Podcasts about acpi

OpenBSD 7.7, ZFS Orchestration Tools – Part 2: Replication, Switching customers from Linux to BSD because boring is good, Graphed and measured: running TCP input in parallel, Introducing an OpenBSD LLDP daemon, Hardware discovery: ACPI & Device Tree, The 2025 FreeBSD Community Survey is Here, and more NOTES This episode of BSDNow is brought to you by Tarsnap (https://www.tarsnap.com/bsdnow) and the BSDNow Patreon (https://www.patreon.com/bsdnow) Headlines OpenBSD 7.7 (https://OpenBSD.org/77.html) ZFS Orchestration Tools – Part 2: Replication (https://klarasystems.com/articles/zfs-orchestration-tools-part-2-replication/?utm_source=BSD%20Now&utm_medium=Podcast) News Roundup Switching customers from Linux to BSD because boring is good (https://www.theregister.com/2024/10/08/switching_from_linux_to_bsd/) Graphed and measured: running TCP input in parallel (http://undeadly.org/cgi?action=article;sid=20250418114827) Introducing an OpenBSD LLDP daemon (http://undeadly.org/cgi?action=article;sid=20250425082010) Hardware discovery: ACPI & Device Tree (https://blogsystem5.substack.com/p/hardware-autoconfiguration) The 2025 FreeBSD Community Survey is Here (https://freebsdfoundation.org/blog/the-2025-freebsd-community-survey-is-here/) Tarsnap This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. Feedback/Questions Brad - new users (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/610/feedback/brad%20-%20new%20users.md) Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv) Join us and other BSD Fans in our BSD Now Telegram channel (https://t.me/bsdnow)

Through jubilant wins and gut punching losses, the pharmacists of New York never give up. Listen in as PUTTcast host Lauren Young digs into the upcoming positive changes under New York's new Medicaid carve out, and PSSNY's inexhaustible fight to get it across the finish line.   Special Guests: Heather Ferrarese, President, Pharmacists Society of the State of New York Steve Moore, Owner, Condo Pharmacy, Past President, Pharmacists Society of the State of New York Greg Reybold, Director of Healthcare Policy & General Counsel, ACPI

Through jubilant wins and gut punching losses, the pharmacists of New York never give up. Listen in as PUTTcast host Lauren Young digs into the upcoming positive changes under New York's new Medicaid carve out, and PSSNY's inexhaustible fight to get it across the finish line.   Special Guests: Heather Ferrarese, President, Pharmacists Society of the State of New York Steve Moore, Owner, Condo Pharmacy, Past President, Pharmacists Society of the State of New York Greg Reybold, Director of Healthcare Policy & General Counsel, ACPI

Rynek PC jest spadkobiercą 40 lat rozwoju który bardzo silnie związał użytkowników z “oprogramowaniem układowym”, którego nie sposób się pozbyć. Od BIOS po UEFI na binarnych fragmentach FW urządzeń peryferyjnych skończywszy, zawsze gdzieś w systemie czyha potencjalny cichy intruz.Nasuwają się więc pytania: “Czy jesteśmy skazani na Firmware”? Czy producenci sprzętu tworzą tajną lożę i chcą zawładnąć światem poprzez szpiegowanie nieświadomych użytkowników? W czyim interesie jest zaszywanie w krzemie instrukcji procesora weryfikujących podpis cyfrowy oprogramowania? Na te i podobne pytania postaramy się odpowiedzieć w tym odcinku podcastu Poziom Niżej.Prowadzący: Radosław Biernacki, Marcin Wojtas, Jan DąbrośHashtag: acpi, bios, coreboot, firmware, secureboot, uefi### Plan odcinka# 00:00 - Wprowadzenie# 04:56 - Czym jest firmware# 10:33 - Trochę historii - BIOS# 17:43 - Czas obecny - UEFI# 22:50 - EDK2# 28:30 - CSM - czyli UEFI potrafi w BIOS# 29:50 - Coreboot - KISS# 31:05 - Libreboot# 33:30 - Bootloader, czyli co następuje po…# 35:45 - RaspberryPi jako beneficjent otwartego firmware# 38:35 - Bootrom - czyli jak uruchamiają się nowoczesne procesory# 42:40 - Detale wczesnych etapów uruchomienia systemu# 45:40 - Microcode# 48:00 - Inicjalizacja (trening) RAM# 52:12 - Bootloader# 56:40 - Skąd firmware bierze sterowniki? (OptionROM)# 1:01:30 - Jak ładowany i uruchamiany jest kod kernela?# 1:03:18 - Dlaczego kelnerowi potrzebny jest opis sprzętu i środowiska?# 1:05:28 - Jak dokonywane są aktualizacje firmware?# 1:09:55 - ACPI# 1:17:25 - DeviceTree i “sprawa ARM”# 1:21:32 - System Management BIOS (SMBIOS)# 1:23:10 - Bezpieczeństwo, zaufanie i prywatność# 1:26:10 - SecureBoot i VerifiedBoot# 1:31:45 - TPM# 1:35:50 - Podsumowanie# 1:39:25 - Bonus ### Linki do materiałów dodatkowych:# 22:55 - Specyfikacja UEFI - https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf# 23:19 - Repozytorium EDK2 - https://github.com/tianocore/edk2# 27:07 - Implementacja "UEFI runtime services" w u-boot - https://source.denx.de/u-boot/u-boot/-/blob/master/lib/efi_loader/efi_runtime.c# 30:18 - Repozytorium i strona główna coreboot - https://review.coreboot.org/plugins/gitiles/coreboot/+/refs/heads/master, https://www.coreboot.org/# 31:13 - Strona główna libreboot - https://libreboot.org/# 31:35 - Repozytorium FSP - https://github.com/intel/FSP# 33:14 - Repozytorium oreboot - https://github.com/oreboot/oreboot# 35:15 - Strona główna i repozytorium LinuxBoot - https://www.linuxboot.org/, https://github.com/linuxboot/linuxboot# 44:05 - IME - https://en.wikipedia.org/wiki/Intel_Management_Engine# 49:17 - Więcej o SPD(Serial Presence Detect) - https://en.wikipedia.org/wiki/Serial_presence_detect# 59:16 - 1:01:30 - Sterownik do uruchamiania instrukcji x86 na AArch64 https://github.com/ardbiesheuvel/X86EmulatorPkg# 1:04:23 - Opis "runtime services" w specyfikacji UEFI: https://uefi.org/sites/default/files/resources/UEFI_Spec_2_9_2021_03_18.pdf#page=308# 1:05:06 - Opis "EFI system table": https://uefi.org/sites/default/files/resources/UEFI_Spec_2_9_2021_03_18.pdf#page=168# 1:11:46 - link do kernel.org i arch/arm/mach*: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm?h=master# 1:14:30 - Specyfikacja ACPI i główne koncepty: https://uefi.org/specs/ACPI/6.4/index.html + https://uefi.org/specs/ACPI/6.4/03_ACPI_Concepts/ACPI_Concepts.html#acpi-concepts# 1:15:20 - Specyfikacja AML: https://uefi.org/specs/ACPI/6.4/20_AML_Specification/AML_Specification.html# 1:21:40 - Specyfikacja SMBIOS - https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.6.0.pdf# 1:29:50 - Podcast Poziom Niżej #006 - "Bezpieczeństwo w krzemie zaklęte" - https://www.youtube.com/watch?v=kqaeyaH8jFs# 1:31:45 - Wpis dotyczący ataku na komunikacją SPI pomiędzy CPU a TPM - https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network

Aspire-ing to use 13 year hardware Dual boot image = /boot/vmlinuz root = /dev/sda3 label = Slackware15.0 read-only image = /boot/vmlinuz root = /dev/sda2 label = Slackware14.2 read-only First change # LILO configuration file # Append any additional kernel parameters: append="acpi=ht" Dropped CPU usage to 50% Second change grep . -r /sys/firmware/acpi/interrupts/ /sys/firmware/acpi/interrupts/gpe1D:322734808 STS enabled unmasked echo "mask" > /sys/firmware/acpi/interrupts/gpeXX Interrupts Interrupts My case was echo "mask" > /sys/firmware/acpi/interrupts/gpe1D Dropped usage to 0-5% Then added the mask to crontab -e under root Add 'acpi_mask_gpe=0x1D' or whatever interrupt corresponds to the overactive one, and remember to run the lilo command afterward to make the kernel option active. Htop options for CPU usage Click the thumbnail to see the full-sized image Htop display Upgrades Fan from AliExpress https://www.aliexpress.com/item/32861732299.html Replacement fan Click the thumbnail to see the full-sized image 2GB DDR2 667MHz SODIMM PC2-5300 https://www.amazon.com/gp/product/B00C53A37K 2Gb ram upgrade Click the thumbnail to see the full-sized image Resources https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/kernel_administration_guide/listing_of_kernel_parameters_and_values acpi=ht https://www.kernel.org/doc/ols/2005/ols2005v1-pages-59-76.pdf Use ACPI boot table parsing, but do not enable ACPI interpreter This disables any ACPI functionality that is not required for Hyper Threading. ACPI (Advanced Configuration and Power Interface) is an open industry specification establishing industry-standard interfaces for OS-directed configuration and power management on laptops, desktops, and servers. HPR3511 Podman like Vagrant https://archive.org/details/hpr3511

This is the audio from RQM+ Live! #52, recorded 7 April, 2022. During our previous show on this topic we were flooded with questions from viewers (which we love!) and couldn't answer them all, so we're back for a sequel. Generating evidence of biocompatibility continues to be a significant challenge to regulatory submission success and product-to-market timelines. And global requirements and interpretations continue to evolve, further increasing the challenge. Rollover questions we'll kick the discussion off with: Have you had any unique or unexpected feedback from notified bodies or FDA? Have you seen misinterpretations by the regulators? What is the difference between Physical and/or chemical information vs chemical characterization? For reusable devices, has there been any requests for "biocompatibility over the lifetime" per ISO 10993-1:2018, and if so, how is this typically handled? Is it necessary to have a toxicologist expert interpreting chemical characterization data? What do you do if you have a large number of unknowns in chemical characterization? How do you use exemptions for intact skin devices made of common materials (U.S.)? The panel of subject matter experts, including former FDA CDRH and BSI leaders: Jaishankar (Jai) Kutty, Ph.D. - VP, Intelligence & Innovation Kevin Go, RAC - Project Engineer (former FDA CDRH Lead Reviewer) Lucie Dalet, Ph.D. - Senior Regulatory Specialist Questions: 2:28 -- Have you had any unique or unexpected feedback from notified bodies or the FDA? Have you seen any misinterpretations? 9:26 -- Does the FDA influx of new staff factor into the micromanaged questioning and more rigorous approach? 13:20 -- Are we seeing any delays because of laboratories being backed up? 16:50 -- Are there trends from the FDA on adopting biocompatibility testing? Is there an uptake for special 510(k) submissions? 18:02 -- Has anyone had FDA pushback on LCMS ionization mode justification ACPI vs. ESI? (more context added throughout question) 23:29 -- Has anyone had any experience with questions on biocompatibility over the lifetime? If the device is reusable, should the cleaning agents be incorporated in the testing as well? 26:57 -- What testing do you recommend to confirm that a suspected cleaning operation doesn't leave the part with significant contamination; e.g., cleaning off mold release or stainless-steel solder flux? 30:10 -- How are we advising our clients with legacy devices and their approach? 32:44 -- How do you use exemptions for intact skin devices made of common materials (U.S.)? 36:58 -- Differences between physical and/or chemical information vs. chemical characterization... what are your thoughts? 39:40 -- What do you do if you have a large number of unknowns in chemical characterization? 41:20 -- What about devices that are compatible with chemical characterization? 43:30 -- Do the manufacturers need to provide any evidence for their CrCo device whether the cancer and death cases reported in their PMS are not related to Cobalt content in the device? --- Send in a voice message: https://anchor.fm/deviceadvice/message

kvalitetsdatorer.se https://www.kvalitetsdatorer.se/se/ The company where I bought my refurbished Thinkpad T530 inxi -Bxxx Command to get full information about all batteries in the system. Even on devices connected to the computer, as my Sansa Clip+ f.ex. Thinkpad X230 battery patch https://bystram.be/posts/thinkpad-x230-battery-ec-patch/ batteriexperten.se https://www.batteriexperten.com/sv/ tpacpi-bat A Perl script with ACPI calls for recent ThinkPads (such as T420 and W520) whose battery thresholds are not supported by tp_smapi

Yabba Dabba Distro! Run every major distribution on one native host. How we hijacked a Fedora install and turned it into the ultimate meta Linux box. Plus Valve and AMD team up to improve Linux performance and the duct-tape solution holding our server together. Special Guests: Brent Gervais and paradigm.

My terminal journey, part 02. Becoming terminal friendly. series: Apt Spelunking. tags: terminal, apt-get, apt-cache, apt-mark, dpkg Discovering the packages; vertical lists. apt package manager First Command: sudo apt list --upgradeable Command Breakdown: sudo is root privileges (to become admin for a single command). apt is the Command Name. list to display a list of packages satisfying certain criteria. --upgradeable the criteria Command Standard Output: (abridged) Listing... alsa-ucm-conf/focal-updates,focal-updates 1.2.2-1ubuntu0.7 all [upgradable from: 1.2.2-1ubuntu0.6] alsa-utils/focal-updates 1.2.2-1ubuntu2.1 amd64 [upgradable from: 1.2.2-1ubuntu2] bluetooth/focal-updates,focal-updates 5.53-0ubuntu3.1 all [upgradable from: 5.53-0ubuntu3] gir1.2-webkit2-4.0/focal-updates,focal-security 2.32.0-0ubuntu0.20.04.1 amd64 [upgradable from: 2.30.6-0ubuntu0.20.04.1] google-chrome-stable/stable 90.0.4430.212-1 amd64 [upgradable from: 90.0.4430.93-1] iio-sensor-proxy/focal-updates 2.8-1ubuntu1 amd64 [upgradable from: 2.8-1] qemu-system-x86/focal-updates 1:4.2-3ubuntu6.16 amd64 [upgradable from: 1:4.2-3ubuntu6.15] qemu-utils/focal-updates 1:4.2-3ubuntu6.16 amd64 [upgradable from: 1:4.2-3ubuntu6.15] samba-common-bin/focal-updates,focal-security 2:4.11.6+dfsg-0ubuntu1.8 amd64 [upgradable from: 2:4.11.6+dfsg-0ubuntu1.6] Discovering the packages; horizontal list. apt-get package manager Second Command: sudo apt-get -u upgrade --assume-no Command Breakdown: sudo is root privileges (to become admin for a single command). apt-get is the Command Name. -u or --show-upgraded list of packages that are to be upgraded; must be used with upgrade. upgrade is used to install the newest versions of all packages currently installed. --assume-no Automatically answers "No" when the command asks, “Do you want to continue? [Y/n]”. (Do you want to upgrade at this moment? No. You get it). Note: Linux Mint 20 manpage for apt-get does not include the -u option or description. -u, --show-upgraded Show upgraded packages. Print out a list of all packages that are to be upgraded. Command Standard Output: Reading package lists... Building dependency tree... Reading state information... Calculating upgrade... The following packages were automatically installed and are no longer required: libllvm10 libllvm10:i386 libnvidia-common-450 libnvidia-compute-455:i386 libnvidia-decode-455:i386 libnvidia-encode-455:i386 libnvidia-fbc1-455:i386 libnvidia-gl-455:i386 libnvidia-ifr1-455:i386 nvidia-kernel-common-455 nvidia-kernel-source-455 nvidia-utils-455 xserver-xorg-video-nvidia-455 Use 'sudo apt autoremove' to remove them. The following packages have been kept back: libnvidia-common-450 libnvidia-common-460 linux-generic linux-headers-generic linux-image-generic The following packages will be upgraded: alsa-ucm-conf alsa-utils bluetooth bluez bluez-cups bluez-obexd firefox firefox-locale-en flatpak gir1.2-flatpak-1.0 gir1.2-javascriptcoregtk-4.0 gir1.2-webkit2-4.0 google-chrome-stable iio-sensor-proxy libasound2 libasound2-data libatopology2 libbluetooth3 libexiv2-27 libflatpak0 libjavascriptcoregtk-4.0-18 liblightdm-gobject-1-0 libmysqlclient21 libnetplan0 libsmbclient libvirt-clients libvirt-daemon libvirt-daemon-driver-qemu libvirt-daemon-driver-storage-rbd libvirt-daemon-system libvirt-daemon-system-systemd libvirt0 libwacom-bin libwacom-common libwacom2 libwbclient0 libwebkit2gtk-4.0-37 libxmlb1 lightdm linux-firmware linux-libc-dev netplan.io openvpn python3-apport python3-problem-report python3-samba python3-yaml qemu-block-extra qemu-kvm qemu-system-common qemu-system-data qemu-system-gui qemu-system-x86 qemu-utils samba-common samba-common-bin samba-libs smbclient thermald xul-ext-lightning 60 upgraded, 0 newly installed, 0 to remove and 5 not upgraded. Need to get 295 MB of archives. After this operation, 4,023 kB of additional disk space will be used. Do you want to continue? [Y/n] N Abort. Discovering the packages; colums & rows. dpkg-query Third Command: dpkg-query -l Command Breakdown: dpkg-query is the Command Name. -l or --list list all installed packages on your system. Fourth Command: dpkg-query -L add-apt-key Command Breakdown: dpkg-query is the Command Name. -L or --listfiles list specific package, add-apt-key in this example, installed on your system. Command Standard Output: (abridged) dpkg-query -l all installed packages. Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-=================================================-=====================================-============-====================================================================================================== ii accountsservice 0.6.55-0ubuntu12~20.04.4 amd64 query and manipulate user account information ii acl 2.2.53-6 amd64 access control list - utilities ii acpi-support 0.143 amd64 scripts for handling many ACPI events ii acpid 1:2.0.32-1ubuntu1 amd64 Advanced Configuration and Power Interface event daemon ii add-apt-key 1.0-0.5 all Command line tool to add GPG keys to the APT keyring ii adduser 3.118ubuntu2 all add and remove users and groups ii adwaita-icon-theme 3.36.1-2ubuntu0.20.04.2 all default icon theme of GNOME (small subset) ii adwaita-icon-theme-full 3.36.1-2ubuntu0.20.04.2 all default icon theme of GNOME dpkg-query -L add-apt-key single package. /. /usr /usr/share /usr/share/doc /usr/share/doc/add-apt-key /usr/share/doc/add-apt-key/README /usr/share/doc/add-apt-key/AUTHORS /usr/share/doc/add-apt-key/README.Debian /usr/share/doc/add-apt-key/copyright /usr/share/doc/add-apt-key/changelog.Debian.gz /usr/share/man /usr/share/man/man8 /usr/share/man/man8/add-apt-key.8.gz /usr/sbin /usr/sbin/add-apt-key /etc /etc/default /etc/default/add-apt-key Marking the packages; hold. apt-mark Fifth & Sixth Commands: sudo apt-mark hold google-chrome-stable; sudo apt-mark showhold Command Breakdown: sudo is root privileges (to become admin for a single command). apt-mark is the Command Name. hold will prevent the package from being automatically installed, upgraded or removed. google-chrome-stable is the package effected by hold. ; is the end of a command; command seperation. sudo is root privileges (to become admin for a single command). apt-mark is the Command Name. showhold will print a list of packages effected by hold. Command Standard Output: (abridged) google-chrome-stable set on hold. Marking the packages; unhold. apt-mark Seventh Command: sudo apt-mark unhold google-chrome-stable Command Breakdown: sudo is root privileges (to become admin for a single command). apt-mark is the Command Name. unhold will remove hold, allowing the package to be automatically installed, upgraded or removed. google-chrome-stable is the package once effected by hold; no longer due to unhold. Note: showhold will now print blank/nothing because packages are no longer effected by hold. Exporting Manpage to text file. Bonus Command: it's a big one. touch apt-get01.txt; date > ~/Documents/apt-get01.txt; echo -e "n" >> ~/Documents/apt-get01.txt; apt-get --version >> ~/Documents/apt-get01.txt; echo -e "nnapt-get --helpnn" >> ~/Documents/apt-get01.txt; apt-get --help >> ~/Documents/apt-get01.txt; echo -e "nnman apt-getnn" >> ~/Documents/apt-get01.txt; man apt-get >> ~/Documents/apt-get01.txt; echo -e "nnCompleted."; Command Breakdown: touch apt-get01.txt; this command will create the "apt-get01.txt" file. date > ~/Documents/apt-get01.txt; this command stores the date and time with the "apt-get01.txt" file. echo -e "n" >> ~/Documents/apt-get01.txt; this command gives us a blank line or new line within the "apt-get01.txt" file. apt-get --version >> ~/Documents/apt-get01.txt; this command adds the version of apt-get we have installed to the "apt-get01.txt" file. echo -e "nnapt-get --helpnn" >> ~/Documents/apt-get01.txt; this command adds to new lines or blank lines to the file then, adds the label "apt-get -- help" to the "apt-get01.txt" file. apt-get --help >> ~/Documents/apt-get01.txt; this command adds the standard output of apt-get --help to the "apt-get01.txt" file. echo -e "nnman apt-getnn" >> ~/Documents/apt-get01.txt; intentionally left blank. man apt-get >> ~/Documents/apt-get01.txt; intentionally left blank. echo -e "nnCompleted."; intentionally left blank. NATO Phonetic Alphabet The NATO phonetic alphabet is a Spelling Alphabet; a set of words used instead of letters in oral communication (i.e. over the phone or military radio). Each word ("code word") stands for its initial letter (alphabetical "symbol"). The 26 code words in the NATO phonetic alphabet are assigned to the 26 letters of the English alphabet in alphabetical order as follows: Symbol, Code Word, Morse Code, Phonic. (pronunciation) A, Alfa/Alpha, AL FAH. B, Bravo, BRAH VOH. C, Charlie, CHAR LEE. D, Delta, DELL TAH. E, Echo, ECK OH. F, Foxtrot, FOKS TROT. G, Golf, GOLF. H, Hotel, HOH TELL. I, India, IN DEE AH. J, Juliett, JEW LEE ETT. K, Kilo, KEY LOH. L, Lima, LEE MAH. M, Mike, MIKE. N, November, NO VEMBER. O, Oscar, OSS CAH. P, Papa, PAH PAH. Q, Quebec, KEH BECK. R, Romeo, ROW ME OH. S, Sierra, SEE AIRRAH. T, Tango, TANG OH. U, Uniform, YOU NEE FORM. V, Victor, VIK TAH. W, Whiskey, WISS KEY. X, X-ray, ECKS RAY. Y, Yankee, YANG KEY. Z, Zulu, ZOO LOO. Hacker Public Radio Correspondent: Some Guy On The Internet. Host ID: 391 E-mail: Lyunpaw@gmail.com use hpr391 as the subject for all emails. If not, junk filter. license: Creative Commons Attribution-ShareAlike 4.0 International Shows: In GNU/Linux, there is no "diversity", we're all just data. ogg: http://hackerpublicradio.org/local/hpr3272.ogg spx: http://hackerpublicradio.org/local/hpr3272.spx mp3: http://hackerpublicradio.org/local/hpr3272.mp3 Embrace Firefox ogg: http://hackerpublicradio.org/local/hpr3273.ogg spx: http://hackerpublicradio.org/local/hpr3273.spx mp3: http://hackerpublicradio.org/local/hpr3273.mp3 HP Laptop with AMD Ryzen 3 Mobile with Radeon Graphics ogg: http://hackerpublicradio.org/local/hpr3282.ogg spx: http://hackerpublicradio.org/local/hpr3282.spx mp3: http://hackerpublicradio.org/local/hpr3282.mp3 Poisoning The Well ogg: http://hackerpublicradio.org/local/hpr3298.ogg spx: http://hackerpublicradio.org/local/hpr3298.spx mp3: http://hackerpublicradio.org/local/hpr3298.mp3 let's talk about Thunderbird ogg: http://hackerpublicradio.org/local/hpr3308.ogg spx: http://hackerpublicradio.org/local/hpr3308.spx mp3: http://hackerpublicradio.org/local/hpr3308.mp3 This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Special Purpose Acquisition Companies are known in the investment world as SPACs. These structures have taken the limelight in the world of fund raising in the past year, with over $81bn issuances in 2020. SPACs in fact made up for nearly half of the IPO market in the US last year.  We at Kopi Time can’t let such a major driver of capital market activity go unaddressed, so we reach out to an industry expert, Alok Oberoi. Alok has over three decades of experience with asset management, including senior roles at Goldman Sachs and ACPI.  We go through the ABC of SPACs (what, why, how big, players, sectors where there is activity, life cycle, history), along with their purpose, usefulness, and potential. Alok provides lucid explanations of the structure and operation of this mega growth activity, and is forthright is laying out that there are open questions about the performance and challenges of SPACs.   See omnystudio.com/listener for privacy information.

The boys are at it again! Join Buck, Ibba, and Jolly for the latest #TunayNaRider episode! On this episode, they are joined by Dino Santos, the COO of ACPI & President and CCO of KAMMI, and Ruel Maranan, President of the Ayala Foundation! Join the five of them on this very inspiring and jaw-dropping episode as the guest dropped a major bomb on the show. Tune-in to find out what. #TunayNaRider #PodcastNetworkAsia #Season02

The past, present and future of Linux on Arm. The major challenges still facing full Linux support, and why ServerReady might be a solution to unify Arm systems. Plus we chat with the Manjaro team about recent changes. Chapters: 0:00 Pre-Show 0:58 Intro 2:01 Terminal 2.0 in ChromeOS 4:41 Manjaro's Process Problems 13:49 Manjaro Sneak Peaks 15:41 Weekend Manjaro Journey 21:02 Housekeeping 22:09 ARM on Linux 24:01 The History of ARM 28:16 Single Board Computing Revolution 31:47 ARM Reaching into the Present 33:17 The Future of ARM 36:42 Not Everyone Loves ARM 43:01 Wants and What Ifs 48:30 App Pick: tuptime 49:48 App Pick: s-tui 50:21 Outro 51:36 Post-Show Special Guests: Brent Gervais, Dalton Durst, Drew DeVore, Jeremy Soller, Marius Gripsgard, Neal Gompa, and Philip Muller.

