POPULARITY
2 episodes with Broadwell
3 episodes with Broadwell
2 episodes with Broadwell
6 episodes with Broadwell
2 episodes with Broadwell
2 episodes with Broadwell
3 episodes with Broadwell
@1QLeadership Question: How can college athletics departments best support student-athletes in navigating the transition out of competitive sports, particularly in addressing the challenges of athlete identity and life after sports? Caitlin Broadwell, Athletics Case Manager at Long Beach State, discusses the curriculum used in a class for senior student-athletes on campus. The semester long class focuses on values, developing community, find hobbies away from sports, and other foundation building aspects that help athletes feel better prepared for retiring from competition and the inevitable "Athlete Identity Syndrome" that comes with retirement. Broadwell, on her way to becoming a Licensed Professional Clinical Counselor, developed the curriculum used in the semester-long class for senior student-athletes. She was a multi-school and multi-sport transfer, finishing her career as a beach volleyball player at LSU. With experience from playing, research, and practical knowledge, Broadwell brings passion and purpose to the mental health in athletics industry. - One Question Leadership Podcast - Tai M. Brown
What [is the meaning of] the Testimonies, Statutes, and Judgments?(Deuteronomy 6:20)
Caitlin Broadwell is the mental health case manager for Long Beach State University, helping athletes navigate through their career and connect with resources to support them in their journey. Having played volleyball in college and then transitioned to beach volleyball when she transferred for her last year of eligibility, she transitioned from her sport twice and knows how difficult that transition can be for athletes when they hang up the jersey. She has started the podcast Hanging Up The Jersey, giving athletes a platform to talk about transitioning out of sport in hopes that it will not only help athletes share their story, but help athletes transitioning know that there is hope: there is light at the end of that transition tunnel.
I think we can all agree that social media (and anything approaching it) was a mistake, but sometimes the internet decides to throw you a bone and you meet a NASA flight surgeon on Reddit. After some friendly chatting via email, Dr. Kim Broadwell was gracious enough to speak to me on the podcast. Let's hear what he has to say! Show notes: https://thespaceabove.us/episodes/ep187_interview_dr_kim_broadwell/ https://thespaceabove.us https://twitter.com/SpaceAboveUs
Hi everyone,In today's interview we continue our series of podcasts that give innovative entrepreneurs the opportunity to explain what they have created. Generally, I am featuring people who are working with a variety of "energy" therapies to improve our health. In this podcast, Mike Broadwell explains the crystal/light device he came up with. He explains its history, how it works and some interesting cases exploring its effectiveness. The future of medicine will only come from the understanding that our current biochemical model of life is fundamentally flawed. We are electric/energy beings and the sooner we orient our medicine around this fact, the sooner we will come to a medicine that heals and that does not just make people poorer and sicker, as is currently the case. You can find Mike's website here.I hope you enjoy this interview.Best,TomWebsiteshttps://drtomcowan.com/ https://www.drcowansgarden.com/ https://newbiologyclinic.com/ https://newbiologycurriculum.com/ Video Platforms YouTube: https://www.youtube.com/channel/UCzxdc2o0Q_XZIPwo07XCrNgBackup YouTube Channel https://www.youtube.com/channel/UCh4jE8jPfd9H02FCAtR0muwBitchute https://www.bitchute.com/channel/CivTSuEjw6Qp/ Odysee https://odysee.com/@Dr.TomCowan:8 Rumble https://rumble.com/c/DrTomCowan Twitch https://www.twitch.tv/drtomcowan Social Media Facebook https://www.facebook.com/DrTomCowan/ Facebook https://www.facebook.com/drcowansgarden/ Facebook https://www.facebook.com/newbiologyclinic Facebook https://www.facebook.com/newbiologycurriculum X https://twitter.com/drtomcowan Instagram https://www.instagram.com/talkinturkeywithtom/ Instagram https://www.instagram.com/drcowanspowders/ Instagram https://www.instagram.com/nSupport the showWebsites:https://drtomcowan.com/https://www.drcowansgarden.com/https://newbiologyclinic.com/https://newbiologycurriculum.com/Instagram: @TalkinTurkeywithTomFacebook: https://www.facebook.com/DrTomCowan/Bitchute: https://www.bitchute.com/channel/CivTSuEjw6Qp/YouTube: https://www.youtube.com/channel/UCzxdc2o0Q_XZIPwo07XCrNg
This week, Carmella will take us WAY BACK to the early 1900s with the tale of Lucina Broadwell. She was found partially clothed, face down in a field in Barre, Vermont. Was the murderer her husband, her lover, or an unknown person? This story has it all: a brothel, a madam, a horse-drawn hearse, love, betrayal, affairs, and more!Make sure your follow us on all the socials! We're on Facebook, insta, youtube, and tiktok, @truecrimestateofmind . And twitter and snapchat @ truecrimestate. You can also email us with any of your suggestions or questions at truecrimestateofmind@gmail.com.
Parity, baby.
Today, crystals are the basis for the cell phone, the computer, and even the transistor. However, in ancient times crystals and natural light were used for healing and wellness. Our guest today tapped into that ancient knowledge with a modern spin to create a crystal light therapy device.This is the Story of SolaraGem with Mike Broadwell.
“A well thought out estate plan is an act of love for yourself and your beneficiaries”. So says my guest Loulena Miles. In our conversation we cover the basics of estate planning, and the different main documents that are involved in an estate plan. We talk about how to refresh an estate plan and the hazards of do-it-yourself estate planning. We also spend some time talking about digital assets, and the importance of creating an advanced medical healthcare directive and thinking clearly about end of life care and beyond.This conversation was originally recorded as a live Zoom presentation to a small audience and Loulena provided 3 documents to accompany her talk. The documents are available by clicking on the links below and I encourage you to download and/or print item #2, the Podcast Handout, and have it available as you listen to the talk. Main Presentation Slides (simple)Podcast Handout (detailed)Biggest Mistakes People Make With Their Wills (WSJ - 2/16/2023)Loulena Miles has been practicing law as a licensed California Attorney since 2003. She began her career in public policy in Washington DC working for the Alliance for Nuclear Accountability. Following completion of her law degree, graduating in the top of her class at Golden Gate University, she worked as the Staff Attorney at Tri-Valley CAREs practicing environmental law and public policy. She then worked in private practice as an Associate Attorney at Adams, Broadwell, Joseph and Cardozo in South San Francisco with a focus on administrative law. Most recently, before forming Miles and Torres Associates, Loulena assisted senior citizens with legal issues including maintaining housing, healthcare and financial solvency. She is a Strauss Scholar and a New Voices Ford Foundation Fellow. She presented at the United Nations in New York and Geneva and the World Social Forum in Mumbai, India. She holds a certification in conflict resolution and mediation. She was awarded Witkin and Cali awards for top academic performance in Wills and Trusts, Criminal Law, Legal Research and Writing, Negotiations and Toxics Law and Policy. Loulena Miles is a member of East Bay Trust and Estate Lawyers and is currently serving on the nonprofit board of Tri-Valley CAREs.
https://amzn.to/3mxdCnS - Grab Brandon's NEW book 'Be Extraordinary'!https://www.bebetterindustries.com - Book Brandon to speak with your team!Your life doesn't need to revolve around fitness.And let's be real: with how busy you are, it's just not possible!However, small practices performed daily are all it takes to
It was May of 1919 in Barre, Vermont, when the body of Lucina Broadwell was found naked on her stomach, hands tied behind her back. To solve the crime, investigators must uncover a dark secret that the entire town is hiding. Learn more about your ad choices. Visit podcastchoices.com/adchoices
In today's interview, we are joined by Grand Forks Senior Center employees, Amanda Rengstorf, Public Relations Manager, & Becky Broadwell, Development Officer & Assistant Director. They talk about all the activities and events the Senior Center offers to assist the senior citizen community with. You can find information for how to donate and volunteer at the Grand Forks Senior Center at their website, http://www.gfseniorcenter.org/ or https://www.facebook.com/gfseniors Show is recorded at Grand Forks Best Source. For studio information, visit www.gfbestsource.com #seniorcenter #interview #GFBS #grandforksbestsource
How Logan hated woo-woo crap, but got turned around with gems because they work Forgot melatonin or CBD…try this instead for better sleep How ancient people used the healing power of gems along with sunlight How the different strobe (Hz) setting for different colors match up to different brain wave states Why the Spleen is important for energy, immunity and more How to stack SolaraGem with other technologies and methods The gem that Logan uses to make his meditations more peaceful Why light and frequencies are key to many health effects (despite how little attention is paid to this area) And much more Includes the best gems for: Pain Relief and Wound Healing Stress Sleep Energy Emotional Balance Mitigating Chemotherapy Nausea Avoiding Getting Sick Get your SolaraGem at https://healthsovereign.com/gem and use coupon code LOGAN for $100 off. More show notes available at https://healthsovereign.com/71
Eden vs. Babel: Two Visions of Technology
Digital Diet and Nutrition
Is Technology an Idol?
Social Media to God's Glory
I Will Not Be Mastered: Addiction to Screens
Not All Things Edify: The Irony of Social Media
Patrick is joined today by Becky Broadwell & Amanda Rengstorf, sharing the story of the Grand Forks Senior Center. What is the "Brighter Side of Sixty?" At the Grand Forks Senior Center, it is living life to the fullest. It is meeting new people. It is going to new places. It is trying new things. It is helping others. And, sometimes, it is receiving services that help you remain independent at home. The mission of the Grand Forks Senior Center is to provide opportunities for older adults to live to their full potential.Learn More About Grand Forks Senior Center: http://www.gfseniorcenter.org/Donate to Grand Forks Senior Center: http://www.gfseniorcenter.org/donatePhone Grand Forks Senior Center: 701-772-7245 Support This Podcast! Make a quick and easy donation here:https://www.patreon.com/dogoodbetterSpecial THANK YOU to our sponsors:Donor Dock - The best CRM system for your small to medium sized nonprofit, hands down! Visit www.DonorDock.com and use the Promo Code DOGOODBETTER for a FREE month!Brady Martz - The Nonprofit Audit Specialists! Visit www.BradyMartz.com to connect with folks to make your fiscal life a heckuvalot easier!About The Official Do Good Better Podcast:Each episode features (fundraising expert, speaker, event creator and author) Patrick Kirby interviewing leaders and champions of small & medium nonprofits to share their successes, their impact, and what makes them a unicorn in a field of horses. Patrick answers fundraising questions and (most importantly) showcases how you can support these small nonprofits doing great big things!iTunes: https://apple.co/3a3XenfSpotify: https://spoti.fi/2PlqRXsYouTube: https://bit.ly/3kaWYanTunein: http://tun.in/pjIVtStitcher: https://bit.ly/3i8jfDRFollow On Facebook: https://www.facebook.com/DoGoodBetterPodcast/Follow On Twitter: @consulting_do #fundraising #fundraiser #charity #nonprofit #donate #dogood #dogoodBETTER #fargo #fundraisingdadAbout Host Patrick Kirby:Email: Patrick@dogoodbetterconsulting.comLinkedIN: https://www.linkedin.com/in/fundraisingdad/Want more great advice? Buy Patrick's book! Now also available as an e-book!Fundraise Awesomer! A Practical Guide to Staying Sane While Doing GoodAvailable through Amazon Here: https://www.amazon.com/dp/1072070359
CHANGING THE GAME Through Real Estate ep 25This episode on the podcast Tyler Wynn and our new Podcast CoHost Rob Sembiante had the opportunity to talk to Bill Ham , Real estate Investor, COO of Broadwell Property Group, and author of Creative Cash and Real Estate RAW. He takes us through his journey of how he got started in real estate, a deep dive into the ins and out of buying real estate. He also discusses the best way of dealing with commercial brokers and something they don't tell you about commercial loans.FOR MORE INFO ABOUT US CHECK OUT: https://linktr.ee/Wynningteam757FEATURING: Bill Ham ( https://realestateraw.com/ )HOST: Tyler Wynn ( https://www.instagram.com/wynningteam757/?hl=en )CoHOST: Rob Sembiante ( https://www.instagram.com/rentreadyrob/?hl=en )MUSIC: King Reynard (https://www.instagram.com/kingreynard11/?hl=en )Intro – Tyler Bill Ham – Author of Real Estate Faw & Creative Cash Multifamily Investor (owner and operator) & COO of Broadwell Property GroupInterview Tyler· What's your backstory? Is this something you had ever seen yourself doing?· What's your “why” that drives you? · What is your favorite part about what you do?· In your book you used the conveyor belt illustration, can you explain that tactic?· Why is equity king, not clashflow?· How many deals do you typically analyze to find a good one?· Can you break down one of your deals for us?o How you found ito What did you look foro The strategy you usedo Exit plan?· (Add in any additional questions that come up and flow with the conversation)Rob· Where do you find the most deals?· If you were starting at square one again, how would you approach broker relations and prepare?· Has a bank ever blown up a deal for you and how did you resolve it?· Your time is highly sought after, what could someone do to attract your attention for a lunch meeting? · What is your end goal with business?· What's the most important lesson you've learned as an entrepreneur?· What advice do you have for someone starting out? · (Add in any additional questions that come up with the flow of the conversation)Wrap up – Tyler· Now tell us where we can find you (I.e.: Instagram, website, etc.)*****DISCLAIMER****I AM NOT A CPA, ATTORNEY, INSURANCE, CONTRACTOR, LENDER, OR FINANCIAL ADVISOR. THE CONTENT IN THESE VIDEOS SHALL NOT BE CONSTRUED AS TAX, LEGAL,INSURANCE, CONSTRUCTION, ENGINEERING, HEALTH OR SAFETY, ELECTRICAL, FINANCIAL ADVICE, OR OTHER AND MAY BE OUTDATED OR INACCURATE; IT IS YOUR RESPONSIBILITY TO VERIFY ALL INFORMATION YOURSELF. THIS IS A PODCAST AND YOUTUBE VIDEO FOR ENTERTAINMENT PURPOSES ONLY
After a first instalment packed with Snowdrops, Primulas and Cardamine, get ready for even more early-Spring inspiration from Organic Gardener Val Bourne, including Narcissi, Hamamelis, Hellebores and Hepaticas! In this episode we mention our https://www.getgardeningnow.co.uk/newsletter (new Newsletter). To sign up to it and read the first instlament which went out a few weeks ago, head here: https://www.getgardeningnow.co.uk/newsletter (https://www.getgardeningnow.co.uk/newsletter) PLANT LIST Narcissus 'Rijnveld's Early Sensation' Narcissus 'Candlepower' Narcissus 'Navarre' Narcissus 'Jumblie' Narcissus cyclamineus Chimonanthus praecox Hamamelis × intermedia 'Aurora' Hamamelis × intermedia 'Pallida' Prunus 'Kursar' Ribes laurifolium Galanthus 'South Hayes' Helleborus 'Penny's Pink' Helleborus 'Anna's Red' Polypodium cambricum Polypodium cambricum 'Richard Kayse' Hepatica 'Kilmeston Pink' Hepatica transsilvanica 'Elison Spence' Hepatica nobilis Hepatica x media 'Harvington Beauty' Hepatica transsilvanica Leucojum vernum var. vernum 'Green Lantern' Leucojum vernum var. vagneri 'Janus' Miersia chilensis Galanthus 'Bumblebee' Galanthus plicatus 'Diggory' Galanthus plicatus 'Golden Fleece' Galanthus 'Treasure Island' Galanthus gracilis Galanthus 'Little Dorrit' Galanthus 'Chantry Poppet' Galanthus 'Bambino' Galanthus 'Cherub' Galanthus nivalis 'Lady Putman' Cyclamen coum 'Tilebarn Elizabeth' Crocus heuffelianus Crocus rujanensis 'Belphoebe' Galanthus elwesii 'Broadwell'
On this weeks episode of The Beats with Kelly Kennedy, we with down with Mike Broadwell founder of Solaragem. In this episode we explore the power of light how it impacts the body, and why it is capable of having such an impact. As we move into a new era of healing, the tools that we can use in order to rebalance the body are not old yet are vast. We are grateful to have had Mike on the show this week to remind us all of the power of light. Mike Broadwell has specialized in crystal fusion light for over 10 years. He's worked with leading integrative practitioners across North America. In 2021 he introduced the SolaraGem crystal fusion light device. Show notes|| 0:00| Introduction 2:55| What is Mikes background? How did he get here? 7:28 | How did he get into energetic medicine? 9:55 | What is energy medicine? 12:15 | How does the energy of the body work? 16:35 | Why are we now rediscovering the power of light therapy? 25:30 | Does all light have the same impact on the body? 29:51 | What is the solaragem? 32:10 | Are gems woo? 41:20 | What is the key to life? 43:20 | The impact of light and environment on healing 45:55 | The power of light therapy that Mike has witnessed 1:00: 15 | Kelly's experience with solaragem 1:11:28 | How can you use solaragem? 1:12:45 | To understand how light therapy works you really need to experience it for yourself 1:16:30 | Experiencng glitching 1:18 :20 | What is Mike's secret for the world? * This video does suddenly end due to technical difficulties, don't worry you didn't miss anything!* Connect with Mike|| Mike@MikeBroadwell.com SolaraGem.com MikeBroadwell.com Resources Mentioned|| Ep.89 The Magic of Algae with Catharine Arnston Ep. 90 Living Pain Free with Tk Huynh The Emotion Code Lynn Taggart The Field Lynn Taggart The Intention Experiment Weber Watch Fritz Popp John Ott
You've never heard about optimizing your health like THIS. Tom Broadwell debunks common myths about your health, tells you what to avoid and shares SECRETS of the health industry that can help you heal MANY ailments you may be experiencing. Download Tom's Digital Book "Lazy F*cks Don't Live To 100" here
Many of our Bible studies are done in a group setting, whether in a church Bible class or small group study in a home. While offering a different dynamic than individual Bible study, studying with others in this setting is just as essential. What makes a good (or bad) Bible class? How do we make the best of these times, whether we're the teacher or student? Marty Broadwell shares advice from years of experience teaching teachers to teach. Music Credits "Faith" by Vibe Tracks "New Year" by Bad Snacks "The Starry Night" by John Tadlock
Mike Broadwell is the developer of the SolaraGem crystal fusion light device, and has specialized in this technology for the past decade. He's also created summits as well as in-person and online workshops in energy medicine, featuring the leading specialists in the field. Contact Mike Broadwell: Email broadwellmike@gmail.com Website SolaraGem.com Instagram @broadwell.mike Twitter MikeBroadwell.com --- This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app Support this podcast: https://anchor.fm/360wisdomspeaks/support
Kennedy Broadwell is a Digital Producer & On-Air Talent for Woodward Sports. She makes her Avenue debut to discuss females breaking into a male-dominated industry & much more!
Dr. Sharon Stills interviews Mike Broadwell on the healing properties of various crystals, and particularly how the synergistic effect of fusing light with crystals brings information into the body. In ancient times, healers would bring their patients into full sunlight and place various stones on parts of the body, knowing that the light would act as the facilitator of healing information. Mike Broadwell has harnessed this ancient wisdom with SolaraGem, which fuses light, precious gems, color, and frequency to help others feel their best. His mission in life is to educate practitioners, and make this therapy affordable to all! This fascinating subject is sure to motivate you to begin experimenting with crystals and their healing power!
