragonFly (http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/24a8d46a22f9106b0c1466c41ba73460d7d22262)
- Matthew Dillon has recently imported the newer if_iwm driver from FreeBSD -> DragonFly
- Across the internet, users with newer Intel chipsets rejoiced!
- Coupled with the latest Broadwell DRM improvements, DragonFly sounds very ready for the latest laptop chipsets
- Also, looks like progress is being made on i386 removal (http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/cf37dc2040cea9f384bd7d3dcaf24014f441b8a6)
***

Feedback/Questions
- Dan writes in about PCBSD (http://slexy.org/view/s27ZeOiM4t)
- Matt writes in about ZFS (http://slexy.org/view/s219J3ebx5)
- Anonymous writes in about problems booting (http://slexy.org/view/s21uuMAmZb)
***
109: Impish BSD
This week, we have a great interview with Warner Losh of the FreeBSD project! We will be discussing everything from automatic kernel module loading, IO scheduling and of course NanoBSD.

This episode was brought to you by

Interview - Warner Losh - imp@bsdimp.com (imp@bsdimp.com) / @bsdimp (https://twitter.com/bsdimp)
SSD performance and driver auto-loader
108: ServeUp BSD
This week on the show, Allan is heading to Sweden, but we have a great interview with Andrew Pantyukhin to bring you. We will be discussing everything from contributions to FreeBSD, which technologies worked best in the datacenter, config management and more.

This episode was brought to you by

Headlines

Allan is away this week, traveling to Sweden for the ACM womENcourage conference followed by EuroBSDCon, but we have an excellent interview for you, so sit back and enjoy the show. Allan will be back on October 5th, so we look forward to bringing you a live show, with all the details about EuroBSD and more!

Interview - Andrew Pantyukhin - infofarmer@gmail.com (mailto:infofarmer@gmail.com) / @infofarmer (https://twitter.com/infofarmer)
Building products with FreeBSD
107: In their midst
This week, we are going to be talking with Aaron Poffenberger, who has much to share about his first-hand experience in infiltrating Linux conferences with BSD goodness.

This episode was brought to you by

Headlines

Alexander Motin implements CTL High Availability (https://svnweb.freebsd.org/changeset/base/r287621)
- CTL HA allows two "head" nodes to be connected to the same set of disks, safely
- An HA storage appliance usually consists of 2 totally separate servers, connected to a shared set of disks in separate JBOD sleds
- The problem with this setup is that if both machines try to use the disks at the same time, bad things will happen
- With CTL HA, the two nodes can communicate, in this case over a special TCP protocol, to coordinate and make sure they do not step on each other's toes, allowing safe operation
- The CTL HA implementation in FreeBSD can operate in the following four modes:
  - Active/Unavailable -- without interlink between nodes
  - Active/Standby -- with the second node handling only basic LUN discovery and reservation, synchronizing with the first node through the interlink
  - Active/Active -- with both nodes processing commands and accessing the backing storage, synchronizing with the first node through the interlink
  - Active/Proxy -- with the second node working as a proxy, transferring all commands to the first node for execution through the interlink
- The custom TCP protocol has no authentication, so it should never be enabled on public interfaces
- Doc Update (https://svnweb.freebsd.org/base?view=revision&revision=287707)
***

Panel Self-Refresh support lands in DragonFlyBSD (http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/d13e957b0d66a395b3736c43f18972c282bbd58a)
- In what seems like almost weekly improvements being made to the Xorg stack for DragonFly, we now have Panel Self-Refresh landing, thanks to Imre Vadász
- Understanding Panel Self-Refresh (http://www.anandtech.com/show/7208/understanding-panel-self-refresh) and More about Panel Self-Refresh (http://www.hardwaresecrets.com/introducing-the-panel-self-refresh-technology/)
- In a nutshell, the above articles talk about how, in the case of static images on the screen, power savings can be obtained by refreshing static images from display memory (frame-buffer), disabling the video processing of the CPU/GPU and the associated pipeline during the process.
- And just for good measure, Imre also committed some further Intel driver cleanup, reducing the diff with Linux 3.17 (http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/6b231eab9db5ef4d4dc3816487d8e3d48941e0e2)
***

Introducing Sluice, a new ZFS snapshot management tool (https://bitbucket.org/stevedrake/sluice)
- A new ZFS snapshot management tool written in Python and modeled after Apple's Time Machine
- Simple command line interface
- No configuration files; settings are stored as ZFS user properties
- Includes simple remote replication support
- Can operate on remote systems with the zfs://user@host/path@snapname URL schema
- Future feature list includes an "import" command to move files from non-ZFS storage to ZFS and create a snapshot, and "export" to do the inverse
- Thanks to Dan for tipping us about this new project
***

Why WhatsApp only needs 50 engineers for 900 million users (http://www.wired.com/2015/09/whatsapp-serves-900-million-users-50-engineers/)
- Wired has a good write-up on the behind-the-scenes work taking place at WhatsApp
- While the article mentions FreeBSD, it spends the bulk of its discussion on Erlang and using its scalable concurrency and deployment of new code to running processes.
- FB Messenger uses Haskell to accomplish much the same thing, while Google and Mozilla are currently trying to bring the same level of flexibility to Go and Rust respectively.
- video (https://www.youtube.com/watch?v=57Ch2j8U0lk)
- Thanks to Ed for submitting this news item
***

Interview - Aaron Poffenberger - akp@hypernote.com (mailto:akp@hypernote.com) / @akpoff (https://twitter.com/akpoff)
BSD in a strange place
+ KM: Go ahead and tell us about yourself and how did you first get involved with BSD?
+ AJ: You've presented recently at Texas Linux Fest, both on FreeBSD and FreeNAS. What specifically prompted you to do that?
+ KM: What would you say are the main selling points when presenting BSD to Linux users and admins?
+ AJ: On the flip side of this topic, in what areas do you think we could improve BSD to present better to Linux users?
+ KM: What would you specifically recommend to other BSD users or fans who may also want to help present or teach about BSD? Any things specifically to avoid?
+ AJ: What is the typical depth of knowledge you encounter when presenting BSD to a mostly Linux crowd? Any surprises when doing so?
+ KM: Since you have done this before, are you mainly writing your own material or borrowing from other talks that have been done on BSD? Do you think there's a place for some collaboration, maybe having a repository of materials that can be used by other BSD presenters at their local Linux conference / LUG?
+ AJ: Since you are primarily an OpenBSD user, have you thought about doing any talks related to it? Is OpenBSD something on the radar of the typical Linux conference-goer?
+ KM: Is there anything else you would like to mention before we wrap up?

News Roundup

GhostBSD 10.1 released (http://ghostbsd.org/10.1_release_eve)
- GhostBSD has given us a new release; this time it also includes XFCE as an alternative to the MATE desktop
- The installer has been updated to allow using GRUB, BSD loader, or none at all
- It also includes the new OctoPKG manager, which provides a Qt-driven front-end to pkgng
- Thanks to Shawn for submitting this
***

Moving to FreeBSD (https://www.textplain.net/blog/2015/moving-to-freebsd/)
- In this blog post, Randy Westlund takes us through his journey of moving from Gentoo over to FreeBSD
- Inspired in part by systemd, he first spent some time on Wikipedia reading about BSD before taking the plunge to grab FreeBSD and give it a whirl in a VM.
- "My first impression was that installation was super easy. Installing Gentoo is done manually and can be a "fun" weekend adventure if you're not sure what you're doing. I can spin up a new FreeBSD VM in five minutes."
- "There's a man page for everything! And they're well-written! Gentoo has the best documentation of any Linux distro I've used, but FreeBSD is on another level. With a copy of the FreeBSD Handbook and the system man pages, I can actually get things done without tabbing over to Google every five minutes."
- He goes on to mention everything from the init system, Jails, Security, Community and License; a well-rounded article.
- Also gives a nice shout-out to PC-BSD as an even easier way to get started on a FreeBSD journey, thanks!
- Shout out to Matt for tipping us to this blog post
***

OpenBSD Enables GPT by default (https://marc.info/?l=openbsd-cvs&m=144190275908215&w=2)
- Looks like OpenBSD has taken the plunge and enabled GPT by default now
- Ken Westerback does us the honors, by removing the kernel option for GPT
- Users on -CURRENT should give this a whirl, and of course report issues back upstream
- Credit to Jona for writing in about this one
***

DISCUSSION: Are reproducible builds worth-while? (http://www.tedunangst.com/flak/post/reproducible-builds-are-a-waste-of-time)
- In this week's article / rant, Ted takes on the notion of reproducible builds being the end-all be-all for security.
- What about compiler backdoors?
- This does not prevent shellshock, or other bugs in the code itself
- Personally, I'm all in favor; another "trust but verify" mechanism for the distributed binaries, plus it makes it handy to do source builds and not end up with various checksum changes where no code actually changed.
***

Feedback/Questions
- David writes in (http://slexy.org/view/s20Q7XjxNH)
- Possnfiffer writes in (http://slexy.org/view/s2QtE6XzJK)
- Daniel writes in (http://slexy.org/view/s20uloOljw)
***
106: Multipath TCP
This week, we have Nigel Williams here to bring us all sorts of info about Multipath TCP: what it is, how it works and the ongoing effort to bring it into FreeBSD. All that and of course the latest BSD news coming your way, right now!

This episode was brought to you by

Headlines

Backing out changes doesn't always pinpoint the problem (https://blog.crashed.org/dont-backout/)
- Peter Wemm brings us a fascinating look at debugging an issue which occurred on the FreeBSD build cluster recently.
- Bottom line? Backing out something isn't necessarily the fix; rather, it should be a part of the diagnostic process
- In this particular case, a change to some mmap() functionality ended up exposing a bug in the kernel's page fault handler which has existed since (wait for it...) 1997!
- As Peter mentions at the bottom of the article, this bug had been showing up for years, but was sporadic and often written off as a networking hiccup.
***

BSD Router Project benchmarks new routing changes to FreeBSD (https://github.com/ocochard/netbenchs/blob/master/Xeon_E5-2650-8Cores-Chelsio_T540-CR/nXxq10g/results/fbsd11-melifaro.r287531/README.md)
- A project branch of FreeBSD -CURRENT has been created with a number of optimizations to the routing code
- Alexander V. Chernikov's (melifaro@) routing branch (https://svnweb.freebsd.org/base/projects/routing/?view=log)
- The net result is an almost doubling of peak performance in packets per second
- Performance scales well with the number of NIC queues (2 queues is 88% faster than 1 queue, 3 is 270% faster). Unlike the previous code, when the number of queues hits 4, performance is down by only 10%, instead of being cut nearly in half
- Other Benchmark Results, and the tools to do your own tests (https://github.com/ocochard/netbenchs)
***

When is SSL not SSL? (http://www.tedunangst.com/flak/post/the-peculiar-libretunnel-situation)
- Our buddy Ted has a good write-up on a weird situation related to licensing of stunnel and LibreSSL
- The problem exists due to stunnel being released with a different license that is technically incompatible with the GPL, as well as linking against non-OpenSSL versions.
- The author has also decided to create specific named exceptions when the *SSL lib is part of the base operating system, but does not personally consider LibreSSL as a valid linking target on its own
- Ted points out that the LibreSSL team considers LibreSSL == OpenSSL, so this may be a moot concern
***

Update on systembsd (http://darknedgy.net/files/systembsd.pdf)
- We've mentioned the GSoC project to create a systemd shim in OpenBSD before. Now we have the slides from Ian Sutton talking about this project.
- As a refresher, this project is to take DBUS and create daemons emulating various systemd components, such as hostnamed, localed, timedated, and friends.
- Written from scratch in C, it was mainly created in the hopes of becoming a port, allowing Gnome and related tools to function on OpenBSD.
- This is a good read, especially for current or aspiring porters who want to bring over newer versions of applications which now depend upon systemd.
***

Interview - Nigel Williams - njwilliams@swin.edu.au (njwilliams@swin.edu.au)
Multipath TCP

News Roundup

OpenBSD UEFI boot loader (http://marc.info/?l=openbsd-cvs&m=144115942223734&w=2)
- We've mentioned the ongoing work to bring UEFI booting to OpenBSD, and it looks like this has now landed in the tree
- The "fdisk" utility has also been updated with a new -b flag which, when used with "-i", will create the special EFI system partition on amd64/i386 (http://marc.info/?l=openbsd-cvs&m=144139348416071&w=2)
- Some twitter benchmarks (https://twitter.com/mherrb/status/641004331035193344)
***

FreeBSD Journal, July/August issue (https://www.freebsdfoundation.org/journal/vol2_no4/)
- The latest issue of the FreeBSD Journal has arrived
- As always, the Journal opens with a letter from the FreeBSD Foundation
- Feature Articles:
  - Groupon's Deal on FreeBSD -- How to drive adoption of FreeBSD at your organization, and lessons learned in retraining Linux sysadmins
  - FreeBSD: The Isilon Experience -- Mistakes not to make when basing a product on FreeBSD. TL;DR: track head
  - Reflections on FreeBSD.org: Packages -- A status update on where we are with binary packages, what issues have been overcome, and which still remain
  - Inside the Foundation -- An overview of some of the things you might not be aware that the FreeBSD Foundation is doing to support the project and attract the next generation of committers
- Includes a book review of "The Practice of System and Network Administration"
- As usual, various other reports are included: The Ports Report, SVN Update, a conference report, a report from the Essen hackathon, and the Event Calendar
***

Building ARMv6 packages on FreeBSD, the easy way (http://blogs.freebsdish.org/brd/2015/08/25/building-arm-packages-with-poudriere-the-simple-way/)
- Previously we have discussed how to build ARMv6 packages on FreeBSD
- We also interviewed Sean Bruno about his work in this area
- Thankfully, over time this process has been simplified, and no longer requires a lot of manual configuration, or fussing with the "image activator"
- Now, you can just build packages for your Raspberry Pi or similar device, just as simply as you would build for x86; it just takes longer to build.
***

New PC-BSD Release Schedule (http://blog.pcbsd.org/2015/09/new-release-schedule-for-pc-bsd/)
- The PC-BSD Team has announced an updated release schedule for beyond 10.2
- This schedule follows the FreeBSD schedules more closely, with major releases only occurring when FreeBSD does the next point update, or major version bump.
- PC-BSD's source tree has been split into master (current) and stable as well
- PRODUCTION / EDGE packages will be built from stable, with PRODUCTION updated monthly now.
- The -CURRENT monthly images will contain the master source builds.
***

Feedback/Questions
- Joris writes in (http://slexy.org/view/s21cguSv7E)
- Anonymous (http://slexy.org/view/s217A5NNGg)
- Darin (http://slexy.org/view/s20HyiqJV0)
***
105: Virginia BSD Assembly
It's already our two-year anniversary! This time on the show, we'll be chatting with Scott Courtney, vice president of infrastructure engineering at Verisign, about this year's vBSDCon. What's it have to offer in an already-crowded BSD conference space? We'll find out.

This episode was brought to you by

Headlines

OpenBSD hypervisor coming soon (https://www.marc.info/?l=openbsd-tech&m=144104398132541&w=2)
- Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output (http://pastebin.com/raw.php?i=F2Qbgdde) on Twitter recently
- From what little he revealed at the time (https://twitter.com/mlarkin2012/status/638265767864070144), it appeared to be a new hypervisor (https://en.wikipedia.org/wiki/Hypervisor) (that is, x86 hardware virtualization) running on OpenBSD -current, tentatively titled "vmm"
- Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is
- Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD Foundation
- One thing to note: this isn't just a port of something like Xen or bhyve; it's all-new code, and Mike explains why he chose to go that route
- He also answered some basic questions about the requirements, when it'll be available, what OSes it can run, what's left to do, how to get involved and so on
***

Why FreeBSD should not adopt launchd (http://blog.darknedgy.net/technology/2015/08/26/0/)
- Last week (http://www.bsdnow.tv/episodes/2015_08_26-beverly_hills_25519) we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD
- One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we've learned)
- In this article, the author talks about why he thinks this is a bad idea
- He doesn't oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself - this is also explained in more detail
- The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities
- Reddit had quite a bit (https://www.reddit.com/r/BSD/comments/3ilhpk) to say (https://www.reddit.com/r/freebsd/comments/3ilj4i) about this one, some in agreement and some not
***

DragonFly graphics improvements (http://lists.dragonflybsd.org/pipermail/commits/2015-August/458108.html)
- The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack
- This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs
- You should also see some power management improvements, longer battery life and various other bug fixes
- If you're running DragonFly, especially on a laptop, you'll want to get this stuff on your machine quick - big improvements all around
***

OpenBSD tames the userland (https://www.marc.info/?l=openbsd-tech&m=144070638327053&w=2)
- Last week we mentioned OpenBSD's tame framework getting support for file whitelists, and said that the userland integration was next - well, now here we are
- Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools
- It's still a work-in-progress version; there's still more to be added (including the file path whitelist stuff)
- Some classic utilities are even being reworked to make taming them easier - the "w" command (https://www.marc.info/?l=openbsd-cvs&m=144103945031253&w=2), for example
- The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse)
- More discussion can be found on HN (https://news.ycombinator.com/item?id=10135901), as one might expect
- If you're a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release
***

Interview - Scott Courtney - vbsdcon@verisign.com (mailto:vbsdcon@verisign.com) / @verisign (https://twitter.com/verisign)
vBSDCon (http://vbsdcon.com/) 2015

News Roundup

OPNsense, beyond the fork (https://opnsense.org/opnsense-beyond-the-fork)
- We first heard about (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach) OPNsense back in January, and they've since released nearly 40 versions, spanning over 5,000 commits
- This is their first big status update, covering some of the things that've happened since the project was born
- There's been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more - the report touches on a little of everything
***

LibreSSL nukes SSLv3 (http://undeadly.org/cgi?action=article&sid=20150827112006)
- With their latest release, LibreSSL began to turn off SSLv3 (http://disablessl3.com) support, starting with the "openssl" command
- At the time, SSLv3 wasn't disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example)
- They've now flipped the switch, and the process of complete removal has started
- From the Undeadly summary, "This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!"
- With this change and a few more to follow shortly, LibreSSL won't actually support SSL anymore - time to rename it "LibreTLS"
***

FreeBSD MPTCP updated (http://caia.swin.edu.au/urp/newtcp/mptcp/tools/v05/mptcp-readme-v0.5.txt)
- For anyone unaware, Multipath TCP (https://en.wikipedia.org/wiki/Multipath_TCP) is "an ongoing effort of the Internet Engineering Task Force's (IETF) Multipath TCP working group, that aims at allowing a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy."
- There's been work out of an Australian university to add support for it to the FreeBSD kernel, and the patchset was recently updated
- Included in this latest version is an overview of the protocol, how to get it compiled in, current features and limitations and some info about the routing requirements
- Some big performance gains can be had with MPTCP, but only if both the client and server systems support it - getting it into the FreeBSD kernel would be a good start
***

UEFI and GPT in OpenBSD (https://www.marc.info/?l=openbsd-cvs&m=144092912907778&w=2)
- There hasn't been much fanfare about it yet, but some initial UEFI and GPT-related commits have been creeping into OpenBSD recently
- Some support (https://github.com/yasuoka/openbsd-uefi) for UEFI booting has landed in the kernel, and more bits are being slowly enabled after review
- This comes along with a number (https://www.marc.info/?l=openbsd-cvs&m=143732984925140&w=2) of (https://www.marc.info/?l=openbsd-cvs&m=144088136200753&w=2) other (https://www.marc.info/?l=openbsd-cvs&m=144046793225230&w=2) commits (https://www.marc.info/?l=openbsd-cvs&m=144045760723039&w=2) related to GPT, much of which is being refactored and slowly reintroduced
- Currently, you have to do some disklabel wizardry to bypass the MBR limit and access more than 2TB of space on a single drive, but it should "just work" with GPT (once everything's in)
- The UEFI bootloader support has been committed
(https://www.marc.info/?l=openbsd-cvs&m=144115942223734&w=2), so stay tuned for more updates (http://undeadly.org/cgi?action=article&sid=20150902074526&mode=flat) as further (https://twitter.com/kotatsu_mi/status/638909417761562624) progress (https://twitter.com/yojiro/status/638189353601097728) is made *** Feedback/Questions John writes in (http://slexy.org/view/s2sIWfb3Qh) Mason writes in (http://slexy.org/view/s2Ybrx00KI) Earl writes in (http://slexy.org/view/s20FpmR7ZW) ***
104: Beverly Hills 25519
Coming up this week on the show, we'll be talking with Damien Miller of the OpenSSH team. Their 7.0 release has some major changes, including phasing out older crypto and changing one of the defaults that might surprise you.
This episode was brought to you by
Headlines
EdgeRouter Lite, meet OpenBSD (http://www.tedunangst.com/flak/post/OpenBSD-on-ERL)
The ERL, much like the Raspberry Pi and a bunch of other cheap boards, is getting more and more popular as more things get ported to run on it
We've covered installing NetBSD and FreeBSD on them before, but OpenBSD has gotten a lot better support for them as well now (including the onboard storage in 5.8)
Ted Unangst got a hold of one recently and kindly wrote up some notes about installing and using OpenBSD on it
He covers doing a network install, getting the (slightly strange) bootloader working with u-boot and some final notes about the hardware
More discussion can be found on Hacker News (https://news.ycombinator.com/item?id=10079210) and various (https://www.reddit.com/r/openbsd/comments/3hgf2c) other (https://www.marc.info/?t=143974140500001&r=1&w=2) places (https://lobste.rs/s/acz9bu/openbsd_on_edgerouter_lite)
One thing to note (https://www.marc.info/?l=openbsd-misc&m=143991822827285&w=2) about these devices: because of their MIPS64 processor, they'll have weaker ASLR than x86 CPUs (and no W^X at all)
***
Design and Implementation of the FreeBSD Operating System interview (http://www.infoq.com/articles/freebsd-design-implementation-review)
For those who don't know, the "Design and Implementation of the FreeBSD Operating System" is a semi-recently-revived technical reference book for FreeBSD development
InfoQ has a review of the book up for anyone who might be interested, but they also have an interview with the authors
"The book takes an approach to FreeBSD from inside out, starting with kernel services, then moving to process and memory management, I/O and devices, filesystems, IPC and network protocols, and finally system startup and shutdown. The book provides dense, technical information in a clear way, with lots of pseudo-code, diagrams, and tables to illustrate the main points."
Aside from detailing a few of the chapters, the interview covers who the book's target audience is, some history of the project, long-term support, some of the newer features and some general OS development topics
***
Path list parameter in OpenBSD tame (https://www.marc.info/?l=openbsd-cvs&m=144027474117290&w=2)
We've mentioned OpenBSD's relatively new "tame (https://marc.info/?l=openbsd-tech&m=143725996614627&w=2)" subsystem a couple times before: it's an easy-to-implement "self-containment" framework, allowing programs to have a reduced feature set mode with even fewer privileges
One of the early concerns from users of other process containment tools was that tame was too broad in the way it separated disk access - you could either read/write files or not, nothing in between
Now there's the option to create a whitelist of specific files and directories that your binary is allowed to access, giving a much finer-grained set of controls to developers
The next step is to add tame restraints to the OpenBSD userland utilities, which should probably be done by 5.9
More discussion can be found on Reddit (https://www.reddit.com/r/openbsd/comments/3i2lk7) and Hacker News (https://news.ycombinator.com/item?id=10104886)
***
FreeBSD & PC-BSD 10.2-RELEASE (https://www.freebsd.org/releases/10.2R/announce.html)
The FreeBSD team has released the second minor version bump to the 10.x branch, including all the fixes from 10-STABLE since 10.1 came out
The Linux compatibility layer has been updated to support CentOS 6, rather than the much older Fedora Core base used previously, and the DRM graphics code has been updated to match Linux 3.8.13
New installations (and newly-upgraded systems) will use the quarterly binary package set, rather than the rolling release model that most people are used to
A VXLAN driver was added, allowing you to create virtual LANs by encapsulating the ethernet frame in a UDP packet
The bhyve codebase is much newer, enabling support for AMD CPUs with SVM and AMD-V extensions
ARM and ARM64 code saw some fixes and improvements, including SMP support on a few specific boards and support for a few new boards
The bootloader now supports entering your GELI passphrase before loading the kernel in full disk encryption setups
In addition to assorted userland fixes and driver improvements, various third party tools in the base system were updated: resolvconf, ISC NTPd, netcat, file, unbound, OpenSSL, sendmail
Check the full release notes (https://www.freebsd.org/releases/10.2R/relnotes.html) for the rest of the details and changes
PC-BSD also followed with their 10.2-RELEASE (http://blog.pcbsd.org/2015/08/pc-bsd-10-2-release-now-available), sporting a few additional features
***
Interview - Damien Miller - djm@openbsd.org (mailto:djm@openbsd.org) / @damienmiller (https://twitter.com/damienmiller)
OpenSSH: phasing out broken crypto, default cipher changes
News Roundup
NetBSD at Open Source Conference Shimane (https://mail-index.netbsd.org/netbsd-advocacy/2015/08/22/msg000692.html)
We weren't the only ones away at conferences last week - the Japanese NetBSD guys are always raiding one event or another
This time they had NetBSD running on some Sony NWS devices (MIPS-based)
JavaStations (https://en.wikipedia.org/wiki/JavaStation) were also on display - something we haven't ever seen before (made between 1996-2000)
***
BAFUG videos (https://www.youtube.com/watch?v=-XF20nitI90)
The Bay Area FreeBSD users group has been uploading some videos of their recent meetings
Devin Teske hosts the first one, discussing adding GELI support to the bootloader, including some video demonstrations of how it works
Shortly after beginning, Adrian Chadd takes over the conversation and they discuss various problems (and solutions) related to the bootloader - for example, how can we type encryption passwords with non-US keyboard layouts
In a second video (https://www.youtube.com/watch?v=49sPYHh473U), Jordan Hubbard and Kip Macy introduce "NeXTBSD aka FreeBSD X"
In it, they discuss their ideas of merging more Mac OS X features into FreeBSD (launchd to replace the init system, some APIs, etc)
People should record presentations at their BSD users groups and send them to us
***
L2TP over IPSEC on OpenBSD (http://frankgroeneveld.nl/2015/08/16/configuring-l2tp-over-ipsec-on-openbsd-for-mac-os-x-clients)
If you've got an OpenBSD box and some Mac OS X clients that need secure communications, surprise: they can work together pretty well
Using only the base tools in both operating systems, you can build a nice IPSEC setup for tunneling all your traffic
This guide specifically covers L2TP, using npppd and pre-shared keys
Server setup, client setup, firewall configuration and routing-related settings are all covered in detail
***
Reliable bare metal with TrueOS (http://www.tubsta.com/2015/08/reliable-bare-metal-server-using-trueosfreebsd)
Imagine a server version of PC-BSD with some useful utilities preinstalled - that's basically TrueOS
This article walks you through setting up a FreeBSD -CURRENT server (using TrueOS) to create a pretty solid backup solution
Most importantly, he also covers how to keep everything redundant and deal with hard drives failing
The author chose to go with the -CURRENT branch because of the delay between regular releases, and newer features not making their way to users as fast as he'd like
Another factor is that there are no binary snapshots of FreeBSD -CURRENT that can be easily used for in-place upgrades, but with TrueOS (and some other BSDs) there are
***
Kernel W^X on i386 (https://www.marc.info/?l=openbsd-cvs&m=144047868127049&w=2)
We mentioned some big W^X kernel changes in OpenBSD a while back (https://www.marc.info/?l=openbsd-tech&m=142120787308107&w=2), but the work was mainly for the x86_64 CPU architecture (which makes sense; that's what most people run now)
Mike Larkin is back again, and isn't leaving the people with older hardware out, committing similar kernel work into the i386 platform now as well
Check out our interview with Mike (http://www.bsdnow.tv/episodes/2015_05_13-exclusive_disjunction) for some more background info on memory protections like W^X
***
Feedback/Questions
Markus writes in (http://slexy.org/view/s2iGoeYMyb)
Sean writes in (http://slexy.org/view/s21bIFfmUS)
Theo writes in (http://slexy.org/view/s21Hjm8Tsa)
***
103: Ubuntu Slaughters Kittens
Allan's away at BSDCam this week, but we've still got an exciting episode for you. We sat down with Bryan Cantrill, CTO of Joyent, to talk about a wide variety of topics: dtrace, ZFS, pkgsrc, containers and much more. This is easily our longest interview to date!
This episode was brought to you by
Interview - Bryan Cantrill - bryan@joyent.com (mailto:bryan@joyent.com) / @bcantrill (https://twitter.com/bcantrill)
BSD and Solaris history, illumos, dtrace, Joyent, pkgsrc, various topics (and rants)
Feedback/Questions
Randy writes in (http://slexy.org/view/s2b6dA7fAr)
Jared writes in (http://slexy.org/view/s2vABMHiok)
Steve writes in (http://slexy.org/view/s2194ADVUL)
***
102: May Contain ZFS
This week on the show, we'll be talking with Peter Toth. He's got a jail management system called "iocage" that's been getting pretty popular recently. Have we finally found a replacement for ezjail? We'll see how it stacks up.
This episode was brought to you by
Headlines
FreeBSD on Olimex RT5350F-OLinuXino (https://www.bidouilliste.com/blog/2015/07/22/FreeBSD-on-Olimex-RT5350F-OLinuXino)
If you haven't heard of the RT5350F-OLinuXino-EVB, you're not alone (actually, we probably couldn't even remember the name if we did know about it)
It's a small board with a MIPS CPU, two ethernet ports, wireless support and... 32MB of RAM
This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
In part two of the series (https://www.bidouilliste.com/blog/2015/07/24/FreeBSD-on-Olimex-RT5350F-OLinuXino-Part-2), he talks about the GPIO and how you can configure it
Part three is still in the works, so check the site later on for further progress and info
***
The modern OpenBSD home router (https://www.azabani.com/2015/08/06/modern-openbsd-home-router.html)
In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway (http://www.bsdnow.tv/tutorials/openbsd-router) for his home network
"It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst"
Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
This guide also covers PPP and IPv6, in case you have those requirements
In a similar but unrelated series (http://jaytongarnett.blogspot.com/2015/07/openbsd-router-bt-home-hub-5-replacement.html), another user does a similar thing - his post also includes details on reusing your consumer router as a wireless bridge
He also has a separate post (http://jaytongarnett.blogspot.com/2015/08/openbsd-l2tpipsec-vpn-works-with.html) for setting up an IPSEC VPN on the router
***
NetBSD at Open Source Conference 2015 Kansai (https://mail-index.netbsd.org/netbsd-advocacy/2015/08/10/msg000691.html)
The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
And what conference would be complete without an LED-powered towel
***
OpenSSH 7.0 released (https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-August/034289.html)
The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
SSHv1 support is disabled, the 1024-bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
The syntax for permitting root logins has been changed, and is now called "prohibit-password" instead of "without-password" (this makes it so root can log in, but only with keys) - all interactive authentication methods for root are also disabled by default now
If you're using an older configuration file, the "without-password" option still works, so no change is required
You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentication
Various bug fixes and documentation improvements are also included
Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged-in users
In the next release, even more deprecation is planned: RSA keys will be refused if they're under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled
***
Interview - Peter Toth - peter.toth198@gmail.com (mailto:peter.toth198@gmail.com) / @pannonp (https://twitter.com/pannonp)
Containment with iocage (https://github.com/iocage/iocage)
News Roundup
More c2k15 reports (http://undeadly.org/cgi?action=article&sid=20150809105132)
A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
Alexander Bluhm's up first, and he continued improving OpenBSD's regression test suite (this ensures that no changes accidentally break existing things)
He also worked on syslogd, completing the TCP input code - the syslogd in 5.8 will have TLS support for secure remote logging
Renato Westphal sent in a report (http://undeadly.org/cgi?action=article&sid=20150811171006) of his very first hackathon
He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) - the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
Philip Guenther also wrote in (http://undeadly.org/cgi?action=article&sid=20150809165912), getting some very technical and low-level stuff done at the hackathon
His report opens with "First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking." - not exactly beginner stuff
There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well
***
FreeBSD jails, the hard way (https://clinta.github.io/freebsd-jails-the-hard-way)
As you learned from our interview this week, there's quite a selection of tools available to manage your jails
This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
Unlike with iocage, ZFS isn't actually a requirement for this method
If you are using it, though, you can make use of snapshots for making template jails
***
OpenSSH hardware tokens (http://www.tancsa.com/mdtblog/?p=73)
We've talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
This blog post will show you how to use a hardware token as a second authentication factor, for the "something you know, something you have" security model
It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too
***
LibreSSL 2.2.2 released (http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.2-relnotes.txt)
The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don't want in a crypto tool...) and much more
SSLv3 support was removed from the "openssl" command, and only a few other SSLv3 bits remain - once workarounds are found for ports that specifically depend on it, it'll be removed completely
Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
It'll be in 5.8 (due out earlier than usual) and it's in the FreeBSD ports tree as well
***
Feedback/Questions
James writes in (http://slexy.org/view/s216lrsVVd)
Stuart writes in (http://slexy.org/view/s20uGUHWLr)
***
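As an added example (not from the show or from the OpenSSH project), the following POSIX shell script audits an sshd_config for the legacy settings the OpenSSH 7.0 item above says are disabled or scheduled for removal, and runs it over two constructed sample configurations. It assumes only the standard sshd_config keywords (Protocol, PermitRootLogin, KexAlgorithms, Ciphers, MACs) and that sshd honours the first occurrence of a keyword.

```shell
#!/bin/sh
# audit_sshd_config FILE: print one finding per line for settings that
# OpenSSH 7.0 disables (SSHv1, diffie-hellman-group1-sha1, the old
# "without-password" spelling) or announces for removal next (CBC ciphers,
# hmac-md5).  Exit status 0 when nothing was found, 1 otherwise.
audit_sshd_config() {
    cfg="$1"
    findings=0

    # Strip comments, blank lines and leading whitespace; keywords are
    # matched case-insensitively below, as sshd itself does.
    norm=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/^[[:space:]]*//' "$cfg")

    # 1. SSHv1: any Protocol line that lists version 1 ("1", "2,1", "1,2")
    if printf '%s\n' "$norm" | grep -Eiq '^protocol[[:space:]]+([0-9],)*1([^0-9]|$)'; then
        echo "Protocol: SSHv1 listed; 7.0 disables it, use 'Protocol 2'"
        findings=$((findings + 1))
    fi

    # 2. Root login.  sshd uses the first occurrence of a keyword, so take
    #    the first PermitRootLogin line; 'yes' permits password logins,
    #    'without-password' is the pre-7.0 name for 'prohibit-password'.
    root=$(printf '%s\n' "$norm" | grep -Ei '^permitrootlogin[[:space:]]' \
           | head -n 1 | awk '{print tolower($2)}')
    case "$root" in
        yes)
            echo "PermitRootLogin yes: root may log in with a password; prefer 'prohibit-password'"
            findings=$((findings + 1)) ;;
        without-password)
            echo "PermitRootLogin without-password: still accepted, renamed 'prohibit-password' in 7.0"
            findings=$((findings + 1)) ;;
    esac

    # 3. The 1024-bit diffie-hellman-group1-sha1 key exchange
    if printf '%s\n' "$norm" | grep -Ei '^kexalgorithms[[:space:]]' \
           | grep -q 'diffie-hellman-group1-sha1'; then
        echo "KexAlgorithms: diffie-hellman-group1-sha1 (1024-bit) listed; disabled by default in 7.0"
        findings=$((findings + 1))
    fi

    # 4. CBC-mode ciphers and the MD5 HMAC, announced for removal after 7.0
    if printf '%s\n' "$norm" | grep -Ei '^ciphers[[:space:]]' | grep -q -- '-cbc'; then
        echo "Ciphers: CBC-mode cipher listed; scheduled to be disabled after 7.0"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$norm" | grep -Ei '^macs[[:space:]]' | grep -q 'hmac-md5'; then
        echo "MACs: hmac-md5 listed; scheduled to be disabled after 7.0"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# --- Constructed sample configurations (demonstration data, not real hosts) ---
LEGACY_CFG=$(mktemp)
cat > "$LEGACY_CFG" <<'EOF'
# pre-7.0 style settings, every one of them flagged by the audit
Protocol 2,1
PermitRootLogin without-password
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
Ciphers aes128-cbc,aes256-ctr
MACs hmac-md5,hmac-sha2-256
EOF

MODERN_CFG=$(mktemp)
cat > "$MODERN_CFG" <<'EOF'
Protocol 2
PermitRootLogin prohibit-password
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256-etm@openssh.com
EOF

echo "== legacy sample =="
audit_sshd_config "$LEGACY_CFG" || echo "(needs attention before/after upgrading to 7.0)"
echo "== modern sample =="
audit_sshd_config "$MODERN_CFG" && echo "(clean)"
```

Point it at a real file with `audit_sshd_config /etc/ssh/sshd_config` to check a host before the upgrade; the checks are string matches on the configuration, not a replacement for `sshd -T` on the running version.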
101: I'll Fix Everything
Coming up this week, we'll be talking with Adrian Chadd about an infamous reddit thread he made. With a title like "what would you like to see in FreeBSD?" and hundreds of responses, well, we've got a lot to cover...
This episode was brought to you by
Headlines
OpenBSD, from distribution to project (http://www.tedunangst.com/flak/post/from-distribution-to-project)
Ted Unangst has yet another interesting blog post up, this time covering a bit of BSD history and some different phases OpenBSD has been through
It's the third part of his ongoing (http://www.openbsd.org/papers/pruning.html) series (http://www.tedunangst.com/flak/post/out-with-the-old-in-with-the-less) of posts about OpenBSD removing large bits of code in favor of smaller replacements
In the earliest days, OpenBSD collected and maintained code from lots of other projects (Apache, lynx, perl..)
After importing new updates every release cycle, they eventually hit a transitional phase - things were updated, but nothing new was imported
When the need arose, instead of importing a known tool to do the job, homemade replacements (OpenNTPD, OpenBGPD, etc) were slowly developed
In more recent times, a lot of the imported code has been completely removed in favor of the homegrown daemons
More discussion on HN (https://news.ycombinator.com/item?id=9980373) and reddit (https://www.reddit.com/r/openbsd/comments/3f9o19/from_distribution_to_project/)
***
Remote ZFS mirrors, the hard way (https://github.com/hughobrien/zfs-remote-mirror)
Backups to "the cloud" have become a hot topic in recent years, but most of them require trade-offs between convenience and security
You have to trust (some of) the providers not to snoop on your data, but even the ones who allow you to locally encrypt files aren't without some compromise
As the author puts it: "We don't need live synchronisation, cloud scaling, SLAs, NSAs, terms of service, lock-ins, buy-outs, up-sells, shut-downs, DoSs, fail whales, pay-us-or-we'll-deletes, or any of the noise that comes with using someone else's infrastructure."
This guide walks you through setting up a FreeBSD server with ZFS to do secure offsite backups yourself
The end result is an automatic system for incremental backups that's backed (pun intended) by ZFS
If you're serious about keeping your important data safe and sound, you'll want to give this one a read - lots of detailed instructions
***
Various DragonFlyBSD updates (http://lists.dragonflybsd.org/pipermail/commits/2015-July/419064.html)
The DragonFly guys have been quite busy this week, making an assortment of improvements throughout the tree
Intel ValleyView graphics support was finally committed to the main repository
While on the topic of graphics, they've also issued a call for testing (http://lists.dragonflybsd.org/pipermail/users/2015-July/207923.html) for a DRM update (matching Linux 3.16's and including some more Broadwell fixes)
Their base GCC compiler is also now upgraded to version 5.2 (http://lists.dragonflybsd.org/pipermail/commits/2015-July/419045.html)
If your hardware supports it, DragonFly will now use an accelerated console by default (http://lists.dragonflybsd.org/pipermail/commits/2015-July/419070.html)
***
QuakeCon runs on OpenBSD (https://youtu.be/mOv62lBdlXU?t=292)
QuakeCon (https://en.wikipedia.org/wiki/QuakeCon), everyone's favorite event full of rocket launchers, recently gave a mini-tour of their network setup
For such a crazy network, unsurprisingly, they seem to be big fans of OpenBSD and PF
In this video interview, one of the sysadmins discusses why he chose OpenBSD, what he likes about it, different packet queueing systems, how their firewalls and servers are laid out and much more
He also talks about why they went with vanilla PF, writing their ruleset from the ground up rather than relying on a prebuilt solution
There's also some general networking talk about nginx, reverse proxies, caching, fiber links and all that good stuff
Follow-up questions can be asked in this reddit thread (https://www.reddit.com/r/BSD/comments/3f43fh/bsd_runs_quakecon/)
The host doesn't seem to be that familiar with the topics at hand, mentioning "OpenPF" multiple times among other things, so our listeners should get a kick out of it
***
Interview - Adrian Chadd - adrian@freebsd.org (mailto:adrian@freebsd.org) / @erikarn (https://twitter.com/erikarn)
Rethinking ways to improve FreeBSD (https://www.reddit.com/r/freebsd/comments/3d80vt)
News Roundup
CII contributes to OpenBSD (http://undeadly.org/cgi?action=article&sid=20150804161939)
If you recall back to when we talked to the OpenBSD foundation (http://www.bsdnow.tv/episodes/2015_02_25-from_the_foundation_2), one of the things Ken mentioned was the Core Infrastructure Initiative (https://www.coreinfrastructure.org)
In a nutshell (https://www.coreinfrastructure.org/faq), it's an organization of security experts that helps facilitate (with money, in most cases) the advancement of the more critical open source components of the internet
The group is organized by the Linux foundation, and gets its multi-million dollar backing from various big companies in the technology space (and donations from volunteers)
To ensure that OpenBSD and its related projects (OpenSSH, LibreSSL and PF likely being the main ones here) remain healthy, they've just made a large donation to the foundation - this makes them the first (http://www.openbsdfoundation.org/contributors.html) "platinum" level donor as well
While the exact amount wasn't disclosed, it was somewhere between $50,000 and $100,000
The donation comes less than a month after Microsoft's big donation (http://undeadly.org/cgi?action=article&sid=20150708134520), so it's good to see these large organizations helping out important open source projects that we depend on every day
***
Another BSDCan report (http://freebsdfoundation.blogspot.com/2015/07/bsdcan-2015-trip-report-mark-linimon.html)
The FreeBSD foundation is still getting trip reports from BSDCan, and this one comes from Mark Linimon
In his report, he mainly covers the devsummit and some discussion with the portmgr team
One notable change for the upcoming 10.2 release is that the default binary repository is now the quarterly branch - Mark talks a bit about this as well
He also gives his thoughts on using QEMU for cross-compiling packages (http://www.bsdnow.tv/episodes/2015_03_04-just_add_qemu) and network performance testing
***
Lumina 0.8.6 released (http://blog.pcbsd.org/2015/08/lumina-desktop-0-8-6-released/)
The PC-BSD team has released another version of Lumina (http://www.lumina-desktop.org/), their BSD-licensed desktop environment
This is mainly a bugfix and performance improvement release, rather than one with lots of new features
The on-screen display widget should be much faster now, and the configuration now allows for easier selection of default applications (which browser, which terminal, etc)
Lots of non-English translation updates and assorted fixes are included as well
If you haven't given it a try yet, or maybe you're looking for a new window manager, Lumina runs on all the BSDs
***
More c2k15 hackathon reports (http://undeadly.org/cgi?action=article&sid=20150730180506)
Even more reports from OpenBSD's latest hackathon are starting to pour in
The first one is from Alexandr Nedvedicky, one of their brand new developers (the guy from Oracle)
He talks about his experience going to a hackathon for the first time, and lays out some of the plans for integrating their (very large) SMP PF patch into OpenBSD
Second up is Andrew Fresh (http://undeadly.org/cgi?action=article&sid=20150731191156&mode=flat), who went without any specific plans, but still ended up getting some UTF8 work done
On the topic of ARMv7, "I did enjoy being there when things weren't working so [Brandon Mercer] could futilely try to explain the problem to me (I wasn't much help with kernel memory layouts). Fortunately others overheard and provided words of encouragement and some help which was one of my favorite parts of attending this hackathon."
Florian Obser sent in a report that includes a little bit of everything (http://undeadly.org/cgi?action=article&sid=20150805151453): setting up the hackathon's network, relayd and httpd work, bidirectional forwarding detection, airplane stories and even lots of food
Paul Irofti wrote in as well (http://undeadly.org/cgi?action=article&sid=20150801100002&mode=flat) about his activities, which were mainly focused on the Octeon CPU architecture
He wrote a new driver for the onboard flash of a DSR-500 machine, which was built following the Common Flash Interface specification
This means that, going forward, OpenBSD will have out-of-the-box support for any flash memory device that follows that specification (often the case for MIPS and ARM-based embedded devices)
***
Feedback/Questions
Hamza writes in (http://slexy.org/view/s205kqTEIj)
Florian writes in (http://slexy.org/view/s2ogIP6cEf)
Dominik writes in (http://slexy.org/view/s214xE9ulK)
***