W siódmym odcinku rozmawiamy o błędach w układach krzemowych.Praca z producentami układów krzemowych daje niecodzienną możliwość zajrzenia za kulisy rewolucji naszych czasów tj miniaturyzacji układów cyfrowych. Osławione prawo Moore'a niesie ze sobą wykładniczy wzrost gęstości tranzystorów. Co za tym idzie z biegiem czasu układy stają się coraz bardziej skomplikowane a tym samym pomyłki stają się nieuniknione.W trzech krótkich historiach opowiadanych przez członków załogi Semihalf, staramy się przybliżyć wam ciekawe strony pracy z najnowszą technologią, często niosącą bardzo intensywne tygodnie “walki” na styku oprogramowania i sprzętu. Jeśli zastanawialiście się dlaczego aktualizacje firmware (np BIOSU) są konieczne oraz dlaczego procesory zaraz po premierze rynkowej czasami po prostu nie działają jak reklamuje producent, to ten odcinek powinien odpowiedzieć na wasze pytania.Prowadzący: Radosław Biernacki, Jan Dąbroś, Marcin Wojtas, Stanisław KardachHashtag: FPGA, VHDL, Ryzen, ARM, hardware, symulator, emulator, bug### Plan odcinka# 6:10 - Od czego zaczyna się projektowanie układów krzemowych# 7:30 - Testowanie i praca z SW - symulatory i emulatory# 9:20 - Dlaczego emulacja jest czasochłonna?# 11:50 - Narodziny krzemu - tapeout# 15:10 - Marcin - historia wdrożenia zarządzania energią w ARMv8# 23:30 - Janek - historia błędu przekierowania przerwań do Arm Trustzone# 30:40 - Staszek - historia błędu w procesorze sieciowym do zastosowań DataPlane# 34:10 - Staszek - historia błedu w ARMv8 w instrukcjach LDP/STP # 42:08 - Łatki w firmware# 48:47 - Quirki i upstream do kernela Linuxa# 1:01:00 - Podsumowanie, jak błędy w krzemie manifestują się u użytkowników### Linki# 6:20 - Fabless chip manufacturing - https://en.wikipedia.org/wiki/Fabless_manufacturing# 8:50 - Cadance Palladium - https://www.cadence.com/en_US/home/tools/system-design-and-verification/acceleration-and-emulation/palladium-z1.html# 12:45 - Tape-out - https://en.wikipedia.org/wiki/Tape-out# 18:00 - Poziomy uprzywilejowania (Exception levels) na ARMv8Prezentacja ARM Trusted Firmware (ale z fajnym opowiadaniem jak Exception Levels działają) https://www.slideshare.net/linaroorg/arm-trusted-firmareforarmv8alcu13Artykuł w magazynie "Programista" numer #63, 08/2017r. "Na granicy światów – technologia bezpieczeństwa ARM TrustZone"Dość szczegółowy opis technologii ARM TrustZone http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf# 18:35 - Power Management na ARMv8Całość problemu opisana w magazynie “Programista” numer #56, 01/2017r. “Zarządzanie energią w ARMv8”Opis przebiegu usypiania systemu podczas Suspend-To-Ram https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/power/suspend-and-cpuhotplug.rstOpis funkcji zwrotnych zarządzania energią w ARM Trusted Firmware https://github.com/scorp2kk/atf/blob/master/docs/platform-migration-guide.md#22-composite-power-state-framework-platform-api-modifications# 35:10 - Problem atomowości instrukcji LDP/STP:https://developer.arm.com/docs/ddi0487/latest/arm-architecture-reference-manual-armv8-for-armv8-a-architecture-profile - Arm Architecture Reference Manual, rozdział B2.2.1 Requirements for single-copy atomicityhttps://www.element14.com/community/servlet/JiveServlet/previewBody/41836-102-1-229511/ARM.Reference_Manual.pdf - ARMv8 Instruction Set Overview, rozdział 5.2 Memory Access# 51:30 - Upstream quirka do ECAM w ArmadzieDyskusja na listach mailingowych odnośnie możliwości odstępstw od generycznego działania PCIE na ARMv8 opisanego tablicami ACPI https://lkml.org/lkml/2016/9/20/391Opis Extended Configuration Space (ECAM) dla standardu PCIE https://wiki.osdev.org/PCI_Express#Extended_Configuration_SpaceObejście problemu niezgodności ze standardowym kontrolerem przy zastosowaniu sztuczki z tablicami ACPI https://github.com/tianocore/edk2-platforms/commit/a273cb49fe4f98f662bacb69cfd323722e0993a2#diff-e57f3ee89616dd138928c3655287b0d0Proste rozwiązanie problemu na poziomie sterownika w Linuksie - dozwolone tylko przy opisie poprzez Device Tree https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/pci/controller/pci-host-generic.c#n27

vBSDcon 2019 recap, Unix at 50, OpenBSD on fan-less Tuxedo InfinityBook, humungus - an hg server, how to configure a network dump in FreeBSD, and more. Headlines vBSDcon Recap Allan and Benedict attended vBSDcon 2019, which ended last week. It was held again at the Hyatt Regency Reston and the main conference was organized by Dan Langille of BSDCan fame.The two day conference was preceded by a one day FreeBSD hackathon, where FreeBSD developers had the chance to work on patches and PRs. In the evening, a reception was held to welcome attendees and give them a chance to chat and get to know each other over food and drinks. The first day of the conference was opened with a Keynote by Paul Vixie about DNS over HTTPS (DoH). He explained how we got to the current state and what challenges (technical and social) this entails. If you missed this talk and are dying to see it, it will also be presented at EuroBSDCon next week John Baldwin followed up by giving an overview of the work on “In-Kernel TLS Framing and Encryption for FreeBSD” abstract (https://www.vbsdcon.com/schedule/2019-09-06.html#talk:132615) and the recent commit we covered in episode 313. Meanwhile, Brian Callahan was giving a separate session in another room about “Learning to (Open)BSD through its porting system: an attendee-driven educational session” where people had the chance to learn about how to create ports for the BSDs. David Fullard’s talk about “Transitioning from FreeNAS to FreeBSD” was his first talk at a BSD conference and described how he built his own home NAS setup trying to replicate FreeNAS’ functionality on FreeBSD, and why he transitioned from using an appliance to using vanilla FreeBSD. Shawn Webb followed with his overview talk about the “State of the Hardened Union”. Benedict’s talk about “Replacing an Oracle Server with FreeBSD, OpenZFS, and PostgreSQL” was well received as people are interested in how we liberated ourselves from the clutches of Oracle without compromising functionality. Entertaining and educational at the same time, Michael W. Lucas talk about “Twenty Years in Jail: FreeBSD Jails, Then and Now” closed the first day. Lucas also had a table in the hallway with his various tech and non-tech books for sale. People formed small groups and went into town for dinner. Some returned later that night to some work in the hacker lounge or talk amongst fellow BSD enthusiasts. Colin Percival was the keynote speaker for the second day and had an in-depth look at “23 years of software side channel attacks”. Allan reprised his “ELI5: ZFS Caching” talk explaining how the ZFS adaptive replacement cache (ARC) work and how it can be tuned for various workloads. “By the numbers: ZFS Performance Results from Six Operating Systems and Their Derivatives” by Michael Dexter followed with his approach to benchmarking OpenZFS on various platforms. Conor Beh was also a new speaker to vBSDcon. His talk was about “FreeBSD at Work: Building Network and Storage Infrastructure with pfSense and FreeNAS”. Two OpenBSD talks closed the talk session: Kurt Mosiejczuk with “Care and Feeding of OpenBSD Porters” and Aaron Poffenberger with “Road Warrior Disaster Recovery: Secure, Synchronized, and Backed-up”. A dinner and reception was enjoyed by the attendees and gave more time to discuss the talks given and other things until late at night. We want to thank the vBSDcon organizers and especially Dan Langille for running such a great conference. We are grateful to Verisign as the main sponsor and The FreeBSD Foundation for sponsoring the tote bags. Thanks to all the speakers and attendees! humungus - an hg server (https://humungus.tedunangst.com/r/humungus) Features View changes, files, changesets, etc. Some syntax highlighting. Read only. Serves multiple repositories. Allows cloning via the obvious URL. Supports go get. Serves files for downloads. Online documentation via mandoc. Terminal based admin interface. News Roundup OpenBSD on fan-less Tuxedo InfinityBook 14″ v2. (https://hazardous.org/archive/blog/openbsd/2019/09/02/OpenBSD-on-Infinitybook14) The InfinityBook 14” v2 is a fanless 14” notebook. It is an excellent choice for running OpenBSD - but order it with the supported wireless card (see below.). I’ve set it up in a dual-boot configuration so that I can switch between Linux and OpenBSD - mainly to spot differences in the drivers. TUXEDO allows a variety of configurations through their webshop. The dual boot setup with grub2 and EFI boot will be covered in a separate blogpost. My tests were done with OpenBSD-current - which is as of writing flagged as 6.6-beta. See Article for breakdown of CPU, Wireless, Video, Webcam, Audio, ACPI, Battery, Touchpad, and MicroSD Card Reader Unix at 50: How the OS that powered smartphones started from failure (https://arstechnica.com/gadgets/2019/08/unix-at-50-it-starts-with-a-mainframe-a-gator-and-three-dedicated-researchers/) Maybe its pervasiveness has long obscured its origins. But Unix, the operating system that in one derivative or another powers nearly all smartphones sold worldwide, was born 50 years ago from the failure of an ambitious project that involved titans like Bell Labs, GE, and MIT. Largely the brainchild of a few programmers at Bell Labs, the unlikely story of Unix begins with a meeting on the top floor of an otherwise unremarkable annex at the sprawling Bell Labs complex in Murray Hill, New Jersey. It was a bright, cold Monday, the last day of March 1969, and the computer sciences department was hosting distinguished guests: Bill Baker, a Bell Labs vice president, and Ed David, the director of research. Baker was about to pull the plug on Multics (a condensed form of MULTiplexed Information and Computing Service), a software project that the computer sciences department had been working on for four years. Multics was two years overdue, way over budget, and functional only in the loosest possible understanding of the term. Trying to put the best spin possible on what was clearly an abject failure, Baker gave a speech in which he claimed that Bell Labs had accomplished everything it was trying to accomplish in Multics and that they no longer needed to work on the project. As Berk Tague, a staffer present at the meeting, later told Princeton University, “Like Vietnam, he declared victory and got out of Multics.” Within the department, this announcement was hardly unexpected. The programmers were acutely aware of the various issues with both the scope of the project and the computer they had been asked to build it for. Still, it was something to work on, and as long as Bell Labs was working on Multics, they would also have a $7 million mainframe computer to play around with in their spare time. Dennis Ritchie, one of the programmers working on Multics, later said they all felt some stake in the success of the project, even though they knew the odds of that success were exceedingly remote. Cancellation of Multics meant the end of the only project that the programmers in the Computer science department had to work on—and it also meant the loss of the only computer in the Computer science department. After the GE 645 mainframe was taken apart and hauled off, the computer science department’s resources were reduced to little more than office supplies and a few terminals. Some of Allan’s favourite excerpts: In the early '60s, Bill Ninke, a researcher in acoustics, had demonstrated a rudimentary graphical user interface with a DEC PDP-7 minicomputer. Acoustics still had that computer, but they weren’t using it and had stuck it somewhere out of the way up on the sixth floor. And so Thompson, an indefatigable explorer of the labs’ nooks and crannies, finally found that PDP-7 shortly after Davis and Baker cancelled Multics. With the rest of the team’s help, Thompson bundled up the various pieces of the PDP-7—a machine about the size of a refrigerator, not counting the terminal—moved it into a closet assigned to the acoustics department, and got it up and running. One way or another, they convinced acoustics to provide space for the computer and also to pay for the not infrequent repairs to it out of that department’s budget. McIlroy’s programmers suddenly had a computer, kind of. So during the summer of 1969, Thompson, Ritchie, and Canaday hashed out the basics of a file manager that would run on the PDP-7. This was no simple task. Batch computing—running programs one after the other—rarely required that a computer be able to permanently store information, and many mainframes did not have any permanent storage device (whether a tape or a hard disk) attached to them. But the time-sharing environment that these programmers had fallen in love with required attached storage. And with multiple users connected to the same computer at the same time, the file manager had to be written well enough to keep one user’s files from being written over another user’s. When a file was read, the output from that file had to be sent to the user that was opening it. It was a challenge that McIlroy’s team was willing to accept. They had seen the future of computing and wanted to explore it. They knew that Multics was a dead-end, but they had discovered the possibilities opened up by shared development, shared access, and real-time computing. Twenty years later, Ritchie characterized it for Princeton as such: “What we wanted to preserve was not just a good environment in which to do programming, but a system around which a fellowship could form.” Eventually when they had the file management system more or less fleshed out conceptually, it came time to actually write the code. The trio—all of whom had terrible handwriting—decided to use the Labs’ dictating service. One of them called up a lab extension and dictated the entire code base into a tape recorder. And thus, some unidentified clerical worker or workers soon had the unenviable task of trying to convert that into a typewritten document. Of course, it was done imperfectly. Among various errors, “inode” came back as “eye node,” but the output was still viewed as a decided improvement over their assorted scribbles. In August 1969, Thompson’s wife and son went on a three-week vacation to see her family out in Berkeley, and Thompson decided to spend that time writing an assembler, a file editor, and a kernel to manage the PDP-7 processor. This would turn the group’s file manager into a full-fledged operating system. He generously allocated himself one week for each task. Thompson finished his tasks more or less on schedule. And by September, the computer science department at Bell Labs had an operating system running on a PDP-7—and it wasn’t Multics. By the summer of 1970, the team had attached a tape drive to the PDP-7, and their blossoming OS also had a growing selection of tools for programmers (several of which persist down to this day). But despite the successes, Thompson, Canaday, and Ritchie were still being rebuffed by labs management in their efforts to get a brand-new computer. It wasn’t until late 1971 that the computer science department got a truly modern computer. The Unix team had developed several tools designed to automatically format text files for printing over the past year or so. They had done so to simplify the production of documentation for their pet project, but their tools had escaped and were being used by several researchers elsewhere on the top floor. At the same time, the legal department was prepared to spend a fortune on a mainframe program called “AstroText.” Catching wind of this, the Unix crew realized that they could, with only a little effort, upgrade the tools they had written for their own use into something that the legal department could use to prepare patent applications. The computer science department pitched lab management on the purchase of a DEC PDP-11 for document production purposes, and Max Mathews offered to pay for the machine out of the acoustics department budget. Finally, management gave in and purchased a computer for the Unix team to play with. Eventually, word leaked out about this operating system, and businesses and institutions with PDP-11s began contacting Bell Labs about their new operating system. The Labs made it available for free—requesting only the cost of postage and media from anyone who wanted a copy. The rest has quite literally made tech history. See the link for the rest of the article How to configure a network dump in FreeBSD? (https://www.oshogbo.vexillium.org/blog/68/) A network dump might be very useful for collecting kernel crash dumps from embedded machines and machines with a larger amount of RAM then available swap partition size. Besides net dumps we can also try to compress the core dump. However, often this may still not be enough swap to keep whole core dump. In such situation using network dump is a convenient and reliable way for collecting kernel dump. So, first, let’s talk a little bit about history. The first implementation of the network dumps was implemented around 2000 for the FreeBSD 4.x as a kernel module. The code was implemented in 2010 with the intention of being part of FreeBSD 9.0. However, the code never landed in FreeBSD. Finally, in 2018 with the commit r333283 by Mark Johnston the netdump client code landed in the FreeBSD. Subsequently, many other commitments were then implemented to add support for the different drivers (for example r333289). The first official release of FreeBSD, which support netdump is FreeBSD 12.0. Now, let’s get back to the main topic. How to configure the network dump? Two machines are needed. One machine is to collect core dump, let’s call it server. We will use the second one to send us the core dump - the client. See the link for the rest of the article Beastie Bits Sudo Mastery 2nd edition is not out (https://mwl.io/archives/4530) Empirical Notes on the Interaction Between Continuous Kernel Fuzzing and Development (http://users.utu.fi/kakrind/publications/19/vulnfuzz_camera.pdf) soso (https://github.com/ozkl/soso) GregKH - OpenBSD was right (https://youtu.be/gUqcMs0svNU?t=254) Game of Trees (https://gameoftrees.org/faq.html) Feedback/Questions BostJan - Another Question (http://dpaste.com/1ZPCCQY#wrap) Tom - PF (http://dpaste.com/3ZSCB8N#wrap) JohnnyK - Changing VT without keys (http://dpaste.com/3QZQ7Q5#wrap) Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv) Your browser does not support the HTML5 video tag.

NetBSD 9.0 release process has started, xargs, a tale of two spellcheckers, Adapting TriforceAFL for NetBSD, Exploiting a no-name freebsd kernel vulnerability, and more. Headlines NetBSD 9.0 release process has started (https://mail-index.netbsd.org/netbsd-announce/2019/07/31/msg000301.html) If you have been following source-changes, you may have noticed the creation of the netbsd-9 branch! It has some really exciting items that we worked on: + New AArch64 architecture support: + Symmetric and asymmetrical multiprocessing support (aka big.LITTLE) + Support for running 32-bit binaries + UEFI and ACPI support + Support for SBSA/SBBR (server-class) hardware. + The FDT-ization of many ARM boards: + the 32-bit GENERIC kernel lists 129 different DTS configurations + the 64-bit GENERIC64 kernel lists 74 different DTS configurations + All supported by a single kernel, without requiring per-board configuration. + Graphics driver update, matching Linux 4.4, adding support for up to Kaby Lake based Intel graphics devices. + ZFS has been updated to a modern version and seen many bugfixes. + New hardware-accelerated virtualization via NVMM. + NPF performance improvements and bug fixes. A new lookup algorithm, thmap, is now the default. + NVMe performance improvements + Optional kernel ASLR support, and partial kernel ASLR for the default configuration. + Kernel sanitizers: + KLEAK, detecting memory leaks + KASAN, detecting memory overruns + KUBSAN, detecting undefined behaviour + These have been used together with continuous fuzzing via the syzkaller project to find many bugs that were fixed. + The removal of outdated networking components such as ISDN and all of its drivers + The installer is now capable of performing GPT UEFI installations. + Dramatically improved support for userland sanitizers, as well as the option to build all of NetBSD's userland using them for bug-finding. + Update to graphics userland: Mesa was updated to 18.3.4, and llvmpipe is now available for several architectures, providing 3D graphics even in the absence of a supported GPU. We try to test NetBSD as best as we can, but your testing can help NetBSD 9.0 a great release. Please test it and let us know of any bugs you find. + Binaries are available at https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/ xargs wtf (https://medium.com/@aarontharris/xargs-wtf-34d2618286b7) xargs is probably one of the more difficult to understand of the unix command arsenal and of course that just means it’s one of the most useful too. I discovered a handy trick that I thought was worth a share. Please note there are probably other (better) ways to do this but I did my stackoverflow research and found nothing better. xargs — at least how I’ve most utilized it — is handy for taking some number of lines as input and doing some work per line. It’s hard to be more specific than that as it does so much else. It literally took me an hour of piecing together random man pages + tips from 11 year olds on stack overflow, but eventually I produced this gem: This is an example of how to find files matching a certain pattern and rename each of them. It sounds so trivial (and it is) but it demonstrates some cool tricks in an easy concept. News Roundup PkgSrc: A Tale of Two Spellcheckers (https://bentsukun.ch/posts/pkgsrccon-2019/) This is a transcript of the talk I gave at pkgsrcCon 2019 in Cambridge, UK. It is about spellcheckers, but there are much more general software engineering lessons that we can learn from this case study. The reason I got into this subject at all was my paternal leave last year, when I finally had some more time to spend working on pkgsrc. It was a tiny item in the enormous TODO file at the top of the source tree (“update enchant to version 2.2”) that made me go into this rabbit hole. Adapting TriforceAFL for NetBSD, Part 2 (https://blog.netbsd.org/tnf/entry/adapting_triforceafl_for_netbsd_part1) I have been working on adapting TriforceAFL for NetBSD kernel syscall fuzzing. This blog post summarizes the work done until the second evaluation. For work done during the first coding period, check out this post. Summary > So far, the TriforceNetBSDSyscallFuzzer has been made available in the form of a pkgsrc package with the ability to fuzz most of NetBSD syscalls. In the final coding period of GSoC. I plan to analyse the crashes that were found until now. Integrate sanitizers, try and find more bugs and finally wrap up neatly with detailed documentation. > Last but not least, I would like to thank my mentor, Kamil Rytarowski for helping me through the process and guiding me. It has been a wonderful learning experience so far! Exploiting a no-name freebsd kernel vulnerability (https://www.synacktiv.com/posts/exploit/exploiting-a-no-name-freebsd-kernel-vulnerability.html) A new patch has been recently shipped in FreeBSD kernels to fix a vulnerability (cve-2019-5602) present in the cdrom device. In this post, we will introduce the bug and discuss its exploitation on pre/post-SMEP FreeBSD revisions. > A closer look at the commit 6bcf6e3 shows that when invoking the CDIOCREADSUBCHANNEL_SYSSPACE ioctl, data are copied with bcopy instead of the copyout primitive. This endows a local attacker belonging to the operator group with an arbitrary write primitive in the kernel memory. [Allan and Benedicts Conference Gear Breakdown] Benedict’s Gear: GlocalMe G3 Mobile Travel HotSpot and Powerbank (https://www.glocalme.com/CA/en-US/cloudsim/g3) Mogics Power Bagel (http://www.mogics.com/3824-2) Charby Sense Power Cable (https://charbycharge.com/charby-sense-worlds-smartest-auto-cutoff-cable/) Allan’s Gear: Huawei E5770s-320 4G LTE 150 Mbps Mobile WiFi Pro (https://smile.amazon.com/gp/product/B013CEGGKI/) AOW Global Data SIM Card for On-Demand 4G LTE Mobile Data in Over 90 Countries (https://smile.amazon.com/dp/B071HJFX27/) All my devices charge from USB-C, so that is great More USB thumb drives than strictly necessary My Lenovo X270 laptop running FreeBSD 13-current My 2016 Macbook Pro (a prize from the raffle at vBSDCon 2017) that I use for email and video conferencing to preserve battery on my FreeBSD machine for work Beastie Bits Replacing the Unix tradition (Warning may be rage inducing) (https://www.youtube.com/watch?v=L9v4Mg8wi4U&feature=youtu.be) Installing OpenBSD over remote serial on the AtomicPI (https://www.thanassis.space/remoteserial.html#remoteserial) Zen 2 and DragonFly (https://www.dragonflydigest.com/2019/08/05/23294.html) Improve Docking on FreeBSD (https://blog.yukiisbo.red/posts/2019/05/improve-docking-on-freebsd/) Register for vBSDCon 2019, Sept 5-7 in Reston VA. Early bird ends August 15th. (https://vbsdcon.com/registration) Register for EuroBSDCon 2019, Sept 19-22 in Lillehammer, Norway (https://2019.eurobsdcon.org/registration/) Feedback/Questions JT - Congrats (http://dpaste.com/0D7Y31E#wrap) Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv) Your browser does not support the HTML5 video tag.