Our bodies have a natural, built-in ability to heal themselves. Every cell in the human body works tirelessly to keep us at a natural healthy balance. And these cells have the ability to heal or replace themselves, all to keep our bodies functioning at optimal levels. To create good health, from the inside out, we must remove the things that hinder that optimal performance. Stress is one of the main culprits that prevent us from being our best selves. Research has shown that emotional and physical stress is at the root of most diseases. Unless we address our stressors directly, how can we provide a healing outcome? In today's episode, Dr. Christine Schaffner talks with Mike Broadwell of Solara Gem. They discuss how crystals can support your body from pain and stress, how crystal fusion light works, and how it can help your wellness journey. Mike Broadwell has spent the last decade specializing in crystal fusion light therapy, working with leading specialists in integrative health and wellness. He offers training, consulting, and ongoing support for practitioners and individuals. He has recently launched his crystal fusion light device, called SolaraGem. To get the full version of the show notes - please visit, https://bit.ly/SOH-episode111
Scripture Readings – Psalm 95:1-7; Psalm 100 Come, let us sing for joy to the Lord; let us shout aloud to the Rock of our salvation. Let us come before him with thanksgiving and extol him with music and song. For the Lord is the great God, the great … Continue reading →
Scripture Readings : John 1:1-5, John 8:12, Matthew 5:14 The Word Became Flesh In the beginning was the Word, and the Word was with God, and the Word was God. He was in the beginning with God. All things came … Continue reading →
https://www.linkedin.com/in/billhamrealestate/ https://broadwellpropertygroup.com/
We review Meltdown and Spectre responses from various BSD projects, show you how to run CentOS with bhyve, GhostBSD 11.1 is out, and we look at the case against the fork syscall. This episode was brought to you by Headlines More Meltdown Much has been happened this week, but before we get into a status update of the various mitigations on the other BSDs, some important updates: Intel has recalled the microcode update they issued on January 8th. It turns out this update can cause Haswell and Broadwell based systems to randomly reboot, with some frequency. (https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/) AMD has confirmed that its processors are vulnerable to both variants of Spectre, and the the fix for variant #2 will require a forthcoming microcode update, in addition to OS level mitigations (https://www.amd.com/en/corporate/speculative-execution) Fujitsu has provided a status report for most of its products, including SPARC hardware (https://sp.ts.fujitsu.com/dmsp/Publications/public/Intel-Side-Channel-Analysis-Method-Security-Review-CVE2017-5715-vulnerability-Fujitsu-products.pdf) The Register of course has some commentary (https://www.theregister.co.uk/2018/01/12/intel_warns_meltdown_spectre_fixes_make_broadwells_haswells_unstable/) If new code is needed, Intel will need to get it right: the company already faces numerous class action lawsuits. Data centre operators already scrambling to conduct unplanned maintenance will not be happy about the fix reducing stability. AMD has said that operating system patches alone will address the Spectre bounds check bypass bug. Fixing Spectre's branch target injection flaw will require firmware fixes that AMD has said will start to arrive for Ryzen and EPYC CPUs this week. The Register has also asked other server vendors how they're addressing the bugs. Oracle has patched its Linux, but has told us it has “No comment/statement on this as of now” in response to our query about its x86 systems, x86 cloud, Linux and Solaris on x86. The no comment regarding Linux is odd as fixes for Oracle Linux landed here (https://linux.oracle.com/errata/ELSA-2018-4006.html) on January 9th. SPARC-using Fujitsu, meanwhile, has published advice (PDF) revealing how it will address the twin bugs in its servers and PCs, and also saying its SPARC systems are “under investigation”. Response from OpenBSD: (https://undeadly.org/cgi?action=article;sid=20180106082238) 'Meltdown, aka "Dear Intel, you suck"' (https://marc.info/?t=151521438600001&r=1&w=2) Theo de Raadt's response to Meltdown (https://www.itwire.com/security/81338-handling-of-cpu-bug-disclosure-incredibly-bad-openbsd-s-de-raadt.html) That time in 2007 when Theo talked about how Intel x86 had major design problems in their chips (https://marc.info/?l=openbsd-misc&m=118296441702631&w=2) OpenBSD gets a Microcode updater (https://marc.info/?l=openbsd-cvs&m=151570987406841&w=2) Response from Dragonfly BSD: (http://lists.dragonflybsd.org/pipermail/users/2018-January/313758.html) The longer response in four commits One (http://lists.dragonflybsd.org/pipermail/commits/2018-January/627151.html) Two (http://lists.dragonflybsd.org/pipermail/commits/2018-January/627152.html) Three (http://lists.dragonflybsd.org/pipermail/commits/2018-January/627153.html) Four (http://lists.dragonflybsd.org/pipermail/commits/2018-January/627154.html) Even more Meltdown (https://www.dragonflydigest.com/2018/01/10/20718.html) DragonflyBSD master now has full IBRS and IBPB support (http://lists.dragonflybsd.org/pipermail/users/2018-January/335643.html) IBRS (Indirect Branch Restricted Speculation): The x86 IBRS feature requires corresponding microcode support. It mitigates the variant 2 vulnerability. If IBRS is set, near returns and near indirect jumps/calls will not allow their predicted target address to be controlled by code that executed in a less privileged prediction mode before the IBRS mode was last written with a value of 1 or on another logical processor so long as all RSB entries from the previous less privileged prediction mode are overwritten. Speculation on Skylake and later requires these patches ("dynamic IBRS") be used instead of retpoline. If you are very paranoid or you run on a CPU where IBRS=1 is cheaper, you may also want to run in "IBRS always" mode. IBPB (Indirect Branch Prediction Barrier): Setting of IBPB ensures that earlier code's behavior does not control later indirect branch predictions. It is used when context switching to new untrusted address space. Unlike IBRS, IBPB is a command MSR and does not retain its state. DragonFlyBSD's Meltdown Fix Causing More Slowdowns Than Linux (https://www.phoronix.com/scan.php?page=article&item=dragonfly-bsd-meltdown&num=1) NetBSD HOTPATCH() (http://mail-index.netbsd.org/source-changes/2018/01/07/msg090945.html) NetBSD SVS (Separate Virtual Space) (http://mail-index.netbsd.org/source-changes/2018/01/07/msg090952.html) Running CentOS with Bhyve (https://www.daemon-security.com/2018/01/bhyve-centos-0110.html) With the addition of UEFI in FreeBSD (since version 11), users of bhyve can use the UEFI boot loader instead of the grub2-bhyve port for booting operating systems such as Microsoft Windows, Linux and OpenBSD. The following page provides information necessary for setting up bhyve with UEFI boot loader support: https://wiki.freebsd.org/bhyve/UEFI Features have been added to vmrun.sh to make it easier to setup the UEFI boot loader, but the following is required to install the UEFI firmware pkg: # pkg install -y uefi-edk2-bhyve With graphical support, you can use a vnc client like tigervnc, which can be installed with the following command: # pkg install -y tigervnc In the case of most corporate or government environments, the Linux of choice is RHEL, or CentOS. Utilizing bhyve, you can test and install CentOS in a bhyve VM the same way you would deploy a Linux VM in production. The first step is to download the CentOS iso (for this tutorial I used the CentOS minimal ISO): http://isoredirect.centos.org/centos/7/isos/x8664/CentOS-7-x8664-Minimal-1708.iso I normally use a ZFS Volume (zvol) when running bhyve VMs. Run the following commands to create a zvol (ensure you have enough disk space to perform these operations): # zfs create -V20G -o volmode=dev zroot/centos0 (zroot in this case is the zpool I am using) Similar to my previous post about vmrun.sh, you need certain items to be configured on FreeBSD in order to use bhyve. The following commands are necessary to get things running: ``` echo "vfs.zfs.vol.mode=2" >> /boot/loader.conf kldload vmm ifconfig tap0 create sysctl net.link.tap.uponopen=1 net.link.tap.uponopen: 0 -> 1 ifconfig bridge0 create ifconfig bridge0 addm em0 addm tap0 ifconfig bridge0 up ``` (replace em0 with whatever your physical interface is). There are a number of utilities that can be used to manage bhyve VMs, and I am sure there is a way to use vmrun.sh to run Linux VMs, but since all of the HowTos for running Linux use the bhyve command line, the following script is what I use for running CentOS with bhyve. ``` !/bin/sh General bhyve install/run script for CentOS Based on scripts from pr1ntf and lattera HOST="127.0.0.1" PORT="5901" ISO="/tmp/centos.iso" VMNAME="centos" ZVOL="centos0" SERIAL="nmda0A" TAP="tap1" CPU="1" RAM="1024M" HEIGHT="800" WIDTH="600" if [ "$1" == "install" ]; then Kill it before starting it bhyvectl --destroy --vm=$VMNAME bhyve -c $CPU -m $RAM -H -P -A -s 0,hostbridge -s 2,virtio-net,$TAP -s 3,ahci-cd,$ISO -s 4,virtio-blk,/dev/zvol/zroot/$ZVOL -s 29,fbuf,tcp=$HOST:$PORT,w=$WIDTH,h=$HEIGHT -s 30,xhci,tablet -s 31,lpc -l com1,/dev/$SERIAL -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd $VMNAME kill it after bhyvectl --destroy --vm=$VMNAME elif [ "$1" == "run" ]; then Kill it before starting it bhyvectl --destroy --vm=centos bhyve -c $CPU -m $RAM -w -H -s 0,hostbridge -s 2,virtio-net,$TAP -s 4,virtio-blk,/dev/zvol/zroot/$ZVOL -s 29,fbuf,tcp=$HOST:$PORT,w=$WIDTH,h=$HEIGHT -s 30,xhci,tablet -s 31,lpc -l com1,/dev/$SERIAL -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd $VMNAME & else echo "Please type install or run"; fi ``` The variables at the top of the script can be adjusted to fit your own needs. With the addition of the graphics output protocol in UEFI (or UEFI-GOP), a VNC console is launched and hosted with the HOST and PORT setting. There is a password option available for the VNC service, but the connection should be treated as insecure. It is advised to only listen on localhost with the VNC console and tunnel into the host of the bhyve VM. Now with the ISO copied to /tmp/centos.iso, and the script saved as centos.sh you can run the following command to start the install: # ./centos.sh install At this point, using vncviewer (on the local machine, or over an SSH tunnel), you should be able to bring up the console and run the CentOS installer as normal. The absolutely most critical item is to resolve an issue with the booting of UEFI after the installation has completed. Because of the path used in bhyve, you need to run the following to be able to boot CentOS after the installation: # cp -f /mnt/sysimage/boot/efi/EFI/centos/grubx64.efi /mnt/sysimage/boot/efi/EFI/BOOT With this setting changed, the same script can be used to launch your CentOS VM as needed: # ./centos.sh run If you are interested in a better solution for managing your Linux VM, take a look at the various bhyve management ports in the FreeBSD ports tree. Interview - newnix architect - @newnix (https://bsd.network/@newnix) News Roundup GhostBSD 11.1 - FreeBSD for the desktop (https://distrowatch.com/weekly.php?issue=20180108#ghostbsd) GhostBSD is a desktop oriented operating system which is based on FreeBSD. The project takes the FreeBSD operating system and adds a desktop environment, some popular applications, a graphical package manager and Linux binary compatibility. GhostBSD is available in two flavours, MATE and Xfce, and is currently available for 64-bit x86 computers exclusively. I downloaded the MATE edition which is available as a 2.3GB ISO file. Installing GhostBSD's system installer is a graphical application which begins by asking us for our preferred language, which we can select from a list. We can then select our keyboard's layout and our time zone. When it comes to partitioning we have three main options: let GhostBSD take over the entire disk using UFS as the file system, create a custom UFS layout or take over the entire disk using ZFS as the file system. UFS is a classic file system and quite popular, it is more or less FreeBSD's equivalent to Linux's ext4. ZFS is a more advanced file system with snapshots, multi-disk volumes and optional deduplication of data. I decided to try the ZFS option. Once I selected ZFS I didn't have many more options to go through. I was given the chance to set the size of my swap space and choose whether to set up ZFS as a plain volume, with a mirrored disk for backup or in a RAID arrangement with multiple disks. I stayed with the plain, single disk arrangement. We are then asked to create a password for the root account and create a username and password for a regular user account. The installer lets us pick our account's shell with the default being fish, which seemed unusual. Other shells, including bash, csh, tcsh, ksh and zsh are available. The installer goes to work copying files and offers to reboot our computer when it is done. Early impressions The newly installed copy of GhostBSD boots to a graphical login screen where we can sign into the account we created during the install process. Signing into our account loads the MATE 1.18 desktop environment. I found MATE to be responsive and applications were quick to open. Early on I noticed odd window behaviour where windows would continue to slide around after I moved them with the mouse, as if the windows were skidding on ice. Turning off compositing in the MATE settings panel corrected this behaviour. I also found the desktop's default font (Montserrat Alternates) to be hard on my eyes as the font is thin and, for lack of a better term, bubbly. Fonts can be easily adjusted in the settings panel. A few minutes after I signed into my account, a notification appeared in the system tray letting me know software updates were available. Clicking the update icon brings up a small window showing us a list of package updates and, if any are available, updates to the base operating system. FreeBSD, and therefore GhostBSD, both separate the core operating system from the applications (packages) which run on the operating system. This means we can update the core of the system separately from the applications. GhostBSD's core remains relatively static and minimal while applications are updated using a semi-rolling schedule. When we are updating the core operating system, the update manager will give us the option of rebooting the system to finish the process. We can dismiss this prompt to continue working, but the wording of the prompt may be confusing. When asked if we want to reboot to continue the update process, the options presented to us are "Continue" or "Restart". The Continue option closes the update manager and returns us to the MATE desktop. The update manager worked well for me and the only issue I ran into was when I dismissed the update manager and then wanted to install updates later. There are two launchers for the update manager, one in MATE's System menu and one in the settings panel. Clicking either of these launchers didn't accomplish anything. Running the update manager from the command line simply caused the process to lock up until killed. I found if I had dismissed the update manager once, I'd have to wait until I logged in again to use it. Alternatively, I could use a command line tool or use the OctoPkg package manager to install package updates. Conclusions Most of my time with GhostBSD, I was impressed and happy with the operating system. GhostBSD builds on a solid, stable FreeBSD core. We benefit from FreeBSD's performance and its large collection of open source software packages. The MATE desktop was very responsive in my trial and the system is relatively light on memory, even when run on ZFS which has a reputation for taking up more memory than other file systems. FreeBSD Looks At Making Wayland Support Available By Default (https://www.phoronix.com/scan.php?page=news_item&px=FreeBSD-Wayland-Availability) There's an active discussion this week about making Wayland support available by default on FreeBSD. FreeBSD has working Wayland support -- well, assuming you have working Intel / Radeon graphics -- and do have Weston and some other Wayland components available via FreeBSD Ports. FreeBSD has offered working Wayland support that is "quite usable" for more than one year. But, it's not too easy to get going with Wayland on FreeBSD. Right now those FreeBSD desktop users wanting to use/develop with Wayland currently need to rebuild the GTK3 tool-kit, Mesa, and other packages with Wayland support enabled. This call for action now is about allowing the wayland=on to be made the default. This move would then allow these dependencies to be built with Wayland support by default, but for the foreseeable future FreeBSD will continue defaulting to X.Org-based sessions. The FreeBSD developers mostly acknowledge that Wayland is the future and the cost of enabling Wayland support by default is just slightly larger packages, but that weight is still leaner than the size of the X.Org code-base and its dependencies. FreeBSD vote thread (https://lists.freebsd.org/pipermail/freebsd-ports/2017-December/111906.html) TrueOS Fliped the switch already (https://github.com/trueos/trueos-core/commit/f48dba9d4e8cefc45d6f72336e7a0b5f42a2f6f1) fork is not my favorite syscall (https://sircmpwn.github.io/2018/01/02/The-case-against-fork.html) This article has been on my to-write list for a while now. In my opinion, fork is one of the most questionable design choices of Unix. I don't understand the circumstances that led to its creation, and I grieve over the legacy rationale that keeps it alive to this day. Let's set the scene. It's 1971 and you're a fly on the wall in Bell Labs, watching the first edition of Unix being designed for the PDP-11/20. This machine has a 16-bit address space with no more than 248 kilobytes of memory. They're discussing how they're going to support programs that spawn new programs, and someone has a brilliant idea. “What if we copied the entire address space of the program into a new process running from the same spot, then let them overwrite themselves with the new program?” This got a rousing laugh out of everyone present, then they moved on to a better design which would become immortalized in the most popular and influential operating system of all time. At least, that's the story I'd like to have been told. In actual fact, the laughter becomes consensus. There's an obvious problem with this approach: every time you want to execute a new program, the entire process space is copied and promptly discarded when the new program begins. Usually when I complain about fork, this the point when its supporters play the virtual memory card, pointing out that modern operating systems don't actually have to copy the whole address space. We'll get to that, but first — First Edition Unix does copy the whole process space, so this excuse wouldn't have held up at the time. By Fourth Edition Unix (the next one for which kernel sources survived), they had wisened up a bit, and started only copying segments when they faulted. This model leads to a number of problems. One is that the new process inherits all of the parent's process descriptors, so you have to close them all before you exec another process. However, unless you're manually keeping tabs on your open file descriptors, there is no way to know what file handles you must close! The hack that solves this is CLOEXEC, the first of many hacks that deal with fork's poor design choices. This file descriptors problem balloons a bit - consider for example if you want to set up a pipe. You have to establish a piped pair of file descriptors in the parent, then close every fd but the pipe in the child, then dup2 the pipe file descriptor over the (now recently closed) file descriptor 1. By this point you've probably had to do several non-trivial operations and utilize a handful of variables from the parent process space, which hopefully were on the stack so that we don't end up copying segments into the new process space anyway. These problems, however, pale in comparison to my number one complaint with the fork model. Fork is the direct cause of the stupidest component I've ever heard of in an operating system: the out-of-memory (aka OOM) killer. Say you have a process which is using half of the physical memory on your system, and wants to spawn a tiny program. Since fork “copies” the entire process, you might be inclined to think that this would make fork fail. But, on Linux and many other operating systems since, it does not fail! They agree that it's stupid to copy the entire process just to exec something else, but because fork is Important for Backwards Compatibility, they just fake it and reuse the same memory map (except read-only), then trap the faults and actually copy later. The hope is that the child will get on with it and exec before this happens. However, nothing prevents the child from doing something other than exec - it's free to use the memory space however it desires! This approach now leads to memory overcommittment - Linux has promised memory it does not have. As a result, when it really does run out of physical memory, Linux will just kill off processes until it has some memory back. Linux makes an awfully big fuss about “never breaking userspace” for a kernel that will lie about memory it doesn't have, then kill programs that try to use the back-alley memory they were given. That this nearly 50 year old crappy design choice has come to this astonishes me. Alas, I cannot rant forever without discussing the alternatives. There are better process models that have been developed since Unix! The first attempt I know of is BSD's vfork syscall, which is, in a nutshell, the same as fork but with severe limitations on what you do in the child process (i.e. nothing other than calling exec straight away). There are loads of problems with vfork. It only handles the most basic of use cases: you cannot set up a pipe, cannot set up a pty, and can't even close open file descriptors you inherited from the parent. Also, you couldn't really be sure of what variables you were and weren't editing or allowed to edit, considering the limitations of the C specification. Overall this syscall ended up being pretty useless. Another model is posixspawn, which is a hell of an interface. It's far too complicated for me to detail here, and in my opinion far too complicated to ever consider using in practice. Even if it could be understood by mortals, it's a really bad implementation of the spawn paradigm — it basically operates like fork backwards, and inherits many of the same flaws. You still have to deal with children inheriting your file descriptors, for example, only now you do it in the parent process. It's also straight-up impossible to make a genuine pipe with posixspawn. (Note: a reader corrected me - this is indeed possible via posixspawnfileactionsadddup2.) Let's talk about the good models - rfork and spawn (at least, if spawn is done right). rfork originated from plan9 and is a beautiful little coconut of a syscall, much like the rest of plan9. They also implement fork, but it's a special case of rfork. plan9 does not distinguish between processes and threads - all threads are processes and vice versa. However, new processes in plan9 are not the everything-must-go fuckfest of your typical fork call. Instead, you specify exactly what the child should get from you. You can choose to include (or not include) your memory space, file descriptors, environment, or a number of other things specific to plan9. There's a cool flag that makes it so you don't have to reap the process, too, which is nice because reaping children is another really stupid idea. It still has some problems, mainly around creating pipes without tremendous file descriptor fuckery, but it's basically as good as the fork model gets. Note: Linux offers this via the clone syscall now, but everyone just fork+execs anyway. The other model is the spawn model, which I prefer. This is the approach I took in my own kernel for KnightOS, and I think it's also used in NT (Microsoft's kernel). I don't really know much about NT, but I can tell you how it works in KnightOS. Basically, when you create a new process, it is kept in limbo until the parent consents to begin. You are given a handle with which you can configure the process - you can change its environment, load it up with file descriptors to your liking, and so on. When you're ready for it to begin, you give the go-ahead and it's off to the races. The spawn model has none of the flaws of fork. Both fork and exec can be useful at times, but spawning is much better for 90% of their use-cases. If I were to write a new kernel today, I'd probably take a leaf from plan9's book and find a happy medium between rfork and spawn, so you could use spawn to start new threads in your process space as well. To the brave OS designers of the future, ready to shrug off the weight of legacy: please reconsider fork. Enable ld.lld as bootstrap linker by default on amd64 (https://svnweb.freebsd.org/changeset/base/327783) Enable ld.lld as bootstrap linker by default on amd64 For some time we have been planning to migrate to LLVM's lld linker. Having a man page was the last blocking issue for using ld.lld to link the base system kernel + userland, now addressed by r327770. Link the kernel and userland libraries and binaries with ld.lld by default, for additional test coverage. This has been a long time in the making. On 2013-04-13 I submitted an upstream tracking issue in LLVM PR 23214: [META] Using LLD as FreeBSD's system linker. Since then 85 individual issues were identified, and submitted as dependencies. These have been addressed along with two and a half years of other lld development and improvement. I'd like to express deep gratitude to upstream lld developers Rui Ueyama, Rafael Espindola, George Rimar and Davide Italiano. They put in substantial effort in addressing the issues we found affecting FreeBSD/amd64. To revert to using ld.bfd as the bootstrap linker, in /etc/src.conf set WITHOUTLLDBOOTSTRAP=yes If you need to set this, please follow up with a PR or post to the freebsd-toolchain mailing list explaining how default WITHLLDBOOTSTRAP failed for your use case. Note that GNU ld.bfd is still installed as /usr/bin/ld, and will still be used for linking ports. ld.lld can be installed as /usr/bin/ld by setting in /etc/src.conf WITH_LLD_IS_LLD=yes A followup commit will set WITHLLDIS_LD by default, possibly after Clang/LLVM/lld 6.0 is merged to FreeBSD. Release notes: Yes Sponsored by: The FreeBSD Foundation Followup: https://www.mail-archive.com/svn-src-all@freebsd.org/msg155493.html *** Beastie Bits BSDCAN2017 Interview with Peter Hessler, Reyk Floeter, and Henning Brauer (https://undeadly.org/cgi?action=article;sid=20171229080944) video (https://www.youtube.com/watch?v=e-Xim3_rJns) DSBMD (https://freeshell.de/~mk/projects/dsbmd.html) ccc34 talk - May contain DTraces of FreeBSD (https://media.ccc.de/v/34c3-9196-may_contain_dtraces_of_freebsd) [scripts to run an OpenBSD mirror, rsync and verify])(https://github.com/bluhm/mirror-openbsd) Old School PC Fonts (https://int10h.org/oldschool-pc-fonts/readme/) Feedback/Questions David - Approach and Tools for Snapshots and Remote Replication (http://dpaste.com/33HKKEM#wrap) Brian - Help getting my FreeBSD systems talking across the city (http://dpaste.com/3QWFEYR#wrap) Malcolm - First BSD Meetup in Stockholm happened and it was great (http://dpaste.com/1Z9Y8H1) Brad - Update on TrueOS system (http://dpaste.com/3EC9RGG#wrap) ***
