
Created by three guys who love BSD, we cover the latest news and have an extensive series of tutorials, as well as interviews with various people from all areas of the BSD community. It also serves as a platform for support and questions. We love and advocate FreeBSD, OpenBSD, NetBSD, DragonFlyBSD and TrueOS. Our show aims to be helpful and informative for new users that want to learn about them, but still be entertaining for the people who are already pros. The show airs on Wednesdays at 2:00PM (US Eastern time) and the edited version is usually up the following day.
100: Straight from the Src
We've finally reached a hundred episodes, and this week we'll be talking to Sebastian Wiedenroth about pkgsrc. Though originally a NetBSD project, now it runs pretty much everywhere, and he even runs a conference about it! This episode was brought to you by

Headlines

Remote DoS in the TCP stack (https://blog.team-cymru.org/2015/07/another-day-another-patch/)
A pretty devious bug in the BSD network stack has been making its rounds for a while now, allowing remote attackers to exhaust the resources of a system with nothing more than TCP connections
While in the LAST_ACK state, which is one of the final stages of a connection's lifetime, the connection can get stuck and hang there indefinitely
This problem has a slightly confusing history that involves different fixes at different points in time from different people
Juniper originally discovered the bug and announced a fix (https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10686) for their proprietary networking gear on June 8th
On June 29th, FreeBSD caught wind of it and fixed the bug in their -current branch (https://svnweb.freebsd.org/base/head/sys/netinet/tcp_output.c?view=patch&r1=284941&r2=284940&pathrev=284941), but did not issue a security notice or MFC the fix back to the -stable branches
On July 13th, two weeks later, OpenBSD fixed the issue (https://www.marc.info/?l=openbsd-cvs&m=143682919807388&w=2) in their -current branch with a slightly different patch, citing the FreeBSD revision from which the problem was found
Immediately afterwards, they merged it back to -stable and issued an errata notice (http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/010_tcp_persist.patch.sig) for 5.7 and 5.6
On July 21st, three weeks after their original fix, FreeBSD committed yet another slightly different fix (https://svnweb.freebsd.org/base/head/sys/netinet/tcp_output.c?view=patch&r1=285777&r2=285776&pathrev=285777) and issued a security notice (https://lists.freebsd.org/pipermail/freebsd-announce/2015-July/001655.html) for the problem (which didn't include the first fix)
After the second fix from FreeBSD, OpenBSD gave them both another look and found their single fix to be sufficient, covering the timer issue in a more general way
NetBSD confirmed they were vulnerable too, and applied another completely different fix (http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c.diff?r1=1.183&r2=1.184&only_with_tag=MAIN) to -current on July 24th, but haven't released a security notice yet
DragonFly is also investigating the issue now to see if they're affected as well
***

c2k15 hackathon reports (http://undeadly.org/cgi?action=article&sid=20150721180312&mode=flat)
Reports from OpenBSD's latest hackathon (http://www.openbsd.org/hackathons.html), held in Calgary this time, are starting to roll in (there were over 40 devs there, so we might see a lot more of these)
The first one, from Ingo Schwarze, talks about some of the mandoc work he did at the event
He writes, "Did you ever look at a huge page in man, wanted to jump to the definition of a specific term - say, in ksh, to the definition of the "command" built-in command - and had to step through dozens of false positives with the less '/' and 'n' search keys before you finally found the actual definition?"
With mandoc's new internal jump targets, this is a problem of the past now
Jasper also sent in a report (http://undeadly.org/cgi?action=article&sid=20150723124332&mode=flat), doing his usual work with Puppet (and specifically "Facter," a tool used by Puppet to gather various bits of system information)
Aside from that and various ports-related work, Jasper worked on adding tame support to some userland tools, fixing some Octeon stuff and introduced something that OpenBSD has oddly lacked until now: an "-i" flag for sed (hooray!)
Antoine Jacoutot gave a report (http://undeadly.org/cgi?action=article&sid=20150722205349&mode=flat) on what he did at the hackathon as well, including improvements to the rcctl tool (for configuring startup services)
It now has an "ls" subcommand with status parsing, allowing you to list running services, stopped services or even ones that failed to start or are supposed to be running (he calls this "the poor man's service monitoring tool")
He also reworked some of the rc.d system to allow multiple instances of the same daemon to run more smoothly (using tor with different config files as an example)
His list also included updating ports, updating ports documentation, updating the hotplug daemon and laying out some plans for automatic sysmerge for future upgrades
Foundation director Ken Westerback was also there (http://undeadly.org/cgi?action=article&sid=20150722105658&mode=flat), getting some disk-related and laptop work done
He cleaned up and committed the 4k sector softraid code that he'd been working on, as well as fixing some trackpad issues
Stefan Sperling, OpenBSD's token "wireless guy," had a lot to say (http://undeadly.org/cgi?action=article&sid=20150722182236&mode=flat) about the hackathon and what he did there (and even sent in his write-up before he got home)
He taught tcpdump about some new things, including 802.11n metadata beacons (there's a lot more specific detail about this one in the report)
Bringing a bag full of USB wireless devices with him, he set out to get the unsupported ones working, as well as fix some driver bugs in the ones that already did work
One quote from Stefan's report that a lot of people seem to be talking about: "Partway through the hackathon tedu proposed an old diff of his to make our base ls utility display multi-byte characters. This led to a long discussion about how to expand UTF-8 support in base. The conclusion so far indicates that single-byte locales (such as ISO-8859-1 and KOI-8) will be removed from the base OS after the 5.8 release is cut. This simplifies things because the whole system only has to care about a single character encoding. We'll then have a full release cycle to bring UTF-8 support to more base system utilities such as vi, ksh, and mg. To help with this plan, I started organizing a UTF-8-focused hackathon for some time later this year."
Jeremy Evans wrote in (http://undeadly.org/cgi?action=article&sid=20150725180527&mode=flat) to talk about updating lots of ports, moving the ruby ports up to the latest version and also creating perl and ruby wrappers for the new tame subsystem
While he's mainly a ports guy, he got to commit fixes to ports, the base system and even the kernel during the hackathon
Rafael Zalamena, who got commit access at the event, gives his very first report (http://undeadly.org/cgi?action=article&sid=20150725183439&mode=flat) on his networking-related hackathon activities
With Rafael's diffs and help from a couple other developers, OpenBSD now has support for VPLS (https://en.wikipedia.org/wiki/Virtual_Private_LAN_Service)
Jonathan Gray got a lot done (http://undeadly.org/cgi?action=article&sid=20150728184743&mode=flat) in the area of graphics, working on OpenGL and Mesa, updating libdrm and even working with upstream projects to remove some GNU-specific code
As he's become somewhat known for, Jonathan was also busy running three things in the background: clang's fuzzer, cppcheck and AFL (looking for any potential crashes to fix)
Martin Pieuchot gave a write-up (http://undeadly.org/cgi?action=article&sid=20150724183210&mode=flat) on his experience: "I always thought that hackathons were the best place to write code, but what's even more important is that they are the best (well actually only) moment where one can discuss and coordinate projects with other developers IRL. And that's what I did."
He laid out some plans for the wireless stack, discussed future plans for PF, made some routing table improvements and did various other bits to the network stack
Unfortunately, most of Martin's secret plans seem to have been left intentionally vague, and will start to take form in the next release cycle
We're still eagerly awaiting a report from one of OpenBSD's newest developers (https://twitter.com/phessler/status/623291827878137856), Alexandr Nedvedicky (the Oracle guy who's working on SMP PF and some other PF fixes)
OpenBSD 5.8's "beta" status was recently reverted, with the message "take that as a hint (https://www.marc.info/?l=openbsd-cvs&m=143766883514831&w=2)," so that may mean more big changes are still to come...
***

FreeBSD quarterly status report (https://www.freebsd.org/news/status/report-2015-04-2015-06.html)
FreeBSD has published their quarterly status report for the months of April to June, citing it to be the largest one so far
It's broken down into a number of sections: team reports, projects, kernel, architectures, userland programs, ports, documentation, Google Summer of Code and miscellaneous others
Starting off with the cluster admin, some machines were moved to the datacenter at New York Internet, email services are now more resilient to failure, the svn mirrors (now just "svn.freebsd.org") are now using GeoDNS with official SSL certs and general redundancy was increased
In the release engineering space, ARM and ARM64 work continues to improve on the Cavium ThunderX, more focus is being put into cloud platforms and the 10.2-RELEASE cycle is reaching its final stages
The core team has been working on phabricator, the fancy review system, and is considering integrating oauth support soon
Work also continues on bhyve, and more operating systems are slowly gaining support (including the much-rumored Windows Server 2012)
The report also covers recent developments in the Linux emulation layer, and encourages people using 11-CURRENT to help test out the 64bit support
Multipath TCP was also a hot topic, and there's a brief summary of the current status on that patch (it will be available publicly soon)
ZFSguru, a project we haven't talked about a lot, also gets some attention in the report - version 0.3 is set to be completed in early August
PCIe hotplug support is also mentioned, though it's still in the development stages (basic hot-swap functions are working though)
The official binary packages are now built more frequently than before with the help of additional hardware, so AMD64 and i386 users will have fresher ports without the need for compiling
Various other small updates on specific areas of ports (KDE, XFCE, X11...) are also included in the report
Documentation is a strong focus as always: a number of new documentation committers were added and some of the translations have been improved a lot
Many other topics were covered, including foundation updates, conference plans, pkgsrc support in pkgng, ZFS support for UEFI boot and much more
***

The OpenSSH bug that wasn't (http://bsdly.blogspot.com/2015/07/the-openssh-bug-that-wasnt.html)
There's been a lot of discussion (https://www.marc.info/?t=143766048000005&r=1&w=2) about a supposed flaw (https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/) in OpenSSH, allowing attackers to substantially amplify the number of password attempts they can try per session (without leaving any abnormal log traces, even)
There's no actual exploit to speak of; this bug would only help someone get more bruteforce tries in with fewer connections (https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-July/034209.html)
FreeBSD in its default configuration, with PAM (https://en.wikipedia.org/wiki/Pluggable_authentication_module) and ChallengeResponseAuthentication enabled, was the only one vulnerable to the problem - not upstream OpenSSH (https://www.marc.info/?l=openbsd-misc&m=143767296016252&w=2), nor any of the other BSDs, and not even the majority of Linux distros
If you disable all forms of authentication except public keys, like you're supposed to (https://stribika.github.io/2015/01/04/secure-secure-shell.html), then this is also not a big deal for FreeBSD systems
Realistically speaking, it's more of a PAM bug (https://www.marc.info/?l=openbsd-misc&m=143782167322500&w=2) than anything else
OpenSSH added an additional check (https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab) for this type of setup that will be in 7.0, but simply changing your sshd_config is enough to mitigate the issue for now on FreeBSD (or you can run freebsd-update (https://lists.freebsd.org/pipermail/freebsd-security-notifications/2015-July/000248.html))
***

Interview - Sebastian Wiedenroth - wiedi@netbsd.org (mailto:wiedi@netbsd.org) / @wied0r (https://twitter.com/wied0r)
pkgsrc (https://en.wikipedia.org/wiki/Pkgsrc) and pkgsrcCon (http://pkgsrc.org/pkgsrcCon/)

News Roundup

Now served by OpenBSD (https://tribaal.io/this-now-served-by-openbsd.html)
We've mentioned that you can also install OpenBSD on DO droplets, and this blog post is about someone who actually did it
The use case for the author was for a webserver, so he decided to try out the httpd in base
Configuration is ridiculously simple, and the config file in his example provides an HTTPS-only webserver, with plaintext requests automatically redirecting
TLS 1.2 by default, strong ciphers with LibreSSL and HSTS (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) combined give you a pretty secure web server
***

FreeBSD laptop playbooks (https://github.com/sean-/freebsd-laptops)
A new project has started up on Github for configuring FreeBSD on various laptops, unsurprisingly named "freebsd-laptops"
It's based on ansible, and uses the playbook format for automatic set up and configuration
Right now, it's only working on a single Lenovo laptop, but the plan is to add instructions for many more models
Check the Github page for instructions on how to get started, and maybe get involved if you're running FreeBSD on a laptop
***

NetBSD on the NVIDIA Jetson TK1 (https://blog.netbsd.org/tnf/entry/netbsd_on_the_nvidia_jetson)
If you've never heard of the Jetson TK1 (https://developer.nvidia.com/jetson-tk1), we can go ahead and spoil the secret here: NetBSD runs on it
As for the specs, it has a quad-core ARMv7 CPU at 2.3GHz, 2 gigs of RAM, gigabit ethernet, SATA, HDMI and mini-PCIE
This blog post shows which parts of the board are working with NetBSD -current (which seems to be almost everything)
You can even run X11 on it, pretty sweet
***

DragonFly power management options (http://lists.dragonflybsd.org/pipermail/users/2015-July/207911.html)
DragonFly developer Sepherosa, who we've had on the show, has been doing some ACPI work over there
In this email, he presents some of DragonFly's different power management options: ACPI P-states, C-states, mwait C-states and some Intel-specific bits as well
He also did some testing with each of them and gave his findings about power saving
If you've been thinking about running DragonFly on a laptop, this would be a good one to read
***

OpenBSD router under FreeBSD bhyve (https://www.quernus.co.uk/2015/07/27/openbsd-as-freebsd-router/)
If one BSD just isn't enough for you, and you've only got one machine, why not run two at once
This article talks about taking a FreeBSD server running bhyve and making a virtualized OpenBSD router with it
If you've been considering switching over your router at home or the office, doing it in a virtual machine is a good way to test the waters before committing to real hardware
The author also includes a little bit of history on how he got into both operating systems
There are lots of mixed opinions about virtualizing core network components, so we'll leave it up to you to do your research
Of course, the next logical step is to put that bhyve host under Xen on NetBSD...
***

Feedback/Questions
Kevin writes in (http://slexy.org/view/s2yPVV5Wyp)
Logan writes in (http://slexy.org/view/s21zcz9rut)
Peter writes in (http://slexy.org/view/s21CRmiPwK)
Randy writes in (http://slexy.org/view/s211zfIXff)
***
99: BSD Gnow
This week we'll be talking with Ryan Lortie and Baptiste Daroussin about GNOME on BSD. Upstream development is finally treating the BSDs as a first class citizen, so we'll hear about how the recent porting efforts have been going. This episode was brought to you by

Headlines

OpenBSD presents tame (https://www.marc.info/?l=openbsd-tech&m=143725996614627&w=2)
Theo de Raadt sent out an email detailing OpenBSD's new "tame" subsystem, written by Nicholas Marriott and himself, for restricting what processes can and can't do
When using tame, programs will switch to a "restricted-service operating mode," limiting them to only the things they actually need to do
As for the background: "Generally there are two models of operation. The first model requires a major rewrite of application software for effective use (ie. capsicum). The other model in common use lacks granularity, and allows or denies an operation throughout the entire lifetime of a process. As a result, they lack differentiation between program 'initialization' versus 'main servicing loop.' systrace had the same problem. My observation is that programs need a large variety of calls during initialization, but few in their main loops."
Some initial categories of operation include: computation, memory management, read-write operations on file descriptors, opening of files and, of course, networking
Restrictions can also be stacked further into the lifespan of the process, but removed abilities can never be regained (obviously)
Anything that tries to access resources outside of its in-place limits gets terminated with a SIGKILL or, optionally, a SIGABRT (which can produce useful core dumps for investigation)
Also included are 29 examples of userland programs that get additional protection with very minimal changes to the source - only 2 or 3 lines needing to be changed in the case of binaries like cat, ps, dmesg, etc.
This is an initial work-in-progress version of tame, so there may be more improvements or further (https://www.marc.info/?l=openbsd-tech&m=143740834710502&w=2) control (https://www.marc.info/?l=openbsd-tech&m=143741052411159&w=2) options added before it hits a release (very specific access policies can sometimes backfire (https://forums.grsecurity.net/viewtopic.php?f=7&t=2522), however)
The man page, also included in the mail, provides some specifics about how to integrate tame properly into your code (which, by design, was made very easy to do - making it simple means third party programs are more likely to actually use it)
Kernel bits are in the tree now (https://www.marc.info/?l=openbsd-cvs&m=143727335416513&w=2), with userland changes starting to trickle in too
Combined with a myriad of memory protections (http://www.bsdnow.tv/episodes/2015_05_13-exclusive_disjunction), tight privilege separation and (above all else (https://en.wikipedia.org/wiki/OpenBSD_security_features)) good coding practices, tame should further harden the OpenBSD security fortress
Further discussion (https://news.ycombinator.com/item?id=9928221) can (https://www.reddit.com/r/programming/comments/3dsr0t) be (http://undeadly.org/cgi?action=article&sid=20150719000800&mode=flat) found (https://news.ycombinator.com/item?id=9909429) in (https://www.reddit.com/r/linux/comments/3ds66o) the (https://lobste.rs/s/tbbtfs) usual (https://www.reddit.com/r/openbsd/comments/3ds64c) places (https://www.reddit.com/r/BSD/comments/3ds681) you'd expect
***

Using Docker on FreeBSD (https://wiki.freebsd.org/Docker)
With the experimental Docker port landing in FreeBSD a few weeks ago, some initial docs are starting to show up
This docker is "the real thing," and isn't using a virtual machine as the backend - as such, it has some limitations
The FreeBSD wiki has a page detailing how it works in general, as well as more info about those limitations
When running Linux containers, it will only work as well as the Linux ABI compat layer for your version of FreeBSD (11.0, or -CURRENT when we're recording this, is where all the action is for 64bit support)
For users on 10.X, there's also a FreeBSD container available, which allows you to use Docker as a fancy jail manager (it uses the jail subsystem internally)
Give it a try, and let us know how it compares to other solutions
***

OpenBSD imports doas, removes sudo (http://www.tedunangst.com/flak/post/doas)
OpenBSD has included the ubiquitous "sudo" utility for many years now, and the current maintainer of sudo (Todd C. Miller) is also a long-time OpenBSD dev
The version included in the base system was much smaller than the latest current version used elsewhere, but was based on older code
Some internal discussion led to the decision that sudo should probably be moved to ports now, where it can be updated easily and offer all the extra features that were missing in base (LDAP and whatnot)
Ted Unangst conjured up a rewritten utility to replace it in the base system, dubbed "do as," with the aim of being more simple and compact
There were concerns that sudo was too big and too complicated, and a quick 'n' dirty check reveals that doas is around 350 lines of code, while sudo is around 10,000 - which would you rather have as a setuid root binary?
After the initial import, a number of developers began reviewing and improving various bits here and there
You can check out the code (http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/doas/) now if you're interested
Command usage (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1) and config syntax (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/doas.conf.5) seem pretty straightforward
More discussion (https://news.ycombinator.com/item?id=9914693) on HN
***

What would you like to see in FreeBSD (https://www.reddit.com/r/freebsd/comments/3d80vt/what_would_you_like_to_see_in_freebsd/)
Adrian Chadd started a reddit thread about areas in which FreeBSD could be improved, asking the community what they'd like to see
There are over 200 comments that span a wide range of topics, so we'll just cover a few of the more popular requests - check the very long thread if you're interested in more
The top comment says things don't "just work," citing failover link aggregation of LACP laggs, PPPoE issues, disorganized jail configuration options, unclear CARP configuration and userland dtrace being unstable
Another common one was that there are three firewalls in the base system, with ipfilter and pf being kinda dead now - should they be removed, and more focus put into ipfw?
Video drivers also came up frequently, with users hoping for better OpenGL support and support for newer graphics cards from Intel and AMD - similar comments were made about wireless chipsets as well
Some other replies included more clarity with pkgng output, paying more attention to security issues, updating PF to match the one in OpenBSD, improved laptop support, a graphical installer, LibreSSL in base, more focus on embedded MIPS devices, binary packages with different config options, steam support and lots more
At least one user suggested better "marketing" for FreeBSD, with more advocacy and (hopefully) more business adoption
That one really applies to all the BSDs, and regular users (that's you listening to this) can help make it happen for whichever ones you use right now
Maybe Adrian can singlehandedly do all the work and make all the users happy
***

Interview - Ryan Lortie & Baptiste Daroussin
Porting the latest GNOME code to FreeBSD

News Roundup

Introducing resflash (http://stable.rcesoftware.com/resflash/)
If you haven't heard of resflash before, it's "a tool for building OpenBSD images for embedded and cloud environments in a programmatic, reproducible way"
One of the major benefits to images like this is the read-only filesystem, so there's no possibility of filesystem corruption if power is lost
There's an optional read-write partition as well, used for any persistent changes you want to make
You can check out the source code on Github (https://github.com/bconway/resflash) or read the main site for more info
***

Jails with iocage (http://pid1.com/posts/post10.html)
There are a growing number of FreeBSD jail management utilities: ezjail, cbsd, warden and a few others
After looking at all the different choices, the author of this blog post eventually settled on iocage (https://github.com/iocage/iocage) for the job
The post walks you through the basic configuration and usage of iocage for creating and managing jails
If you've been unhappy with ezjail or some of the others, iocage might be worth giving a try instead (it also has really good ZFS integration)
***

DragonFly GPU improvements (http://lists.dragonflybsd.org/pipermail/users/2015-July/207892.html)
DragonFlyBSD continues to up their graphics game, this time with Intel's ValleyView series of CPUs
These GPUs are primarily used in the newer Atom CPUs and offer much better performance than the older ones
A git branch was created to hold the fixes for now while the last remaining bugs get fixed
Fully-accelerated Broadwell support and an update to newer DRM code are also available in the git branch, and will be merged to the main tree after some testing
***

Branchless development (http://www.tedunangst.com/flak/post/branchless-development)
Ted Unangst has a new blog post up, talking about software branches and the effects of having (or not having) them
He covers integrating and merging code, and the versioning problems that can happen with multiple people contributing at once
"For an open source project, branching is counter intuitively antisocial. For instance, I usually tell people I'm running OpenBSD, but that's kind of a lie. I'm actually running teduBSD, which is like OpenBSD but has some changes to make it even better. Of course, you can't have teduBSD because I'm selfish. I'm also lazy, and only inclined to make my changes work for me, not everyone else."
The solution, according to him, is bringing all the code the developers are using closer together
One big benefit is that WIP code gets tested much faster (and bugs get fixed early on)
***

Feedback/Questions
Matthew writes in (http://slexy.org/view/s21yQtBCCK)
Chris writes in (http://slexy.org/view/s21oFA80kY)
Anonymous writes in (http://slexy.org/view/s2JYvTlJlm)
Bill writes in (http://slexy.org/view/s21LXvk53z)
***
98: Our Code is Your Code
Coming up this time on the show, we'll be talking with the CTO of Xinuos, David Meyer, about their adoption of FreeBSD. We also discuss the BSD license model for businesses and the benefits of contributing changes back. This episode was brought to you by

Headlines

Enabling FreeBSD on AArch64 (https://community.arm.com/groups/processors/blog/2015/07/07/enabling-freebsd-on-aarch64)
One of the things the FreeBSD foundation has been dumping money into lately is ARM64 support, but we haven't heard too much about it - this article should change that
Since it's on a mainstream ARM site, the article begins with a bit of FreeBSD history, leading up to the current work on ARM64
There's also a summary of some of the ARM work done at this year's BSDCan, including details about running it on the Cavium ThunderX platform (which has 48 cores)
As of just a couple months ago, dtrace is even working on this new architecture
Come 11.0-RELEASE, the plan is for ARM64 to get the same "tier 1" treatment as X86, which would imply binary updates for base and ports - something Raspberry Pi users often complain about not having
***

OpenBSD's tcpdump detailed (https://www.youtube.com/watch?v=8kR-tW1kyDc#t=8)
Most people are probably familiar with tcpdump (https://en.wikipedia.org/wiki/Tcpdump), a very useful packet sniffing and capturing utility that's included in all the main BSD base systems
This video guide is specifically about the version in OpenBSD, which has gone through some major changes (it's pretty much a fork with no version number anymore)
Unlike on the other platforms, OpenBSD's tcpdump will always run in a chroot as an unprivileged user - this has saved it from a number of high-profile exploits
It also has support for the "pf.os" system, allowing you to filter out operating system fingerprints in the packet captures
There's also PF (and pflog) integration, letting you see which line in your ruleset triggered a specific match
Being able to run tcpdump directly on your router (http://www.bsdnow.tv/tutorials/openbsd-router) is pretty awesome for troubleshooting
***

More FreeBSD foundation at BSDCan (http://freebsdfoundation.blogspot.com/2015/07/bsdcan-2015-trip-report-kamil-czekirda.html)
The FreeBSD foundation has another round of trip reports from this year's BSDCan
First up is Kamil Czekirda, who gives a good summary of some of the devsummit, FreeBSD-related presentations, some tutorials, getting freebsd-update bugs fixed and of course eating cake
A second post (http://freebsdfoundation.blogspot.com/2015/07/bsdcan-2015-trip-report-christian.html) from Christian Brueffer, who cleverly planned ahead to avoid jetlag, details how he got some things done during the FreeBSD devsummit
Their third report (http://freebsdfoundation.blogspot.com/2015/07/bsdcan-2015-trip-report-warren-block.html) is from our buddy Warren Block, who (unsurprisingly) worked on a lot of documentation-related things, including getting more people involved with writing them
In true doc team style, his report is the most well-written of the bunch, including lots of links and a clear separation of topics (doc lounge, contributing to the wiki, presentations...)
Finally, the fourth one (http://freebsdfoundation.blogspot.com/2015/07/bsdcan-2015-trip-report-shonali.html) comes to us from Shonali Balakrishna, who also gives an outline of some of the talks
"Not only does a BSD conference have way too many very smart people in one room, but also some of the nicest."
***

DragonFly on the Chromebook C720 (https://www.dragonflydigest.com/2015/07/08/16391.html)
If you've got one of the Chromebook laptops and weren't happy with the included OS, DragonFlyBSD might be worth a go
This article is a "mini-report" on how DragonFly functions on the device as a desktop, and while the 2GB of RAM proved to be a bit limiting, most of the hardware is well-supported
DragonFly's wiki has a full guide (http://www.dragonflybsd.org/docs/newhandbook/ConfigChromebook/) on getting set up on one of these devices as well
***

Interview - David Meyer - info@xinuos.com (mailto:info@xinuos.com) / @xinuos (https://twitter.com/xinuos)
Xinuos, BSD license model vs. others, community interaction

News Roundup

Introducing LiteBSD (https://github.com/sergev/LiteBSD)
We definitely don't talk about 4.4BSD a lot on the show
LiteBSD is "a variant of [the] 4.4BSD operating system adapted for microcontrollers"
If you've got really, really old hardware (or are working in the embedded space) then this might be an interesting hobby project to look into
***

HardenedBSD announces ASLR completion (http://hardenedbsd.org/article/shawn-webb/2015-07-06/announcing-aslr-completion)
HardenedBSD, now officially a full-on fork of FreeBSD (http://hardenedbsd.org/content/about), has declared their ASLR patchset to be complete
The latest and last addition to the work was VDSO (Virtual Dynamic Shared Object) randomization, which is now configurable with a sysctl
This post gives a summary of the six main features they've added since the beginning (http://www.bsdnow.tv/episodes/2014_08_27-reverse_takeover)
Only a few small things are left to do - man page cleanups, possibly shared object load order improvements
***

Unlock the reaper (https://www.marc.info/?l=openbsd-tech&m=143636371501474&w=2)
In the ongoing quest to make more of OpenBSD SMP-friendly, a new patch was posted that unlocks the reaper in the kernel
When there's a zombie process (https://en.wikipedia.org/wiki/Zombie_process) causing a resource leak, it's the reaper's job (https://en.wikipedia.org/wiki/Wait_%28system_call%29) to deallocate their resources (and yes we're still talking about computers, not horror movies)
Initial testing has yielded positive (https://www.marc.info/?l=openbsd-tech&m=143642748717836&w=2) results (https://www.marc.info/?l=openbsd-tech&m=143639356810690&w=2) and no regressions (https://www.marc.info/?l=openbsd-tech&m=143638955809675&w=2)
They're looking for testers, so you can install a -current snapshot and get it automatically
An updated version of the patch is coming soon (https://www.marc.info/?l=openbsd-tech&m=143643025118637&w=2) too
A hackathon (http://www.openbsd.org/images/hackathons/c2k15-s.gif) is going on right now, so you can expect more SMP improvements in the near future
***

The importance of mentoring (http://adrianchadd.blogspot.com/2015/07/the-importance-of-mentoring-or-how-i.html)
Adrian Chadd has a blog post up about mentoring new users, and it tells the story of how he originally got into FreeBSD
He tells the story of, at age 11, meeting someone else who knew about making crystal sets and became his role model
Eventually we get to his first FreeBSD 1.1 installation (which he temporarily abandoned for Linux, since it didn't have a color "ls" command) and how he started using the OS
Nowadays, there's a formal mentoring system in FreeBSD
While he talks about FreeBSD in the post, a lot of the concepts apply to all the BSDs (or even just life in general)
***

Feedback/Questions
Sean writes in (http://slexy.org/view/s29LpvIxDD)
Herminio writes in (http://slexy.org/view/s21I1MZsDl)
Stuart writes in (http://slexy.org/view/s20kk3ilM6)
Richard writes in (http://slexy.org/view/s2pL5xA80B)
***
97: Big Network, SmallWall
Coming up this time on the show, we'll be chatting with Lee Sharp. He's recently revived the m0n0wall codebase, now known as SmallWall, and we'll find out what the future holds for this new addition to the BSD family. Answers to your emails and all this week's news, on BSD Now - the place to B.. SD.
This episode was brought to you by
Headlines
BSDCan and pkgsrcCon videos (https://www.youtube.com/channel/UCAEx6zhR2sD2pAGKezasAjA/videos)
Even more BSDCan 2015 videos are slowly but surely making their way to the internet
Nigel Williams, Multipath TCP for FreeBSD (https://www.youtube.com/watch?v=P3vB_FWtyIs)
Stephen Bourne, Early days of Unix and design of sh (https://www.youtube.com/watch?v=2kEJoWfobpA)
John Criswell, Protecting FreeBSD with Secure Virtual Architecture (https://www.youtube.com/watch?v=hRIC_aF_u24)
Shany Michaely, Expanding RDMA capability over Ethernet in FreeBSD (https://www.youtube.com/watch?v=stsaeKvF3no)
John-Mark Gurney, Adding AES-ICM and AES-GCM to OpenCrypto (https://www.youtube.com/watch?v=JaufZ7yCrLU)
Sevan Janiyan, Adventures in building (https://www.youtube.com/watch?v=-HMXyzybgdM) open source software (https://www.youtube.com/watch?v=Xof-uKnQ6cY)
And finally, the BSDCan 2015 closing (https://www.youtube.com/watch?v=Ynm0bGnYdfY)
Some videos (https://vimeo.com/channels/pkgsrccon/videos) from this year's pkgsrcCon (http://pkgsrc.org/pkgsrcCon/2015/) are also starting to appear online
Sevan Janiyan, A year of pkgsrc 2014 - 2015 (https://vimeo.com/channels/pkgsrccon/132767946)
Pierre Pronchery, pkgsrc meets pkg-ng (https://vimeo.com/channels/pkgsrccon/132766052)
Jonathan Perkin, pkgsrc at Joyent (https://vimeo.com/channels/pkgsrccon/132760863)
Jörg Sonnenberger, pkg_install script framework (https://vimeo.com/channels/pkgsrccon/132757658)
Benny Siegert, New Features in BulkTracker (https://vimeo.com/channels/pkgsrccon/132751897)
This is the first time we've ever seen recordings from the conference - hopefully they continue this trend
***
OPNsense 15.7 released (https://forum.opnsense.org/index.php?topic=839.0)
The OPNsense team has released version 15.7, almost exactly six months after their initial debut (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach)
In addition to pulling in the latest security fixes from upstream FreeBSD, 15.7 also includes new integration of an intrusion detection system (and a new GUI for it) as well as new blacklisting options for the proxy server
Taking a note from upstream PF's playbook, ALTQ traffic shaping support has finally been retired as of this release (it was deprecated from OpenBSD a few years ago, and the code was completely removed (http://undeadly.org/cgi?action=article&sid=20140419151959) just over a year ago)
The LibreSSL flavor has been promoted to production-ready, and users can easily migrate over from OpenSSL via the GUI - switching between the two is simple; no commitment needed
Various third party ports have also been bumped up to their latest versions to keep things fresh, and there's the usual round of bug fixes included
Shortly afterwards, 15.7.1 (https://forum.opnsense.org/index.php?topic=915.0) was released with a few more small fixes
***
NetBSD at Open Source Conference 2015 Okinawa (https://mail-index.netbsd.org/netbsd-advocacy/2015/07/04/msg000688.html)
If you liked last week's episode (http://www.bsdnow.tv/episodes/2015_07_01-lost_technology) then you'll probably know what to expect with this one
The NetBSD users group of Japan hit another open source conference, this time in Okinawa
This time, they had a few interesting NetBSD machines on display that we didn't get to see in the interview last week
We'd love to see something like this in North America or Europe too - anyone up for installing BSD on some interesting devices and showing them off at a Linux con?
***
OpenBSD BGP and VRFs (http://firstyear.id.au/entry/21)
"VRFs (https://en.wikipedia.org/wiki/Virtual_routing_and_forwarding), or in OpenBSD rdomains, are a simple, yet powerful (and sometimes confusing) topic"
This article aims to explain both BGP and rdomains, using network diagrams, for some network isolation goodness
With multiple rdomains, it's also possible to have two upstream internet connections, but lock different groups of your internal network to just one of them
The idea of a "guest network" can greatly benefit from this separation as well, even allowing for the same IP ranges to be used without issues
Combining rdomains with the BGP protocol allows for some very selective and precise blocking/passing of traffic between networks, which is also covered in detail here
The BSDCan talk on rdomains (https://www.youtube.com/watch?v=BizrC8Zr-YY) expands on the subject a bit more if you haven't seen it, as well as a few related (https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/) posts (http://cybermashup.com/2013/05/21/complex-routing-with-openbsd/)
***
Interview - Lee Sharp - lee@smallwall.org (mailto:lee@smallwall.org)
SmallWall (http://smallwall.org), a continuation of m0n0wall
News Roundup
Solaris adopts more BSD goodies (https://blogs.oracle.com/solarisfw/entry/pf_for_solaris)
We mentioned a while back that Oracle developers have begun porting a current version of OpenBSD's PF firewall to their next version, even contributing back patches for SMP and other bug fixes
They recently published an article about PF, talking about what's different about it on their platform compared to others - not especially useful for BSD users, but interesting to read if you like firewalls
Darren Moffat, who was part of originally getting an SSH implementation into Solaris, has a second blog post (https://blogs.oracle.com/darren/entry/openssh_in_solaris_11_3) up about their "SunSSH" fork
Going forward, their next version is going to offer a completely vanilla OpenSSH option as well, with the plan being to phase out SunSSH after that
The article talks a bit about the history of getting SSH into the OS, forking the code and also lists some of the differences between the two
In a third blog post (https://blogs.oracle.com/darren/entry/solaris_new_system_calls_getentropy), they talk about a new system call they're borrowing from OpenBSD, getentropy(2) (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/getentropy.2), as well as the addition of arc4random (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/arc4random.3) to their libc
With an up-to-date and SMP-capable PF, ZFS with native encryption, jail-like Zones, unaltered OpenSSH and secure entropy calls… is Solaris becoming better than us?
Look forward to the upcoming "Solaris Now" podcast (not really)
***
EuroBSDCon 2015 talks and tutorials (https://2015.eurobsdcon.org/talks/)
This year's EuroBSDCon is set to be held in Sweden at the beginning of October, and the preliminary list of accepted presentations has been published
The list looks pretty well-balanced between the different BSDs, something Paul would be happy to see if he was still with us
It even includes an interesting DragonFly talk and a couple of talks from NetBSD developers, in addition to plenty of FreeBSD and OpenBSD of course
There are also a few tutorials (https://2015.eurobsdcon.org/tutorials/) planned for the event, some you've probably seen already and some you haven't
Registration for the event will be opening very soon (likely this week or next)
***
Using ZFS replication to improve offsite backups (https://www.iceflatline.com/2015/07/using-zfs-replication-features-in-freebsd-to-improve-my-offsite-backups/)
If you take backups seriously, you're probably using ZFS and probably keeping an offsite copy of the data
This article covers doing just that, but with a focus on making use of the replication capability
It'll walk you through taking a snapshot of your pool and then replicating it to another remote system, using "zfs send" and SSH - this has the benefit of only transferring the files that have changed since the last time you did it
Steps are also taken to allow a regular user to take and manage snapshots, so you don't need to be root for the SSH transfer
Data integrity is a long process - filesystem-level checksums, resistance to hardware failure, ECC memory, multiple copies in different locations... they all play a role in keeping your files secure; don't skip out on any of them
One thing the author didn't mention in his post: having an offline copy of the data, ideally sealed in a safe place, is also important
***
Block encryption in OpenBSD (http://anadoxin.org/blog/blog/20150705/block-encryption-in-openbsd/)
We've covered (http://www.bsdnow.tv/tutorials/fde) ways to do fully-encrypted installations of OpenBSD (and FreeBSD) before, but that requires dedicating a whole drive or partition to the sensitive data
This blog post takes you through the process of creating encrypted containers in OpenBSD, à la TrueCrypt - that is, a file-backed virtual device with an encrypted filesystem
It goes through creating a file that looks like random data, pointing vnconfig at it, setting up the crypto and finally using it as a fake storage device
The encrypted container method offers the advantage of being a bit more portable across installations than other ways
***
Docker hits FreeBSD ports (https://svnweb.freebsd.org/ports?view=revision&revision=391421)
The inevitable has happened, and an early FreeBSD port of docker is finally here
Some details and directions (https://github.com/kvasdopil/docker/blob/freebsd-compat/FREEBSD-PORTING.md) are available to read if you'd like to give it a try, as well as a list of which features work and which don't
There was also some Hacker News discussion (https://news.ycombinator.com/item?id=9840025) on the topic
***
Microsoft donates to OpenSSH (http://undeadly.org/cgi?action=article&sid=20150708134520&mode=flat)
We've talked about big businesses using BSD and contributing back before, even mentioning a few other large public donations - now it's Microsoft's turn
With their recent decision to integrate OpenSSH into an upcoming Windows release, Microsoft has donated a large sum of money to the OpenBSD foundation, making them a gold-level sponsor
They've also posted some contract work offers on the OpenSSH mailing list, and say that their changes will be upstreamed if appropriate - we're always glad to see this
***
Feedback/Questions
Joe writes in (http://slexy.org/view/s2NqbhwOoH)
Mike writes in (http://slexy.org/view/s2T3NEia98)
Randy writes in (http://slexy.org/view/s20RlTK6Ha)
Tony writes in (http://slexy.org/view/s2rjCd0bGX)
Kevin writes in (http://slexy.org/view/s21PfSIyG5)
***
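The snapshot-and-send procedure from the ZFS replication item in this episode (delegated permissions for a non-root user, a full send the first time and an incremental "zfs send -i" afterwards, streamed over SSH), as an added shell example that is not the article's own code. Every name in it is a placeholder: dataset tank/data, user "backup", host backup@offsite.example, remote dataset backup/data.

```shell
#!/bin/sh
# Added example, not code from the linked article: incremental ZFS replication
# to an offsite host over SSH, run as an unprivileged user. All names are
# placeholders (tank/data, user "backup", backup@offsite.example, backup/data).
#
# DRY_RUN=1 (the default) prints each command instead of executing it; set
# DRY_RUN=0 on a real system with ZFS and a reachable remote.
DRY_RUN=${DRY_RUN:-1}

run() {
    # Print the command in dry-run mode, otherwise run it through the shell so
    # that the send | ssh pipeline works as a single command.
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

# One-time setup as root: delegate only the ZFS permissions the backup user
# needs. Sending side: create, hold, send and prune snapshots of the dataset.
delegate_send_perms() {   # $1=user $2=dataset
    run "zfs allow -u $1 snapshot,hold,send,destroy,mount $2"
}
# Receiving side: accept streams and create the datasets they carry.
delegate_recv_perms() {   # $1=user $2=dataset
    run "zfs allow -u $1 receive,create,mount $2"
}

# Build the transfer pipeline. With no previous snapshot this is a full send;
# otherwise "zfs send -i" ships only the blocks changed since that snapshot.
# $1=dataset $2=new snapshot $3=previous snapshot ("" on the first run)
# $4=user@host $5=remote dataset ("receive -u" leaves it unmounted remotely)
send_cmd() {
    if [ -z "$3" ]; then
        printf 'zfs send %s@%s | ssh %s zfs receive -u %s\n' "$1" "$2" "$4" "$5"
    else
        printf 'zfs send -i %s@%s %s@%s | ssh %s zfs receive -u %s\n' \
            "$1" "$3" "$1" "$2" "$4" "$5"
    fi
}

# Take a new snapshot, replicate it, then drop the previous snapshot locally:
# the new one is now the common base for the next incremental run.
replicate() {   # same arguments as send_cmd
    run "zfs snapshot $1@$2"
    run "$(send_cmd "$1" "$2" "$3" "$4" "$5")"
    if [ -n "$3" ]; then run "zfs destroy $1@$3"; fi
}

# Stand-alone usage: replicate.sh DATASET NEWSNAP PREVSNAP USER@HOST REMOTEDATASET
if [ $# -eq 5 ]; then replicate "$@"; fi
```

Keeping the previous snapshot until the new one has been received is what makes the next run incremental; if the remote side ever loses that snapshot, the next transfer has to be a full send again.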
96: Lost Technology
Coming up this week, we'll be talking with Jun Ebihara about some lesser-known CPU architectures in NetBSD. He'll tell us what makes these old (and often forgotten) machines so interesting. As usual, we've also got answers to your emails and all this week's news on BSD Now - the place to B.. SD.
This episode was brought to you by
Headlines
Out with the old, in with the less (http://www.tedunangst.com/flak/post/out-with-the-old-in-with-the-less)
Our friend Ted Unangst has a new article up, talking about "various OpenBSD replacements and reductions"
"Instead of trying to fix known bugs, we’re trying to fix unknown bugs. It’s not based on the current buggy state of the code, but the anticipated future buggy state of the code. Past bugs are a bigger factor than current bugs."
In the post, he goes through some of the bigger (and smaller) examples of OpenBSD rewriting tools to be simpler and more secure
It starts off with a lesser-known SCSI driver that "tried to do too much" being replaced with three separate drivers
"Each driver can now be modified in isolation without unintentional side effects on other hardware, or the need to consider if and where further special cases need to be added. Despite the fact that these three drivers duplicate all the common boilerplate code, combined they only amount to about half as much code as the old driver."
In contrast to that example, he goes on to cite mandoc as taking a very non "unixy" direction, but at the same time being smaller and simpler than all the tools it replaced
The next case is the new http daemon, and he talks a bit about the recently-added rewrite support being done in a simple and secure way (as opposed to regex and its craziness)
He also talks about the rewritten "file" utility: "Almost by definition, its sole input will be untrusted input. Perversely, people will then trust what file tells them and then go about using that input, as if file somehow sanitized it."
Finally, sudo in OpenBSD's base system is moving to ports soon, and the article briefly describes a new tool that may or may not replace it (https://marc.info/?l=openbsd-ports&m=143481227122523&w=2), called "doas"
There's also a nice wrap-up of all the examples at the end, and the "Pruning and Polishing (http://www.openbsd.org/papers/pruning.html)" talk is good complementary reading material
***
More OpenZFS and BSDCan videos (https://www.youtube.com/channel/UC0IK6Y4Go2KtRueHDiQcxow/videos)
We mentioned last week (http://www.bsdnow.tv/episodes/2015_06_24-bitrot_group_therapy) that some of the videos from the second OpenZFS conference in Europe were being uploaded - here's some more
Matt Ahrens did a Q&A session (https://www.youtube.com/watch?v=I6fXZ_6OT5c) and talked about ZFS send and receive (https://www.youtube.com/watch?v=iY44jPMvxog), as well as giving an overview of OpenZFS (https://www.youtube.com/watch?v=RQlMDmnty80)
George Wilson talked about a performance retrospective (https://www.youtube.com/watch?v=KBI6rRGUv4E)
Toshiba (https://www.youtube.com/watch?v=sSi47-k78IM), Syneto (https://www.youtube.com/watch?v=Hhje5KEF5cE) and HGST (https://www.youtube.com/watch?v=aKgxXipss8k) also gave some talks about their companies and how they're using ZFS
As for BSDCan, more of their BSD presentations have been uploaded too...
Ryan Stone, PCI SR-IOV on FreeBSD (https://www.youtube.com/watch?v=INeMd-i5jzM)
George Neville-Neil, Measure Twice, Code Once (https://www.youtube.com/watch?v=LE4wMsP7zeA)
Kris Moore, Unifying jail and package management for PC-BSD, FreeNAS and FreeBSD (https://www.youtube.com/watch?v=qNYXqpJiFN0)
Warner Losh, I/O Scheduling in CAM (https://www.youtube.com/watch?v=3WqOLolj5EU)
Kirk McKusick, An Introduction to the Implementation of ZFS (https://www.youtube.com/watch?v=l-RCLgLxuSc)
Midori Kato, Extensions to FreeBSD Datacenter TCP for Incremental Deployment Support (https://www.youtube.com/watch?v=zZXvjhWcg_4)
Baptiste Daroussin, Packaging FreeBSD's (https://www.youtube.com/watch?v=Br6izhH5P1I) base system (https://www.youtube.com/watch?v=v7px6ktoDAI)
Matt Ahrens, New OpenZFS features supporting remote replication (https://www.youtube.com/watch?v=UOX7WDAjqso)
Ed Schouten, CloudABI Cloud computing meets fine-grained capabilities (https://www.youtube.com/watch?v=SVdF84x1EdA)
The audio of Ingo Schwarze's talk "mandoc: becoming the main BSD manual toolbox" got messed up, but there's an alternate recording here (http://www.bsdcan.org/2015/audio/mandoc.mp3), and the slides are here (http://www.openbsd.org/papers/bsdcan15-mandoc.pdf)
***
SMP steroids for PF (https://www.marc.info/?l=openbsd-tech&m=143526329006942&w=2)
An Oracle employee that's been porting OpenBSD's PF to an upcoming Solaris release has sent in an interesting patch for review
Attached to the mail was what may be the beginnings of making native PF SMP-aware
Before you start partying, the road to SMP (specifically, giant lock removal) is a long and very complicated one, requiring every relevant bit of the stack to be written with it in mind - this is just one piece of the puzzle
The initial response (https://www.marc.info/?l=openbsd-tech&m=143532243322281&w=2) has been quite positive though, with some back and forth (https://www.marc.info/?l=openbsd-tech&m=143532963824548&w=2) between developers and the submitter
For now, let's be patient and see what happens
***
DragonFly 4.2.0 released (http://www.dragonflybsd.org/release42/)
DragonFlyBSD has released the next big update of their 4.x branch, complete with a decent amount of new features and fixes
i915 and Radeon graphics have been updated, and DragonFly can claim the title of first BSD with Broadwell support in a release
Sendmail in the base system has been replaced with their homegrown DragonFly Mail Agent, and there's a wiki page (http://www.dragonflybsd.com/docs/docs/newhandbook/mta/) about configuring it
They've also switched the default compiler to GCC 5, though why they've gone in that direction instead of embracing Clang is a mystery
The announcement page also contains a list of kernel changes, details on the audio and graphics updates, removal of the SCTP protocol, improvements to the temperature sensors, various userland utility fixes and a list of updates to third party tools
Work is continuing on the second generation HAMMER filesystem, and Matt Dillon provides a status update in the release announcement
There was also some Hacker News discussion (https://news.ycombinator.com/item?id=9797932) you can check out, as well as upgrade instructions (http://lists.dragonflybsd.org/pipermail/users/2015-June/207801.html)
***
OpenSMTPD 5.7.1 released (https://opensmtpd.org/announces/release-5.7.1.txt)
The OpenSMTPD guys have just released version 5.7.1, a major milestone version that we mentioned recently
Crypto-related bits have been vastly improved: the RSA engine is now privilege-separated, TLS errors are handled more gracefully, ciphers and curve preferences can now be specified, the PKI interface has been reworked to allow custom CAs, SNI and certificate verification have been simplified and the DH parameters are now 2048 bit by default
The long-awaited filter API is now enabled by default, though still considered slightly experimental
Documentation has been improved quite a bit, with more examples and common use cases (as well as exotic ones)
Many more small additions and bugfixes were made, so check the changelog for the full list
Starting with 5.7.1, releases are now cryptographically (https://twitter.com/OpenSMTPD/status/613257722574839808) signed (https://www.opensmtpd.org/archives/opensmtpd-5.7.1.sum.sig) to ensure integrity
This release has gone through some major stress testing to ensure stability - Gilles regularly asks their Twitter followers to flood a test server (https://twitter.com/OpenSMTPD/status/608399272447471616) with thousands of emails per second, even offering prizes (https://twitter.com/OpenSMTPD/status/608235180839567360) to whoever can DDoS them the hardest
OpenSMTPD runs on all the BSDs of course, and seems to be getting pretty popular lately
Let's all encourage (mailto:feedback@bsdnow.tv) Kris to stop procrastinating on switching from Postfix
***
Interview - Jun Ebihara (蛯原純) - jun@netbsd.org (mailto:jun@netbsd.org) / @ebijun (https://twitter.com/ebijun)
Lesser-known CPU architectures, embedded NetBSD devices
News Roundup
FreeBSD foundation at BSDCan (http://freebsdfoundation.blogspot.com/2015/06/bsdcan-2015-trip-report-steven-douglas.html)
The FreeBSD foundation has posted a few BSDCan summaries on their blog
The first, from Steven Douglas, begins with a sentiment a lot of us can probably identify with: "Where I live, there are only a handful of people that even know what BSD is, let alone can talk at a high level about it. That was one of my favorite things, being around like minded people."
He got to meet a lot of the people working on big-name projects, and enjoyed being able to ask them questions so easily
Their second (http://freebsdfoundation.blogspot.com/2015/06/bsdcan-2015-trip-report-ahmed-kamal.html) trip report is from Ahmed Kamal, who flew in all the way from Egypt
A bit starstruck, he seems to have enjoyed all the talks, particularly Andrew Tanenbaum's about MINIX and NetBSD
There are also two more wrap-ups from Zbigniew Bodek (http://freebsdfoundation.blogspot.com/2015/06/bsdcan-2015-trip-report-zbigniew-bodek.html) and Vsevolod Stakhov (http://freebsdfoundation.blogspot.com/2015/06/bsdcan-2015-trip-report-vsevolod-stakhov.html), so you've got plenty to read
***
OpenBSD from a veteran Linux user perspective (http://cfenollosa.com/blog/openbsd-from-a-veteran-linux-user-perspective.html)
In a new series of blog posts, a self-proclaimed veteran Linux user is giving OpenBSD a try for the first time
"For the first time I installed a BSD box on a machine I control. The experience has been eye-opening, especially since I consider myself an 'old-school' Linux admin, and I've felt out of place with the latest changes on the system administration."
The post is a collection of his thoughts about what's different between Linux and BSD, what surprised him as a beginner - admittedly, a lot of his knowledge carried over, and there were just minor differences in command flags
One of the things that surprised him (in a positive way) was the documentation: "OpenBSD's man pages are so nice that RTFMing somebody on the internet is not condescending but selfless."
He also goes through some of the basics, installing and updating software, following different branches
It concludes with "If you like UNIX, it will open your eyes to the fact that there is more than one way to do things, and that system administration can still be simple while modern."
***
FreeBSD on the desktop, am I crazy (http://sysconfig.org.uk/freebsd-on-the-desktop-am-i-crazy.html)
Similar to the previous article, the guy that wrote the SSH two factor authentication post we covered last week has another new article up - this time about FreeBSD on the desktop
He begins with a bit of forewarning for potential Linux switchers: "It certainly wasn't an easy journey, and I'm tempted to say do not try this at home to anybody who isn't going to leverage any of FreeBSD's strong points. Definitely don't try FreeBSD on the desktop if you haven't used it on servers or virtual machines before. It's got less in common with Linux than you might think."
With that out of the way, the list of positives is pretty large: a tidy base system, separation between base and ports, having the option to choose binary packages or ports, ZFS, jails, licensing and of course the lack of systemd
The rest of the post talks about some of the hurdles he had to overcome, namely with graphics and the infamous Adobe Flash
Also worth noting is that he found jails to be not only good for isolating daemons on a server, but pretty useful for desktop applications as well
In the end, he says it was worth all the trouble, and is even planning on converting his laptop to FreeBSD soon too
***
OpenIKED and Cisco CSR 1000v IPSEC (https://www.netflask.net/ipsec-ikev2-cisco-csr1000v-openiked/)
This article covers setting up a site-to-site IPSEC tunnel between a Cisco CSR 1000v router and an OpenBSD gateway running OpenIKED
What kind of networking blog post would be complete without a diagram where the internet is represented by a big cloud
There are lots of details (and example configuration files) for using IKEv2 and OpenBSD's built-in IKE daemon
It also goes to show that the BSDs generally play well with existing network infrastructure, so if you were a business that's afraid to try them… don't be
***
HardenedBSD improves stack randomization (https://github.com/HardenedBSD/hardenedBSD/commit/bd5cecb4dc7947a5e214fc100834399b4bffdee8)
The HardenedBSD guys have improved their FreeBSD ASLR patchset, specifically in the stack randomization area
In their initial implementation, the stack randomization was a random gap - this update makes the base address randomized as well
They're now stacking the new on top of the old as well, with the goal being even more entropy
This change triggered an ABI and API incompatibility, so their major version has been bumped
***
OpenSSH 6.9 released (https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-July/000121.html)
The OpenSSH team has announced the release of a new version which, following their tick/tock major/minor release cycle, is focused mainly on bug fixes
There are a couple of new things though - the "AuthorizedKeysCommand" config option now takes custom arguments
One very notable change is that the default cipher has changed as of this release
The traditional pairing of AES128 in counter mode with MD5 HMAC has been replaced by the ever-trendy ChaCha20-Poly1305 combo
Their next release, 7.0, is set to get rid of a number of legacy items: PermitRootLogin will be switched to "no" by default, SSHv1 support will be totally disabled, the 1024bit diffie-hellman-group1-sha1 KEX will be disabled, old ssh-dss and v00 certs will be removed, a number of weak ciphers will be disabled by default (including all CBC ones) and RSA keys will be refused if they're under 1024 bits
Many small bug fixes and improvements were also made, so check the announcement for everything else
The native version is in OpenBSD -current, and an update to the portable version should be hitting a ports or pkgsrc tree near you soon
***
Feedback/Questions
Brad writes in (http://slexy.org/view/s2Ws6Y2rZy)
Mason writes in (http://slexy.org/view/s21GvZ5xbs)
Jochen writes in (http://slexy.org/view/s209TrPK4e)
Simon writes in (http://slexy.org/view/s21TQjUjxv)
***
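The legacy items the OpenSSH 6.9 notes above say 7.0 will disable (SSHv1, root login by default, the group1 KEX, ssh-dss keys, CBC ciphers) are easy to spot ahead of time in an sshd_config. This is an added shell example, not anything from the OpenSSH announcement; the sshd_config it reads is constructed for the example and is not from a real host.

```shell
#!/bin/sh
# Added example, not from the OpenSSH release notes: flag the legacy sshd_config
# settings that the 7.0 notes say will be disabled or refused. The sample below
# is constructed for this example and deliberately dated.
set -f   # no pathname expansion while splitting config lines into words

SAMPLE_SSHD_CONFIG='# constructed sample, not a real host
Protocol 2,1
PermitRootLogin yes
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
Ciphers aes128-cbc,chacha20-poly1305@openssh.com
'

# Read an sshd_config on stdin and print one finding per line.
# Keywords are case-insensitive in sshd_config, so they are lowercased first.
audit_sshd_config() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop trailing and full-line comments
        set -- $line              # split into keyword and value words
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        shift
        val=$*
        case $key in
            protocol)
                case ",$val," in *,1,*) echo "SSHv1 enabled (Protocol $val)";; esac ;;
            permitrootlogin)
                case $val in yes) echo "PermitRootLogin yes (7.0 default becomes no)";; esac ;;
            hostkey)
                case $val in *dsa*) echo "ssh-dss host key configured: $val";; esac ;;
            kexalgorithms)
                case ",$val," in *,diffie-hellman-group1-sha1,*)
                    echo "1024-bit diffie-hellman-group1-sha1 KEX enabled";; esac ;;
            ciphers)
                case ",$val," in *-cbc,*) echo "CBC cipher(s) enabled: $val";; esac ;;
        esac
    done
}

# Number of findings; 0 means none of the listed legacy settings are present.
audit_finding_count() {
    audit_sshd_config | grep -c .
}

# Stand-alone run: audit the file given as $1, or the constructed sample.
if [ $# -ge 1 ]; then
    audit_sshd_config < "$1"
else
    printf '%s' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config
fi
```

A clean config only proves the explicit settings are sane; an RSA host or user key under 1024 bits is refused by 7.0 regardless of what the file says, so key lengths need a separate check.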
95: Bitrot Group Therapy
This time on the show, we'll be talking some ZFS with Sean Chittenden. He's been using it on FreeBSD at Groupon, and has some interesting stories about how it's saved his data. Answers to your emails and all of this week's headlines, on BSD Now - the place to B.. SD.
This episode was brought to you by
Headlines
More BSDCan 2015 videos (https://www.bsdcan.org/2015/schedule/)
Almost as if we said it would happen last week, more BSD-related presentation videos have been uploaded
Alexander Motin, Feature-rich and fast SCSI target with CTL and ZFS (https://www.youtube.com/watch?v=lBE4BfxVDQc)
Daichi Goto, FreeBSD for High Density Servers (https://www.youtube.com/watch?v=r2BoQ70bwK4)
Ken Moore, Lumina-DE (https://www.youtube.com/watch?v=Qh_YK9y4_Os)
Kevin Bowling, FreeBSD Operations at (https://www.youtube.com/watch?v=4l2rlRjkGhk) Limelight Networks (https://www.youtube.com/watch?v=K1-ZyiY5z48)
Maciej Pasternacki, Jetpack, a container (https://www.youtube.com/watch?v=8phbsAhJ-9w) runtime for FreeBSD (https://www.youtube.com/watch?v=kJ74mgkzLxc)
Ray Percival, Networking with OpenBSD in a virtualized environment (https://www.youtube.com/watch?v=gx5FILdSp2w)
Reyk Floeter, Introducing OpenBSD's (https://www.youtube.com/watch?v=DV1-EfdIp8I) new httpd (https://www.youtube.com/watch?v=_v0lI6qDWFs)
Still more to come, hopefully
***
OpenBSD httpd rewrite support (https://www.marc.info/?l=openbsd-tech&m=143480475721221&w=2)
One of the most-requested features of OpenBSD's new HTTP daemon (in fact, you can hear someone asking about it in the video just above) is rewrite support
There were concerns about regex code being too complicated and potentially allowing another attack surface, so that was out
Instead, Reyk ported over an implementation of lua pattern matching while on the flight back from BSDCan, turning it into a C API without the lua bindings
In the mailing list post, he shows an example of how to use it for redirects and provides the diff (https://www.marc.info/?l=openbsd-tech&m=143489473103114&w=2) if you'd like to give it a try now
It's since been committed (https://www.marc.info/?l=openbsd-cvs&m=143507301715409&w=2) to -current, so you can try it out with a snapshot too
***
SSH 2FA on FreeBSD (http://sysconfig.org.uk/two-factor-authentication-with-ssh.html)
We've discussed different ways to lock down SSH access to your BSD boxes before - use keys instead of passwords, whitelist IPs, or even use two-factor authentication
This article serves as a sort of "roundup" on different methods to set up two-factor authentication on FreeBSD
It touches on key pairs with a server-side password, google authenticator and a few other variations
While the article is focused on FreeBSD, a lot of it can be easily applied to the others too
OpenSSH has a great security record, but two-factor authentication is always a good thing to have for the most important systems
***
NetBSD 7.0-RC1 released (https://blog.netbsd.org/tnf/entry/netbsd_7_0_rc1_binaries)
NetBSD has just announced the first release candidate for the 7.0 branch, after a long delay since the initial beta (11 months ago (http://www.bsdnow.tv/episodes/2014_07_23-des_challenge_iv))
Some of the standout features include: improved KMS/DRM with support for modern GPUs, SMP support on ARM, lots of new ARM boards officially supported, GPT support in the installer, Lua kernel scripting, a multiprocessor USB stack, improvements to NPF (their firewall) and, optionally, Clang 3.6.1
They're looking for as much testing as possible, so give it a try and report your findings to the release engineering team
***
Interview - Sean Chittenden - seanc@freebsd.org (mailto:seanc@freebsd.org) / @seanchittenden (https://twitter.com/seanchittenden)
FreeBSD at Groupon, ZFS
News Roundup
OpenSMTPD and Dovecot (http://www.tumfatig.net/20150620/opensmtpd-and-dovecot-on-openbsd-5-7/)
We've covered a number of OpenSMTPD mail server guides on the show, each with just a little something different to offer than the last
This blog post about it has something not mentioned before: virtual domains and virtual users
This means you can easily have "user1@domain.com" and "user2@otherdomain.com" both go to a local user on the box (or a different third address)
It also covers SSL certificates, blocking spam and setting up IMAP access, the usual
Now might also be a good time to test out OpenSMTPD 5.7.1-rc1 (https://www.mail-archive.com/misc@opensmtpd.org/msg02177.html), which we'll cover in more detail when it's released...
***
OctoPkg, a QT frontend to pkgng (https://github.com/aarnt/octopkg)
A PC-BSD user has begun porting over a graphical package management utility from Arch Linux called Octopi (https://octopiproject.wordpress.com/about/)
Obviously, it needed to be rewritten to use FreeBSD's pkg system instead of pacman
There are some basic instructions on how to get it built and running on the github page
After some testing, it'll likely make its way to the FreeBSD ports tree
Tools like this might make it easier for desktop users (who are used to similar things in Ubuntu or related distros) to switch over
***
AFL vs. mandoc, a quantitative analysis (http://undeadly.org/cgi?action=article&sid=20150619071929)
Ingo Schwarze has written a pretty detailed article about how he and other OpenBSD developers have been fuzzing mandoc with AFL
It's meant to be accompanying material to his BSDCan talk, which already covered nine topics
mandoc is an interesting example to stress test with fuzzing, since its main job is to take and parse some highly varying input
The article breaks down the 45 different bugs that were found, based on their root cause
If you're interested in secure coding practices, this'll be a great one to read
***
OpenZFS conference videos (https://www.youtube.com/playlist?list=PLaUVvul17xScvtic0SPoks2MlQleyejks)
Videos from the second OpenZFS conference have just started to show up
The first talk is by, you guessed it, Matt Ahrens
In it, he covers some ZFS history, the Oracle takeover, the birth of illumos and OpenZFS, some administration basics and also some upcoming features that are being worked on
There are also videos from Nexenta (https://www.youtube.com/watch?v=5ciV4z7WWmo) and HGST (https://www.youtube.com/watch?v=a2lnMxMUxyc), talking about how they use and contribute to OpenZFS
***
Feedback/Questions
Bryson writes in (http://slexy.org/view/s2FqJfmeK3)
Kevin writes in (http://slexy.org/view/s20erRHahQ)
***
94: Builder's Insurance
This week on the show, we'll be chatting with Marc Espie. He's recently added some additional security measures to dpb, OpenBSD's package building tool, and we'll find out why they're so important. We've also got all this week's news, answers to your emails and even a BSDCan wrap-up, coming up on BSD Now - the place to B.. SD.
This episode was brought to you by
Headlines
BSDCan 2015 videos (https://www.bsdcan.org/2015/schedule/)
BSDCan just ended last week, but some of the BSD-related presentation videos are already online
Allan Jude, UCL for FreeBSD (https://www.youtube.com/watch?v=8l6bhKIDecg)
Andrew Cagney, What happens when a dwarf and a daemon start dancing by the light of the silvery moon? (https://www.youtube.com/watch?v=XDIcD4LR5HE)
Andy Tanenbaum, A reimplementation of NetBSD (https://www.youtube.com/watch?v=0pebP891V0c) using a MicroKernel (https://www.youtube.com/watch?v=Bu1JuwVfYTc)
Brooks Davis, CheriBSD: A research fork of FreeBSD (https://www.youtube.com/watch?v=DwCg-51vFAs)
Giuseppe Lettieri, Even faster VM networking with virtual passthrough (https://www.youtube.com/watch?v=Lo6wDCapo4k)
Joseph Mingrone, Molecular Evolution, Genomic Analysis and FreeBSD (https://www.youtube.com/watch?v=K2pnf1YcMTY)
Olivier Cochard-Labbe, Large-scale plug&play x86 network appliance deployment over Internet (https://www.youtube.com/watch?v=6jhSvdnu4k0)
Peter Hessler, Using routing domains / routing tables in a production network (https://www.youtube.com/watch?v=BizrC8Zr-YY)
Ryan Lortie, a stitch in time: jhbuild (https://www.youtube.com/watch?v=YSVFnM3_2Ik)
Ted Unangst, signify: Securing OpenBSD From Us To You (https://www.youtube.com/watch?v=9R5s3l-0wh0)
Many more still to come...
***
Documenting my BSD experience (http://pid1.com/posts/post1.html)
Increasingly common scenario: a long-time Linux user (since the mid-90s) decides it's finally time to give BSD a try
"That night I came home, I had been trying to find out everything I could about BSD and I watched many videos, read forums, etc. One of the shows I found was BSD Now. I saw that they helped people and answered questions, so I decided to write in."
In this ongoing series of blog posts, a user named Michael writes about his initial experiences with trying different BSDs for some different tasks
The first post covers ZFS on FreeBSD, used to build a file server for his house (and of course he lists the hardware, if you're into that)
You get a glimpse of a brand new user trying things out, learning how great ZFS-based RAID arrays are and even some of the initial hurdles someone could run into
He's also looking to venture into the realm of replacing some of his VMs with jails and bhyve soon
His second post (http://pid1.com/posts/post2.html) explores replacing the firewall on his self-described "over complicated home network" with an OpenBSD box
After going from ipfwadmin to ipchains to iptables, not even making it to nftables, he found the simple PF syntax to be really refreshing
All the tools for his networking needs, the majority of which are in the base system, worked quickly and were easy to understand
Getting to hear experiences like this is very important - they show areas where all the BSD developers' hard work has paid off, but can also let us know where we need to improve
***
PC-BSD tries HardenedBSD builds (https://github.com/pcbsd/hardenedBSD-stable)
The PC-BSD team has created a new branch of their git repo with the HardenedBSD ASLR patches integrated
They're not the first major FreeBSD-based project to offer an alternate build - OPNsense did that (https://hardenedbsd.org/article/shawn-webb/2015-05-08/hardenedbsd-teams-opnsense) a few weeks ago - but this might open the door for more projects to give it a try as well
With Personacrypt, OpenNTPD, LibreSSL and recent Tor integration through the tools, these additional memory protections will offer PC-BSD users even more security that a default FreeBSD install won't have
Time will tell if more projects and products like FreeNAS might be interested too
***
C-states in OpenBSD (https://www.marc.info/?l=openbsd-cvs&m=143423172522625&w=2)
People who run BSD on their notebooks, you'll want to pay attention to this one
OpenBSD has recently committed some ACPI improvements for deep C-states (http://www.hardwaresecrets.com/article/Everything-You-Need-to-Know-About-the-CPU-C-States-Power-Saving-Modes/611), enabling the processor to enter a low-power mode
According (https://twitter.com/StevenUniq/status/610586711358316545) to a (https://www.marc.info/?l=openbsd-misc&m=143430996602802&w=2) few users (https://www.marc.info/?l=openbsd-misc&m=143429914700826&w=2) so far (https://www.marc.info/?l=openbsd-misc&m=143425943026225&w=2), the change has resulted in dramatically lower CPU temperatures on their laptops, as well as much better battery life
If you're running OpenBSD -current on a laptop, try out the latest snapshot and report back (https://www.marc.info/?l=openbsd-misc&m=143423391222952&w=2) with your findings
***
NetBSD at Open Source Conference 2015 Hokkaido (https://mail-index.netbsd.org/netbsd-advocacy/2015/06/13/msg000687.html)
The Japanese NetBSD users group never sleeps, and they've hit yet another open source conference
As is usually the case, lots of strange machines on display were running none other than NetBSD (though it was mostly ARM this time)
We'll be having one of these guys on the show next week to discuss some of the lesser-known NetBSD platforms
***
Interview - Marc Espie - espie@openbsd.org (mailto:espie@openbsd.org) / @espie_openbsd (https://twitter.com/espie_openbsd)
Recent (https://www.marc.info/?l=openbsd-ports&m=143051151521627&w=2) improvements (https://www.marc.info/?l=openbsd-ports&m=143151777209226&w=2) to OpenBSD's dpb (http://www.bsdnow.tv/tutorials/dpb) tool
News Roundup
Introducing xhyve, bhyve on OS X (https://github.com/mist64/xhyve/blob/master/README.md)
We've talked about FreeBSD's "bhyve" hypervisor a lot on the show, and now it's been ported to another OS
As the name "xhyve" might imply, it's a port of bhyve to Mac OS X
Currently it only has support for virtualizing a few Linux distributions, but more guest systems can be added in the future
It runs entirely in userspace, and has no extra requirements beyond OS X 10.10 or newer
There are also a few examples (http://www.pagetable.com/?p=831) on how to use it
***
4K displays on DragonFlyBSD (http://www.dragonflybsd.org/docs/newhandbook/docs/newhandbook/4KDisplays/)
If you've been using DragonFly as a desktop, maybe with those nice Broadwell graphics, you'll be pleased to know that 4K displays work just fine
Matthew Dillon wrote up a wiki page about some of the specifics, including a couple gotchas
Some GUI applications might look weird on such a huge resolution, HDMI ports are mostly limited to a 30Hz refresh rate, and there are slightly steeper hardware requirements for a smooth experience
***
Sandboxing port daemons on OpenBSD (http://coderinaworldofcode.blogspot.com/2015/06/chrooting-mumble-server-on-openbsd.html)
We talked about different containment methods last week, and mentioned that a lot of the daemons in OpenBSD's base are chrooted by default - things from ports or packages don't always get the same treatment
This blog post uses a mumble server as an example, but you can apply it to any service from ports that doesn't chroot by default
It goes through the process of manually building a sandbox with all the libraries you'll need to run the daemon, and this setup will even wipe and refresh the chroot every time you restart it
With a few small changes, similar tricks could be done on the other BSDs as well - everybody has chroots
***
SmallWall 1.8.2 released (http://smallwall.freeforums.net/thread/44/version-1-8-2-released)
SmallWall is a relatively new BSD-based project that we've never covered before
It's an attempt to keep the old m0n0wall codebase going, and appears to have started around the time m0n0wall called it quits
They've just released the first official version (http://www.smallwall.org/download.html), so you can give it a try now
If you're interested in learning more about SmallWall, the lead developer just might be on the show in a few weeks...
***
Feedback/Questions
David writes in (http://slexy.org/view/s21gRTNnk7)
Brian writes in (http://slexy.org/view/s2DdiMvELg)
Dan writes in (http://slexy.org/view/s2h4ZS6SMd)
Joel writes in (http://slexy.org/view/s20kA1jeXY)
Steve writes in (http://slexy.org/view/s2wJ9HP1bs)
***
93: Stacked in Our Favor
We're at BSDCan this week, but fear not! We've got a great interview with Sepherosa Ziehau, a DragonFly developer, about their network stack. After that, we'll be discussing different methods of containment and privilege separation. Assuming no polar bears eat us, we'll be back next week with more BSD Now - the place to B.. SD.
This episode was brought to you by
Interview - Sepherosa Ziehau - sephe@dragonflybsd.org (mailto:sephe@dragonflybsd.org)
Features of DragonFlyBSD's network stack
Discussion
Comparing containment methods and privilege separation
chroot, jails, systrace, capsicum, filesystem permissions, separating users
***
Feedback/Questions
Brad writes in (http://slexy.org/view/s2GjCsGPef)
Anonymous writes in (http://slexy.org/view/s21jj3QgTj)
Benjamin writes in (http://slexy.org/view/s2irrhYfPT)
Jeroen writes in (http://slexy.org/view/s21gtuqXAe)
***
92: BSD After Midnight
Coming up this week, we'll be chatting with Lucas Holt, founder of MidnightBSD. It's a slightly lesser-known fork of FreeBSD, with a focus on easy desktop use. We'll find out what's different about it and why it was created. Answers to your emails and all this week's news, on BSD Now - the place to B.. SD.
This episode was brought to you by
Headlines
Zocker, it's like docker on FreeBSD (http://toni.yweb.fi/2015/05/zocker-diy-docker-on-freebsd.html)
Containment is always a hot topic, and docker has gotten a lot of hype in Linux land in the last couple years - they're working on native FreeBSD support at the moment
This blog post is about a docker-like script, mainly for ease-of-use, that uses only jails and ZFS in the base system
In total, it's 1,500 lines of shell script (https://github.com/toddnni/zocker)
The post goes through the process of using the tool, showing off all the subcommands and explaining the configuration
In contrast to something like ezjail, Zocker utilizes the jail.conf system in the 10.x branch
***
Patrol Read in OpenBSD (https://www.marc.info/?l=openbsd-cvs&m=143285964216970&w=4)
OpenBSD has recently imported some new code to support the Patrol Read (http://www.intel.com/support/motherboards/server/sb/CS-028742.htm) function of some RAID controllers
In a nutshell, Patrol Read is a function that lets you check the health of your drives in the background, similar to a zpool "scrub" operation
The goal is to protect file integrity by detecting drive failures before they can damage your data
It detects bad blocks and prevents silent data corruption, while marking any bad sectors it finds
***
HAMMER 2 improvements (http://lists.dragonflybsd.org/pipermail/commits/2015-May/418653.html)
DragonFly BSD has been working on the second generation HAMMER FS
It now uses LZ4 compression by default, which we've been big fans of in ZFS
They've also switched to a faster CRC (http://lists.dragonflybsd.org/pipermail/commits/2015-May/418652.html) algorithm, further improving HAMMER's performance, especially (http://lists.dragonflybsd.org/pipermail/commits/2015-May/418651.html) when using iSCSI
***
FreeBSD foundation May update (https://www.freebsdfoundation.org/press/2015mayupdate.pdf)
The FreeBSD foundation has published another update newsletter, detailing some of the things they've been up to lately
In it, you'll find some development status updates: notably more ARM64 work and the addition of 64 bit Linux emulation
Some improvements were also made to FreeBSD's release building process for non-X86 architectures
There's also an AsiaBSDCon recap that covers some of the presentations and the dev events
They also have an accompanying blog post (http://freebsdfoundation.blogspot.com/2015/05/another-data-center-site-visit-nyi.html) where Glen Barber talks about more sysadmin and clusteradm work at NYI
***
Interview - Lucas Holt - questions@midnightbsd.org (mailto:questions@midnightbsd.org) / @midnightbsd (https://twitter.com/midnightbsd)
MidnightBSD
News Roundup
The launchd on train is never coming (http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/launchd-on-bsd.html)
Replacement of init systems has been quite controversial in the last few years
Fortunately, the BSDs have avoided most of that conflict thus far, but there have been a few efforts made to port launchd from OS X (https://en.wikipedia.org/wiki/Launchd)
This blog post details the author's opinion on why he thinks we're never going to have launchd in any of the BSDs
Email us your thoughts on the matter
***
Native SSH comes to… Windows (http://blogs.msdn.com/b/looking_forward_microsoft__support_for_secure_shell_ssh1/archive/2015/06/02/managing-looking-forward-microsoft-support-for-secure-shell-ssh.aspx)
In what may be the first (and last) mention of Microsoft on BSD Now...
They've just recently announced that PowerShell will get native SSH support in the near future
It's not based on the commercial SSH either, it's the same one from OpenBSD that we already use everywhere
Up until now, interacting between BSD and Windows has required something like PuTTY, WinSCP, FileZilla or Cygwin - most of which are based on really outdated versions
The announcement also promises that they'll be working with the OpenSSH community, so we'll see how many Microsoft-submitted patches make it upstream (or how many donations (http://www.openbsdfoundation.org/index.html) they make)
***
Moving to FreeBSD (http://www.textplain.net/blog/2015/moving-to-freebsd/)
This blog post describes a long-time Linux user's first BSD switching experience
The author first talks about his Linux journey, eventually coming to love the more customization-friendly systems, but the journey ended with systemd
After doing a bit of research, he gave FreeBSD a try and ended up liking it - the rest of the post mostly covers why that is
He also plans to write about his experience with other BSDs, and is writing some tutorials too - we'll check in with him again later on
***
Feedback/Questions
Adam writes in (http://slexy.org/view/s29hS2cI05)
Dan writes in (http://slexy.org/view/s20VRZYBsw)
Ivan writes in (http://slexy.org/view/s20bumJ5u9)
Josh writes in (http://slexy.org/view/s21BU6Pnka)
***
91: Vox Populi
This week on the show, we've got something pretty different. We went to a Linux convention and asked various people if they've ever tried BSD and what they know about it. Stay tuned for that, all this week's news and, of course, answers to your emails, on BSD Now - the place to B.. SD.
This episode was brought to you by
Headlines
LUKS in OpenBSD (https://www.marc.info/?l=openbsd-tech&m=143247114716771&w=2)
Last week, we were surprised to find out that DragonFlyBSD has support (http://leaf.dragonflybsd.org/cgi/web-man?command=cryptsetup&section=8) for dm-crypt (https://en.wikipedia.org/wiki/Dm-crypt), sometimes referred to as LUKS (Linux Unified Key Setup (https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup))
It looks like they might not be the only BSD with support for it for much longer, as OpenBSD is currently reviewing a patch for it as well
LUKS would presumably be an additional option in OpenBSD's softraid (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/softraid.4) system, which already provides native disk encryption
Support hasn't been officially committed yet, it's still going through testing, but the code is there if you want to try it out and report your findings
If enabled, this might pave the way for the first (semi-)cross platform encryption scheme since the demise of TrueCrypt (and maybe other BSDs will get it too in time)
***
FreeBSD gets 64bit Linux emulation (https://lists.freebsd.org/pipermail/svn-src-head/2015-May/072255.html)
For those who might be unfamiliar, FreeBSD has an emulation layer (https://www.freebsd.org/doc/handbook/linuxemu.html) to run Linux-only binaries (as rare as they may be)
The most common use case is for desktop users, enabling them to run proprietary applications like Adobe Flash or Skype
Similar systems can also be found in NetBSD (https://www.netbsd.org/docs/guide/en/chap-linux.html) and OpenBSD (http://www.openbsd.org/faq/faq9.html#Interact) (though disabled by default on the latter)
However, until now, it's only supported binaries compiled for the i386 architecture
This new update, already committed to -CURRENT, will open some new possibilities that weren't previously possible
Meanwhile, HardenedBSD considers removing the emulation layer (https://hardenedbsd.org/content/poll-linuxulator-removal) entirely
***
BSD at Open Source Conference 2015 Nagoya (https://mail-index.netbsd.org/netbsd-advocacy/2015/05/23/msg000686.html)
We've covered the Japanese NetBSD users group setting up lots of machines at various conferences in the past, but now they're expanding
Their latest report includes many of the NetBSD things you'd expect, but also a couple OpenBSD machines
Some of the NetBSD ones included a Power Mac G4, SHARP NetWalker, Cubieboard2 and the not-so-foreign Raspberry Pi
One new addition of interest is the OMRON LUNA88k, running the luna88k (http://www.openbsd.org/luna88k.html) port of OpenBSD
There was even an old cell phone running Windows games (https://twitter.com/tsutsuii/status/601458973338775553) on NetBSD
Check the mailing list post for some (https://pbs.twimg.com/media/CFrSmztWEAAS2uE.jpg) links (http://image.movapic.com/pic/m_201505230541335560130d49213.jpeg) to (http://image.movapic.com/pic/m_2015052305145455600ccea723a.jpeg) all (https://pbs.twimg.com/media/CFjPv9_UEAA8iEx.jpg:large) of (https://pbs.twimg.com/media/CD4k6ZUUMAA0tEM.jpg) the (https://pbs.twimg.com/media/CFqn1GXUsAAFuro.jpg) nice (https://pbs.twimg.com/media/CFdIS2IUkAAZvjc.jpg) pictures (https://pbs.twimg.com/media/CFf5mToUIAAFrRU.jpg)
***
LLVM introduces OpenMP support (http://blog.llvm.org/2015/05/openmp-support_22.html)
One of the things that has kept some people in the GCC camp is the lack of OpenMP (https://en.wikipedia.org/wiki/OpenMP) support in LLVM
According to the blog post, it "enables Clang users to harness full power of modern multi-core processors with vector units"
With Clang being the default in FreeBSD, Bitrig and OS X, and with some other BSDs exploring the option of switching, the need for this potential speed boost was definitely there
This could also open some doors for more BSD in the area of high performance computing, putting an end to the current Linux monopoly
***
Interview - Eric, FSF, John, Jose, Kris and Stewart
Various "man on the street" style mini-interviews
News Roundup
BSD-licensed gettext replacement (https://gitlab.com/worr/libintl/blob/master/src/usr.bin/gettext/gettext.c)
If you've ever installed ports on any of the BSDs, you've probably had GNU's gettext pulled in as a dependency
Wikipedia says "gettext is an internationalization and localization (i18n) system commonly used for writing multilingual programs on Unix-like computer operating systems"
A new BSD-licensed rewrite has begun, with the initial version being for NetBSD (but it's likely to be portable)
If you've got some coding skills, get involved with the project - the more freely-licensed replacements, the better
***
Unix history git repo (https://github.com/dspinellis/unix-history-repo)
A git repository was recently created to show off some Unix source code history
The repository contains 659 thousand commits and 2306 merges
You can see early 386BSD commits all the way up to some of the more modern FreeBSD code
If you want to browse through the giant codebase, it can be a great history lesson
***
PCBSD 10.1.2 and Lumina updates (http://blog.pcbsd.org/2015/05/hotfix-release-to-10-1-2-now-available/)
We mentioned 10.1.1 being released last week (and all the cool features a couple weeks before) but now 10.1.2 is out
This minor update contained a few hotfixes: RAID-Z installation, cache and log devices and the text-only installer in UEFI mode
There's also a new post (http://blog.pcbsd.org/2015/05/lumina-desktop-status-updatefaq/) on the PCBSD blog about Lumina, answering some frequently asked questions and giving a general status update
***
Feedback/Questions
Jake writes in (http://slexy.org/view/s25h4Biwzq)
Van writes in (http://slexy.org/view/s2AF0bGmL6)
Anonymous writes in (http://slexy.org/view/s20Ie1USFD)
Dominik writes in (http://slexy.org/view/s20vBtoKqL) (text answer (http://slexy.org/view/s20RjbIT5v))
Chris writes in (http://slexy.org/view/s20USR3WzT)
***
Mailing List Gold
Death by chocolate (https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-May/033945.html)
***
90: ZFS Armistice
This time on the show, we'll be chatting with Jed Reynolds about ZFS. He's been using it extensively on a certain other OS, and we can both learn a bit about the other side's implementation. Answers to your questions and all this week's news, coming up on BSD Now - the place to B.. SD.
This episode was brought to you by
Headlines
Playing with sandboxing (http://blog.conviso.com.br/2015/05/playing-with-sandbox-analysis-of_13.html)
Sandboxing and privilege separation are popular topics these days - they're the goal of the new "shill" scripting language, they're used heavily throughout OpenBSD, and they're gaining traction with the capsicum framework
This blog post explores capsicum in FreeBSD, some of its history and where it's used in the base system
They also include some code samples so you can verify that capsicum is actually denying the program access to certain system calls
Check our interview about capsicum (http://www.bsdnow.tv/episodes/2014_05_28-the_friendly_sandbox) from a while back if you haven't seen it already
***
OpenNTPD on by default (https://www.marc.info/?l=openbsd-cvs&m=143195693612629&w=4)
OpenBSD has enabled ntpd (http://www.bsdnow.tv/episodes/2015_02_11-time_for_a_change) by default in the installer, rather than prompting the user if they want to turn it on
In nearly every case, you're going to want to have your clock synced via NTP
With the HTTPS constraints feature also enabled by default, this should keep the time checked and accurate, even against spoofing attacks
Lots of problems can be traced back to the time on one system or another being wrong, so this will also eliminate some of those cases
For those who might be curious (http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/ntpd.conf), they're using the "pool.ntp.org (http://www.pool.ntp.org/en/)" cluster of addresses and Google for HTTPS constraints (but these can be easily changed (http://www.bsdnow.tv/tutorials/ntpd))
***
FreeBSD workshop in Landshut (https://www.banym.de/freebsd/review-first-freebsd-workshop-in-landshut-on-15-may-2015)
We mentioned a BSD installfest happening in Germany a few weeks back, and the organizer wrote in with a review of the event
The installfest instead became a "FreeBSD workshop" session, introducing curious new users to some of the flagship features of the OS
They covered when to use UFS or ZFS, firewall options, the release/stable/current branches and finally how to automate installations with Ansible
If you're in south Germany and want to give similar introduction talks or Q&A sessions about the other BSDs, get in touch
We'll hear more from him about how it went in the feedback section today
***
Swap encryption in DragonFly (http://lists.dragonflybsd.org/pipermail/users/2015-May/207690.html)
Doing full disk encryption (http://www.bsdnow.tv/tutorials/fde) is very important, but something that people sometimes overlook is encrypting their swap
This can actually be more important than the contents of your disks, especially if an unencrypted password or key hits your swap (as it can be recovered quite easily)
DragonFlyBSD has added a new experimental option to automatically encrypt your swap partition in fstab
There was another way (http://lists.dragonflybsd.org/pipermail/users/2015-May/207691.html) to do it previously, but this is a lot easier
You can achieve similar results in FreeBSD by adding ".eli" to the end of the swap device in fstab, there are a few steps (https://www.netbsd.org/docs/misc/#cgd-swap) to do it in NetBSD and swap in OpenBSD is encrypted by default
A one-time key will be created and then destroyed in each case, making recovery of the plaintext nearly impossible
***
Interview - Jed Reynolds - jed@bitratchet.com (mailto:jed@bitratchet.com) / @jed_reynolds (https://twitter.com/jed_reynolds)
Comparing ZFS on Linux and FreeBSD
News Roundup
USB thermometer on OpenBSD (http://www.cambus.net/rding-temper-gold-usb-thermometer-on-openbsd/)
So maybe you've got BSD on your server or router, maybe NetBSD on a toaster, but have you ever used a thermometer with one?
This blog post introduces the RDing TEMPer Gold USB thermometer, a small device that can tell the room temperature, and how to get it working on OpenBSD
Wouldn't you know it, OpenBSD has a native "ugold (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/ugold.4)" driver to support it with the sensors framework
How useful such a device would be is another story though
***
NAS4Free now on ARM (http://sourceforge.net/projects/nas4free/files/NAS4Free-ARM/10.1.0.2.1511/)
We talk a lot about hardware for network-attached storage devices on the show, but ARM doesn't come up a lot
That might be changing soon, as NAS4Free has just released some ARM builds
These new (somewhat experimental) images are based on FreeBSD 11-CURRENT
Included in the announcement is a list of fully-supported and partially-supported hardware that they've tested it with
If anyone has experience with running a NAS on slightly exotic hardware, write in to us
***
pkgsrcCon 2015 CFP and info (http://pkgsrc.pub/pkgsrcCon/2015/)
This year's pkgsrcCon will be in Berlin, Germany on July 4th and 5th (https://mail-index.netbsd.org/pkgsrc-users/2015/05/16/msg021560.html)
They're looking for talk proposals and ideas for things you'd like to see
If you or your company uses pkgsrc, or if you're just interested in NetBSD in general, it would be a good event to check out
***
BSDTalk episode 253 (http://bsdtalk.blogspot.com/2015/05/bsdtalk253-george-neville-neil.html)
BSDTalk has released another new episode
In it, he interviews George Neville-Neil about the 2nd edition of "The Design and Implementation of the FreeBSD Operating System"
They discuss what's new since the last edition, who the book's target audience is and a lot more
We're up to 90 episodes now, slowly catching up to Will...
***
Feedback/Questions
Dominik writes in (http://slexy.org/view/s2SWlyuOeb)
Brad writes in (http://slexy.org/view/s216z44lDU)
Corvin writes in (http://slexy.org/view/s2djtX0dSE)
James writes in (http://slexy.org/view/s21XM4hPRh)
***
89: Exclusive Disjunction
This week on the show, we'll be talking to Mike Larkin about various memory protections in OpenBSD. We'll cover recent W^X improvements, SSP, ASLR, PIE and all kinds of acronyms! We've also got a bunch of news and answers to your questions, coming up on BSD Now - the place to B.. SD.
This episode was brought to you by
Headlines
OpenSMTPD for the whole family (http://homing-on-code.blogspot.com/2015/05/accept-from-any-for-any-relay-via.html)
Setting up a BSD mail server is something a lot of us are probably familiar with doing, at least for our own accounts
This article talks about configuring a home mail server too, but even for the other people you live with
After convincing his wife to use their BSD-based Owncloud server for backups, the author talks about moving her over to his brand new OpenSMTPD server too
If you've ever run a mail server and had to deal with greylisting, you'll appreciate the struggle he went through
In the end, BGP-based list distribution saved the day, and his family is being served well by a BSD box
***
NetBSD on the Edgerouter Lite (https://blog.netbsd.org/tnf/entry/hands_on_experience_with_edgerouter)
We've talked a lot about building your own BSD-based router on the show, but not many of the devices we mention are in the same price range as consumer devices
The EdgeRouter Lite, a small MIPS-powered machine, is starting to become popular (and is a bit cheaper)
A NetBSD developer has been hacking on it, and documents the steps to get a working install in this blog post
The process is fairly simple, and you can cross-compile (http://www.bsdnow.tv/tutorials/current-nbsd) your own installation image on any CPU architecture (even from another BSD!)
OpenBSD and FreeBSD also have some (http://www.openbsd.org/octeon.html) support (http://rtfm.net/FreeBSD/ERL/) for these devices
***
Bitrig at NYC*BUG (https://www.youtube.com/watch?v=h4FhgBdYSUU)
The New York City BSD users group has semi-regular meetings with presentations, and this time the speaker was John Vernaleo
John discussed Bitrig (http://www.bsdnow.tv/episodes/2014_12_10-must_be_rigged), an OpenBSD fork that we've talked about a couple times on the show
He talks about what they've been up to lately, why they're doing what they're doing, and differences in supported platforms
Ports and packages between the two projects are almost exactly the same, but he covers the differences in the base systems, how (some) patches get shared between the two and finally some development model differences
***
OPNsense, meet HardenedBSD (https://hardenedbsd.org/article/shawn-webb/2015-05-08/hardenedbsd-teams-opnsense)
Speaking of forks, two FreeBSD-based forked projects we've mentioned on the show, HardenedBSD (http://www.bsdnow.tv/episodes/2014_08_27-reverse_takeover) and OPNsense (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach), have decided to join forces
Backporting their changes to the 10-STABLE branch, HardenedBSD hopes to introduce some of their security additions to the OPNsense codebase
Paired up with LibreSSL, this combination should offer a good solution for anyone wanting a BSD-based firewall with an easy web interface
We'll cover more news on the collaboration as it comes out
***
Interview - Mike Larkin - mlarkin@openbsd.org (mailto:mlarkin@openbsd.org) / @mlarkin2012 (https://twitter.com/mlarkin2012)
Memory protections in OpenBSD: W^X (https://en.wikipedia.org/wiki/W%5EX), ASLR (https://en.wikipedia.org/wiki/Address_space_layout_randomization), PIE (https://en.wikipedia.org/wiki/Position-independent_code), SSP (https://en.wikipedia.org/wiki/Buffer_overflow_protection)
News Roundup
A closer look at FreeBSD (http://www.techopedia.com/2/31035/software/a-closer-look-at-freebsd)
The week wouldn't be complete without at least one BSD article making it to a mainstream tech site
This time, it's a high-level overview of FreeBSD, some of its features and where it's used
Being that it's an overview article on a more mainstream site, you won't find anything too technical - it covers some BSD history, stability, ZFS, LLVM and Clang, ports and packages, jails and the licensing
If you have any BSD-curious Linux friends, this might be a good one to send to them
***
Linksys NSLU2 and NetBSD (http://ramblingfoo.blogspot.com/2015/05/linksys-nslu2-adventures-into-netbsd.html)
The Linksys NSLU2 is a proprietary network-attached storage device introduced back in 2004
"About 2 months ago I set a goal to run some kind of BSD on the spare Linksys NSLU2 I had. This was driven mostly by curiosity, after listening to a few BSDNow episodes and becoming a regular listener [...]"
After doing some research, the author of this post discovered that he could cross-compile NetBSD for the device straight from his Linux box
If you've got one of these old devices kicking around, check out this write-up and get some BSD action on there
***
OpenBSD disklabel templates (http://blog.jeffreyforman.net/2015/05/09/from-0-to-an-openbsd-install-with-no-hands-and-a-custom-disk-layou)
We've covered OpenBSD's "autoinstall" feature for unattended installations in the past, but one area where it didn't offer a lot of customization was with the disk layout
With a few recent changes (http://undeadly.org/cgi?action=article&sid=20150505123418), there are now a series of templates you can use for a completely customized partition scheme
This article takes you through the process of configuring an autoinstall answer file and adding the new section for disklabel
Combine this new feature with our -stable iso tutorial (http://www.bsdnow.tv/tutorials/stable-iso), and you could deploy completely patched and customized images en
masse pretty easily *** FreeBSD native ARM builds (https://svnweb.freebsd.org/base?view=revision&revision=282693) FreeBSD -CURRENT builds for the ARM CPU architecture can now be built natively, without utilities that aren't part of base Some of the older board-specific kernel configuration files have been replaced, and now the "IMC6" target is used This goes along with what we read in the most recent quarterly status report - ARM is starting to get treated as a first class citizen *** Feedback/Questions Sean writes in (http://slexy.org/view/s2088U2OjO) Ron writes in (http://slexy.org/view/s29ZKhQKOz) Charles writes in (http://slexy.org/view/s2NCVHEKt1) Bostjan writes in (http://slexy.org/view/s2mGRoKo5G) ***
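An added example for the memory-protection topics of this episode's interview (W^X and the NX bit), written for this page rather than taken from OpenBSD or from the interview: it shows the write-then-execute discipline a program that generates code at runtime has to follow under W^X, what happens when the same bytes are fetched from a page that is only writable, and the writable-and-executable mapping that W^X exists to forbid. The "return 42" machine-code stubs, the signal catching and the page handling are this example's own; whether the kernel grants the W+X request depends on the system, so the program only reports that.

```c
/* Added example (not OpenBSD's code): what W^X and NX mean to a program that
 * generates machine code at runtime. The stubs are "return 42" for x86-64 and
 * AArch64; on other CPUs the stub runners return -1. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__x86_64__)
static const uint8_t stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };             /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t stub[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
static const uint8_t stub[] = { 0x00 };
#define NO_STUB 1
#endif

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Fresh anonymous RW page with the stub copied in (writing needs PROT_WRITE). */
static uint8_t *page_with_stub(size_t pg)
{
    uint8_t *p = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, stub, sizeof stub);
    /* AArch64 needs the I-cache made coherent with what we just wrote; no-op on x86. */
    __builtin___clear_cache((char *)p, (char *)p + sizeof stub);
    return p;
}

static int call_page(uint8_t *p)
{
    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn); /* object pointer -> function pointer without a cast */
    return fn();
}

/* The W^X-compliant JIT pattern: RW while writing, then RX while executing.
 * The page is never writable and executable at the same time. */
int run_stub_wx_safe(void)
{
#ifdef NO_STUB
    return -1;
#else
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *p = page_with_stub(pg);
    if (p == NULL)
        return -1;
    if (mprotect(p, pg, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, pg);
        return -1;
    }
    int r = call_page(p);
    munmap(p, pg);
    return r;
#endif
}

/* Fetch the same bytes while the page is still only RW. With NX enforced the
 * CPU faults on the instruction fetch (SIGSEGV, SIGBUS on some systems); we
 * catch it and return 0. Without NX this would simply return 42. */
int run_stub_from_rw_page(void)
{
#ifdef NO_STUB
    return -1;
#else
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *p = page_with_stub(pg);
    if (p == NULL)
        return -1;
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int r = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        r = call_page(p);
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(p, pg);
    return r;
#endif
}

/* The mapping W^X forbids: writable and executable at once. 1 = kernel allowed it. */
int kernel_allows_wx_page(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, pg);
    return 1;
}

int main(void)
{
    printf("W^X-safe path: %d\nfetch from RW page: %d (0 = NX fault caught)\nRWX page allowed: %d\n",
           run_stub_wx_safe(), run_stub_from_rw_page(), kernel_allows_wx_page());
    return 0;
}
```

The point of the third function is the one to watch on your own system: a W^X-enforcing kernel refuses that mapping outright, which is what breaks a JIT that was never written with the first function's discipline in mind.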
88: Below the Clouds
This time on the show, we'll be talking with Ed Schouten about CloudABI. It's a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week's BSD news and answers to your emails, on BSD Now - the place to B.. SD.

Headlines

FreeBSD quarterly status report (https://www.freebsd.org/news/status/report-2015-01-2015-03.html)
- The FreeBSD team has posted a report of the activities that went on between January and March of this year
- As usual, it's broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc)
- The ports team continued battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter
- The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward
- FreeBSD's future release support model was also finalized and published in February, which should be a big improvement for both users and the release team
- Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code
- Lots of activity is happening in bhyve, some of which we've covered recently (http://www.bsdnow.tv/episodes/2015_04_29-on_the_list), and a number of improvements were made this quarter
- Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT
- Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being
- The project to replace Forth in the bootloader with Lua is in its final stages, and can be used on x86 already
- ASLR work (http://www.bsdnow.tv/episodes/2014_08_27-reverse_takeover) is still being done by the HardenedBSD guys, and their next aim is position-independent executables
- The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more
- Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64)
***

OpenBSD 5.7 released (http://www.openbsd.org/57.html)
- OpenBSD has formally released another new version, complete with the giant changelog we've come to expect
- In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs
- If you're using one of the Soekris boards, there's even a new driver (http://bodgitandscarper.co.uk/openbsd/further-soekris-net6501-improvements-for-openbsd/) to manipulate the GPIO and LEDs on them - this has some fun possibilities
- Some new security improvements include: SipHash (https://en.wikipedia.org/wiki/SipHash) being sprinkled in some areas to protect hashing functions, big W^X improvements (https://www.marc.info/?l=openbsd-tech&m=142120787308107&w=2) in the kernel space, static PIE (http://www.bsdnow.tv/episodes/2015_04_15-pie_in_the_sky) on all architectures, deterministic "random" functions being replaced (https://www.marc.info/?l=openbsd-tech&m=141807224826859&w=2) with strong randomness, and support for remote logging over TLS
- The entire source tree has also been audited to use reallocarray (http://lteo.net/blog/2014/10/28/reallocarray-in-openbsd-integer-overflow-detection-for-free/), which unintentionally saved (https://splone.com/blog/2015/3/11/integer-overflow-prevention-in-c) OpenBSD's libc from being vulnerable to earlier attacks (https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/) affecting other BSDs' implementations
- Being that it's OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL)
- Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore - very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily
- BIND and nginx have been taken out, so you'll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon
- Speaking of httpd, it's gotten a number of new (http://www.openbsd.org/papers/httpd-slides-asiabsdcon2015.pdf) features (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/httpd.conf.5), and has had time to grow and mature since its initial debut - if you've been considering trying it out, now would be a great time to do so
- This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc (http://www.bsdnow.tv/episodes/2014_11_12-a_mans_man)
- Check the errata page (http://www.openbsd.org/errata57.html) for any post-release fixes, and the upgrade guide (http://www.openbsd.org/faq/upgrade57.html) for specific instructions on updating from 5.6
- Groundwork has also been laid for some major SMP scalability improvements - look forward to those in future releases
- There's a song and artwork (http://www.openbsd.org/lyrics.html#57) to go along with the release as always, and CDs should be arriving within a few days - we'll show some pictures next week
- Consider picking one up (https://www.openbsdstore.com) to support the project (and it's the only way to get puffy stickers)
- For those of you paying close attention, the banner image (http://www.openbsd.org/images/puffy57.gif) for this release just might remind you of a certain special episode (http://www.bsdnow.tv/episodes/2014_09_03-its_hammer_time) of BSD Now...
***

Tor-BSD diversity project (https://torbsd.github.io/)
- We've talked about Tor on the show a few times, and specifically about getting more of the network on BSD (Linux has an overwhelming majority right now)
- A new initiative has started to do just that, called the Tor-BSD diversity project
- "Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. Diversity means single vulnerabilities are less likely to harm the entire ecosystem. [...] A single kernel vulnerability in GNU/Linux impacting Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity."
- In addition to encouraging people to put up more relays, they're also continuing work on porting the Tor Browser Bundle to BSD, so more desktop users can have easy access to online privacy
- There's an additional progress report (http://trac.haqistan.net/blog/tor-browser-ports-progress) for that part specifically, and it looks like most of the work is done now
- Engaging the broader BSD community about Tor and fixing up the official documentation are also both on their todo list
- If you've been considering running a node to help out, there's always our handy tutorial (http://www.bsdnow.tv/tutorials/tor) on getting set up
***

PC-BSD 10.1.2-RC1 released (http://blog.pcbsd.org/2015/05/pc-bsd-10-1-2-rc1-now-available/)
- If you want a sneak peek at the upcoming PC-BSD 10.1.2, the first release candidate is now available to grab
- This quarterly update includes a number of new features, improvements and even some additional utilities
- PersonaCrypt is one of them - it's a new tool for easily migrating encrypted home directories between systems
- A new "stealth mode" option allows for a one-time login, using a blank home directory that gets wiped after use
- Similarly, a new "Tor mode" allows for easy tunneling of all your traffic through the Tor network
- IPFW is now the default firewall, offering improved VIMAGE capabilities
- The life preserver backup tool now allows for bare-metal restores via the install CD
- ISC's NTP daemon has been replaced with OpenNTPD (http://www.bsdnow.tv/episodes/2015_02_11-time_for_a_change), and OpenSSL has been replaced with LibreSSL (http://www.bsdnow.tv/episodes/2015_03_25-ssl_in_the_wild)
- It also includes the latest Lumina (http://www.bsdnow.tv/episodes/2014_09_10-luminary_environment) desktop, and there's another post dedicated to that (http://blog.pcbsd.org/2015/05/pc-bsd-10-1-2-rc1-lumina-desktop-0-8-4-released/)
- Binary packages have also been updated to fresh versions from the ports tree
- More details, including upgrade instructions, can be found in the linked blog post
***

Interview - Ed Schouten - ed@freebsd.org (mailto:ed@freebsd.org) / @edschouten (https://twitter.com/edschouten)
CloudABI (https://www.bsdcan.org/2015/schedule/track/Security/524.en.html)

News Roundup

Open Household Router Contraption (http://code.saghul.net/index.php/2015/05/01/announcing-the-open-household-router-contraption/)
- This article introduces OpenHRC, the "Open Household Router Contraption"
- In short, it's a set of bootstrapping scripts to turn a vanilla OpenBSD install into a feature-rich gateway device
- It also makes use of Ansible playbooks for configuration, allowing for a more "mass deployment" type of setup
- Everything is configured via a simple text file, and you end up with a local NTP server, DHCP server, firewall (obviously) and local caching DNS resolver - it even does DNSSEC validation
- All the code is open source and on Github (https://github.com/ioc32/openhrc), so you can read through what's actually being changed and put in place
- There's also a video guide (https://www.youtube.com/watch?v=LZeKDM5jc90) to the entire process, if you're more of a visual person
***

OPNsense 15.1.10 released (https://forum.opnsense.org/index.php?topic=365.0)
- Speaking of BSD routers, if you're looking for a "prebuilt and ready to go" option, OPNsense has just released a new version
- 15.1.10 drops some of the legacy patches they inherited from pfSense, aiming to stay closer to the mainline FreeBSD source code
- Going along with this theme, they've redone how they do ports, which are now kept totally in sync with the regular ports tree
- Their binary packages are now signed using the fingerprint-style method, various GUI menus have been rewritten and a number of other bugs were fixed
- NanoBSD-based images are also available now, so you can try it out on hardware with constrained resources as well
- Version 15.1.10.1 (https://twitter.com/opnsense/status/596009164746432512) was released shortly thereafter, including a hotfix for VLANs
***

IBM Workpad Z50 and NetBSD (https://www.ibm.com/developerworks/community/blogs/hpcgoulash/entry/ibm_workpad_z50_netbsd_an_interesting_combination1?lang=en)
- Before the infamous netbook fad came and went, IBM had a handheld PDA device that looked pretty much the same
- Back in 1999, they released the Workpad Z50 (http://www.hpcfactor.com/reviews/hardware/ibm/workpad-z50/) with Windows CE, sporting a 131MHz MIPS CPU, 16MB of RAM and a 640x480 display
- You can probably tell where this is going... the article is about installing NetBSD on it
- "What prevents me from taking my pristine Workpad z50 to the local electronics recycling facility is NetBSD. With a little effort it is possible to install recent versions of NetBSD on the Workpad z50 and even have XWindows running"
- The author got pkgsrc up and running on it too, and cleverly used distcc to offload the compiling jobs to something a bit more modern
- He's also got a couple (https://www.youtube.com/watch?v=hSLVnSZKB9I) of videos (https://www.youtube.com/watch?v=mIA-NWEHLM4) of the bootup process and running Xorg (neither of which we'd call "speedy" by any stretch of the imagination)
***

FreeBSD from the trenches (http://freebsdfoundation.blogspot.com/2015/04/from-trenches-tips-tricks-edition.html)
- The FreeBSD foundation has a new blog post up in their "from the trenches" series, detailing FreeBSD in some real-world use cases
- In this installment, Glen Barber talks about how he sets up all his laptops with ZFS and GELI
- While the installer allows for an automatic ZFS layout, Glen notes that it's not a one-size-fits-all thing, and goes through doing everything manually
- Each command is explained, and he walks you through the process of doing an encrypted installation (http://www.bsdnow.tv/tutorials/fde) on your root zpool
***

Broadwell in DragonFly (http://lists.dragonflybsd.org/pipermail/users/2015-May/207671.html)
- DragonFlyBSD has officially won the race to get an Intel Broadwell graphics driver
- Their i915 driver has been brought up to speed with Linux 3.14's, adding not only Broadwell support, but many other bugfixes for other cards too
- It's planned for commit to the main tree very soon, but you can test it out with a git branch for the time being
***

Feedback/Questions
- Bostjan writes in (http://slexy.org/view/s216QQcHyX)
- Hunter writes in (http://slexy.org/view/s21hGSk3c0)
- Hrishi writes in (http://slexy.org/view/s20JwPw9Je)
- Clint writes in (http://slexy.org/view/s2x1GYr7y6)
- Sergei writes in (http://slexy.org/view/s2swXxr2PX)
***

Mailing List Gold
- How did you guess (https://lists.freebsd.org/pipermail/freebsd-advocacy/2015-May/004541.html)
***
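The reallocarray audit in this episode's OpenBSD 5.7 headline is about a single arithmetic mistake, so here is what it looks like in code. This is an added example, not OpenBSD's libc: a naive `nmemb * size` that silently wraps, an overflow test written to match the one reallocarray(3) is documented to perform, and a record-table growth routine built on top of it. The table type and the sizes fed to it are constructed for the demonstration.

```c
/* Added example (not OpenBSD's libc): the integer-overflow class that the
 * reallocarray() audit removed. nmemb * size in size_t wraps modulo 2^bits,
 * so malloc(n * sizeof *p) can return a tiny buffer that the caller then
 * fills with n elements: a heap overflow with no allocation failure to notice. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The overflow-prone idiom, isolated so the wrapped value can be inspected. */
size_t naive_bytes(size_t nmemb, size_t size)
{
    return nmemb * size; /* wraps silently; no error is ever reported */
}

/* Overflow test in the style of OpenBSD's reallocarray(3): if both operands
 * are below 2^(bits/2) the product cannot overflow, so the (slower) division
 * is only performed for large operands. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

void *checked_reallocarray(void *optr, size_t nmemb, size_t size)
{
    if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
        nmemb > 0 && SIZE_MAX / nmemb < size) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(optr, nmemb * size);
}

/* A growable table of fixed-size records, the shape of code the audit touched.
 * (Constructed for the example; 4-byte records keep the arithmetic visible.) */
struct table {
    uint32_t *slots;
    size_t    count;
};

/* Returns 0 on success, -1 with errno = ENOMEM when the request cannot be
 * satisfied, including the case where nmemb * size would have wrapped.
 * On failure the table is left untouched. */
int table_grow(struct table *t, size_t new_count)
{
    uint32_t *p = checked_reallocarray(t->slots, new_count, sizeof *p);
    if (p == NULL)
        return -1;
    /* zero the newly added tail so the table never exposes stale heap */
    if (new_count > t->count)
        memset(p + t->count, 0, (new_count - t->count) * sizeof *p);
    t->slots = p;
    t->count = new_count;
    return 0;
}
```

With the same `new_count` that makes `naive_bytes()` wrap to a handful of bytes, `table_grow()` fails cleanly instead of handing back a buffer a fraction of the size the caller believes it has; that difference, applied tree-wide, is what kept the regex bug off OpenBSD's list.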
87: On the List
Coming up this time on the show, we'll be speaking with Christos Zoulas, a NetBSD security officer. He's got a new project called blacklistd, with some interesting possibilities for stopping bruteforce attacks. We've also got answers to your emails and all this week's news, on BSD Now - the place to B.. SD.

Headlines

New PAE support in OpenBSD (https://www.marc.info/?l=openbsd-cvs&m=142990524317070&w=2)
- OpenBSD has just added Physical Address Extension (https://en.wikipedia.org/wiki/Physical_Address_Extension) support to the i386 architecture, but it's probably not what you'd think of when you hear the term
- In most operating systems, PAE's main advantage is to partially circumvent the 4GB memory limit on 32 bit platforms - this version isn't for that
- Instead, this change specifically allows the system to use the No-eXecute bit (https://en.wikipedia.org/wiki/NX_bit#OpenBSD) of the processor for the userland, further hardening the in-place memory protections
- PAE is involved because of the page table entry (https://en.wikipedia.org/wiki/Page_table#Role_of_the_page_table) format: a legacy i386 entry is 32 bits wide with every bit already assigned, while PAE entries are 64 bits wide and carry the NX bit in bit 63, so enabling PAE is the only way for an i386 kernel to mark a page non-executable
- OpenBSD takes the wider entries for the sake of the NX bit without using them to address more than 4GB, which is not the usual reason for turning PAE on
- As we discussed in a previous episode (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach), the AMD64 platform already saw some major W^X kernel and userland improvements - the i386 kernel reworking will begin shortly
- Not all CPUs support this feature, but, if yours supports NX, this will improve upon the previous version of W^X that was already there
- The AMD64 improvements will be in 5.7, due out in just a couple of days as of when we're recording this, but the i386 improvements will likely be in 5.8
***

Booting Windows in bhyve (https://twitter.com/nahannisys/status/591733319357730816)
- Work on FreeBSD's bhyve (http://www.bsdnow.tv/episodes/2014_01_15-bhyve_mind) continues, and a big addition is on the way
- Thus far, bhyve has only been able to boot operating systems with a serial console - no VGA, no graphics, no Windows
- This is finally changing, and a teasing screenshot of Windows Server was recently posted on Twitter
- Graphics emulation is still in the works; this image was taken by booting headless and using RDP
- A lot of the needed code is being committed to -CURRENT now, but the UEFI portion of it requires a bit more development (and the aim for that is around the time of BSDCan)
- Not a lot of details on the matter currently, but we'll be sure to bring you more info as it comes out
- Are you more interested in bhyve or Xen on FreeBSD? Email us your thoughts
***

MidnightBSD 0.6 released (http://www.midnightbsd.org/notes/)
- MidnightBSD is a smaller project we've not covered a lot on the show before
- It's an operating system that was forked from FreeBSD back in the 6.1 days, and their focus seems to be on ease-of-use
- They also have their own, smaller version of FreeBSD ports, called "mports"
- If you're already using it, this new version is mainly a security and bugfix release
- It syncs up with the most recent FreeBSD security patches and gets a lot of their ports closer to the latest versions
- You can check their site (http://www.midnightbsd.org/about/) for more information about the project
- We're trying to get the lead developer to come on for an interview, but haven't heard anything back yet
***

OpenBSD rewrites the file utility (https://www.marc.info/?l=openbsd-cvs&m=142989267412968&w=4)
- We're all probably familiar with the traditional file (https://en.wikipedia.org/wiki/File_%28command%29) command - it's been around since the 1970s (http://darwinsys.com/file/)
- For anyone who doesn't know, it's used to determine what type of file something actually is
- This tool doesn't see a lot of development these days, and it's had its share of security issues as well
- Some of those security issues remain (https://www.marc.info/?l=openbsd-tech&m=141857001403570&w=2) unfixed (https://www.marc.info/?l=freebsd-security&m=142980545021888&w=2) in various BSDs even today, despite being publicly known for a while
- It's not uncommon for people to run file on random things they download from the internet, maybe even as root, and some of the previous bugs have allowed file to overwrite other files or execute code as the user running it
- When you think about it, file was technically designed to be used on untrusted files
- OpenBSD developer Nicholas Marriott, who also happens to be the author of tmux, decided it was time to do a complete rewrite - this time with modern coding practices and the usual OpenBSD scrutiny
- This new version will, by default, run as an unprivileged user (https://www.marc.info/?l=openbsd-cvs&m=143014212727213&w=2) with no shell, and in a systrace sandbox (https://www.marc.info/?l=openbsd-cvs&m=143014276127454&w=2), strictly limiting what system calls can be made
- With these two things combined, it should drastically reduce the damage a malicious file could potentially do
- Ian Darwin, the original author of the utility, saw the commit and replied (https://www.marc.info/?l=openbsd-cvs&m=142989483913635&w=4), in what may be a moment in BSD history to remember
- It'll be interesting to see if the other BSDs, OS X, Linux or other UNIXes consider adopting this implementation in the future - someone's already thrown together an unofficial portable version
- Coincidentally, the lead developer and current maintainer of file just happens to be our guest today…
***

Interview - Christos Zoulas - christos@netbsd.org (mailto:christos@netbsd.org)
blacklistd (https://www.youtube.com/watch?v=0UKCAsezF3Q) and NetBSD advocacy

News Roundup

GSoC-accepted BSD projects (https://www.google-melange.com/gsoc/projects/list/google/gsoc2015)
- The Google Summer of Code people have published a list of all the projects that got accepted this year, and both FreeBSD and OpenBSD are on that list
- FreeBSD's list (https://wiki.freebsd.org/SummerOfCode2015Projects) includes: NE2000 device model in userspace for bhyve, updating Ficl in the bootloader, type-aware kernel virtual memory access for utilities, JIT compilation for firewalls, test cluster automation, Linux packages for pkgng, an mtree parsing and manipulation library, porting bhyve to ARM-based platforms, CD-ROM emulation in CTL, libc security extensions, gptzfsboot support for dynamically discovering BEs during startup, CubieBoard support, a bhyve version of the netmap virtual passthrough for VMs, PXE support for FreeBSD guests in bhyve and finally.. memory compression and deduplication
- OpenBSD's list (http://www.openbsdfoundation.org/gsoc2015.html) includes: asynchronous USB transfer submission from userland, ARM SD/MMC & controller driver in libsa, improving USB userland tools and ioctl, automating module porting, implementing a KMS driver in the kernel and, wait for it... porting HAMMER FS to OpenBSD
- We'll be sure to keep you up to date on developments from both projects
- Hopefully the other BSDs will make the cut too next year
***

FreeBSD on the Gumstix Duovero (http://www.jumpnowtek.com/gumstix-freebsd/FreeBSD-Duovero-build-workstation-setup.html)
- If you're not familiar with the Gumstix Duovero, it's a dual-core ARM-based computer-on-module (https://store.gumstix.com/index.php/coms/duovero-coms.html)
- They actually look more like a stick of RAM than a mini-computer
- This article shows you how to build a FreeBSD -CURRENT image to run on them, using crochet-freebsd (https://github.com/freebsd/crochet)
- If anyone has any interesting devices like this that they use BSD on, write up something about it and send it to us
***

EU study recommends OpenBSD (https://joinup.ec.europa.eu/community/osor/news/ep-study-%E2%80%9Ceu-should-finance-key-open-source-tools%E2%80%9D)
- A recent study by the European Parliament was published, explaining that more funding should go into critical open source projects and tools
- This is especially important, in all countries, after the mass surveillance documents came out
- "[...] the use of open source computer operating systems and applications reduces the risk of privacy intrusion by mass surveillance. Open source software is not error free, or less prone to errors than proprietary software, the experts write. But proprietary software does not allow constant inspection and scrutiny by a large community of experts."
- The report goes on to mention users becoming more and more security and privacy-aware, installing additional software to help protect themselves and their traffic from being spied on
- Alongside Qubes, a Linux distro focused on containment and isolation, OpenBSD got a special mention: "Proactive security and cryptography are two of the features highlighted in the product together with portability, standardisation and correctness. Its built-in cryptography and packet filter make OpenBSD suitable for use in the security industry, for example on firewalls, intrusion-detection systems and VPN gateways"
- Reddit, Undeadly and Hacker News also had (https://www.reddit.com/r/programming/comments/340xh3/eu_study_recommends_use_of_openbsd_for_its/) some (http://undeadly.org/cgi?action=article&sid=20150427093546) discussion (https://news.ycombinator.com/item?id=9445831), particularly about corporations giving back to the BSDs that they make use of in their infrastructure - something we've discussed with Voxer (http://www.bsdnow.tv/episodes/2014_10_08-behind_the_masq) and M:Tier (http://www.bsdnow.tv/episodes/2015_04_22-business_as_usual) before
***

FreeBSD workflow with Git (https://lists.freebsd.org/pipermail/freebsd-current/2015-April/055551.html)
- If you're interested in contributing to FreeBSD, but aren't a big fan of SVN, they have a Github mirror too
- This mailing list post talks about interacting between (https://wiki.freebsd.org/GitWorkflow/GitSvn) the official source repository and the Git mirror
- This makes it easy to get pull requests merged into the official tree, and encourages more developers to get involved
***

Feedback/Questions
- Sean writes in (http://slexy.org/view/s2vjh3ogvG)
- Bryan writes in (http://slexy.org/view/s20GMcWvKE)
- Sean writes in (http://slexy.org/view/s21M1imT3d)
- Charles writes in (http://slexy.org/view/s25ScxQSwb)
***
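On this episode's PAE headline, the detail worth seeing in code is where the NX bit physically lives and why a legacy i386 page table has no room for it. This added example (not OpenBSD's pmap) encodes legacy 32-bit and PAE page-table entries using the architectural bit positions from Intel's manual (Present, R/W, U/S, and XD in bit 63 of a PAE entry), derives an entry from mmap(2)-style protection flags, and adds a small audit helper that counts pages which are both writable and executable. The protection-to-bits mapping is a simplification of what a real pmap does.

```c
/* Added example (not OpenBSD's pmap code): why i386 NX support needs PAE.
 * Legacy i386 entries are 32 bits: flags in bits 0-11, page frame number in
 * bits 12-31, nothing spare. PAE widens entries to 64 bits; bit 63 is the XD
 * (execute-disable) bit, honoured by the CPU once EFER.NXE is set. */
#include <stddef.h>
#include <stdint.h>
#include <sys/mman.h>   /* PROT_READ / PROT_WRITE / PROT_EXEC */

/* Flag bits common to both formats (architectural positions). */
#define PTE_P   ((uint64_t)1 << 0)   /* present */
#define PTE_RW  ((uint64_t)1 << 1)   /* writable */
#define PTE_US  ((uint64_t)1 << 2)   /* user accessible */
/* PAE only. */
#define PAE_NX        ((uint64_t)1 << 63)       /* execute-disable (XD) */
#define PAE_PFN_MASK  0x000ffffffffff000ULL     /* physical address bits 12-51 */

/* Legacy 32-bit entry for a user page. There is no bit to express "not
 * executable", so PROT_READ and PROT_READ|PROT_EXEC produce the same entry. */
uint32_t pte32_for(uint32_t paddr, int prot)
{
    uint32_t pte = (uint32_t)((paddr & 0xfffff000u) | PTE_P | PTE_US);
    if (prot & PROT_WRITE)
        pte |= (uint32_t)PTE_RW;
    return pte;
}

/* PAE 64-bit entry for a user page: XD is set whenever execute is not asked for. */
uint64_t pae_pte_for(uint64_t paddr, int prot)
{
    uint64_t pte = (paddr & PAE_PFN_MASK) | PTE_P | PTE_US;
    if (prot & PROT_WRITE)
        pte |= PTE_RW;
    if (!(prot & PROT_EXEC))
        pte |= PAE_NX;
    return pte;
}

/* What the MMU decides on an instruction fetch through each entry:
 * 1 = fetch allowed, 0 = page fault. The legacy format can only answer 1
 * for any present page, which is the gap the PAE change closes. */
int pte32_exec_allowed(uint32_t pte)
{
    return (pte & PTE_P) != 0;
}

int pae_exec_allowed(uint64_t pte)
{
    return (pte & PTE_P) != 0 && (pte & PAE_NX) == 0;
}

/* Page frame number carried by a PAE entry; shows that XD sits outside the
 * address bits and does not corrupt the mapping. */
uint64_t pae_pfn(uint64_t pte)
{
    return (pte & PAE_PFN_MASK) >> 12;
}

/* Audit helper: count present entries that are both writable and executable,
 * i.e. the pages a W^X policy says must not exist. */
size_t pae_count_wx(const uint64_t *ptes, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if ((ptes[i] & PTE_P) && (ptes[i] & PTE_RW) && !(ptes[i] & PAE_NX))
            bad++;
    return bad;
}
```

The asymmetry between `pte32_exec_allowed()` and `pae_exec_allowed()` is the whole story of the headline: before the change, an i386 userland data page was executable whether the kernel wanted it to be or not.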
86: Business as Usual
Coming up this time on the show, we'll be chatting with Antoine Jacoutot about how M:Tier uses BSD in their business. After that, we'll be discussing the different release models across the BSDs, and which style we like the most. As always, answers to your emails and all the latest news, on BSD Now - the place to B.. SD.

Headlines

Optimizing TLS for high bandwidth applications (https://people.freebsd.org/~rrs/asiabsd_2015_tls.pdf)
- Netflix has released a report on some of their recent activities, pushing lots of traffic through TLS on FreeBSD
- TLS has traditionally had too much overhead for the levels of bandwidth they're using, so this pdf outlines some of their strategy in optimizing it
- The sendfile() zero-copy path (which nginx uses) can't be used when the data has to be encrypted in userland, since the process never touches the bytes
- To get around this, Netflix is proposing to add TLS support to the FreeBSD kernel
- Having encrypted movie streams would be pretty neat
***

Crypto in unexpected places (https://www.marc.info/?l=openbsd-cvs&m=142944822223482&w=2)
- OpenBSD is somewhat known for its integrated cryptography, right down to strong randomness in every place you could imagine (process IDs, TCP initial sequence numbers, etc)
- One place you might not expect crypto to be used (or even needed) is in the "ping" utility, right? Well, think again
- David Gwynne recently committed (https://www.marc.info/?l=openbsd-cvs&m=142944754923359&w=2) a change that adds a MAC (https://en.wikipedia.org/wiki/Message_authentication_code) to the ping timestamp payload
- By default, it'll be filled with a ChaCha stream instead of an unvarying payload, and David says "this lets us have some confidence that the timestamp hasn't been damaged or tampered with in transit"
- Not only is this a security feature, but it should also help detect dodgy or malfunctioning network equipment going forward
- Maybe we can look forward to a cryptographically secure "echo" command next...
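The ping item above is about a keyed MAC over the timestamp, so that an echo reply that was damaged or forged in transit fails to verify. As an added example, not OpenBSD's ping.c, here is that mechanism end to end: SipHash-2-4 (the keyed short-input PRF the 5.7 release notes mention in another context) as the MAC, a constructed 16-byte payload layout of timestamp followed by tag, and the verifier. The page does not say which MAC ping uses; SipHash is chosen here because it fits in a few dozen lines and has published test vectors that the code can be checked against. The key is generated per ping process in real code (arc4random_buf(3) on OpenBSD); the example takes it as an argument.

```c
/* Added example (not OpenBSD's ping.c): a keyed MAC over a ping timestamp
 * payload, with SipHash-2-4 as the MAC. Payload layout (ours):
 *   bytes 0..7   timestamp, little-endian
 *   bytes 8..15  SipHash-2-4(key, timestamp) */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint64_t rotl64(uint64_t x, int b) { return (x << b) | (x >> (64 - b)); }

static uint64_t le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static void put_le64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

#define SIPROUND(v0, v1, v2, v3)                                        \
    do {                                                                \
        v0 += v1; v1 = rotl64(v1, 13); v1 ^= v0; v0 = rotl64(v0, 32);   \
        v2 += v3; v3 = rotl64(v3, 16); v3 ^= v2;                        \
        v0 += v3; v3 = rotl64(v3, 21); v3 ^= v0;                        \
        v2 += v1; v1 = rotl64(v1, 17); v1 ^= v2; v2 = rotl64(v2, 32);   \
    } while (0)

/* SipHash-2-4: 128-bit key, 64-bit tag (Aumasson & Bernstein). */
uint64_t siphash24(const uint8_t key[16], const uint8_t *m, size_t len)
{
    uint64_t k0 = le64(key), k1 = le64(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0;
    uint64_t v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0;
    uint64_t v3 = 0x7465646279746573ULL ^ k1;
    const uint8_t *end = m + (len & ~(size_t)7);
    for (; m != end; m += 8) {
        uint64_t w = le64(m);
        v3 ^= w; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= w;
    }
    /* final block: leftover bytes, with the message length in the top byte */
    uint64_t b = (uint64_t)len << 56;
    for (size_t i = 0; i < (len & 7); i++)
        b |= (uint64_t)m[i] << (8 * i);
    v3 ^= b; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= b;
    v2 ^= 0xff;
    SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3);
    SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3);
    return v0 ^ v1 ^ v2 ^ v3;
}

#define PAYLOAD_LEN 16

/* Sender side: timestamp || tag. */
void payload_build(const uint8_t key[16], uint64_t ts_ns, uint8_t out[PAYLOAD_LEN])
{
    put_le64(out, ts_ns);
    put_le64(out + 8, siphash24(key, out, 8));
}

/* Receiver side: recompute the tag over the received timestamp and compare it
 * in constant time. Returns 1 and stores the timestamp if genuine, 0 if the
 * timestamp or tag was damaged or produced without the key. */
int payload_verify(const uint8_t key[16], const uint8_t in[PAYLOAD_LEN], uint64_t *ts_ns)
{
    uint8_t expect[8];
    put_le64(expect, siphash24(key, in, 8));
    uint8_t diff = 0;
    for (int i = 0; i < 8; i++)
        diff |= (uint8_t)(expect[i] ^ in[8 + i]);
    if (diff != 0)
        return 0;
    *ts_ns = le64(in);
    return 1;
}
```

Because sender and receiver are the same ping process, the key never leaves it; anything that flips a bit of the timestamp on the wire, or replies with a timestamp of its own choosing, produces a tag mismatch rather than a plausible-looking round-trip time.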
***

Broadwell in DragonFly (http://www.dragonflybsd.org/docs/newhandbook/docs/newhandbook/BroadwellBoxes/)
- The DragonFlyBSD guys have started a new page on their wiki to discuss Broadwell hardware and its current status
- Matt Dillon, the project lead, recently bought some hardware with this chipset, and lays out what works and what doesn't
- The two main show-stoppers right now are the graphics and wireless, but they have someone who's already making progress with the GPU support
- Wireless support will likely have to wait until FreeBSD gets it, then they'll port it back over
- None of the BSDs currently have full Broadwell support, so stay tuned for further updates
***

DIY NAS software roundup (http://blog.brianmoses.net/2015/04/diy-nas-software-roundup.html)
- In this blog post, the author compares a few different software solutions for a network attached storage device
- He puts FreeNAS, one of our favorites, up against a number of opponents - both BSD and Linux-based
- NAS4Free gets an honorable mention as well, particularly for its lower hardware requirements and sleek interface
- If you've been thinking about putting together a NAS, but aren't quite comfortable enough to set it up by yourself yet, this article should give you a good view of the current big names
- Some competition is always good, gotta keep those guys on their toes
***

Interview - Antoine Jacoutot - ajacoutot@openbsd.org (mailto:ajacoutot@openbsd.org) / @ajacoutot (https://twitter.com/ajacoutot)
OpenBSD at M:Tier (http://www.mtier.org/about-us/), business adoption of BSD, various topics

News Roundup

OpenBSD on DigitalOcean (http://www.tubsta.com/2015/04/openbsd-on-digital-ocean/)
- When DigitalOcean rolled out initial support for FreeBSD, it was a great step in the right direction - we hoped that all the other BSDs would soon follow
- This is not yet the case, but a blog article here has details on how you can install OpenBSD (and likely the others too) on your VPS
- Using a -current snapshot and some swapfile trickery, it's possible to image an OpenBSD ramdisk installer onto an unmounted portion of the virtual disk
- After doing so, you just boot from their web UI-based console and can perform a standard installation
- You will have to pay special attention to some details of the disk layout, but this article takes you through the entire process step by step
***

Initial ARM64 support lands in FreeBSD (https://svnweb.freebsd.org/base?view=revision&revision=281494)
- The ARM64 architecture, sometimes called ARMv8 or AArch64 (https://wiki.freebsd.org/arm64), is a new generation of CPUs that will mostly be in embedded devices
- FreeBSD has just gotten support for this platform in the -CURRENT branch
- Previously, it was only the beginnings of the kernel and enough bits to boot in QEMU - now a full build (https://lists.freebsd.org/pipermail/freebsd-testing/2015-April/000918.html) is possible
- Work should now start happening in the main source code tree, and hopefully they'll have full support in a branch soon
***

Scripting with least privilege (http://shill.seas.harvard.edu/)
- A new scripting language with a focus on privilege separation and running with only what's absolutely needed has been popular in the headlines lately
- Shell scripts are used everywhere today: startup scripts, orchestration scripts for mass deployment, configuring and compiling software, etc.
- Shill aims to answer the questions "how do we limit the authority of scripts" and "how do we determine what authority is necessary" by including a declarative security policy that's checked and enforced by the language runtime
- If used on FreeBSD, Shill will use Capsicum for sandboxing
- You can find some more of the technical information in their documentation pdf (http://shill.seas.harvard.edu/shill-osdi-2014.pdf) or watch their USENIX presentation (https://2459d6dc103cb5933875-c0245c5c937c5dedcca3f1764ecc9b2f.ssl.cf2.rackcdn.com/osdi14/moore.mp4) video
- Hacker News also had some discussion (https://news.ycombinator.com/item?id=9328277) on the topic
***

OpenBSD first impressions (http://blog.greduan.com/2015-04-19-mstobfi.html)
- A brand new BSD user has started documenting his experience through a series of blog posts
- Formerly a Linux guy, he's tried out FreeBSD and OpenBSD so far, and is currently working on an OpenBSD desktop
- The first post goes into why he chose BSD at all, why he's switching away from Linux, how the initial transition has been, what you'll need to relearn and what he's got planned going forward
- He's only been using OpenBSD for a few days as of the time this was written - we don't usually get to hear from people this early on in their BSD journey, so it offers a unique perspective
***

PCBSD and 4K oh my! (http://blog.pcbsd.org/2015/04/pc-bsd-and-4k-oh-my/)
- Yesterday, Kris got ahold of some 4K monitor hardware to test PC-BSD out
- The short of it - it works great!
- Minor tweaks are being made to some of the PC-BSD defaults to better accommodate 4K out of the box
- This particular model monitor ships with DisplayPort set to 1.1 mode only; switching it to 1.2 mode enables 60Hz properly
***

Feedback/Questions
- Darin writes in (http://slexy.org/view/s21kFuvAFs)
- Mitch writes in (http://slexy.org/view/s2nf4o9p4E)
***

Discussion
Comparison of BSD release cycles: FreeBSD (https://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/introduction.html#idp55486416), OpenBSD (http://www.openbsd.org/faq/faq5.html#Flavors), NetBSD (https://www.netbsd.org/releases/release-map.html) and DragonFlyBSD (https://www.dragonflybsd.org/releases/)
***