W piątym odcinku zastanowimy się jaka przyszłość stoi przed architekturą ARM. Przedstawiamy wam historię powstania firmy ARM Holdings, tłumaczymy dlaczego energooszczędność nigdy nie idzie w parze z wydajnością oraz dlaczego procesory ARM są wewnątrz bardzo podobne do procesorów Intel x86. Przy okazji wyjaśniamy dlaczego wydajność nie zależy od listy rozkazowej oraz dlaczego prawo Moore'a przestało obowiązywać. Główną osią odcinka jest jednak odwiecznie nurtujące nas pytanie: “Dlaczego architektura ARM nie gości (mimo wielkich wysiłków) na PC oraz na serwerach?”. Starając się odpowiedzieć na to pytanie dryfujemy w różnych kierunkach, od standaryzacji po globalną politykę na styku USA i Chin. Odcinek kończymy nieco żartobliwą dyskusją na temat RISC-V oraz odnosimy się do komentarza Linusa Torvaldsa.Prowadzący: Radosław Biernacki, Rafał Jaworowski, Maciej Czekaj, Marcin WojtasHashtag: ARM, AArch64, ARMv8, ARm on ARM, RISC-V### Plan odcinka# (0:50) Historia firmy ARM# (3:28) Czym wyróżnia się firma ARM# (7:42) Na czym zarabia ARM?# (8:17) Modele współpracy z firmą ARM (poziomy licencji)# (15:32) Wyzwania przy tworzeniu całkiem nowej architektury# (22:06) Mit energooszczędności ARM# (28:13) Co zużywa najwięcej energii w CPU?# (33:25) Dlaczego ARM nie istnieje w świecie PC?# (42:39) Próby stworzenia ARM PC# (44:27) Dlaczego firma ARM nie wspiera ARM PC# (46:40) Problem GPU na ARM (optional ROM)# (49:13) Problem kompatybilności SW na ARM# (53:14) Co jest potrzebne do adopcji ARM w serwerach# (54:46) Polityka globalna w HPC# (56:45) Wojna cenowa w HPC# (1:01:23) Problem standaryzacji w serwerach# (1:08:30) Dlaczego ARM nie wyprodukował CPU serwerowego?# (1:10:35) Poważne konsekwencje bierności ARM# (1:11:09) Czy w ogóle ARM chce wejść na rynek serwerowy?# (1:14:42) Procentowy udział ARM w rynkach procesorów# (1:16:54) Co przekonuje kupujących do zmiany?# (1:22:40) A może RISC V?# (1:30:12) A Linus powiedział że...Odnośniki(0:50) ARM Architecture history - https://en.wikipedia.org/wiki/ARM_architecture#History(1:14) ACorn - https://en.wikipedia.org/wiki/Acorn_Computers(1:30) BBC micro - https://en.wikipedia.org/wiki/BBC_Micro(1:59) VLSI - https://en.wikipedia.org/wiki/VLSI_Technology(2:35) 68000 - https://en.wikipedia.org/wiki/Motorola_68000(2:21) ARM 1 - https://en.wikichip.org/wiki/acorn/microarchitectures/arm1(4:24) Apple Newton - https://en.wikipedia.org/wiki/Apple_Newton(8:30) How ARM’s business model works - https://www.anandtech.com/show/7112/the-arm-diaries-part-1-how-arms-business-model-works/2(12:52) Atmel - Microchip - https://en.wikipedia.org/wiki/Atmel(13:47) Cortex - https://en.wikipedia.org/wiki/ARM_Cortex-A(14:35) Marvell - https://en.wikipedia.org/wiki/Marvell_Technology_Group(15:00) wersje ARM - https://www.cs.umd.edu/~meesh/cmsc411/website/proj01/arm/armchip.html(15:35) Polski Procesor D32PRO - https://pclab.pl/news65816.html(18:33) - przykład reverse engineer’ingu CPU do BLE - https://github.com/sylvek/itracing2/issues/5#issuecomment-226080683(19:39) Parallella - https://www.parallella.org/board/(21:38) Qualcomm Centriq - https://en.wikipedia.org/wiki/Qualcomm_Centriq(21:44) Cavium - Marvell Thunder - https://www.marvell.com/server-processors/thunderx-arm-processors/(21:46) APM X-Gene - https://www.apm.com/products/data-center/x-gene-family/x-gene/(21:49) Broadcomm Snapdragon - https://en.wikipedia.org/wiki/Qualcomm_Snapdragon(24:59) Arm Delivers on Cortex A76 Promises: What it Means for 2019 Devices - https://www.anandtech.com/show/13614/arm-delivers-on-cortex-a76-promises(28:25) Way-Predicting Set-Associative Cache for High Performance and Low Energy Consumption http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.135.5610&rep=rep1&type=pdf(29:12) Power Wall - 45-year CPU evolution: one law and two equations - https://arxiv.org/pdf/1803.00254.pdf(31:02) Static power loss - Leakage Current: Moore’s Law Meets Static Power - http://www.ruf.rice.edu/~mobile/elec518/readings/DevicesAndCircuits/kim03leakage.pdf(32:51) Cortex A73 overview - https://www.anandtech.com/show/10347/arm-cortex-a73-artemis-unveiled(35:30) Raspbian - https://www.raspberrypi.org/downloads/raspbian/(36:17) Cortex-A - https://developer.arm.com/ip-products/processors/cortex-a(36:20) ARM GIC - https://developer.arm.com/ip-products/system-ip/system-controllers/interrupt-controllers(37:05) SBSA - https://developer.arm.com/architectures/platform-design/server-systems(37:28) ACPI - http://uefi.org/sites/default/files/resources/ACPI_6_2.pdf(40:20) Macchiatobin - http://macchiatobin.net/(42:04) Arm on Arm - https://www.youtube.com/watch?v=rl0sls6vnmk(43:15) SocioNext SynQuacer - https://www.socionext.com/en/products/assp/SynQuacer/Edge/(45:30) ARM roadshow slides 2018 - https://www.arm.com/-/media/global/company/investors/PDFs/Arm_SBG_Q4_2018_Roadshow_Slides_FINAL.pdf?revision=ebab8585-b3df-4235-b515-c3ef20379baf&la=en(48:07) EDK2 - https://github.com/tianocore/edk2(48:12) x86 Option ROM for ARM - https://www.suse.com/c/revolutionizing-arm-technology-x86_64-option-rom-aarch64/(48:17) Commit do ARM GPU - https://github.com/tianocore/edk2-non-osi/commit/77b5eefd9(50:28) Open Compute Project - https://en.wikipedia.org/wiki/Open_Compute_Project(52:54) Stacja Robocza ThunderX - https://www.asacomputers.com/Cavium-ThunderX-ARM.html(55:00) Kumpeng 920 - https://www.servethehome.com/huawei-kunpeng-920-64-core-arm-server-cpu/(57:19) PowerPC - https://en.wikipedia.org/wiki/PowerPC(57:27) SPARC - https://en.wikipedia.org/wiki/SPARC(1:00:37) Linaro - https://en.wikipedia.org/wiki/Linaro(1:00:54) RAS - https://www.kernel.org/doc/html/v4.14/admin-guide/ras.html(1:04:37) Amazon Graviton - https://en.wikichip.org/wiki/annapurna_labs/alpine/al73400(1:05:00) Amazon EC2 - https://aws.amazon.com/ec2/instance-types/a1/(1:06:43) Jon Masters - https://www.linkedin.com/in/jonmasters/(1:07:48) Intel wpiera rozwój AI - https://software.intel.com/en-us/devcloud/datacenter(1:09:42) ARM roadshow slides 2018 - https://www.arm.com/-/media/global/company/investors/PDFs/Arm_SBG_Q4_2018_Roadshow_Slides_FINAL.pdf?revision=ebab8585-b3df-4235-b515-c3ef20379baf&la=en(1:10:47) Qualcomm zamyka dział serwerowy - https://www.tomshardware.com/news/qualcomm-server-chip-exit-china-centriq-2400,38223.html(1:13:22) Galileo, Edison, Julie, Curie - https://software.intel.com/en-us/iot/hardware/discontinued(1:15:02) ARM roadshow slides 2018 - https://www.arm.com/-/media/global/company/investors/PDFs/Arm_SBG_Q4_2018_Roadshow_Slides_FINAL.pdf?revision=ebab8585-b3df-4235-b515-c3ef20379baf&la=en(1:18:00) AARch64 virtualization - https://developer.arm.com/docs/100942/latest/aarch64-virtualization(1:18:31) Cavium ThunderX2 Review and Benchmarks a Real Arm Server Optionhttps://www.servethehome.com/cavium-thunderx2-review-benchmarks-real-arm-server-option/(1:19:22) SRIOV - https://en.wikipedia.org/wiki/Single-root_input/output_virtualization(1:21:25) Octeon TX - https://www.marvell.com/embedded-processors/infrastructure-processors/octeon-tx-multi-core-armv8-processors/index.jsp(1:22:58) RISC V - https://en.wikipedia.org/wiki/RISC-V(1:26:50) WD i RISC V - https://blog.westerndigital.com/risc-v-swerv-core-open-source/(1:29:04) ARM RISC-V FUD -https://github.com/arm-facts/arm-basics.com/blob/master/assets/img/riscv-basics.com-screenshot.jpg(1:30:16) Linus o ARM na serwerach - https://www.extremetech.com/computing/286311-linus-torvalds-claims-arm-wont-win-in-the-server-space(1:30:41) Packet.net - https://www.packet.com/(1:31:04) Amper eMAG - https://amperecomputing.com/wp-content/uploads/2019/01/eMAG8180_PB_v0.5_20180914.pdf

Have you ever paid attention to WHY something catches your eye? In today's episode, we discuss what designers, showroom folks (at all levels), manufacturers, and consumers need to know about the neuroscience of showrooms and how it can impact new product discovery. Guests: Suzanne DeRusha, Content and Design Manager for ACPI, and Robb Best, Senior Advisor of Cognitive Strategy, for Elkay Corporation

FreeBSD 12.0 is finally here, partly-cloudy IPsec VPN, KLEAK with NetBSD, How to create synth repos, GhostBSD author interview, and more. ##Headlines FreeBSD 12.0 is available After a long release cycle, the wait is over: FreeBSD 12.0 is now officially available. We’ve picked a few interesting things to cover in the show, make sure to read the full Release Notes Userland: Group permissions on /dev/acpi have been changed to allow users in the operator GID to invoke acpiconf(8) to suspend the system. The default devfs.rules(5) configuration has been updated to allow mount_fusefs(8) with jail(8). The default PAGER now defaults to less(1) for most commands. The newsyslog(8) utility has been updated to reject configuration entries that specify setuid(2) or executable log files. The WITH_REPRODUCIBLE_BUILD src.conf(5) knob has been enabled by default. A new src.conf(5) knob, WITH_RETPOLINE, has been added to enable the retpoline mitigation for userland builds. Userland applications: The dtrace(1) utility has been updated to support if and else statements. The legacy gdb(1) utility included in the base system is now installed to /usr/libexec for use with crashinfo(8). The gdbserver and gdbtui utilities are no longer installed. For interactive debugging, lldb(1) or a modern version of gdb(1) from devel/gdb should be used. A new src.conf(5) knob, WITHOUT_GDB_LIBEXEC has been added to disable building gdb(1). The gdb(1) utility is still installed in /usr/bin on sparc64. The setfacl(1) utility has been updated to include a new flag, -R, used to operate recursively on directories. The geli(8) utility has been updated to provide support for initializing multiple providers at once when they use the same passphrase and/or key. The dd(1) utility has been updated to add the status=progress option, which prints the status of its operation on a single line once per second, similar to GNU dd(1). The date(1) utility has been updated to include a new flag, -I, which prints its output in ISO 8601 formatting. The bectl(8) utility has been added, providing an administrative interface for managing ZFS boot environments, similar to sysutils/beadm. The bhyve(8) utility has been updated to add a new subcommand to the -l and -s flags, help, which when used, prints a list of supported LPC and PCI devices, respectively. The tftp(1) utility has been updated to change the default transfer mode from ASCII to binary. The chown(8) utility has been updated to prevent overflow of UID or GID arguments where the argument exceeded UID_MAX or GID_MAX, respectively. Kernel: The ACPI subsystem has been updated to implement Device object types for ACPI 6.0 support, required for some Dell, Inc. Poweredge™ AMD® Epyc™ systems. The amdsmn(4) and amdtemp(4) drivers have been updated to attach to AMD® Ryzen 2™ host bridges. The amdtemp(4) driver has been updated to fix temperature reporting for AMD® 2990WX CPUs. Kernel Configuration: The VIMAGE kernel configuration option has been enabled by default. The dumpon(8) utility has been updated to add support for compressed kernel crash dumps when the kernel configuration file includes the GZIO option. See rc.conf(5) and dumpon(8) for additional information. The NUMA option has been enabled by default in the amd64 GENERIC and MINIMAL kernel configurations. Device Drivers: The random(4) driver has been updated to remove the Yarrow algorithm. The Fortuna algorithm remains the default, and now only, available algorithm. The vt(4) driver has been updated with performance improvements, drawing text at rates ranging from 2- to 6-times faster. Deprecated Drivers: The lmc(4) driver has been removed. The ixgb(4) driver has been removed. The nxge(4) driver has been removed. The vxge(4) driver has been removed. The jedec_ts(4) driver has been removed in 12.0-RELEASE, and its functionality replaced by jedec_dimm(4). The DRM driver for modern graphics chipsets has been marked deprecated and marked for removal in FreeBSD 13. The DRM kernel modules are available from graphics/drm-stable-kmod or graphics/drm-legacy-kmod in the Ports Collection as well as via pkg(8). Additionally, the kernel modules have been added to the lua loader.conf(5) module_blacklist, as installation from the Ports Collection or pkg(8) is strongly recommended. The following drivers have been deprecated in FreeBSD 12.0, and not present in FreeBSD 13.0: ae(4), de(4), ed(4), ep(4), ex(4), fe(4), pcn(4), sf(4), sn(4), tl(4), tx(4), txp(4), vx(4), wb(4), xe(4) Storage: The UFS/FFS filesystem has been updated to support check hashes to cylinder-group maps. Support for check hashes is available only for UFS2. The UFS/FFS filesystem has been updated to consolidate TRIM/BIO_DELETE commands, reducing read/write requests due to fewer TRIM messages being sent simultaneously. TRIM consolidation support has been enabled by default in the UFS/FFS filesystem. TRIM consolidation can be disabled by setting the vfs.ffs.dotrimcons sysctl(8) to 0, or adding vfs.ffs.dotrimcons=0 to sysctl.conf(5). NFS: The NFS version 4.1 server has been updated to include pNFS server support. ZFS: ZFS has been updated to include new sysctl(8)s, vfs.zfs.arc_min_prefetch_ms and vfs.zfs.arc_min_prescient_prefetch_ms, which improve performance of the zpool(8) scrub subcommand. The new spacemap_v2 zpool feature has been added. This provides more efficient encoding of spacemaps, especially for full vdev spacemaps. The large_dnode zpool feature been imported, allowing better compatibility with pools created under ZFS-on-Linux 0.7.x Many bug fixes have been applied to the device removal feature. This feature allows you to remove a non-redundant or mirror vdev from a pool by relocating its data to other vdevs. Includes the fix for PR 229614 that could cause processes to hang in zil_commit() Boot Loader Changes: The lua loader(8) has been updated to detect a list of installed kernels to boot. The loader(8) has been updated to support geli(8) for all architectures and all disk-like devices. The loader(8) has been updated to add support for loading Intel® microcode updates early during the boot process. Networking: The pf(4) packet filter is now usable within a jail(8) using vnet(9). The pf(4) packet filter has been updated to use rmlock(9) instead of rwlock(9), resulting in significant performance improvements. The SO_REUSEPORT_LB option has been added to the network stack, allowing multiple programs or threads to bind to the same port, and incoming connections load balanced using a hash function. Again, read the release notes for a full list, check out the errata notices. A big THANKS to the entire release engineering team and all developers involved in the release, much appreciated! ###Abandon Linux. Move to FreeBSD or Illumos If you use GNU/Linux and you are only on opensource, you may be doing it wrong. Here’s why. Is your company based on opensource based software only? Do you have a bunch of developers hitting some kind of server you have installed for them to “do their thing”? Being it for economical reasons (remember to donate), being it for philosophycal ones, you may have skipped good alternatives. The BSD’s and Illumos. I bet you are running some sort of Debian, openSuSE or CentOS. It’s very discouraging having entered into the IT field recently and discover many of the people you meet do not even recognise the name BSD. Naming Solaris seems like naming the evil itself. The problem being many do not know why. They can’t point anything specific other than it’s fading out. This has recently shown strong when Oracle officials have stated development for new features has ceased and almost 90 % of developers for Solaris have been layed off. AIX seems alien to almost everybody unless you have a white beard. And all this is silly. And here’s why. You are certainly missing two important features that FreeBSD and Illumos derivatives are enjoying. A full virtualization technology, much better and fully developed compared to the LXC containers in the Linux world, such as Jails on BSD, Zones in Solaris/Illumos, and the great ZFS file system which both share. You have probably heard of a new Linux filesystem named Btrfs, which by the way, development has been dropped from the Red Hat side. Trying to emulate ZFS, Oracle started developing Btrfs file system before they acquired Sun (the original developer of ZFS), and SuSE joined the effort as well as Red Hat. It is not as well developed as ZFS and it hasn’t been tested in production environments as extensively as the former has. That leaves some uncertainty on using it or not. Red Hat leaving it aside does add some more. Although some organizations have used it with various grades of success. But why is this anyhow interesting for a sysadmin or any organization? Well… FreeBSD (descendant of Berkeley UNIX) and SmartOS (based on Illumos) aglutinate some features that make administration easier, safer, faster and more reliable. The dream of any systems administrator. To start, the ZFS filesystem combines the typical filesystem with a volume manager. It includes protection against corruption, snapshots and copy-on-write clones, as well as volume manager. Jails is another interesting piece of technology. Linux folks usually associate this as a sort of chroot. It isn’t. It is somehow inspired by it but as you may know you can escape from a chroot environment with a blink of an eye. Jails are not called jails casually. The name has a purpose. Contain processes and programs within a defined and totally controlled environment. Jails appeared first in FreeBSD in the year 2000. Solaris Zones debuted on 2005 (now called containers) are the now proprietary version of those. There are some other technologies on Linux such as Btrfs or Docker. But they have some caveats. Btrfs hasn’t been fully developed yet and it’s hasn’t been proved as much in production environments as ZFS has. And some problems have arisen recently although the developers are pushing the envelope. At some time they will match ZFS capabilities for sure. Docker is growing exponentially and it’s one of the cool technologies of modern times. The caveat is, as before, the development of this technology hasn’t been fully developed. Unlike other virtualization technologies this is not a kernel playing on top of another kernel. This is virtualization at the OS level, meaning differentiated environments can coexist on a single host, “hitting” the same unique kernel which controls and shares the resources. The problem comes when you put Docker on top of any other virtualization technology such as KVM or Xen. It breaks the purpose of it and has a performance penalty. I have arrived into the IT field with very little knowledge, that is true. But what I see strikes me. Working in a bank has allowed me to see a big production environment that needs the highest of the availability and reliability. This is, sometimes, achieved by bruteforce. And it’s legitime and adequate. Redundancy has a reason and a purpose for example. But some other times it looks, it feels, like killing flies with cannons. More hardware, more virtual machines, more people, more of this, more of that. They can afford it, so they try to maintain the cost low but at the end of the day there is a chunky budget to back operations. But here comes reality. You’re not a bank and you need to squeeze your investment as much as possible. By using FreeBSD jails you can avoid the performance penalty of KVM or Xen virtualization. Do you use VMWare or Hyper-V? You can avoid both and gain in performance. Not only that, control and manageability are equal as before, and sometimes easier to administer. There are four ways to operate them which can be divided in two categories. Hardcore and Human Being. For the Hardcore use the FreeBSD handbook and investigate as much as you can. For the Human Being way there are three options to use. Ezjail, Iocage and CBSD which are frameworks or programs as you may call to manage jails. I personally use Iocage but I have also used Ezjail. How can you use jails on your benefit? Ever tried to configure some new software and failed miserably? You can have three different jails running at the same time with different configurations. Want to try a new configuration in a production piece of hardware without applying it on the final users? You can do that with a small jail while the production environment is on in another bigger, chunkier jail. Want to divide the hardware as a replica of the division of the team/s you are working with? Want to sell virtual machines with bare metal performance? Do you want to isolate some piece of critical software or even data in a more controlled environment? Do you have different clients and you want to use the same hardware but you want to avoid them seeing each other at the same time you maintain performance and reliability? Are you a developer and you have to have reliable and portable snapshots of your work? Do you want to try new options-designs without breaking your previous work, in a timeless fashion? You can work on something, clone the jail and apply the new ideas on the project in a matter of seconds. You can stop there, export the filesystem snapshot containing all the environment and all your work and place it on a thumbdrive to later import it on a big production system. Want to change that image properties such as the network stack interface and ip? This is just one command away from you. But what properties can you assign to a jail and how can I manage them you may be wondering. Hostname, disk quota, i/o, memory, cpu limits, network isolation, network virtualization, snapshots and the manage of those, migration and root privilege isolation to name a few. You can also clone them and import and export them between different systems. Some of these things because of ZFS. Iocage is a python program to manage jails and it takes profit from ZFS advantages. But FreeBSD is not Linux you may say. No it is not. There are no run levels. The systemd factor is out of this equation. This is so since the begginning. Ever wondered where did vi come from? The TCP/IP stack? Your beloved macOS from Apple? All this is coming from the FreeBSD project. If you are used to Linux your adaptation period with any BSD will be short, very short. You will almost feel at home. Used to packaged software using yum or apt-get? No worries. With pkgng, the package management tool used in FreeBSD has almost 27.000 compiled packages for you to use. Almost all software found on any of the important GNU/Linux distros can be found here. Java, Python, C, C++, Clang, GCC, Javascript frameworks, Ruby, PHP, MySQL and the major forks, etc. All this opensource software, and much more, is available at your fingertips. I am a developer and… frankly my time is money and I appreciate both much more than dealing with systems configuration, etc. You can set a VM using VMWare or VirtualBox and play with barebones FreeBSD or you can use TrueOS (a derivative) which comes in a server version and a desktop oriented one. The latter will be easier for you to play with. You may be doing this already with Linux. There is a third and very sensible option. FreeNAS, developed by iXSystems. It is FreeBSD based and offers all these technologies with a GUI. VMWare, Hyper-V? Nowadays you can get your hands off the CLI and get a decent, usable, nice GUI. You say you play on the cloud. The major players already include FreeBSD in their offerings. You can find it in Amazon AWS or Azure (with official Microsoft support contracts too!). You can also find it in DigitalOcean and other hosting providers. There is no excuse. You can use it at home, at the office, with old or new hardware and in the cloud as well. You can even pay for a support contract to use it. Joyent, the developers of SmartOS have their own cloud with different locations around the globe. Have a look on them too. If you want the original of ZFS and zones you may think of Solaris. But it’s fading away. But it really isn’t. When Oracle bouth Sun many people ran away in an stampide fashion. Some of the good folks working at Sun founded new projects. One of these is Illumos. Joyent is a company formed by people who developed these technologies. They are a cloud operator, have been recently bought by Samsung and have a very competent team of people providing great tech solutions. They have developed an OS, called SmartOS (based on Illumos) with all these features. The source from this goes back to the early days of UNIX. Do you remember the days of OpenSolaris when Sun opensourced the crown jewels? There you have it. A modern opensource UNIX operating system with the roots in their original place and the head planted on today’s needs. In conclusion. If you are on GNU/Linux and you only use opensource software you may be doing it wrong. And missing goodies you may need and like. Once you put your hands on them, trust me, you won’t look back. And if you have some “old fashioned” admins who know Solaris, you can bring them to a new profitable and exciting life with both systems. Still not convinced? Would you have ever imagined Microsoft supporting Linux? Even loving it? They do love now FreeBSD. And not only that, they provide their own image in the Azure Cloud and you can get Microsoft support, payed support if you want to use the platform on Azure. Ain’t it… surprising? Convincing at all? PS: I haven’t mentioned both softwares, FreeBSD and SmartOS do have a Linux translation layer. This means you can run Linux binaries on them and the program won’t cough at all. Since the ABI stays stable the only thing you need to run a Linux binary is a translation between the different system calls and the libraries. Remember POSIX? Choose your poison and enjoy it. ###A partly-cloudy IPsec VPN Audience I’m assuming that readers have at least a basic knowledge of TCP/IP networking and some UNIX or UNIX-like systems, but not necessarily OpenBSD or FreeBSD. This post will therefore be light on details that aren’t OS specific and are likely to be encountered in normal use (e.g., how to use vi or another text editor.) For more information on these topics, read Absolute FreeBSD (3ed.) by Michael W. Lucas. Overview I’m redoing my DigitalOcean virtual machines (which they call droplets). My requirements are: VPN Road-warrior access, so I can use private network resources from anywhere. A site-to-site VPN, extending my home network to my VPSes. Hosting for public and private network services. A proxy service to provide a public IP address to services hosted at home. The last item is on the list because I don’t actually have a public IP address at home; my firewall’s external address is in the RFC 1918 space, and the entire apartment building shares a single public IPv4 address.1 (IPv6? Don’t I wish.) The end-state network will include one OpenBSD droplet providing firewall, router, and VPN services; and one FreeBSD droplet hosting multiple jailed services. I’ll be providing access via these droplets to a NextCloud instance at home. A simple NAT on the DO router droplet isn’t going to work, because packets going from home to the internet would exit through the apartment building’s connection and not through the VPN. It’s possible that I could do work around this issue with packet tagging using the pf firewall, but HAProxy is simple to configure and unlikely to result in hard-to-debug problems. relayd is also an option, but doesn’t have the TLS parsing abilities of HAProxy, which I’ll be using later on. Since this system includes jails running on a VPS, and they’ve got RFC 1918 addresses, I want them reachable from my home network. Once that’s done, I can access the private address space from anywhere through a VPN connection to the cloudy router. The VPN itself will be of the IPsec variety. IPsec is the traditional enterprise VPN standard, and is even used for classified applications, but has a (somewhat-deserved) reputation for complexity, but recent versions of OpenBSD turn down the difficulty by quite a bit. The end-state network should look like: https://d33wubrfki0l68.cloudfront.net/0ccf46fb057e0d50923209bb2e2af0122637e72d/e714e/201812-cloudy/endstate.svg This VPN both separates internal network traffic from public traffic and uses encryption to prevent interception or tampering. Once traffic has been encrypted, decrypting it without the key would, as Bruce Schneier once put it, require a computer built from something other than matter that occupies something other than space. Dyson spheres and a frakton of causality violation would possibly work, as would mathemagical technology that alters the local calendar such that P=NP.2 Black-bag jobs and/or suborning cloud provider employees doesn’t quite have that guarantee of impossibility, however. If you have serious security requirements, you’ll need to do better than a random blog entry. ##News Roundup KLEAK: Practical Kernel Memory Disclosure Detection Modern operating systems such as NetBSD, macOS, and Windows isolate their kernel from userspace programs to increase fault tolerance and to protect against malicious manipulations [10]. User space programs have to call into the kernel to request resources, via system calls or ioctls. This communication between user space and kernel space crosses a security boundary. Kernel memory disclosures - also known as kernel information leaks - denote the inadvertent copying of uninitialized bytes from kernel space to user space. Such disclosed memory may contain cryptographic keys, information about the kernel memory layout, or other forms of secret data. Even though kernel memory disclosures do not allow direct exploitation of a system, they lay the ground for it. We introduce KLEAK, a simple approach to dynamically detect kernel information leaks. Simply said, KLEAK utilizes a rudimentary form of taint tracking: it taints kernel memory with marker values, lets the data travel through the kernel and scans the buffers exchanged between the kernel and the user space for these marker values. By using compiler instrumentation and rotating the markers at regular intervals, KLEAK significantly reduces the number of false positives, and is able to yield relevant results with little effort. Our approach is practically feasible as we prove with an implementation for the NetBSD kernel. A small performance penalty is introduced, but the system remains usable. In addition to implementing KLEAK in the NetBSD kernel, we applied our approach to FreeBSD 11.2. In total, we detected 21 previously unknown kernel memory disclosures in NetBSD-current and FreeBSD 11.2, which were fixed subsequently. As a follow-up, the projects’ developers manually audited related kernel areas and identified dozens of other kernel memory disclosures. The remainder of this paper is structured as follows. Section II discusses the bug class of kernel memory disclosures. Section III presents KLEAK to dynamically detect instances of this bug class. Section IV discusses the results of applying KLEAK to NetBSD-current and FreeBSD 11.2. Section V reviews prior research. Finally, Section VI concludes this paper. ###How To Create Official Synth Repo System Environment Make sure /usr/dports is updated and that it contains no cruft (git pull; git status). Remove any cruft. Make sure your ‘synth’ is up-to-date ‘pkg upgrade synth’. If you already updated your system you may have to build synth from scratch, from /usr/dports/ports-mgmt/synth. Make sure /etc/make.conf is clean. Update /usr/src to the current master, make sure there is no cruft in it Do a full buildworld, buildkernel, installkernel and installworld Reboot After the reboot, before proceeding, run ‘uname -a’ and make sure you are now on the desired release or development kernel. Synth Environment /usr/local/etc/synth/ contains the synth configuration. It should contain a synth.ini file (you may have to rename the template), and you will have to create or edit a LiveSystem-make.conf file. System requirements are hefty. Just linking chromium alone eats at least 30GB, for example. Concurrent c++ compiles can eat up to 2GB per process. We recommend at least 100GB of SSD based swap space and 300GB of free space on the filesystem. synth.ini should contain this. Plus modify the builders and jobs to suit your system. With 128G of ram, 30/30 or 40/25 works well. If you have 32G of ram, maybe 8/8 or less. ; Take care when hand editing! [Global Configuration] profileselected= LiveSystem [LiveSystem] Operatingsystem= DragonFly Directorypackages= /build/synth/livepackages Directoryrepository= /build/synth/livepackages/All Directoryportsdir= /build/synth/dports Directoryoptions= /build/synth/options Directorydistfiles= /usr/distfiles Directorybuildbase= /build/synth/build Directorylogs= /build/synth/logs Directoryccache= disabled Directorysystem= / Numberofbuilders= 30 Maxjobsperbuilder= 30 Tmpfsworkdir= true Tmpfslocalbase= true Displaywithncurses= true leverageprebuilt= false LiveSystem-make.conf should contain one line to restrict licensing to only what is allowed to be built as a binary package: LICENSESACCEPTED= NONE Make sure there is no other cruft in /usr/local/etc/synth/ In the example above, the synth working dirs are in “/build/synth”. Make sure the base directories exist. Clean out any cruft for a fresh build from-scratch: rm -rf /build/synth/livepackages/* rm -rf /build/synth/logs mkdir /build/synth/logs Run synth everything. I recommend doing this in a ‘screen’ session in case you lose your ssh session (assuming you are ssh’d into the build machine). (optionally start a screen session) synth everything A full synth build takes over 24 hours to run on a 48-core box, around 12 hours to run on a 64-core box. On a 4-core/8-thread box it will take at least 3 days. There will be times when swap space is heavily used. If you have not run synth before, monitor your memory and swap loads to make sure you have configured the jobs properly. If you are overloading the system, you may have to ^C the synth run, reduce the jobs, and start it again. It will pick up where it left off. When synth finishes, let it rebuild the database. You then have a working binary repo. It is usually a good idea to run synth several times to pick up any stuff it couldn’t build the first time. Each of these incremental runs may take a few hours, depending on what it tries to build. ###Interview with founder and maintainer of GhostBSD, Eric Turgeon Thanks you Eric for taking part. To start off, could you tell us a little about yourself, just a bit of background? How did you become interested in open source? When and how did you get interested in the BSD operating systems? On your Twitter profile, you state that you are an automation engineer at iXsystems. Can you share what you do in your day-to-day job? You are the founder and project lead of GhostBSD. Could you describe GhostBSD to those who have never used it or never heard of it? Developing an operating system is not a small thing. What made you decide to start the GhostBSD project and not join another “desktop FreeBSD” related project, such as PC-BSD and DesktopBSD at the time? How did you get to the name GhostBSD? Did you consider any other names? You recently released GhostBSD 18.10? What’s new in that version and what are the key features? What has changed since GhostBSD 11.1? The current version is 18.10. Will the next version be 19.04 (like Ubuntu’s version numbering), or is a new version released after the next stable TrueOS release Can you tell us something about the development team? Is it yourself, or are there other core team members? I think I saw two other developers on your Github project page. How about the relationship with the community? Is it possible for a community member to contribute, and how are those contributions handled? What was the biggest challenge during development? If you had to pick one feature readers should check out in GhostBSD, what is it and why? What is the relationship between iXsystems and the GhostBSD project? Or is GhostBSD a hobby project that you run separately from your work at iXsystems? What is the relationship between GhostBSD and TrueOS? Is GhostBSD TrueOS with the MATE desktop on top, or are there other modifications, additions, and differences? Where does GhostBSD go from here? What are your plans for 2019? Is there anything else that wasn’t asked or that you want to share? ##Beastie Bits dialog(1) script to select audio output on FreeBSD Erlang otp on OpenBSD Capsicum https://blog.grem.de/sysadmin/FreeBSD-On-rpi3-With-crochet-2018-10-27-18-00.html Introduction to µUBSan - a clean-room reimplementation of the Undefined Behavior Sanitizer runtime pkgsrcCon 2018 in Berlin - Videos Getting started with drm-kmod ##Feedback/Questions Malcolm - Show segment idea Fraser - Question: FreeBSD official binary package options Harri - BSD Magazine Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