We look at an OpenBSD setup on a new laptop, revel in BSDCan trip reports, and visit daemons and friendly ninjas. This episode was brought to you by Headlines OpenBSD and the modern laptop (http://bsdly.blogspot.de/2017/07/openbsd-and-modern-laptop.html) Peter Hansteen has a new blog post about OpenBSD (http://www.openbsd.org/) on laptops: Did you think that OpenBSD is suitable only for firewalls and high-security servers? Think again. Here are my steps to transform a modern mid to high range laptop into a useful Unix workstation with OpenBSD. One thing that never ceases to amaze me is that whenever I'm out and about with my primary laptop at conferences and elsewhere geeks gather, a significant subset of the people I meet have a hard time believing that my laptop runs OpenBSD, and that it's the only system installed. and then it takes a bit of demonstrating that yes, the graphics runs with the best available resolution the hardware can offer, the wireless network is functional, suspend and resume does work, and so forth. And of course, yes, I do use that system when writing books and articles too. Apparently heavy users of other free operating systems do not always run them on their primary workstations. Peter goes on to describe the laptops he's had over the years (all running OpenBSD) and after BSDCan 2017, he needed a new one due to cracks in the display. So the time came to shop around for a replacement. After a bit of shopping around I came back to Multicom, a small computers and parts supplier outfit in rural Åmli in southern Norway, the same place I had sourced the previous one. One of the things that attracted me to that particular shop and their own-branded offerings is that they will let you buy those computers with no operating system installed. That is of course what you want to do when you source your operating system separately, as we OpenBSD users tend to do. The last time around I had gone for a "Thin and lightweight" 14 inch model (Thickness 20mm, weight 2.0kg) with 16GB RAM, 240GB SSD for system disk and 1TB HD for /home (since swapped out for a same-size SSD, as the dmesg will show). Three years later, the rough equivalent with some added oomph for me to stay comfortable for some years to come ended me with a 13.3 inch model, 18mm and advertised as 1.3kg (but actually weighing in at 1.5kg, possibly due to extra components), 32GB RAM, 512GB SSD and 2TB harddisk. For now the specification can be viewed online here (https://www.multicom.no/systemconfigurator.aspx?q=st:10637291;c:100559;fl:0#4091-10500502-1;4086-10637290-1;4087-8562157-2;4088-9101982-1;4089-9101991-1) (the site language is Norwegian, but product names and units of measure are not in fact different). The OpenBSD installer is a wonder of straightforward, no-nonsense simplicity that simply gets the job done. Even so, if you are not yet familiar with OpenBSD, it is worth spending some time reading the OpenBSD FAQ's installation guidelines and the INSTALL.platform file (in our case, INSTALL.amd64) to familiarize yourself with the procedure. If you're following this article to the letter and will be installing a snapshot, it is worth reading the notes on following -current too. The main hurdle back when I was installing the 2014-vintage 14" model was getting the system to consider the SSD which showed up as sd1 the automatic choice for booting (I solved that by removing the MBR, setting the size of the MBR on the hard drive that showed up as sd0 to 0 and enlarging the OpenBSD part to fill the entire drive). + He goes on to explain the choices he made in the installer and settings made after the reboot to set up his work environment. Peter closes with: If you have any questions on running OpenBSD as a primary working environment, I'm generally happy to answer but in almost all cases I would prefer that you use the mailing lists such as misc@openbsd.org or the OpenBSD Facebook (https://www.facebook.com/groups/2210554563/) group so the question and hopefully useful answers become available to the general public. Browsing the slides for my recent OpenBSD and you (https://home.nuug.no/~peter/openbsd_and_you/) user group talk might be beneficial if you're not yet familiar with the system. And of course, comments on this article are welcome. BSDCan 2017 Trip Report: Roller Angel (https://www.freebsdfoundation.org/blog/2017-bsdcan-trip-report-roller-angel/) We could put this into next week's show, because we have another trip report already that's quite long. After dropping off my luggage, I headed straight over to the Goat BoF which took place at The Royal Oak. There were already a number of people there engaged in conversation with food and drink. I sat down at a table and was delighted that the people sitting with me were also into the BSD's and were happy to talk about it the whole time. I felt right at home from the start as people were very nice to me, and were interested in what I was working on. I honestly didn't know that I would fit in so well. I had a preconceived notion that people may be a bit hard to approach as they are famous and so technically advanced. At first, people seemed to only be working in smaller circles. Once you get more familiar with the faces, you realize that these circles don't always contain the same people and that they are just people talking about specific topics. I found that it was easy to participate in the conversation and also found out that people are happy to get your feedback on the subject as well. I was actually surprised how easily I got along with everyone and how included I felt in the activities. I volunteered to help wherever possible and got to work on the video crew that recorded the audio and slides of the talks. The people at BSDCan are incredibly easy to talk to, are actually interested in what you're doing with BSD, and what they can do to help. It's nice to feel welcome in the community. It's like going home. Dan mentioned in his welcome on the first day of BSDCan that the conference is like home for many in the community. The trip report is very detailed and chronicles the two days of the developer summit, and the two days of the conference There was some discussion about a new code of conduct by Benno Rice who mentioned that people are welcome to join a body of people that is forming that helps work out issues related to code of conduct and forwards their recommendations on to core. Next, Allan introduced the idea of creating a process for formally discussing big project changes or similar discussions that is going to be known as FCP or FreeBSD Community Proposal. In Python we have the Python Enhancement Proposal or PEP which is very similar to the idea of FCP. I thought this idea is a great step for FreeBSD to be implementing as it has been a great thing for Python to have. There was some discussion about taking non-code contributions from people and how to recognize those people in the project. There was a suggestion to have a FreeBSD Member status created that can be given to people whose non-code contributions are valuable to the project. This idea seemed to be on a lot of people's minds as something that should be in place soon. The junior jobs on the FreeBSD Wiki were also brought up as a great place to look for ideas on how to get involved in contributing to FreeBSD. Roller wasted no time, and started contributing to EdgeBSD at the conference. On the first day of BSDCan I arrived at the conference early to coordinate with the team that records the talks. We selected the rooms that each of us would be in to do the recording and set up a group chat via WhatsApp for coordination. Thanks to Roller, Patrick McAvoy, Calvin Hendryx-Parker, and all of the others who volunteered their time to run the video and streaming production at BSDCan, as well as all others who volunteered, even if it was just to carry a box. BSDCan couldn't happen without the army of volunteers. After the doc lounge, I visited the Hacker Lounge. There were already several tables full of people talking and working on various projects. In fact, there was a larger group of people who were collaborating on the new libtrue library that seemed to be having a great time. I did a little socializing and then got on my laptop and did some more work on the documentation using my new skills. I really enjoyed having a hacker lounge to go to at night. I want to give a big thank you to the FreeBSD Foundation for approving my travel grant. It was a great experience to meet the community and participate in discussions. I'm very grateful that I was able to attend my first BSDCan. After visiting the doc lounge a few times, I managed to get comfortable using the tools required to edit the documentation. By the end of the conference, I had submitted two documentation patches to the FreeBSD Bugzilla with several patches still in progress. Prior to the conference I expected that I would be spending a lot of time working on my Onion Omega and Edge Router Lite projects that I had with me, but I actually found that there was always something fun going on that I would rather do or work on. I can always work on those projects at home anyway. I had a good time working with the FreeBSD community and will continue working with them by editing the documentation and working with Bugzilla. One of the things I enjoy about these trip reports is when they help convince other people to make the trip to their first conference. Hopefully by sharing their experience, it will convince you to come to the next conference: vBSDCon in Virginia, USA: Sept 7-9 EuroBSDCon in Paris, France: Sept 21-24 BSDTW in Taipei, Taiwan: November 11-12 (CFP ends July 31st) *** BSDCan 2017 - Trip report double-p (http://undeadly.org/cgi?action=article&sid=20170629150641) Prologue Most overheard in Tokyo was "see you in Ottawaaaaah", so with additional "personal item" being Groff I returned home to plan the trip to BSDCan. Dan was very helpful with getting all the preparations (immigration handling), thanks for that. Before I could start, I had to fix something: the handling of the goat. With a nicely created harness, I could just hang it along my backpack. Done that it went to the airport of Hamburg and check-in for an itinerary of HAM-MUC-YUL. While the feeder leg was a common thing, boarding to YUL was great - cabin-crew likes Groff :) Arriving in Montreal was like entering a Monsoon zone or something, sad! After the night the weather was still rain-ish but improving and i shuttled to Dorval VIARail station to take me to Ottawa (ever avoid AirCanada, right?). Train was late, but the conductor (or so) was nice to talk to - and wanted to know about Groff's facebook page :-P. Picking a cab in Ottawa to take me to "Residence" was easy at first - just that it was the wrong one. Actually my fault and so I had a "nice, short" walk to the actual one in the rain with wrong directions. Eventually I made it and after unpacking, refreshment it was time to hit the Goat BOF! Day 1 Since this was my first BSDCan I didnt exactly knew what to expect from this BOF. But it was like, we (Keeper, Dan, Allan, ..) would talk about "who's next" and things like that. How mistaken I was :). Besides the sheer amount of BSD people entering the not-so-yuuge Oak some Dexter sneaked in camouflage. The name-giver got a proper position to oversee the mess and I was glad I did not leave him behind after almost too many Creemores. Day 2 Something happened it's crystal blue on the "roof" and sun is trying its best to wake me up. To start the day, I pick breakfast at 'Father+Sons' - I can really recommend that. Very nice home made fries (almost hashbrowns) and fast delivery! Stuffed up I trott along to get to phessler's tutorial about BGP-for-sysadmins-and-developers. Peter did a great job, but the "lab" couldn't happen, since - oh surprise - the wifi was sluggish as hell. Must love the first day on a conference every time. Went to Hackroom in U90 afterwards, just to fix stuff "at home". IPsec giving pains again. Time to pick food+beer afterwards and since it's so easy to reach, we went to the Oak again. Having a nice backyard patio experience it was about time to meet new people. Cheers to Tom, Aaron, Nick, Philip and some more, we'd an awesome night there. I also invited some not-really-computer local I know by other means who was completly overwhelmed by what kind of "nerds" gather around BSD. He planned to stay "a beer" - and it was rather some more and six hours. Looks like "we" made some impression on him :). Day 3 Easy day, no tutorials at hand, so first picking up breakfast at F+S again and moving to hackroom in U90. Since I promised phessler to help with an localized lab-setup, I started to hack on a quick vagrant/ansible setup to mimic his BGP-lab and went quickly through most of it. Plus some more IPsec debugging and finally fixing it, we went early in the general direction of the Red Lion to pick our registration pack. But before that could happen it was called to have shawarma at 3brothers along. Given a tight hangover it wasn't the brightest idea to order a poutine m-(. Might be great the other day, it wasn't for me at the very time and had to throw away most of it :(. Eventually passing on to the Red Lion I made the next failure with just running into the pub - please stay at the front desk until "seated". I never get used to this concept. So after being "properly" seated, we take our beers and the registration can commence after we had half of it. So I register myself; btw it's a great idea to grant "not needed" stuff to charity. So dont pick "just because", think about it if you really need this or that gadget. Then I register Groff - he really needs badges - just to have Dru coming back to me some minutes later one to hand me the badge for Henning. That's just "amazing"; I dont know IF i want to break this vicious circle the other day, since it's so funny. Talked to Theo about the ongoing IPsec problems and he taught me about utrace(2) which looks "complicated" but might be an end of the story the other day. Also had a nice talk to Peter (H.) about some other ideas along books. BTW, did I pay for ongoing beers? I think Tom did - what a guy :). Arriving at the Residence, I had to find my bathroom door locked (special thing).. crazy thing is they dont have a master key at the venue, but to have to call in one from elsewhere. Short night shortened by another 30minutes :(. Day 4 Weather is improving into beach+sun levels - and it's Conference Day! The opening keynote from Geist was very interesting ("citation needed"). Afterwards I went to zfs-over-ssh, nothing really new (sorry Allan). But then Jason had a super interesting talk on how about to apply BSD for the health-care system in Australia. I hope I can help him with the last bits (rdomain!) in the end. While lunch I tried to recall my memories about utrace(2) while talking to Theo. Then it was about to present my talk and I think it was well perceipted. One "not so good" feedback was about not taking the audience more into account. I think I was asking every other five slides or so - but, well. The general feedback (in spoken terms) was quite good. I was a bit "confused" and I did likely a better job in Tokyo, but well. Happened we ended up in the Oak again.. thanks to mwl, shirkdog, sng, pitrh, kurtm for having me there :) Day 5 While the weather had to decide "what next", I rushed to the venue just to gather Reyk's talk about vmd(8). Afterwards it was MSTP from Paeps which was very interesting and we (OpenBSD) should look into it. Then happened BUG BOF and I invite all "coastal Germans" to cbug.de :) I had to run off for other reasons and came back to Dave's talk which was AWESOME. Following was Rod's talk.. well. While I see his case, that was very poor. The auction into closing was awesome again, and I spend $50 on a Tshirt. :) + Epilogue I totally got the exit dates wrong. So first cancel a booking of an Hotel and then rebook the train to YUL. So I have plenty of time "in the morning" to get breakfast with the local guy. After that he drives me to VIARail station and I dig into "business" cussions. Well, see you in Ottawa - or how about Paris, Taipei? Bind Broker (http://www.tedunangst.com/flak/post/bind-broker) Ted Unangst writes about an interesting idea he has He has a single big server, and lots of users who would like to share it, many want to run web servers. This would be great, but alas, archaic decisions made long ago mean that network sockets aren't really files and there's this weird concept of privileged ports. Maybe we could assign each user a virtual machine and let them do whatever they want, but that seems wasteful. Think of the megabytes! Maybe we could setup nginx.conf to proxy all incoming connections to a process of the user's choosing, but that only works for web sites and we want to be protocol neutral. Maybe we could use iptables, but nobody wants to do that. What we need is a bind broker. At some level, there needs to be some kind of broker that assigns IPs to users and resolves conflicts. It should be possible to build something of this nature given just the existing unix tools we have, instead of changing system design. Then we can deploy our broker to existing systems without upgrading or disrupting their ongoing operation. The bind broker watches a directory for the creation, by users, of unix domain sockets. Then it binds to the TCP port of the same name, and transfers traffic between them. A more complete problem specification is as follows. A top level directory, which contains subdirectories named after IP addresses. Each user is assigned a subdirectory, which they have write permission to. Inside each subdirectory, the user may create unix sockets named according to the port they wish to bind to. We might assign user alice the IP 10.0.0.5 and the user bob the IP 10.0.0.10. Then alice could run a webserver by binding to net/10.0.0.5/80 and bob could run a mail server by binding to net/10.0.0.10/25. This maps IP ownership (which doesn't really exist in unix) to the filesystem namespace (which does have working permissions). So this will be a bit different than jails. The idea is to use filesystem permissions to control which users can bind to which IP addresses and ports The broker is responsible for watching each directory. As new sockets are created, it should respond by binding to the appropriate port. When a socket is deleted, the network side socket should be closed as well. Whenever a connection is accepted on the network side, a matching connection is made on the unix side, and then traffic is copied across. A full set of example code is provided There's no completely portable way to watch a directory for changes. I'm using a kevent extension. Otherwise we might consider a timeout and polling with fstat, or another system specific interface (or an abstraction layer over such an interface). Otherwise, if one of our mappings is ready to read (accept), we have a new connection to handle. The first half is straightforward. We accept the connection and make a matching connect call to the unix side. Then I broke out the big cheat stick and just spliced the sockets together. In reality, we'd have to set up a read/copy/write loop for each end to copy traffic between them. That's not very interesting to read though. The full code, below, comes in at 232 lines according to wc. Minus includes, blank lines, and lines consisting of nothing but braces, it's 148 lines of stuff that actually gets executed by the computer. Add some error handling, and working read/write code, and 200 lines seems about right. A very interesting idea. I wonder about creating a virtual file system that would implement this and maybe do a bit more to fully flesh out this idea. What do you think? *** News Roundup Daemons and friendly Ninjas (https://euroquis.nl/bobulate/?p=1600) There's quite a lot of software that uses CMake as a (meta-)buildsystem. A quick count in the FreeBSD ports tree shows me 1110 ports (over a thousand) that use it. CMake generates buildsystem files which then direct the actual build — it doesn't do building itself. There are multiple buildsystem-backends available: in regular usage, CMake generates Makefiles (and does a reasonable job of producing Makefiles that work for GNU Make and for BSD Make). But it can generate Ninja, or Visual Studio, and other buildsystem files. It's quite flexible in this regard. Recently, the KDE-FreeBSD team has been working on Qt WebEngine, which is horrible. It contains a complete Chromium and who knows what else. Rebuilding it takes forever. But Tobias (KDE-FreeBSD) and Koos (GNOME-FreeBSD) noticed that building things with the Ninja backend was considerably faster for some packages (e.g. Qt WebEngine, and Evolution data-thingy). Tobias wanted to try to extend the build-time improvements to all of the CMake-based ports in FreeBSD, and over the past few days, this has been a success. Ports builds using CMake now default to using Ninja as buildsystem-backend. Here's a bitty table of build-times. These are one-off build times, so hardly scientifically accurate — but suggestive of a slight improvement in build time. Name Size GMake Ninja liblxt 50kB 0:32 0:31 llvm38 1655kB * 19:43 musescore 47590kB 4:00 3:54 webkit2-gtk3 14652kB 44:29 37:40 Or here's a much more thorough table of results from tcberner@, who did 5 builds of each with and without ninja. I've cut out the raw data, here are just the average-of-five results, showing usually a slight improvement in build time with Ninja. Name av make av ninj Delta D/Awo compiler-rt 00:08 00:07 -00:01 -14% openjpeg 00:06 00:07 +00:01 +17% marble 01:57 01:43 -00:14 -11% uhd 01:49 01:34 -00:15 -13% opencacscade 04:08 03:23 -00:45 -18% avidemux 03:01 02:49 -00:12 – 6% kdevelop 01:43 01:33 -00:10 – 9% ring-libclient 00:58 00:53 -00:05 – 8% Not everything builds properly with Ninja. This is usually due to missing dependencies that CMake does not discover; this shows up when foo depends on bar but no rule is generated for it. Depending on build order and speed, bar may be there already by the time foo gets around to being built. Doxygen showed this, where builds on 1 CPU core were all fine, but 8 cores would blow up occasionally. In many cases, we've gone and fixed the missing implicit dependencies in ports and upstreams. But some things are intractable, or just really need GNU Make. For this, the FreeBSD ports infrastructure now has a knob attached to CMake for switching a port build to GNU Make. Normal: USES=cmake Out-of-source: USES=cmake:outsource GNU Make: USES=cmake:noninja gmake OoS, GMake: USES=cmake:outsource,noninja gmake Bad: USES=cmake gmake For the majority of users, this has no effect, but for our package-building clusters, and for KDE-FreeBSD developers who build a lot of CMake-buildsystem software in a day it may add up to an extra coffee break. So I'll raise a shot of espresso to friendship between daemons and ninjas. Announcing the pkgsrc-2017Q2 release (http://mail-index.netbsd.org/pkgsrc-users/2017/07/10/msg025237.html) For the 2017Q2 release we welcome the following notable package additions and changes to the pkgsrc collection: Firefox 54 GCC 7.1 MATE 1.18 Ruby 2.4 Ruby on Rails 4.2 TeX Live 2017 Thunderbird 52.1 Xen 4.8 We say goodbye to: Ruby 1.8 Ruby 2.1 The following infrastructure changes were introduced: Implement optional new pkgtasks and init infrastructure for pkginstall. Various enhancements and fixes for building with ccache. Add support to USE_LANGUAGES for newer C++ standards. Enhanced support for SSP, FORTIFY, and RELRO. The GitHub mirror has migrated to https://github.com/NetBSD/pkgsrc In total, 210 packages were added, 43 packages were removed, and 1,780 package updates were processed since the pkgsrc-2017Q1 release. *** OpenBSD changes of note 624 (http://www.tedunangst.com/flak/post/openbsd-changes-of-note-624) There are a bunch, but here are a few that jump out: Start plugging some leaks. Compile kernels with umask 007. Install them minus read permissions. Pure preprocessor implementation of the roff .ec and .eo requests, though you are warned that very bad things will happen to anybody trying to use these macros in OpenBSD manuals. Random linking for arm64. And octeon. And alpha. And hppa. There's some variation by platform, because every architecture has the kernel loaded with different flavors of initial physical and virtual mappings. And landisk. And loongson. And sgi. And macppc. And a gap file for sparc64, but nobody yet dares split locore. And arm7. Errata for perl File::Path race condition. Some fixes for potential link attacks against cron. Add pledge violations to acct reporting. Take random linking to the next stage. More about KARL - kernel address randomized link. As noted, a few difficulties with hibernate and such, but the plan is coming together. Add a new function reorder_kernel() that relinks and installs the new kernel in the background on system startup. Add support for the bootblocks to detect hibernate and boot the previous kernel. Remove the poorly described “stuff” from ksh. Replace usage of TIOCSTI in csh using a more common IO loop. Kind of like the stuff in ksh, but part of the default command line editing and parsing code, csh would read too many characters, then send the ones it didn't like back into the terminal. Which is weird, right? Also, more importantly, eliminating the code that uses TIOCSTI to inject characters into ttys means that maybe TIOCSTI can be removed. Revamp some of the authentication logging in ssh. Add a verbose flag to rm so you can panic immediately upon seeing it delete the wrong file instead of waiting to discover your mistake after the fact. Update libexpat to version 2.2.1 which has some security fixes. Never trust an expat, that's my motto. Update inteldrm to code based on Linux 4.4.70. This brings us support for Skylake and Cherryview and better support for Broadwell and Valleyview. Also adds MST support. Fun times for people with newish laptops. *** OPNsense 17.1.9 released (https://opnsense.org/opnsense-17-1-9-released/) firewall: move gateway switching from system to firewall advanced settings firewall: keep category selection when changing tabs firewall: do not skip gateway switch parsing too early (contributed by Stephane Lesimple) interfaces: show VLAN description during edit firmware: opnsense-revert can now handle multiple packages at once firmware: opnsense-patch can now handle permission changes from patches dnsmasq: use canned –bogus-priv for noprivatereverse dnsmasq: separate log file, ACL and menu entries dynamic dns: fix update for IPv6 (contributed by Alexander Leisentritt) dynamic dns: remove usage of CURLAUTH_ANY (contributed by Alexander Leisentritt) intrusion detection: suppress “fast mode available” boot warning in PCAP mode openvpn: plugin framework adaption unbound: add local-zone type transparent for PTR zone (contributed by Davide Gerhard) unbound: separate log file, ACL and menu entries wizard: remove HTML from description strings mvc: group relation to something other than uuid if needed mvc: rework “item in” for our Volt templates lang: Czech to 100% translated (contributed by Pavel Borecki) plugins: zabbix-agent 1.1 (contributed by Frank Wall) plugins: haproxy 1.16 (contributed by Frank Wall) plugins: acme-client 1.8 (contributed by Frank Wall) plugins: tinc fix for switch mode (contributed by Johan Grip) plugins: monit 1.3 (contributed by Frank Brendel) src: support dhclient supersede statement for option 54 (contributed by Fabian Kurtz) src: add Intel Atom Cherryview SOC HSUART support src: add the ID for the Huawei ME909S LTE modem src: HardenedBSD Stack Clash mitigations[1] ports: sqlite 3.19.3[2] ports: openvpn 2.4.3[3] ports: sudo 1.8.20p2[4] ports: dnsmasq 2.77[5] ports: openldap 2.4.45[6] ports: php 7.0.20[7] ports: suricata 3.2.2[8] ports: squid 3.5.26[9] ports: carootnss 3.31 ports: bind 9.11.1-P2[10] ports: unbound 1.6.3[11] ports: curl 7.54.1[12] *** Beastie Bits Thinkpad x230 - trying to get TrackPoint / Touchpad working in X (http://lists.dragonflybsd.org/pipermail/users/2017-July/313519.html) FreeBSD deprecates all r-cmds (rcp, rlogin, etc.) (http://marc.info/?l=freebsd-commits-all&m=149918307723723&w=2) Bashfill - art for your terminal (https://max.io/bash.html) Go 1.9 release notes: NetBSD support is broken, please help (https://github.com/golang/go/commit/32002079083e533e11209824bd9e3a797169d1c4) Jest, A ReST api for creating and managing FreeBSD jails written in Go (https://github.com/altsrc-io/Jest) *** Feedback/Questions John - zfs send/receive (http://dpaste.com/3ANETHW#wrap) Callum - laptops (http://dpaste.com/11TV0BJ) & An update (http://dpaste.com/3A14BQ6#wrap) Lars - Snapshot of VM datadisk (http://dpaste.com/0MM37NA#wrap) Daryl - Jail managers (http://dpaste.com/0CDQ9EK#wrap) ***
