Podcasts about freebsd journal

This week on the show, The story of SSH getting port 22, GGC using Clang, AuxRunner, Stabweek, Using a Kensington SlimBladePro on OpenBSD, and more... NOTES This episode of BSDNow is brought to you by Tarsnap (https://www.tarsnap.com/bsdnow) and the BSDNow Patreon (https://www.patreon.com/bsdnow) Headlines The story of getting SSH port 22 (https://www.ssh.com/academy/ssh/port#the-story-of-getting-ssh-port-22) Can GCC use Clang as its assembler? (https://briancallahan.net/blog/20240122.html) News Roundup AUXrunner: a macOS QEMU-based app for running A/UX (https://mendelson.org/auxrunner.html) Stabweek (https://lists.freebsd.org/archives/freebsd-current/2024-February/005657.html) Using the Kensington SlimBlade Pro TrackBall with OpenBSD (https://www.tumfatig.net/2024/using-the-kensington-slimblade-pro-trackball-with-openbsd/) Running 9front on an emulated SGI Indy via MAME (https://posixcafe.org/blogs/2024/01/01/0/) Beastie Bits Huffman Codes – How Do They Work? (https://two-wrongs.com/huffman-codes-how-do-they-work) NetBSD 10.0_RC5 (https://mail-index.netbsd.org/source-changes/2024/02/27/msg150156.html) New code for SIGILL faults help identify misbranches (https://www.undeadly.org/cgi?action=article;sid=20240222183703) New Illumos telegram channel (https://t.me/illumosDistroes) The Jan Feb issues of the FreeBSD Journal is here (https://freebsdfoundation.org/blog/the-january-february-2024-issue-of-the-freebsd-journal-is-here/) Tarsnap This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. Feedback/Questions Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv) Join us and other BSD Fans in our BSD Now Telegram channel (https://t.me/bsdnow)

Nextcloud + OpenBSD =

Writing FreeBSD kernel modules in Rust, Details behind the FreeBSD aio LPE, Linux subsystem for FreeBSD, FreeBSD Journal: Science, Systems, and FreeBSD, NetBSD improves Amiga support, OpenBSD on Scaleway Elastic Metal, and more NOTES This episode of BSDNow is brought to you by Tarsnap (https://www.tarsnap.com/bsdnow) and the BSDNow Patreon (https://www.patreon.com/bsdnow) Headlines Writing FreeBSD Kernel modules in Rust (https://research.nccgroup.com/2022/08/31/writing-freebsd-kernel-modules-in-rust/) Details behind the FreeBSD aio LPE (https://accessvector.net/2022/freebsd-aio-lpe) News Roundup Linux Subsystem for FreeBSD (https://medium.com/nttlabs/linux-subsystem-for-freebsd-500b9a88fda4) FreeBSD Journal: Science, Systems, and FreeBSD (https://freebsdfoundation.org/wp-content/uploads/2022/08/03ae2705ab4362602a6bb90c5b9628c595d8b4fa.2.pdf) NetBSD improves its support for the Commodore Amiga (https://thenewstrace.com/netbsd-an-operating-system-that-is-serious-about-being-cross-platform-now-improves-its-support-for-the-commodore-amiga-1985/243892/) Installing OpenBSD on Scaleway Elastic Metal (https://www.senzilla.io/blog/2022/08/10/installing-openbsd-scaleway-elastic-metal/) Beastie Bits /usr/games removed from the default $PATH (http://undeadly.org/cgi?action=article;sid=20220810120423) How to install and configure mDNSResponder (https://forums.FreeBSD.org/threads/how-to-install-and-configure-mdnsresponder.70713/) How to use consistent exit codes in shell scripts (https://sleeplessbeastie.eu/2022/08/12/how-to-use-consistent-exit-codes-in-shell-scripts) Tarsnap This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. Feedback/Questions [TheHolm - zfs question)[https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/469/feedback/TheHolm%20-%20zfs%20question.md] *** Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv) ***

Choosing The Right ZFS Pool Layout, changes in OpenBSD that make life better, GhostBSD 21.09.06 ISO's now available, Fair Internet bandwidth management with OpenBSD, NetBSD wifi router project update, NetBSD on the Apple M1, HardenedBSD August Status Report, FreeBSD Journal on Wireless and Desktop, and more. NOTES This episode of BSDNow is brought to you by Tarsnap (https://www.tarsnap.com/bsdnow) Headlines Choosing The Right ZFS Pool Layout (https://klarasystems.com/articles/choosing-the-right-zfs-pool-layout/) Recent and not so recent changes in OpenBSD that make life better (and may turn up elsewhere too) (https://bsdly.blogspot.com/2021/08/recent-and-not-so-recent-changes-in.html) News Roundup GhostBSD 21.09.06 ISO's now available (https://www.ghostbsd.org/ghostbsd_21.09.06_iso_now_available) Fair Internet bandwidth management on a network using OpenBSD (https://dataswamp.org/~solene/2021-08-30-openbsd-qos-lan.html) NetBSD wifi router project update (https://blog.netbsd.org/tnf/entry/wifi_project_status_update) Bonus NetBSD Recent Developments: NetBSD on the Apple M1 (https://mobile.twitter.com/jmcwhatever/status/1431575270436319235) *** ### HardenedBSD August 2021 Status Report (https://hardenedbsd.org/article/shawn-webb/2021-08-31/hardenedbsd-august-2021-status-report) ### FreeBSD Journal July/August 2021: Desktop/Wireless (https://freebsdfoundation.org/past-issues/desktop-wireless/) *** ### Tarsnap This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. Feedback/Questions James - backup question (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/420/feedback/James%20-%20backup%20question.md) Jonathon - certifications (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/420/feedback/Jonathon%20-%20certifications.md) Marty - RPG CLI (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/420/feedback/Marty%20-%20RPG%20CLI.md) *** Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv) ***

Distrowatch reviews FuryBSD, LLDB on i386 for NetBSD, wpa_supplicant as lower-class citizen, KDE on FreeBSD updates, Travel Grant for BSDCan open, ZFS dataset for testing iocage within a jail, and more. Headlines Distrowatch Fury BSD Review (https://distrowatch.com/weekly.php?issue=20200127#furybsd) FuryBSD is the most recent addition to the DistroWatch database and provides a live desktop operating system based on FreeBSD. FuryBSD is not entirely different in its goals from NomadBSD, which we discussed recently. I wanted to take this FreeBSD-based project for a test drive and see how it compares to NomadBSD and other desktop-oriented projects in the FreeBSD family. FuryBSD supplies hybrid ISO/USB images which can be used to run a live desktop. There are two desktop editions currently, both for 64-bit (x86_64) machines: Xfce and KDE Plasma. The Xfce edition is 1.4GB in size and is the flavour I downloaded. The KDE Plasma edition is about 3.0GB in size. My fresh install of FuryBSD booted to a graphical login screen. From there I could sign into my account, which brings up the Xfce desktop. The installed version of Xfce is the same as the live version, with a few minor changes. Most of the desktop icons have been removed with just the file manager launchers remaining. The Getting Started and System Information icons have been removed. Otherwise the experience is virtually identical to the live media. FuryBSD uses a theme that is mostly grey and white with creamy yellow folder icons. The application menu launchers tend to have neutral icons, neither particularly bright and detailed or minimal. LLDB now works on i386 (http://blog.netbsd.org/tnf/entry/lldb_now_works_on_i386) Upstream describes LLDB as a next generation, high-performance debugger. It is built on top of LLVM/Clang toolchain, and features great integration with it. At the moment, it primarily supports debugging C, C++ and ObjC code, and there is interest in extending it to more languages. In February 2019, I have started working on LLDB, as contracted by the NetBSD Foundation. So far I've been working on reenabling continuous integration, squashing bugs, improving NetBSD core file support, extending NetBSD's ptrace interface to cover more register types and fix compat32 issues, fixing watchpoint and threading support. The original NetBSD port of LLDB was focused on amd64 only. In January, I have extended it to support i386 executables. This includes both 32-bit builds of LLDB (running natively on i386 kernel or via compat32) and debugging 32-bit programs from 64-bit LLDB. News Roundup wpa_supplicant is definitely a lower-class citizen, sorry (https://marc.info/?l=openbsd-misc&m=158068418807352&w=2) wpa_supplicant is definitely a lower-class citizen, sorry. I increasingly wonder why this stuff matters; transit costs are so much lower than the period when eduroam was setup, and their reliance on 802.11x is super weird in a world where, for the most part + entire cities have open wifi in their downtown core + edu vs edu+transit split horizon problems have to be solved anyways + many universities have parallel open wifi + rate limiting / fare-share approaches for the open-net, on unmetered + flat-rate solves the problem + LTE hotspot off a phone isn't a rip off anymore + other open networks exist essentially no one else feels compelled to do use 802.11x for a so called "semi-open access network", so I think they've lost the plot on friction vs benefit. (we've held hackathons at EDU campus that are locked down like that, and in every case we've said no way, gotten a wire with open net, and built our own wifi. we will not subject our developers to that extra complexity). KDE FreeBSD Updates Feb 2020 (https://euroquis.nl/freebsd/2020/02/08/freebsd.html) Some bits and bobs from the KDE FreeBSD team in february 2020. We met at the FreeBSD devsummit before FOSDEM, along with other FreeBSD people. Plans were made, schemes were forged, and Groff the Goat was introduced to some new people. The big ticket things: Frameworks are at 5.66 Plasma is at 5.17.5 (the beta 5.18 hasn’t been tried) KDE release service has landed 19.12.2 (same day it was released) Developer-centric: KDevelop is at 5.5.0 KUserfeedback landed its 1.0.0 release CMake is 3.16.3 Applications: Musescore is at 3.4.2 Elisa now part of the KDE release service updates Fuure work: KIO-Fuse probably needs extra real-world testing on FreeBSD. I don’t have that kind of mounts (just NFS in /etc/fstab) so I’m not the target audience. KTextEditor is missing .editorconfig support. That can come in with the next frameworks update, when consumers update anyway. Chasing it in an intermediate release is a bit problematic because it does require some rebuilds of consumers. Travel Grant Application for BSDCan is now open (https://lists.freebsd.org/pipermail/freebsd-announce/2020-February/001929.html) Hi everyone, The Travel Grant Application for BSDCan 2020 is now open. The Foundation can help you attend BSDCan through our travel grant program. Travel grants are available to FreeBSD developers and advocates who need assistance with travel expenses for attending conferences related to FreeBSD development. BSDCan 2020 applications are due April 9, 2020. Find out more and apply at: https://www.freebsdfoundation.org/what-we-do/grants/travel-grants/ Did you know the Foundation also provides grants for technical events not specifically focused on BSD? If you feel that your attendance at one of these events will benefit the FreeBSD Project and Community and you need assistance getting there, please fill out the general travel grant application. Your application must be received 7 weeks prior to the event. The general application can be found here: https://goo.gl/forms/QzsOMR8Jra0vqFYH2 Creating a ZFS dataset for testing iocage within a jail (https://dan.langille.org/2020/02/01/creating-a-zfs-dataset-for-testing-iocage-within-a-jail/) Be warned, this failed. I’m stalled and I have not completed this. I’m going to do jails within a jail. I already do that with poudriere in a jail but here I want to test an older version of iocage before upgrading my current jail hosts to a newer version. In this post: FreeBSD 12.1 py36-iocage-1.2_3 py36-iocage-1.2_4 This post includes my errors and mistakes. Perhaps you should proceed carefully and read it all first. Beastie Bits Reminder: the FreeBSD Journal is free! Check out these great articles (https://www.freebsdfoundation.org/journal/browser-based-edition/) Serenity GUI desktop running on an OpenBSD kernel (https://twitter.com/jcs/status/1224205573656322048) The Open Source Parts of MacOS (https://github.com/apple-open-source/macos) FOSDEM videos available (https://www.fosdem.org/2020/schedule/track/bsd/) Feedback/Questions Michael - Install with ZFS (http://dpaste.com/3WRC9CQ#wrap) Mohammad - Server Freeze (http://dpaste.com/3BYZKMS#wrap) Todd - ZFS Questions (http://dpaste.com/2J50HSJ#wrap) Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv) Your browser does not support the HTML5 video tag.

FreeBSD 11.3-beta 1 is out, BSDCan 2019 recap, OpenIndiana 2019.04 is out, Overview of ZFS Pools in FreeNAS, why open source firmware is important for security, a new Opnsense release, wireguard on OpenBSD, and more. Headlines FreeBSD 11.3-b1 is out BSDCan 2019 Recap We’re back from BSDCan and it was a packed week as always. It started with bhyvecon on Tuesday. Meanwhile, Benedict spent the whole day in productive meetings: annual FreeBSD Foundation board meeting and FreeBSD Journal editorial board meeting. On Wednesday, tutorials for BSDCan started as well as the FreeBSD Developer Summit. In the mornings, there were presentations in the big auditorium, while working groups about networking, failsafe bootcode, development web services, swap space management, and testing/CI were held. Friday had a similar format with an update from the FreeBSD core team and the “have, need, want” session for FreeBSD 13. In the afternoon, there were working groups about translation tools, package base, GSoC/Outreachy, or general hacking. Benedict held his Icinga tutorial in the afternoon with about 15 people attending. Devsummit presentation slides can be found on the wiki page and video recordings done by ScaleEngine are available on FreeBSD’s youtube channel. The conference program was a good mixture of sysadmin and tech talks across the major BSDs. Benedict saw the following talks: How ZFS snapshots really work by Matt Ahrens, 20 years in Jail by Michael W. Lucas, OpenZFS BOF session, the future of OpenZFS and FreeBSD, MQTT for system administrators by Jan-Piet Mens, and spent the rest of the time in between in the hallway track. Photos from the event are available on Ollivier Robert’s talegraph and Diane Bruce’s website for day 1, day 2, conference day 1, and conference day 2. Thanks to all the sponsors, supporters, organizers, speakers, and attendees for making this yet another great BSDCan. Next year’s BSDCan will be from June 2 - 6, 2020. OpenIndiana 2019.04 is out We have released a new OpenIndiana Hipster snapshot 2019.04. The noticeable changes: Firefox was updated to 60.6.3 ESR Virtualbox packages were added (including guest additions) Mate was updated to 1.22 IPS has received updates from OmniOS CE and Oracle IPS repos, including automatic boot environment naming Some OI-specific applications have been ported from Python 2.7/GTK 2 to Python 3.5/GTK 3 Quick Demo Video: https://www.youtube.com/watch?v=tQ0-fo3XNrg News Roundup Overview of ZFS Pools in FreeNAS FreeNAS uses the OpenZFS (ZFS) file system, which handles both disk and volume management. ZFS offers RAID options mirror, stripe, and its own parity distribution called RAIDZ that functions like RAID5 on hardware RAID. The file system is extremely flexible and secure, with various drive combinations, checksums, snapshots, and replication all possible. For a deeper dive on ZFS technology, read the ZFS Primer section of the FreeNAS documentation. SUGGEST LAYOUT attempts to balance usable capacity and redundancy by automatically choosing an ideal vdev layout for the number of available disks. The following vdev layout options are available when creating a pool: Stripe data is shared on two drives, similar to RAID0) Mirror copies data on two drives, similar to RAID1 but not limited to 2 disks) RAIDZ1 single parity similar to RAID5 RAIDZ2 double parity similar to RAID6 RAIDZ3 which uses triple parity and has no RAID equivalent Why OpenSource Firmware is Important for Security Roots of Trust The goal of the root of trust should be to verify that the software installed in every component of the hardware is the software that was intended. This way you can know without a doubt and verify if hardware has been hacked. Since we have very little to no visibility into the code running in a lot of places in our hardware it is hard to do this. How do we really know that the firmware in a component is not vulnerable or that is doesn’t have any backdoors? Well we can’t. Not unless it was all open source. Every cloud and vendor seems to have their own way of doing a root of trust. Microsoft has Cerberus, Google has Titan, and Amazon has Nitro. These seem to assume an explicit amount of trust in the proprietary code (the code we cannot see). This leaves me with not a great feeling. Wouldn’t it be better to be able to use all open source code? Then we could verify without a doubt that the code you can read and build yourself is the same code running on hardware for all the various places we have firmware. We could then verify that a machine was in a correct state without a doubt of it being vulnerable or with a backdoor. It makes me wonder what the smaller cloud providers like DigitalOcean or Packet have for a root of trust. Often times we only hear of these projects from the big three or five. OPNsense This update addresses several privilege escalation issues in the access control implementation and new memory disclosure issues in Intel CPUs. We would like to thank Arnaud Cordier and Bill Marquette for the top-notch reports and coordination. Here are the full patch notes: system: address CVE-2019-11816 privilege escalation bugs[1] (reported by Arnaud Cordier) system: /etc/hosts generation without interfacehasgateway() system: show correct timestamp in config restore save message (contributed by nhirokinet) system: list the commands for the pluginctl utility when n+ argument is given system: introduce and use userIsAdmin() helper function instead of checking for 'page-all' privilege directly system: use absolute path in widget ACLs (reported by Netgate) system: RRD-related cleanups for less code exposure interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion) interfaces: replace legacygetallinterface_addresses() usage firewall: fix port validation in aliases with leading / trailing spaces firewall: fix outbound NAT translation display in overview page firewall: prevent CARP outgoing packets from using the configured gateway firewall: use CARP net.inet.carp.demotion to control current demotion in status page firewall: stop live log poller on error result dhcpd: change rule priority to 1 to avoid bogon clash dnsmasq: only admins may edit custom options field firmware: use insecure mode for base and kernel sets when package fingerprints are disabled firmware: add optional device support for base and kernel sets firmware: add Hostcentral mirror (HTTP, Melbourne, Australia) ipsec: always reset rightallowany to default when writing configuration lang: say "hola" to Spanish as the newest available GUI language lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese network time: only admins may edit custom options field openvpn: call openvpnrefreshcrls() indirectly via plugin_configure() for less code exposure openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette) openvpn: remove custom options field from wizard unbound: only admins may edit custom options field wizard: translate typehint as well plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86) plugins: os-nginx 1.12[2] plugins: os-theme-cicada 1.17 (contributed by Team Rebellion) plugins: os-theme-tukan 1.17 (contributed by Team Rebellion) src: timezone database information update[3] src: install(1) broken with partially matching relative paths[4] src: microarchitectural Data Sampling (MDS) mitigation[5] ports: carootnss 3.44 ports: php 7.2.18[6] ports: sqlite 3.28.0[7] ports: strongswan custom XAuth generic patch removed wiregaurd on OpenBSD Earlier this week I imported a port for WireGuard into the OpenBSD ports tree. At the moment we have the userland daemon and the tools available. The in-kernel implementation is only available for Linux. At the time of writing there are packages available for -current. Jason A. Donenfeld (WireGuard author) has worked to support OpenBSD in WireGuard and as such his post on ports@ last year got me interested in WireGuard, since then others have toyed with WireGuard on OpenBSD before and as such I've used Ted's article as a reference. Note however that some of the options mentioned there are no longer valid. Also, I'll be using two OpenBSD peers here. The setup will be as follows: two OpenBSD peers, of which we'll dub wg1 the server and wg2 the client. The WireGuard service on wg1 is listening on 100.64.4.3:51820. Conclusion WireGuard (cl)aims to be easier to setup and faster than OpenVPN and while I haven't been able to verify the latter, the first is certainly true...once you've figured it out. Most documentation out there is for Linux so I had to figure out the wireguardgo service and the tun parameters. But all in all, sure, it's easier. Especially the client configuration on iOS which I didn't cover here because it's essentially pkgadd libqrencode ; cat client.conf | qrencode -t ansiutf8, scan the code with the WireGuard app and you're good to go. What is particularly neat is that WireGuard on iOS supports Always-on. Beastie Bits Serenity OS vkernels vs pmap Brian Kernighan interviews Ken Thompson Improvements in forking, threading, and signal code DragonFly 5.4.3 NetBSD on the Odroid C2 Feedback/Questions Paulo - Laptops A Listener - Thanks Bostjan - Extend a pool and lower RAM footprint Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv Your browser does not support the HTML5 video tag.