W pierwszym (testowym) odcinku naszego podcastu porozmawiamy o ostatnich odkryciach ujawnionych w artykule Bloomberga na temat instalowania implantów (backdoorów) sprzętowych w płytach głównych produkowanych przez Supermicro.Według źródła, odkryte miały zostać małe układy scalone, których rzekomym celem działania było wykradanie informacji z serwerów pracujących w amerykańskich sieciach telekomunikacyjnych oraz popularnych usługach chmurowych i sieciach społecznościowych.Ponieważ na co dzień zajmujemy się produkcją oprogramowania układowego (Firmware/BIOS), a tym samym posiadamy praktyczną wiedzę z zakresu budowy zarówno sprzętu jak i standardów dla oprogramowania embedded, postanowiliśmy przyjrzeć się tym rewelacjom i skonfrontować je z faktami.Na początku odcinka przekazujemy informacje ogólne na temat tematyki implantów (backdoorów) sprzętowych. Słuchacze bardziej biegli w temacie mogą od razu przejść do 15 minuty gdzie rozpoczynamy techniczną analizę prawdopodobnego scenariusza ataku, który pokrywałby się z informacjami przedstawionymi przez Bloomberga.Podczas naszej analizy odwołujemy się do standardów takich jak: BMC, IPMI, ACPI, UEFI, ATF, NC-SI, TPM. Jeżeli szukasz twardych technicznych dokumentów na te tematy koniecznie sprawdź linki poniżej.Prowadzący: Radosław Biernacki, Michał Stanek, Jan Dąbroś, Wojciech MacekLinki (chcesz wiedzieć więcej?):Hardware trojan:https://en.wikipedia.org/wiki/Hardware_TrojanBloomberg:https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companieshttps://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecomInne źródła na temat publikacji:https://www.servethehome.com/yossi-appleboum-disagrees-bloomberg-is-positioning-his-research-against-supermicro/https://www.servethehome.com/explaining-the-baseboard-management-controller-or-bmc-in-servers/https://securinghardware.com/articles/hardware-implants/IPMI - because ACPI and UEFI weren't terrifying enough:https://www.youtube.com/watch?v=GZeUntdObCABMC/IPMI:https://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/ipmi-second-gen-interface-spec-v2-rev1-1.pdfhttps://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/https://www.reddit.com/r/homelab/comments/74o47w/psa_do_not_connect_your_ipmi_to_outside_world/OpenBMC:https://www.youtube.com/watch?v=HO9qDPoWWrghttps://github.com/openbmc/openbmcUEFI:https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interfacehttps://github.com/tianocore/edk2ACPI:https://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interfacehttp://www.uefi.org/sites/default/files/resources/ACPI_6_2.pdfhttps://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Heasman.pdfARM Trusted Firmware / UEFI Secure Boot:https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdfhttps://www.trustedfirmware.org/about/https://github.com/ARM-software/arm-trusted-firmwareNC-SI:https://en.wikipedia.org/wiki/NC-SIhttps://www.dmtf.org/sites/default/files/standards/documents/DSP0222_1.0.0.pdfhttps://sthbrx.github.io/blog/2017/09/22/ncsi-nice-network-youve-got-there/TPM:https://en.wikipedia.org/wiki/Trusted_Platform_Modulehttps://online.tugraz.at/tug_online/voe_main2.getvolltext?pCurrPk=59565PUF:https://www.coursera.org/lecture/hardware-security/physical-unclonable-functions-puf-basics-Ab4sfhttp://cryptowiki.net/index.php?title=Physically_unclonable_functions_(PUF)HW Counterfeits:https://www.electronicsweekly.com/news/business/fbi-arrests-counterfeit-chip-traffickers-2015-12/https://www.netnames.com/insights/blog/2014/03/counterfeit-aircraft-parts-in-the-usa/https://zeptobars.com/en/read/Nordic-NRF24L01P-SI24R1-real-fake-copyps: już po naszej publikacji pojawił się poniższy art.https://www.servethehome.com/investigating-implausible-bloomberg-supermicro-stories/

OpenBSD on Microsoft Surface Go, FreeBSD Foundation August Update, What’s taking so long with Project Trident, pkgsrc config file versioning, and MacOS remnants in ZFS code. ##Headlines OpenBSD on the Microsoft Surface Go For some reason I like small laptops and the constraints they place on me (as long as they’re still usable). I used a Dell Mini 9 for a long time back in the netbook days and was recently using an 11" MacBook Air as my primary development machine for many years. Recently Microsoft announced a smaller, cheaper version of its Surface tablets called Surface Go which piqued my interest. Hardware The Surface Go is available in two hardware configurations: one with 4Gb of RAM and a 64Gb eMMC, and another with 8Gb of RAM with a 128Gb NVMe SSD. (I went with the latter.) Both ship with an Intel Pentium Gold 4415Y processor which is not very fast, but it’s certainly usable. The tablet measures 9.65" across, 6.9" tall, and 0.3" thick. Its 10" diagonal 3:2 touchscreen is covered with Gorilla Glass and has a resolution of 1800x1200. The bezel is quite large, especially for such a small screen, but it makes sense on a device that is meant to be held, to avoid accidental screen touches. The keyboard and touchpad are located on a separate, removable slab called the Surface Go Signature Type Cover which is sold separately. I opted for the “cobalt blue” cover which has a soft, cloth-like alcantara material. The cover attaches magnetically along the bottom edge of the device and presents USB-attached keyboard and touchpad devices. When the cover is folded up against the screen, it sends an ACPI sleep signal and is held to the screen magnetically. During normal use, the cover can be positioned flat on a surface or slightly raised up about 3/4" near the screen for better ergonomics. When using the device as a tablet, the cover can be rotated behind the screen which causes it to automatically stop sending keyboard and touchpad events until it is rotated back around. The keyboard has a decent amount of key travel and a good layout, with Home/End/Page Up/Page Down being accessible via Fn+Left/Right/Up/Down but also dedicated Home/End/Page Up/Page Down keys on the F9-F12 keys which I find quite useful since the keyboard layout is somewhat small. By default, the F1-F12 keys do not send F1-F12 key codes and Fn must be used, either held down temporarily or Fn pressed by itself to enable Fn-lock which annoyingly keeps the bright Fn LED illuminated. The keys are backlit with three levels of adjustment, handled by the keyboard itself with the F7 key. The touchpad on the Type Cover is a Windows Precision Touchpad connected via USB HID. It has a decent click feel but when the cover is angled up instead of flat on a surface, it sounds a bit hollow and cheap. Surface Go Pen The touchscreen is powered by an Elantech chip connected via HID-over-i2c, which also supports pen input. A Surface Pen digitizer is available separately from Microsoft and comes in the same colors as the Type Covers. The pen works without any pairing necessary, though the top button on it works over Bluetooth so it requires pairing to use. Either way, the pen requires an AAAA battery inside it to operate. The Surface Pen can attach magnetically to the left side of the screen when not in use. A kickstand can swing out behind the display to use the tablet in a laptop form factor, which can adjust to any angle up to about 170 degrees. The kickstand stays firmly in place wherever it is positioned, which also means it requires a bit of force to pull it out when initially placing the Surface Go on a desk. Along the top of the display are a power button and physical volume rocker buttons. Along the right side are the 3.5mm headphone jack, USB-C port, power port, and microSD card slot located behind the kickstand. Charging can be done via USB-C or the dedicated charge port, which accommodates a magnetically-attached, thin barrel similar to Apple’s first generation MagSafe adapter. The charging cable has a white LED that glows when connected, which is kind of annoying since it’s near the mid-line of the screen rather than down by the keyboard. Unlike Apple’s MagSafe, the indicator light does not indicate whether the battery is charged or not. The barrel charger plug can be placed up or down, but in either direction I find it puts an awkward strain on the power cable coming out of it due to the vertical position of the port. Wireless connectivity is provided by a Qualcomm Atheros QCA6174 802.11ac chip which also provides Bluetooth connectivity. Most of the sensors on the device such as the gyroscope and ambient light sensor are connected behind an Intel Sensor Hub PCI device, which provides some power savings as the host CPU doesn’t have to poll the sensors all the time. Firmware The Surface Go’s BIOS/firmware menu can be entered by holding down the Volume Up button, then pressing and releasing the Power button, and releasing Volume Up when the menu appears. Secure Boot as well as various hardware components can be disabled in this menu. Boot order can also be adjusted. A temporary boot menu can be brought up the same way but using Volume Down instead. ###FreeBSD Foundation Update, August 2018 MESSAGE FROM THE EXECUTIVE DIRECTOR Dear FreeBSD Community Member, It’s been a busy summer for the Foundation. From traveling around the globe spreading the word about FreeBSD to bringing on new team members to improve the Project’s Continuous Integration work, we’re very excited about what we’ve accomplished. Take a minute to check out the latest updates within our Foundation sponsored projects; read more about our advocacy efforts in Bangladesh and community building in Cambridge; don’t miss upcoming Travel Grant deadlines, and new Developer Summits; and be sure to find out how your support will ensure our progress continues into 2019. We can’t do this without you! Happy reading!! Deb August 2018 Development Projects Update Fundraising Update: Supporting the Project August 2018 Release Engineering Update BSDCam 2018 Recap October 2018 FreeBSD Developer Summit Call for Participation SANOG32 and COSCUP 2018 Recap MeetBSD 2018 Travel Grant Application Deadline: September 7 ##News Roundup Project Trident: What’s taking so long? What is taking so long? The short answer is that it’s complicated. Project Trident is quite literally a test of the new TrueOS build system. As expected, there have been quite a few bugs, undocumented features, and other optional bits that we discovered we needed that were not initially present. All of these things have to be addressed and retested in a constant back and forth process. While Ken and JT are both experienced developers, neither has done this kind of release engineering before. JT has done some release engineering back in his Linux days, but the TrueOS and FreeBSD build system is very different. Both Ken and JT are learning a completely new way of building a FreeBSD/TrueOS distribution. Please keep in mind that no one has used this new TrueOS build system before, so Ken and JT want to not only provide a good Trident release, but also provide a model or template for other potential TrueOS distributions too! Where are we now? Through perseverance, trial and error, and a lot of head-scratching we have reached the point of having successful builds. It took a while to get there, but now we are simply working out a few bugs with the new installer that Ken wrote as well as finding and fixing all the new Xorg configuration options which recently landed in FreeBSD. We also found that a number of services have been removed or replaced between TrueOS 18.03 and 18.06 so we are needing to adjust what we consider the “base” services for the desktop. All of these issues are being resolved and we are continually rebuilding and pulling in new patches from TrueOS as soon as they are committed. In the meantime we have made an early BETA release of Trident available to the users in our Telegram Channel for those who want to help out in testing these early versions. Do you foresee any other delays? At the moment we are doing many iterations of testing and tweaking the install ISO and package configurations in order to ensure that all the critical functionality works out-of-box (networking, sound, video, basic apps, etc). While we do not foresee any other major delays, sometimes things happen that our outside of our control. For an example, one of the recent delays that hit recently was completely unexpected: we had a hard drive failure on our build server. Up until recently, The aptly named “Poseidon” build server was running a Micron m500dc drive, but that drive is now constantly reporting errors. Despite ordering a replacement Western Digital Blue SSD several weeks ago, we just received it this past week. The drive is now installed with the builder back to full functionality, but we did lose many precious days with the delay. The build server for Project Trident is very similar to the one that JT donated to the TrueOS project. JT had another DL580 G7, so he donated one to the Trident Project for their build server. Poseidon also has 256GB RAM (64 x 4GB sticks) which is a smidge higher than what the TrueOS builder has. Since we are talking about hardware, we probably should address another question we get often, “What Hardware are the devs testing on?” So let’s go ahead and answer that one now. Developer Hardware JT: His main test box is a custom-built Intel i7 7700K system running 32GB RAM, dual Intel Optane 900P drives, and an Nvidia 1070 GTX with four 4K Acer Monitors. He also uses a Lenovo x250 ThinkPad alongside a desk full of x230t and x220 ThinkPads. One of which he gave away at SouthEast LinuxFest this year, which you can read about here. However it’s not done there, being a complete hardware hoarder, JT also tests on several Intel NUCs and his second laptop a Fujitsu t904, not to mention a Plethora of HP DL580 servers, a DL980 server, and a stack of BL485c, BL460c, and BL490c Blades in his HP c7000 and c3000 Bladecenter chassis. (Maybe it’s time for an intervention for his hardware collecting habits) Ken: For a laptop, he primarily uses a 3rd generation X1 Carbon, but also has an old Eee PC T101MT Netbook (dual core 1GHz, 2GB of memory) which he uses for verifying how well Trident works on low-end hardware. As far as workstations go, his office computer is an Intel i7 with an NVIDIA Geforce GTX 960 running three 4K monitors and he has a couple other custom-built workstations (1 AMD, 1 Intel+NVIDIA) at his home. Generally he assembled random workstations based on hardware that was given to him or that he could acquire cheap. Tim: is using a third gen X1 Carbon and a custom built desktop with an Intel Core i5-4440 CPU, 16 GiB RAM, Nvidia GeForce GTX 750 Ti, and a RealTek 8168 / 8111 network card. Rod: Rod uses… No one knows what Rod uses, It’s kinda like how many licks does it take to get to the center of a Tootsie-Roll Tootsie-Pop… the world may just never know. ###NetBSD GSoC: pkgsrc config file versioning A series of reports from the course of the summer on this Google Summer of Code project The goal of the project is to integrate with a VCS (Version Control System) to make managing local changes to config files for packages easier GSoC 2018 Reports: Configuration files versioning in pkgsrc, Part 1 Packages may install code (both machine executable code and interpreted programs), documentation and manual pages, source headers, shared libraries and other resources such as graphic elements, sounds, fonts, document templates, translations and configuration files, or a combination of them. Configuration files are usually the means through which the behaviour of software without a user interface is specified. This covers parts of the operating systems, network daemons and programs in general that don’t come with an interactive graphical or textual interface as the principal mean for setting options. System wide configuration for operating system software tends to be kept under /etc, while configuration for software installed via pkgsrc ends up under LOCALBASE/etc (e.g., /usr/pkg/etc). Software packaged as part of pkgsrc provides example configuration files, if any, which usually get extracted to LOCALBASE/share/examples/PKGBASE/. Don’t worry: automatic merging is disabled by default, set $VCSAUTOMERGE to enable it. In order to avoid breakage, installed configuration is backed up first in the VCS, separating user-modified files from files that have been already automatically merged in the past, in order to allow the administrator to easily restore the last manually edited file in case of breakage. VCS functionality only applies to configuration files, not to rc.d scripts, and only if the environment variable $NOVCS is unset. The version control system to be used as a backend can be set through $VCS. It default to RCS, the Revision Control System, which works only locally and doesn’t support atomic transactions. Other backends such as CVS are supported and more will come; these, being used at the explicit request of the administrator, need to be already installed and placed in a directory part of $PATH. GSoC 2018 Reports: Configuration files versioning in pkgsrc, part 2: remote repositories (git and CVS) pkgsrc is now able to deploy configuration from packages being installed from a remote, site-specific vcs repository. User modified files are always tracked even if automerge functionality is not enabled, and a new tool, pkgconftrack(1), exists to manually store user changes made outside of package upgrade time. Version Control software is executed as the same user running pkgadd or make install, unless the user is “root”. In this case, a separate, unprivileged user, pkgvcsconf, gets created with its own home directory and a working login shell (but no password). The home directory is not strictly necessary, it exists to facilitate migrations betweens repositories and vcs changes; it also serves to store keys used to access remote repositories. Using git instead of rcs is simply done by setting VCS=git in pkginstall.conf GSoC 2018 Reports: Configuration files versioning in pkgsrc, part 3: remote repositories (SVN and Mercurial) GSoC 2018 Reports: Configuration files versioning in pkgsrc, part 4: configuration deployment, pkgtools and future improvements Support for configuration tracking is in scripts, pkginstall scripts, that get built into binary packages and are run by pkgadd upon installation. The idea behind the proposal suggested that users of the new feature should be able to store revisions of their installed configuration files, and of package-provided default, both in local or remote repositories. With this capability in place, it doesn’t take much to make the scripts “pull” configuration from a VCS repository at installation time. That’s what setting VCSCONFPULL=yes in pkginstall.conf after having enabled VCSTRACKCONF does: You are free to use official, third party prebuilt packages that have no customization in them, enable these options, and point pkgsrc to a private conf repository. If it contains custom configuration for the software you are installing, an attempt will be made to use it and install it on your system. If it fails, pkginstall will fall back to using the defaults that come inside the package. RC scripts are always deployed from the binary package, if existing and PKGRCDSCRIPTS=yes in pkginstall.conf or the environment. This will be part of packages, not a separate solution like configuration management tools. It doesn’t support running scripts on the target system to customize the installation, it doesn’t come with its domain-specific language, it won’t run as a daemon or require remote logins to work. It’s quite limited in scope, but you can define a ROLE for your system in pkginstall.conf or in the environment, and pkgsrc will look for configuration you or your organization crafted for such a role (e.g., public, standalone webserver vs reverse proxy or node in a database cluster) ###A little bit of the one-time MacOS version still lingers in ZFS Once upon a time, Apple came very close to releasing ZFS as part of MacOS. Apple did this work in its own copy of the ZFS source base (as far as I know), but the people in Sun knew about it and it turns out that even today there is one little lingering sign of this hoped-for and perhaps prepared-for ZFS port in the ZFS source code. Well, sort of, because it’s not quite in code. Lurking in the function that reads ZFS directories to turn (ZFS) directory entries into the filesystem independent format that the kernel wants is the following comment: objnum = ZFSDIRENTOBJ(zap.zafirstinteger); / MacOS X can extract the object type here such as: * uint8t type = ZFSDIRENTTYPE(zap.zafirstinteger); */ Specifically, this is in zfsreaddir in zfsvnops.c . ZFS maintains file type information in directories. This information can’t be used on Solaris (and thus Illumos), where the overall kernel doesn’t have this in its filesystem independent directory entry format, but it could have been on MacOS (‘Darwin’), because MacOS is among the Unixes that support d_type. The comment itself dates all the way back to this 2007 commit, which includes the change ‘reserve bits in directory entry for file type’, which created the whole setup for this. I don’t know if this file type support was added specifically to help out Apple’s MacOS X port of ZFS, but it’s certainly possible, and in 2007 it seems likely that this port was at least on the minds of ZFS developers. It’s interesting but understandable that FreeBSD didn’t seem to have influenced them in the same way, at least as far as comments in the source code go; this file type support is equally useful for FreeBSD, and the FreeBSD ZFS port dates to 2007 too (per this announcement). Regardless of the exact reason that ZFS picked up maintaining file type information in directory entries, it’s quite useful for people on both FreeBSD and Linux that it does so. File type information is useful for any number of things and ZFS filesystems can (and do) provide this information on those Unixes, which helps make ZFS feel like a truly first class filesystem, one that supports all of the expected general system features. ##Beastie Bits Mac-like FreeBSD Laptop Syncthing on FreeBSD New ZFS Boot Environments Tool My system’s time was so wrong, that even ntpd didn’t work OpenSSH 7.8/7.8p1 (2018-08-24) EuroBSD (Sept 20-23rd) registration Early Bird Period is coming to an end MeetBSD (Oct 18-20th) is coming up fast, hurry up and register! AsiaBSDcon 2019 Dates ##Feedback/Questions Will - Kudos and a Question Peter - Fanless Computers Ron - ZFS disk clone or replace or something Bostjan - ZFS Record Size Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