Today on BSD Now, the latest Dragonfly BSD release, RaidZ performance, another OpenSSL Vulnerability, and more; all this week on BSD Now. This episode was brought to you by Headlines DragonFly BSD 4.8 is released (https://www.dragonflybsd.org/release48/) Improved kernel performance This release further localizes cache lines and reduces/removes cache ping-ponging on globals. For bulk builds on many-cores or multi-socket systems, we have around a 5% improvement, and certain subsystems such as namecache lookups and exec()s see massive focused improvements. See the corresponding mailing list post with details. Support for eMMC booting, and mobile and high-performance PCIe SSDs This kernel release includes support for eMMC storage as the boot device. We also sport a brand new SMP-friendly, high-performance NVMe SSD driver (PCIe SSD storage). Initial device test results are available. EFI support The installer can now create an EFI or legacy installation. Numerous adjustments have been made to userland utilities and the kernel to support EFI as a mainstream boot environment. The /boot filesystem may now be placed either in its own GPT slice, or in a DragonFly disklabel inside a GPT slice. DragonFly, by default, creates a GPT slice for all of DragonFly and places a DragonFly disklabel inside it with all the standard DFly partitions, such that the disk names are roughly the same as they would be in a legacy system. Improved graphics support The i915 driver has been updated to match the version found with the Linux 4.6 kernel. Broadwell and Skylake processor users will see improvements. Other user-affecting changes Kernel is now built using -O2. VKernels now use COW, so multiple vkernels can share one disk image. powerd() is now sensitive to time and temperature changes. Non-boot-filesystem kernel modules can be loaded in rc.conf instead of loader.conf. *** #8005 poor performance of 1MB writes on certain RAID-Z configurations (https://github.com/openzfs/openzfs/pull/321) Matt Ahrens posts a new patch for OpenZFS Background: RAID-Z requires that space be allocated in multiples of P+1 sectors,because this is the minimum size block that can have the required amount of parity. Thus blocks on RAIDZ1 must be allocated in a multiple of 2 sectors; on RAIDZ2 multiple of 3; and on RAIDZ3 multiple of 4. A sector is a unit of 2^ashift bytes, typically 512B or 4KB. To satisfy this constraint, the allocation size is rounded up to the proper multiple, resulting in up to 3 "pad sectors" at the end of some blocks. The contents of these pad sectors are not used, so we do not need to read or write these sectors. However, some storage hardware performs much worse (around 1/2 as fast) on mostly-contiguous writes when there are small gaps of non-overwritten data between the writes. Therefore, ZFS creates "optional" zio's when writing RAID-Z blocks that include pad sectors. If writing a pad sector will fill the gap between two (required) writes, we will issue the optional zio, thus doubling performance. The gap-filling performance improvement was introduced in July 2009. Writing the optional zio is done by the io aggregation code in vdevqueue.c. The problem is that it is also subject to the limit on the size of aggregate writes, zfsvdevaggregationlimit, which is by default 128KB. For a given block, if the amount of data plus padding written to a leaf device exceeds zfsvdevaggregation_limit, the optional zio will not be written, resulting in a ~2x performance degradation. The solution is to aggregate optional zio's regardless of the aggregation size limit. As you can see from the graphs, this can make a large difference in performance. I encourage you to read the entire commit message, it is well written and very detailed. *** Can you spot the OpenSSL vulnerability (https://guidovranken.wordpress.com/2017/01/28/can-you-spot-the-vulnerability/) This code was introduced in OpenSSL 1.1.0d, which was released a couple of days ago. This is in the server SSL code, ssl/statem/statemsrvr.c, sslbytestocipherlist()), and can easily be reached remotely. Can you spot the vulnerability? So there is a loop, and within that loop we have an ‘if' statement, that tests a number of conditions. If any of those conditions fail, OPENSSLfree(raw) is called. But raw isn't the address that was allocated; raw is increment every loop. Hence, there is a remote invalid free vulnerability. But not quite. None of those checks in the ‘if' statement can actually fail; earlier on in the function, there is a check that verifies that the packet contains at least 1 byte, so PACKETget1 cannot fail. Furthermore, earlier in the function it is verified that the packet length is a multiple of 3, hence PACKETcopybytes and PACKET_forward cannot fail. So, does the code do what the original author thought, or expected it to do? But what about the next person that modifies that code, maybe changing or removing one of the earlier checks, allowing one of those if conditions to fail, and execute the bad code? Nonetheless OpenSSL has acknowledged that the OPENSSL_free line needs a rewrite: Pull Request #2312 (https://github.com/openssl/openssl/pull/2312) PS I'm not posting this to ridicule the OpenSSL project or their programming skills. I just like reading code and finding corner cases that impact security, which is an effort that ultimately works in everybody's best interest, and I like to share what I find. Programming is a very difficult enterprise and everybody makes mistakes. Thanks to Guido Vranken for the sharp eye and the blog post *** Research Debt (http://distill.pub/2017/research-debt/) I found this article interesting as it relates to not just research, but a lot of technical areas in general Achieving a research-level understanding of most topics is like climbing a mountain. Aspiring researchers must struggle to understand vast bodies of work that came before them, to learn techniques, and to gain intuition. Upon reaching the top, the new researcher begins doing novel work, throwing new stones onto the top of the mountain and making it a little taller for whoever comes next. People expect the climb to be hard. It reflects the tremendous progress and cumulative effort that's gone into the research. The climb is seen as an intellectual pilgrimage, the labor a rite of passage. But the climb could be massively easier. It's entirely possible to build paths and staircases into these mountains. The climb isn't something to be proud of. The climb isn't progress: the climb is a mountain of debt. Programmers talk about technical debt: there are ways to write software that are faster in the short run but problematic in the long run. Poor Exposition – Often, there is no good explanation of important ideas and one has to struggle to understand them. This problem is so pervasive that we take it for granted and don't appreciate how much better things could be. Undigested Ideas – Most ideas start off rough and hard to understand. They become radically easier as we polish them, developing the right analogies, language, and ways of thinking. Bad abstractions and notation – Abstractions and notation are the user interface of research, shaping how we think and communicate. Unfortunately, we often get stuck with the first formalisms to develop even when they're bad. For example, an object with extra electrons is negative, and pi is wrong Noise – Being a researcher is like standing in the middle of a construction site. Countless papers scream for your attention and there's no easy way to filter or summarize them. We think noise is the main way experts experience research debt. There's a tradeoff between the energy put into explaining an idea, and the energy needed to understand it. On one extreme, the explainer can painstakingly craft a beautiful explanation, leading their audience to understanding without even realizing it could have been difficult. On the other extreme, the explainer can do the absolute minimum and abandon their audience to struggle. This energy is called interpretive labor Research distillation is the opposite of research debt. It can be incredibly satisfying, combining deep scientific understanding, empathy, and design to do justice to our research and lay bare beautiful insights. Distillation is also hard. It's tempting to think of explaining an idea as just putting a layer of polish on it, but good explanations often involve transforming the idea. This kind of refinement of an idea can take just as much effort and deep understanding as the initial discovery. + The distillation can often times require an entirely different set of skills than the original creation of the idea. Almost all of the BSD projects have some great ideas or subsystems that just need distillation into easy to understand and use platforms or tools. Like the theoretician, the experimentalist or the research engineer, the research distiller is an integral role for a healthy research community. Right now, almost no one is filling it. Anyway, if that bit piqued your interest, go read the full article and the suggested further reading. *** News Roundup And then the murders began. (https://blather.michaelwlucas.com/archives/2902) A whole bunch of people have pointed me at articles like this one (http://thehookmag.com/2017/03/adding-murders-began-second-sentence-book-makes-instantly-better-125462/), which claim that you can improve almost any book by making the second sentence “And then the murders began.” It's entirely possible they're correct. But let's check, with a sampling of books. As different books come in different tenses and have different voices, I've made some minor changes. “Welcome to Cisco Routers for the Desperate! And then the murders begin.” — Cisco Routers for the Desperate, 2nd ed “Over the last ten years, OpenSSH has become the standard tool for remote management of Unix-like systems and many network devices. And then the murders began.” — SSH Mastery “The Z File System, or ZFS, is a complicated beast, but it is also the most powerful tool in a sysadmin's Batman-esque utility belt. And then the murders begin.” — FreeBSD Mastery: Advanced ZFS “Blood shall rain from the sky, and great shall be the lamentation of the Linux fans. And then, the murders will begin.” — Absolute FreeBSD, 3rd Ed Netdata now supports FreeBSD (https://github.com/firehol/netdata) netdata is a system for distributed real-time performance and health monitoring. It provides unparalleled insights, in real-time, of everything happening on the system it runs (including applications such as web and database servers), using modern interactive web dashboards. From the release notes: apps.plugin ported for FreeBSD Check out their demo sites (https://github.com/firehol/netdata/wiki) *** Distrowatch Weekly reviews RaspBSD (https://distrowatch.com/weekly.php?issue=20170220#raspbsd) RaspBSD is a FreeBSD-based project which strives to create a custom build of FreeBSD for single board and hobbyist computers. RaspBSD takes a recent snapshot of FreeBSD and adds on additional components, such as the LXDE desktop and a few graphical applications. The RaspBSD project currently has live images for Raspberry Pi devices, the Banana Pi, Pine64 and BeagleBone Black & Green computers. The default RaspBSD system is quite minimal, running a mere 16 processes when I was logged in. In the background the operating system runs cron, OpenSSH, syslog and the powerd power management service. Other than the user's shell and terminals, nothing else is running. This means RaspBSD uses little memory, requiring just 16MB of active memory and 31MB of wired or kernel memory. I made note of a few practical differences between running RaspBSD on the Pi verses my usual Raspbian operating system. One minor difference is RaspBSD turns off the Pi's external power light after booting. Raspbian leaves the light on. This means it looks like the Pi is off when it is running RaspBSD, but it also saves a little electricity. Conclusions: Apart from these little differences, running RaspBSD on the Pi was a very similar experience to running Raspbian and my time with the operating system was pleasantly trouble-free. Long-term, I think applying source updates to the base system might be tedious and SD disk operations were slow. However, the Pi usually is not utilized for its speed, but rather its low cost and low-energy usage. For people who are looking for a small home server or very minimal desktop box, RaspBSD running on the Pi should be suitable. Research UNIX V8, V9 and V10 made public by Alcatel-Lucent (https://media-bell-labs-com.s3.amazonaws.com/pages/20170327_1602/statement%20regarding%20Unix%203-7-17.pdf) Alcatel-Lucent USA Inc. (“ALU-USA”), on behalf of itself and Nokia Bell Laboratories agrees, to the extent of its ability to do so, that it will not assert its copyright rights with respect to any non-commercial copying, distribution, performance, display or creation of derivative works of Research Unix®1 Editions 8, 9, and 10. Research Unix is a term used to refer to versions of the Unix operating system for DEC PDP-7, PDP-11, VAX and Interdata 7/32 and 8/32 computers, developed in the Bell Labs Computing Science Research Center. The version breakdown can be viewed on its Wikipedia page (https://en.wikipedia.org/wiki/Research_Unix) It only took 30+ years, but now they're public You can grab them from here (http://www.tuhs.org/Archive/Distributions/Research/) If you're wondering what happened with Research Unix, After Version 10, Unix development at Bell Labs was stopped in favor of a successor system, Plan 9 (http://plan9.bell-labs.com/plan9/); which itself was succeeded by Inferno (http://www.vitanuova.com/inferno/). *** Beastie Bits The BSD Family Tree (https://github.com/freebsd/freebsd/blob/master/share/misc/bsd-family-tree) Unix Permissions Calculator (http://permissions-calculator.org/) NAS4Free release 11.0.0.4 now available (https://sourceforge.net/projects/nas4free/files/NAS4Free-11.0.0.4/11.0.0.4.4141/) Another BSD Mag released for free downloads (https://bsdmag.org/download/simple-quorum-drive-freebsd-ctl-ha-beast-storage-system/) OPNsense 17.1.4 released (https://forum.opnsense.org/index.php?topic=4898.msg19359) *** Feedback/Questions gozes asks via twitter about how get involved in FreeBSD (https://twitter.com/gozes/status/846779901738991620) ***
This week on BSDNow! We've got Netflix + FreeBSD news to discuss, always a crowd pleaser, that plus EuroBSDCon is just around the corner. Stick around for your place This episode was brought to you by Headlines Protecting Netflix Viewing Privacy at Scale, with FreeBSD (http://techblog.netflix.com/search/label/FreeBSD) This blog post from Netflix tells the story of how Netflix developed in-kernel TLS to speed up delivery of video via HTTPS Since the beginning of the Open Connect program we have significantly increased the efficiency of our OCAs - from delivering 8 Gbps of throughput from a single server in 2012 to over 90 Gbps from a single server in 2016. We contribute to this effort on the software side by optimizing every aspect of the software for our unique use case - in particular, focusing on the open source FreeBSD operating system and the NGINX web server that run on the OCAs. In the modern internet world, we have to focus not only on efficiency, but also security. There are many state-of-the-art security mechanisms in place at Netflix, including Transport Level Security (TLS) encryption of customer information, search queries, and other confidential data. We have always relied on pre-encoded Digital Rights Management (DRM) to secure our video streams. Over the past year, we've begun to use Secure HTTP (HTTP over TLS or HTTPS) to encrypt the transport of the video content as well. This helps protect member privacy, particularly when the network is insecure - ensuring that our members are safe from eavesdropping by anyone who might want to record their viewing habits. The goal is to ensure that your government, ISP, and wifi sniffing neighbour cannot tell which Netflix videos you are watching Netflix Open Connect serves over 125 million hours of content per day, all around the world. Given our scale, adding the overhead of TLS encryption calculations to our video stream transport had the potential to greatly reduce the efficiency of our global infrastructure. We evaluated available and applicable ciphers and decided to primarily use the Advanced Encryption Standard (AES) cipher in Galois/Counter Mode (GCM), available starting in TLS 1.2. We chose AES-GCM over the Cipher Block Chaining (CBC) method, which comes at a higher computational cost. The AES-GCM cipher algorithm encrypts and authenticates the message simultaneously - as opposed to AES-CBC, which requires an additional pass over the data to generate keyed-hash message authentication code (HMAC). CBC can still be used as a fallback for clients that cannot support the preferred method. All revisions of Open Connect Appliances also have Intel CPUs that support AES-NI, the extension to the x86 instruction set designed to improve encryption and decryption performance. We needed to determine the best implementation of AES-GCM with the AES-NI instruction set, so we investigated alternatives to OpenSSL, including BoringSSL and the Intel Intelligent Storage Acceleration Library (ISA-L). Netflix and NGINX had previously worked together to improve our HTTP client request and response time via the use of sendfile calls to perform a zero-copy data flow from storage (HDD or SSD) to network socket, keeping the data in the kernel memory address space and relieving some of the CPU burden. The Netflix team specifically added the ability to make the sendfile calls asynchronous - further reducing the data path and enabling more simultaneous connections. However, TLS functionality, which requires the data to be passed to the application layer, was incompatible with the sendfile approach. To retain the benefits of the sendfile model while adding TLS functionality, we designed a hybrid TLS scheme whereby session management stays in the application space, but the bulk encryption is inserted into the sendfile data pipeline in the kernel. This extends sendfile to support encrypting data for TLS/SSL connections. We tested the BoringSSL and ISA-L AES-GCM implementations with our sendfile improvements against a baseline of OpenSSL (with no sendfile changes), under typical Netflix traffic conditions on three different OCA hardware types. Our changes in both the BoringSSL and ISA-L test situations significantly increased both CPU utilization and bandwidth over baseline - increasing performance by up to 30%, depending on the OCA hardware version. We chose the ISA-L cipher implementation, which had slightly better results. With these improvements in place, we can continue the process of adding TLS to our video streams for clients that support it, without suffering prohibitive performance hits. If you would like more detail, check out the papers from AsiaBSDCon 2015 (https://people.freebsd.org/~rrs/asiabsd_2015_tls.pdf) and the updated one from 2016 (https://people.freebsd.org/~rrs/asiabsd_tls_improved.pdf) *** OpenBSD on HP Stream 7 (http://www.tedunangst.com/flak/post/OpenBSD-on-HP-Stream-7) Recent events have rocked the mobile computing world to its core. OpenBSD retired the zaurus port, leaving users in desperate need of a new device. And not long before that, Microsoft released the Anniversary Update to Windows 10, but with free space requirements such that it's nigh impossible to install on cheap 32GB eMMC equipped devices such as the HP Stream series, leaving users searching for a new lightweight operating system. With necessity as both mother and father, the scene is set for a truly epic pairing. OpenBSD on the HP Stream 7. The HP Stream line is a series of budget computers in a couple form factors. The Stream 11 is a fairly typical netbook. However, the Stream 7 and 8 are tablets. They look like cheap Android devices, but inside the case, they're real boys, er PCs, with Intel Atom CPUs. To install OpenBSD on such a device, we need a few parts. Obviously, the tablet itself. There's a dearth of ports on these things, but there is a micro USB port. Attaching anything useful requires an OTG “on the go” cable that creates a type A port. Attaching more than one useful thing requires a mini hub. And completing the install requires one each USB stick, keyboard, and network adapter. First, we need to prep the machine to boot from USB. Actually, before doing anything, make sure you have a full charge. It's going to be battery only from here on out. Plug everything in. Flash drive, keyboard, and network into the hub, hub into the OTG cable, cable into the port on top of the Stream. Turn on the machine while holding the volume down button. This launches a mini menu from which we can enter the BIOS. There's a little on screen keyboard in the corner, so this can be done even without a keyboard attached, but the USB keyboard should work. We need to change two settings in the boot section. First, turn off secure boot. Second, switch boot order to prefer USB. Save and exit. The first reboot reveals a confirmation screen checking that we really want to disable secure boot. We must enter a PIN and press enter. Enter the PIN shown on the screen and press enter. And we are go. Then boot up OpenBSD from the USB drive Ted then works there a number of kernel panics and device driver issues, but after disabling ACPI and IntelDRM, the device boots OpenBSD. Of course, there's no X at this point. And definitely no touch screen. And no internal networking. However, by keeping our USB hub attached, we can drive the console and access the network. At least until the battery is depleted, even if we have no way of knowing how long that will be since we disabled all the ACPI devices, which also means no suspend or resume. With some xorg.conf hacking, he did get Xorg working *** DragonflyBSD steps towards base LibreSSL (http://lists.dragonflybsd.org/pipermail/commits/2016-September/624493.html) Project: DragonFlyBSD / Switch base to use private LibreSSL libraries (http://freshbsd.org/commit/dfbsd/304ca408000cd34559ef5319b4b5a6766d6eb35b) DragonFly BSD adopts uses of LibreSSL (http://undeadly.org/cgi?action=article&sid=20160911231651) The number of projects beginning to switch over to LibreSSL is growing and it appears we can now throw DragonFly into that camp. Following something that sounds vaguely familiar (Allan!) DFLY is now creating “private” LibreSSL libraries which are only linked against by base system binaries. For the moment OpenSSL is still built, primarily so that various ports and 3rd party apps can continue to function as before. A NO_OPENSSL option has also been added, but doesn't really do much (yet), since it'll still build and install headers / libraries even if set. *** OpenBSD g2k16 Hackathon g2k16 Hackathon Report: Antoine Jacoutot on Binary Patches (http://undeadly.org/cgi?action=article&sid=20160911012316) g2k16 Hackathon Report: Matthieu Herrb on xenodm (http://undeadly.org/cgi?action=article&sid=20160911231712) g2k16 Hackathon Report: Vincent Gross on iked(8), armv7 and sys/netinet[6] (http://undeadly.org/cgi?action=article&sid=20160911000337) g2k16 Hackathon Report: Florian Obser on httpd, networking, acme-client, and more (http://undeadly.org/cgi?action=article&sid=20160911000052) g2k16 Hackathon Report: Jasper Lievisse Adriaanse on ddb(4) and more (http://undeadly.org/cgi?action=article&sid=20160909012520) g2k16 Hackathon Report: Christian Weisgerber on gettext progress, RTC work, removing kernel cruft (http://undeadly.org/cgi?action=article&sid=20160908002430) g2k16 Hackathon Report: Brent