SCP client vulnerabilities, BSDs vs Linux benchmarks on a Tyan EPYC Server, fame for the Unix inventors, Die IPv4, GhostBSD 18.12 released, Unix in pictures, and more. ##Headlines ###scp client multiple vulnerabilities Overview SCP clients from multiple vendors are susceptible to a malicious scp server performing unauthorized changes to target directory and/or client output manipulation. Description Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output. Impact Malicious scp server can write arbitrary files to scp target directory, change the target directory permissions and to spoof the client output. Details The discovered vulnerabilities, described in more detail below, enables the attack described here in brief. The attacker controlled server or Man-in-the-Middle(*) attack drops .bash_aliases file to victim’s home directory when the victim performs scp operation from the server. The transfer of extra files is hidden by sending ANSI control sequences via stderr. For example: user@local:~$ scp user@remote:readme.txt . readme.txt 100% 494 1.6KB/s 00:00 user@local:~$ Once the victim launches a new shell, the malicious commands in .bash_aliases get executed. *) Man-in-the-Middle attack does require the victim to accept the wrong host fingerprint. ###FreeBSD 12.0 vs. DragonFlyBSD 5.4 vs. TrueOS 18.12 vs. Linux On A Tyan EPYC Server Last month when running FreeBSD 12.0 benchmarks on a 2P EPYC server I wasn’t able to run any side-by-side benchmarks with the new DragonFlyBSD 5.4 as this BSD was crashing during the boot process on that board. But fortunately on another AMD EPYC server available, the EPYC 1P TYAN Transport SX TN70A-B8026, DragonFlyBSD 5.4.1 runs fine. So for this first round of BSD benchmarking in 2019 are tests of FreeBSD 11.2, FreeBSD 12.0, DragonFlyBSD 5.4.1, the new TrueOS 18.12, and a few Linux distributions (CentOS 7, Ubuntu 18.04.1 LTS, and Clear Linux) on this EPYC 7601 server in a variety of workloads. DragonFlyBSD 5.4.1 ran fine on this Tyan server and could boot fine unlike the issue encountered on the Dell PowerEdge R7425 for this particular BSD. But on the Tyan server, DragonFlyBSD 5.2.2 wouldn’t boot so only this latest DragonFlyBSD release series was used as part of the comparison. A summary of the operating systems tested for this EPYC 7601 OS benchmark comparison included: DragonFlyBSD 5.4.1 - The latest release of Matthew Dillon’s operating system while using the HAMMER2 file-system and GCC 8.1 compiler that is now the default system compiler for this BSD. FreeBSD 11.2 - The previous stable release of FreeBSD. Installed with a ZFS file-system. FreeBSD 12.0 - The latest stable release of FreeBSD and installed with its ZFS option. TrueOS 18.12 - The latest release of the iX systems’ FreeBSD derivative. TrueOS 18.12 is based on FreeBSD 13.0-CURRENT and uses ZFS by default and was using the Clang 7.0.1 compiler compared to Clang 6.0.1 on FreeBSD 12.0. CentOS Linux 7 - The latest EL7 operating system performance. Ubuntu 18.04.1 LTS - The latest Ubuntu Long Term Support release. Clear Linux 27120 - The latest rolling release as of testing out of Intel’s Open-Source Technology Center. Clear Linux often reflects as close to the gold standard for performance as possible with its insanely tuned software stack for offering optimal performance on x86_64 performance for generally showing best what the hardware is capable of. Throughout all of this testing, the Tyan 2U server was kept to its same configuration of an AMD EPYC 7601 (32 cores / 64 threads) at stock speeds, 8 x 16GB DDR4-2666 ECC memory, and 280GB Intel Optane 900p SSD benchmarks. ##News Roundup National Inventors Hall of Fame honors creators of Unix Dennis Ritchie (Posthumous) and Ken Thompson: UNIX Operating System Thompson and Ritchie’s creation of the UNIX operating system and the C programming language were pivotal developments in the progress of computer science. Today, 50 years after its beginnings, UNIX and UNIX-like systems continue to run machinery from supercomputers to smartphones. The UNIX operating system remains the basis of much of the world’s computing infrastructure, and C language – written to simplify the development of UNIX – is one of the most widely used languages today. ###Die IPV4, Die Imagine, it is 2019. Easy, ha? Imagine, it is 2019 and you want to turn off IPv4. Like, off off. Really off. Not disabling IPv6, but disabling IPv4. Two steps back You might be coming here wondering, why would anybody want to do what we are asking to be done. Well, it is dead simple: We are running data centers (like Data Center Light) with a lot of IPv6 only equipment. There simply is no need for IPv4. So why would we want to have it enabled? Also, here at ungleich, we defined 2019 as the year to move away from IPv4. The challenge Do you like puzzles? Competitions? Challenges? Hacking? Well. If ANY of this is of your interest, here is a real challenge for you: We offer a 100 CHF (roughly 100 USD) for anyone who can give us a detailed description of how to turn IPv4 completely off in an operating system and allowing it to communicate with IPv6 only. This should obviously include a tiny proof that your operating system is really unable to use IPv4 at all. Just flushing IPv4 addresses and keeping the IPv4 stack loaded, does not count. ###GhostBSD 18.12 released GhostBSD 18.12 is an updated iso of GhostBSD 18.10 with some little changes to the live DVD/USB and with updated packages. What has changed since 18.10 removed default call of kernel modules for AMD and Intel replaced octopkg by software-station added back gop hacks to the live system added ghostbsd-drivers and ghostbsd-utils we updated the packages to the latest build ###And Now for a laugh : #unixinpictures ##Beastie Bits We are now closer to the Y2038 bug than the Y2K bug OpenBSD Enterprise use AT&T Unix Books Process title and missing memory space The History of a Security Hole unbound-adblock: The ultimate network adblocker! FreeBSD’s name/value pairs library Pid Rollover Booting OpenBSD kernels in EFI mode with QEMU OpenBSD CVS commit: Make mincore lie BSDCan 2019 CfP ending January 19 - Submit! OpenZFS User Conference - April 18-19 FreeBSD Journal is a free publication now ##Feedback/Questions Chris - Boot environments and SSDs Jonathan - Bytes issued during a zpool scrub Bostjan - ZFS Record Size and my mistakes Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Fanless server setup with FreeBSD, NetBSD on pinebooks, another BSDCan trip report, transparent network audio, MirBSD's Korn Shell on Plan9, static site generators on OpenBSD, and more. ##Headlines Silent Fanless FreeBSD Desktop/Server Today I will write about silent fanless FreeBSD desktop or server computer … or NAS … or you name it, it can have multiple purposes. It also very low power solution, which also means that it will not overheat. Silent means no fans at all, even for the PSU. The format of the system should also be brought to minimum, so Mini-ITX seems best solution here. I have chosen Intel based solutions as they are very low power (6-10W), if you prefer AMD (as I often do) the closest solution in comparable price and power is Biostar A68N-2100 motherboard with AMD E1-2100 CPU and 9W power. Of course AMD has even more low power SoC solutions but finding the Mini-ITX motherboard with decent price is not an easy task. For comparison Intel has lots of such solutions below 6W whose can be nicely filtered on the ark.intel.com page. Pity that AMD does not provide such filtration for their products. I also chosen AES instructions as storage encryption (GELI on FreeBSD) today seems as obvious as HTTPS for the web pages. Here is how the system look powered up and working This motherboard uses Intel J3355 SoC which uses 10W and has AES instructions. It has two cores at your disposal but it also supports VT-x and EPT extensions so you can even run Bhyve on it. Components Now, an example system would look like that one below, here are the components with their prices. $49 CPU/Motherboard ASRock J3355B-ITX Mini-ITX $14 RAM Crucial 4 GB DDR3L 1.35V (low power) $17 PSU 12V 160W Pico (internal) $11 PSU 12V 96W FSP (external) $5 USB 2.0 Drive 16 GB ADATA $4 USB Wireless 802.11n $100 TOTAL The PSU 12V 160W Pico (internal) and PSU 12V 96W FSP can be purchased on aliexpress.com or ebay.com for example, at least I got them there. Here is the 12V 160W Pico (internal) PSU and its optional additional cables to power the optional HDDs. If course its one SATA power and one MOLEX power so additional MOLEX-SATA power adapter for about 1$ would be needed. Here is the 12V 96W FSP (external) PSU without the power cord. This gives as total silent fanless system price of about $120. Its about ONE TENTH OF THE COST of the cheapest FreeNAS hardware solution available – the FreeNAS Mini (Diskless) costs $1156 also without disks. You can put plain FreeBSD on top of it or Solaris/Illumos distribution OmniOSce which is server oriented. You can use prebuilt NAS solution based on FreeBSD like FreeNAS, NAS4Free, ZFSguru or even Solaris/Illumos based storage with napp-it appliance. ###An annotated look at a NetBSD Pinebook’s startup Pinebook is an affordable 64-bit ARM notebook. Today we’re going to take a look at the kernel output at startup and talk about what hardware support is available on NetBSD. Photo Pinebook comes with 2GB RAM standard. A small amount of this is reserved by the kernel and framebuffer. NetBSD uses flattened device-tree (FDT) to enumerate devices on all Allwinner based SoCs. On a running system, you can inspect the device tree using the ofctl(8) utility: Pinebook’s Allwinner A64 processor is based on the ARM Cortex-A53. It is designed to run at frequencies up to 1.2GHz. The A64 is a quad core design. NetBSD’s aarch64 pmap does not yet support SMP, so three cores are disabled for now. The interrupt controller is a standard ARM GIC-400 design. Clock drivers for managing PLLs, module clock dividers, clock gating, software resets, etc. Information about the clock tree is exported in the hw.clk sysctl namespace (root access required to read these values). # sysctl hw.clk.sun50ia64ccu0.mmc2 hw.clk.sun50ia64ccu0.mmc2.rate = 200000000 hw.clk.sun50ia64ccu0.mmc2.parent = pllperiph02x hw.clk.sun50ia64ccu0.mmc2.parent_domain = sun50ia64ccu0 Digital Ocean http://do.co/bsdnow ###BSDCan 2018 Trip Report: Mark Johnston BSDCan is a highlight of my summers: the ability to have face-to-face conversations with fellow developers and contributors is invaluable and always helps refresh my enthusiasm for FreeBSD. While in a perfect world we would all be able to communicate effectively over the Internet, it’s often noted that locking a group of developers together in a room can be a very efficient way to make progress on projects that otherwise get strung out over time, and to me this is one of the principal functions of BSD conferences. In my case I was able to fix some kgdb bugs that had been hindering me for months; get some opinions on the design of a feature I’ve been working on for FreeBSD 12.0; hear about some ongoing usage of code that I’ve worked on; and do some pair-debugging of an issue that has been affecting another developer. As is tradition, on Tuesday night I dropped off my things at the university residence where I was staying, and headed straight to the Royal Oak. This year it didn’t seem quite as packed with BSD developers, but I did meet several long-time colleagues and get a chance to catch up. In particular, I chatted with Justin Hibbits and got to hear about the bring-up of FreeBSD on POWER9, a new CPU family released by IBM. Justin was able to acquire a workstation based upon this CPU, which is a great motivator for getting FreeBSD into shape on that platform. POWER9 also has some promise in the server market, so it’s important for FreeBSD to be a viable OS choice there. Wednesday morning saw the beginning of the two-day FreeBSD developer summit, which precedes the conference proper. Gordon Tetlow led the summit and did an excellent job organizing things and keeping to the schedule. The first presentation was by Deb Goodkin of the FreeBSD Foundation, who gave an overview of the Foundation’s role and activities. After Deb’s presentation, present members of the FreeBSD core team discussed the work they had done over the past two years, as well as open tasks that would be handed over to the new core team upon completion of the ongoing election. Finally, Marius Strobl rounded off the day’s presentations by discussing the state and responsibilities of FreeBSD’s release engineering team. One side discussion of interest to me was around the notion of tightening integration with our Bugzilla instance; at moment we do not have any good means to mark a given bug as blocking a release, making it easy for bugs to slip into releases and thus lowering our overall quality. With FreeBSD 12.0 upon us, I plan to help with the triage and fixes for known regressions before the release process begins. After a break, the rest of the morning was devoted to plans for features in upcoming FreeBSD releases. This is one of my favorite discussion topics and typically takes the form of have/need/want, where developers collectively list features that they’ve developed and intend to upstream (have), features that they are missing (need), and nice-to-have features (want). This year, instead of the usual format, we listed features that are intended to ship in FreeBSD 12.0. The compiled list ended up being quite ambitious given how close we are to the beginning of the release cycle, but many individual developers (including myself) have signed up to deliver work. I’m hopeful that most, if not all of it, will make it into the release. After lunch, I attended a discussion led by Matt Ahrens and Alexander Motin on OpenZFS. Of particular interest to me were some observations made regarding the relative quantity and quality of contributions made by different “camps” of OpenZFS users (illumos, FreeBSD and ZoL), and their respective track records of upstreaming enhancements to the OpenZFS project. In part due to the high pace of changes in ZoL, the definition of “upstream” for ZFS has become murky, and of late ZFS changes have been ported directly from ZoL. Alexander discussed some known problems with ZFS on FreeBSD that have been discovered through performance testing. While I’m not familiar with ZFS internals, Alexander noted that ZFS’ write path has poor SMP scalability on FreeBSD owing to some limitations in a certain kernel API called taskqueue(9). I would like to explore this problem further and perhaps integrate a relatively new alternative interface which should perform better. Friday and Saturday were, of course, taken up by BSDCan talks. Friday’s keynote was by Benno Rice, who provided some history of UNIX boot systems as a precursor to some discussion of systemd and the difficulties presented by a user and developer community that actively resist change. The rest of the morning was consumed by talks and passed by quickly. First was Colin Percival’s detailed examination of where the FreeBSD kernel spends time during boot, together with an overview of some infrastructure he added to track boot times. He also provided a list of improvements that have been made since he started taking measurements, and some areas we can further improve. Colin’s existing work in this area has already brought about substantial reductions in boot time; amusingly, one of the remaining large delays comes from the keyboard driver, which contains a workaround for old PS/2 keyboards. While there seems to be general agreement that the workaround is probably no longer needed on most systems, the lingering uncertainty around this prevents us from removing the workaround. This is, sadly, a fairly typical example of an OS maintenance burden, and underscores the need to carefully document hardware bug workarounds. After this talk, I got to see some rather novel demonstrations of system tracing using dwatch, a new utility by Devin Teske, which aims to provide a user-friendly interface to DTrace. After lunch, I attended talks on netdump, a protocol for transmitting kernel dumps over a network after the system has panicked, and on a VPC implementation for FreeBSD. After the talks ended, I headed yet again to the hacker lounge and had some fruitful discussions on early microcode loading (one of my features for FreeBSD 12.0). These led me to reconsider some aspects of my approach and saved me a lot of time. Finally, I continued my debugging session from Wednesday with help from a couple of other developers. Saturday’s talks included a very thorough account by Li-Wen Hsu of his work in organizing a BSD conference in Taipei last year. As one of the attendees, I had felt that the conference had gone quite smoothly and was taken aback by the number of details and pitfalls that Li-Wen enumerated during his talk. This was followed by an excellent talk by Baptiste Daroussin on the difficulties one encounters when deploying FreeBSD in new environments. Baptiste offered criticisms of a number of aspects of FreeBSD, some of which hit close to home as they involved portions of the system that I’ve worked on. At the conclusion of the talks, we all gathered in the main lecture hall, where Dan led a traditional and quite lively auction for charity. I managed to snag a Pine64 board and will be getting FreeBSD installed on it the first chance I get. At the end of the auction, we all headed to ByWard for dinner, concluding yet another BSDCan. Thanks to Mark for sharing his experiences at this years BSDCan ##News Roundup Transparent network audio with mpd & sndiod Landry Breuil (landry@ when wearing his developer hat) wrote in… I've been a huge fan of MPD over the years to centralize my audio collection, and i've been using it with the http output to stream the music as a radio on the computer i'm currently using… audio_output { type "sndio" name "Local speakers" mixer_type "software" } audio_output { type "httpd" name "HTTP stream" mixer_type "software" encoder "vorbis" port "8000" format "44100:16:2" } this setup worked for years, allows me to stream my home radio to $work by tunnelling the port 8000 over ssh via LocalForward, but that still has some issues: a distinct timing gap between the 'local output' (ie the speakers connected to the machine where MPD is running) and the 'http output' caused by the time it takes to reencode the stream, which is ugly when you walk through the house and have a 15s delay sometimes mplayer as a client doesn't detect the pauses in the stream and needs to be restarted i need to configure/start a client on each computer and point it at the sound server url (can do via gmpc shoutcast client plugin…) it's not that elegant to reencode the stream, and it wastes cpu cycles So the current scheme is: mpd -> http output -> network -> mplayer -> sndiod on remote machine | -> sndio output -> sndiod on soundserver Fiddling a little bit with mpd outputs and reading the sndio output driver, i remembered sndiod has native network support… and the mpd sndio output allows you to specify a device (it uses SIO_DEVANY by default). So in the end, it's super easy to: enable network support in sndio on the remote machine i want the audio to play by adding -L to sndiod_flags (i have two audio devices, with an input coming from the webcam): sndiod_flags="-L10.246.200.10 -f rsnd/0 -f rsnd/1" open pf on port 11025 from the sound server ip: pass in proto tcp from 10.246.200.1 to any port 11025 configure a new output in mpd: audio_output { type "sndio" name "sndio on renton" device "snd@10.246.200.10/0" mixer_type "software" } and enable the new output in mpd: $mpc enable 2 Output 1 (Local speakers) is disabled Output 2 (sndio on renton) is enabled Output 3 (HTTP stream) is disabled Results in a big win: no gap anymore with the local speakers, no reencoding, no need to configure a client to play the stream, and i can still probably reproduce the same scheme over ssh from $work using a RemoteForward. mpd -> sndio output 2 -> network -> sndiod on remote machine | -> sndio output 1 -> sndiod on soundserver Thanks ratchov@ for sndiod :) ###MirBSD’s Korn Shell on Plan9 Jehanne Let start by saying that I’m not really a C programmer. My last public contribution to a POSIX C program was a little improvement to the Snort’s react module back in 2008. So while I know the C language well enough, I do not know anything about the subtleness of the standard library and I have little experience with POSIX semantics. This is not a big issue with Plan 9, since the C library and compiler are not standard anyway, but with Jehanne (a Plan 9 derivative of my own) I want to build a simple, loosely coupled, system that can actually run useful free software ported from UNIX. So I ported RedHat’s newlib to Jehanne on top of a new system library I wrote, LibPOSIX, that provides the necessary emulations. I wrote several test, checking they run the same on Linux and Jehanne, and then I begun looking for a real-world, battle tested, application to port first. I approached MirBSD’s Korn Shell for several reason: it is simple, powerful and well written it has been ported to several different operating systems it has few dependencies it’s the default shell in Android, so it’s really battle tested I was very confident. I had read the POSIX standard after all! And I had a test suite! I remember, I thought “Given newlib, how hard can it be?” The porting begun on September 1, 2017. It was completed by tg on January 5, 2018. 125 nights later. Turn out, my POSIX emulation was badly broken. Not just because of the usual bugs that any piece of C can have: I didn’t understood most POSIX semantics at all! iXsystems ###Static site generator with rsync and lowdown on OpenBSD ssg is a tiny POSIX-compliant shell script with few dependencies: lowdown(1) to parse markdown, rsync(1) to copy temporary files, and entr(1) to watch file changes. It generates Markdown articles to a static website. It copies the current directory to a temporary on in /tmp skipping .* and _*, renders all Markdown articles to HTML, generates RSS feed based on links from index.html, extracts the first tag from every article to generate a sitemap and use it as a page title, then wraps articles with a single HTML template, copies everything from the temporary directory to $DOCS/ Why not Jekyll or “$X”? ssg is one hundred times smaller than Jekyll. ssg and its dependencies are about 800KB combined. Compare that to 78MB of ruby with Jekyll and all the gems. So ssg can be installed in just few seconds on almost any Unix-like operating system. Obviously, ssg is tailored for my needs, it has all features I need and only those I use. Keeping ssg helps you to master your Unix-shell skills: awk, grep, sed, sh, cut, tr. As a web developer you work with lots of text: code and data. So you better master these wonderful tools. Performance 100 pps. On modern computers ssg generates a hundred pages per second. Half of a time for markdown rendering and another half for wrapping articles into the template. I heard good static site generators work—twice as fast—at 200 pps, so there’s lots of performance that can be gained. ;) ###Why does FreeBSD have virtually no (0%) desktop market share? Because someone made a horrible design decision back in 1984. In absolute fairness to those involved, it was an understandable decision, both from a research perspective, and from an economic perspective, although likely not, from a technology perspective. Why and what. The decision was taken because the X Window System was intended to run on cheap hardware, and, at the time, that meant reduced functionality in the end-point device with the physical display attached to it. At the same time, another force was acting to also limit X displays to display services only, rather than rolling in both window management and specific widget instances for common operational paradigms. Mostly, common operational paradigms didn’t really exist for windowing systems because they also simply didn’t exist at the time, and no one really knew how people were going to use the things, and so researchers didn’t want to commit future research to a set of hard constraints. So a decision was made: separate the display services from the application at the lowest level of graphics primitives currently in use at the time. The ramifications of this were pretty staggering. First, it guaranteed that all higher level graphics would live on the host side of the X protocol, instead of on the display device side of the protocol. Despite a good understanding of Moore’s law, and the fact that, since no X Terminals existed at the time as hardware, but were instead running as emulations on workstations that had sufficient capability, this put the higher level GUI object libraries — referred to as “widgets” — in host libraries linked into the applications. Second, it guaranteed that display organization and management paradigms would also live on the host side of the protocol — assumed, in contradiction to the previous decision, to be running on the workstation. But, presumably, at some point, as lightweight X Terminals became available, to migrate to a particular host computer managing compute resource login/access services. Between these early decisions reigned chaos. Specifically, the consequences of these decisions have been with us ever since: Look-and-feel are a consequence of the toolkit chosen by the application programmer, rather than a user decision which applies universally to all applications. You could call this “lack of a theme”, and — although I personally despise the idea of customizing or “theming” desktops — this meant that one paradigm chosen by the user would not apply universally across all applications, no matter who had written them. Window management style is a preference. You could call this a more radical version of “theming” — which you will remember, I despise — but a consequence to this is that training is not universal across personnel using such systems, nor is it transferrable. In other words, I can’t send someone to a class, and have them come back and use the computers in the office as a tool, with the computer itself — and the elements not specific to the application itself — disappearing into the background. Both of these ultimately render an X-based system unsuitable for desktops. I can’t pay once for training. Training that I do pay for does not easily and naturally translate between applications. Each new version may radically alter the desktop management paradigm into unrecognizability. Is there hope for the future? Well, the Linux community has been working on something called Wayland, and it is very promising… …In the same way X was “very promising” in 1984, because, unfortunately, they are making exactly the same mistakes X made in 1984, rather than correcting them, now that we have 20/20 hindsight, and know what a mature widget library should look like. So Wayland is screwing up again. But hey, it only took us, what, 25 years to get from X in 1987 to Wayland in in 2012. Maybe if we try again in 2037, we can get to where Windows was in 1995. ##Beastie Bits New washing machine comes with 7 pages of open source licenses! BSD Jobs Site FreeBSD Foundation Update, May 2018 FreeBSD Journal looking for book reviewers zedenv ZFS Boot Environment Manager Tarsnap ##Feedback/Questions Wouter - Feedback Efraim - OS Suggestion kevr - Raspberry Pi2/FreeBSD/Router on a Stick Vanja - Interview Suggestion Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