DragonflyBSD’s hammer1 encrypted master/slave setup, second part of our BSDCan recap, NomadBSD 1.1-RC1 available, OpenBSD adds an LDAP client to base, FreeBSD gets pNFS support, Intel FPU Speculation Vulnerability confirmed, and what some Unix command names mean. ##Headlines DragonflyBSD: Towards a HAMMER1 master/slave encrypted setup with LUKS I just wanted to share my experience with setting up DragonFly master/slave HAMMER1 PFS’s on top of LUKS So after a long time using an Synology for my NFS needs, I decided it was time to rethink my setup a little since I had several issues with it : You cannot run NFS on top of encrypted partitions easily I suspect I am having some some data corruption (bitrot) on the ext4 filesystem the NIC was stcuk to 100 Mbps instead of 1 Gbps even after swapping cables, switches, you name it It’s proprietary I have been playing with DragonFly in the past and knew about HAMMER, now I just had the perfect excuse to actually use it in production :) After setting up the OS, creating the LUKS partition and HAMMER FS was easy : kdload dm cryptsetup luksFormat /dev/serno/ cryptsetup luksOpen /dev/serno/ fort_knox newfs_hammer -L hammer1_secure_master /dev/mapper/fort_knox cryptsetup luksFormat /dev/serno/ cryptsetup luksOpen /dev/serno/ fort_knox_slave newfs_hammer -L hammer1_secure_slave /dev/mapper/fort_knox_slave Mount the 2 drives : mount /dev/mapper/fort_knox /fort_knox mount /dev/mapper_fort_know_slave /fort_knox_slave You can now put your data under /fort_knox Now, off to setting up the replication, first get the shared-uuid of /fort_knox hammer pfs-status /fort_knox Create a PFS slave “linked” to the master hammer pfs-slave /fort_knox_slave/pfs/slave shared-uuid=f9e7cc0d-eb59-10e3-a5b5-01e6e7cefc12 And then stream your data to the slave PFS ! hammer mirror-stream /fort_knox /fort_knox_slave/pfs/slave After that, setting NFS is fairly trivial even though I had problem with the /etc/exports syntax which is different than Linux There’s a few things I wish would be better though but nothing too problematic or without workarounds : Cannot unlock LUKS partitions at boot time afaik (Acceptable tradeoff for the added security LUKS gives me vs my old Synology setup) but this force me to run a script to unlock LUKS, mount hammer and start mirror-stream at each boot No S1/S3 sleep so I made a script to shutdown the system when there’s no network neighborgs to serve the NFS As my system isn’t online 24/7 for energy reasons, I guess will have to run hammer cleanup myself from time to time Some uncertainty because hey, it’s kind of exotic but exciting too :) Overall, I am happy, HAMMER1 and PFS are looking really good, DragonFly is a neat Unix and the community is super friendly (Matthew Dillon actually provided me with a kernel patch to fix the broken ACPI on the PC holding this setup, many thanks!), the system is still a “work in progress” but it is already serving my files as I write this post. Let’s see in 6 months how it goes in the longer run ! Helpful resources : https://www.dragonflybsd.org/docs/how_to_implement_hammer_pseudo_file_system__40___pfs___41___slave_mirroring_from_pfs_master/ ###BSDCan 2018 Recap As promised, here is our second part of our BSDCan report, covering the conference proper. The last tutorials/devsummit of that day lead directly into the conference, as people could pick up their registration packs at the Red Lion and have a drink with fellow BSD folks. Allan and I were there only briefly, as we wanted to get back to the “Newcomers orientation and mentorship” session lead by Michael W. Lucas. This session is intended for people that are new to BSDCan (maybe their first BSD conference ever?) and may have questions. Michael explained everything from the 6-2-1 rule (hours of sleep, meals per day, and number of showers that attendees should have at a minimum), to the partner and widowers program (lead by his wife Liz), to the sessions that people should not miss (opening, closing, and hallway track). Old-time BSDCan folks were asked to stand up so that people can recognize them and ask them any questions they might have during the conferences. The session was well attended. Afterwards, people went for dinner in groups, a big one lead by Michael Lucas to his favorite Shawarma place, followed by gelato (of course). This allowed newbies to mingle over dinner and ice cream, creating a welcoming atmosphere. The next day, after Dan Langille opened the conference, Benno Rice gave the keynote presentation about “The Tragedy of Systemd”. Benedict went to the following talks: “Automating Network Infrastructures with Ansible on FreeBSD” in the DevSummit track. A good talk that connected well with his Ansible tutorial and even allowed some discussions among participants. “All along the dwatch tower”: Devin delivered a well prepared talk. I first thought that the number of slides would not fit into the time slot, but she even managed to give a demo of her work, which was well received. The dwatch tool she wrote should make it easy for people to get started with DTrace without learning too much about the syntax at first. The visualizations were certainly nice to see, combining different tools together in a new way. ZFS BoF, lead by Allan and Matthew Ahrens SSH Key Management by Michael W. Lucas. Yet another great talk where I learned a lot. I did not get to the SSH CA chapter in the new SSH Mastery book, so this was a good way to wet my appetite for it and motivated me to look into creating one for the cluster that I’m managing. The rest of the day was spent at the FreeBSD Foundation table, talking to various folks. Then, Allan and I had an interview with Kirk McKusick for National FreeBSD Day, then we had a core meeting, followed by a core dinner. Day 2: “Flexible Disk Use in OpenZFS”: Matthew Ahrens talking about the feature he is implementing to expand a RAID-Z with a single disk, as well as device removal. Allan’s talk about his efforts to implement ZSTD in OpenZFS as another compression algorithm. I liked his overview slides with the numbers comparing the algorithms for their effectiveness and his personal story about the sometimes rocky road to get the feature implemented. “zrepl - ZFS replication” by Christian Schwarz, was well prepared and even had a demo to show what his snapshot replication tool can do. We covered it on the show before and people can find it under sysutils/zrepl. Feedback and help is welcome. “The Evolution of FreeBSD Governance” by Kirk McKusick was yet another great talk by him covering the early days of FreeBSD until today, detailing some of the progress and challenges the project faced over the years in terms of leadership and governance. This is an ongoing process that everyone in the community should participate in to keep the project healthy and infused with fresh blood. Closing session and auction were funny and great as always. All in all, yet another amazing BSDCan. Thank you Dan Langille and your organizing team for making it happen! Well done. Digital Ocean ###NomadBSD 1.1-RC1 Released The first – and hopefully final – release candidate of NomadBSD 1.1 is available! Changes The base system has been upgraded to FreeBSD 11.2-RC3 EFI booting has been fixed. Support for modern Intel GPUs has been added. Support for installing packages has been added. Improved setup menu. More software packages: benchmarks/bonnie++ DSBDisplaySettings DSBExec DSBSu mail/thunderbird net/mosh ports-mgmt/octopkg print/qpdfview security/nmap sysutils/ddrescue sysutils/fusefs-hfsfuse sysutils/fusefs-sshfs sysutils/sleuthkit www/lynx x11-wm/compton x11/xev x11/xterm Many improvements and bugfixes The image and instructions can be found here. ##News Roundup LDAP client added to -current CVSROOT: /cvs Module name: src Changes by: reyk@cvs.openbsd.org 2018/06/13 09:45:58 Log message: Import ldap(1), a simple ldap search client. We have an ldapd(8) server and ypldap in base, so it makes sense to have a simple LDAP client without depending on the OpenLDAP package. This tool can be used in an ssh(1) AuthorizedKeysCommand script. With feedback from many including millert@ schwarze@ gilles@ dlg@ jsing@ OK deraadt@ Status: Vendor Tag: reyk Release Tags: ldap_20180613 N src/usr.bin/ldap/Makefile N src/usr.bin/ldap/aldap.c N src/usr.bin/ldap/aldap.h N src/usr.bin/ldap/ber.c N src/usr.bin/ldap/ber.h N src/usr.bin/ldap/ldap.1 N src/usr.bin/ldap/ldapclient.c N src/usr.bin/ldap/log.c N src/usr.bin/ldap/log.h No conflicts created by this import ###Intel® FPU Speculation Vulnerability Confirmed Earlier this month, Philip Guenther (guenther@) committed (to amd64 -current) a change from lazy to semi-eager FPU switching to mitigate against rumored FPU state leakage in Intel® CPUs. Theo de Raadt (deraadt@) discussed this in his BSDCan 2018 session. Using information disclosed in Theo’s talk, Colin Percival developed a proof-of-concept exploit in around 5 hours. This seems to have prompted an early end to an embargo (in which OpenBSD was not involved), and the official announcement of the vulnerability. FPU change in FreeBSD Summary: System software may utilize the Lazy FP state restore technique to delay the restoring of state until an instruction operating on that state is actually executed by the new process. Systems using Intel® Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel. Description: System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value. · CVSS - 4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Affected Products: Intel® Core-based microprocessors. Recommendations: If an XSAVE-enabled feature is disabled, then we recommend either its state component bitmap in the extended control register (XCR0) is set to 0 (e.g. XCR0[bit 2]=0 for AVX, XCR0[bits 7:5]=0 for AVX512) or the corresponding register states of the feature should be cleared prior to being disabled. Also for relevant states (e.g. x87, SSE, AVX, etc.), Intel recommends system software developers utilize Eager FP state restore in lieu of Lazy FP state restore. Acknowledgements: Intel would like to thank Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH (https://www.cyberus-technology.de/), Zdenek Sojka from SYSGO AG (http://sysgo.com), and Colin Percival for reporting this issue and working with us on coordinated disclosure. iXsystems iX Ad Spot iX Systems - BSDCan 2018 Recap ###FreeBSD gets pNFS support Merge the pNFS server code from projects/pnfs-planb-server into head. This code merge adds a pNFS service to the NFSv4.1 server. Although it is a large commit it should not affect behaviour for a non-pNFS NFS server. Some documentation on how this works can be found at: Merge the pN http://people.freebsd.org/~rmacklem/pnfs-planb-setup.txt and will hopefully be turned into a proper document soon. This is a merge of the kernel code. Userland and man page changes will come soon, once the dust settles on this merge. It has passed a "make universe", so I hope it will not cause build problems. It also adds NFSv4.1 server support for the "current stateid". Here is a brief overview of the pNFS service: A pNFS service separates the Read/Write operations from all the other NFSv4.1 Metadata operations. It is hoped that this separation allows a pNFS service to be configured that exceeds the limits of a single NFS server for either storage capacity and/or I/O bandwidth. It is possible to configure mirroring within the data servers (DSs) so that the data storage file for an MDS file will be mirrored on two or more of the DSs. When this is used, failure of a DS will not stop the pNFS service and a failed DS can be recovered once repaired while the pNFS service continues to operate. Although two way mirroring would be the norm, it is possible to set a mirroring level of up to four or the number of DSs, whichever is less. The Metadata server will always be a single point of failure, just as a single NFS server is. A Plan B pNFS service consists of a single MetaData Server (MDS) and K Data Servers (DS), all of which are recent FreeBSD systems. Clients will mount the MDS as they would a single NFS server. When files are created, the MDS creates a file tree identical to what a single NFS server creates, except that all the regular (VREG) files will be empty. As such, if you look at the exported tree on the MDS directly on the MDS server (not via an NFS mount), the files will all be of size 0. Each of these files will also have two extended attributes in the system attribute name space: pnfsd.dsfile - This extended attrbute stores the information that the MDS needs to find the data storage file(s) on DS(s) for this file. pnfsd.dsattr - This extended attribute stores the Size, AccessTime, ModifyTime and Change attributes for the file, so that the MDS doesn't need to acquire the attributes from the DS for every Getattr operation. For each regular (VREG) file, the MDS creates a data storage file on one (or more if mirroring is enabled) of the DSs in one of the "dsNN" subdirectories. The name of this file is the file handle of the file on the MDS in hexadecimal so that the name is unique. The DSs use subdirectories named "ds0" to "dsN" so that no one directory gets too large. The value of "N" is set via the sysctl vfs.nfsd.dsdirsize on the MDS, with the default being 20. For production servers that will store a lot of files, this value should probably be much larger. It can be increased when the "nfsd" daemon is not running on the MDS, once the "dsK" directories are created. For pNFS aware NFSv4.1 clients, the FreeBSD server will return two pieces of information to the client that allows it to do I/O directly to the DS. DeviceInfo - This is relatively static information that defines what a DS is. The critical bits of information returned by the FreeBSD server is the IP address of the DS and, for the Flexible File layout, that NFSv4.1 is to be used and that it is "tightly coupled". There is a "deviceid" which identifies the DeviceInfo. Layout - This is per file and can be recalled by the server when it is no longer valid. For the FreeBSD server, there is support for two types of layout, call File and Flexible File layout. Both allow the client to do I/O on the DS via NFSv4.1 I/O operations. The Flexible File layout is a more recent variant that allows specification of mirrors, where the client is expected to do writes to all mirrors to maintain them in a consistent state. The Flexible File layout also allows the client to report I/O errors for a DS back to the MDS. The Flexible File layout supports two variants referred to as "tightly coupled" vs "loosely coupled". The FreeBSD server always uses the "tightly coupled" variant where the client uses the same credentials to do I/O on the DS as it would on the MDS. For the "loosely coupled" variant, the layout specifies a synthetic user/group that the client uses to do I/O on the DS. The FreeBSD server does not do striping and always returns layouts for the entire file. The critical information in a layout is Read vs Read/Writea and DeviceID(s) that identify which DS(s) the data is stored on. At this time, the MDS generates File Layout layouts to NFSv4.1 clients that know how to do pNFS for the non-mirrored DS case unless the sysctl vfs.nfsd.default_flexfile is set non-zero, in which case Flexible File layouts are generated. The mirrored DS configuration always generates Flexible File layouts. For NFS clients that do not support NFSv4.1 pNFS, all I/O operations are done against the MDS which acts as a proxy for the appropriate DS(s). When the MDS receives an I/O RPC, it will do the RPC on the DS as a proxy. If the DS is on the same machine, the MDS/DS will do the RPC on the DS as a proxy and so on, until the machine runs out of some resource, such as session slots or mbufs. As such, DSs must be separate systems from the MDS. *** ###[What does {some strange unix command name} stand for?](http://www.unixguide.net/unix/faq/1.3.shtml) + awk = "Aho Weinberger and Kernighan" + grep = "Global Regular Expression Print" + fgrep = "Fixed GREP". + egrep = "Extended GREP" + cat = "CATenate" + gecos = "General Electric Comprehensive Operating Supervisor" + nroff = "New ROFF" + troff = "Typesetter new ROFF" + tee = T + bss = "Block Started by Symbol + biff = "BIFF" + rc (as in ".cshrc" or "/etc/rc") = "RunCom" + Don Libes' book "Life with Unix" contains lots more of these tidbits. *** ##Beastie Bits + [RetroBSD: Unix for microcontrollers](http://retrobsd.org/wiki/doku.php) + [On the matter of OpenBSD breaking embargos (KRACK)](https://marc.info/?l=openbsd-tech&m=152910536208954&w=2) + [Theo's Basement Computer Paradise (1998)](https://zeus.theos.com/deraadt/hosts.html) + [Airport Extreme runs NetBSD](https://jcs.org/2018/06/12/airport_ssh) + [What UNIX shell could have been](https://rain-1.github.io/shell-2.html) *** Tarsnap ad *** ##Feedback/Questions + We need more feedback and questions. Please email feedback@bsdnow.tv + Also, many of you owe us BSDCan trip reports! We have shared what our experience at BSDCan was like, but we want to hear about yours. What can we do better next year? What was it like being there for the first time? + [Jason writes in](https://slexy.org/view/s205jU58X2) + https://www.wheelsystems.com/en/products/wheel-fudo-psm/ + [June 19th was National FreeBSD Day](https://twitter.com/search?src=typd&q=%23FreeBSDDay) *** - Send questions, comments, show ideas/topics, or stories you want mentioned on the show to [feedback@bsdnow.tv](mailto:feedback@bsdnow.tv) ***

Papers we love: ARC by Bryan Cantrill, SSD caching adventures with ZFS, OpenBSD full disk encryption setup, and a Perl5 Slack Syslog BSD daemon. This episode was brought to you by Headlines Papers We Love: ARC: A Self-Tuning, Low Overhead Replacement Cache (https://www.youtube.com/watch?v=F8sZRBdmqc0&feature=youtu.be) Ever wondered how the ZFS ARC (Adaptive Replacement Cache) works? How about if Bryan Cantrill presented the original paper on its design? Today is that day. Slides (https://www.slideshare.net/bcantrill/papers-we-love-arc-after-dark) It starts by looking back at a fundamental paper from the 40s where the architecture of general-purpose computers are first laid out The main is the description of memory hierarchies, where you have a small amount of very fast memory, then the next level is slower but larger, and on and on. As we look at the various L1, L2, and L3 caches on a CPU, then RAM, then flash, then spinning disks, this still holds true today. The paper then does a survey of the existing caching policies and tries to explain the issues with each. This includes ‘MIN', which is the theoretically optimal policy, which requires future knowledge, but is useful for setting the upper bound, what is the best we could possibly do. The paper ends up showing that the ARC can end up being better than manually trying to pick the best number for the workload, because it adapts as the workload changes At about 1:25 into the video, Bryan start talking about the practical implementation of the ARC in ZFS, and some challenges they have run into recently at Joyent. A great discussion about some of the problems when ZFS needs to shrink the ARC. Not all of it applies 1:1 to FreeBSD because the kernel and the kmem implementation are different in a number of ways There were some interesting questions asked at the end as well *** How do I use man pages to learn how to use commands? (https://unix.stackexchange.com/a/193837) nwildner on StackExchange has a very thorough answer to the question how to interpret man pages to understand complicated commands (xargs in this case, but not specifically). Have in mind what you want to do. When doing your research about xargs you did it for a purpose, right? You had a specific need that was reading standard output and executing commands based on that output. But, when I don't know which command I want? Use man -k or apropos (they are equivalent). If I don't know how to find a file: man -k file | grep search. Read the descriptions and find one that will better fit your needs. Apropos works with regular expressions by default, (man apropos, read the description and find out what -r does), and on this example I'm looking for every manpage where the description starts with "report". Always read the DESCRIPTION before starting Take a time and read the description. By just reading the description of the xargs command we will learn that: xargs reads from STDIN and executes the command needed. This also means that you will need to have some knowledge of how standard input works, and how to manipulate it through pipes to chain commands The default behavior is to act like /bin/echo. This gives you a little tip that if you need to chain more than one xargs, you don't need to use echo to print. We have also learned that unix filenames can contain blank and newlines, that this could be a problem and the argument -0 is a way to prevent things explode by using null character separators. The description warns you that the command being used as input needs to support this feature too, and that GNU find support it. Great. We use a lot of find with xargs. xargs will stop if exit status 255 is reached. Some descriptions are very short and that is generally because the software works on a very simple way. Don't even think of skipping this part of the manpage ;) Other things to pay attention... You know that you can search for files using find. There is a ton of options and if you only look at the SYNOPSIS, you will get overwhelmed by those. It's just the tip of the iceberg. Excluding NAME, SYNOPSIS, and DESCRIPTION, you will have the following sections: When this method will not work so well... + Tips that apply to all commands Some options, mnemonics and "syntax style" travel through all commands making you buy some time by not having to open the manpage at all. Those are learned by practice and the most common are: Generally, -v means verbose. -vvv is a variation "very very verbose" on some software. Following the POSIX standard, generally one dash arguments can be stacked. Example: tar -xzvf, cp -Rv. Generally -R and/or -r means recursive. Almost all commands have a brief help with the --help option. --version shows the version of a software. -p, on copy or move utilities means "preserve permissions". -y means YES, or "proceed without confirmation" in most cases. Default values of commands. At the pager chunk of this answer, we saw that less -is is the pager of man. The default behavior of commands are not always shown at a separated section on manpages, or at the section that is most top placed. You will have to read the options to find out defaults, or if you are lucky, typing /pager will lead you to that info. This also requires you to know the concept of the pager(software that scrolls the manpage), and this is a thing you will only acquire after reading lots of manpages. And what about the SYNOPSIS syntax? After getting all the information needed to execute the command, you can combine options, option-arguments and operands inline to make your job done. Overview of concepts: Options are the switches that dictates a command behavior. "Do this" "don't do this" or "act this way". Often called switches. Check out the full answer and see if it helps you better grasp the meaning of a man page and thus the command. *** My adventure into SSD caching with ZFS (Home NAS) (https://robertputt.co.uk/my-adventure-into-ssd-caching-with-zfs-home-nas.html) Robert Putt as written about his adventure using SSDs for caching with ZFS on his home NAS. Recently I decided to throw away my old defunct 2009 MacBook Pro which was rotting in my cupboard and I decided to retrieve the only useful part before doing so, the 80GB Intel SSD I had installed a few years earlier. Initially I thought about simply adding it to my desktop as a bit of extra space but in 2017 80GB really wasn't worth it and then I had a brainwave… Lets see if we can squeeze some additional performance out of my HP Microserver Gen8 NAS running ZFS by installing it as a cache disk. I installed the SSD to the cdrom tray of the Microserver using a floppy disk power to SATA power converter and a SATA cable, unfortunately it seems the CD ROM SATA port on the motherboard is only a 3gbps port although this didn't matter so much as it was an older 3gbps SSD anyway. Next I booted up the machine and to my suprise the disk was not found in my FreeBSD install, then I realised that the SATA port for the CD drive is actually provided by the RAID controller, so I rebooted into intelligent provisioning and added an additional RAID0 array with just the 1 disk to act as my cache, in fact all of the disks in this machine are individual RAID0 arrays so it looks like just a bunch of disks (JBOD) as ZFS offers additional functionality over normal RAID (mainly scrubbing, deduplication and compression). Configuration Lets have a look at the zpool before adding the cache drive to make sure there are no errors or uglyness: Now lets prep the drive for use in the zpool using gpart. I want to split the SSD into two seperate partitions, one for L2ARC (read caching) and one for ZIL (write caching). I have decided to split the disk into 20GB for ZIL and 50GB for L2ARC. Be warned using 1 SSD like this is considered unsafe because it is a single point of failure in terms of delayed writes (a redundant configuration with 2 SSDs would be more appropriate) and the heavy write cycles on the SSD from the ZIL is likely to kill it over time. Now it's time to see if adding the cache has made much of a difference. I suspect not as my Home NAS sucks, it is a HP Microserver Gen8 with the crappy Celeron CPU and only 4GB RAM, anyway, lets test it and find out. First off lets throw fio at the mount point for this zpool and see what happens both with the ZIL and L2ARC enabled and disabled. Observations Ok, so the initial result is a little dissapointing, but hardly unexpected, my NAS sucks and there are lots of bottle necks, CPU, memory and the fact only 2 of the SATA ports are 6gbps. There is no real difference performance wise in comparison between the results, the IOPS, bandwidth and latency appear very similar. However lets bare in mind fio is a pretty hardcore disk benchmark utility, how about some real world use cases? Next I decided to test a few typical file transactions that this NAS is used for, Samba shares to my workstation. For the first test I wanted to test reading a 3GB file over the network with both the cache enabled and disabled, I would run this multiple times to ensure the data is hot in the L2ARC and to ensure the test is somewhat repeatable, the network itself is an uncongested 1gbit link and I am copying onto the secondary SSD in my workstation. The dataset for these tests has compression and deduplication disabled. Samba Read Test Not bad once the data becomes hot in the L2ARC cache reads appear to gain a decent advantage compared to reading from the disk directly. How does it perform when writing the same file back accross the network using the ZIL vs no ZIL. Samba Write Test Another good result in the real world test, this certainately helps the write transfer speed however I do wonder what would happen if you filled the ZIL transferring a very large file, however this is unlikely with my use case as I typically only deal with a couple of files of several hundred megabytes at any given time so a 20GB ZIL should suit me reasonably well. Is ZIL and L2ARC worth it? I would imagine with a big beefy ZFS server running in a company somewhere with a large disk pool and lots of users with multiple enterprise level SSD ZIL and L2ARC would be well worth the investment, however at home I am not so sure. Yes I did see an increase in read speeds with cached data and a general increase in write speeds however it is use case dependant. In my use case I rarely access the same file frequently, my NAS primarily serves as a backup and for archived data, and although the write speeds are cool I am not sure its a deal breaker. If I built a new home NAS today I'd probably concentrate the budget on a better CPU, more RAM (for ARC cache) and more disks. However if I had a use case where I frequently accessed the same files and needed to do so in a faster fashion then yes, I'd probably invest in an SSD for caching. I think if you have a spare SSD lying around and you want something fun todo with it, sure chuck it in your ZFS based NAS as a cache mechanism. If you were planning on buying an SSD for caching then I'd really consider your needs and decide if the money can be spent on alternative stuff which would improve your experience with your NAS. I know my NAS would benefit more from an extra stick of RAM and a more powerful CPU, but as a quick evening project with some parts I had hanging around adding some SSD cache was worth a go. More Viewer Interview Questions for Allan News Roundup Setup OpenBSD 6.2 with Full Disk Encryption (https://blog.cagedmonster.net/setup-openbsd-with-full-disk-encryption/) Here is a quick way to setup (in 7 steps) OpenBSD 6.2 with the encryption of the filesystem. First step: Boot and start the installation: (I)nstall: I Keyboard Layout: ENTER (I'm french so in my case I took the FR layout) Leave the installer with: ! Second step: Prepare your disk for encryption. Using a SSD, my disk is named : sd0, the name may vary, for example : wd0. Initiating the disk: Configure your volume: Now we'll use bioctl to encrypt the partition we created, in this case : sd0a (disk sd0 + partition « a »). Enter your passphrase. Third step: Let's resume the OpenBSD's installer. We follow the install procedure Fourth step: Partitioning of the encrypted volume. We select our new volume, in this case: sd1 The whole disk will be used: W(hole) Let's create our partitions: NB: You are more than welcome to create multiple partitions for your system. Fifth step: System installation It's time to choose how we'll install our system (network install by http in my case) Sixth step: Finalize the installation. Last step: Reboot and start your system. Put your passphrase. Welcome to OpenBSD 6.2 with a full encrypted file system. Optional: Disable the swap encryption. The swap is actually part of the encrypted filesystem, we don't need OpenBSD to encrypt it. Sysctl is giving us this possibility. Step-by-Step FreeBSD installation with ZFS and Full Disk Encryption (https://blog.cagedmonster.net/step-by-step-freebsd-installation-with-full-disk-encryption/) 1. What do I need? For this tutorial, the installation has been made on a Intel Core i7 - AMD64 architecture. On a USB key, you would probably use this link : ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-mini-memstick.img If you can't do a network installation, you'd better use this image : ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-memstick.img You can write the image file on your USB device (replace XXXX with the name of your device) using dd : # dd if=FreeBSD-11.1-RELEASE-amd64-mini-memstick.img of=/dev/XXXX bs=1m 2. Boot and install: Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F1.png) 3. Configure your keyboard layout: Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F2.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F3.png) 4. Hostname and system components configuration : Set the name of your machine: [Screenshot](https://blog.cagedmonster.net/content/images/2017/09/F4.png_ What components do you want to install? Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F5.png) 5. Network configuration: Select the network interface you want to configure. Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F6.png) First, we configure our IPv4 network. I used a static adress so you can see how it works, but you can use DHCP for an automated configuration, it depends of what you want to do with your system (desktop/server) Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F7.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F7-1.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F8.png) IPv6 network configuration. Same as for IPv4, you can use SLAAC for an automated configuration. Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F9.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F10-1.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F10-2.png) Here, you can configure your DNS servers, I used the Google DNS servers so you can use them too if needed. Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F11.png) 6. Select the server you want to use for the installation: I always use the IPv6 mirror to ensure that my IPv6 network configuration is good.Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F12.png) 7. Disk configuration: As we want to do an easy full disk encryption, we'll use ZFS. Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F13.png) Make sure to select the disk encryption :Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F14.png) Launch the disk configuration :Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F15.png) Here everything is normal, you have to select the disk you'll use :Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F16.png) I have only one SSD disk named da0 :Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F17.png) Last chance before erasing your disk :Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F18.png) Time to choose the password you'll use to start your system : Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F19.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F20.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F21.png) 8. Last steps to finish the installation: The installer will download what you need and what you selected previously (ports, src, etc.) to create your system: Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F22.png) 8.1. Root password: Enter your root password: Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F22-1.png) 8.2. Time and date: Set your timezone, in my case: Europe/France Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F22-2.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F23.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F23-1.png) Make sure the date and time are good, or you can change them :Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F24.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F25.png) 8.3. Services: Select the services you'll use at system startup depending again of what you want to do. In many cases powerd and ntpd will be useful, sshd if you're planning on using FreeBSD as a server. Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F26.png) 8.4. Security: Security options you want to enable. You'll still be able to change them after the installation with sysctl. Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F26-1.png) 8.5. Additionnal user: Create an unprivileged system user: Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F26-2.png) Make sure your user is in the wheel group so he can use the su command. Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F26-3.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F26-4.png) 8.6. The end: End of your configuration, you can still do some modifications if you want : Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F26-5.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F26-6.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F26-7.png) 9. First boot: Enter the passphrase you have chosen previously : Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F27.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F28.png) & Screenshot (https://blog.cagedmonster.net/content/images/2017/09/F29.png) Welcome to Freebsd 11.1 with full disk encryption! *** The anatomy of ldd program on OpenBSD (http://nanxiao.me/en/the-anatomy-of-ldd-program-on-openbsd/) In the past week, I read the ldd (https://github.com/openbsd/src/blob/master/libexec/ld.so/ldd/ldd.c) source code on OpenBSD to get a better understanding of how it works. And this post should also be a reference for other*NIX OSs. The ELF (https://en.wikipedia.org/wiki/Executable_and_Linkable_Format) file is divided into 4 categories: relocatable, executable, shared, and core. Only the executable and shared object files may have dynamic object dependencies, so the ldd only check these 2 kinds of ELF file: (1) Executable. ldd leverages the LD_TRACE_LOADED_OBJECTS environment variable in fact, and the code is as following: if (setenv("LD_TRACE_LOADED_OBJECTS", "true", 1) < 0) err(1, "setenv(LD_TRACE_LOADED_OBJECTS)"); When LDTRACELOADED_OBJECTS is set to 1 or true, running executable file will show shared objects needed instead of running it, so you even not needldd to check executable file. See the following outputs: $ /usr/bin/ldd usage: ldd program ... $ LD_TRACE_LOADED_OBJECTS=1 /usr/bin/ldd Start End Type Open Ref GrpRef Name 00000b6ac6e00000 00000b6ac7003000 exe 1 0 0 /usr/bin/ldd 00000b6dbc96c000 00000b6dbcc38000 rlib 0 1 0 /usr/lib/libc.so.89.3 00000b6d6ad00000 00000b6d6ad00000 rtld 0 1 0 /usr/libexec/ld.so (2) Shared object. The code to print dependencies of shared object is as following: if (ehdr.e_type == ET_DYN && !interp) { if (realpath(name, buf) == NULL) { printf("realpath(%s): %s", name, strerror(errno)); fflush(stdout); _exit(1); } dlhandle = dlopen(buf, RTLD_TRACE); if (dlhandle == NULL) { printf("%sn", dlerror()); fflush(stdout); _exit(1); } _exit(0); } Why the condition of checking a ELF file is shared object or not is like this: if (ehdr.e_type == ET_DYN && !interp) { ...... } That's because the file type of position-independent executable (PIE) is the same as shared object, but normally PIE contains a interpreter program header since it needs dynamic linker to load it while shared object lacks (refer this article). So the above condition will filter PIE file. The dlopen(buf, RTLD_TRACE) is used to print dynamic object information. And the actual code is like this: if (_dl_traceld) { _dl_show_objects(); _dl_unload_shlib(object); _dl_exit(0); } In fact, you can also implement a simple application which outputs dynamic object information for shared object yourself: # include int main(int argc, char **argv) { dlopen(argv[1], RTLD_TRACE); return 0; } Compile and use it to analyze /usr/lib/libssl.so.43.2: $ cc lddshared.c $ ./a.out /usr/lib/libssl.so.43.2 Start End Type Open Ref GrpRef Name 000010e2df1c5000 000010e2df41a000 dlib 1 0 0 /usr/lib/libssl.so.43.2 000010e311e3f000 000010e312209000 rlib 0 1 0 /usr/lib/libcrypto.so.41.1 The same as using ldd directly: $ ldd /usr/lib/libssl.so.43.2 /usr/lib/libssl.so.43.2: Start End Type Open Ref GrpRef Name 00001d9ffef08000 00001d9fff15d000 dlib 1 0 0 /usr/lib/libssl.so.43.2 00001d9ff1431000 00001d9ff17fb000 rlib 0 1 0 /usr/lib/libcrypto.so.41.1 Through the studying of ldd source code, I also get many by-products: such as knowledge of ELF file, linking and loading, etc. So diving into code is a really good method to learn *NIX deeper! Perl5 Slack Syslog BSD daemon (https://clinetworking.wordpress.com/2017/10/13/perl5-slack-syslog-bsd-daemon/) So I have been working on my little Perl daemon for a week now. It is a simple syslog daemon that listens on port 514 for incoming messages. It listens on a port so it can process log messages from my consumer Linux router as well as the messages from my server. Messages that are above alert are sent, as are messages that match the regex of SSH or DHCP (I want to keep track of new connections to my wifi). The rest of the messages are not sent to slack but appended to a log file. This is very handy as I can get access to info like failed ssh logins, disk failures, and new devices connecting to the network all on my Android phone when I am not home. Screenshot (https://clinetworking.files.wordpress.com/2017/10/screenshot_2017-10-13-23-00-26.png) The situation arose today that the internet went down and I thought to myself what would happen to all my important syslog messages when they couldn't be sent? Before the script only ran an eval block on the botsend() function. The error was returned, handled, but nothing was done and the unsent message was discarded. So I added a function that appended unsent messengers to an array that are later sent when the server is not busy sending messages to slack. Slack has a limit of one message per second. The new addition works well and means that if the internet fails my server will store these messages in memory and resend them at a rate of one message per second when the internet connectivity returns. It currently sends the newest ones first but I am not sure if this is a bug or a feature at this point! It currently works with my Linux based WiFi router and my FreeBSD server. It is easy to scale as all you need to do is send messages to syslog to get them sent to slack. You could sent CPU temp, logged in users etc. There is a github page: https://github.com/wilyarti/slackbot Lscpu for OpenBSD/FreeBSD (http://nanxiao.me/en/lscpu-for-openbsdfreebsd/) Github Link (https://github.com/NanXiao/lscpu) There is a neat command, lscpu, which is very handy to display CPU information on GNU/Linux OS: $ lscpu Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian CPU(s): 32 On-line CPU(s) list: 0-31 Thread(s) per core: 2 Core(s) per socket: 8 Socket(s): 2 But unfortunately, the BSD OSs lack this command, maybe one reason is lscpu relies heavily on /proc file system which BSD don't provide, :-). TakeOpenBSD as an example, if I want to know CPU information, dmesg should be one choice: $ dmesg | grep -i cpu cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz, 2527.35 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM, PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR cpu0: 3MB 64b/line 8-way L2 cache cpu0: apic clock running at 266MHz cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2.1.3, IBE But the output makes me feeling messy, not very clear. As for dmidecode, it used to be another option, but now can't work out-of-box because it will access /dev/mem which for security reason, OpenBSD doesn't allow by default (You can refer this discussion): $ ./dmidecode $ dmidecode 3.1 Scanning /dev/mem for entry point. /dev/mem: Operation not permitted Based on above situation, I want a specified command for showing CPU information for my BSD box. So in the past 2 weeks, I developed a lscpu program for OpenBSD/FreeBSD, or more accurately, OpenBSD/FreeBSD on x86 architecture since I only have some Intel processors at hand. The application getsCPU metrics from 2 sources: (1) sysctl functions. The BSD OSs provide sysctl interface which I can use to get general CPU particulars, such as how many CPUs the system contains, the byte-order of CPU, etc. (2) CPUID instruction. For x86 architecture, CPUID instruction can obtain very detail information of CPU. This coding work is a little tedious and error-prone, not only because I need to reference both Intel and AMD specifications since these 2 vendors have minor distinctions, but also I need to parse the bits of register values. The code is here (https://github.com/NanXiao/lscpu), and if you run OpenBSD/FreeBSD on x86 processors, please try it. It will be better you can give some feedback or report the issues, and I appreciate it very much. In the future if I have other CPUs resource, such as ARM or SPARC64, maybe I will enrich this small program. *** Beastie Bits OpenBSD Porting Workshop - Brian Callahan will be running an OpenBSD porting workshop in NYC for NYC*BUG on December 6, 2017. (http://daemonforums.org/showthread.php?t=10429) Learn to tame OpenBSD quickly (http://www.openbsdjumpstart.org/#/) Detect the operating system using UDP stack corner cases (https://gist.github.com/sortie/94b302dd383df19237d1a04969f1a42b) *** Feedback/Questions Awesome Mike - ZFS Questions (http://dpaste.com/1H22BND#wrap) Michael - Expanding a file server with only one hard drive with ZFS (http://dpaste.com/1JRJ6T9) - information based on Allan's IRC response (http://dpaste.com/36M7M3E) Brian - Optimizing ZFS for a single disk (http://dpaste.com/3X0GXJR#wrap) ***