Cook on Chromebooks, crypto, and more (http://undeadly.org/cgi?action=article&sid=20160907131655) g2k16 Hackathon Report: Ted Unangst on doas, signify, code removal (http://undeadly.org/cgi?action=article&sid=20160906230610) g2k16 Hackathon Report: Marc Espie on package signing evolution (http://undeadly.org/cgi?action=article&sid=20160905235911) g2k16 Hackathon Report: Adam Wolk on ports, wireless drivers and more (http://undeadly.org/cgi?action=article&sid=20160906004915) g2k16 Hackathon Report: Mike Larkin on vmm + vmd progress (http://undeadly.org/cgi?action=article&sid=20160905134009&mode=expanded) *** News Roundup OpenBSD (with encrypted softraid) on the Chromebook Pixel (https://jcs.org/notaweblog/2016/08/26/openbsd_chromebook/) Looking for a Laptop to make your OpenBSD road-warrior? If so, we have a great blog tutorial on getting OpenBSD setup on the Chromebook Pixel with encrypted softraid! Author Joshua Stein gives us a very verbose look at how to install and dial-in the laptop perfectly. But first for those wondering about the hardware in the pixel: The Chromebook Pixel LS (2015) has an Intel Core i7 processor (Broadwell) at 2.4Ghz, 16Gb of RAM, a 2560x1700 400-nit IPS screen (239ppi), and Intel 802.11ac wireless. It has a Kingston 64Gib flash chip, of which about 54Gib can be used by OpenBSD when dual-booting with a 1Gb Chrome OS partition. Due to this being a chromebook with seaBIOS, some manual key-press trickery will be required to initially get the OpenBSD Installer up and running. From here you'll want to pay special close attention to the disk partitioning. In particular Joshua will show us how to shrink the existing encrypted /home that ChromeOS uses, keeping the dual-boot intact. This will become important if you ever plan on updating the device. From here, we move back to a more traditional setup, but with the added bonus of doing a soft-raid setup. But the fun isn't over yet! If you want to make OpenBSD the default boot, that'll require cracking the lid on the device and removing a special pink write-protect screw. And of course if you want to remove the default splash-screen image, Joshua has you covered as well, although some flashrom magic will be required. At this point you are nearly done. Final details on enabling specific bits of hardware are discussed. Most things work, apart from Audio and Bluetooth as of right now. *** doas mastery (http://www.tedunangst.com/flak/post/doas-mastery) “doas” mastery - Paging MWL! Our buddy Ted Unangst has written up a great ‘mastery' guide of the doas command, which can come in handy if you are among the un-initiated in doas land. UNIX systems have two classes of user, the super user and regular users. The super user is super, and everybody else is not. This concentration of power keeps things simple, but also means that often too much power is granted. Usually we only need super user powers to perform one task. We would rather not have such power all the time. Think of the responsibility that would entail! Like the sudo command, doas allows for subdivision of super user privileges, granting them only for specific tasks. He starts with the basic doas.conf setup, which starts with an empty config file The doas config is much like a pf ruleset, the default is to block everything > We add the root rule second because doas evaluates rules in a last match manner. root is in the wheel group, so the first rule will match, and then we need to override that with a second rule. Remember to always start with general rules, then make them more specific. *** iXsystems iXsystems to host MeetBSD (https://www.ixsystems.com/blog/ixsystems-host-meetbsd-california-2016-uc-berkeley/) FreeBSD Foundation Welcomes New Board Members New Board Members (https://www.freebsdfoundation.org/blog/freebsd-foundation-welcomes-new-board-members/) The FreeBSD Foundation has added two new board members Interview with Kylie Liang (https://www.freebsdfoundation.org/blog/new-board-member-interview-kylie-liang/) Kylie will focus on representing FreeBSD at conferences and businesses in China I live in China. There, I can act as a bridge between Chinese companies and the FreeBSD community to help drive FreeBSD adoption. Through my leadership role in the FreeBSD Foundation, I will help promote FreeBSD in China and also represent the Foundation at conferences and events in my region. Kylie leads the team the ensures FreeBSD runs well on Hyper-V and Azure, including providing commercial support for customers who run FreeBSD or FreeBSD based appliances on the Azure Cloud I joined Microsoft and started to lead the project called FreeBSD Integration Service to get FreeBSD running well on Hyper-V and Azure. To promote our work and to understand the FreeBSD ecosystem, I started to participate in FreeBSD events where I was inspired by this technical community. Interview with Philip Paeps (https://www.freebsdfoundation.org/blog/new-board-member-interview-philip-paeps/) Philip started with FreeBSD in the early 2000s and got his commit bit in 2004 The patches I submitted to make ACPI and input devices work on that laptop led to a src commit bit in 2004. While I haven't worked on ACPI or input devices since, I have been contributing to different areas of the kernel. Taking up maintainership of some ports I cared about also got me a ports commit bit after some time. Philip will continue to help run EuroBSDCon, but is also spreading the word about FreeBSD in India and Africa Primarily, I think I can be useful! I attend (and organize) a number of conferences around the world every year, particularly in regions that have a mostly “stealthy” FreeBSD community. While I clearly don't need to be on the FreeBSD Foundation board to advocate for FreeBSD, joining as a director will provide an additional asset when working in areas of the world where organizational affiliations are meaningful. Philip has also developed network drivers and various other bits and pieces, and has extensive experience working with and for hardware vendors and appliance vendors Despite intending to eventually contribute their code to the FreeBSD Project as open source, many hardware vendors still find it very difficult to engage directly with the FreeBSD development community. The Foundation helps bridge that gap and helps facilitate collaboration between commercial vendors and the FreeBSD community. I hope to make FreeBSD more visible in regions of the world where it is historically under-represented. I expect I will be attending even more conferences and getting myself invited to even more organizations. more, less, and a story of typical Unix fossilization (https://utcc.utoronto.ca/~cks/space/blog/unix/MoreAndUnixFossilization) Chris Siebenmann from the University of Toronto digs into the history of the difference between ‘less' and ‘more' In the beginning, by which we mean V7, Unix didn't have a pager at all. That was okay; Unix wasn't very visual in those days, partly because it was still sort of the era of the hard copy terminal. Then along came Berkeley and BSD. People at Berkeley were into CRT terminals, and so BSD Unix gave us things like vi and the first pager program, more (which showed up quite early, in 3BSD, although this isn't as early as vi, which appears in 2BSD). Calling a pager more is a little bit odd but it's a Unix type of name and from the beginning more prompted you with '--More--' at the bottom of the screen. All of the Unix vendors that based their work on BSD Unix (like Sun and DEC) naturally shipped versions of more along with the rest of the BSD programs, and so more spread around the BSD side of things. However, more was by no means the best pager ever; as you might expect, it was actually a bit primitive and lacking in features. So fairly early on Mark Nudelman wrote a pager with somewhat more features and it wound up being called less as somewhat of a joke. In a sane world, Unix vendors would have either replaced their version of more with the clearly superior less or at least updated their version of more to the 4.3 BSD version. Maybe less wouldn't have replaced more immediately, but certainly over say the next five years, when it kept on being better and most people kept preferring it when they had a choice.” + “This entire history has led to a series of vaguely absurd outcomes on various modern Unixes. On Solaris derivatives more is of course the traditional version with source code that can probably trace itself all the way back to 3BSD, carefully updated to SUS compliance. Solaris would never dream of changing what more is, not even if the replacement is better. Why, it might disturb someone. Oddly, FreeBSD has done the most sensible thing; they've outright replaced more with less. There is a /usr/bin/more but it's the same binary as less and as you can see the more manpage is just the less manpage. OpenBSD has done the same thing but has a specific manpage for more instead of just giving you the less manpage. So, now you can see why I say that less is more, or more, or both, at several levels. less is certainly more than more, and sometimes less literally is more (or rather more is less, to put it the right way around). Beastie Bits PC-BSD listed in the top 8 'best' alternatives to Windows 10 (http://www.computerworlduk.com/galleries/operating-systems/-free-alternatives-windows-10-3639433/) Creating a quick DNS server with a Rapsberry Pi2 and FreeBSD 11.0-RC1 (http://bsdimp.blogspot.co.uk/2016/08/creating-quick-dns-server-with.html) Dual Boot OpenBSD and Linux + UEFI (https://bsdlaptops.wordpress.com/2016/03/07/vaio-pro-11-part-2/) DesktopBSD 2.0 various versions available (Gnome, Lumina, KDE, LXDE) (http://desktopbsd.boards.net/board/10/announcements) FreeBSD gets new ZFS features including: Compressed ARC (https://svnweb.freebsd.org/base?view=revision&revision=305323) and ZFS Allocation Throttle (https://svnweb.freebsd.org/base?view=revision&revision=305331) One Floppy NetBSD Distribution (https://github.com/user340/fdgw2) A Compendium of BUGs (https://github.com/q5sys/BUGtracker) Feedback/Questions Galahad - OpenBSD X setup (http://pastebin.com/b7W6NHqs) Tang - Subtitles (http://pastebin.com/P4MUs3Pa) Ivan - Zpool Options (http://pastebin.com/LQ8yTp0G) Brad - Replication Issue (http://pastebin.com/XTK5gXMU) MJ - HBA (http://pastebin.com/TdYTMSj9) ***
Who: Mike Broadwell - Joint Venture Marketing Expert What We Talked About: How to make the right partnerships to promote your business. What should you look for in a cross promotion partnership and how should approach people? We also discussed how to find your core message and Mike delivered one powerhouse exercise that will help you to sell yourself on your own business. Why I Like Mike: Mike is the man behind the scenes quietly doing his job, working with some of the biggest names in the niche of energy healing, and making it look effortless. He knows what it takes to make a marketing campaign or joint venture successful. He's the guy you want on your side. Great Line: You can put your core message on a napkin and be successful if you've got it right. Where to Learn More: http://www.breakthroughfactory.com http://www.themindawareshow.com
Coming up this week, we will be talking to John Marino about his work on the ports-mgmt utility “Synth” and the cross-pollination between DragonFly and FreeBSD. That plus the latest news and your email here on This episode was brought to you by Headlines glibc and the BSDs (https://blog.des.no/2016/02/freebsd-and-cve-2015-7547/) You have likely already heard about CVE-2015-7547 (https://access.redhat.com/security/cve/cve-2015-7547) “A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library.” “Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.” More details from Google's Online Security team blog (https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html) “Naturally, people have started asking whether FreeBSD is affected. The FreeBSD Security Officer has not yet released an official statement, but in the meantime, here is a brief look at the issue as far as FreeBSD is concerned.” “First of all: neither FreeBSD itself nor native FreeBSD applications are affected. While the resolver in FreeBSD's libc and GNU libc share a common parentage, the bug was introduced when the latter was rewritten to send A and AAAA queries in parallel rather than sequentially when the application requests both.” The same most likely applies to the other BSDs “However, Linux applications running under emulation on a FreeBSD system use the GNU libc and are therefore vulnerable unless patched.” A patch to update emulation/linux_base-c6 has been prepared and should be committed soon Running ‘pkg audit' will list any known vulnerable packages installed on your system “The issue can be mitigated by only using resolvers you trust, and configuring them to avoid sending responses which can trigger the bug.” “If you already have your own resolvers, you can configure them to avoid sending UDP responses larger than 2048 bytes. If the response does not fit in 2048 bytes, the server will send a truncated response, and the client should retry using TCP. While a similar bug exists in the code path for TCP requests, I believe that it can only be exploited by a malicious resolver, and interposing your own resolver will protect affected Linux systems and applications.” Dag-Erling's blog post also includes instructions and configuration examples for locking down your resolver, or setting up your own resolver if you don't have one already *** OpenBSD Foundation - 2016 Fundraising Campaign (http://www.openbsdfoundation.org/campaign2016.html) The OpenBSD foundation has announced their 2016 fundraising campaign, and set the goal of raising $250k for the year. While they mention that fundraising for 2015 didn't hit 2014's blockbuster numbers, it still exceeded the goal set, with an almost equal mix of corporate and community donors. ‘Our goal for 2016 is to increase the amount of support we offer for development, without compromising our regular support for the projects. We would like to: Plan and support more developer events (hackathons), and allow for more developers to attend these events. Continue to improve the project infrastructure. Fund more dedicated developer time for targeted development of specific projects.‘ To give you an idea of how much OpenBSD technology is used around the world, they broke it down this way: If $10 were given for every installation of OpenBSD in the last year from the master site (ignoring the mirrors) we would be at our goal. If $2 were given for every download of the OpenSSH source code in the last year from the master site (ignoring the mirrors) we would be at our goal. If a penny was donated for every pf or OpenSSH installed with a mainstream operating system or phone in the last year we would be at our goal. Getting Started with ION-DTN 3.4.0 on FreeBSD (https://sgeos.github.io/freebsd/ion/dtn/2016/02/07/getting-started-with-ion-dtn-3-4-0-on-freebsd.html) “The Interplanetary Overlay Network (ION) software distribution is an implementation of Delay-Tolerant Networking (DTN) architecture as described in Internet RFC 4838, suitable for use in spacecraft” This tutorial covers setting up ION 3.4.0 on FreeBSD The tutorial starts by downloading the ION software, and installing the relevant build tools The instructions allow ION to be installed system-wide, or for a specific user The each host is configured Then pings are traded between the hosts to ensure everything works Then a web page is served over the interplanetary network Sadly I don't have any hosts on other planets to test with. The tutorial also includes a troubleshooting guide *** Open Storage Issue – New BSD Mag is Out! (https://bsdmag.org/download/open_storage/) The next issue of BSDMag (The Open Storage Issue) just landed which features an interview with Matt Olander of iXsystems. During the interview, Matt talks about the culture of support for open-source down at iX, not only FreeNAS and PC-BSD, but the FreeBSD foundation, Slackware and more. He also gets to extol the virtues of the open-source development model itself, why it tends to lead to better code overall. In addition to the lead interview with Matt, this issue also features some other great interviews with Open Source storage vendors, and even some ZFS howto's about setting up your ZIL devive *** Interview - John Marino - marino@freebsd.org (mailto:marino@freebsd.org) FreeNAS with FreeBSD as its base helped save taxpayers $36,000 for a small public school district (https://www.ixsystems.com/whats-new/2016/02/11/january-missioncomplete-best-story/) News Roundup Getting Started With Tor Hidden Services on FreeBSD (https://sgeos.github.io/tor/freebsd/nc/curl/2016/02/06/getting-started-with-tor-hidden-services-on-freebsd.html) Ever wondered how to setup and use a Tor hidden service? We have a walkthrough posted over on github.io which details how to do that on a FreeBSD -CURRENT system. The basics are pretty simple, installing security/tor is the first step (although, he is using portmaster, you may wish to just ‘pkg install security/tor') The walkthrough provides an example server hosting just the date/time on port 8080, which you can use as an example and to verify it works, before serving anything real. Once a local server is ready to serve something, the Tor setup is pretty quick, basically just two lines of config in torrc: HiddenServiceDir /usr/home/tor/hidden_service/ HiddenServicePort 80 127.0.0.1:8080 After starting the service, the walkthrough will show you how to get the new hostname for this hidden service and verify its functionality. ZFS Remote Mirrors for Home Use (https://github.com/hughobrien/zfs-remote-mirror) A recently updated tutorial on remotely mirroring your ZFS files Using a spare old computer, or a SBC like a Raspberry Pi, and an (external) hard drive It covers installing and configuring FreeBSD for both sides of the remote replication The new appendix covers the creation of a Raspberry Pi image, although a prebuilt one is also provided The setup uses GELI to ensure the data is encrypted at-rest Updating and maintaining both systems is covered in detail The article is very detailed, and covers pretty much every aspect of the setup, including suggestions on where to physically locate the remote system, and configuration tips to reduce the chance that local intervention will be required Most importantly, it covers the disaster recovery steps. How to get your files back when bad things happen *** Lumina Desktop 0.8.8 Released (http://lumina-desktop.org/lumina-desktop-0-8-8-released/) PC-BSD's very own Lumina desktop has issued a new release, 0.8.8 Notable in this release is support for NetBSD out of box, improvements to the start menu, and ability to change monitor resolutions in the X configuration tool. (Also the desktop font colors look better!) 0.8.8 is now available in PC-BSD via pkg, and FreeBSD ports/pkg system as well. Lumina Desktop aims for v1.0 in July 2016 (http://fossforce.com/2016/02/lumina-desktop-getting-ready-freebsd-11-0/) We also have a blog post from Larry over at FossForce, highlighting that 1.0 of Lumina is still targeted for July(ish) *** NetBSD on Google's Compute Engine (http://www.feyrer.de/NetBSD/bx/blosxom.cgi/nb_20160213_1951.html) A NetBSD developer has gotten NetBSD running on Google Compute Engine, a service somewhat similar to Amazon's EC2, and Microsoft's Azure Support is still being worked on, but I imagine it will land in NetBSD before too long NetBSD on GCE dmesg (http://dmesgd.nycbug.org/index.cgi?action=dmesgd&do=view&id=2900) OpenBSD on GCE (http://marc.info/?l=openbsd-misc&m=138610199311393&w=2) FreeBSD on GCE (https://github.com/swills/FreeBSD-gcloud) *** BeastieBits htop 2.0 released - an interactive process viewer for Unix (including FreeBSD and OpenBSD) (http://hisham.hm/htop/) Full set of binary packages for 7.0 released for ARM v6 and v7 (hf) (http://mail-index.netbsd.org/port-arm/2016/01/31/msg003648.html) DragonFly 4.4.2 released (https://www.dragonflybsd.org/release44/) LibertyBSD 5.8 has been released (http://libertybsd.net/) Broadwell systems may want to take advantage of the patch by Imre Vadasz (http://lists.dragonflybsd.org/pipermail/commits/2016-January/459239.html) Finding the hard-to-spot bugs in FreeBSD (http://www.viva64.com/en/b/0377/) Feedback/Questions Johnny - The Daily Show (http://slexy.org/view/s21dwzoXRn) Randy - Let it BSD (http://slexy.org/view/s2Hmmu5pUr) Miguel - NullFS (http://slexy.org/view/s20tOLsHHj) Jaek - PC-BSD Hardware (http://slexy.org/view/s2N9wQ1n5X) ***
This week on the show, we will be talking to FreeBSD developer and former core-team member John Baldwin about a variety of topics, including running a DevSummit, everything you needed or wanted to know. Coming up right now on BSDNow, the place to B...SD. This episode was brought to you by Headlines FreeBSD server retired after almost 19 years (http://www.theregister.co.uk/2016/01/14/server_retired_after_18_years_and_ten_months_beat_that_readers/) We've heard stories about this kind of thing before, that box that often sits under-appreciated, but refuses to die. Well the UK register has picked up on a story of a FreeBSD server finally being retired after almost 19 years of dedicated service. “In its day, it was a reasonable machine - 200MHz Pentium, 32MB RAM, 4GB SCSI-2 drive,” Ross writes. “And up until recently, it was doing its job fine.” Of late, however the “hard drive finally started throwing errors, it was time to retire it before it gave up the ghost!” The drive's a Seagate, for those of you looking to avoid drives that can't deliver more than 19 years of error-free operations. This system in particular had been running FreeBSD 2.2.1 over the years. Why not upgrade you ask? Ross has an answer for that: “It was heavily firewalled and only very specific services were visible to anyone, and most only visible to our directly connected customers,” Ross told Vulture South. “By the time it was probably due for a review, things had moved so far that all the original code was so tightly bound to the operating system itself, that later versions of the OS would have (and ultimately, did) require substantial rework. While it was running and not showing any signs of stress, it was simply expedient to leave sleeping dogs lie.” All in all, an amazing story of the longevity of a system and its operating system. Do you have a server with a similar or even greater uptime? Let us know so we can try and top this story. *** Roundup of all the BSDs (https://www.linuxvoice.com/group-test-bsd-distros/) The magazine LinuxVoice recently did a group test of a variety of “BSD Distros”. Included in their review were Free/Open/Net/Dragon/Ghost/PC It starts with a pretty good overview of BSD in general, its starts and the various projects / forks that spawned from it, such as FreeNAS / Junos / Playstation / PFSense / etc The review starts with a look at OpenBSD, and the consensus reached is that it is good, but does require a bit more manual work to run as a desktop. (Most of the review focuses on desktop usage). It ends up with a solid ⅘ stars though. Next it moves into GhostBSD, discusses it being a “Live” distro, which can optionally be installed to disk. It loses a few points for lacking a graphical package management utility, and some bugs during the installation, but still earns a respectable ⅗ stars. Dragonfly gets the next spin and gets praise for its very-up to date video driver support and availability of the HAMMER filesystem. It also lands at ⅗ stars, partly due to the reviewer having to use the command-line for management. (Notice a trend here?) NetBSD is up next, and gets special mention for being one of the only “distros” that doesn't do frequent releases. However that doesn't mean you can't have updated packages, since the review mentions pkgsrc and pkg as both available to customize your desktop. The reviewer was slightly haunted by having to edit files in /etc by hand to do wireless, but still gives NetBSD a ⅗ overall. Last up are FreeBSD and PC-BSD, which get a different sort of head-to-head review. FreeBSD goes first, with mention that the text-install is fairly straight-forward and most configuration will require being done by hand. However the reviewer must be getting use to the command-line at this point, because he mentions: “This might sound cumbersome, but is actually pretty straightforward and at the end produces a finely tuned aerodynamic system that does exactly what you want it to do and nothing else.” He does mention that FreeBSD is the ultimate DIY system, even to the point of not having the package management tools provided out of box. PC-BSD ultimately gets a lot of love in this review, again with it being focused on desktop usage this follows. Particularly popular are all the various tools written to make PC-BSD easier to use, such as Life-Preserver, Warden, the graphical installer and more. (slight mistake though, Life-Preserver does not use rsync to backup to FreeNAS, it does ZFS replication) In the end he rates FreeBSD ⅘ and PC-BSD a whopping 5/5 for this roundup. While reviews may be subjective to the particular use-case being evaluated for, it is still nice to see BSD getting some press and more interest from the Linux community in general. *** OpenBSD Laptops (http://www.tedunangst.com/flak/post/openbsd-laptops) Our buddy Ted Unangst has posted a nice “planning ahead” guide for those thinking of new laptops for 2016 and the upcoming OpenBSD 5.9 He starts by giving us a status update on several of the key driver components that will be in 5.9 release“5.9 will be the first release to support the graphics on Broadwell CPUs. This is anything that looks like i5-5xxx. There are a few minor quirks, but generally it works well. There's no support for the new Skylake models, however. They'll probably work with the VESA driver but minus suspend/resume/acceleration (just as 5.8 did with Broadwell).” He then goes on to mention that the IWM driver works well with most of the revisions (7260, 7265, and 3160) that ship with broadwell based laptops, however the newer skylake series ships with the 8260, which is NOT yet supported. He then goes on to list some of the more common makes and models to look for, starting with the broadwell based X1 carbons which work really well (Kris gives +++), but make sure its not the newer skylake model just yet. The macbook gets a mention, but probably should be avoided due to broadcom wifi The Dell XPS he mentions as a good choice for a powerful (portable) desktops *** Significant changes from NetBSD 7.0 to 8.0 (https://www.netbsd.org/changes/changes-8.0.html) Updated to GCC 4.8.5 Imported dhcpcd and replaced rtsol and rtsold gpt(8) utility gained the ability to resize partitions and disks, as well