OpenBSD firewalling Windows 10, NetBSD’s return to ptrace, TCP Alternative Backoff, the BSD Poetic license, and AsiaBSDcon 2018 videos available. RSS Feeds: MP3 Feed | iTunes Feed | HD Vid Feed | HD Torrent Feed Become a supporter on Patreon: - Show Notes: - Headlines Preventing Windows 10 and untrusted software from having full access to the internet using OpenBSD Whilst setting up one of my development laptops to port some software to Windows I noticed Windows 10 doing crazy things like installing or updating apps and games by default after initial setup. The one I noticed in particular was Candy Crush Soda Saga which for those who don't know of it is some cheesy little puzzle game originally for consumer devices. I honestly did not want software like this near to a development machine. It has also been reported that Windows 10 now also updates core system software without notifying the user. Surely this destroys any vaguely deterministic behaviour, in my opinion making Windows 10 by default almost useless for development testbeds. Deciding instead to start from scratch but this time to set the inbuilt Windows Firewall to be very restrictive and only allow a few select programs to communicate. In this case all I really needed to be online was Firefox, Subversion and Putty. To my amusement (and astonishment) I found out that the Windows firewall could be modified to give access very easily by programs during installation (usually because this task needs to be done with admin privileges). It also seems that Windows store Apps can change the windows firewall settings at any point. One way to get around this issue could be to install a 3rd party firewall that most software will not have knowledge about and thus not attempt to break through. However the only decent firewall I have used was Sygate Pro which unfortunately is no longer supported by recent operating systems. The last supported versions was 2003, XP and 2000. In short, I avoid 3rd party firewalls. Instead I decided to trap Windows 10 (and all of it's rogue updaters) behind a virtual machine running OpenBSD. This effectively provided me with a full blown firewall appliance. From here I could then allow specific software I trusted through the firewall (via a proxy) in a safe, controlled and deterministic manner. For other interested developers (and security conscious users) and for my own reference, I have listed the steps taken here: 1) First and foremost disable the Windows DHCP service - this is so no IP can be obtained on any interface. This effectively stops any communication with any network on the host system. This can be done by running services.msc with admin privileges and stopping and disabling the service called DHCP Client. 2) Install or enable your favorite virtualization software - I have tested this with both VirtualBox and Hyper-V. Note that on non-server versions of Windows, in order to get Hyper-V working, your processor also needs to support SLAT which is daft so to avoid faffing about, I recommend using VirtualBox to get round this seemingly arbitrary restriction. 3) Install OpenBSD on the VM - Note, if you decide to use Hyper-V, its hardware support isn't 100% perfect to run OpenBSD and you will need to disable a couple of things in the kernel. At the initial boot prompt, run the following commands. config -e -o /bsd /bsd disable acpi disable mpbios 4) Add a host only virtual adapter to the VM - This is the one which we are going to connect through the VM with. Look at the IP that VirtualBox assigns this in network manager on the host machine. Mine was [b]192.168.56.1[/b]. Set up the adapter in the OpenBSD VM to have a static address on the same subnet. For example [b]192.168.56.2[/b]. If you are using Hyper-V and OpenBSD, make sure you add a "Legacy Interface" because no guest additions are available. Then set up a virtual switch which is host only. 5) Add a bridged adapter to the VM - then assign it to whichever interface you wanted to connect to the external network with. Note that if using Wireless, set the bridged adapters MAC address to the same as your physical device or the access point will reject it. This is not needed (or possible) on Hyper-V because the actual device is "shared" rather than bridged so the same MAC address is used. Again, if you use Hyper-V, then add another virtual switch and attach it to your chosen external interface. VMs in Hyper-V "share" an adapter within a virtual switch and there is the option to also disable the hosts ability to use this interface at the same time which is fine for an additional level of security if those pesky rogue apps and updaters can also enable / disable DHCP service one day which wouldn't be too surprising. 6) Connect to your network in the host OS - In case of Wireless, select the correct network from the list and type in a password if needed. Windows will probably say "no internet available", it also does not assign an IP address which is fine. 7) Install the Squid proxy package on the OpenBSD guest and enable the daemon ``` pkg_add squid echo 'squid_flags=""' >> /etc/rc.conf.local /etc/rc.d/squid start ``` We will use this service for a limited selection of "safe and trusted" programs to connect to the outside world from within the Windows 10 host. You can also use putty on the host to connect to the VM via SSH and create a SOCKS proxy which software like Firefox can also use to connect externally. 8) Configure the software you want to be able to access the external network with Firefox - go to the connection settings and specify the VMs IP address for the proxy. Subversion - modify the %HOME%AppDataRoamingSubversionservers file and change the HTTP proxy field to the VMs IP. This is important to communicate with GitHub via https:// (Yes, GitHub also supports Subversion). For svn:// addresses you can use Putty to port forward. Chromium/Chrome - unfortunately uses the global Windows proxy settings which defeats much of the purpose of this exercise if we were going to allow all of Windows access to the internet via the proxy. It would become mayhem again. However we can still use Putty to create a SOCKS proxy and then launch the browser with the following flags: --proxy-server="socks5://:" --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE " 9) Congratulations, you are now done - Admittedly this process can be a bit fiddly to set up but it completely prevents Windows 10 from making a complete mess. This solution is probably also useful for those who like privacy or don't like the idea of their software "phoning home". Hope you find this useful and if you have any issues, please feel free to leave questions in the comments. LLDB restoration and return to ptrace(2) I've managed to unbreak the LLDB debugger as much as possible with the current kernel and hit problems with ptrace(2) that are causing issues with further work on proper NetBSD support. Meanwhile, I've upstreamed all the planned NetBSD patches to sanitizers and helped other BSDs to gain better or initial support. LLDB Since the last time I worked on LLDB, we have introduced many changes to the kernel interfaces (most notably related to signals) that apparently fixed some bugs in Go and introduced regressions in ptrace(2). Part of the regressions were noted by the existing ATF tests. However, the breakage was only marked as a new problem to resolve. For completeness, the ptrace(2) code was also cleaned up by Christos Zoulas, and we fixed some bugs with compat32. I've fixed a crash in *NetBSD::Factory::Launch(), triggered on startup of the lldb-server application. Here is the commit message: ``` We cannot call process_up->SetState() inside the NativeProcessNetBSD::Factory::Launch function because it triggers a NULL pointer deference. The generic code for launching a process in: GDBRemoteCommunicationServerLLGS::LaunchProcess sets the mdebuggedprocessup pointer after a successful call to mprocessfactory.Launch(). If we attempt to call processup->SetState() inside a platform specific Launch function we end up dereferencing a NULL pointer in NativeProcessProtocol::GetCurrentThreadID(). Use the proper call processup->SetState(,false) that sets notifydelegates to false. ``` Sanitizers I suspended development of new features in sanitizers last month, but I was still in the process of upstreaming of local patches. This process was time-consuming as it required rebasing patches, adding dedicated tests, and addressing all other requests and comments from the upstream developers. I'm not counting hot fixes, as some changes were triggering build or test issues on !NetBSD hosts. Thankfully all these issues were addressed quickly. The final result is a reduction of local delta size of almost 1MB to less than 100KB (1205 lines of diff). The remaining patches are rescheduled for later, mostly because they depend on extra work with cross-OS tests and prior integration of sanitizers with the basesystem distribution. I didn't want to put extra work here in the current state of affairs and, I've registered as a mentor for Google Summer of Code for the NetBSD Foundation and prepared Software Quality improvement tasks in order to outsource part of the labour. Userland changes I've also improved documentation for some of the features of NetBSD, described in man-pages. These pieces of information were sometimes wrong or incomplete, and this makes covering the NetBSD system with features such as sanitizers harder as there is a mismatch between the actual code and the documented code. Some pieces of software also require better namespacing support, these days mostly for the POSIX standard. I've fixed few low-hanging fruits there and requested pullups to NetBSD-8(BETA). I thank the developers for improving the landed code in order to ship the best solutions for users. BSD collaboration in LLVM A One-man-show in human activity is usually less fun and productive than collaboration in a team. This is also true in software development. Last month I was helping as a reviewer to port LLVM features to FreeBSD and when possible to OpenBSD. This included MSan/FreeBSD, libFuzzer/FreeBSD, XRay/FreeBSD and UBSan/OpenBSD. I've landed most of the submitted and reviewed code to the mainstream LLVM tree. Part of the code also verified the correctness of NetBSD routes in the existing porting efforts and showed new options for improvement. This is the reason why I've landed preliminary XRay/NetBSD code and added missing NetBSD bits to ToolChain::getOSLibName(). The latter produced setup issues with the prebuilt LLVM toolchain, as the directory name with compiler-rt goodies were located in a path like ./lib/clang/7.0.0/lib/netbsd8.99.12 with a varying OS version. This could stop working after upgrades, so I've simplified it to "netbsd", similar to FreeBSD and Solaris. Prebuilt toolchain for testers I've prepared a build of Clang/LLVM with LLDB and compiler-rt features prebuilt on NetBSD/amd64 v. 8.99.12: llvm-clang-compilerrt-lldb-7.0.0beta_2018-02-28.tar.bz2 Plan for the next milestone With the approaching NetBSD 8.0 release I plan to finish backporting a few changes there from HEAD: Remove one unused feature from ptrace(2), PTSETSIGMASK & PTGETSIGMASK. I've originally introduced these operations with criu/rr-like software in mind, but they are misusing or even abusing ptrace(2) and are not regular process debuggers. I plan to remove this operation from HEAD and backport this to NetBSD-8(BETA), before the release, so no compat will be required for this call. Future ports of criu/rr should involve dedicated kernel support for such requirements. Finish the backport of UCMACHINE_FP() to NetBSD-8. This will allow use of the same code in sanitizers in HEAD and NetBSD-8.0. By popular demand, improve the regnsub(3) and regasub(3) API, adding support for more or less substitutions than 10. Once done, I will return to ptrace(2) debugging and corrections. DigitalOcean Working with the NetBSD kernel Overview When working on complex systems, such as OS kernels, your attention span and cognitive energy are too valuable to be wasted on inefficiencies pertaining to ancillary tasks. After experimenting with different environmental setups for kernel debugging, some of which were awkward and distracting from my main objectives, I have arrived to my current workflow, which is described here. This approach is mainly oriented towards security research and the study of kernel internals. Before delving into the details, this is the general outline of my environment: My host system runs Linux. My target system is a QEMU guest. I’m tracing and debugging on my host system by attaching GDB (with NetBSD x86-64 ABI support) to QEMU’s built-in GDB server. I work with NetBSD-current. All sources are built on my host system with the cross-compilation toolchain produced by build.sh. I use NFS to share the source tree and the build artifacts between the target and the host. I find IDEs awkward, so for codebase navigation I mainly rely on vim, tmux and ctags. For non-intrusive instrumentation, such as figuring out control flow, I’m using dtrace. Preparing the host system QEMU GDB NFS Exports Building NetBSD-current A word of warning Now is a great time to familiarize yourself with the build.sh tool and its options. Be especially carefull with the following options: -r Remove contents of TOOLDIR and DESTDIR before building. -u Set MKUPDATE=yes; do not run "make clean" first. Without this, everything is rebuilt, including the tools. Chance are, you do not want to use these options once you’ve successfully built the cross-compilation toolchain and your entire userland, because building those takes time and there aren’t many good reasons to recompile them from scratch. Here’s what to expect: On my desktop, running a quad-core Intel i5-3470 at 3.20GHz with 24GB of RAM and underlying directory structure residing on a SSD drive, the entire process took about 55 minutes. I was running make with -j12, so the machine was quite busy. On an old Dell D630 laptop, running Intel Core 2 Duo T7500 at 2.20GHz with 4GB of RAM and a slow hard drive (5400RPM), the process took approximatelly 2.5 hours. I was running make with -j4. Based on the temperature alerts and CPU clock throttling messages, it was quite a struggle. Acquiring the sources Compiling the sources Preparing the guest system Provisioning your guest Pkgin and NFS shares Tailoring the kernel for debugging Installing the new kernel Configuring DTrace Debugging the guest’s kernel News Roundup Add support for the experimental Internet-Draft "TCP Alternative Backoff” ``` Add support for the experimental Internet-Draft "TCP Alternative Backoff with ECN (ABE)" proposal to the New Reno congestion control algorithm module. ABE reduces the amount of congestion window reduction in response to ECN-signalled congestion relative to the loss-inferred congestion response. More details about ABE can be found in the Internet-Draft: https://tools.ietf.org/html/draft-ietf-tcpm-alternativebackoff-ecn The implementation introduces four new sysctls: net.inet.tcp.cc.abe defaults to 0 (disabled) and can be set to non-zero to enable ABE for ECN-enabled TCP connections. net.inet.tcp.cc.newreno.beta and net.inet.tcp.cc.newreno.betaecn set the multiplicative window decrease factor, specified as a percentage, applied to the congestion window in response to a loss-based or ECN-based congestion signal respectively. They default to the values specified in the draft i.e. beta=50 and betaecn=80. net.inet.tcp.cc.abe_frlossreduce defaults to 0 (disabled) and can be set to non-zero to enable the use of standard beta (50% by default) when repairing loss during an ECN-signalled congestion recovery episode. It enables a more conservative congestion response and is provided for the purposes of experimentation as a result of some discussion at IETF 100 in Singapore. The values of beta and betaecn can also be set per-connection by way of the TCPCCALGOOPT TCP-level socket option and the new CCNEWRENOBETA or CCNEWRENOBETA_ECN CC algo sub-options. Submitted by: Tom Jones tj@enoti.me Tested by: Tom Jones tj@enoti.me, Grenville Armitage garmitage@swin.edu.au Relnotes: Yes Differential Revision: https://reviews.freebsd.org/D11616 ``` Meltdown-mitigation syspatch/errata now available The recent changes in -current mitigating the Meltdown vulnerability have been backported to the 6.1 and 6.2 (amd64) releases, and the syspatch update (for 6.2) is now available. 6.1 ``` Changes by: bluhm@cvs.openbsd.org 2018/02/26 05:36:18 Log message: Implement a workaround against the Meltdown flaw in Intel CPUs. The following changes have been backported from OpenBSD -current. Changes by: guenther@cvs.openbsd.org 2018/01/06 15:03:13 Log message: Handle %gs like %[def]s and reset set it in cpu_switchto() instead of on every return to userspace. Changes by: mlarkin@cvs.openbsd.org 2018/01/06 18:08:20 Log message: Add identcpu.c and specialreg.h definitions for the new Intel/AMD MSRs that should help mitigate spectre. This is just the detection piece, these features are not yet used. Part of a larger ongoing effort to mitigate meltdown/spectre. i386 will come later; it needs some machdep.c cleanup first. Changes by: mlarkin@cvs.openbsd.org 2018/01/07 12:56:19 Log message: remove all PG_G global page mappings from the kernel when running on Intel CPUs. Part of an ongoing set of commits to mitigate the Intel "meltdown" CVE. This diff does not confer any immunity to that vulnerability - subsequent commits are still needed and are being worked on presently. ok guenther, deraadt Changes by: mlarkin@cvs.openbsd.org 2018/01/12 01:21:30 Log message: IBRS -> IBRS,IBPB in identifycpu lines Changes by: guenther@cvs.openbsd.org 2018/02/21 12:24:15 Log message: Meltdown: implement user/kernel page table separation. On Intel CPUs which speculate past user/supervisor page permission checks, use a separate page table for userspace with only the minimum of kernel code and data required for the transitions to/from the kernel (still marked as supervisor-only, of course): - the IDT (RO) - three pages of kernel text in the .kutext section for interrupt, trap, and syscall trampoline code (RX) - one page of kernel data in the .kudata section for TLB flush IPIs (RW) - the lapic page (RW, uncachable) - per CPU: one page for the TSS+GDT (RO) and one page for trampoline stacks (RW) When a syscall, trap, or interrupt takes a CPU from userspace to kernel the trampoline code switches page tables, switches stacks to the thread's real kernel stack, then copies over the necessary bits from the trampoline stack. On return to userspace the opposite occurs: recreate the iretq frame on the trampoline stack, switch stack, switch page tables, and return to userspace. mlarkin@ implemented the pmap bits and did 90% of the debugging, diagnosing issues on MP in particular, and drove the final push to completion. Many rounds of testing by naddy@, sthen@, and others Thanks to Alex Wilson from Joyent for early discussions about trampolines and their data requirements. Per-CPU page layout mostly inspired by DragonFlyBSD. ok mlarkin@ deraadt@ Changes by: bluhm@cvs.openbsd.org 2018/02/22 13:18:59 Log message: The GNU assembler does not understand 1ULL, so replace the constant with 1. Then it compiles with gcc, sign and size do not matter here. Changes by: bluhm@cvs.openbsd.org 2018/02/22 13:27:14 Log message: The compile time assertion for cpu info did not work with gcc. Rephrase the condition in a way that both gcc and clang accept it. Changes by: guenther@cvs.openbsd.org 2018/02/22 13:36:40 Log message: Set the PG_G (global) bit on the special page table entries that are shared between the u-k and u+k tables, because they're actually in all tables. OpenBSD 6.1 errata 037 ``` 6.2 ``` Changes by: bluhm@cvs.openbsd.org 2018/02/26 05:29:48 Log message: Implement a workaround against the Meltdown flaw in Intel CPUs. The following changes have been backported from OpenBSD -current. Changes by: guenther@cvs.openbsd.org 2018/01/06 15:03:13 Log message: Handle %gs like %[def]s and reset set it in cpu_switchto() instead of on every return to userspace. Changes by: mlarkin@cvs.openbsd.org 2018/01/06 18:08:20 Log message: Add identcpu.c and specialreg.h definitions for the new Intel/AMD MSRs that should help mitigate spectre. This is just the detection piece, these features are not yet used. Part of a larger ongoing effort to mitigate meltdown/spectre. i386 will come later; it needs some machdep.c cleanup first. Changes by: mlarkin@cvs.openbsd.org 2018/01/07 12:56:19 Log message: remove all PG_G global page mappings from the kernel when running on Intel CPUs. Part of an ongoing set of commits to mitigate the Intel "meltdown" CVE. This diff does not confer any immunity to that vulnerability - subsequent commits are still needed and are being worked on presently. Changes by: mlarkin@cvs.openbsd.org 2018/01/12 01:21:30 Log message: IBRS -> IBRS,IBPB in identifycpu lines Changes by: guenther@cvs.openbsd.org 2018/02/21 12:24:15 Log message: Meltdown: implement user/kernel page table separation. On Intel CPUs which speculate past user/supervisor page permission checks, use a separate page table for userspace with only the minimum of kernel code and data required for the transitions to/from the kernel (still marked as supervisor-only, of course): - the IDT (RO) - three pages of kernel text in the .kutext section for interrupt, trap, and syscall trampoline code (RX) - one page of kernel data in the .kudata section for TLB flush IPIs (RW) - the lapic page (RW, uncachable) - per CPU: one page for the TSS+GDT (RO) and one page for trampoline stacks (RW) When a syscall, trap, or interrupt takes a CPU from userspace to kernel the trampoline code switches page tables, switches stacks to the thread's real kernel stack, then copies over the necessary bits from the trampoline stack. On return to userspace the opposite occurs: recreate the iretq frame on the trampoline stack, switch stack, switch page tables, and return to userspace. mlarkin@ implemented the pmap bits and did 90% of the debugging, diagnosing issues on MP in particular, and drove the final push to completion. Many rounds of testing by naddy@, sthen@, and others Thanks to Alex Wilson from Joyent for early discussions about trampolines and their data requirements. Per-CPU page layout mostly inspired by DragonFlyBSD. Changes by: bluhm@cvs.openbsd.org 2018/02/22 13:18:59 Log message: The GNU assembler does not understand 1ULL, so replace the constant with 1. Then it compiles with gcc, sign and size do not matter here. Changes by: bluhm@cvs.openbsd.org 2018/02/22 13:27:14 Log message: The compile time assertion for cpu info did not work with gcc. Rephrase the condition in a way that both gcc and clang accept it. Changes by: guenther@cvs.openbsd.org 2018/02/22 13:36:40 Log message: Set the PG_G (global) bit on the special page table entries that are shared between the u-k and u+k tables, because they're actually in all tables. OpenBSD 6.2 errata 009 ``` syspatch iXsystems a2k18 Hackathon Report: Ken Westerback on dhclient and more Ken Westerback (krw@) has sent in the first report from the (recently concluded) a2k18 hackathon: YYZ -> YVR -> MEL -> ZQN -> CHC -> DUD -> WLG -> AKL -> SYD -> BNE -> YVR -> YYZ For those of you who don’t speak Airport code: Toronto -> Vancouver -> Melbourne -> Queenstown -> Christchurch -> Dunedin Then: Dunedin -> Wellington -> Auckland -> Sydney -> Brisbane -> Vancouver -> Toronto ``` Whew. Once in Dunedin the hacking commenced. The background was a regular tick of new meltdown diffs to test in addition to whatever work one was actually engaged in. I was lucky (?) in that none of the problems with the various versions cropped up on my laptop. ``` ``` I worked with rpe@ and tb@ to make the install script create the 'correct' FQDN when dhclient was involved. I worked with tb@ on some code cleanup in various bits of the base. dhclient(8) got some nice cleanup, further pruning/improving log messages in particular. In addition the oddball -q option was flipped into the more normal -v. I.e. be quiet by default and verbose on request. More substantially the use of recorded leases was made less intrusive by avoiding continual reconfiguration of the interface with the same information. The 'request', 'require' and 'ignore' dhclient.conf(5) statement were changed so they are cumulative, making it easier to build longer lists of affected options. I tweaked softraid(4) to remove a handrolled version of duid_format(). I sprinkled a couple of M_WAITOK into amd64 and i386 mpbios to document that there is really no need to check for NULL being returned from some malloc() calls. I continued to help test the new filesystem quiescing logic that deraadt@ committed during the hackathon. I only locked myself out of my room once! Fueled by the excellent coffee from local institutions The Good Earth Cafe and The Good Oil Cafe, and the excellent hacking facilities and accommodations at the University of Otago it was another enjoyable and productive hackathon south of the equator. And I even saw penguins. Thanks to Jim Cheetham and the support from the project and the OpenBSD Foundation that made it all possible ``` Poetic License I found this when going through old documents. It looks like I wrote it and never posted it. Perhaps I didn’t consider it finished at the time. But looking at it now, I think it’s good enough to share. It’s a redrafting of the BSD licence, in poetic form. Maybe I had plans to do other licences one day; I can’t remember. I’ve interleaved it with the original license text so you can see how true, or otherwise, I’ve been to it. Enjoy :-) ``` Copyright (c) , All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: ``` You may redistribute and use – as source or binary, as you choose, and with some changes or without – this software; let there be no doubt. But you must meet conditions three, if in compliance you wish to be. 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. The first is obvious, of course – To keep this text within the source. The second is for binaries Place in the docs a copy, please. A moral lesson from this ode – Don’t strip the copyright on code. The third applies when you promote: You must not take, from us who wrote, our names and make it seem as true we like or love your version too. (Unless, of course, you contact us And get our written assensus.) THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. One final point to be laid out (You must forgive my need to shout): THERE IS NO WARRANTY FOR THIS WHATEVER THING MAY GO AMISS. EXPRESS, IMPLIED, IT’S ALL THE SAME – RESPONSIBILITY DISCLAIMED. WE ARE NOT LIABLE FOR LOSS NO MATTER HOW INCURRED THE COST THE TYPE OR STYLE OF DAMAGE DONE WHATE’ER THE LEGAL THEORY SPUN. THIS STILL REMAINS AS TRUE IF YOU INFORM US WHAT YOU PLAN TO DO. When all is told, we sum up thus – Do what you like, just don’t sue us. Beastie Bits AsiaBSDCon 2018 Videos The January/February 2018 FreeBSD Journal is Here Announcing the pkgsrc-2017Q4 release (2018-01-04) BSD Hamburg Event ZFS User conference Unreal Engine 4 Being Brought Natively To FreeBSD By Independent Developer Tarsnap ad Feedback/Questions Philippe - I heart FreeBSD and other questions Cyrus - BSD Now is excellent Architect - Combined Feedback Dale - ZFS on Linux moving to ZFS on FreeBSD Tommi - New BUG in Finland Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