Cuando instalas 2 distros Linux compartiendo disco duro y partición Swap, y la segunda te cambia el UUID de la Swap, la primera distro se suele enfadar yal no encontrar su UUID de la Swap suele iniciar bastante lenta. Te traigo la solución.Debemos configurar estos dos archivos./etc/fstab/etc/default/grubMúsica: http://freemusicarchive.org/ACPI Error: Una tontería de GNU/Linux que me ha vuelto loco: http://quijotelibre.com/2017/10/12/acpi-error-una-tonteria-de-gnulinux-que-me-ha-vuelto-loco/

This week on BSDNow! We've got Netflix + FreeBSD news to discuss, always a crowd pleaser, that plus EuroBSDCon is just around the corner. Stick around for your place This episode was brought to you by Headlines Protecting Netflix Viewing Privacy at Scale, with FreeBSD (http://techblog.netflix.com/search/label/FreeBSD) This blog post from Netflix tells the story of how Netflix developed in-kernel TLS to speed up delivery of video via HTTPS Since the beginning of the Open Connect program we have significantly increased the efficiency of our OCAs - from delivering 8 Gbps of throughput from a single server in 2012 to over 90 Gbps from a single server in 2016. We contribute to this effort on the software side by optimizing every aspect of the software for our unique use case - in particular, focusing on the open source FreeBSD operating system and the NGINX web server that run on the OCAs. In the modern internet world, we have to focus not only on efficiency, but also security. There are many state-of-the-art security mechanisms in place at Netflix, including Transport Level Security (TLS) encryption of customer information, search queries, and other confidential data. We have always relied on pre-encoded Digital Rights Management (DRM) to secure our video streams. Over the past year, we've begun to use Secure HTTP (HTTP over TLS or HTTPS) to encrypt the transport of the video content as well. This helps protect member privacy, particularly when the network is insecure - ensuring that our members are safe from eavesdropping by anyone who might want to record their viewing habits. The goal is to ensure that your government, ISP, and wifi sniffing neighbour cannot tell which Netflix videos you are watching Netflix Open Connect serves over 125 million hours of content per day, all around the world. Given our scale, adding the overhead of TLS encryption calculations to our video stream transport had the potential to greatly reduce the efficiency of our global infrastructure. We evaluated available and applicable ciphers and decided to primarily use the Advanced Encryption Standard (AES) cipher in Galois/Counter Mode (GCM), available starting in TLS 1.2. We chose AES-GCM over the Cipher Block Chaining (CBC) method, which comes at a higher computational cost. The AES-GCM cipher algorithm encrypts and authenticates the message simultaneously - as opposed to AES-CBC, which requires an additional pass over the data to generate keyed-hash message authentication code (HMAC). CBC can still be used as a fallback for clients that cannot support the preferred method. All revisions of Open Connect Appliances also have Intel CPUs that support AES-NI, the extension to the x86 instruction set designed to improve encryption and decryption performance. We needed to determine the best implementation of AES-GCM with the AES-NI instruction set, so we investigated alternatives to OpenSSL, including BoringSSL and the Intel Intelligent Storage Acceleration Library (ISA-L). Netflix and NGINX had previously worked together to improve our HTTP client request and response time via the use of sendfile calls to perform a zero-copy data flow from storage (HDD or SSD) to network socket, keeping the data in the kernel memory address space and relieving some of the CPU burden. The Netflix team specifically added the ability to make the sendfile calls asynchronous - further reducing the data path and enabling more simultaneous connections. However, TLS functionality, which requires the data to be passed to the application layer, was incompatible with the sendfile approach. To retain the benefits of the sendfile model while adding TLS functionality, we designed a hybrid TLS scheme whereby session management stays in the application space, but the bulk encryption is inserted into the sendfile data pipeline in the kernel. This extends sendfile to support encrypting data for TLS/SSL connections. We tested the BoringSSL and ISA-L AES-GCM implementations with our sendfile improvements against a baseline of OpenSSL (with no sendfile changes), under typical Netflix traffic conditions on three different OCA hardware types. Our changes in both the BoringSSL and ISA-L test situations significantly increased both CPU utilization and bandwidth over baseline - increasing performance by up to 30%, depending on the OCA hardware version. We chose the ISA-L cipher implementation, which had slightly better results. With these improvements in place, we can continue the process of adding TLS to our video streams for clients that support it, without suffering prohibitive performance hits. If you would like more detail, check out the papers from AsiaBSDCon 2015 (https://people.freebsd.org/~rrs/asiabsd_2015_tls.pdf) and the updated one from 2016 (https://people.freebsd.org/~rrs/asiabsd_tls_improved.pdf) *** OpenBSD on HP Stream 7 (http://www.tedunangst.com/flak/post/OpenBSD-on-HP-Stream-7) Recent events have rocked the mobile computing world to its core. OpenBSD retired the zaurus port, leaving users in desperate need of a new device. And not long before that, Microsoft released the Anniversary Update to Windows 10, but with free space requirements such that it's nigh impossible to install on cheap 32GB eMMC equipped devices such as the HP Stream series, leaving users searching for a new lightweight operating system. With necessity as both mother and father, the scene is set for a truly epic pairing. OpenBSD on the HP Stream 7. The HP Stream line is a series of budget computers in a couple form factors. The Stream 11 is a fairly typical netbook. However, the Stream 7 and 8 are tablets. They look like cheap Android devices, but inside the case, they're real boys, er PCs, with Intel Atom CPUs. To install OpenBSD on such a device, we need a few parts. Obviously, the tablet itself. There's a dearth of ports on these things, but there is a micro USB port. Attaching anything useful requires an OTG “on the go” cable that creates a type A port. Attaching more than one useful thing requires a mini hub. And completing the install requires one each USB stick, keyboard, and network adapter. First, we need to prep the machine to boot from USB. Actually, before doing anything, make sure you have a full charge. It's going to be battery only from here on out. Plug everything in. Flash drive, keyboard, and network into the hub, hub into the OTG cable, cable into the port on top of the Stream. Turn on the machine while holding the volume down button. This launches a mini menu from which we can enter the BIOS. There's a little on screen keyboard in the corner, so this can be done even without a keyboard attached, but the USB keyboard should work. We need to change two settings in the boot section. First, turn off secure boot. Second, switch boot order to prefer USB. Save and exit. The first reboot reveals a confirmation screen checking that we really want to disable secure boot. We must enter a PIN and press enter. Enter the PIN shown on the screen and press enter. And we are go. Then boot up OpenBSD from the USB drive Ted then works there a number of kernel panics and device driver issues, but after disabling ACPI and IntelDRM, the device boots OpenBSD. Of course, there's no X at this point. And definitely no touch screen. And no internal networking. However, by keeping our USB hub attached, we can drive the console and access the network. At least until the battery is depleted, even if we have no way of knowing how long that will be since we disabled all the ACPI devices, which also means no suspend or resume. With some xorg.conf hacking, he did get Xorg working *** DragonflyBSD steps towards base LibreSSL (http://lists.dragonflybsd.org/pipermail/commits/2016-September/624493.html) Project: DragonFlyBSD / Switch base to use private LibreSSL libraries (http://freshbsd.org/commit/dfbsd/304ca408000cd34559ef5319b4b5a6766d6eb35b) DragonFly BSD adopts uses of LibreSSL (http://undeadly.org/cgi?action=article&sid=20160911231651) The number of projects beginning to switch over to LibreSSL is growing and it appears we can now throw DragonFly into that camp. Following something that sounds vaguely familiar (Allan!) DFLY is now creating “private” LibreSSL libraries which are only linked against by base system binaries. For the moment OpenSSL is still built, primarily so that various ports and 3rd party apps can continue to function as before. A NO_OPENSSL option has also been added, but doesn't really do much (yet), since it'll still build and install headers / libraries even if set. *** OpenBSD g2k16 Hackathon g2k16 Hackathon Report: Antoine Jacoutot on Binary Patches (http://undeadly.org/cgi?action=article&sid=20160911012316) g2k16 Hackathon Report: Matthieu Herrb on xenodm (http://undeadly.org/cgi?action=article&sid=20160911231712) g2k16 Hackathon Report: Vincent Gross on iked(8), armv7 and sys/netinet[6] (http://undeadly.org/cgi?action=article&sid=20160911000337) g2k16 Hackathon Report: Florian Obser on httpd, networking, acme-client, and more (http://undeadly.org/cgi?action=article&sid=20160911000052) g2k16 Hackathon Report: Jasper Lievisse Adriaanse on ddb(4) and more (http://undeadly.org/cgi?action=article&sid=20160909012520) g2k16 Hackathon Report: Christian Weisgerber on gettext progress, RTC work, removing kernel cruft (http://undeadly.org/cgi?action=article&sid=20160908002430) g2k16 Hackathon Report: Brent Cook on Chromebooks, crypto, and more (http://undeadly.org/cgi?action=article&sid=20160907131655) g2k16 Hackathon Report: Ted Unangst on doas, signify, code removal (http://undeadly.org/cgi?action=article&sid=20160906230610) g2k16 Hackathon Report: Marc Espie on package signing evolution (http://undeadly.org/cgi?action=article&sid=20160905235911) g2k16 Hackathon Report: Adam Wolk on ports, wireless drivers and more (http://undeadly.org/cgi?action=article&sid=20160906004915) g2k16 Hackathon Report: Mike Larkin on vmm + vmd progress (http://undeadly.org/cgi?action=article&sid=20160905134009&mode=expanded) *** News Roundup OpenBSD (with encrypted softraid) on the Chromebook Pixel (https://jcs.org/notaweblog/2016/08/26/openbsd_chromebook/) Looking for a Laptop to make your OpenBSD road-warrior? If so, we have a great blog tutorial on getting OpenBSD setup on the Chromebook Pixel with encrypted softraid! Author Joshua Stein gives us a very verbose look at how to install and dial-in the laptop perfectly. But first for those wondering about the hardware in the pixel: The Chromebook Pixel LS (2015) has an Intel Core i7 processor (Broadwell) at 2.4Ghz, 16Gb of RAM, a 2560x1700 400-nit IPS screen (239ppi), and Intel 802.11ac wireless. It has a Kingston 64Gib flash chip, of which about 54Gib can be used by OpenBSD when dual-booting with a 1Gb Chrome OS partition. Due to this being a chromebook with seaBIOS, some manual key-press trickery will be required to initially get the OpenBSD Installer up and running. From here you'll want to pay special close attention to the disk partitioning. In particular Joshua will show us how to shrink the existing encrypted /home that ChromeOS uses, keeping the dual-boot intact. This will become important if you ever plan on updating the device. From here, we move back to a more traditional setup, but with the added bonus of doing a soft-raid setup. But the fun isn't over yet! If you want to make OpenBSD the default boot, that'll require cracking the lid on the device and removing a special pink write-protect screw. And of course if you want to remove the default splash-screen image, Joshua has you covered as well, although some flashrom magic will be required. At this point you are nearly done. Final details on enabling specific bits of hardware are discussed. Most things work, apart from Audio and Bluetooth as of right now. *** doas mastery (http://www.tedunangst.com/flak/post/doas-mastery) “doas” mastery - Paging MWL! Our buddy Ted Unangst has written up a great ‘mastery' guide of the doas command, which can come in handy if you are among the un-initiated in doas land. UNIX systems have two classes of user, the super user and regular users. The super user is super, and everybody else is not. This concentration of power keeps things simple, but also means that often too much power is granted. Usually we only need super user powers to perform one task. We would rather not have such power all the time. Think of the responsibility that would entail! Like the sudo command, doas allows for subdivision of super user privileges, granting them only for specific tasks. He starts with the basic doas.conf setup, which starts with an empty config file The doas config is much like a pf ruleset, the default is to block everything > We add the root rule second because doas evaluates rules in a last match manner. root is in the wheel group, so the first rule will match, and then we need to override that with a second rule. Remember to always start with general rules, then make them more specific. *** iXsystems iXsystems to host MeetBSD (https://www.ixsystems.com/blog/ixsystems-host-meetbsd-california-2016-uc-berkeley/) FreeBSD Foundation Welcomes New Board Members New Board Members (https://www.freebsdfoundation.org/blog/freebsd-foundation-welcomes-new-board-members/) The FreeBSD Foundation has added two new board members Interview with Kylie Liang (https://www.freebsdfoundation.org/blog/new-board-member-interview-kylie-liang/) Kylie will focus on representing FreeBSD at conferences and businesses in China I live in China. There, I can act as a bridge between Chinese companies and the FreeBSD community to help drive FreeBSD adoption. Through my leadership role in the FreeBSD Foundation, I will help promote FreeBSD in China and also represent the Foundation at conferences and events in my region. Kylie leads the team the ensures FreeBSD runs well on Hyper-V and Azure, including providing commercial support for customers who run FreeBSD or FreeBSD based appliances on the Azure Cloud I joined Microsoft and started to lead the project called FreeBSD Integration Service to get FreeBSD running well on Hyper-V and Azure. To promote our work and to understand the FreeBSD ecosystem, I started to participate in FreeBSD events where I was inspired by this technical community. Interview with Philip Paeps (https://www.freebsdfoundation.org/blog/new-board-member-interview-philip-paeps/) Philip started with FreeBSD in the early 2000s and got his commit bit in 2004 The patches I submitted to make ACPI and input devices work on that laptop led to a src commit bit in 2004. While I haven't worked on ACPI or input devices since, I have been contributing to different areas of the kernel. Taking up maintainership of some ports I cared about also got me a ports commit bit after some time. Philip will continue to help run EuroBSDCon, but is also spreading the word about FreeBSD in India and Africa Primarily, I think I can be useful! I attend (and organize) a number of conferences around the world every year, particularly in regions that have a mostly “stealthy” FreeBSD community. While I clearly don't need to be on the FreeBSD Foundation board to advocate for FreeBSD, joining as a director will provide an additional asset when working in areas of the world where organizational affiliations are meaningful. Philip has also developed network drivers and various other bits and pieces, and has extensive experience working with and for hardware vendors and appliance vendors Despite intending to eventually contribute their code to the FreeBSD Project as open source, many hardware vendors still find it very difficult to engage directly with the FreeBSD development community. The Foundation helps bridge that gap and helps facilitate collaboration between commercial vendors and the FreeBSD community. I hope to make FreeBSD more visible in regions of the world where it is historically under-represented. I expect I will be attending even more conferences and getting myself invited to even more organizations. more, less, and a story of typical Unix fossilization (https://utcc.utoronto.ca/~cks/space/blog/unix/MoreAndUnixFossilization) Chris Siebenmann from the University of Toronto digs into the history of the difference between ‘less' and ‘more' In the beginning, by which we mean V7, Unix didn't have a pager at all. That was okay; Unix wasn't very visual in those days, partly because it was still sort of the era of the hard copy terminal. Then along came Berkeley and BSD. People at Berkeley were into CRT terminals, and so BSD Unix gave us things like vi and the first pager program, more (which showed up quite early, in 3BSD, although this isn't as early as vi, which appears in 2BSD). Calling a pager more is a little bit odd but it's a Unix type of name and from the beginning more prompted you with '--More--' at the bottom of the screen. All of the Unix vendors that based their work on BSD Unix (like Sun and DEC) naturally shipped versions of more along with the rest of the BSD programs, and so more spread around the BSD side of things. However, more was by no means the best pager ever; as you might expect, it was actually a bit primitive and lacking in features. So fairly early on Mark Nudelman wrote a pager with somewhat more features and it wound up being called less as somewhat of a joke. In a sane world, Unix vendors would have either replaced their version of more with the clearly superior less or at least updated their version of more to the 4.3 BSD version. Maybe less wouldn't have replaced more immediately, but certainly over say the next five years, when it kept on being better and most people kept preferring it when they had a choice.” + “This entire history has led to a series of vaguely absurd outcomes on various modern Unixes. On Solaris derivatives more is of course the traditional version with source code that can probably trace itself all the way back to 3BSD, carefully updated to SUS compliance. Solaris would never dream of changing what more is, not even if the replacement is better. Why, it might disturb someone. Oddly, FreeBSD has done the most sensible thing; they've outright replaced more with less. There is a /usr/bin/more but it's the same binary as less and as you can see the more manpage is just the less manpage. OpenBSD has done the same thing but has a specific manpage for more instead of just giving you the less manpage. So, now you can see why I say that less is more, or more, or both, at several levels. less is certainly more than more, and sometimes less literally is more (or rather more is less, to put it the right way around). Beastie Bits PC-BSD listed in the top 8 'best' alternatives to Windows 10 (http://www.computerworlduk.com/galleries/operating-systems/-free-alternatives-windows-10-3639433/) Creating a quick DNS server with a Rapsberry Pi2 and FreeBSD 11.0-RC1 (http://bsdimp.blogspot.co.uk/2016/08/creating-quick-dns-server-with.html) Dual Boot OpenBSD and Linux + UEFI (https://bsdlaptops.wordpress.com/2016/03/07/vaio-pro-11-part-2/) DesktopBSD 2.0 various versions available (Gnome, Lumina, KDE, LXDE) (http://desktopbsd.boards.net/board/10/announcements) FreeBSD gets new ZFS features including: Compressed ARC (https://svnweb.freebsd.org/base?view=revision&revision=305323) and ZFS Allocation Throttle (https://svnweb.freebsd.org/base?view=revision&revision=305331) One Floppy NetBSD Distribution (https://github.com/user340/fdgw2) A Compendium of BUGs (https://github.com/q5sys/BUGtracker) Feedback/Questions Galahad - OpenBSD X setup (http://pastebin.com/b7W6NHqs) Tang - Subtitles (http://pastebin.com/P4MUs3Pa) Ivan - Zpool Options (http://pastebin.com/LQ8yTp0G) Brad - Replication Issue (http://pastebin.com/XTK5gXMU) MJ - HBA (http://pastebin.com/TdYTMSj9) ***