as change the type of a partition OpenSSH 7.1 and OpenSSL 1.0.1q FTP client got support for SNI for https Imported dtrace from FreeBSD Add syscall support Add lockstat support *** Interview - John Baldwin - jhb@freebsd.org (mailto:jhb@freebsd.org) / @BSDHokie (https://twitter.com/BSDHokie) FreeBSD Kernel Debugging News Roundup Dragonfly Mail Agent spreads to FreeBSD and NetBSD (https://www.dragonflydigest.com/2016/01/18/17508.html) DMA, the Dragonfly Mail Agent is now available not only in Dragonfly's dports, but also FreeBSD ports, and NetBSD pkgsrc “dma is a small Mail Transport Agent (MTA), designed for home and office use. It accepts mails from locally installed Mail User Agents (MUA) and delivers the mails either locally or to a remote destination. Remote delivery includes several features like TLS/SSL support and SMTP authentication. dma is not intended as a replacement for real, big MTAs like sendmail(8) or postfix(1). Consequently, dma does not listen on port 25 for incoming connections.” There was a project looking at importing DMA into the FreeBSD base system to replace sendmail, I wonder of the port signals that some of the blockers have been fixed *** ZFS UEFI Support has landed! (https://svnweb.freebsd.org/base?view=revision&revision=294068) Originally started by Eric McCorkle Picked up by Steven Hartland Including modularizing the existing UFS boot code, and adding ZFS boot code General improvements to the EFI loader including using more of libstand instead of containing its own implementations of many common functions Thanks to work by Toomas Soome, there is now a Beastie Menu as part of the EFI loader, similar to the regular loader As soon as this was committed, I added a few lines to it to connect the ZFS BE Menu to it, thanks to all of the above, without whom my work wouldn't be usable It should be relatively easy to hook my GELI boot stuff in as a module, and possibly just stack the UFS and ZFS modules on top of it I might try to redesign the non-EFI boot code to use a similar design instead of what I have now *** How three BSD OSes compare to ten Linux Distros (http://www.phoronix.com/scan.php?page=article&item=3bsd-10linux) After benchmarking 10 of the latest Linux distros, Phoronix took to benchmarking 3 of the big BSDs DragonFlyBSD 4.4.1 - The latest DragonFly release with GCC 5.2.1 and the HAMMER file-system. OpenBSD 5.8 - OpenBSD 5.8 with GCC 4.2.1 as the default compiler and FFS file-system. PC-BSD 10.2 - Derived off FreeBSD 10.2, the defaults were the Clang 3.4.1 compiler and ZFS file-system. In the SQLite test, PCBSD+ZFS won out over all of the Linux distros, including those that were also using ZFS In the first compile benchmark, PCBSD came second only to Intel's Linux distro, Clear Linux. OpenBSD can last, although it is not clear if the benchmark was just comparing the system compiler, which would be unfair to OpenBSD In Disk transaction performance, against ZFS won the day, with PCBSD edging out the Linux distros. OpenBSD's older ffs was hurt by the lack of soft updates, and DragonFly's Hammer did not perform well. Although in an fsync() heavy test, safety is more important that speed As with all benchmarks, these obviously need to be taken with a grain of salt In some of them you can clearly see that the ‘winner' has a much higher standard error, suggesting that the numbers are quite variable *** OPNSense 15.7.24 Released (https://opnsense.org/opnsense-15-7-24-released/) We are just barely into the new year and OPNSense has dropped a new release on us to play with. This new version, 15.7.24 brings a bunch of notable changes, which includes improvements to the firewall UI and a plugin management section of the firmware page. Additionally better signature verification using PKG's internal verification mechanisms was added for kernel and world updates. The announcement contains the full rundown of changes, including the suricata, openvpn and ntp got package bumps as well. *** Beastie Bits A FreeBSD 10 Desktop How-to (https://cooltrainer.org/a-freebsd-desktop-howto/) (A bit old, but still one of the most complete walkthroughs of a desktop FreeBSD setup from scratch) BSD and Scale 14 (http://fossforce.com/2016/01/bsd-ready-scale-14x/) Xen support enabled in OpenBSD -current (http://undeadly.org/cgi?action=article&sid=20160114113445&mode=expanded) Feedback/Questions Matt - Zil Sizes (http://slexy.org/view/s20a0mLaAv) Drin - IPSEC (http://slexy.org/view/s21qpiTF8h) John - ZFS + UEFI (http://slexy.org/view/s2HCq0r0aD) Jake - ZFS Cluster SAN (http://slexy.org/view/s2VORfyqlS) Phillip - Media Server (http://slexy.org/view/s20ycRhUkM) ***
This week on the show, we will be interviewing Alex Rosenberg, to This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** Headlines Life with an OpenBSD Laptop: A UNIX-lover's tale of migrating away from the Mac. The Good, The Bad, The Ugly (http://www.nycbug.org/event/10356/openbsd_laptop_nycbug_2015.pdf) OpenBSD user Isaac (.ike) Levy details his switch from a Mac to an OpenBSD laptop He covers a bit about selecting hardware and dealing with wifi Talks about binary packages and system upgrades Talks about power management, suspend/resume, battery life Show screenshots of some of his favourite window managers Browsers and email clients are also discussed Things he found missing in OpenBSD: A journaling file system, every unclean shutdown means a full fsck(1) UTF-8/unicode was not everywhere Syncing pictures and contacts to his phone Drawing tools *** DragonFlyBSD matches its Intel kernel graphics driver against Linux 4.0 (http://lists.dragonflybsd.org/pipermail/commits/2015-December/459067.html) The DragonFlyBSD DRM stack continues to rapidly advance, now bringing in support from Linux 4.0! Some of the notable features: Basic Skylake support Panel Self-Refresh (PSR) now supported on Valleyview and Cherryview Preparations for atomic display updates Performance improvements on various GPU families, including Cherryview, Broadwell and Haswell GPU frequencies are now kept at a minimum of 450MHz when possible on Haswell and Broadwell, ensuring a minimum experience level for various types of workloads Improved reset support for gen3/4 GPUs, which should fix some OpenGL crashes on Core 2 and pre-2012 Atom machine Better sound/graphics driver synchronization for audio over hdmi support As usual, small bugfixes and stability improvements here and there *** A BSD Wish List for 2016 (http://fossforce.com/2015/12/bsd-wish-list-2016/) Larry over at Foss Force brings us his wish list for BSD support in 2016. Since he has converted most of his daily desktop usage to PC-BSD, he is specifically wanting support for some desktop applications. Namely Google hangouts and Spotify. This is something which has come up periodically among the PC-BSD community. At the moment most users are dual-booting or using alternatives, like WebRTC. However the Google Hangouts plugin is available for Linux, and perhaps this will encourage some developers to see if we can get it running with the newer Linux stack on -CURRENT. Spotify also has a native Linux version, which may need testing on FreeBSD - CURRENT. It may be closer now, and should be updated on the Wanted Ports Page https://wiki.freebsd.org/WantedPorts *** Hard Float API coming soon by default to armv6 (http://bsdimp.blogspot.com/2015/12/hard-float-api-coming-soon-by-default.html) Warner Losh talks about upcoming changes to armv6 on FreeBSD “All the CPUs that FreeBSD supports have hard floating point in them. We've supported hard float for quite some time in the FreeBSD kernel. However, by default, we still use a soft-float ABI.” First, “A new armv6hf (architecture) was created, but that caused some issues with some ports, and the meaning of 'soft float' sadly was ambiguous between the soft-float ABI, and the soft-float libraries that implement floating point when there's no hardware FPU” “Over the spring and summer, I fixed ld.so so that it can load both soft ABI and hard ABI libraries on the same system, depending on markings in the binaries themselves. Soft float ABI and hard float ABI binaries have different flags in the ELF headers, so it is relatively straightforward to know which is which.” “So, in the coming days, I'll commit the first set of changes to move to armv6 as a hard float ABI by default. The kernel doesn't care: it can execute both. The new ld.so will allow you to transition through this change by allowing old, compat soft ABI libraries to co-exist on the system with new hard ABI libraries. This change alone isn't enough, but it will be good to get it out into circulation.” “armv6hf will be removed before FreeBSD 11” A LIBSOFT will be created, similar in concept to the LIB32 available on AMD64 *** Interview - Alex Rosenberg - alexr@leftfield.org (mailto:alexr@leftfield.org) / @alexr (https://twitter.com/alexr) Former Manager of Platform Architecture at Sony *** Beastie Bits Tuesday, Dec 20, 2005 was the release date of the very first bsdtalkpodcast (http://bsdtalk.blogspot.com/2005/12/bsdtalk001-intro-to-bsd.html) Patch: Server side support for TCP FastOpen (https://reviews.freebsd.org/D4350) Learn to tame OpenBSD quickly (http://www.openbsdjumpstart.org/) Hardware Accerated iSCSI lands in FreeBSD (https://svnweb.freebsd.org/base?view=revision&revision=292740) Settings for full HD resolution on DragonFlyBSD under QEMU/KVM, thanks to reddit user Chapo_Rouge (https://www.reddit.com/r/dragonflybsd/comments/3x4n7u/psa_1920x1080_on_dragonflybsd_44_under_qemukvm/) Patch: An IllumOS developer has been porting the FreeBSD boot loader to replace their old version of GRUB. In doing so, he has also made improvements to the block caching in the boot loader (https://reviews.freebsd.org/D4713) A FreeBSD user working at Microsoft talks about Microsoft's shift to Open Source (http://blog.teleri.net/open-microsoft/) BSDCG Exam Session at FOSDEM'16 (https://fosdem.org/2016/schedule/event/cert_bsdcg/) Schedule for the BSD devroom at FOSDEM'16 (https://fosdem.org/2016/schedule/track/bsd/) OpenBSD snapshots are now 5.9 (http://marc.info/?l=openbsd-cvs&m=145055446007162&w=2) Notes on making BSD grep faster (http://blog.erratasec.com/2015/12/some-notes-on-fast-grep.html#.VoQKD1JSRhx) Intel's Platform Application Engineering (PAE) group within the Networking Division (ND) is looking for a Network Software Engineer (https://www-ssl.intel.com/content/www/us/en/jobs/job-search/js2.html?job=782165&src=ML-12080) Did you watch Die Hard at Christmas? Get the Die Hard FreeBSD boot screen: install this file in /boot and set loader_logo="tribute" in /boot/loader.conf (http://locheil.shxd.cx/logo-tribute.4th) Feedback/Questions Jeremy - ZFS without root (http://slexy.org/view/s20CTqtEan) Dan - Getting PC-BSD Media (http://slexy.org/view/s20sNPoDm5) Chris - VMs and FreeBSD (http://slexy.org/view/s2hjsVgGBK) Ben - Haswell and IRC (http://slexy.org/view/s21pwYOTHi) Instructions for trying the Haswell patch (https://wiki.freebsd.org/Graphics/Update%20i915%20GPU%20driver%20to%20Linux%203.8) Matt - Donation to foundation (http://slexy.org/view/s20vifHCyc) ***
Purchasing real estate investment properties can be a long and tedious process. Finding properties, researching the potential investment and calculating the profitability are all initial steps that currently require investors to use multiple databases and take time. Realty Pilot looks to systemize the real estate investment market and connect buyers with sellers with real-time offer information. The platform was built to integrate other systems and databases and give users access to multiple reports from a single interface. The system currently has 10,000 users per month and is set to grow in the near future, as additional data is added. Key Takeaways: [1:52] Breaking down Realty Pilot's structure [3:05] Back office management tools, which use centralized data [4:22] The real estate market is changing towards a decrease in cash offers [6:21] Real-time real estate trends [9:50] Value versus volume [11:19] Specific growth markets [13:27] 10,000 offers per month [15:36] API connects into multiple systems [17:01] Additional systems can log in-house data [18:18] Real estate professionals and homeowners are both notified when an offer is made [21:10] The value disposition service, available in 2016 [22:48] Two different types of offers: soft and hard [24:32] Regulations make buying a home, a 3-week process Mentions: Realty Pilot Offer Runway Concourse 360 zipLogix Realstir Hartman Media
It's already our two-year anniversary! This time on the show, we'll be chatting with Scott Courtney, vice president of infrastructure engineering at Verisign, about this year's vBSDCon. What's it have to offer in an already-crowded BSD conference space? We'll find out. This episode was brought to you by Headlines OpenBSD hypervisor coming soon (https://www.marc.info/?l=openbsd-tech&m=144104398132541&w=2) Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output (http://pastebin.com/raw.php?i=F2Qbgdde) on Twitter recently From what little he revealed at the time (https://twitter.com/mlarkin2012/status/638265767864070144), it appeared to be a new hypervisor (https://en.wikipedia.org/wiki/Hypervisor) (that is, X86 hardware virtualization) running on OpenBSD -current, tentatively titled "vmm" Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD foundation One thing to note: this isn't just a port of something like Xen or Bhyve; it's all-new code, and Mike explains why he chose to go that route He also answered some basic questions about the requirements, when it'll be available, what OSes it can run, what's left to do, how to get involved and so on *** Why FreeBSD should not adopt launchd (http://blog.darknedgy.net/technology/2015/08/26/0/) Last week (http://www.bsdnow.tv/episodes/2015_08_26-beverly_hills_25519) we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we've learned) In this article, the author talks about why he thinks this is a bad idea He doesn't oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself - this is also explained in more detail The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities Reddit had quite a bit (https://www.reddit.com/r/BSD/comments/3ilhpk) to say (https://www.reddit.com/r/freebsd/comments/3ilj4i) about this one, some in agreement and some not *** DragonFly graphics improvements (http://lists.dragonflybsd.org/pipermail/commits/2015-August/458108.html) The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs You should also see some power management improvements, longer battery life and various other bug fixes If you're running DragonFly, especially on a laptop, you'll want to get this stuff on your machine quick - big improvements all around *** OpenBSD tames the userland (https://www.marc.info/?l=openbsd-tech&m=144070638327053&w=2) Last week we mentioned OpenBSD's tame framework getting support for file whitelists, and said that the userland integration was next - well, now here we are Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools It's still a work-in-progress version; there's still more to be added (including the file path whitelist stuff) Some classic utilities are even being reworked to make taming them easier - the "w" command (https://www.marc.info/?l=openbsd-cvs&m=144103945031253&w=2), for example The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse) More discussion can be found on HN (https://news.ycombinator.com/item?id=10135901), as one might expect If you're a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release *** Interview - Scott Courtney - vbsdcon@verisign.com (mailto:vbsdcon@verisign.com) / @verisign (https://twitter.com/verisign) vBSDCon (http://vbsdcon.com/) 2015 News Roundup OPNsense, beyond the fork (https://opnsense.org/opnsense-beyond-the-fork) We first heard about (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach) OPNsense back in January, and they've since released nearly 40 versions, spanning over 5,000 commits This is their first big status update, covering some of the things that've happened since the project was born There's been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more - the report touches on a little of everything *** LibreSSL nukes SSLv3 (http://undeadly.org/cgi?action=article&sid=20150827112006) With their latest release, LibreSSL began to turn off SSLv3 (http://disablessl3.com) support, starting with the "openssl" command At the time, SSLv3 wasn't disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example) They've now flipped the switch, and the process of complete removal has started From the Undeadly summary, "This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!" With this change and a few more to follow shortly, LibreSSL won't actually support SSL anymore - time to rename it "LibreTLS" *** FreeBSD MPTCP updated (http://caia.swin.edu.au/urp/newtcp/mptcp/tools/v05/mptcp-readme-v0.5.txt) For anyone unaware, Multipath TCP (https://en.wikipedia.org/wiki/Multipath_TCP) is "an ongoing effort of the Internet Engineering Task Force's (IETF) Multipath TCP working group, that aims at allowing a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy." There's been work out of an Australian university to add support for it to the FreeBSD kernel, and the patchset was recently updated Including in this latest version is an overview of the protocol, how to get it compiled in, current features and limitations and some info about the routing requirements Some big performance gains can be had with MPTCP, but only if both the client and server systems support it - getting it into the FreeBSD kernel would be a good start *** UEFI and GPT in OpenBSD (https://www.marc.info/?l=openbsd-cvs&m=144092912907778&w=2) There hasn't been much fanfare about it yet, but some initial UEFI and GPT-related commits have been creeping into OpenBSD recently Some support (https://github.com/yasuoka/openbsd-uefi) for UEFI booting has landed in the kernel, and more bits are being slowly enabled after review This comes along with a number (https://www.marc.info/?l=openbsd-cvs&m=143732984925140&w=2) of (https://www.marc.info/?l=openbsd-cvs&m=144088136200753&w=2) other (https://www.marc.info/?l=openbsd-cvs&m=144046793225230&w=2) commits (https://www.marc.info/?l=openbsd-cvs&m=144045760723039&w=2) related to GPT, much of which is being refactored and slowly reintroduced Currently, you have to do some disklabel wizardry to bypass the MBR limit and access more than 2TB of space on a single drive, but it should "just work" with GPT (once everything's in) The UEFI bootloader support has been committed (https://www.marc.info/?l=openbsd-cvs&m=144115942223734&w=2), so stay tuned for more updates (http://undeadly.org/cgi?action=article&sid=20150902074526&mode=flat) as further (https://twitter.com/kotatsu_mi/status/638909417761562624) progress (https://twitter.com/yojiro/status/638189353601097728) is made *** Feedback/Questions John writes in (http://slexy.org/view/s2sIWfb3Qh) Mason writes in (http://slexy.org/view/s2Ybrx00KI) Earl writes in (http://slexy.org/view/s20FpmR7ZW) ***
Coming up this week, we'll be talking with Adrian Chadd about an infamous reddit thread he made. With a title like "what would you like to see in FreeBSD?" and hundreds of responses, well, we've got a lot to cover... This episode was brought to you by Headlines OpenBSD, from distribution to project (http://www.tedunangst.com/flak/post/from-distribution-to-project) Ted Unangst has yet another interesting blog post up, this time covering a bit of BSD history and some different phases OpenBSD has been through It's the third part of his ongoing (http://www.openbsd.org/papers/pruning.html) series (http://www.tedunangst.com/flak/post/out-with-the-old-in-with-the-less) of posts about OpenBSD removing large bits of code in favor of smaller replacements In the earliest days, OpenBSD collected and maintained code from lots of other projects (Apache, lynx, perl..) After importing new updates every release cycle, they eventually hit a transitional phase - things were updated, but nothing new was imported When the need arose, instead of importing a known tool to do the job, homemade replacements (OpenNTPD, OpenBGPD, etc) were slowly developed In more recent times, a lot of the imported code has been completely removed in favor of the homegrown daemons More discussion on HN (https://news.ycombinator.com/item?id=9980373) and reddit (https://www.reddit.com/r/openbsd/comments/3f9o19/from_distribution_to_project/) *** Remote ZFS mirrors, the hard way (https://github.com/hughobrien/zfs-remote-mirror) Backups to "the cloud" have become a hot topic in recent years, but most of them require trade-offs between convenience and security You have to trust (some of) the providers not to snoop on your data, but even the ones who allow you to locally encrypt files aren't without some compromise As the author puts it: "We don't need live synchronisation, cloud scaling, SLAs, NSAs, terms of service, lock-ins, buy-outs, up-sells, shut-downs, DoSs, fail whales, pay-us-or-we'll-deletes, or any of the noise that comes with using someone else's infrastructure." This guide walks you through setting up a FreeBSD server with ZFS to do secure offsite backups yourself The end result is an automatic system for incremental backups that's backed (pun intended) by ZFS If you're serious about keeping your important data safe and sound, you'll want to give this one a read - lots of detailed instructions *** Various DragonFlyBSD updates (http://lists.dragonflybsd.org/pipermail/commits/2015-July/419064.html) The DragonFly guys have been quite busy this week, making an assortment of improvements throughout the tree Intel ValleyView graphics support was finally committed to the main repository While on the topic of graphics, they've also issued a call for testing (http://lists.dragonflybsd.org/pipermail/users/2015-July/207923.html) for a DRM update (matching Linux 3.16's and including some more Broadwell fixes) Their base GCC compiler is also now upgraded to version 5.2 (http://lists.dragonflybsd.org/pipermail/commits/2015-July/419045.html) If your hardware supports it, DragonFly will now use an accelerated console by default (http://lists.dragonflybsd.org/pipermail/commits/2015-July/419070.html) *** QuakeCon runs on OpenBSD (https://youtu.be/mOv62lBdlXU?t=292) QuakeCon (https://en.wikipedia.org/wiki/QuakeCon), everyone's favorite event full of rocket launchers, recently gave a mini-tour of their network setup For such a crazy network, unsurprisingly, they seem to be big fans of OpenBSD and PF In this video interview, one of the sysadmins discusses why he chose OpenBSD, what he likes about it, different packet queueing systems, how their firewalls and servers are laid out and much more He also talks about why they went with vanilla PF, writing their ruleset from the ground up rather than relying on a prebuilt solution There's also some general networking talk about nginx, reverse proxies, caching, fiber links and all that good stuff Follow-up questions can be asked in this reddit thread (https://www.reddit.com/r/BSD/comments/3f43fh/bsd_runs_quakecon/) The host doesn't seem to be that familiar with the topics at hand, mentioning "OpenPF" multiple times among other things, so our listeners should get a kick out of it *** Interview - Adrian Chadd - adrian@freebsd.org (mailto:adrian@freebsd.org) / @erikarn (https://twitter.com/erikarn) Rethinking ways to improve FreeBSD (https://www.reddit.com/r/freebsd/comments/3d80vt) News Roundup CII contributes to OpenBSD (http://undeadly.org/cgi?action=article&sid=20150804161939) If you recall back to when we talked to the OpenBSD foundation (http://www.bsdnow.tv/episodes/2015_02_25-from_the_foundation_2), one of the things Ken mentioned was the Core Infrastructure Initiative (https://www.coreinfrastructure.org) In a nutshell (https://www.coreinfrastructure.org/faq), it's an organization of security experts that helps facilitate (with money, in most cases) the advancement of the more critical open source components of the internet The group is organized by the Linux foundation, and gets its multi-million dollar backing from various big companies in the technology space (and donations from volunteers) To ensure that OpenBSD and its related projects (OpenSSH, LibreSSL and PF likely being the main ones here) remain healthy, they've just made a large donation to the foundation - this makes them the first (http://www.openbsdfoundation.org/contributors.html) "platinum" level donor as well While the exact amount wasn't disclosed, it was somewhere between $50,000 and $100,000 The donation comes less than a month after Microsoft's big donation (http://undeadly.org/cgi?action=article&sid=20150708134520), so it's good to see these large organizations helping out important open source projects that we depend on every day *** Another BSDCan report (http://freebsdfoundation.blogspot.com/2015/07/bsdcan-2015-trip-report-mark-linimon.html) The FreeBSD foundation is still getting trip reports from BSDCan, and this one comes from Mark Linimon In his report, he mainly covers the devsummit and some discussion with the portmgr team One notable change for the upcoming 10.2 release is that the default binary repository is now the quarterly branch - Mark talks a bit about this as well He also gives his thoughts on using QEMU for cross-compiling packages (http://www.bsdnow.tv/episodes/2015_03_04-just_add_qemu) and network performance testing *** Lumina 0.8.6 released (http://blog.pcbsd.org/2015/08/lumina-desktop-0-8-6-released/) The PC-BSD team has released another version of Lumina (http://www.lumina-desktop.org/), their BSD-licensed desktop environment This is mainly a bugfix and performance improvement release, rather than one with lots of new features The on-screen display widget should be much faster now, and the configuration now allows for easier selection of default applications (which browser, which terminal, etc) Lots of non-English translation updates and assorted fixes are included as well If you haven't given it a try yet, or maybe you're looking for a new window manager, Lumina runs on all the BSDs *** More c2k15 hackathon reports (http://undeadly.org/cgi?action=article&sid=20150730180506) Even more reports from OpenBSD's latest hackathon are starting to pour in The first one is from Alexandr Nedvedicky, one of their brand new developers (the guy from Oracle) He talks about his experience going to a hackathon for the first time, and lays out some of the plans for integrating their (very large) SMP PF patch into OpenBSD Second up is Andrew Fresh (http://undeadly.org/cgi?action=article&sid=20150731191156&mode=flat), who went without any specific plans, but still ended up getting some UTF8 work done On the topic of ARMv7, "I did enjoy being there when things weren't working so [Brandon Mercer] could futilely try to explain the problem to me (I wasn't much help with kernel memory layouts). Fortunately others overheard and provided words of encouragement and some help which was one of my favorite parts of attending this hackathon." Florian Obser sent in a report that includes a little bit of everything (http://undeadly.org/cgi?action=article&sid=20150805151453): setting up the hackathon's network, relayd and httpd work, bidirectional forwarding detection, airplane stories and even lots of food Paul Irofti wrote in as well (http://undeadly.org/cgi?action=article&sid=20150801100002&mode=flat) about his activities, which were mainly focused on the Octeon CPU architecture He wrote a new driver for the onboard flash of a DSR-500 machine, which was built following the Common Flash Interface specification This means that, going forward, OpenBSD will have out-of-the-box support for any flash memory device (often the case for MIPS and ARM-based embedded devices) *** Feedback/Questions Hamza writes in (http://slexy.org/view/s205kqTEIj) Florian writes in (http://slexy.org/view/s2ogIP6cEf) Dominik writes in (http://slexy.org/view/s214xE9ulK) ***