We talk about our recent trip to FOSDEM, we discuss the pros and cons of permissive licensing, cover the installation of OpenBSD on a dedibox with full-disk encryption, the new Lumina guide repository, and we explain ZFS vs. OpenZFS. This episode was brought to you by Headlines [FOSDEM Trip report] Your BSDNow hosts were both at FOSDEM in Brussels, Belgium over the weekend. On the friday before FOSDEM, we held a FreeBSD devsummit (3rd consecutive year), sponsored by the FreeBSD Foundation and organized by Benedict (with the help from Kristof Provost, who did it in previous years but could not make it this year). We had 21 people attend, a good mixture of FreeBSD committers (mostly ports) and guests. After introductions, we collected topics and discussed various topics, including a new plan for a future FreeBSD release roadmap (more frequent releases, so that features from HEAD can be tried out earlier in RELEASES). The devsummit concluded with a nice dinner in a nearby restaurant. On Saturday, first day of FOSDEM, we set up the FreeBSD Foundation table with flyers, stickers, FreeBSD Journal print editions, and a small RPI 3 demo system that Deb Goodkin brought. Our table was located next to the Illumos table like last year. This allowed us to continue the good relationship that we have with the Illumos people and Allan helped a little bit getting bhyve to run on Illumos with UEFI. Meanwhile, our table was visited by a lot of people who would ask questions about FreeBSD, take info material, or talk about their use cases. We were busy refilling the table throughout the day and luckily, we had many helpers at the table. Some items we had ran out in the early afternoon, an indicator of how popular they were. Saturday also featured a BSD devroom (https://twitter.com/fosdembsd), organized by Rodrigo Osorio. You can find the list of talks and the recordings on the BSD Devroom schedule (https://fosdem.org/2018/schedule/track/bsd/). The room was very crowded and popular. Deb Goodkin gave the opening talk with an overview of what the Foundation is doing to change the world. Other speakers from various BSD projects presented their talks after that with a range of topics. Among them, Allan gave his talk about ZFS: Advanced Integration (https://fosdem.org/2018/schedule/event/zfs_advanced_integration/), while Benedict presented his Reflections on Teaching a Unix Class With FreeBSD (https://fosdem.org/2018/schedule/event/reflections_on_reaching_unix_class_with_freebsd/). Sunday was just as busy on the FreeBSD table as Saturday and we finally ran out of stickers and some other goodies. We were happy with the results of the two days. Some very interesting conversations at the table about FreeBSD took place, some of which we're going to follow up afterwards. Check out the FOSDEM schedule as many talk recordings are already available, and especially the ones from the BSD devroom if you could not attend the conference. We would like to thank everyone who attended the FreeBSD devsummit, who helped out at the FreeBSD table and organized the BSD devroom. Also, thanks to all the speakers, organizers, and helping hands making FOSDEM another success this year. *** NetBSD kernel wscons IOCTL vulnerable bug class (http://blog.infosectcbr.com.au/2018/01/netbsd-kernel-wscons-ioctl-vulnerable.html) I discovered this bug class during the InfoSect public code review session we ran looking specifically at the NetBSD kernel. I found a couple of these bugs and then after the session was complete, I went back and realised the same bug was scattered in other drivers. In total, 17 instances of this vulnerability and its variants were discovered. In all fairness, I came across this bug class during my kernel audits in 2002 and most instances were patched. It just seems there are more bugs now in NetBSD while OpenBSD and FreeBSD have practically eliminated them. See slide 41 in http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-cesare.pdf (http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-cesare.pdf) for exactly the same bug (class) 16 years ago. The format of the this blog post is as follows: Introduction Example of the Bug Class How to Fix How to Detect Automatically with Coccinelle More Bugs Conclusion These source files had bugs ./dev/tc/tfb.c ./dev/ic/bt485.c ./dev/pci/radeonfb.c ./dev/ic/sti.c ./dev/sbus/tcx.c ./dev/tc/mfb.c ./dev/tc/sfb.c ./dev/tc/stic.c ./dev/tc/cfb.c ./dev/tc/xcfb.c ./dev/tc/sfbplus.c ./arch/arm/allwinner/awin_debe.c ./arch/arm/iomd/vidcvideo.c ./arch/pmax/ibus/pm.c ./dev/ic/igfsb.c ./dev/ic/bt463.c ./arch/luna68k/dev/lunafb.c Reporting of the bugs was easy. In less than a week from reporting the specific instances of each bug, patches were committed into the mainline kernel. Thanks to Luke Mewburn from NetBSD for coming to the code review session at InfoSect and coordinating with the NetBSD security team. The patches to fix these issues are in NetBSD: https://mail-index.netbsd.org/source-changes/2018/01/24/msg091428.html (https://mail-index.netbsd.org/source-changes/2018/01/24/msg091428.html) "Permissive licensing is wrong!” – Is it? (https://eerielinux.wordpress.com/2017/11/25/permissive-licensing-is-wrong-is-it-1-2/) A few weeks ago I've been attacked by some GNU zealots on a German tech site after speaking in favor of permissive licenses. Unfortunately a discussion was not possible there because that would require the will to actually communicate instead of simply accusing the other side of vile motives. Since I actually do care about this topic and a reader asked for a post about it in comments a while ago, here we go. This first part tries to sum up the most important things around the topic. I deliberately aim for an objective overview that tries not to be one-sided. The second part will then contain my points in defence of permissive licensing. Why license software at all? Licenses exist for reasons of protection. If you're the author/inventor of some software, a story or whatever product, you get to decide what to do with it. You can keep it for yourself or you can give it away. If you decide for the latter, you have to decide who may use it and in which way(s). In case you intend to give it to a (potentially) large group of people, you may not want to be asked for permission to xyz by everybody. That's when you decide to write a license which states what you are allowing and explicitly disallowing. Most of the well-known commercial licenses focus on what you're not allowed to do (usually things like copying, disassembling, etc.). Open source licenses on the other hand are meant to grant the user rights (e.g. the right to distribute) while reserving some rights or only giving permission under certain conditions – and they usually make you claim responsibility for using the software. For these reasons licenses can actually be a good thing! If you got an unlicensed piece of code, you're not legally allowed to do anything with it without getting the author's permission first. And even if you got that permission, your project would be risky, since the author can withdraw it later. A proper license protects both parties. The author doesn't get his mail account full of email asking for permission, he's save from legal trouble if his code breaks anything for you and at the same time you have legal certainty when you decide to put the code to long-term use. Permissive vs. Copyleft (in a nutshell) In short terms, permissive licensing usually goes like this: “Here you are, have fun. Oh, and don't sue me if it does something else than what you expect!” Yes, it's that easy and there's little to dispute over. Copyleft on the other side sounds like this (if you ask somebody in favor of Copyleft): “Sure, you can use it, it's free. Just keep it free, ok?”. Also quite simple. And not too bad, eh? Other people however read the same thing like this: “Yes, you're free to use it. Just read these ten pages of legalese and be dead certain that you comply. If you got something wrong, we will absolutely make you regret it.” The GNU Public license (GPL) The most popular copyleft license in use is the GPL (in various versions) (https://www.gnu.org/licenses/gpl.html). It got more and more complex with each version – and to be fair, it had to, because it was necessary to react to new threats and loop holes that were found later. The GNU project states that they are committed to protect what they call the four freedoms of free software: the freedom to use the software for any purpose the freedom to change the software to suit your needs the freedom to share the software with your friends and neighbors the freedom to share the changes you make These are freedoms that every supporter of open source software should be able to agree with. So what's the deal with all the hostility and fighting between the two camps? Let's take a look at a permissive license, too. The BSD license Unlike the GPL, the BSD family of licenses begun with a rather simple license that span four rules (“original BSD license”). It was later revised and reduced to three (“modified BSD license”). And the modern BSD license that e.g. FreeBSD uses is even just two (“simplified BSD license”). Did you read the GPLv3 that I linked to above? If you are using GPL'd code you really should. In case you don't feel like reading all of it, at least take a look and grasp how long that text is. Now compare it to the complete modern BSD license (https://opensource.org/licenses/bsd-license.php). What's the problem? There are essentially two problems that cause all the trouble. The first one is the question of what should be subject to the freedom that we're talking about. And closely related, the second one is where that freedom needs to end. Ironically both camps claim that freedom is the one important thing and it must not be restricted. The GPL is meant to protect the freedom of the software and enforces the availability of the source code, hence limiting the freedom of actual persons. BSD on the other hand is meant to protect the freedom of human beings who should be able to use the software as they see fit – even if that means closing down former open source code! The GNU camp taunts permissive licenses as being “lax” for not providing the protection that they want. The other camp points out that the GPL is a complex monster and that it is virulent in nature: Since it's very strict in a lot of areas, it's incompatible with many other licenses. This makes it complicated to mix GPL and non-GPL code and in the cases where it's legally possible, the GPL's terms will take precedence and necessarily be in effect for the whole combined work. Who's right? That totally depends on what you want to achieve. There are pros and cons to both – and in fact we're only looking at the big picture here. There's also e.g. the Apache license which is often deemed as kind of middle ground. Then you may want to consider the difference between weak (e.g. LGPL) as well as strong copyleft (GPL). Licensing is a potentially huge topic. But let's keep it simple here because the exact details are actually not necessary to understand the essence of our topic. In the next post I'll present my stance on why permissive licensing is a good thing and copyleft is more problematic than many people may think. “Permissive licensing is wrong?” – No it's not! (https://eerielinux.wordpress.com/2018/01/25/permissive-licensing-is-wrong-no-its-not-2-2/) The previous post gave a short introduction into the topic of software licenses, focusing on the GPL vs. BSD discussion. This one is basically my response to some typical arguments I've seen from people who seem to loathe permissive licensing. I'll write this in dialog style, hoping that this makes it a little lighter to read. Roundup Install OpenBSD on dedibox with full-disk encryption (https://poolp.org/posts/2018-01-29/install-openbsd-on-dedibox-with-full-disk-encryption/) TL;DR: I run several "dedibox" servers at online.net, all powered by OpenBSD. OpenBSD is not officially supported so you have to work-around. Running full-disk encrypted OpenBSD there is a piece of cake. As a bonus, my first steps within a brand new booted machine ;-) Step #0: choosing your server OpenBSD is not officially supported, I can't guarantee that this will work for you on any kind of server online.net provides, however I've been running https://poolp.org on OpenBSD there since 2008, only switching machines as they were getting a bit old and new offers came up. Currently, I'm running two SC 2016 (SATA) and one XC 2016 (SSD) boxes, all three running OpenBSD reliably ever since I installed them. Recently I've been willing to reinstall the XC one after I did some experiments that turned it into a FrankenBSD, so this was the right occasion to document how I do it for future references. I wrote an article similar to this a few years ago relying on qemu to install to the disk, since then online.net provided access to a virtual serial console accessed within the browser, making it much more convenient to install without the qemu indirection which hid the NIC devices and disks duid and required tricks. The method I currently use is a mix and adaptation from the techniques described in https://www.2f30.org/guides/openbsd-dedibox.html to boot the installer, and the technique described in https://geekyschmidt.com/2011/01/19/configuring-openbsd-softraid-fo-encryption.html to setup the crypto slice. Step #1: boot to rescue mode Step #2: boot to the installer Step #3: prepare softraid Step #4: reboot to encrypted OpenBSD system Bonus: further tightening your system enable doas disable the root account update system with syspatch add my ssh public key to my ~/.ssh/authorized_keys disable password authentication within ssh reboot so you boot on a brand new up-to-date system with latest stable kernel VOILA ! January 2018 Development Projects Update (https://www.freebsdfoundation.org/blog/january-2018-development-projects-update/) Spectre and Meltdown in FreeBSD Issues affecting most CPUs used in servers, desktops, laptops, and mobile devices are in the news. These hardware vulnerabilities, known by the code-names “Meltdown” and “Spectre”, allow malicious programs to read data to which they should not have access. This potentially includes credentials, cryptographic material, or other secrets. They were originally identified by a researcher from Google's Project Zero, and were also independently discovered by researchers and academics from Cyberus Technology, Graz University of Technology, the University of Pennsylvania, the University of Maryland, Rambus, the University of Adelaide and Data61. These vulnerabilities affect many CPU architectures supported by FreeBSD, but the 64-bit x86 family of processors from Intel and AMD are the most widely used, and are a high priority for software changes to mitigate the effects of Meltdown and Spectre. In particular, the Meltdown issue affects Intel CPUs and may be used to extract secret data from the running kernel, and therefore, is the most important issue to address. The FreeBSD Foundation collaborates with Intel, and under this relationship participated in a briefing to understand the details of these issues and plan the mitigations to be applied to the x86 architectures supported by FreeBSD. We also made arrangements to have FreeBSD's security officer join me in the briefing. It is through the generous support of the Foundation's donors that we are able to dedicate resources to focus on these issues on demand as they arise. Foundation staff member Konstantin (Kostik) Belousov is an expert on FreeBSD's Virtual Memory (VM) system as well as low-level x86 details, and is developing the x86 kernel mitigations for FreeBSD. The mitigation for Meltdown is known as Page Table Isolation (PTI). Kostik created a PTI implementation which was initially committed in mid-January and is available in the FreeBSD-CURRENT development repository. This is the same approach used by the Linux kernel to mitigate Meltdown. One of the drawbacks of the PTI mitigation is that it incurs a performance regression. Kostik recently reworked FreeBSD's use of Process-Context Identifiers (PCID) in order to regain some of the performance loss incurred by PTI. This change is also now available in FreeBSD-CURRENT. The issue known as Spectre comes in two variants, and variant 2 is the more troubling and pressing one. It may be mitigated in one of two ways: by using a technique called “retpoline” in the compiler, or by making use of a CPU feature introduced in a processor microcode update. Both options are under active development. Kostik's change to implement the CPU-based mitigation is currently in review. Unfortunately, it introduces a significant performance penalty and alternatives are preferred, if available. For most cases, the compiler-based retpoline mitigation is likely to be the chosen mitigation. Having switched to the Clang compiler for the base system and most of the ports collection some years ago, FreeBSD is well-positioned to deploy Clang-based mitigations. FreeBSD developer Dimitry Andric is spearheading the update of Clang/LLVM in FreeBSD to version 6.0 in anticipation of its official release; FreeBSD-CURRENT now includes an interim snapshot. I have been assisting with the import, particularly with respect to LLVM's lld linker, and will support the integration of retpoline. This support is expected to be merged into FreeBSD in the coming weeks. The Foundation's co-op students have also participated in the response to these vulnerabilities. Mitchell Horne developed the patch to control the PTI mitigation default setting, while Arshan Khanifar benchmarked the performance impact of the in-progress mitigation patches. In addition, Arshan and Mitchell each developed changes to FreeBSD's tool chain to support the full set of mitigations that will be applied. These mitigations will continue be tested, benchmarked, and refined in FreeBSD-CURRENT before being merged into stable branches and then being made available as updates to FreeBSD releases. Details on the timing of these merges and releases will be shared as they become available. I would like to acknowledge all of those in the FreeBSD community who have participated in FreeBSD's response to Meltdown and Spectre, for testing, reviewing, and coordinating x86 mitigations, for developing mitigations for other processor architectures and for the Bhyve hypervisor, and for working on the toolchain-based mitigations. Guides: Getting Started & Lumina Theme Submissions (https://lumina-desktop.org/guides-getting-started-lumina-themes/) I am pleased to announce the beginning of a new sub-series of blog posts for the Lumina project: Guides! The TrueOS/Lumina projects want to support our users as they use Lumina or experiment with TrueOS. To that end, we've recently set up a central repository for our users to share instructions or other “how-to” guides with each other! Project developers and contributors will also submit guides to the repository on occasion, but the overall goal is to provide a simple hub for instructions written by any Lumina or TrueOS user. This will make it easier for users to not only find a “how-to” for some procedure, but also a very easy way to “give back” to the community by writing simple instructions or more detailed guides. Guides Repository Our first guide to get the whole thing started was created by the TrueOS Linebacker (https://discourse.trueos.org/t/introducing-the-trueos-linebacker/991) (with technical assistance from our own q5sys). In this guide, Terry Tate will walk you through the steps necessary to submit new wallpaper images to the Lumina Themes collection. This procedure is fully documented with screenshots every step of the way, walking you through a simple procedure that only requires a web browser and a Github account! Guide: Lumina Themes Submissions (https://github.com/trueos/guides/blob/master/lumina-themes-submissions/readme.md) The end result of this guide was that Terry Tate was able to submit this cool new “Lunar-4K” wallpaper to the “lumina-nature” collection. TrueOS Community Guides (https://github.com/trueos/guides/tree/master) ZFS vs. OpenZFS (by Michael Dexter) (https://www.ixsystems.com/blog/zfs-vs-openzfs/) You've probably heard us say a mix of “ZFS” and “OpenZFS” and an explanation is long-overdue. Our Senior Analyst clears up what ZFS and OpenZFS refer to and how they differ. I admit that we geeks tend to get caught up in the nuts and bolts of enterprise storage and overlook the more obvious questions that users might have. You've probably noticed that this blog and the FreeNAS blog refer to “ZFS” and “OpenZFS” seemingly at random when talking about the amazing file system at the heart of FreeNAS and every storage product that iXsystems sells. I will do my best to clarify what exactly these two terms refer to. From its inception, “ZFS” has referred to the “Zettabyte File System” developed at Sun Microsystems and published under the CDDL Open Source license in 2005 as part of the OpenSolaris operating system. ZFS was revolutionary for completely decoupling the file system from specialized storage hardware and even a specific computer platform. The portable nature and advanced features of ZFS led FreeBSD, Linux, and even Apple developers to start porting ZFS to their operating systems and by 2008, FreeBSD shipped with ZFS in the 7.0 release. For the first time, ZFS empowered users of any budget with enterprise-class scalability and data integrity and management features like checksumming, compression and snapshotting, and those features remain unrivaled at any price to this day. On any ZFS platform, administrators use the zpool and zfs utilities to configure and manage their storage devices and file systems respectively. Both commands employ a user-friendly syntax such as‘zfs create mypool/mydataset' and I welcome you to watch the appropriately-titled webinar “Why we love ZFS & you should too” or try a completely-graphical ZFS experience with FreeNAS. Yes, ZFS is really as good as people say it is. After enjoying nearly a decade of refinement by a growing group of developers around the world, ZFS became the property of database vendor Oracle, which ceased public development of both ZFS and OpenSolaris in 2010. Disappointed but undeterred, a group of OpenSolaris users and developers forked the last public release of OpenSolaris as the Illumos project. To this day, Illumos represents the official upstream home of the Open Source OpenSolaris technologies, including ZFS. The Illumos project enjoys healthy vendor and user participation but the portable nature and compelling features of ZFS soon produced far more ZFS users than Illumos users around the world. While most if not all users of Illumos and its derivatives are ZFS users, the majority of ZFS users are not Illumos users, thanks significantly in part to FreeNAS which uses the FreeBSD operating system. This imbalance plus several successful ZFS Day events led ZFS co-founder Matt Ahrens and a group of ZFS developers to announce the OpenZFS project, which would remain a part of the Illumos code base but would be free to coordinate development efforts and events around their favorite file system. ZFS Day has grown into the two-day OpenZFS Developer Summit and is stronger than ever, a testament to the passion and dedication of the OpenZFS community. Oracle has steadily continued to develop its own proprietary branch of ZFS and Matt Ahrens points out that over 50% of the original OpenSolaris ZFS code has been replaced in OpenZFS with community contributions. This means that there are, sadly, two politically and technologically-incompatible branches of “ZFS” but fortunately, OpenZFS is orders of magnitude more popular thanks to its open nature. The two projects should be referred to as “Oracle ZFS” and “OpenZFS” to distinguish them as development efforts, but the user still types the ‘zfs' command, which on FreeBSD relies on the ‘zfs.ko' kernel module. My impression is that the terms of the CDDL license under which the OpenZFS branch of ZFS is published protects its users from any patent and trademark risks. Hopefully, this all helps you distinguish the OpenZFS project from the ZFS technology. Beastie Bits Explaining Shell (https://explainshell.com/) OPNsense® 18.1 Released (https://opnsense.org/opnsense-18-1-released/) “SSH Mastery 2/e” copyedits back (https://blather.michaelwlucas.com/archives/3104) Sponsoring a Scam (https://blather.michaelwlucas.com/archives/3106) Thursday, February 8, 2018 - Come to Netflix to talk about FreeBSD (https://www.meetup.com/BAFUG-Bay-Area-FreeBSD-User-Group/events/246623825/) BSD User Group meeting in Stockholm: March 22, 17:30 - 21:00 (https://www.meetup.com/BSD-Users-Stockholm/events/247552279/) FreeBSD Flavoured talks from Linux.conf.au: You can't unit test C, right? (https://www.youtube.com/watch?v=z-uWt5wVVkU) and A Brief History of I/O (https://www.youtube.com/watch?v=qAhZEI_6lbc) EuroBSDcon 2018 website is up (https://2018.eurobsdcon.org/) Full day bhyvecon Tokyo, Japan, March 9, 2018 (http://bhyvecon.org/) *** Feedback/Questions Thomas - freebsd installer improvements (http://dpaste.com/3G2F7RC#wrap) Mohammad - FreeBSD 11 installation from a read only rescue disk (http://dpaste.com/0HGK3FQ#wrap) Stan - Follow up on guide you covered (http://dpaste.com/2S169SH#wrap) Jalal - couple questions (http://dpaste.com/35N8QXP#wrap)