This week on BSDNow, we are going to be talking to Ken Moore about the Lumina desktop environment, where it stands now & looking ahead. Then Allan turns the tables & interviews both Kris & Ken about new ongoings in PC-BSD land. Stay tuned, lots of exciting show is coming your way right now on BSDNow, the place to B...SD! This episode was brought to you by Headlines Linuxvoice reviews six NAS designed OSes and states that FreeNAS has the largest amount of features (https://www.linuxvoice.com/group-test-nas-distros/) The review compares the features of: FreeNAS, NAS4Free, Open Media Vault, Openfiler Community Edition, EasyNAS, and Turnkey Linux File Server “Many NAS solutions can do a lot more than just back up and restore files – you can extend them with plugins to do a variety of tasks. Some enable you to stream media to computers and others devices. Others can hook up with apps and services and allow them to use the NAS for storing and retrieving data” Open Media Vault: 4/5, “A feature-rich NAS distro that's easy to deploy and manage”. Many plugins, good UI Turnkey Linux File Server: 2/5, “A no-fuss distro that'll set up a fully functional file sharing server in no time”. No RAID, LVM must be down manually Openfiler Community Edition: 1/5, “There is a target segment for Openfiler, but we can't spot it”. In the middle of rebasing on CentOS, lacking documentation, confusing UI EasyNAS: 3/5, “A simple NAS distro that balances the availability of features with reasonable assumptions”. Major updates require reinstall, lacks advanced features and advanced protocols FreeNAS: 3/5, “FreeNAS The most feature-rich NAS distribution requires some getting used to”. Best documentation, best snapshot management, most plugins, jailed plugins, most enterprise features NAS4Free: 3/5, “NAS4Free An advanced NAS distro that's designed for advanced users”, additional flexibility with disk layout (partition the first disk to install the OS there, use remaining space for data storage) “If we had to award this group test to the distro with the biggest number of features then the top two challengers would have been FreeNAS and its protegée NAS4Free. While both of these solutions pitch themselves to users outside the corporate environment, they'd simply be overkill for most home users. Furthermore, their FreeBSD base and the ZFS filesystem, while a boon to enterprise users, virtually makes them alien technology to the average Linux household.” It is not clear why they gave NAS4Free and FreeNAS the same score when they wrote a list of reasons why FreeNAS was better. It seems the goal of their rundown was to find the best Linux NAS, not the best NAS. *** FreeBSD based Snort IPS (http://www.unixmen.com/freebsd-snort-ips/) UnixMen.com provides a new tutorial on setting up Snort, the IPS (Intrusion Prevention system) on FreeBSD Install Apache, PHP, and MySQL, then Snort Download the latest Snort rules from the official website Disable the Packet Filter on the USB interfaces to avoid issues with Snort Install oinkmaster and barnyard2, and configure them Then install the Snorby WEB interface, which will give you a nice overview of the data generated by the IPS Then install SnortSAM, and connect it to ipfw Now when Snort detects a potential intrusion, it will be displayed in Snorby, and automatically blocked with IPFW *** Opensource.com features two BSD developers as examples of how open source can help your career (https://opensource.com/life/16/1/3-new-open-source-contributors-share-their-experiences) “When contributing to open source projects and communities, one of the many benefits is that you can improve your tech skills. In this article, hear from three contributors on how their open source helped them get a job or improved their career.” Alexander Yurchenko, an OpenBSD developer who now works at Yandex says: “Participating in such a project yields colossal experience. A good, large open source project has everything that is typically required from a developer at job interviews: good planning, good coding, use of versioning systems and bug trackers, peer reviews, teamwork, and such. So, after stewing in such an environment for a year or two, you have a good opportunity to grow to a senior developer level.” “That is, in fact, what happened to me. I was hired as a senior developer without having any formal work experience on my service record. After the first week, my probation period was reduced from three months to zero.” While you may not have “formal work experience”, you do have a body of work, a (code/documentation/etc) portfolio, you can point to Having spent a year working somewhere may say something about you, but showing some code you wrote that other people use every day, is usually more valuable Alexander Polyakov, a DragonFly contributor, worked on updating support for other languages and on ACPI. “I even made some money in the process—a customer found me via git log. He wanted to use DragonFlyBSD in production and needed better ACPI support and some RAID driver or something.” “In a nutshell, contributing to various open source projects is how you gain great experience. Don't be afraid to send in bad code (happens to the best of us), keep calm (while being scolded for sending in that bad code), and choose projects you are really interested in. Then you'll both gain experience and have fun while you doing it.” Kirill Gorkunov talks about his experience with turning open source into a career: “For a few years, I've been fixing the code, sending patches, getting scolded for bad code and complimented for good code. That experience was priceless. And you can be sure that as soon as you get good at it, job offers will follow. This is, in fact, how I met the kernel developers working on OpenVZ. Together, we decided to continue working on the OpenVZ kernel and related stuff as well” When you contribute to open source, you end up being the person who wrote “Foo”, and this can often turn into work, when someone wants to build something with “Foo”, or like “Foo” This same point was focus of a panel the FreeBSD Foundation organized at the womENcourage conference in Sweden last year: Open Source as a Career Path (https://www.youtube.com/watch?v=p7PW1E3IJvY) *** FreeBSD, LibreSSL and LetsEncrypt oh my! (https://wiki.freebsd.org/BernardSpil/LetsEncrypt) Over on the FreeBSD Wiki, Bernard Spil (whom we've interviewed before) has started a walkthrough talking about how he uses LibreSSL and LetsEncrypt, without using the heavy python client The article provides detailed instructions on prepping the system and automating the process of updating the SSL certificates If you've used the “official” letsencrypt client in the past, you'll note some differences in his method, which keeps all the ‘acme-challenge' files in a single-directory, which is aliased into domains. Using this method also drops the requirement to run the letsencrypt auth as root, and allows you to run it as the unprivileged “letsencrypt” user instead. He mentions that the bash/zsh scripts used may be added to ports at some point as well *** Interview - Ken Moore & Kris Moore - ken@pcbsd.org (mailto:ken@pcbsd.org) / @pcbsdkris (https://twitter.com/pcbsdkris) PC-BSD's new SysAdm Project and Lumina Update *** News Roundup DragonFly Intel i915 support to match what's in the Linux 4.1 kernel (http://lists.dragonflybsd.org/pipermail/commits/2016-January/459241.html) In DragonFly's ongoing quest for DRM awesomeness, they have now merged changes to bring them up to Linux 4.1 kernel features. Some of the notables include that “Valleyview” support is greatly improved, and not considered preliminary anymore Skylake got some support improvements as well, including runtime power management, and that turbo and sleep states should be functional. Some great improvements to power usage have been added, such as setting GPU frequencies to hardware minimum and enabling of DRRS (Dynamic Refresh Rate Switching) being enabled by default They've even begun importing some of the prelim work for Broxton, the upcoming Atom SOC *** FreeNAS Home Server Build (https://ramsdenj.github.io/server/2016/01/01/FreeNAS-Server-Build.html) We have a nice article to share with you this week by John Ramsden, which walks us through his home-brew FreeNAS server setup. As is typical with most home users, he will be using the system to both serve media, and as a backup target for other systems. His hardware setup is pretty impressive for a home-brew, made up of the following: Fractal Design Node 804 Chassis Supermicro X10SL7-F Motherboard Xeon E3-1231 v3 CPU 4x Samsung DDR3 1.35v-1600 M391B1G73QH0 RAM 2x 32GB SATA III SMC DOM Boot Drive SeaSonic G-550 Power Supply Cyberpower CP1500PFCLCD 1500VA 900W PFC UPS 6x Western Digital 6TB Red HDD 2 x ENERMAX T.B. Silence UCTB12P Case Fan 3x Noctua NF-P14s redux-1200 Case Fan The SATA DOM was neat to see in use, in his case in a mirror He then walks us through his burn-in process, which involved memory testing for 46 hours, and then disk testing with the smartctl long tests. There is even details on how the fan thresholds were set up, which may be of use to other DiY'ers out there. The SATA DOM was neat to see in use, in his case in a mirror He then walks us through his burn-in process, which involved memory testing for 46 hours, and then disk testing with the smartctl long tests. There is even details on how the fan thresholds were set up, which may be of use to other DiY'ers out there. claviger manages your SSH authorized_keys files for you (https://github.com/bwesterb/claviger) An application to manage your SSH authorized_keys files for you Make a list of your keys (laptop, desktop, work) Then a list of your ssh accounts List which keys should be present, and which should be absent Optional setting to keep all “other” keys, such as those added by other users Optional list of specific “other” keys to allow (does not add them, but does not remove them if they are present) You say say ‘server2 like server1', and it will inherit all of the settings from that server There is a “default” server, that all others inherit *** FreeBSD 9.2 x64 OpenVPN AD authentication with crypt (http://www.unixmen.com/openvpn-ad-authentication-with-crypt/) A few days back unixmen.com posted a nice tutorial walkthrough of a OpenVPN setup on FreeBSD 9.2 using Active Directory for auth In this particular setup, FreeBSD is running the gateway / OpenVPN server, the client desktops are running Windows 7 and domain controller on Windows 2008 The setup on FreeBSD pretty straightforward, thanks to the openvpn-auth-ldap port. (Unknown why they didn't use the package) In addition to showing the details on how configuration was done on BSD, what makes this walkthrough nice is the addition of so many screenshots of how the windows configuration was done. Part of the walkthrough will also detail how they created their .ovpn files for importing on the OpenVPN clients. *** Beastie Bits dtrace included by default in NetBSD (http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.own.mk.diff?r1=1.883&r2=1.884&only_with_tag=MAIN&f=h) FOSDEM16 is approaching, get ready to follow the BSD devroom (https://fosdem.org/2016/schedule/track/bsd/) Call for testing: Concurrent: malloc(3) calls (to speed up Firefox) (http://undeadly.org/cgi?action=article&sid=20160123165549) "With the PV drivers in -CURRENT, it is now possible to run OpenBSD within AWS." (http://daemonforums.org/showthread.php?p=57767) PC-BSD Handbook in Spanish (http://www.pcbsd.org/doc-archive/10.2/html-es/pcbsd.html) Feedback/Questions Clint - ZIL on Partition (http://pastebin.com/WLpHzz3F) Federico - LibreSSL and DMA (http://pastebin.com/1QFZU2Bz) Ghislain - FreeBSD vs Linux vs Illumos (http://pastebin.com/aesVaKG4) Cary - ZFS - Caching - Replication (http://pastebin.com/x4DRHP0i) ***

This week on BSDNow, we are going to be talking to Pawel about how his This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** Headlines Note the recent passing of 2 members of the BSD community Juergen Lock / Nox (https://www.freebsd.org/doc/en_US.ISO8859-1/articles/contributors/contrib-develinmemoriam.html) Benjamin Perrault / creepingfur (https://twitter.com/michaeldexter/status/676290499389485057) Memories from Michael Dexter (http://pastebin.com/4BQ5uVsT) Additional Memories (http://www.filis.org/rip_ben.txt) Benjamin and Allan at Ben's local bar (http://www.allanjude.com/bsd/bp/IMG_20151101_161727-auto.jpg) Benjamin treated Allan and Michael Dexter to their first ever Bermese food (http://www.allanjude.com/bsd/bp/IMG_20151101_191344-auto.jpg) Benjamin enjoying the hallway track at EuroBSDCon 2015 (http://www.allanjude.com/bsd/bp/IMG_20151003_105457-auto.jpg) *** NGINX as Reverse Proxy for Apache on FreeBSD 10.2 (http://linoxide.com/linux-how-to/install-nginx-reverse-proxy-apache-freebsd-10-2/) A tutorial on setting up NGINX as a reverse proxy for Apache Sometimes your users or application require some feature of Apache, that cannot be easily replicated in NGINX, like .htaccess files or a custom apache module In addition, because the default worker model in Apache does not accept new work until it is finished sending the request, a user with a slow connection can tie down that worker for a long time With NGINX as a reverse proxy, it will receive the data from the Apache worker over localhost, freeing that worker to answer the next request, while NGINX takes care of sending the data to the user The tutorial walks through the setup, which is very easy on modern FreeBSD One could also add mod_rpaf2 to the Apache, to securely pass through the users' real IP address for use by Apache's logging and the PHP scripts *** FreeBSD and FreeNAS in Business by Randy Westlund (http://bsdmag.org/freebsd_freenas/) The story of how a Tent & Awning company switched from managing orders with paper, to a computerized system backed by a FreeNAS “At first, I looked at off-the-shelf solutions. I found a number of cloud services that were like Dropbox, but with some generic management stuff layered on top. Not only did these all feel like a poor solution, they were very expensive. If the provider were to go out of business, what would happen to my dad's company?” “Fortunately, sourcing the hardware and setting up the OS was the easiest part; I talked to iXsystems. I ordered a FreeNAS Mini and a nice workstation tower” “I have r2d2 (the tower, which hosts the database) replicating ZFS snapshots to c3po (the FreeNAS mini), and the data is backed up off-site regularly. This data is absolutely mission-critical, so I can't take any risks. I'm glad I have ZFS on my side.” “I replaced Dropbox with Samba on c3po, and the Windows machines in the office now store important data on the NAS, rather than their local drives.” “I also replaced their router with an APU board running pfSense and replaced their PPTP VPN with OpenVPN and certificate authorization.” “FreeBSD (in three different incarnations) helped me focus on improving the company's workflow without spending much time on the OS. And now there's an awning company that is, in a very real sense, powered by FreeBSD.” *** Tutorial, Windows running under bhyve (http://pr1ntf.xyz/windowsunderbhyve.html) With the recent passing of the world's foremost expert on running Windows under bhyve on FreeBSD, this tutorial will help you get up to speed “The secret sauce to getting Windows running under bhyve is the new UEFI support. This is pretty great news, because when you utilize UEFI in bhyve, you don't have to load the operating system in bhyveload or grub-bhyve first.” The author works on iohyve, and wanted to migrate away from VirtualBox, the only thing stopping that was support for Windows Guests iohyve now has support for managing Windows VMs The tutorial uses a script to extract the Windows Server 2008 ISO and set up AutoUnattend.xml to handle the installation of Windows, including setting the default administrator password, this is required because there is no graphical console yet The AutoUnattended setup also includes setting the IP address, laying out the partitions, and configuring the serial console A second script is then used to make a new ISO with the modifications The user is directed to fetch the UEFI firmware and some other bits Then iohyve is used to create the Windows VM The first boot uses the newly created ISO to install Windows Server 2008 Subsequent boots start Windows directly from the virtual disk Remote Desktop is enabled, so the user can manage the Windows Server graphically, using FreeRDP or a Windows client iohyve can then be used to take snapshots of the machine, and clone it *** BSD Router Project has released 1.58 (http://sourceforge.net/projects/bsdrp/files/BSD_Router_Project/1.58/) The BSD Router project has announced the release of version 1.58 with some notable new features Update to FreeBSD 10.2-RELEASE-p8 Disabled some Chelsio Nic features not used by a router Added new easy installation helper option, use with “system install ” Added the debugging symbols for userland Includes the iperf package, and flashrom package, which allows updating system BIOS on supported boxes IMPORTANT: Corrects an important UFS label bug introduced on 1.57. If you are running 1.57, you will need to fetch their fixlabel.sh script before upgrading to 1.58 *** OPNsense 15.7.22 Released (https://opnsense.org/opnsense-15-7-22-released/) An update to OPNsense has landed this week which includes the important updates to OpenSSL 1.0.2e and LibreSSL 2.2.5 A long-standing annoying bug with filter reload timeouts has finally been identified and sorted out as well, allowing the functionality to run quickly and “glitch free” again. Some newer ports for curl (7.46), squid (3.5.12) and lighttpd (1.4.38) have also been thrown in for good measure Some other minor UI fixes have also been included as well With the holidays coming up, if you are still running a consumer router, this may be a good time to convert over to a OPNsense or PFsense box and get yourself ready for the new year. *** iXsystems iXSystems releases vCenter Web Client Plug-in for TrueNAS (https://www.ixsystems.com/whats-new/2015/12/vcenter-web-client-plug-in-for-truenas-now-available/) Interview - Pawel Jakub Dawidek - pjd@FreeBSD.org (mailto:pjd@FreeBSD.org) News Roundup Developer claims the PS4 has been jail-broken (http://www.networkworld.com/article/3014714/security/developer-claims-ps4-officially-jailbroken.html) While not exactly a well-kept secret, the PS4's proprietary “OrbOS” is FreeBSD based. Using this knowledge and a Kernel exploit, developer CTurt (https://twitter.com/CTurtE/) claims he was able jailbreak a WebKit process and gain access to the system. He has posted a small tease to GitHub, detailing some of the information gleaned from the exploit, such as PID list and root FS dump As such with these kinds of jailbreaks, he already requested that users stop sending him requests about game piracy, but the ability to hack on / run homebrew apps on the PS4 seems intriguing *** Sepherosa Ziehau is looking for testers if you have a em(4), emx(4), or igb(4) Intel device (http://lists.dragonflybsd.org/pipermail/users/2015-December/228461.html) DragonFly Testers wanted! Sephe has posted a request for users of the em(4), emx(4) and igb(4) intel drivers to test his latest branch and report back results He mentions that he has tested the models 82571, 82574 and 82573 (em/emx); 82575, 82576, 82580 and i350 specifically, so if you have something different, I'm sure he would be much appreciative of the help. It looks like the em(4) driver has been updated to 7.5.2, and igb(4) 2.4.3, and adds support for the I219-LM and I219-V NICS. *** OpenBSD Xen Support (https://marc.info/?l=openbsd-tech&m=144933933119525&w=2) Filed under the “Ohh, look what's coming soon” section, it appears that patches are starting to surface for OpenBSD Xen DOMU support. For those who aren't up on their Xen terminology, DomU is the unprivileged domain (I.E. Guest mode) Right now the patch exists at the link above, and adds a new (commented out) device to the GENERIC kernel, but this gives Xen users something new to watch for updates to. *** Thinkpad Backlit Keyboard support being worked on (http://freshbsd.org/commit/openbsd/b355449caa22e7bb6c460f7a647874836ef604f0) Another reason why Lenovo / ThinkPads are some of the best laptops currently to use with BSD, the kettenis over at the OpenBSD project has committed a patch to enable support for the “ThinkLight” For those who don't know, this is the little light that helps illuminate the laptop's keyboard under low-light situations. While the initial patch only supports the “real-deal” ThinkLight, he does mention that support will be added soon for the others on ThinkPads No sysctl's to fiddle with, this works directly with the ACPI / keyboard function keys directly, nice! *** Deadline is approaching for Submissions of Tutorial Proposals for AsiaBSDCon 2016 (https://2016.asiabsdcon.org/cfp.html) Call for Papers for BSDCAN 2016 now open (http://www.bsdcan.org/2016/papers.php) + The next two major BSD conferences both have their CFP up right now. First up is AsiaBSDCon in Tokyo from March 10th-13th, followed by BSDCan in Ottawa, June 8th-11th. + If you are working on anything interesting in the BSD community, this is a good way to get the word out about your project, plus the conference pays for Hotel / Travel. + If you can make it to both, DO SO, you won't regret it. Both Allan and Kris will be attending and we would look forward to meeting you. iohyve lands in ports (https://github.com/pr1ntf/iohyve) (http://www.freshports.org/sysutils/iohyve/) + Something we've mentioned in passing has taken its first steps in becoming reality for users! “iohyve” has now landed in the FreeBSD ports tree + While it shares a similar name to “iocage” its not directly related, different developers and such. However it does share a very similar syntax and some principles of ZFS usage + The current version is 0.7, but it already has a rather large feature set + Among the current features are ISO Management, resource management, snapshot support (via ZFS), and support for OpenBSD, NetBSD and Linux (Using grub-bhyve port) BeastieBits hammer mount is forced noatime by default (http://lists.dragonflybsd.org/pipermail/users/2015-November/228445.html) Show your support for FreeBSD (http://freebsdfoundation.blogspot.com/2015/12/show-your-support-for-freebsd.html) OpenBSD running in an Amazon EC2 t2.micro (https://gist.github.com/reyk/e23fde95354d4bc35a40) NetBSD's 2015Q4 Package freeze is coming (http://mail-index.netbsd.org/tech-pkg/2015/12/05/msg016059.html) ‘Screenshots from Developers' that we covered previously from 2002, updated for 2015 (https://anders.unix.se/2015/12/10/screenshots-from-developers--2002-vs.-2015/) Feedback/Questions (slexy was down when I made these, I only did 3, since the last is really long, save rest for next week) Mark - BSD laptops (http://pastebin.com/g0DnFG95) Jamie - zxfer (http://pastebin.com/BNCmDgTe) Anonymous - Long Story (http://pastebin.com/iw0dXZ9P) ***

This episode is brought to you by renice, which allows you to alter the priority of running processes. The renice utility appeared in 4.0BSD.Interview with Mike Larkin. We talk about ACPI and OpenBSD.Note: Shortly after recording this, OpenBSD added support for the "machdep.lidsuspend" sysctl. By setting this to "1", your machine should suspend automatically when the lid is closed. By default, OpenBSD will always resume when the lid is opened. This sysctl works for most ACPI machines that have a "LID" ACPI object.File Info: 19Min, 9MB.Ogg Link:https://archive.org/download/bsdtalk195/bsdtalk195.ogg

This week on the show, we'll be talking with Peter Toth. He's got a jail management system called "iocage" that's been getting pretty popular recently. Have we finally found a replacement for ezjail? We'll see how it stacks up. This episode was brought to you by Headlines FreeBSD on Olimex RT5350F-OLinuXino (https://www.bidouilliste.com/blog/2015/07/22/FreeBSD-on-Olimex-RT5350F-OLinuXino) If you haven't heard of the RT5350F-OLinuXino-EVB, you're not alone (actually, we probably couldn't even remember the name if we did know about it) It's a small board with a MIPS CPU, two ethernet ports, wireless support and... 32MB of RAM This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment In part two of the series (https://www.bidouilliste.com/blog/2015/07/24/FreeBSD-on-Olimex-RT5350F-OLinuXino-Part-2), he talks about the GPIO and how you can configure it Part three is still in the works, so check the site later on for further progress and info *** The modern OpenBSD home router (https://www.azabani.com/2015/08/06/modern-openbsd-home-router.html) In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway (http://www.bsdnow.tv/tutorials/openbsd-router) for his home network "It's no secret that most consumer routers ship with software that's flaky at best, and prohibitively insecure at worst" Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless This guide also covers PPP and IPv6, in case you have those requirements In a similar but unrelated series (http://jaytongarnett.blogspot.com/2015/07/openbsd-router-bt-home-hub-5-replacement.html), another user does a similar thing - his post also includes details on reusing your consumer router as a wireless bridge He also has a separate post (http://jaytongarnett.blogspot.com/2015/08/openbsd-l2tpipsec-vpn-works-with.html) for setting up an IPSEC VPN on the router *** NetBSD at Open Source Conference 2015 Kansai (https://mail-index.netbsd.org/netbsd-advocacy/2015/08/10/msg000691.html) The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it And what conference would be complete without an LED-powered towel *** OpenSSH 7.0 released (https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-August/034289.html) The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled The syntax for permitting root logins has been changed, and is now called "prohibit-password" instead of "without-password" (this makes it so root can login, but only with keys) - all interactive authentication methods for root are also disabled by default now If you're using an older configuration file, the "without-password" option still works, so no change is required You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications Various bug fixes and documentation improvements are also included Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users In the next release, even more deprecation is planned: RSA keys will be refused if they're under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled *** Interview - Peter Toth - peter.toth198@gmail.com (mailto:peter.toth198@gmail.com) / @pannonp (https://twitter.com/pannonp) Containment with iocage (https://github.com/iocage/iocage) News Roundup More c2k15 reports (http://undeadly.org/cgi?action=article&sid=20150809105132) A few more hackathon reports from c2k15 in Calgary are still slowly trickling in Alexander Bluhm's up first, and he continued improving OpenBSD's regression test suite (this ensures that no changes accidentally break existing things) He also worked on syslogd, completing the TCP input code - the syslogd in 5.8 will have TLS support for secure remote logging Renato Westphal sent in a report (http://undeadly.org/cgi?action=article&sid=20150811171006) of his very first hackathon He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) - the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network Philip Guenther also wrote in (http://undeadly.org/cgi?action=article&sid=20150809165912), getting some very technical and low-level stuff done at the hackathon His report opens with "First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking." - not exactly beginner stuff There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well *** FreeBSD jails, the hard way (https://clinta.github.io/freebsd-jails-the-hard-way) As you learned from our interview this week, there's quite a selection of tools available to manage your jails This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf Unlike with iocage, ZFS isn't actually a requirement for this method If you are using it, though, you can make use of snapshots for making template jails *** OpenSSH hardware tokens (http://www.tancsa.com/mdtblog/?p=73) We've talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server? This blog post will show you how to use a hardware token as a second authentication factor, for the "something you know, something you have" security model It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too *** LibreSSL 2.2.2 released (http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.2-relnotes.txt) The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don't want in a crypto tool...) and much more SSLv3 support was removed from the "openssl" command, and only a few other SSLv3 bits remain - once workarounds are found for ports that specifically depend on it, it'll be removed completely Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc It'll be in 5.8 (due out earlier than usual) and it's in the FreeBSD ports tree as well *** Feedback/Questions James writes in (http://slexy.org/view/s216lrsVVd) Stuart writes in (http://slexy.org/view/s20uGUHWLr) ***