This week we'll be talking with Ryan Lortie and Baptiste Daroussin about GNOME on BSD. Upstream development is finally treating the BSDs as a first class citizen, so we'll hear about how the recent porting efforts have been since. This episode was brought to you by Headlines OpenBSD presents tame (https://www.marc.info/?l=openbsd-tech&m=143725996614627&w=2) Theo de Raadt sent out an email detailing OpenBSD's new "tame" subsystem, written by Nicholas Marriott and himself, for restricting what processes can and can't do When using tame, programs will switch to a "restricted-service operating mode," limiting them to only the things they actually need to do As for the background: "Generally there are two models of operation. The first model requires a major rewrite of application software for effective use (ie. capsicum). The other model in common use lacks granularity, and allows or denies an operation throughout the entire lifetime of a process. As a result, they lack differentiation between program 'initialization' versus 'main servicing loop.' systrace had the same problem. My observation is that programs need a large variety of calls during initialization, but few in their main loops." Some initial categories of operation include: computation, memory management, read-write operations on file descriptors, opening of files and, of course, networking Restrictions can also be stacked further into the lifespan of the process, but removed abilities can never be regained (obviously) Anything that tries to access resources outside of its in-place limits gets terminated with a SIGKILL or, optionally, a SIGABRT (which can produce useful core dumps for investigation) Also included are 29 examples of userland programs that get additional protection with very minimal changes to the source - only 2 or 3 lines needing changed in the case of binaries like cat, ps, dmesg, etc. This is an initial work-in-progress version of tame, so there may be more improvements or further (https://www.marc.info/?l=openbsd-tech&m=143740834710502&w=2) control (https://www.marc.info/?l=openbsd-tech&m=143741052411159&w=2) options added before it hits a release (very specific access policies can sometimes backfire (https://forums.grsecurity.net/viewtopic.php?f=7&t=2522), however) The man page, also included in the mail, provides some specifics about how to integrate tame properly into your code (which, by design, was made very easy to do - making it simple means third party programs are more likely to actually use it) Kernel bits are in the tree now (https://www.marc.info/?l=openbsd-cvs&m=143727335416513&w=2), with userland changes starting to trickle in too Combined with a myriad of memory protections (http://www.bsdnow.tv/episodes/2015_05_13-exclusive_disjunction), tight privilege separation and (above all else (https://en.wikipedia.org/wiki/OpenBSD_security_features)) good coding practices, tame should further harden the OpenBSD security fortress Further discussion (https://news.ycombinator.com/item?id=9928221) can (https://www.reddit.com/r/programming/comments/3dsr0t) be (http://undeadly.org/cgi?action=article&sid=20150719000800&mode=flat) found (https://news.ycombinator.com/item?id=9909429) in (https://www.reddit.com/r/linux/comments/3ds66o) the (https://lobste.rs/s/tbbtfs) usual (https://www.reddit.com/r/openbsd/comments/3ds64c) places (https://www.reddit.com/r/BSD/comments/3ds681) you'd expect *** Using Docker on FreeBSD (https://wiki.freebsd.org/Docker) With the experimental Docker port landing in FreeBSD a few weeks ago, some initial docs are starting to show up This docker is "the real thing," and isn't using a virtual machine as the backend - as such, it has some limitations The FreeBSD wiki has a page detailing how it works in general, as well as more info about those limitations When running Linux containers, it will only work as well as the Linux ABI compat layer for your version of FreeBSD (11.0, or -CURRENT when we're recording this, is where all the action is for 64bit support) For users on 10.X, there's also a FreeBSD container available, which allows you to use Docker as a fancy jail manager (it uses the jail subsystem internally) Give it a try, let us know how you find it to be compared to other solutions *** OpenBSD imports doas, removes sudo (http://www.tedunangst.com/flak/post/doas) OpenBSD has included the ubiquitous "sudo" utility for many years now, and the current maintainer of sudo (Todd C. Miller) is also a long-time OpenBSD dev The version included in the base system was much smaller than the latest current version used elsewhere, but was based on older code Some internal discussion lead to the decision that sudo should probably be moved to ports now, where it can be updated easily and offer all the extra features that were missing in base (LDAP and whatnot) Ted Unangst conjured up with a rewritten utility to replace it in the base system, dubbed "do as," with the aim of being more simple and compact There were concerns that sudo was too big and too complicated, and a quick 'n' dirty check reveals that doas is around 350 lines of code, while sudo is around 10,000 - which would you rather have as a setuid root binary? After the initial import, a number of developers began reviewing and improving various bits here and there You can check out the code (http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/doas/) now if you're interested Command usage (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1) and config syntax (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/doas.conf.5) seem pretty straightforward More discussion (https://news.ycombinator.com/item?id=9914693) on HN *** What would you like to see in FreeBSD (https://www.reddit.com/r/freebsd/comments/3d80vt/what_would_you_like_to_see_in_freebsd/) Adrian Chadd started a reddit thread about areas in which FreeBSD could be improved, asking the community what they'd like to see There are over 200 comments that span a wide range of topics, so we'll just cover a few of the more popular requests - check the very long thread if you're interested in more The top comment says things don't "just work," citing failover link aggregation of LACP laggs, PPPoE issues, disorganized jail configuration options, unclear CARP configuration and userland dtrace being unstable Another common one was that there are three firewalls in the base system, with ipfilter and pf being kinda dead now - should they be removed, and more focus put into ipfw? Video drivers also came up frequently, with users hoping for better OpenGL support and support for newer graphics cards from Intel and AMD - similar comments were made about wireless chipsets as well Some other replies included more clarity with pkgng output, paying more attention to security issues, updating PF to match the one in OpenBSD, improved laptop support, a graphical installer, LibreSSL in base, more focus on embedded MIPS devices, binary packages with different config options, steam support and lots more At least one user suggested better "marketing" for FreeBSD, with more advocacy and (hopefully) more business adoption That one really applies to all the BSDs, and regular users (that's you listening to this) can help make it happen for whichever ones you use right now Maybe Adrian can singlehandedly do all the work and make all the users happy *** Interview - Ryan Lortie & Baptiste Daroussin Porting the latest GNOME code to FreeBSD News Roundup Introducing resflash (http://stable.rcesoftware.com/resflash/) If you haven't heard of resflash before, it's "a tool for building OpenBSD images for embedded and cloud environments in a programmatic, reproducible way" One of the major benefits to images like this is the read-only filesystem, so there's no possibility of filesystem corruption if power is lost There's an optional read-write partition as well, used for any persistent changes you want to make You can check out the source code on Github (https://github.com/bconway/resflash) or read the main site for more info *** Jails with iocage (http://pid1.com/posts/post10.html) There are a growing number of FreeBSD jail management utilities: ezjail, cbsd, warden and a few others After looking at all the different choices, the author of this blog post eventually settled on iocage (https://github.com/iocage/iocage) for the job The post walks you through the basic configuration and usage of iocage for creating managing jails If you've been unhappy with ezjail or some of the others, iocage might be worth giving a try instead (it also has really good ZFS integration) *** DragonFly GPU improvements (http://lists.dragonflybsd.org/pipermail/users/2015-July/207892.html) DragonFlyBSD continues to up their graphics game, this time with Intel's ValleyView series of CPUs These GPUs are primarily used in the newer Atom CPUs and offer much better performance than the older ones A git branch was created to hold the fixes for now while the last remaining bugs get fixed Fully-accelerated Broadwell support and an update to newer DRM code are also available in the git branch, and will be merged to the main tree after some testing *** Branchless development (http://www.tedunangst.com/flak/post/branchless-development) Ted Unangst has a new blog post up, talking about software branches and the effects of having (or not having) them He covers integrating and merging code, and the versioning problems that can happen with multiple people contributing at once "For an open source project, branching is counter intuitively antisocial. For instance, I usually tell people I'm running OpenBSD, but that's kind of a lie. I'm actually running teduBSD, which is like OpenBSD but has some changes to make it even better. Of course, you can't have teduBSD because I'm selfish. I'm also lazy, and only inclined to make my changes work for me, not everyone else." The solution, according to him, is bringing all the code the developers are using closer together One big benefit is that WIP code gets tested much faster (and bugs get fixed early on) *** Feedback/Questions Matthew writes in (http://slexy.org/view/s21yQtBCCK) Chris writes in (http://slexy.org/view/s21oFA80kY) Anonymous writes in (http://slexy.org/view/s2JYvTlJlm) Bill writes in (http://slexy.org/view/s21LXvk53z) ***
Coming up this week, we'll be talking with Jun Ebihara about some lesser-known CPU architectures in NetBSD. He'll tell us what makes these old (and often forgotten) machines so interesting. As usual, we've also got answers to your emails and all this week's news on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Out with the old, in with the less (http://www.tedunangst.com/flak/post/out-with-the-old-in-with-the-less) Our friend Ted Unangst has a new article up, talking about "various OpenBSD replacements and reductions" "Instead of trying to fix known bugs, we're trying to fix unknown bugs. It's not based on the current buggy state of the code, but the anticipated future buggy state of the code. Past bugs are a bigger factor than current bugs." In the post, he goes through some of the bigger (and smaller) examples of OpenBSD rewriting tools to be simpler and more secure It starts off with a lesser-known SCSI driver that "tried to do too much" being replaced with three separate drivers "Each driver can now be modified in isolation without unintentional side effects on other hardware, or the need to consider if and where further special cases need to be added. Despite the fact that these three drivers duplicate all the common boilerplate code, combined they only amount to about half as much code as the old driver." In contrast to that example, he goes on to cite mandoc as taking a very non "unixy" direction, but at the same time being smaller and simpler than all the tools it replaced The next case is the new http daemon, and he talks a bit about the recently-added rewrite support being done in a simple and secure way (as opposed to regex and its craziness) He also talks about the rewritten "file" utility: "Almost by definition, its sole input will be untrusted input. Perversely, people will then trust what file tells them and then go about using that input, as if file somehow sanitized it." Finally, sudo in OpenBSD's base system is moving to ports soon, and the article briefly describes a new tool that may or may not replace it (https://marc.info/?l=openbsd-ports&m=143481227122523&w=2), called "doas" There's also a nice wrap-up of all the examples at the end, and the "Pruning and Polishing (http://www.openbsd.org/papers/pruning.html)" talk is good complementary reading material *** More OpenZFS and BSDCan videos (https://www.youtube.com/channel/UC0IK6Y4Go2KtRueHDiQcxow/videos) We mentioned last week (http://www.bsdnow.tv/episodes/2015_06_24-bitrot_group_therapy) that some of the videos from the second OpenZFS conference in Europe were being uploaded - here's some more Matt Ahrens did a Q&A session (https://www.youtube.com/watch?v=I6fXZ_6OT5c) and talked about ZFS send and receive (https://www.youtube.com/watch?v=iY44jPMvxog), as well as giving an overview of OpenZFS (https://www.youtube.com/watch?v=RQlMDmnty80) George Wilson talked about a performance retrospective (https://www.youtube.com/watch?v=KBI6rRGUv4E) Toshiba (https://www.youtube.com/watch?v=sSi47-k78IM), Syneto (https://www.youtube.com/watch?v=Hhje5KEF5cE) and HGST (https://www.youtube.com/watch?v=aKgxXipss8k) also gave some talks about their companies and how they're using ZFS As for BSDCan, more of their BSD presentations have been uploaded too... Ryan Stone, PCI SR-IOV on FreeBSD (https://www.youtube.com/watch?v=INeMd-i5jzM) George Neville-Neil, Measure Twice, Code Once (https://www.youtube.com/watch?v=LE4wMsP7zeA) Kris Moore, Unifying jail and package management for PC-BSD, FreeNAS and FreeBSD (https://www.youtube.com/watch?v=qNYXqpJiFN0) Warner Losh, I/O Scheduling in CAM (https://www.youtube.com/watch?v=3WqOLolj5EU) Kirk McKusick, An Introduction to the Implementation of ZFS (https://www.youtube.com/watch?v=l-RCLgLxuSc) Midori Kato, Extensions to FreeBSD Datacenter TCP for Incremental Deployment Support (https://www.youtube.com/watch?v=zZXvjhWcg_4) Baptiste Daroussin, Packaging FreeBSD's (https://www.youtube.com/watch?v=Br6izhH5P1I) base system (https://www.youtube.com/watch?v=v7px6ktoDAI) Matt Ahrens, New OpenZFS features supporting remote replication (https://www.youtube.com/watch?v=UOX7WDAjqso) Ed Schouten, CloudABI Cloud computing meets fine-grained capabilities (https://www.youtube.com/watch?v=SVdF84x1EdA) The audio of Ingo Schwarze's talk "mandoc: becoming the main BSD manual toolbox" got messed up, but there's an alternate recording here (http://www.bsdcan.org/2015/audio/mandoc.mp3), and the slides are here (http://www.openbsd.org/papers/bsdcan15-mandoc.pdf) *** SMP steroids for PF (https://www.marc.info/?l=openbsd-tech&m=143526329006942&w=2) An Oracle employee that's been porting OpenBSD's PF to an upcoming Solaris release has sent in an interesting patch for review Attached to the mail was what may be the beginnings of making native PF SMP-aware Before you start partying, the road to SMP (specifically, giant lock removal) is a long and very complicated one, requiring every relevant bit of the stack to be written with it in mind - this is just one piece of the puzzle The initial response (https://www.marc.info/?l=openbsd-tech&m=143532243322281&w=2) has been quite positive though, with some back and forth (https://www.marc.info/?l=openbsd-tech&m=143532963824548&w=2) between developers and the submitter For now, let's be patient and see what happens *** DragonFly 4.2.0 released (http://www.dragonflybsd.org/release42/) DragonFlyBSD has released the next big update of their 4.x branch, complete with a decent amount of new features and fixes i915 and Radeon graphics have been updated, and DragonFly can claim the title of first BSD with Broadwell support in a release Sendmail in the base system has been replaced with their homegrown DragonFly Mail Agent, and there's a wiki page (http://www.dragonflybsd.com/docs/docs/newhandbook/mta/) about configuring it They've also switched the default compiler to GCC 5, though why they've gone in that direction instead of embracing Clang is a mystery The announcement page also contains a list of kernel changes, details on the audio and graphics updates, removal of the SCTP protocol, improvements to the temperature sensors, various userland utility fixes and a list of updates to third party tools Work is continuing on the second generation HAMMER filesystem, and Matt Dillon provides a status update in the release announcement There was also some hacker news discussion (https://news.ycombinator.com/item?id=9797932) you can check out, as well as upgrade instructions (http://lists.dragonflybsd.org/pipermail/users/2015-June/207801.html) *** OpenSMTPD 5.7.1 released (https://opensmtpd.org/announces/release-5.7.1.txt) The OpenSMTPD guys have just released version 5.7.1, a major milestone version that we mentioned recently Crypto-related bits have been vastly improved: the RSA engine is now privilege-separated, TLS errors are handled more gracefully, ciphers and curve preferences can now be specified, the PKI interface has been reworked to allow custom CAs, SNI and certificate verification have been simplified and the DH parameters are now 2048 bit by default The long-awaited filter API is now enabled by default, though still considered slightly experimental Documentation has been improved quite a bit, with more examples and common use cases (as well as exotic ones) Many more small additions and bugfixes were made, so check the changelog for the full list Starting with 5.7.1, releases are now cryptographically (https://twitter.com/OpenSMTPD/status/613257722574839808) signed (https://www.opensmtpd.org/archives/opensmtpd-5.7.1.sum.sig) to ensure integrity This release has gone through some major stress testing to ensure stability - Gilles regularly asks their Twitter followers to flood a test server (https://twitter.com/OpenSMTPD/status/608399272447471616) with thousands of emails per second, even offering prizes (https://twitter.com/OpenSMTPD/status/608235180839567360) to whoever can DDoS them the hardest OpenSMTPD runs on all the BSDs of course, and seems to be getting pretty popular lately Let's all encourage (mailto:feedback@bsdnow.tv) Kris to stop procrastinating on switching from Postfix *** Interview - Jun Ebihara (蛯原純) - jun@netbsd.org (mailto:jun@netbsd.org) / @ebijun (https://twitter.com/ebijun) Lesser-known CPU architectures, embedded NetBSD devices News Roundup FreeBSD foundation at BSDCan (http://freebsdfoundation.blogspot.com/2015/06/bsdcan-2015-trip-report-steven-douglas.html) The FreeBSD foundation has posted a few BSDCan summaries on their blog The first, from Steven Douglas, begins with a sentiment a lot of us can probably identify with: "Where I live, there are only a handful of people that even know what BSD is, let alone can talk at a high level about it. That was one of my favorite things, being around like minded people." He got to meet a lot of the people working on big-name projects, and enjoyed being able to ask them questions so easily Their second (http://freebsdfoundation.blogspot.com/2015/06/bsdcan-2015-trip-report-ahmed-kamal.html) trip report is from Ahmed Kamal, who flew in all the way from Egypt A bit starstruck, he seems to have enjoyed all the talks, particularly Andrew Tanenbaum's about MINIX and NetBSD There are also two more wrap-ups from Zbigniew Bodek (http://freebsdfoundation.blogspot.com/2015/06/bsdcan-2015-trip-report-zbigniew-bodek.html) and Vsevolod Stakhov (http://freebsdfoundation.blogspot.com/2015/06/bsdcan-2015-trip-report-vsevolod-stakhov.html), so you've got plenty to read *** OpenBSD from a veteran Linux user perspective (http://cfenollosa.com/blog/openbsd-from-a-veteran-linux-user-perspective.html) In a new series of blog posts, a self-proclaimed veteran Linux user is giving OpenBSD a try for the first time "For the first time I installed a BSD box on a machine I control. The experience has been eye-opening, especially since I consider myself an 'old-school' Linux admin, and I've felt out of place with the latest changes on the system administration." The post is a collection of his thoughts about what's different between Linux and BSD, what surprised him as a beginner - admittedly, a lot of his knowledge carried over, and there were just minor differences in command flags One of the things that surprised him (in a positive way) was the documentation: "OpenBSD's man pages are so nice that RTFMing somebody on the internet is not condescending but selfless." He also goes through some of the basics, installing and updating software, following different branches It concludes with "If you like UNIX, it will open your eyes to the fact that there is more than one way to do things, and that system administration can still be simple while modern." *** FreeBSD on the desktop, am I crazy (http://sysconfig.org.uk/freebsd-on-the-desktop-am-i-crazy.html) Similar to the previous article, the guy that wrote the SSH two factor authentication post we covered last week has another new article up - this time about FreeBSD on the desktop He begins with a bit of forewarning for potential Linux switchers: "It certainly wasn't an easy journey, and I'm tempted to say do not try this at home to anybody who isn't going to leverage any of FreeBSD's strong points. Definitely don't try FreeBSD on the desktop if you haven't used it on servers or virtual machines before. It's got less in common with Linux than you might think." With that out of the way, the list of positives is pretty large: a tidy base system, separation between base and ports, having the option to choose binary packages or ports, ZFS, jails, licensing and of course the lack of systemd The rest of the post talks about some of the hurdles he had to overcome, namely with graphics and the infamous Adobe Flash Also worth noting is that he found jails to be not only good for isolating daemons on a server, but pretty useful for desktop applications as well In the end, he says it was worth all the trouble, and is even planning on converting his laptop to FreeBSD soon too *** OpenIKED and Cisco CSR 1000v IPSEC (https://www.netflask.net/ipsec-ikev2-cisco-csr1000v-openiked/) This article covers setting up a site-to-site IPSEC tunnel between a Cisco CSR 1000v router and an OpenBSD gateway running OpenIKED What kind of networking blog post would be complete without a diagram where the internet is represented by a big cloud There are lots of details (and example configuration files) for using IKEv2 and OpenBSD's built-in IKE daemon It also goes to show that the BSDs generally play well with existing network infrastructure, so if you were a business that's afraid to try them… don't be *** HardenedBSD improves stack randomization (https://github.com/HardenedBSD/hardenedBSD/commit/bd5cecb4dc7947a5e214fc100834399b4bffdee8) The HardenedBSD guys have improved their FreeBSD ASLR patchset, specifically in the stack randomization area In their initial implementation, the stack randomization was a random gap - this update makes the base address randomized as well They're now stacking the new on top of the old as well, with the goal being even more entropy This change triggered an ABI and API incompatibility, so their major version has been bumped *** OpenSSH 6.9 released (https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-July/000121.html) The OpenSSH team has announced the release of a new version which, following their tick/tock major/minor release cycle, is focused mainly on bug fixes There are a couple new things though - the "AuthorizedKeysCommand" config option now takes custom arguments One very notable change is that the default cipher has changed as of this release The traditional pairing of AES128 in counter mode with MD5 HMAC has been replaced by the ever-trendy ChaCha20-Poly1305 combo Their next release, 7.0, is set to get rid a number of legacy items: PermitRootLogin will be switched to "no" by default, SSHv1 support will be totally disabled, the 1024bit diffie-hellman-group1-sha1 KEX will be disabled, old ssh-dss and v00 certs will be removed, a number of weak ciphers will be disabled by default (including all CBC ones) and RSA keys will be refused if they're under 1024 bits Many small bugs fixes and improvements were also made, so check the announcement for everything else The native version is in OpenBSD -current, and an update to the portable version should be hitting a ports or pkgsrc tree near you soon *** Feedback/Questions Brad writes in (http://slexy.org/view/s2Ws6Y2rZy) Mason writes in (http://slexy.org/view/s21GvZ5xbs) Jochen writes in (http://slexy.org/view/s209TrPK4e) Simon writes in (http://slexy.org/view/s21TQjUjxv) ***