George Neville-Neil is a computer scientist, software engineer, and author. He is FreeBSD Core Team Member and President of The FreeBSD Foundation.   He is the co-author (with Marshall Kirk McKusick) of the textbook The Design and Implementation of the FreeBSD Operating System.   He has coded and published several pieces of open source software, including work on the FreeBSD Operating System, Precision Time Protocol daemon, Conductor, Packet Construction Set and Packet Debugger. He also specializes in building High-speed, low-latency systems for customers in the financial services sector.   For the last 10 years, Neville-Neil has served on ACM Queue's magazine editorial board, where he developed the column Kode Vicious, which has been a regular feature in both Queue and Communications of the ACM for the last 10 years. He is also Editor in Chief at The FreeBSD Journal.

This episode gives you the full dose of BSDCan 2017 recap as well as a blog post on conference speaking advice. Headlines Pre-conference activities: Goat BoF, FreeBSD Foundation Board Meeting, and FreeBSD Journal Editorial Board Meeting The FreeBSD Foundation has a new President as Justin Gibbs is busy this year with building a house, so George Neville-Neil took up the task to serve as President, with Justin Gibbs as Secretary. Take a look at the updated Board of Directors (https://www.freebsdfoundation.org/about/board-of-directors/). We also have a new staff member (https://www.freebsdfoundation.org/about/staff/): Scott Lamons joined the Foundation team as senior program manager. Scott's work for the Foundation will focus on managing and evangelizing programs for advanced technologies in FreeBSD including preparing project plans, coordinating resources, and facilitating interactions between commercial vendors, the Foundation, and the FreeBSD community. The Foundation also planned various future activities, visits of upcoming conferences, and finding new ways to support and engage the community. The Foundation now has interns in the form of co-op students from the University of Waterloo, Canada. This is described further in the May 2017 Development Projects Update (https://www.freebsdfoundation.org/blog/may-2017-development-projects-update/). Both students (Siva and Charlie) were also the conference, helping out at the Foundation table, demonstrating the tinderbox dashboard. Follow the detailed instructions (https://www.freebsdfoundation.org/news-and-events/blog/blog-post/building-a-physical-freebsd-build-status-dashboard/) to build one of your own. The Foundation put out a call for Project Proposal Solicitation for 2017 (https://www.freebsdfoundation.org/blog/freebsd-foundation-2017-project-proposal-solicitation/). If you think you have a good proposal for work relating to any of the major subsystems or infrastructure for FreeBSD, we'd be happy to review it. Don't miss the deadlines for travel grants to some of the upcoming conferences. You can find the necessary forms and deadlines at the Travel Grant page (https://www.freebsdfoundation.org/what-we-do/travel-grants/travel-grants/) on the Foundation website. Pictures from the Goat BoF can be found on Keltia.net (https://assets.keltia.net/photos/BSDCan-2017/Royal%20Oak/index.html) Overlapping with the GoatBoF, members of the FreeBSD Journal editorial board met in a conference room in the Novotel to plan the upcoming issues. Topics were found, authors identified, and new content was discussed to appeal to even more readers. Check out the FreeBSD Journal website (https://www.freebsdfoundation.org/journal/) and subscribe if you like to support the Foundation in that way. FreeBSD Devsummit Day 1 & 2 (https://wiki.freebsd.org/DevSummit/201706) The first day of the Devsummit began with introductory slides by Gordon Tetlow, who organized the devsummit very well. Benno Rice of the FreeBSD core team presented the work done on the new Code of Conduct, which will become effective soon. A round of Q&A followed, with positive feedback from the other devsummit attendees supporting the new CoC. After that, Allan Jude joined to talk about the new FreeBSD Community Proposal (FCP) (https://github.com/freebsd/fcp) process. Modelled after IETF RFCs, Joyent RFDs, and Python PEP, it is a new way for the project to reach consensus on the design or implementation of new features or processes. The FCP repo contains FCP#0 that describes the process, and a template for writing a proposal. Then, the entire core team (except John Baldwin, who could not make it this year) and core secretary held a core Q&A session, Answering questions, gathering feedback and suggestions. After the coffee break, we had a presentation about Intel's QAT integration in FreeBSD. When the lunch was over, people spread out into working groups about BearSSL, Transport (TCP/IP), and OpenZFS. OpenZFS working group (https://pbs.twimg.com/media/DBu_IMsWAAId2sN.jpg:large): Matt Ahrens lead the group, and spent most of the first session providing a status update about what features have been recently committed, are out for review, on the horizon, or in the design phase. Existing Features Compressed ARC Compressed Send/Recv Recently Upstreamed A recent commit improved RAID-Z write speeds by declaring writes to padding blocks to be optional, and to always write them if they can be aggregated with the next write. Mostly impacts large record sizes. ABD (ARC buffer scatter/gather) Upstreaming In Progress Native Encryption Channel Programs Device Removal (Mirrors and Stripes) Redacted Send/recv Native TRIM Support (FreeBSD has its own, but this is better and applies to all ZFS implementations) Faster (mostly sequential) scrub/resilver DRAID (A great deal of time was spent explaining how this works, with diagrams on the chalk board) vdev metadata classes (store metadata on SSDs with data is on HDDs, or similar setups. Could also be modified to do dedup to SSD) Multi-mount protection (“safe import”, for dual-headed storage shelves) zpool checkpoint (rollback an entire pool, including zfs rename and zfs destroy) Further Out Import improvements Import with missing top-level vdevs (some blocks unreadable, but might let you get some data) Improved allocator performance -- vdev spacemap log ZIL performance Persistent L2ARC ZSTD Compression Day 2 Day two started with the Have/Want/Need session for FreeBSD 12.0. A number of features that various people have or are in the process of building, were discussed with an eye towards upstreaming them. Features we want to have in time for 12.0 (early 2019) were also discussed. After the break was the Vendor summit, which continued the discussion of how FreeBSD and its vendors can work together to make a better operating system, and better products based on it After lunch, the group broke up into various working groups: Testing/CI, Containers, Hardening UFS, and GELI Improvements Allan lead the GELI Improvements session. The main thrust of the discussions was fixing an outstanding bug in GELI when using both key slots with passphrases. To solve this, and make GELI more extensible, the metadata format will be extended to allow it to store more than 512 bytes of data (currently 511 bytes are used). The new format will allow arbitrarily large metadata, defined at creation time by selecting the number of user key slots desired. The new extended metadata format will contain mostly the same fields, except the userkey will no longer be a byte array of IV-key, Data-key, HMAC, but a struct that will contain all data about that key This new format will store the number of pkcs5v2 iterations per key, instead of only having a single location to store this number for all keys (the source of the original bug) A new set of flags per key, to control some aspects of the key (does it require a keyfile, etc), as well as possibly the role of the key. An auxdata field related to the flags, this would allow a specific key with a specific flag set, to boot a different partition, rather than decrypt the main partition. A URI to external key material is also stored per key, allowing GELI to uniquely identify the correct data to load to be able to use a specific decryption key And the three original parts of the key are stored in separate fields now. The HMAC also has a type field, allowing for a different HMAC algorithm to be used in the future. The main metadata is also extended to include a field to store the number of user keys, and to provide an overall HMAC of the metadata, so that it can be verified using the master key (provide any of the user keys) Other topics discussed: Ken Merry presented sedutil, a tool for managing Self Encrypting Drives, as may be required by certain governments and other specific use cases. Creating a deniable version of GELI, where the metadata is also encrypted The work to implemented GELI in the UEFI loader was discussed, and a number of developers volunteered to review and test the code Following the end of the Dev Summit, the “Newcomers orientation and mentorship” session was run by Michael W. Lucas, which attempts to pair up first time attendees with oldtimers, to make sure they always know a few people they can ask if they have questions, or if they need help getting introduced to the right people. News Roundup Conference Day 1 (http://www.bsdcan.org/2017/schedule/day_2017-06-09.en.html) The conference opened with some short remarks from Dan Langille, and then the opening keynote by Dr Michael Geist, a law professor at the University of Ottawa where he holds the Canada Research Chair in Internet and E-commerce Law. The keynote focused on what some of the currently issues are, and how the technical community needs to get involved at all levels. In Canada especially, contacting your representatives is quite effective, and when it does not happen, they only hear the other side of the story, and often end up spouting talking points from lobbyists as if they were facts. The question period for the keynote ran well overtime because of the number of good questions the discussion raised, including how do we fight back against large telcos with teams of lawyers and piles of money. Then the four tracks of talks started up for the day The day wrapped up with the Work In Progress (WIP) session. Allan Jude presented work on ZSTD compression in ZFS Drew Gallatin presented about work at Netflix on larger mbufs, to avoid the need for chaining and to allow more data to be pushed at once. Results in an 8% CPU time reduction when pushing 90 gbps of TLS encrypted traffic Dan Langille presented about letsencrypt (the acme.sh tool specifically), and bacula Samy Al Bahra presented about Concurrency Kit *** Conference Day 2 (http://www.bsdcan.org/2017/schedule/day_2017-06-10.en.html) Because Dan is a merciful soul, BSDCan starts an hour later on the second day Another great round of talks and BoF sessions over lunch The hallway track was great as always, and I spent most of the afternoon just talking with people Then the final set of talks started, and I was torn between all four of them Then there was the auction, and the closing party *** BSDCan 2017 Auction Swag (https://blather.michaelwlucas.com/archives/2962) Groff Fundraiser Pins: During the conference, You could get a unique Groff pin, by donating more than the last person to either the FreeBSD or OpenBSD foundation Michael W. Lucas and his wife Liz donated some interesting home made and local items to the infamous Charity Auction I donated the last remaining copy of the “Canadian Edition” of “FreeBSD Mastery: Advanced ZedFS”, and a Pentium G4400 (Skylake) CPU (Supports ECC or non-ECC) Peter Hessler donated his pen (Have you read “Git Commit Murder” yet?) Theo De Raadt donated his autographed conference badge David Maxwell donated a large print of the group photo from last years FreeBSD Developers Summit, which was purchased by Allan There was also a FreeBSD Dev Summit T-Shirt (with the Slogan: What is Core doing about it?) autographed by all of the attending members of core, with a forged jhb@ signature. Lastly, someone wrote “I

This week on BSDNow, Allan is back in down from Europe! We'll get to hear some of his wrap-up and get caught up on the latest BSD This episode was brought to you by Headlines FreeBSD Quarterly Report (http://www.freebsd.org/news/status/report-2016-01-2016-03.html) This quarterly status report starts with a rather interesting introduction by Warren Block ASLR Porting CEPH to FreeBSD RCTL I/O Rate Limiting The Graphics Stack on FreeBSD (Haswell is in, work is progressing on the next update) CAM I/O Scheduler NFS Server updates, working around the 16 group limit, and implementing pNFS, allowing NFS to scale beyond a single server Static Analysis of the FreeBSD Kernel with PVS Studio PCI-express HotPlug GitLab Port committed! WITHFASTDEPEND and other improvements to the FreeBSD build system Lots of other interesting stuff *** A Prog By Any Other Name (http://www.tedunangst.com/flak/post/a-prog-by-any-other-name) Ted Unangst looks at what goes into the name of a program “Sometimes two similar programs are really the same program with two names. For example, grep and egrep are two commands that perform very similar functions and are therefore implemented as a single program. Running ls -i and observing the inode number of each file will reveal that there is only one file. Calling the program egrep is a shorthand for -E and does the same thing.” So BSD provides __progname in libc, so a program can tell what its name is But, what if it has more than one name? “In fact, every program has three names: its name in the filesystem, the name it has been invoked with, and whatever it believes its own name to be.” Of course it is not that easy. “there's another set of choices for each name, the full path and the basename” “It's even possible on some systems for argv[0] to be NULL.” He then goes on to rename doas (the OpenBSD light replacement for sudo) to banana and discuss what happens “On that note, another possible bug is to realize that syslog by default uses progname. A user may be able to evade log monitoring by invoking doas with a different name. (Just fixed.)” Another interesting article from our friend Ted *** FreeBSD (https://summerofcode.withgoogle.com/organizations/4892834293350400/) and NetBSD (https://summerofcode.withgoogle.com/organizations/6246531984261120/) Google Summer of Code projects have been announced Some FreeBSD highlights: Add SCSI passthrough to CTL (share an optical drive via iSCSI) Add USB target mode driver based on CTL (share a USB device via iSCSI) API to link created /dev entries to sysctl nodes Implement Ethernet Ring Protection Switching (ERPS) HD Audio device model in userspace for bhyve Some NetBSD highlights: Implement Ext4fs support in ReadOnly mode NPF and blacklistd web interface Port U-Boot so it can be compiled on NetBSD Split debug symbols for pkgsrc builds *** libressl - more vague priomises (http://www.tedunangst.com/flak/post/libressl-more-vague-promises) We haven't had a Ted U article on the show as of late, however this week we get several! In his next entry “LibreSSL, more vague promises” He then goes into some detail on what has happened with LibreSSL in the past while, as well as future plans going forward. “With an eye to the future, what new promises can we make? Some time ago I joked that we only promised to make a better TLS implementation, not a better TLS. Remains true, but fortunately there are people working on that, too. TLS 1.3 support is on the short term watchlist. The good news is we may be ahead of the game, having already removed compression. How much more work can there be?” “LibreSSL integrated the draft chacha20-poly1305 construction from BoringSSL. The IETF has since standardized a slightly different version because if it were the same it wouldn't be different. Support for standard variant, and the beginning of deprecation for the existing code, should be landing very shortly. Incidentally, some people got bent out of shape because shipping chacha20 meant exposing non IANA approved numbers to Internet. No promises that won't happen again.” *** Interview - Samy Al Bahra - @0xF390 (https://twitter.com/0xF390) Backtrace *** News Roundup systrace(1) is removed for OpenBSD 6.0 (http://marc.info/?l=openbsd-cvs&m=146161167911029&w=2) OpenBSD has removed systrace, an older mechanism for limiting what syscalls an application can make It is mostly replaced by the pledge() system OpenBSD was the first implementation, most others have been unmaintained for some time The last reported Linux version was for kernel 2.6.1 NetBSD removed systrace in 2007 *** pfSense Video Series: Comprehensive Guide To pfSense 2.3 (https://www.youtube.com/playlist?list=PLE726R7YUJTePGvo0Zga2juUBxxFTH4Bk) A series of videos (11 so far), about pfSense Covers Why you would use it, how to pick your hardware, and installation Then the series covers some networking basics, to make sure you are up to speed before configuring your pfSense Then a comprehensive tour of the WebUI Then goes on to cover graphing, backing up and restoring configuration There are also videos on running DHCP, NTP, and DNS servers *** DuckDuckGo announces its 2016 FOSS Donations (https://duck.co/blog/post/303/2016-foss-donations-announcement) The theme is “raising the standard of trust online” Supported projects include: OpenBSD Foundation announces DuckDuckGo as a Gold Sponsor (http://undeadly.org/cgi?action=article&sid=20160503085227&mode=expanded) the Freedom of the Press Foundation for SecureDrop the Freenet Project the CrypTech Project the Tor Project Fight for the Future for Save Security Open Source Technology Improvement Fund for VeraCrypt (based on TrueCrypt) Riseup Labs for LEAP (LEAP Encryption Access Project) GPGTools for GPGMail *** Larry the BSD Guy hangs up his hat at FOSS Force (http://fossforce.com/2016/04/bsd-linuxfest-northwest/) After 15 years, Larry the BSD Guy has decided to hang it up, and walk into the sunset! (Figuratively of course) After wrapping up coverage of recent LinuxFest NorthWest (Which he didn't attend), Larry has decided it's time for a change and is giving up his column over at FOSS Force, as well as stepping away from all things technical. His last write-up is a good one, and he has some nice plugs for both Dru Lavigne and Michael Dexter of the BSD community. He will be missed, but we wish him all the luck with the future! He also puts out the plug that FOSS Force will be needing a new columnist in the near future, so if you are interested please let them know! *** Beastie Bits If you sponsored “FreeBSD Mastery: Advanced ZFS”, check your mail box (http://blather.michaelwlucas.com/archives/2648) pkg-1.7.0 is an order of magnitude slower than pkg-1.6.4 (https://marc.info/?l=freebsd-ports&m=146001143408868&w=2) -- Caused by a problem not in pkg LinuxFest Northwest 2016 Recap (https://www.ixsystems.com/blog/linuxfest-northwest-2016/) Dru Lavigne's 'Doc like an Egyption' talk from LFNW (https://www.linuxfestnorthwest.org/2016/sessions/doc-egyptian) Michael Dexters' 'Switching to BSD from Linux' talk from LFNW (https://www.linuxfestnorthwest.org/2016/sessions/devil-details-switching-bsd-linux) Michael Dexters' 'Secrets to enduring user groups' talk from LFNW (https://www.linuxfestnorthwest.org/2016/sessions/20-year-and-counting-secrets-enduring-user-groups) January issue of Freebsd Journal online for free (https://www.freebsdfoundation.org/journal/) Ghost BSD releases 10.3 Alpha1 for testing (http://ghostbsd.org/10.3_alpha1) EuroBSDcon 2016 - Call for Papers - Dealine: May 8th (https://www.freebsdnews.com/2016/04/15/eurobsdcon-2016-call-for-papers/) KnoxBUG Initial Meeting (http://www.knoxbug.org/content/knoxbug-maiden-voyage) Photos, slides, and videos from the Open Source Data Center Conference (https://www.netways.de/en/events_trainings/osdc/archive/osdc2016/) *** Feedback/Questions Mohammad - Replication (http://pastebin.com/KDnyWf6Y) John - Rolling new packages (http://pastebin.com/mAbRwbEF) Clint - Unicast (http://pastebin.com/BNa6pyir) Bill - GhostBSD (http://pastebin.com/KDjS2Hxa) Charles - BSD Videos (http://pastebin.com/ABUUtzWM) ***