We've finally reached a hundred episodes, and this week we'll be talking to Sebastian Wiedenroth about pkgsrc. Though originally a NetBSD project, now it runs pretty much everywhere, and he even runs a conference about it! This episode was brought to you by Headlines Remote DoS in the TCP stack (https://blog.team-cymru.org/2015/07/another-day-another-patch/) A pretty devious bug in the BSD network stack has been making its rounds for a while now, allowing remote attackers to exhaust the resources of a system with nothing more than TCP connections While in the LAST_ACK state, which is one of the final stages of a connection's lifetime, the connection can get stuck and hang there indefinitely This problem has a slightly confusing history that involves different fixes at different points in time from different people Juniper originally discovered the bug and announced a fix (https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10686) for their proprietary networking gear on June 8th On June 29th, FreeBSD caught wind of it and fixed the bug in their -current branch (https://svnweb.freebsd.org/base/head/sys/netinet/tcp_output.c?view=patch&r1=284941&r2=284940&pathrev=284941), but did not issue a security notice or MFC the fix back to the -stable branches On July 13th, two weeks later, OpenBSD fixed the issue (https://www.marc.info/?l=openbsd-cvs&m=143682919807388&w=2) in their -current branch with a slightly different patch, citing the FreeBSD revision from which the problem was found Immediately afterwards, they merged it back to -stable and issued an errata notice (http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/010_tcp_persist.patch.sig) for 5.7 and 5.6 On July 21st, three weeks after their original fix, FreeBSD committed yet another slightly different fix (https://svnweb.freebsd.org/base/head/sys/netinet/tcp_output.c?view=patch&r1=285777&r2=285776&pathrev=285777) and issued a security notice (https://lists.freebsd.org/pipermail/freebsd-announce/2015-July/001655.html) for the problem (which didn't include the first fix) After the second fix from FreeBSD, OpenBSD gave them both another look and found their single fix to be sufficient, covering the timer issue in a more general way NetBSD confirmed they were vulnerable too, and applied another completely different fix (http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c.diff?r1=1.183&r2=1.184&only_with_tag=MAIN) to -current on July 24th, but haven't released a security notice yet DragonFly is also investigating the issue now to see if they're affected as well *** c2k15 hackathon reports (http://undeadly.org/cgi?action=article&sid=20150721180312&mode=flat) Reports from OpenBSD's latest hackathon (http://www.openbsd.org/hackathons.html), held in Calgary this time, are starting to roll in (there were over 40 devs there, so we might see a lot more of these) The first one, from Ingo Schwarze, talks about some of the mandoc work he did at the event He writes, "Did you ever look at a huge page in man, wanted to jump to the definition of a specific term - say, in ksh, to the definition of the "command" built-in command - and had to step through dozens of false positives with the less '/' and 'n' search keys before you finally found the actual definition?" With mandoc's new internal jump targets, this is a problem of the past now Jasper also sent in a report (http://undeadly.org/cgi?action=article&sid=20150723124332&mode=flat), doing his usual work with Puppet (and specifically "Facter," a tool used by Puppet to gather various bits of system information) Aside from that and various ports-related work, Jasper worked on adding tame support to some userland tools, fixing some Octeon stuff and introduced something that OpenBSD has oddly lacked until now: an "-i" flag for sed (hooray!) Antoine Jacoutot gave a report (http://undeadly.org/cgi?action=article&sid=20150722205349&mode=flat) on what he did at the hackathon as well, including improvements to the rcctl tool (for configuring startup services) It now has an "ls" subcommand with status parsing, allowing you to list running services, stopped services or even ones that failed to start or are supposed to be running (he calls this "the poor man's service monitoring tool") He also reworked some of the rc.d system to allow smoother operation of multiple instances of the same daemon to run (using tor with different config files as an example) His list also included updating ports, updating ports documentation, updating the hotplug daemon and laying out some plans for automatic sysmerge for future upgrades Foundation director Ken Westerback was also there (http://undeadly.org/cgi?action=article&sid=20150722105658&mode=flat), getting some disk-related and laptop work done He cleaned up and committed the 4k sector softraid code that he'd been working on, as well as fixing some trackpad issues Stefan Sperling, OpenBSD's token "wireless guy," had a lot to say (http://undeadly.org/cgi?action=article&sid=20150722182236&mode=flat) about the hackathon and what he did there (and even sent in his write-up before he got home) He taught tcpdump about some new things, including 802.11n metadata beacons (there's a lot more specific detail about this one in the report) Bringing a bag full of USB wireless devices with him, he set out to get the unsupported ones working, as well as fix some driver bugs in the ones that already did work One quote from Stefan's report that a lot of people seem to be talking about: "Partway through the hackathon tedu proposed an old diff of his to make our base ls utility display multi-byte characters. This led to a long discussion about how to expand UTF-8 support in base. The conclusion so far indicates that single-byte locales (such as ISO-8859-1 and KOI-8) will be removed from the base OS after the 5.8 release is cut. This simplifies things because the whole system only has to care about a single character encoding. We'll then have a full release cycle to bring UTF-8 support to more base system utilities such as vi, ksh, and mg. To help with this plan, I started organizing a UTF-8-focused hackathon for some time later this year." Jeremy Evans wrote in (http://undeadly.org/cgi?action=article&sid=20150725180527&mode=flat) to talk about updating lots of ports, moving the ruby ports up to the latest version and also creating perl and ruby wrappers for the new tame subsystem While he's mainly a ports guy, he got to commit fixes to ports, the base system and even the kernel during the hackathon Rafael Zalamena, who got commit access at the event, gives his very first report (http://undeadly.org/cgi?action=article&sid=20150725183439&mode=flat) on his networking-related hackathon activities With Rafael's diffs and help from a couple other developers, OpenBSD now has support for VPLS (https://en.wikipedia.org/wiki/Virtual_Private_LAN_Service) Jonathan Gray got a lot done (http://undeadly.org/cgi?action=article&sid=20150728184743&mode=flat) in the area of graphics, working on OpenGL and Mesa, updating libdrm and even working with upstream projects to remove some GNU-specific code As he's become somewhat known for, Jonathan was also busy running three things in the background: clang's fuzzer, cppcheck and AFL (looking for any potential crashes to fix) Martin Pieuchot gave an write-up (http://undeadly.org/cgi?action=article&sid=20150724183210&mode=flat) on his experience: "I always though that hackathons were the best place to write code, but what's even more important is that they are the best (well actually only) moment where one can discuss and coordinate projects with other developers IRL. And that's what I did." He laid out some plans for the wireless stack, discussed future plans for PF, made some routing table improvements and did various other bits to the network stack Unfortunately, most of Martin's secret plans seem to have been left intentionally vague, and will start to take form in the next release cycle We're still eagerly awaiting a report from one of OpenBSD's newest developers (https://twitter.com/phessler/status/623291827878137856), Alexandr Nedvedicky (the Oracle guy who's working on SMP PF and some other PF fixes) OpenBSD 5.8's "beta" status was recently reverted, with the message "take that as a hint (https://www.marc.info/?l=openbsd-cvs&m=143766883514831&w=2)," so that may mean more big changes are still to come... *** FreeBSD quarterly status report (https://www.freebsd.org/news/status/report-2015-04-2015-06.html) FreeBSD has published their quarterly status report for the months of April to June, citing it to be the largest one so far It's broken down into a number of sections: team reports, projects, kernel, architectures, userland programs, ports, documentation, Google Summer of Code and miscellaneous others Starting off with the cluster admin, some machines were moved to the datacenter at New York Internet, email services are now more resilient to failure, the svn mirrors (now just "svn.freebsd.org") are now using GeoGNS with official SSL certs and general redundancy was increased In the release engineering space, ARM and ARM64 work continues to improve on the Cavium ThunderX, more focus is being put into cloud platforms and the 10.2-RELEASE cycle is reaching its final stages The core team has been working on phabricator, the fancy review system, and is considering to integrate oauth support soon Work also continues on bhyve, and more operating systems are slowly gaining support (including the much-rumored Windows Server 2012) The report also covers recent developments in the Linux emulation layer, and encourages people using 11-CURRENT to help test out the 64bit support Multipath TCP was also a hot topic, and there's a brief summary of the current status on that patch (it will be available publicly soon) ZFSguru, a project we haven't talked about a lot, also gets some attention in the report - version 0.3 is set to be completed in early August PCIe hotplug support is also mentioned, though it's still in the development stages (basic hot-swap functions are working though) The official binary packages are now built more frequently than before with the help of additional hardware, so AMD64 and i386 users will have fresher ports without the need for compiling Various other small updates on specific areas of ports (KDE, XFCE, X11...) are also included in the report Documentation is a strong focus as always, a number of new documentation committers were added and some of the translations have been improved a lot Many other topics were covered, including foundation updates, conference plans, pkgsrc support in pkgng, ZFS support for UEFI boot and much more *** The OpenSSH bug that wasn't (http://bsdly.blogspot.com/2015/07/the-openssh-bug-that-wasnt.html) There's been a lot of discussion (https://www.marc.info/?t=143766048000005&r=1&w=2) about a supposed flaw (https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/) in OpenSSH, allowing attackers to substantially amplify the number of password attempts they can try per session (without leaving any abnormal log traces, even) There's no actual exploit to speak of; this bug would only help someone get more bruteforce tries in with a fewer number of connections (https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-July/034209.html) FreeBSD in its default configuration, with PAM (https://en.wikipedia.org/wiki/Pluggable_authentication_module) and ChallengeResponseAuthentication enabled, was the only one vulnerable to the problem - not upstream OpenSSH (https://www.marc.info/?l=openbsd-misc&m=143767296016252&w=2), nor any of the other BSDs, and not even the majority of Linux distros If you disable all forms of authentication except public keys, like you're supposed to (https://stribika.github.io/2015/01/04/secure-secure-shell.html), then this is also not a big deal for FreeBSD systems Realistically speaking, it's more of a PAM bug (https://www.marc.info/?l=openbsd-misc&m=143782167322500&w=2) than anything else OpenSSH added an additional check (https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab) for this type of setup that will be in 7.0, but simply changing your sshd_config is enough to mitigate the issue for now on FreeBSD (or you can run freebsd-update (https://lists.freebsd.org/pipermail/freebsd-security-notifications/2015-July/000248.html)) *** Interview - Sebastian Wiedenroth - wiedi@netbsd.org (mailto:wiedi@netbsd.org) / @wied0r (https://twitter.com/wied0r) pkgsrc (https://en.wikipedia.org/wiki/Pkgsrc) and pkgsrcCon (http://pkgsrc.org/pkgsrcCon/) News Roundup Now served by OpenBSD (https://tribaal.io/this-now-served-by-openbsd.html) We've mentioned that you can also install OpenBSD on DO droplets, and this blog post is about someone who actually did it The use case for the author was for a webserver, so he decided to try out the httpd in base Configuration is ridiculously simple, and the config file in his example provides an HTTPS-only webserver, with plaintext requests automatically redirecting TLS 1.2 by default, strong ciphers with LibreSSL and HSTS (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) combined give you a pretty secure web server *** FreeBSD laptop playbooks (https://github.com/sean-/freebsd-laptops) A new project has started up on Github for configuring FreeBSD on various laptops, unsurprisingly named "freebsd-laptops" It's based on ansible, and uses the playbook format for automatic set up and configuration Right now, it's only working on a single Lenovo laptop, but the plan is to add instructions for many more models Check the Github page for instructions on how to get started, and maybe get involved if you're running FreeBSD on a laptop *** NetBSD on the NVIDIA Jetson TK1 (https://blog.netbsd.org/tnf/entry/netbsd_on_the_nvidia_jetson) If you've never heard of the Jetson TK1 (https://developer.nvidia.com/jetson-tk1), we can go ahead and spoil the secret here: NetBSD runs on it As for the specs, it has a quad-core ARMv7 CPU at 2.3GHz, 2 gigs of RAM, gigabit ethernet, SATA, HDMI and mini-PCIE This blog post shows which parts of the board are working with NetBSD -current (which seems to be almost everything) You can even run X11 on it, pretty sweet *** DragonFly power mangement options (http://lists.dragonflybsd.org/pipermail/users/2015-July/207911.html) DragonFly developer Sepherosa, who we've had on the show, has been doing some ACPI work over there In this email, he presents some of DragonFly's different power management options: ACPI P-states, C-states, mwait C-states and some Intel-specific bits as well He also did some testing with each of them and gave his findings about power saving If you've been thinking about running DragonFly on a laptop, this would be a good one to read *** OpenBSD router under FreeBSD bhyve (https://www.quernus.co.uk/2015/07/27/openbsd-as-freebsd-router/) If one BSD just isn't enough for you, and you've only got one machine, why not run two at once This article talks about taking a FreeBSD server running bhyve and making a virtualized OpenBSD router with it If you've been considering switching over your router at home or the office, doing it in a virtual machine is a good way to test the waters before committing to real hardware The author also includes a little bit of history on how he got into both operating systems There are lots of mixed opinions about virtualizing core network components, so we'll leave it up to you to do your research Of course, the next logical step is to put that bhyve host under Xen on NetBSD... *** Feedback/Questions Kevin writes in (http://slexy.org/view/s2yPVV5Wyp) Logan writes in (http://slexy.org/view/s21zcz9rut) Peter writes in (http://slexy.org/view/s21CRmiPwK) Randy writes in (http://slexy.org/view/s211zfIXff) ***

This week on the show, we'll be chatting with Marc Espie. He's recently added some additional security measures to dpb, OpenBSD's package building tool, and we'll find out why they're so important. We've also got all this week's news, answers to your emails and even a BSDCan wrap-up, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines BSDCan 2015 videos (https://www.bsdcan.org/2015/schedule/) BSDCan just ended last week, but some of the BSD-related presentation videos are already online Allan Jude, UCL for FreeBSD (https://www.youtube.com/watch?v=8l6bhKIDecg) Andrew Cagney, What happens when a dwarf and a daemon start dancing by the light of the silvery moon? (https://www.youtube.com/watch?v=XDIcD4LR5HE) Andy Tanenbaum, A reimplementation of NetBSD (https://www.youtube.com/watch?v=0pebP891V0c) using a MicroKernel (https://www.youtube.com/watch?v=Bu1JuwVfYTc) Brooks Davis, CheriBSD: A research fork of FreeBSD (https://www.youtube.com/watch?v=DwCg-51vFAs) Giuseppe Lettieri, Even faster VM networking with virtual passthrough (https://www.youtube.com/watch?v=Lo6wDCapo4k) Joseph Mingrone, Molecular Evolution, Genomic Analysis and FreeBSD (https://www.youtube.com/watch?v=K2pnf1YcMTY) Olivier Cochard-Labbe, Large-scale plug&play x86 network appliance deployment over Internet (https://www.youtube.com/watch?v=6jhSvdnu4k0) Peter Hessler, Using routing domains / routing tables in a production network (https://www.youtube.com/watch?v=BizrC8Zr-YY) Ryan Lortie, a stitch in time: jhbuild (https://www.youtube.com/watch?v=YSVFnM3_2Ik) Ted Unangst, signify: Securing OpenBSD From Us To You (https://www.youtube.com/watch?v=9R5s3l-0wh0) Many more still to come... *** Documenting my BSD experience (http://pid1.com/posts/post1.html) Increasingly common scenario: a long-time Linux user (since the mid-90s) decides it's finally time to give BSD a try "That night I came home, I had been trying to find out everything I could about BSD and I watched many videos, read forums, etc. One of the shows I found was BSD Now. I saw that they helped people and answered questions, so I decided to write in." In this ongoing series of blog posts, a user named Michael writes about his initial experiences with trying different BSDs for some different tasks The first post covers ZFS on FreeBSD, used to build a file server for his house (and of course he lists the hardware, if you're into that) You get a glimpse of a brand new user trying things out, learning how great ZFS-based RAID arrays are and even some of the initial hurdles someone could run into He's also looking to venture into the realm of replacing some of his VMs with jails and bhyve soon His second post (http://pid1.com/posts/post2.html) explores replacing the firewall on his self-described "over complicated home network" with an OpenBSD box After going from ipfwadmin to ipchains to iptables, not even making it to nftables, he found the simple PF syntax to be really refreshing All the tools for his networking needs, the majority of which are in the base system, worked quickly and were easy to understand Getting to hear experiences like this are very important - they show areas where all the BSD developers' hard work has paid off, but can also let us know where we need to improve *** PC-BSD tries HardenedBSD builds (https://github.com/pcbsd/hardenedBSD-stable) The PC-BSD team has created a new branch of their git repo with the HardenedBSD ASLR patches integrated They're not the first major FreeBSD-based project to offer an alternate build - OPNsense did that (https://hardenedbsd.org/article/shawn-webb/2015-05-08/hardenedbsd-teams-opnsense) a few weeks ago - but this might open the door for more projects to give it a try as well With Personacrypt, OpenNTPD, LibreSSL and recent Tor integration through the tools, these additional memory protections will offer PC-BSD users even more security that a default FreeBSD install won't have Time will tell if more projects and products like FreeNAS might be interested too *** C-states in OpenBSD (https://www.marc.info/?l=openbsd-cvs&m=143423172522625&w=2) People who run BSD on their notebooks, you'll want to pay attention to this one OpenBSD has recently committed some ACPI improvements for deep C-states (http://www.hardwaresecrets.com/article/Everything-You-Need-to-Know-About-the-CPU-C-States-Power-Saving-Modes/611), enabling the processor to enter a low-power mode According (https://twitter.com/StevenUniq/status/610586711358316545) to a (https://www.marc.info/?l=openbsd-misc&m=143430996602802&w=2) few users (https://www.marc.info/?l=openbsd-misc&m=143429914700826&w=2) so far (https://www.marc.info/?l=openbsd-misc&m=143425943026225&w=2), the change has resulted in dramatically lower CPU temperatures on their laptops, as well as much better battery life If you're running OpenBSD -current on a laptop, try out the latest snapshot and report back (https://www.marc.info/?l=openbsd-misc&m=143423391222952&w=2) with your findings *** NetBSD at Open Source Conference 2015 Hokkaido (https://mail-index.netbsd.org/netbsd-advocacy/2015/06/13/msg000687.html) The Japanese NetBSD users group never sleeps, and they've hit yet another open source conference As is usually the case, lots of strange machines on display were running none other than NetBSD (though it was mostly ARM this time) We'll be having one of these guys on the show next week to discuss some of the lesser-known NetBSD platforms *** Interview - Marc Espie - espie@openbsd.org (mailto:espie@openbsd.org) / @espie_openbsd (https://twitter.com/espie_openbsd) Recent (https://www.marc.info/?l=openbsd-ports&m=143051151521627&w=2) improvements (https://www.marc.info/?l=openbsd-ports&m=143151777209226&w=2) to OpenBSD's dpb (http://www.bsdnow.tv/tutorials/dpb) tool News Roundup Introducing xhyve, bhyve on OS X (https://github.com/mist64/xhyve/blob/master/README.md) We've talked about FreeBSD's "bhyve" hypervisor a lot on the show, and now it's been ported to another OS As the name "xhyve" might imply, it's a port of bhyve to Mac OS X Currently it only has support for virtualizing a few Linux distributions, but more guest systems can be added in the future It runs entirely in userspace, and has no extra requirements beyond OS X 10.10 or newer There are also a few examples (http://www.pagetable.com/?p=831) on how to use it *** 4K displays on DragonFlyBSD (http://www.dragonflybsd.org/docs/newhandbook/docs/newhandbook/4KDisplays/) If you've been using DragonFly as a desktop, maybe with those nice Broadwell graphics, you'll be pleased to know that 4K displays work just fine Matthew Dillon wrote up a wiki page about some of the specifics, including a couple gotchas Some GUI applications might look weird on such a huge resolution, HDMI ports are mostly limited to a 30Hz refresh rate, and there are slightly steeper hardware requirements for a smooth experience *** Sandboxing port daemons on OpenBSD (http://coderinaworldofcode.blogspot.com/2015/06/chrooting-mumble-server-on-openbsd.html) We talked about different containment methods last week, and mentioned that a lot of the daemons in OpenBSD's base as chrooted by default - things from ports or packages don't always get the same treatment This blog post uses a mumble server as an example, but you can apply it to any service from ports that doesn't chroot by default It goes through the process of manually building a sandbox with all the libraries you'll need to run the daemon, and this setup will even wipe and refresh the chroot every time you restart it With a few small changes, similar tricks could be done on the other BSDs as well - everybody has chroots *** SmallWall 1.8.2 released (http://smallwall.freeforums.net/thread/44/version-1-8-2-released) SmallWall is a relatively new BSD-based project that we've never covered before It's an attempt to keep the old m0n0wall codebase going, and appears to have started around the time m0n0wall called it quits They've just released the first official version (http://www.smallwall.org/download.html), so you can give it a try now If you're interested in learning more about SmallWall, the lead developer just might be on the show in a few weeks... *** Feedback/Questions David writes in (http://slexy.org/view/s21gRTNnk7) Brian writes in (http://slexy.org/view/s2DdiMvELg) Dan writes in (http://slexy.org/view/s2h4ZS6SMd) Joel writes in (http://slexy.org/view/s20kA1jeXY) Steve writes in (http://slexy.org/view/s2wJ9HP1bs) ***

This time on the show, we'll be talking with George Neville-Neil about the brand new FreeBSD Journal and what it's all about. After that, we've got a tutorial on how to track the -stable and -current branches of OpenBSD. Answers to all your BSD questions and the latest headlines, only on BSD Now - the place to B.. SD. This episode was brought to you by Headlines FreeBSD quarterly status report (https://lists.freebsd.org/pipermail/freebsd-stable/2014-January/077085.html) Gabor Pali sent out the October-December 2013 status report to get everyone up to date on what's going on The report contains 37 entries and is very very long... various reports from all the different teams under the FreeBSD umbrella, probably too many to even list in the show notes Lots of work going on in the ARM world, EC2/Xen and Google Compute Engine are also improving Secure boot support hopefully coming by mid-year (www.itwire.com/business-it-news/open-source/62855-freebsd-to-support-secure-boot-by-mid-year) There's quite a bit going on in the FreeBSD world, many projects happening at the same time *** n2k14 OpenBSD Hackathon Report (http://undeadly.org/cgi?action=article&sid=20140124142027) Recently, OpenBSD held one of their hackathons (http://www.openbsd.org/hackathons.html) in New Zealand 15 developers gathered there to sit in a room and write code for a few days Philip Guenther brings back a nice report of the event If you've been watching the -current CVS logs, you've seen the flood of commits just from this event alone Fixes with threading, Linux compat, ACPI, and various other things - some will make it into 5.5 and others need more testing Another report from Theo (http://undeadly.org/cgi?action=article&sid=20140127083112) details his work Updates to the random subsystem, some work-in-progress pf fixes, suspend/resume fixes and more signing stuff *** Four new NetBSD releases (https://blog.netbsd.org/tnf/entry/netbsd_6_1_3_netbsd) NetBSD released versions 6.1.3, 6.0.4, 5.2.2 and 5.1.4 These updates include lots of bug fixes and some security updates, not focused on new features You can upgrade depending on what branch you're currently on Confused about the different branches? See this graph. (https://www.netbsd.org/releases/release-map.html#graph1) *** The future of open source ZFS development (http://sites.ieee.org/scv-cs/archives/openzfs-future-open-source-zfs-development) On February 11, 2014, Matt Ahrens will be giving a presentation about ZFS The talk will be about the future of ZFS and the open source development since Oracle closed the code It's in San Jose, California - go if you can! *** Interview - George Neville-Neil - gnn@freebsd.org (mailto:gnn@freebsd.org) / @gvnn3 (https://twitter.com/gvnn3) The FreeBSD Journal (http://freebsdjournal.com/) Tutorial Tracking -STABLE and -CURRENT (OpenBSD) (http://www.bsdnow.tv/tutorials/stable-current-obsd) News Roundup pfSense news and 2.1.1 snapshots (https://doc.pfsense.org/index.php/2.1.1_New_Features_and_Changes) pfSense has some snapshots available for the upcoming 2.1.1 release They include FreeBSD security fixes as well as some other updates There are recordings posted (https://blog.pfsense.org/?p=1198) of some of the previous hangouts Unfortunately they're only for subscribers, so you'll have to wait until next month when we have Chris on the show to talk about pfSense! *** FreeBSD on Google Compute Engine (https://groups.google.com/forum/#!msg/gce-discussion/YWoa3Aa_49U/FYAg9oiRlLUJ) Recently we mentioned some posts about getting OpenBSD to run on GCE, here's the FreeBSD version Nice big fat warning: "The team has put together a best-effort posting that will get most, if not all, of you up and running. That being said, we need to remind you that FreeBSD is being supported on Google Compute Engine by the community. The instructions are being provided as-is and without warranty." Their instructions are a little too Linuxy (assuming wget, etc.) for our taste, someone should probably get it updated! Other than that it's a pretty good set of instructions on how to get up and running *** Dragonfly ACPI update (http://www.shiningsilence.com/dbsdlog/2014/01/22/13225.html) Sascha Wildner committed some new ACPI code (http://lists.dragonflybsd.org/pipermail/commits/2014-January/199071.html) There's also a "heads up" to update your BIOS (http://lists.dragonflybsd.org/pipermail/users/2014-January/090504.html) if you experience problems Check the mailing list post for all the details *** PCBSD weekly digest (http://blog.pcbsd.org/2014/01/pc-bsd-weekly-feature-digest-6/) 10.0-RC4 users need to upgrade all their packages for 10.0-RC5 PBIs needed to be rebuilt.. actually everything did Help test GNOME 3 so we can get it in the official ports tree By the way, I think Kris has an announcement - PCBSD 10.0 is out! *** Feedback/Questions Tony writes in (http://slexy.org/view/s21ZlfOdTt) Jeff writes in (http://slexy.org/view/s2BFZ68Na5) Remy writes in (http://slexy.org/view/s20epArsQI) Nils writes in (http://slexy.org/view/s213CoNvLt) Solomon writes in (http://slexy.org/view/s21XWnThNS) ***

Interview with Haiku contributor and freelance Ruby developer Ryan Leavengood

Asiat: - Ensimmäinen osa avoimen lähdekoodin ja vapaiden ohjelmistojen -lakiasioita käsittelevästä julkaisusta on nyt ilmestynyt. - Debian siirtyy aikaperustaisiin julkaisuihin - Shuttleworth vihjailee antamassaan haastattelussa, että seuraava LTS-versiota saatetaan viivästyttään yhdellä julkaisulla. - Ubuntun OpenJDK 6 Java läpäisi TCK-testit, joilla testataan noudattaako Java-toteutus Java-spesifikaatioita. - Launchpad sorsattu - Microsoft julkaisi GPL2 lisenssillä 20.000 riviä koodia (3 ajuria) Linux-yhteisön käytettäväksi - Adobelta kaksi avoimen lähdekoodin projektia - Red Hat jatkaa eniten Linux kerneliä kehittävänä yrityksenä - Google julkaisi avoimen lähdekoodin NX serverin - Intel on aloittanut ACPI:n korvaajan kehittämisen pieniin laitteisiin. - MontaVista demosi sekunnissa toimintakuntoon käynnistyvää MontaVista Linux distroaan - Joukko avoimen lähdekoodin tukijoita vie avointa lähdekoodia USA:n - Netscapesta kertova elokuva on julkaistu vapaaseen levitykseen - Debconf9 käynnissä - Gran Canaria Desktop Summit-videot nyt jaossa - OpenOffice Renaissance on julkaissut testattavan prototyypin tulevan OpenOfficen käyttöliittymästä Puhumassa: - Henrik - Ninnnu - Sakari Nylund - Vpv - Ape - Sandcrab - Juha