This week on the show, we'll be chatting with Marc Espie. He's recently added some additional security measures to dpb, OpenBSD's package building tool, and we'll find out why they're so important. We've also got all this week's news, answers to your emails and even a BSDCan wrap-up, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines BSDCan 2015 videos (https://www.bsdcan.org/2015/schedule/) BSDCan just ended last week, but some of the BSD-related presentation videos are already online Allan Jude, UCL for FreeBSD (https://www.youtube.com/watch?v=8l6bhKIDecg) Andrew Cagney, What happens when a dwarf and a daemon start dancing by the light of the silvery moon? (https://www.youtube.com/watch?v=XDIcD4LR5HE) Andy Tanenbaum, A reimplementation of NetBSD (https://www.youtube.com/watch?v=0pebP891V0c) using a MicroKernel (https://www.youtube.com/watch?v=Bu1JuwVfYTc) Brooks Davis, CheriBSD: A research fork of FreeBSD (https://www.youtube.com/watch?v=DwCg-51vFAs) Giuseppe Lettieri, Even faster VM networking with virtual passthrough (https://www.youtube.com/watch?v=Lo6wDCapo4k) Joseph Mingrone, Molecular Evolution, Genomic Analysis and FreeBSD (https://www.youtube.com/watch?v=K2pnf1YcMTY) Olivier Cochard-Labbe, Large-scale plug&play x86 network appliance deployment over Internet (https://www.youtube.com/watch?v=6jhSvdnu4k0) Peter Hessler, Using routing domains / routing tables in a production network (https://www.youtube.com/watch?v=BizrC8Zr-YY) Ryan Lortie, a stitch in time: jhbuild (https://www.youtube.com/watch?v=YSVFnM3_2Ik) Ted Unangst, signify: Securing OpenBSD From Us To You (https://www.youtube.com/watch?v=9R5s3l-0wh0) Many more still to come... *** Documenting my BSD experience (http://pid1.com/posts/post1.html) Increasingly common scenario: a long-time Linux user (since the mid-90s) decides it's finally time to give BSD a try "That night I came home, I had been trying to find out everything I could about BSD and I watched many videos, read forums, etc. One of the shows I found was BSD Now. I saw that they helped people and answered questions, so I decided to write in." In this ongoing series of blog posts, a user named Michael writes about his initial experiences with trying different BSDs for some different tasks The first post covers ZFS on FreeBSD, used to build a file server for his house (and of course he lists the hardware, if you're into that) You get a glimpse of a brand new user trying things out, learning how great ZFS-based RAID arrays are and even some of the initial hurdles someone could run into He's also looking to venture into the realm of replacing some of his VMs with jails and bhyve soon His second post (http://pid1.com/posts/post2.html) explores replacing the firewall on his self-described "over complicated home network" with an OpenBSD box After going from ipfwadmin to ipchains to iptables, not even making it to nftables, he found the simple PF syntax to be really refreshing All the tools for his networking needs, the majority of which are in the base system, worked quickly and were easy to understand Getting to hear experiences like this are very important - they show areas where all the BSD developers' hard work has paid off, but can also let us know where we need to improve *** PC-BSD tries HardenedBSD builds (https://github.com/pcbsd/hardenedBSD-stable) The PC-BSD team has created a new branch of their git repo with the HardenedBSD ASLR patches integrated They're not the first major FreeBSD-based project to offer an alternate build - OPNsense did that (https://hardenedbsd.org/article/shawn-webb/2015-05-08/hardenedbsd-teams-opnsense) a few weeks ago - but this might open the door for more projects to give it a try as well With Personacrypt, OpenNTPD, LibreSSL and recent Tor integration through the tools, these additional memory protections will offer PC-BSD users even more security that a default FreeBSD install won't have Time will tell if more projects and products like FreeNAS might be interested too *** C-states in OpenBSD (https://www.marc.info/?l=openbsd-cvs&m=143423172522625&w=2) People who run BSD on their notebooks, you'll want to pay attention to this one OpenBSD has recently committed some ACPI improvements for deep C-states (http://www.hardwaresecrets.com/article/Everything-You-Need-to-Know-About-the-CPU-C-States-Power-Saving-Modes/611), enabling the processor to enter a low-power mode According (https://twitter.com/StevenUniq/status/610586711358316545) to a (https://www.marc.info/?l=openbsd-misc&m=143430996602802&w=2) few users (https://www.marc.info/?l=openbsd-misc&m=143429914700826&w=2) so far (https://www.marc.info/?l=openbsd-misc&m=143425943026225&w=2), the change has resulted in dramatically lower CPU temperatures on their laptops, as well as much better battery life If you're running OpenBSD -current on a laptop, try out the latest snapshot and report back (https://www.marc.info/?l=openbsd-misc&m=143423391222952&w=2) with your findings *** NetBSD at Open Source Conference 2015 Hokkaido (https://mail-index.netbsd.org/netbsd-advocacy/2015/06/13/msg000687.html) The Japanese NetBSD users group never sleeps, and they've hit yet another open source conference As is usually the case, lots of strange machines on display were running none other than NetBSD (though it was mostly ARM this time) We'll be having one of these guys on the show next week to discuss some of the lesser-known NetBSD platforms *** Interview - Marc Espie - espie@openbsd.org (mailto:espie@openbsd.org) / @espie_openbsd (https://twitter.com/espie_openbsd) Recent (https://www.marc.info/?l=openbsd-ports&m=143051151521627&w=2) improvements (https://www.marc.info/?l=openbsd-ports&m=143151777209226&w=2) to OpenBSD's dpb (http://www.bsdnow.tv/tutorials/dpb) tool News Roundup Introducing xhyve, bhyve on OS X (https://github.com/mist64/xhyve/blob/master/README.md) We've talked about FreeBSD's "bhyve" hypervisor a lot on the show, and now it's been ported to another OS As the name "xhyve" might imply, it's a port of bhyve to Mac OS X Currently it only has support for virtualizing a few Linux distributions, but more guest systems can be added in the future It runs entirely in userspace, and has no extra requirements beyond OS X 10.10 or newer There are also a few examples (http://www.pagetable.com/?p=831) on how to use it *** 4K displays on DragonFlyBSD (http://www.dragonflybsd.org/docs/newhandbook/docs/newhandbook/4KDisplays/) If you've been using DragonFly as a desktop, maybe with those nice Broadwell graphics, you'll be pleased to know that 4K displays work just fine Matthew Dillon wrote up a wiki page about some of the specifics, including a couple gotchas Some GUI applications might look weird on such a huge resolution, HDMI ports are mostly limited to a 30Hz refresh rate, and there are slightly steeper hardware requirements for a smooth experience *** Sandboxing port daemons on OpenBSD (http://coderinaworldofcode.blogspot.com/2015/06/chrooting-mumble-server-on-openbsd.html) We talked about different containment methods last week, and mentioned that a lot of the daemons in OpenBSD's base as chrooted by default - things from ports or packages don't always get the same treatment This blog post uses a mumble server as an example, but you can apply it to any service from ports that doesn't chroot by default It goes through the process of manually building a sandbox with all the libraries you'll need to run the daemon, and this setup will even wipe and refresh the chroot every time you restart it With a few small changes, similar tricks could be done on the other BSDs as well - everybody has chroots *** SmallWall 1.8.2 released (http://smallwall.freeforums.net/thread/44/version-1-8-2-released) SmallWall is a relatively new BSD-based project that we've never covered before It's an attempt to keep the old m0n0wall codebase going, and appears to have started around the time m0n0wall called it quits They've just released the first official version (http://www.smallwall.org/download.html), so you can give it a try now If you're interested in learning more about SmallWall, the lead developer just might be on the show in a few weeks... *** Feedback/Questions David writes in (http://slexy.org/view/s21gRTNnk7) Brian writes in (http://slexy.org/view/s2DdiMvELg) Dan writes in (http://slexy.org/view/s2h4ZS6SMd) Joel writes in (http://slexy.org/view/s20kA1jeXY) Steve writes in (http://slexy.org/view/s2wJ9HP1bs) ***
This time on the show, we'll be talking with Ed Schouten about CloudABI. It's a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week's BSD news and answers to your emails, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines FreeBSD quarterly status report (https://www.freebsd.org/news/status/report-2015-01-2015-03.html) The FreeBSD team has posted a report of the activities that went on between January and March of this year As usual, it's broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc) The ports team continuing battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward FreeBSD's future release support model was also finalized and published in February, which should be a big improvement for both users and the release team Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code Lots of activity is happening in bhyve, some of which we've covered recently (http://www.bsdnow.tv/episodes/2015_04_29-on_the_list), and a number of improvements were made this quarter Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being The project to replace forth in the bootloader with lua is in its final stages, and can be used on x86 already ASLR work (http://www.bsdnow.tv/episodes/2014_08_27-reverse_takeover) is still being done by the HardenedBSD guys, and their next aim is position-independent executable The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64) *** OpenBSD 5.7 released (http://www.openbsd.org/57.html) OpenBSD has formally released another new version, complete with the giant changelog we've come to expect In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs If you're using one of the Soekris boards, there's even a new driver (http://bodgitandscarper.co.uk/openbsd/further-soekris-net6501-improvements-for-openbsd/) to manipulate the GPIO and LEDs on them - this has some fun possibilities Some new security improvements include: SipHash (https://en.wikipedia.org/wiki/SipHash) being sprinkled in some areas to protect hashing functions, big W^X improvements (https://www.marc.info/?l=openbsd-tech&m=142120787308107&w=2) in the kernel space, static PIE (http://www.bsdnow.tv/episodes/2015_04_15-pie_in_the_sky) on all architectures, deterministic "random" functions being replaced (https://www.marc.info/?l=openbsd-tech&m=141807224826859&w=2) with strong randomness, and support for remote logging over TLS The entire source tree has also been audited to use reallocarray (http://lteo.net/blog/2014/10/28/reallocarray-in-openbsd-integer-overflow-detection-for-free/), which unintentionally saved (https://splone.com/blog/2015/3/11/integer-overflow-prevention-in-c) OpenBSD's libc from being vulnerable to earlier attacks (https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/) affecting other BSDs' implementations Being that it's OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL) Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore - very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily BIND and nginx have been taken out, so you'll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon Speaking of httpd, it's gotten a number of new (http://www.openbsd.org/papers/httpd-slides-asiabsdcon2015.pdf) features (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/httpd.conf.5), and has had time to grow and mature since its initial debut - if you've been considering trying it out, now would be a great time to do so This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc (http://www.bsdnow.tv/episodes/2014_11_12-a_mans_man) Check the errata page (http://www.openbsd.org/errata57.html) for any post-release fixes, and the upgrade guide (http://www.openbsd.org/faq/upgrade57.html) for specific instructions on updating from 5.6 Groundwork has also been laid for some major SMP scalability improvements - look forward to those in future releases There's a song and artwork (http://www.openbsd.org/lyrics.html#57) to go along with the release as always, and CDs should be arriving within a few days - we'll show some pictures next week Consider picking one up (https://www.openbsdstore.com) to support the project (and it's the only way to get puffy stickers) For those of you paying close attention, the banner image (http://www.openbsd.org/images/puffy57.gif) for this release just might remind you of a certain special episode (http://www.bsdnow.tv/episodes/2014_09_03-its_hammer_time) of BSD Now... *** Tor-BSD diversity project (https://torbsd.github.io/) We've talked about Tor on the show a few times, and specifically about getting more of the network on BSD (Linux has an overwhelming majority right now) A new initiative has started to do just that, called the Tor-BSD diversity project "Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. Diversity means single vulnerabilities are less likely to harm the entire ecosystem. [...] A single kernel vulnerability in GNU/Linux that impacting Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity." In addition to encouraging people to put up more relays, they're also continuing work on porting the Tor Browser Bundle to BSD, so more desktop users can have easy access to online privacy There's an additional progress report (http://trac.haqistan.net/blog/tor-browser-ports-progress) for that part specifically, and it looks like most of the work is done now Engaging the broader BSD community about Tor and fixing up the official documentation are also both on their todo list If you've been considering running a node to help out, there's always our handy tutorial (http://www.bsdnow.tv/tutorials/tor) on getting set up *** PC-BSD 10.1.2-RC1 released (http://blog.pcbsd.org/2015/05/pc-bsd-10-1-2-rc1-now-available/) If you want a sneak peek at the upcoming PC-BSD 10.1.2, the first release candidate is now available to grab This quarterly update includes a number of new features, improvements and even some additional utilities PersonaCrypt is one of them - it's a new tool for easily migrating encrypted home directories between systems A new "stealth mode" option allows for a one-time login, using a blank home directory that gets wiped after use Similarly, a new "Tor mode" allows for easy tunneling of all your traffic through the Tor network IPFW is now the default firewall, offering improved VIMAGE capabilities The life preserver backup tool now allows for bare-metal restores via the install CD ISC's NTP daemon has been replaced with OpenNTPD (http://www.bsdnow.tv/episodes/2015_02_11-time_for_a_change), and OpenSSL has been replaced with LibreSSL (http://www.bsdnow.tv/episodes/2015_03_25-ssl_in_the_wild) It also includes the latest Lumina (http://www.bsdnow.tv/episodes/2014_09_10-luminary_environment) desktop, and there's another post dedicated to that (http://blog.pcbsd.org/2015/05/pc-bsd-10-1-2-rc1-lumina-desktop-0-8-4-released/) Binary packages have also been updated to fresh versions from the ports tree More details, including upgrade instructions, can be found in the linked blog post *** Interview - Ed Schouten - ed@freebsd.org (mailto:ed@freebsd.org) / @edschouten (https://twitter.com/edschouten) CloudABI (https://www.bsdcan.org/2015/schedule/track/Security/524.en.html) News Roundup Open Household Router Contraption (http://code.saghul.net/index.php/2015/05/01/announcing-the-open-household-router-contraption/) This article introduces OpenHRC, the "Open Household Router Contraption" In short, it's a set of bootstrapping scripts to turn a vanilla OpenBSD install into a feature-rich gateway device It also makes use of Ansible playbooks for configuration, allowing for a more "mass deployment" type of setup Everything is configured via a simple text file, and you end up with a local NTP server, DHCP server, firewall (obviously) and local caching DNS resolver - it even does DNSSEC validation All the code is open source and on Github (https://github.com/ioc32/openhrc), so you can read through what's actually being changed and put in place There's also a video guide (https://www.youtube.com/watch?v=LZeKDM5jc90) to the entire process, if you're more of a visual person *** OPNsense 15.1.10 released (https://forum.opnsense.org/index.php?topic=365.0) Speaking of BSD routers, if you're looking for a "prebuilt and ready to go" option, OPNsense has just released a new version 15.1.10 drops some of the legacy patches they inherited from pfSense, aiming to stay closer to the mainline FreeBSD source code Going along with this theme, they've redone how they do ports, and are now kept totally in sync with the regular ports tree Their binary packages are now signed using the fingerprint-style method, various GUI menus have been rewritten and a number of other bugs were fixed NanoBSD-based images are also available now, so you can try it out on hardware with constrained resources as well Version 15.1.10.1 (https://twitter.com/opnsense/status/596009164746432512) was released shortly thereafter, including a hotfix for VLANs *** IBM Workpad Z50 and NetBSD (https://www.ibm.com/developerworks/community/blogs/hpcgoulash/entry/ibm_workpad_z50_netbsd_an_interesting_combination1?lang=en) Before the infamous netbook fad came and went, IBM had a handheld PDA device that looked pretty much the same Back in 1999, they released the Workpad Z50 (http://www.hpcfactor.com/reviews/hardware/ibm/workpad-z50/) with Windows CE, sporting a 131MHz MIPS CPU, 16MB of RAM and a 640x480 display You can probably tell where this is going... the article is about installing NetBSD it "What prevents me from taking my pristine Workpad z50 to the local electronics recycling facility is NetBSD. With a little effort it is possible to install recent versions of NetBSD on the Workpad z50 and even have XWindows running" The author got pkgsrc up and running on it too, and cleverly used distcc to offload the compiling jobs to something a bit more modern He's also got a couple (https://www.youtube.com/watch?v=hSLVnSZKB9I) videos (https://www.youtube.com/watch?v=mIA-NWEHLM4) of the bootup process and running Xorg (neither of which we'd call "speedy" by any stretch of the imagination) *** FreeBSD from the trenches (http://freebsdfoundation.blogspot.com/2015/04/from-trenches-tips-tricks-edition.html) The FreeBSD foundation has a new blog post up in their "from the trenches" series, detailing FreeBSD in some real-world use cases In this installment, Glen Barber talks about how he sets up all his laptops with ZFS and GELI While the installer allows for an automatic ZFS layout, Glen notes that it's not a one-size-fits-all thing, and goes through doing everything manually Each command is explained, and he walks you through the process of doing an encrypted installation (http://www.bsdnow.tv/tutorials/fde) on your root zpool *** Broadwell in DragonFly (http://lists.dragonflybsd.org/pipermail/users/2015-May/207671.html) DragonFlyBSD has officially won the race to get an Intel Broadwell graphics driver Their i915 driver has been brought up to speed with Linux 3.14's, adding not only Broadwell support, but many other bugfixes for other cards too It's planned for commit to the main tree very soon, but you can test it out with a git branch for the time being *** Feedback/Questions Bostjan writes in (http://slexy.org/view/s216QQcHyX) Hunter writes in (http://slexy.org/view/s21hGSk3c0) Hrishi writes in (http://slexy.org/view/s20JwPw9Je) Clint writes in (http://slexy.org/view/s2x1GYr7y6) Sergei writes in (http://slexy.org/view/s2swXxr2PX) *** Mailing List Gold How did you guess (https://lists.freebsd.org/pipermail/freebsd-advocacy/2015-May/004541.html) ***
Coming up this time on the show, we'll be chatting with Antoine Jacoutot about how M:Tier uses BSD in their business. After that, we'll be discussing the different release models across the BSDs, and which style we like the most. As always, answers to your emails and all the latest news, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Optimizing TLS for high bandwidth applications (https://people.freebsd.org/~rrs/asiabsd_2015_tls.pdf) Netflix has released a report on some of their recent activities, pushing lots of traffic through TLS on FreeBSD TLS has traditionally had too much overhead for the levels of bandwidth they're using, so this pdf outlines some of their strategy in optimizing it The sendfile() syscall (which nginx uses) isn't available when data is encrypted in userland To get around this, Netflix is proposing to add TLS support to the FreeBSD kernel Having encrypted movie streams would be pretty neat *** Crypto in unexpected places (https://www.marc.info/?l=openbsd-cvs&m=142944822223482&w=2) OpenBSD is somewhat known for its integrated cryptography, right down to strong randomness in every place you could imagine (process IDs, TCP initial sequence numbers, etc) One place you might not expect crypto to be used (or even needed) is in the "ping" utility, right? Well, think again David Gwynne recently committed (https://www.marc.info/?l=openbsd-cvs&m=142944754923359&w=2) a change that adds MAC (https://en.wikipedia.org/wiki/Message_authentication_code) to the ping timestamp payload By default, it'll be filled with a ChaCha stream instead of an unvarying payload, and David says "this lets us have some confidence that the timestamp hasn't been damaged or tampered with in transit" Not only is this a security feature, but it should also help detect dodgy or malfunctioning network equipment going forward Maybe we can look forward to a cryptographically secure "echo" command next... *** Broadwell in DragonFly (http://www.dragonflybsd.org/docs/newhandbook/docs/newhandbook/BroadwellBoxes/) The DragonFlyBSD guys have started a new page on their wiki to discuss Broadwell hardware and its current status Matt Dillon, the project lead, recently bought some hardware with this chipset, and lays out what works and what doesn't work The two main show-stoppers right now are the graphics and wireless, but they have someone who's already making progress with the GPU support Wireless support will likely have to wait until FreeBSD gets it, then they'll port it back over None of the BSDs currently have full Broadwell support, so stay tuned for further updates *** DIY NAS software roundup (http://blog.brianmoses.net/2015/04/diy-nas-software-roundup.html) In this blog post, the author compares a few different software solutions for a network attached storage device He puts FreeNAS, one of our favorites, up against a number of opponents - both BSD and Linux-based NAS4Free gets an honorable mention as well, particularly for its lower hardware requirements and sleek interface If you've been thinking about putting together a NAS, but aren't quite comfortable enough to set it up by yourself yet, this article should give you a good view of the current big names Some competition is always good, gotta keep those guys on their toes *** Interview - Antoine Jacoutot - ajacoutot@openbsd.org (mailto:ajacoutot@openbsd.org) / @ajacoutot (https://twitter.com/ajacoutot) OpenBSD at M:Tier (http://www.mtier.org/about-us/), business adoption of BSD, various topics News Roundup OpenBSD on DigitalOcean (http://www.tubsta.com/2015/04/openbsd-on-digital-ocean/) When DigitalOcean rolled out initial support for FreeBSD, it was a great step in the right direction - we hoped that all the other BSDs would soon follow This is not yet the case, but a blog article here has details on how you can install OpenBSD (and likely the others too) on your VPS Using a -current snapshot and some swapfile trickery, it's possible to image an OpenBSD ramdisk installer onto an unmounted portion of the virtual disk After doing so, you just boot from their web UI-based console and can perform a standard installation You will have to pay special attention to some details of the disk layout, but this article takes you through the entire process step by step *** Initial ARM64 support lands in FreeBSD (https://svnweb.freebsd.org/base?view=revision&revision=281494) The ARM64 architecture, sometimes called ARMv8 or AArch64 (https://wiki.freebsd.org/arm64), is a new generation of CPUs that will mostly be in embedded devices FreeBSD has just gotten support for this platform in the -CURRENT branch Previously, it was only the beginnings of the kernel and enough bits to boot in QEMU - now a full build (https://lists.freebsd.org/pipermail/freebsd-testing/2015-April/000918.html) is possible Work should now start happening in the main source code tree, and hopefully they'll have full support in a branch soon *** Scripting with least privilege (http://shill.seas.harvard.edu/) A new scripting language with a focus on privilege separation and running with only what's absolutely needed has been popular in the headlines lately Shell scripts are used everywhere today: startup scripts, orchestration scripts for mass deployment, configuring and compiling software, etc. Shill aims to answer the questions "how do we limit the authority of scripts" and "how do we determine what authority is necessary" by including a declarative security policy that's checked and enforced by the language runtime If used on FreeBSD, Shill will use Capsicum for sandboxing You can find some more of the technical information in their documentation pdf (http://shill.seas.harvard.edu/shill-osdi-2014.pdf) or watch their USENIX presentation (https://2459d6dc103cb5933875-c0245c5c937c5dedcca3f1764ecc9b2f.ssl.cf2.rackcdn.com/osdi14/moore.mp4) video Hacker News also had some discussion (https://news.ycombinator.com/item?id=9328277) on the topic *** OpenBSD first impressions (http://blog.greduan.com/2015-04-19-mstobfi.html) A brand new BSD user has started documenting his experience through a series of blog posts Formerly a Linux guy, he's tried out FreeBSD and OpenBSD so far, and is currently working on an OpenBSD desktop The first post goes into why he chose BSD at all, why he's switching away from Linux, how the initial transition has been, what you'll need to relearn and what he's got planned going forward He's only been using OpenBSD for a few days as of the time this was written - we don't usually get to hear from people this early in on their BSD journey, so it offers a unique perspective *** PCBSD and 4K oh my! (http://blog.pcbsd.org/2015/04/pc-bsd-and-4k-oh-my/) Yesterday, Kris got ahold of some 4K monitor hardware to test PC-BSD out The short of it - It works great! Minor tweaks being made to some of the PC-BSD defaults to better accommodate 4K out of box This particular model monitor ships with DisplayPort set to 1.1 mode only, switching it to 1.2 mode enables 60Hz properly *** Feedback/Questions Darin writes in (http://slexy.org/view/s21kFuvAFs) Mitch writes in (http://slexy.org/view/s2nf4o9p4E) *** Discussion Comparison of BSD release cycles FreeBSD (https://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/introduction.html#idp55486416), OpenBSD (http://www.openbsd.org/faq/faq5.html#Flavors), NetBSD (https://www.netbsd.org/releases/release-map.html) and DragonFlyBSD (https://www.dragonflybsd.org/releases/) ***
Anand Shimpi, Brian Klug & Dr. Ian Cutress discuss the rumors surrounding Intel's Broadwell being available onlyl in a BGA package and the future of the DIY desktop PC industry. Brian Klug updates us on Qualcomm's next-generation Krait 300 core.
© 2020-2025 Ivy Podcast Discovery LLC