This week, Allan is out of town, but since when has that ever stopped us from bringing you a new episode of BSDNow? We have news, This episode was brought to you by Headlines Unix's file durability problem (https://utcc.utoronto.ca/~cks/space/blog/unix/FileSyncProblem) Another article by Chris Siebenmann from the University of Toronto This time, the issue was a lost comment on his Python based blog which uses files on disk rather than a database After an unexpected restart of the system, a recently posted comment no longer existed The post goes on to investigate what the ‘right way' to ensure file durability is The answer, as you might expect, is “it depends…” Normally, fsync() should work, but it seems with ext4 and some other file systems, you must also fsync() the directory where the file was created, or it might not be possible to find the file after a crash Do you need to fsync() the parent of that directory too? Then what is fdatasync() for? What about just calling sync()? “One issue is that unlike many other Unix API issues, it's impossible to test to see if you got it all correct and complete. If your steps are incomplete, you don't get any errors; your data is just silently sometimes at risk. Even with a test setup to create system crashes or abrupt power loss (which VMs make much easier), you need uncommon instrumentation to know things like if your OS actually issued disk flushes or just did normal buffered writes. And straightforward testing can't tell you if what you're doing will work all the time, because what is required varies by Unix, kernel version, and the specific filesystem involved.” Second post by author: How I'm trying to do durable disk writes (https://utcc.utoronto.ca/~cks/space/blog/python/HowISyncDataDWiki) Additional Discussion on Hacker News (https://news.ycombinator.com/item?id=11511269) The discussion on HN also gets into AIO and other more complicated facilities, but even those seem to be vague about when your data is actually safe At least ZFS ensures you never get half of your new data, and half of your old data. *** Build a FreeBSD 10.3-release Openstack Image with bsd-cloudinit (https://raymii.org/s/tutorials/FreeBSD_10.3-release_Openstack_Image.html) Are you using FreeBSD and OpenStack or would you like to be? We next have a great tutorial which explains the ins-and-outs of doing exactly that. Remy van Elst brings us a great walkthrough on his site on how to get started, and hint it involves just a few ‘pip' commands. After getting the initial Python tools bootstrapped, next he shows us how to save our OpenStack settings in a sourceable shell command, which comes in handy before doing admin on a instance. Next the ‘glance' and ‘cinder' tools are used to upload the target OS ISO file and then create a volume for it to install onto. Next the VM is started and some specific steps are outlined on getting FreeBSD 10.3 installed into the instance. It includes some helpful hints as how to fix a mountroot error, if you installed to ada0, but need to mount via vtdb0 instead now. After the installation is finished, the prep for ‘cloudinit' is done, and the resulting image is compressed and made ready for deployment. We've kinda stepped through some of the more gory steps here, but if OpenStack is something you work with, this tutorial should be at the top of your “must read” list. *** Undeadly and HTTPS (http://undeadly.org/cgi?action=article&sid=20160411201504) Undeadly, the OpenBSD journal, is thinking of moving to HTTPS only In order to do this, they would like some help rewriting part of the site Currently, when you login to post comments, this is done over HTTPS, but to an stunnel instance running a custom script that gives you a cookie, and sends you back to the non-HTTPS site They would like to better integrate the authentication system, and otherwise improve the code for the site There is some pushback as well, questioning whether it makes sense to block users who are unable to use HTTPS for one reason or another I think it makes sense to have the site default to HTTPS, but, maybe HTTPS only doesn't make sense. There is nothing private on the site, other than the authentication system which is optional, not required to post a comment. There is also some discussion about the code for the site, including the fact that when the code was released, the salt for the password database was included This is not actually a security problem, but the discussion may be interesting to some viewers *** FreeBSD Journal March/April Edition (https://www.freebsdfoundation.org/journal/browser-based-edition/) The next issue of the FreeBSD Journal is here, and this time it is about Teaching with Operating Systems In addition to the usual columns, including: svn update, the ports report, a conference report from FOSDEM, a meetup report from PortsCamp Taipei, A book review of "The Algorithm Design Manual", and the Events Calendar; there are a set of feature articles about teaching Teaching with FreeBSD through Tracing, Analysis, and Experimentation CHERI: Building a foundation for secure, trusted computing bases A brief history of Fast Filesystems There is also an interview with Gleb Smirnoff, a member of the Core team, release engineering, and the deputy security officer, as well as a senior software developer at Netflix Get the latest issue from your favourite mobile store, or the “Desktop Edition” directly in your browser from the FreeBSD Foundation's website *** Interview - Brooks Davis - brooks@FreeBSD.org (mailto:brooks@FreeBSD.org) / @brooksdavis (https://twitter.com/brooksdavis) CHERI and Capabilities *** TrueNAS Three-Peats!!! (https://www.ixsystems.com/blog/truenas-three-peats/) News Roundup UbuntuBSD Is Looking To Become An Official Ubuntu Flavor (http://linux.softpedia.com/blog/ubuntubsd-is-looking-to-become-an-official-ubuntu-flavor-502746.shtml) You may recall a few weeks back that we were a bit surprised by the UbuntuBSD project and its longevity / goals. However the project seems to be pushing forward, with news on softpedia.com that they are now seeking to become an ‘official' Ubuntu Flavor. They've already released a forth beta, so it seems the project currently has some developers pushing it forward: "I would like to contribute all my work to Ubuntu Community and, if you think it is worthy, make ubuntuBSD an official Ubuntu project like Xubuntu or Edubuntu," said Jon Boden. "If you're interested, please let me know how would you like me to proceed." It's Just Bits (http://blog.appliedcompscilab.com/its_just_bits/index.html) We have next an interesting blog post talking about the idea that “It's just all bits!” The author then takes us down the idea of no matter how old or mysterious the code may be, in the end it is ending up as bits arranged a certain way. Then the article transitions and takes us through the idea that old bits, and bits that have grown too large should often be good candidates for replacement by “simpler” bits, using OpenBSD as an example. “The OpenBSD community exemplifies this in many ways by taking existing solutions and simplifying them. Processing man pages is as old as Unix, and even in the 21st century OpenBSD has taken the time to rewrite the existing solution to be simpler and safer. It's just bits that need to be turned into other bits. Similarly, OpenBSD has introduced doas as an alternative to sudo. While not replacing sudo entirely, doas makes the 99.99% case of what people use sudo for easier and safer. They are just bits that need to be authenticated. “ All in all, a good read, and it reinforces the point that nothing is really truly “finished”. As computing advances and new technologies / practices are made available, sometimes it makes a lot of sense to go back and re-write things in order to simplify the complexity that has snuck in over time. *** Disk IO limiting is coming to FreeBSD (https://lists.freebsd.org/pipermail/svn-src-head/2016-April/084288.html) A much requested feature for both Jails and VM's on FreeBSD has just landed with experimental support in -HEAD, Disk IO limiting! The Commit message states as follows: “Add four new RCTL resources - readbps, readiops, writebps and writeiops, for limiting disk (actually filesystem) IO. Note that in some cases these limits are not quite precise. It's ok, as long as it's within some reasonable bounds. Testing - and review of the code, in particular the VFS and VM parts - is very welcome.” Well, what are you waiting for? This is a fantastic new feature which I'm sure will get incorporated into other tools for controlling jails and VM's down the road. If you give it a spin, be sure to report back bugs so they can get quashed in time for 11. *** BeastieBits PC-BSD 10.3 Is the Last in the Series, PC-BSD 11.0 Arrives Later This Year (http://news.softpedia.com/news/pc-bsd-10-3-is-the-last-in-the-series-pc-bsd-11-0-arrives-later-this-year-502570.shtml) ASLR now on by default in NetBSD amd64 (http://mail-index.netbsd.org/source-changes/2016/04/10/msg073939.html) Daniel Bilik's fix for hangs on Baytrail (http://lists.dragonflybsd.org/pipermail/users/2016-April/228682.html) Don't forget about PGCon 2016 (http://www.pgcon.org/2016/) Get your paper in for EuroBSDCon 2016, deadline is May 8th (https://2016.eurobsdcon.org/call-for-papers/) Feedback/Questions John - Destroy all Dataset (http://pastebin.com/QdGWn0TW) Thomas - Misc Questions (http://pastebin.com/43YkwBjP) Ben - ZFS Copy (http://pastebin.com/gdi3pswe) Bryson - SysV IPC (http://pastebin.com/E9n938D1) Drin - IPSEC (http://pastebin.com/bgGTmbDG) ***

This week on BSDNow, we will be talking shop with Josh Paetzel of FreeNAS fame, hearing about his best do's and do-nots of using ZFS in production. Also, a quick iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** FreeNAS Logo Design Contest (https://www.ixsystems.com/freenas-logo-contest/) Rules and Requirements (https://forums.freenas.org/index.php?threads/freenas-logo-design-contest.39968/) For those of you curious about Kris' new lighting here are the links to what he is using. Softbox Light Diffuser (http://smile.amazon.com/gp/product/B00OTG6474?psc=1&redirect=true&ref_=oh_aui_detailpage_o01_s00&pldnSite=1) Full Spectrum 5500K CFL Bulb (http://smile.amazon.com/gp/product/B00198U6U6?psc=1&redirect=true&ref_=oh_aui_detailpage_o06_s00) *** This episode was brought to you by Headlines A Brief look back at 2015 (http://fossforce.com/2015/12/bsd-brief-look-back-2015/) As we start the show this week, we begin with a brief look back at BSD in 2015, brought to us by Larry at FOSS force. Aside from his issue with tap-to-click on the touchpad, his PC-BSD experience has been pretty good. (Larry, if you hear this, jump on #pcbsd on FreeNode and we will lend a hand) He mentions that this really isn't his first time running BSD, apparently back in ye-olden days he got NetBSD up and running on a PowerBook G3, until an update brought that experience to abrupt ending. He gives a shout-out to the FreeBSD Foundation as being a great go-to source for wrapup on the previous year in FreeBSD land, while also mentioning the great 4.4 release of DragonFly, and some of the variants, such as RetroBSD and LiteBSD He leaves us with a tease for 2016 that work is ongoing on Twitter to port over Mopidy, a python based extensible music server *** A look forward at BSD events throughout 2016 (http://www.bsdevents.org/scheduler/) After a quick look back at 2015, now its time to start planning your 2016 schedule. The BSDEvents site has a calendar of all the upcoming conferences / shows where BSD will have a presence this year. There are quite a few items on the agenda, including non BSD specific conferences, such as SCALE / Fosdem and more. Take a look and see, you may be able to find something close your location where you can come hang out with other BSD developers. (or better yet), if a linux conference is coming to your town, think about submitting a BSD talk! Additionally, if getting BSD Certification is something on your 2016 resolutions, you can often take the test at one of these shows, avoiding the need to travel to a testing center. *** The 'Hidden' Cost of Using ZFS for Your Home NAS (http://louwrentius.com/the-hidden-cost-of-using-zfs-for-your-home-nas.html) An article was recently posted that seems to be trying to dissuade people from using ZFS for their home NAS It points out what experienced users already know, but many newcomers are not strictly aware of: Expanding a ZFS pool is not always as straightforward as you think it should be ZFS was designed to be expanded, and it handled this very well However, a ZFS pool is made up of VDEVs, and it is these VDEVs that provide the redundancy. RAID-Z VDEVs cannot be changed once they are created. You can replace each disk individually, and the VDEV will grow to its new larger size, but you cannot add additional disks to a RAID-Z VDEV At this point, your option is to add an additional VDEV, although best practises dictate that the new VDEV should use an equal number of disks, to avoid uneven performance So, if you started with a 6 disk RAID-Z2, having to add 6 more disks to grow the pool does seem excessive For the best flexibility, use mirrors. If you had used 6 disks as 3 mirrors of 2 disks each, you could then just add 2 more disks at a time. The downside is that using 2TB disks, you'd only have 6TB of usable space, versus the 8TB you would get from those disks in a RAID-Z2 This is the trade-off, mirrors give you better performance and flexibility, but less space efficiency It is important to note that the diagrams in this article make it appear as if all parity information is stored on specific drives. In ZFS parity is spread across all drives. Often times, the data written to the drive is not of a size that can evenly be split across all drives, so the data actually ends up looking like this (http://blog.delphix.com/matt/files/2014/06/RAIDZ.png) The errors as I see it in the original article are: It notes that the hidden cost of ZFS is that if you add a second RAID-Z VDEV, you will have a whole second set of parity drives. While this is a cost, it is the cost of making sure your data is safe. If you had an array with more than 12 drives, it is likely that you would to be able to withstand the failure of the larger number of drives The article does not consider the resilver time. If you did create a configuration with a very wide RAID-Z stripe, the failure of a disk would leave the pool degraded for a much longer time, leaving your pool at risk for that longer period. The article does not consider performance. Two RAID-Z2 VDEVs of 6 disks each will give much better performance than a single VDEV of 10 or 12 disks, especially when it comes to IOPS. *** ZFS Boot Enviroments now availble in the FreeBSD bootloader (https://svnweb.freebsd.org/base?view=revision&revision=293001) It's been in phabricator for a while (and PC-BSD), but the support for Boot-Environments has now landed upstream in -CURRENT This work was helped by cross-project collaboration when an IllumOS Developer, Toomas Soome, started porting the FreeBSD loader to IllumOS to replace GRUB there This gives Beastie menu the ability to look at the ZFS disk, and dynamically list boot-environments that it finds. (Much nicer than GRUB, which required a pre-written configuration file) This work was extended further, when Toomas Soome also ported the Beastie Menu to the UEFI loader (https://svnweb.freebsd.org/base?view=revision&revision=293233) which is now enabled by default for UEFI (https://svnweb.freebsd.org/base?view=revision&revision=293234) All of these changes are scheduled to be merged back in time for FreeBSD 10.3 as well. There is also a patch being worked on to support booting from ZFS in UEFI (https://reviews.freebsd.org/D4515) This is exciting times for doing neat things with ZFS on root, these plus Allans forthcoming GELI support (https://reviews.freebsd.org/D4593) will negate the necessity for GRUB on PC-BSD for example (Kris is very happy) *** Interview - Josh Paetzel - email@email (mailto:email@email) / @bsdunix4ever (https://twitter.com/bsdunix4ever) ZFS Support *** News Roundup RetroBSD being tested on ESP32 (http://retrobsd.org/viewtopic.php?f=1&t=37470) More hardware news for RetroBSD and LiteBSD I don't know much about this hardware, but there is a lot of discussion in the forum threads about it Not sure what you are supposed to accomplish with only 400kb of ram LITEBSD Brings 4.4BSD to PIC32 (https://hackaday.com/2016/01/04/litebsd-brings-4-4bsd-to-pic32/) It is interesting to see these super-small boards with only 512kb of memory, but will crypto offload support It is also interesting to see talk of 140mbps WiFi, can the processor actually handle that much traffic? BSD Unix-like OS is Resurrected for Embedded IoT Market (http://thevarguy.com/open-source-application-software-companies/bsd-unix-os-resurrected-embedded-iot-market) Related to the above stories, we also have an article about BSD making a resurgence on various Internet of things devices, which mentions both RetroBSD and LiteBSD The article mentions that this is an exciting development for embedded vars who now have an alternative licensed open-source OS to potentially use *** HardenedBSD's new Binary Updater (https://hardenedbsd.org/article/shawn-webb/2015-12-31/introducing-hardenedbsds-new-binary-updater) It looks like there is now another way to update your FreeBSD(hardened) system The post by Shawn Web, details how the new updater will work in future releases of HBSD Right now it looks fairly straight-forward, creating both the base.txz and kernel.txz, along with some data for etcupdate It includes a nice option for the kernel name in the update, allowing different kernels to be installed / updated at will Everything is cryptographically signed and verified using the base system openssl The build system is fairly simple, only requiring “sh/git/openssl” to create the binary updates Planned features also include updating of jails, and ZFS boot-environments *** Sometimes, processors need (BSD) love too (http://functionallyparanoid.com/2016/01/02/sometimes-processors-need-love-too/) We have a blog post from Brian Everly, talking about his long journey into legacy processors and the plans for the future to work on better supporting them on OpenBSD ports He begins with the story of his UNIX journey to today, and why this fostered his love for many of these old (and not so old) architectures, such as Sparc64, PPC32, i386. This journey ended up with the purchase of some legacy hardware (ebay is your friend), and the creation of a database listing the major port blockers on each platform This is the great kind of thing folks can do to step up and help a project, even as a weekend hobby it's great to run some hardware and help test / fix up issues that other developers maybe don't interact with as much anymore. *** Beastie Bits The standard MWL disclaimer (http://blather.michaelwlucas.com/archives/2510) PC-BSD 11.0-CURRENTJAN2016 Available (http://lists.pcbsd.org/pipermail/testing/2016-January/010350.html) NetBSD pkgsrc-2015Q3 statistics (http://mail-index.netbsd.org/tech-pkg/2015/12/28/msg016193.html) NetBSD pkgsrc-2015Q4 released (http://mail-index.netbsd.org/tech-pkg/2016/01/01/msg016213.html) First Reproducible builds conference in Athens (http://blog.netbsd.org/tnf/entry/reproducible_builds_conference_in_athens) The creator of the original ThinkPad design passes away (http://www.theregister.co.uk/2016/01/06/thinkpad_designer_obituary) Feedback/Questions Andrew - High Contrast (http://slexy.org/view/s213iCKLwn) John - FreeNAS followup (http://slexy.org/view/s21ClGePLP) Giorgio - Custom Install (http://slexy.org/view/s21527pkO1) Don - ZFS Slowdowns (http://slexy.org/view/s2jOlCsjkU) Fred - Dual Boot PC-BSD/Linux (http://slexy.org/view/s21uaB0FDU) ***

This week on the show, we will be interviewing Alex Rosenberg, to This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** Headlines Life with an OpenBSD Laptop: A UNIX-lover's tale of migrating away from the Mac. The Good, The Bad, The Ugly (http://www.nycbug.org/event/10356/openbsd_laptop_nycbug_2015.pdf) OpenBSD user Isaac (.ike) Levy details his switch from a Mac to an OpenBSD laptop He covers a bit about selecting hardware and dealing with wifi Talks about binary packages and system upgrades Talks about power management, suspend/resume, battery life Show screenshots of some of his favourite window managers Browsers and email clients are also discussed Things he found missing in OpenBSD: A journaling file system, every unclean shutdown means a full fsck(1) UTF-8/unicode was not everywhere Syncing pictures and contacts to his phone Drawing tools *** DragonFlyBSD matches its Intel kernel graphics driver against Linux 4.0 (http://lists.dragonflybsd.org/pipermail/commits/2015-December/459067.html) The DragonFlyBSD DRM stack continues to rapidly advance, now bringing in support from Linux 4.0! Some of the notable features: Basic Skylake support Panel Self-Refresh (PSR) now supported on Valleyview and Cherryview Preparations for atomic display updates Performance improvements on various GPU families, including Cherryview, Broadwell and Haswell GPU frequencies are now kept at a minimum of 450MHz when possible on Haswell and Broadwell, ensuring a minimum experience level for various types of workloads Improved reset support for gen3/4 GPUs, which should fix some OpenGL crashes on Core 2 and pre-2012 Atom machine Better sound/graphics driver synchronization for audio over hdmi support As usual, small bugfixes and stability improvements here and there *** A BSD Wish List for 2016 (http://fossforce.com/2015/12/bsd-wish-list-2016/) Larry over at Foss Force brings us his wish list for BSD support in 2016. Since he has converted most of his daily desktop usage to PC-BSD, he is specifically wanting support for some desktop applications. Namely Google hangouts and Spotify. This is something which has come up periodically among the PC-BSD community. At the moment most users are dual-booting or using alternatives, like WebRTC. However the Google Hangouts plugin is available for Linux, and perhaps this will encourage some developers to see if we can get it running with the newer Linux stack on -CURRENT. Spotify also has a native Linux version, which may need testing on FreeBSD - CURRENT. It may be closer now, and should be updated on the Wanted Ports Page https://wiki.freebsd.org/WantedPorts *** Hard Float API coming soon by default to armv6 (http://bsdimp.blogspot.com/2015/12/hard-float-api-coming-soon-by-default.html) Warner Losh talks about upcoming changes to armv6 on FreeBSD “All the CPUs that FreeBSD supports have hard floating point in them. We've supported hard float for quite some time in the FreeBSD kernel. However, by default, we still use a soft-float ABI.” First, “A new armv6hf (architecture) was created, but that caused some issues with some ports, and the meaning of 'soft float' sadly was ambiguous between the soft-float ABI, and the soft-float libraries that implement floating point when there's no hardware FPU” “Over the spring and summer, I fixed ld.so so that it can load both soft ABI and hard ABI libraries on the same system, depending on markings in the binaries themselves. Soft float ABI and hard float ABI binaries have different flags in the ELF headers, so it is relatively straightforward to know which is which.” “So, in the coming days, I'll commit the first set of changes to move to armv6 as a hard float ABI by default. The kernel doesn't care: it can execute both. The new ld.so will allow you to transition through this change by allowing old, compat soft ABI libraries to co-exist on the system with new hard ABI libraries. This change alone isn't enough, but it will be good to get it out into circulation.” “armv6hf will be removed before FreeBSD 11” A LIBSOFT will be created, similar in concept to the LIB32 available on AMD64 *** Interview - Alex Rosenberg - alexr@leftfield.org (mailto:alexr@leftfield.org) / @alexr (https://twitter.com/alexr) Former Manager of Platform Architecture at Sony *** Beastie Bits Tuesday, Dec 20, 2005 was the release date of the very first bsdtalkpodcast (http://bsdtalk.blogspot.com/2005/12/bsdtalk001-intro-to-bsd.html) Patch: Server side support for TCP FastOpen (https://reviews.freebsd.org/D4350) Learn to tame OpenBSD quickly (http://www.openbsdjumpstart.org/) Hardware Accerated iSCSI lands in FreeBSD (https://svnweb.freebsd.org/base?view=revision&revision=292740) Settings for full HD resolution on DragonFlyBSD under QEMU/KVM, thanks to reddit user Chapo_Rouge (https://www.reddit.com/r/dragonflybsd/comments/3x4n7u/psa_1920x1080_on_dragonflybsd_44_under_qemukvm/) Patch: An IllumOS developer has been porting the FreeBSD boot loader to replace their old version of GRUB. In doing so, he has also made improvements to the block caching in the boot loader (https://reviews.freebsd.org/D4713) A FreeBSD user working at Microsoft talks about Microsoft's shift to Open Source (http://blog.teleri.net/open-microsoft/) BSDCG Exam Session at FOSDEM'16 (https://fosdem.org/2016/schedule/event/cert_bsdcg/) Schedule for the BSD devroom at FOSDEM'16 (https://fosdem.org/2016/schedule/track/bsd/) OpenBSD snapshots are now 5.9 (http://marc.info/?l=openbsd-cvs&m=145055446007162&w=2) Notes on making BSD grep faster (http://blog.erratasec.com/2015/12/some-notes-on-fast-grep.html#.VoQKD1JSRhx) Intel's Platform Application Engineering (PAE) group within the Networking Division (ND) is looking for a Network Software Engineer (https://www-ssl.intel.com/content/www/us/en/jobs/job-search/js2.html?job=782165&src=ML-12080) Did you watch Die Hard at Christmas? Get the Die Hard FreeBSD boot screen: install this file in /boot and set loader_logo="tribute" in /boot/loader.conf (http://locheil.shxd.cx/logo-tribute.4th) Feedback/Questions Jeremy - ZFS without root (http://slexy.org/view/s20CTqtEan) Dan - Getting PC-BSD Media (http://slexy.org/view/s20sNPoDm5) Chris - VMs and FreeBSD (http://slexy.org/view/s2hjsVgGBK) Ben - Haswell and IRC (http://slexy.org/view/s21pwYOTHi) Instructions for trying the Haswell patch (https://wiki.freebsd.org/Graphics/Update%20i915%20GPU%20driver%20to%20Linux%203.8) Matt - Donation to foundation (http://slexy.org/view/s20vifHCyc) ***

This week on the show, we are going to be talking to Trent Thompson, This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** Headlines Review: Guarding the gates with OpenBSD 5.8 (http://distrowatch.com/weekly.php?issue=20151207#openbsd) Jesse Smith over at DistroWatch treats us this week to a nice review of OpenBSD 5.8, which may be a good introduction for the uninitiated to learn more+ He first walks through some of the various highlights of 5.8, and spends time introducing the reader to a number of the projects that originate from OpenBSD, such as LibreSSL, OpenSSH, doas, the new “file” implementation and W^X support on i386. The article then walks through his impressions of performing a fresh install of 5.8, and then getting up and running in X. He mentions that you may want to check the installation defaults, since on his 8GB VM disk, it didn't leave enough room for packages on the /usr partition. It also includes a nice heads-up for new users about using the pkg_add command, and where / how you can set the initial repository mirror address. The “doas” command was also praised:“I found I very much appreciated the doas command, its documentation and configuration file. The doas configuration file is much easier to read than sudo's and the available options are well explained. The doas command allowed me to assign root access to a user given the proper password and doas worked as advertised.” A glowing summary as well:“OpenBSD may be very secure, but I think what sets the operating system apart are its documentation and clean system design. It is so easy to find things and understand the configuration of an OpenBSD system. The file system is organized in a clean and orderly manner. It always takes me a while to get accustomed to using OpenBSD, as for me it is a rare occurrence, but once I get settled in I like how straight forward everything is. I can usually find and configure anything on the system without referring to external documents or searching for answers on-line and that is quite an accomplishment for an operating system where virtually everything is done from the command line. “ *** OpenBSD Hackathon Reports Alexander Bluhm: multiprocessor networking (http://undeadly.org/cgi?action=article&sid=20151212192918) “The next step, we are currently working on, is to remove the big kernel lock from forwarding and routing. mpi@ has been doing this for a long time, but some corner cases were still left. I have written a regression test for handling ARP packets to show that all cases including proxy ARP are still working. Another thing that may happen with lock-free routing is that the interface is destroyed on one CPU while another CPU is working with a route to that interface. We finally got this resolved. The code that destroys the interface has to wait until all routes don't use this interface anymore. I moved the sleep before the destruction of the interface is started, so that the routes can always operate on a completely valid interface structure.” Vincent Gross: ifa_ifwithaddr() (http://undeadly.org/cgi?action=article&sid=20151215150708) Vincent worked on the function that finds the interface with the specified address, which is used to tell if the machine is the intended recipient of an incoming packet. A number of corner cases existed with broadcast addresses, especially if two interfaces were in the same subnet. This code was moved to the new in_broadcast() Ken Westerback: fdisk, installbot, and dhclient (http://undeadly.org/cgi?action=article&sid=20151216192843) Reyk Floeter: Hosting a hackathon, vmd, vmctl (http://undeadly.org/cgi?action=article&sid=20151217134417) “When I heard that Martin Pieuchot (mpi@) was looking for a place to hold another mini-hackathon for three to four people to work on multiprocessor (MP) enhancements of the network stack, I offered to come to our work place in Hannover, Northern Germany. We have space, gear, fast Internet and it is easy to reach for the involved people. Little did I know that it would quickly turn into n2k15, a network hackathon with 20 attendees from all over the world” “If you ever hosted such an event or a party for many guests, you will know the dilemma of the host: you're constantly concerned about your guests enjoying it, you have to take care about many trivial things, other things will break, and you get little to no time to attend or even enjoy it yourself. Fortunately, I had very experienced and welcomed guests: only one vintage table and a vase broke – the table can be fixed – and I even found some time for hacking myself.” Martin Pieuchot: MP networking (http://undeadly.org/cgi?action=article&sid=20151218175010) “ We found two kind of MP bugs! There are MP bugs that you fix without even understanding them, and there are MP bugs that you understand but can't fix” Stefan Sperling: initial 802.11n support (http://undeadly.org/cgi?action=article&sid=20151219160501) *** Hacking the PS4 (https://cturt.github.io/ps4.html) As a followup to the story last week about the PS4 being “jailbroken”, we have a link to further information about how far this project has come along This article also provides some great background information about whats running under the hood of your PS4, including FreeBSD 9, Mono VM and WebKit, with WebKit being the primary point of entry to jailbreak the box. One particular point of interest, was the revelation that early firmware versions did not include ASLR, but it appears ASLR was added sometime around firmware 1.70. (Wonder if they used HardenedBSD's implementation), and how they can bypass it entirely. “Luckily for us, we aren't limited to just writing static ROP chains. We can use JavaScript to read the modules table, which will tell us the base addresses of all loaded modules. Using these bases, we can then calculate the addresses of all our gadgets before we trigger ROP execution, bypassing ASLR.“ The article also mentions that they can prove that jails are used in some fashion, and provides examples of how they can browse the file system and dump a module list. The kernel exploit in question is SA-15:21 (https://www.freebsd.org/security/advisories/FreeBSD-SA-15:21.amd64.asc) from August of this year. The jailbreaking appears to be against an older version of PS4 firmware that did not include this patch *** Nokia and ARM leading the charge to implement better TCP/IP as part of the 5G standard (http://www.theregister.co.uk/2015/12/14/nokia_and_arm_bid_reinvent_tcpip_stack_5g/?page=1) “Many believe that a critical success factor for 5G will be a fully revamped TCP/IP stack, optimized for the massively varied use cases of the next mobile generation, for cloud services, and for virtualization and software-defined networking (SDN). This is the goal of the new OpenFastPath (OFP) Foundation, founded by Nokia Networks, ARM and industrial IT services player Enea. This aims to create an open source TCP/IP stack which can accelerate the move towards SDN in carrier and enterprise networks. Other sign-ups include AMD, Cavium, Freescale, Hewlett Packard Enterprise and the ARM-associated open source initiative, Linaro.” “The new fast-path TCP/IP stack will be based on the open source FreeBSD operating system” The general idea is to have a fast, open source, user space networking stack, based on the FreeBSD stack with an “optimised callback-based zero-copy socket API” to keep packet processing in user-space as far as possible It will be interesting to see a little bit more FreeBSD getting into every mobile and cloud based device. *** Interview - Trent Thompson - trentnthompson@gmail.com (trentnthompson@gmail.com) / @pr1ntf (https://twitter.com/pr1ntf) iohyve (https://github.com/pr1ntf/iohyve) *** News Roundup First cut of the FreeBSD modularized TCP stack (https://svnweb.freebsd.org/base?view=revision&revision=292309) FreeBSD now has more than one TCP stack, and better yet, you can use more than one at once Each socket pcb is associated with a stack, and it is possible to select a non-default stack with a socket option, so you can make a specific application use an experimental stack, while still defaulting to the known-good stack This should lead to a lot of interesting development and testing, without the level of risk usually associated with modifying the TCP stack The first new module available is ‘fastpath', which may relate to the Nokia story earlier in the show There are also plans to support changing TCP stacks after establish a session, which might land as early as January *** Faces of FreeBSD : Erin Clark (http://freebsdfoundation.blogspot.com/2015/12/faces-of-freebsd-2015-erin-clark.html) In this edition of “Faces of FreeBSD” the FreeBSD foundation gives us an introduction to Erin Clark, of our very own iXsystems! Her journey to the BSD family may sound similar to a lot of ours. She first began using Linux / Slackware in the early 2000's, but in 2009 a friend introduced her to FreeBSD and the rest, as they say, is history. “I use FreeBSD because it is very solid and secure and has a great selection of open source software that can be used with it from the ports collection. I have always appreciated FreeBSD's networking stack because it makes a great router or network appliance. FreeBSD's use of the ZFS file system is also very nice - ZFS snapshots definitely saved me a few times. I also like that FreeBSD is very well documented; almost everything you need to know about working with FreeBSD can be found in the FreeBSD Handbook.” Originally a sys admin at iXsystems, where she helped managed PC-BSD desktops among others, now she works on the FreeNAS project as a developer for the CLI interface functionality. *** New Olimex board runs Unix (https://olimex.wordpress.com/2015/12/16/new-product-in-stock-pic32-retrobsd-open-source-hardware-board-running-unix-like-retrobsd-os/) Looking for some small / embedded gear to mess around with? The Olimex folks have a new Pic32 system now available which runs “RetroBSD” “The current target is Microchip PIC32 microcontroller with 128 kbytes of RAM and 512 kbytes of Flash. PIC32 processor has MIPS M4K architecture, executable data memory and flexible RAM partitioning between user and kernel modes.” RetroBSD isn't something we've covered extensively here on BSDNow, so to bring you up to speed, it is a port of 2.11 BSD Their website lists the following features of this 2.11 refresh:“ Small resource requirements. RetroBSD needs only 128 kbytes of RAM to be up and running user applications. Memory protection. Kernel memory is fully protected from user application using hardware mechanisms. Open functionality. Usually, user application is fixed in Flash memory - but in case of RetroBSD, any number of applications could be placed into SD card, and run as required. Real multitasking. Standard POSIX API is implemented (fork, exec, wait4 etc). Development system on-board. It is possible to have C compiler in the system, and to recompile the user application (or the whole operating system) when needed.“ For those looking into BSD history, or wanting something small and exotic to play with this may fit the bill nicely. *** OpenSource.com reviews PCBSD (https://opensource.com/life/15/12/bsd-desktop-user-review-pc-bsd) Joshua over at opensource.com writes up a review of PC-BSD (10.2 we assume) Some of the highlights mentioned, include the easy to use graphical installer, but he does mention we should update the sorting of languages. (Good idea!) Along with including nice screenshots, it also covers the availability of various DE's / WM's, and talks a fair amount about the AppCafe and Control Panel utilities. “Thanks to being featured on PC-BSD's desktop, the PC-BSD Handbook is easily located by even the most novice user. There is no need to search through the system's installed applications for a manual, or relying solely on the help documentation for individual components. While not comprehensive, PC-BSD's handbook does a good job as striking a balance between concise and thorough. It contains enough information to help and provides detailed instructions for the topics it covers, but it avoids providing so much information that it overwhelms” *** BeastieBits Gandi introduces support for FreeBSD on their IaaS platform, with both ZFS and UFS based images available (https://www.gandi.net/news/en/2015-12-23/6473-introducing_freebsd_and_trimming_down_the_official_image_list/) Funny commit message from the Linux kernel (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f076ef44a44d02ed91543f820c14c2c7dff53716) FreeBSD Journal, Nov/Dec 2015 (https://www.freebsdfoundation.org/journal/vol2_no6) Feedback/Questions Zafer - NetBSD on DO (http://slexy.org/view/s2MPhvSFja) Richard - FreeNAS Replication (http://slexy.org/view/s2hhJktjRu) Winston - Android ADP (http://slexy.org/view/s2VK83ILlK) Alex - Multiple Domains (http://slexy.org/view/s20UVY8Bs5) Randy - Getting Involved (http://slexy.org/view/s20Cb076tu) Craig - zprezto (http://slexy.org/view/s2HNQ2aB42) ***

This week on BSDNow, we are going to be talking to Pawel about how his This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** Headlines Note the recent passing of 2 members of the BSD community Juergen Lock / Nox (https://www.freebsd.org/doc/en_US.ISO8859-1/articles/contributors/contrib-develinmemoriam.html) Benjamin Perrault / creepingfur (https://twitter.com/michaeldexter/status/676290499389485057) Memories from Michael Dexter (http://pastebin.com/4BQ5uVsT) Additional Memories (http://www.filis.org/rip_ben.txt) Benjamin and Allan at Ben's local bar (http://www.allanjude.com/bsd/bp/IMG_20151101_161727-auto.jpg) Benjamin treated Allan and Michael Dexter to their first ever Bermese food (http://www.allanjude.com/bsd/bp/IMG_20151101_191344-auto.jpg) Benjamin enjoying the hallway track at EuroBSDCon 2015 (http://www.allanjude.com/bsd/bp/IMG_20151003_105457-auto.jpg) *** NGINX as Reverse Proxy for Apache on FreeBSD 10.2 (http://linoxide.com/linux-how-to/install-nginx-reverse-proxy-apache-freebsd-10-2/) A tutorial on setting up NGINX as a reverse proxy for Apache Sometimes your users or application require some feature of Apache, that cannot be easily replicated in NGINX, like .htaccess files or a custom apache module In addition, because the default worker model in Apache does not accept new work until it is finished sending the request, a user with a slow connection can tie down that worker for a long time With NGINX as a reverse proxy, it will receive the data from the Apache worker over localhost, freeing that worker to answer the next request, while NGINX takes care of sending the data to the user The tutorial walks through the setup, which is very easy on modern FreeBSD One could also add mod_rpaf2 to the Apache, to securely pass through the users' real IP address for use by Apache's logging and the PHP scripts *** FreeBSD and FreeNAS in Business by Randy Westlund (http://bsdmag.org/freebsd_freenas/) The story of how a Tent & Awning company switched from managing orders with paper, to a computerized system backed by a FreeNAS “At first, I looked at off-the-shelf solutions. I found a number of cloud services that were like Dropbox, but with some generic management stuff layered on top. Not only did these all feel like a poor solution, they were very expensive. If the provider were to go out of business, what would happen to my dad's company?” “Fortunately, sourcing the hardware and setting up the OS was the easiest part; I talked to iXsystems. I ordered a FreeNAS Mini and a nice workstation tower” “I have r2d2 (the tower, which hosts the database) replicating ZFS snapshots to c3po (the FreeNAS mini), and the data is backed up off-site regularly. This data is absolutely mission-critical, so I can't take any risks. I'm glad I have ZFS on my side.” “I replaced Dropbox with Samba on c3po, and the Windows machines in the office now store important data on the NAS, rather than their local drives.” “I also replaced their router with an APU board running pfSense and replaced their PPTP VPN with OpenVPN and certificate authorization.” “FreeBSD (in three different incarnations) helped me focus on improving the company's workflow without spending much time on the OS. And now there's an awning company that is, in a very real sense, powered by FreeBSD.” *** Tutorial, Windows running under bhyve (http://pr1ntf.xyz/windowsunderbhyve.html) With the recent passing of the world's foremost expert on running Windows under bhyve on FreeBSD, this tutorial will help you get up to speed “The secret sauce to getting Windows running under bhyve is the new UEFI support. This is pretty great news, because when you utilize UEFI in bhyve, you don't have to load the operating system in bhyveload or grub-bhyve first.” The author works on iohyve, and wanted to migrate away from VirtualBox, the only thing stopping that was support for Windows Guests iohyve now has support for managing Windows VMs The tutorial uses a script to extract the Windows Server 2008 ISO and set up AutoUnattend.xml to handle the installation of Windows, including setting the default administrator password, this is required because there is no graphical console yet The AutoUnattended setup also includes setting the IP address, laying out the partitions, and configuring the serial console A second script is then used to make a new ISO with the modifications The user is directed to fetch the UEFI firmware and some other bits Then iohyve is used to create the Windows VM The first boot uses the newly created ISO to install Windows Server 2008 Subsequent boots start Windows directly from the virtual disk Remote Desktop is enabled, so the user can manage the Windows Server graphically, using FreeRDP or a Windows client iohyve can then be used to take snapshots of the machine, and clone it *** BSD Router Project has released 1.58 (http://sourceforge.net/projects/bsdrp/files/BSD_Router_Project/1.58/) The BSD Router project has announced the release of version 1.58 with some notable new features Update to FreeBSD 10.2-RELEASE-p8 Disabled some Chelsio Nic features not used by a router Added new easy installation helper option, use with “system install ” Added the debugging symbols for userland Includes the iperf package, and flashrom package, which allows updating system BIOS on supported boxes IMPORTANT: Corrects an important UFS label bug introduced on 1.57. If you are running 1.57, you will need to fetch their fixlabel.sh script before upgrading to 1.58 *** OPNsense 15.7.22 Released (https://opnsense.org/opnsense-15-7-22-released/) An update to OPNsense has landed this week which includes the important updates to OpenSSL 1.0.2e and LibreSSL 2.2.5 A long-standing annoying bug with filter reload timeouts has finally been identified and sorted out as well, allowing the functionality to run quickly and “glitch free” again. Some newer ports for curl (7.46), squid (3.5.12) and lighttpd (1.4.38) have also been thrown in for good measure Some other minor UI fixes have also been included as well With the holidays coming up, if you are still running a consumer router, this may be a good time to convert over to a OPNsense or PFsense box and get yourself ready for the new year. *** iXsystems iXSystems releases vCenter Web Client Plug-in for TrueNAS (https://www.ixsystems.com/whats-new/2015/12/vcenter-web-client-plug-in-for-truenas-now-available/) Interview - Pawel Jakub Dawidek - pjd@FreeBSD.org (mailto:pjd@FreeBSD.org) News Roundup Developer claims the PS4 has been jail-broken (http://www.networkworld.com/article/3014714/security/developer-claims-ps4-officially-jailbroken.html) While not exactly a well-kept secret, the PS4's proprietary “OrbOS” is FreeBSD based. Using this knowledge and a Kernel exploit, developer CTurt (https://twitter.com/CTurtE/) claims he was able jailbreak a WebKit process and gain access to the system. He has posted a small tease to GitHub, detailing some of the information gleaned from the exploit, such as PID list and root FS dump As such with these kinds of jailbreaks, he already requested that users stop sending him requests about game piracy, but the ability to hack on / run homebrew apps on the PS4 seems intriguing *** Sepherosa Ziehau is looking for testers if you have a em(4), emx(4), or igb(4) Intel device (http://lists.dragonflybsd.org/pipermail/users/2015-December/228461.html) DragonFly Testers wanted! Sephe has posted a request for users of the em(4), emx(4) and igb(4) intel drivers to test his latest branch and report back results He mentions that he has tested the models 82571, 82574 and 82573 (em/emx); 82575, 82576, 82580 and i350 specifically, so if you have something different, I'm sure he would be much appreciative of the help. It looks like the em(4) driver has been updated to 7.5.2, and igb(4) 2.4.3, and adds support for the I219-LM and I219-V NICS. *** OpenBSD Xen Support (https://marc.info/?l=openbsd-tech&m=144933933119525&w=2) Filed under the “Ohh, look what's coming soon” section, it appears that patches are starting to surface for OpenBSD Xen DOMU support. For those who aren't up on their Xen terminology, DomU is the unprivileged domain (I.E. Guest mode) Right now the patch exists at the link above, and adds a new (commented out) device to the GENERIC kernel, but this gives Xen users something new to watch for updates to. *** Thinkpad Backlit Keyboard support being worked on (http://freshbsd.org/commit/openbsd/b355449caa22e7bb6c460f7a647874836ef604f0) Another reason why Lenovo / ThinkPads are some of the best laptops currently to use with BSD, the kettenis over at the OpenBSD project has committed a patch to enable support for the “ThinkLight” For those who don't know, this is the little light that helps illuminate the laptop's keyboard under low-light situations. While the initial patch only supports the “real-deal” ThinkLight, he does mention that support will be added soon for the others on ThinkPads No sysctl's to fiddle with, this works directly with the ACPI / keyboard function keys directly, nice! *** Deadline is approaching for Submissions of Tutorial Proposals for AsiaBSDCon 2016 (https://2016.asiabsdcon.org/cfp.html) Call for Papers for BSDCAN 2016 now open (http://www.bsdcan.org/2016/papers.php) + The next two major BSD conferences both have their CFP up right now. First up is AsiaBSDCon in Tokyo from March 10th-13th, followed by BSDCan in Ottawa, June 8th-11th. + If you are working on anything interesting in the BSD community, this is a good way to get the word out about your project, plus the conference pays for Hotel / Travel. + If you can make it to both, DO SO, you won't regret it. Both Allan and Kris will be attending and we would look forward to meeting you. iohyve lands in ports (https://github.com/pr1ntf/iohyve) (http://www.freshports.org/sysutils/iohyve/) + Something we've mentioned in passing has taken its first steps in becoming reality for users! “iohyve” has now landed in the FreeBSD ports tree + While it shares a similar name to “iocage” its not directly related, different developers and such. However it does share a very similar syntax and some principles of ZFS usage + The current version is 0.7, but it already has a rather large feature set + Among the current features are ISO Management, resource management, snapshot support (via ZFS), and support for OpenBSD, NetBSD and Linux (Using grub-bhyve port) BeastieBits hammer mount is forced noatime by default (http://lists.dragonflybsd.org/pipermail/users/2015-November/228445.html) Show your support for FreeBSD (http://freebsdfoundation.blogspot.com/2015/12/show-your-support-for-freebsd.html) OpenBSD running in an Amazon EC2 t2.micro (https://gist.github.com/reyk/e23fde95354d4bc35a40) NetBSD's 2015Q4 Package freeze is coming (http://mail-index.netbsd.org/tech-pkg/2015/12/05/msg016059.html) ‘Screenshots from Developers' that we covered previously from 2002, updated for 2015 (https://anders.unix.se/2015/12/10/screenshots-from-developers--2002-vs.-2015/) Feedback/Questions (slexy was down when I made these, I only did 3, since the last is really long, save rest for next week) Mark - BSD laptops (http://pastebin.com/g0DnFG95) Jamie - zxfer (http://pastebin.com/BNCmDgTe) Anonymous - Long Story (http://pastebin.com/iw0dXZ9P) ***

This week on BSDNow - It's getting close to christmas and the This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** Headlines n2k15 hackathon reports (http://undeadly.org/cgi?action=article&sid=20151208172029) tedu@ worked on rebound, malloc hardening, removing legacy code “I don't usually get too involved with the network stack, but sometimes you find yourself at a network hackathon and have to go with the flow. With many developers working in the same area, it can be hard to find an appropriate project, but fortunately there are a few dusty corners in networking land that can be swept up without too much disturbance to others.” “IPv6 is the future of networking. IPv6 has also been the future of networking for 20 years. As a result, a number of features have been proposed, implemented, then obsoleted, but the corresponding code never quite gets deleted. The IPsec stack has followed a somewhat similar trajectory” “I read through various networking headers in search of features that would normally be exposed to userland, but were instead guarded by ifdef _KERNEL. This identified a number of options for setsockopt() that had been officially retired from the API, but the kernel code retained to provide ABI compatibility during a transition period. That transition occurred more than a decade ago. Binary programs from that era no longer run for many other reasons, and so we can delete support. It's only a small improvement, but it gradually reduces the amount of code that needs to be reviewed when making larger more important changes” Ifconfig txpower got similar treatment, as no modern WiFi driver supports it Support for Ethernet Trailers, RFC 893 (https://tools.ietf.org/html/rfc893), enabled zero copy networking on a VAX with 512 byte hardware pages, the feature was removed even before OpenBSD was founded, but the ifconfig option was still in place Alexandr Nedvedicky (sashan@) worked on MP-Safe PF (http://undeadly.org/cgi?action=article&sid=20151207143819) “I'd like to thank Reyk for hackroom and showing us a Christmas market. It was also my pleasure to meet Mr. Henning in person. Speaking of Henning, let's switch to PF hacking.” “mpi@ came with patch (sent to priv. list only currently), which adds a new lock for PF. It's called PF big lock. The big PF lock essentially establishes a safe playground for PF hackers. The lock currently covers all pftest() function. The pftest() function parts will be gradually unlocked as the work will progress. To make PF big lock safe few more details must be sorted out. The first of them is to avoid recursive calls to pftest(). The pftest() could get entered recursively, when packet hits block rule with return-* action. This is no longer the case as ipsend() functions got introduced (committed change has been discussed privately). Packets sent on behalf of kernel are dispatched using softnet task queue now. We still have to sort out pfroute() functions. The other thing we need to sort out with respect to PF big lock is reference counting for statekey, which gets attached to mbuf. Patch has been sent to hackers, waiting for OK too. The plan is to commit reference counting sometimes next year after CVS will be unlocked. There is one more patch at tech@ waiting for OK. It brings OpenBSD and Solaris PF closer to each other by one tiny little step.” *** ACM Queue: Challenges of Memory Management on Modern NUMA System (http://queue.acm.org/detail.cfm?id=2852078) “Modern server-class systems are typically built as several multicore chips put together in a single system. Each chip has a local DRAM (dynamic random-access memory) module; together they are referred to as a node. Nodes are connected via a high-speed interconnect, and the system is fully coherent. This means that, transparently to the programmer, a core can issue requests to its node's local memory as well as to the memories of other nodes. The key distinction is that remote requests will take longer, because they are subject to longer wire delays and may have to jump several hops as they traverse the interconnect. The latency of memory-access times is hence non-uniform, because it depends on where the request originates and where it is destined to go. Such systems are referred to as NUMA (non-uniform memory access).” So, depending what core a program is running on, it will have different throughput and latency to specific banks of memory. Therefore, it is usually optimal to try to allocate memory from the bank of ram connected to the CPU that the program is running on, and to keep that program running on that same CPU, rather than moving it around There are a number of different NUMA strategies, including: Fixed, memory is always allocated from a specific bank of memory First Touch, which means that memory is allocated from the bank connected to the CPU that the application is running on when it requests the memory, which can increase performance if the application remains on that same CPU, and the load is balanced optimally Round Robin or Interleave, where memory is allocated evenly, each allocation coming from the next bank of memory so that all banks are used. This method can provide more uniform performance, because it ensures that all memory accesses have the same change to be local vs remote. If even performance is required, this method can be better than something more focused on locality, but that might fail and result in remote access AutoNUMA, A kernel task routinely iterates through the allocated memory of each process and tallies the number of memory pages on each node for that process. It also clears the present bit on the pages, which will force the CPU to stop and enter the page-fault handler when the page is next accessed. In the page-fault handler it records which node and thread is trying to access the page before setting the present bit and allowing execution to continue. Pages that are accessed from remote nodes are put into a queue to be migrated to that node. After a page has already been migrated once, though, future migrations require two recorded accesses from a remote node, which is designed to prevent excessive migrations (known as page bouncing). The paper also introduces a new strategy: Carrefour is a memory-placement algorithm for NUMA systems that focuses on traffic management: placing memory so as to minimize congestion on interconnect links or memory controllers. Trying to strike a balance between locality, and ensuring that the interconnect between a specific pair of CPUs does not become congested, which can make remote accesses even slower Carrefour uses three primary techniques: Memory collocation, Moving memory to a different node so that accesses will likely be local. Replication, Copying memory to several nodes so that threads from each node can access it locally (useful for read-only and read-mostly data). Interleaving, Moving memory such that it is distributed evenly among all nodes. FreeBSD is slowly gaining NUMA capabilities, and currently supports: fixed, round-robin, first-touch. Additionally, it also supports fixed-rr, and first-touch-rr, where if the memory allocation fails, because the fixed domain or first-touch domain is full, it falls back to round-robin. For more information, see numa(4) and numa_setaffinity(2) on 11-CURRENT *** Is that Linux? No it is PC-BSD (http://fossforce.com/2015/12/linux-no-pc-bsd/) Larry Cafiero continues to make some news about his switch to PC-BSD from Linux. This time in an blog post titled “Is that Linux? No, its PC-BSD” he describes an experience out and about where he was asked what is running on his laptop, and was unable for the first time in 9 years to answer, it's Linux. The blog then goes on to mention his experience up to now running PC-BSD, how the learning curve was fairly easy coming from a Linux background. He mentions that he has noticed an uptick in performance on the system, no specific benchmarks but this “Linux was fast enough on this machine. But in street racing parlance, with PC-BSD I'm burning rubber in all four gears.” The only major nits he mentions is having trouble getting a font to switch in FireFox, and not knowing how to enable GRUB quiet mode. (I'll have to add a knob back for that) *** Dual booting OS X and OpenBSD with full disk encryption (https://gist.github.com/jcs/5573685) New GPT and UEFI support allow OpenBSD to co-exist with Mac OS X without the need for Boot Camp Assistant or Hybrid MBRs This tutorial walks the read through the steps of installing OpenBSD side-by-side with Mac OS X First the HFS+ partition is shrunk to make room for a new OpenBSD partition Then the OpenBSD installer is run, and the available free space is setup as an encrypted softraid The OpenBSD installer will add itself to the EFI partition Rename the boot loader installed by OpenBSD and replace it with rEFInd, so you will get a boot menu allowing you to select between OpenBSD and OS X *** Interview - Paul Goyette - pgoyette@netbsd.org (mailto:pgoyette@netbsd.org) NetBSD Testing and Modularity *** iXsystems iXsystems Wins Press and Industry Analyst Accolades in Best in Biz Awards 2015 (http://www.virtual-strategy.com/2015/12/08/ixsystems-wins-press-and-industry-analyst-accolades-best-biz-awards-2015) *** News Roundup HOWTO: L2TP/IPSec with OpenBSD (https://www.geeklan.co.uk/?p=2019) *BSD contributor Sevan Janiyan provides an update on setting up a road-warrior VPN This first article walks through setting up the OpenBSD server side, and followup articles will cover configuring various client systems to connect to it The previous tutorial on this configuration is from 2012, and things have improved greatly since then, and is much easier to set up now The tutorial includes PF rules, npppd configuration, and how to enable isakmpd and ipsec L2TP/IPSec is chosen because most operating systems, including Windows, OS X, iOS, and Android, include a native L2TP client, rather than requiring some additional software to be installed *** DragonFly 4.4 Released (http://www.dragonflybsd.org/release44/) DragonFly BSD has made its 4.4 release official this week! A lot of big changes, but some of the highlights Radeon / i915 DRM support for up to Linux Kernel 3.18 Proper collation support for named locales, shared back to FreeBSD 11-CURRENT Regex Support using TRE “As a consequence of the locale upgrades, the original regex library had to be forced into POSIX (single-byte) mode always. The support for multi-byte characters just wasn't there. ” …. “TRE is faster, more capable, and supports multibyte characters, so it's a nice addition to this release.” Other noteworthy, iwm(4) driver, CPU power-saving improvements, import ipfw from FreeBSD (named ipfw3) An interesting tidbit is switching to the Gold linker (http://bsd.slashdot.org/story/15/12/04/2351241/dragonflybsd-44-switches-to-the-gold-linker-by-default) *** Guide to install Ajenti on Nginx with SSL on FreeBSD 10.2 (http://linoxide.com/linux-how-to/install-ajenti-nginx-ssl-freebsd-10-2/) Looking for a webmin-like interface to control your FreeBSD box? Enter Ajenti, and today we have a walkthrough posted on how to get it setup on a FreeBSD 10.2 system. The walkthrough is mostly straightforward, you'll need a FreeBSD box with root, and will need to install several packages / ports initially. Because there is no native package (yet), it guides you through using python's PIP installer to fetch and get Ajenti running. The author links to some pre-built rc.d scripts and other helpful config files on GitHub, which will further assist in the process of making it run on FreeBSD. Ajenti by itself may not be the best to serve publically, so it also provides instructions on how to protect the connection by serving it through nginx / SSL, a must-have if you plan on using this over unsecure networks. *** BSDCan 2016 CFP is up! (http://www.bsdcan.org/2016/papers.php) BSDCan is the biggest North American BSD conference, and my personal favourite The call for papers is now out, and I would like to see more first-time submitters this year If you do anything interesting with or on a BSD, please write a proposal Are the machines you run BSD on bigger or smaller than what most people have? Tell us about it Are you running a big farm that does something interesting? Is your university research using BSD? Do you have an idea for a great new subsystem or utility? Have you suffered through some horrible ordeal? Make sure the rest of us know the best way out when it happens to us. Did you build a radar that runs NetBSD? A telescope controlled by FreeBSD? Have you run an ISP at the north pole using Jails? Do you run a usergroup and have tips to share? Have you combined the features and tools of a BSD in a new and interesting way? Don't have a talk to give? Teach a tutorial! The conference will arrange your air travel and hotel, and you'll get to spend a few great days with the best community on earth Michael W. Lucas's post about the 2015 proposals and rejections (http://blather.michaelwlucas.com/archives/2325) *** Beastie Bits OpenBSD's lightweight web server now in FreeBSD's ports tree (http://www.freshports.org/www/obhttpd/) Stephen Bourne's NYCBUG talk is online (https://www.youtube.com/watch?v=FI_bZhV7wpI) Looking for owner to FreeBSDWiki (http://freebsdwiki.net/index.php/Main_Page) HOWTO: OpenBSD Mail Server (http://frozen-geek.net/openbsd-email-server-1/) A new magic getopt library (http://www.daemonology.net/blog/2015-12-06-magic-getopt.html) PXE boot OpenBSD from OpenWRT (http://uggedal.com/journal/pxe-boot-openbsd-from-openwrt/) Supporting the OpenBSD project (http://permalink.gmane.org/gmane.os.openbsd.misc/227054) Feedback/Questions Zachary - FreeBSD Jails (http://slexy.org/view/s20pbRLRRz) Robert - Iocage help! (http://slexy.org/view/s2jGy34fy2) Kjell - Server Management (http://slexy.org/view/s20Ht8JfpL) Brian - NAS Setup (http://slexy.org/view/s2GYtvd7hU) Mike - Radius Followup (http://slexy.org/view/s21EVs6aUg) Laszlo - Best Stocking Ever (http://slexy.org/view/s205zZiJCv) ***

Coming up on BSDNow - We know init systems have been all the rage This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** Headlines Interview with Renato Westphal (http://undeadly.org/cgi?action=article&sid=20151123113224&mode=expanded) An interview with Brazilian OpenBSD developer Renato Westphal He describes how he first got into OpenBSD, working on a University-Industry partnership program and looking to deploy LDP (Label Distribution Protocol) for MPLS. He ported OpenBSDs ldpd(8) to Linux, but then contributed his bug fixes and improvements back to OpenBSD When asked if he was motivated to replace closed-source router implementations with OpenBSD: “Well, I don't administer any network, I work full time as a programmer. I have some friends however that succeeded replacing closed vendor solutions with OpenBSD boxes and that for sure motivates me to keep doing what I'm doing. My biggest motivation, however, is the challenge of resolving complex problems writing trivially simple code that is both secure and efficient.” They also go on to discuss some of the interesting features of EIGRP, and developing eigrpd(8) What do you think is missing from routing in OpenBSD: “Implementing new features and protocols while they are in their draft stage in IETF. I'd like to see OpenBSD as the reference platform for the development of new routing and networking technologies in general” *** Let's Encrypt on a FreeBSD NGINX reverse proxy (http://savagedlight.me/2015/11/24/lets-encrypt-on-a-freebsd-nginx-reverse-proxy/) We have a neat guide/story today on how to setup the “Let's Encrypt” certificates on a FreeBSD / nginx reverse proxy Backstory: For those who don't know, “Let's Encrypt” (https://letsencrypt.org) is a new Certificate Authority, which will allow you to create free and automated certificates. They have been in closed beta for several months now, and will be opening to a public beta Dec 3rd (tomorrow) This guide is particularly timely, since by the time most of you are watching this episode, the public beta will be up and running. Most of the instructions are fairly straight-forward. She starts by installing the lets-encrypt package from ports/pkg and modifying her nginx with a ‘catch-all' vhost that re-directs traffic to the https versions of a site. With that done, the certificate creation is just a few commands to get started, in which she shows creating a cert for multiple domains As a bonus! She includes a nice renewal script which can be run from cron. It will monitor the certs daily, and renew it when it's 14 days from expiring, or throw an error for somebody to look at. *** Mike Larkins OpenBSD vmm subsystem now in tree (http://marc.info/?l=openbsd-tech&m=144822644214614&w=2) An openBSD native hypervisor has taken another step closer to reality, with Mike Larkin pushing the initial bits of “vmm” into the base kernel/world He mentions in the commit message that it still needs a lot of work, and as such is disabled by default. However for the adventurous among you, it can be turned on and tested Right now there is no BIOS, and as such it can only be used to boot other OpenBSD instances, although he mentions other BSD's could be supported fairly quickly (He did a 1 hour port to bootstrap NetBSD) No big documentation expected for this release, since there is so much ongoing churn. Take a look at the man page for details on getting started. *** The story of how Yahoo switched to FreeBSD (http://zer0.org/daemons/yahoobsd.html) Yahoo originally started running on SunOS, but quickly found it not able to cope with the high frequency of HTTP requests “Having spend many frustrating hours trying to install other PC OS's, I was a bit skeptical. I had no intention of spending three days trying to install yet another one. To my surprise I went to the FreeBSD Web site, downloaded the floppy boot image, booted a PC with the created floppy, answered a few install questions, and a few minutes later FreeBSD was installing over the Net. The real surprise was when I came back later to a fully configured system that actually worked.” “If anything had gone wrong with that install it would likely been the end of that trial. Luckily for us that it was the easiest and most painless OS installs I had ever experienced.” Just that easily, Yahoo might never have ended up on FreeBSD “A couple of days later we added a FreeBSD box to our cluster of Web servers. Not only did it out-perform the rest of our machines, but it was more stable.” From my understanding of stories told over dinner, Yahoo had a few very important perl scripts, and they tended to crash on Linux, but kept running without issue on FreeBSD Related hackernews thread (https://news.ycombinator.com/item?id=10558288) *** iXsystems iXsystem's recap of LISA 2015 (https://www.ixsystems.com/whats-new/lisa-2015/) *** Interview - Mark Heily - mark@heily.com (mailto:mark@heily.com) / @MarkHeily (https://twitter.com/MarkHeily) relaunchd (https://github.com/mheily/relaunchd) *** News Roundup Inline Intrusion Prevision System is an upcoming OPNSense Feature (https://opnsense.org/inline-intrusion-prevention/) The next OPNSense release, 16.1 is around the corner and today we have a sneak peek at their new Inline Intrusion Prevention system Suricata working with Netmap 2.1 enabled version, which allows Deep Packet Inspection of traffic. Such as looking at each packet individually and only blocking specific ones. They use the example of blocking Warcraft (oh noes!) Enabling this feature is just a simple mouse-click away, and various default rules are included as part of the Emerging Threats Community rules. *** Matthew Dillion working on Hardlinks in Hammer2 (http://lists.dragonflybsd.org/pipermail/commits/2015-November/458763.html) We have an interesting commit from Matthew Dillon for Hammer2, specifically targeted at hard-links The backstory he gives us: “The H2 design has had a long-standing problem of losing track of hardlinks when intermediate directories are renamed, breaking the common-parent-directory design for the inode target.” The implemented fix was one which instead places the hardlink target in the first common parent directory, which is marked with “xlink” via chflag If no parent directory is marked “xlink”, it will fall-through instead to the root of the mount They also modified their installworld to set “/” /usr/,/var/,/home/ as “xlink” flagged This prevents moving hard-links across these directories, but is similar to dealing with multiple partitions / datasets already. *** Japan's NetBSD User Group showed off some NetBSD machines at the 2015 Tokushima Open Source Conference (http://lists.nycbug.org/pipermail/talk/2015-November/016403.html) It's been a little while since we've shown off a bunch of odd devices running NetBSD, but we have an update from the 2015 Tokushima Open Source Conference. This time around, we have pictures of the booth, as well as a variety of oddities such as: ODroid-C1 / Sharp X68030 Sharp NetWalker Sharp WZero3 (Cell phone) Give them a look, this time around they have nice cards pictured which details the hardware being used (in english none the less!) *** One of the three OpenBSD users Blog Post by Adam Wolk (http://blog.tintagel.pl/2015/11/22/one-of-the-three-openbsd-users.html) An OpenBSD user comments on a recent interaction with the syncthing project (a dropbox like alternative) The application has an auto-update feature (which doesn't mix well with package systems in the first place), but it doesn't work on OpenBSD because there is no /proc/curproc/file to determine the filename of the executable. This is a trivially easy task, but when the bug was reported, syncthings response was “Maybe one of the three (https://data.syncthing.net/#metrics) OpenBSD users feel strongly enough about this to propose a patch. :D” Part of the issue is that many users (especially the type that would run OpenBSD) opt out of reporting metrics, so OpenBSD is under-represented in the metrics the project developers are basing their decisions on Maybe someone can post a patch to solve the problem. While FreeBSD can provide a linux procfs, it would be better to use a more portable way to get the location of the process binary *** BeastieBits DragonFly BSD 4.4 RC branch created (http://lists.dragonflybsd.org/pipermail/commits/2015-November/458818.html) HOWTO: NFS booting bhyve (http://oshogbo.vexillium.org/blog/39/) DragonFly BSD is looking for a 4.4 RC image by the end of November (http://lists.dragonflybsd.org/pipermail/kernel/2015-November/175040.html) Support for Atheros QCA953x "Honeybee" has been added to FreeBSD (https://svnweb.freebsd.org/base?view=revision&revision=290910) Top updated in DragonflyBSD to allow the 'c' command (http://lists.dragonflybsd.org/pipermail/commits/2015-November/458692.html) FreeBSD textbook makes appearance on the 6pm news in the Netherlands 12:49 (http://www.npo.nl/nos-journaal/30-11-2015/POW_00941854) SemiBug gives a recap of its Inaugural meeting and its plans for future meetups (http://blather.michaelwlucas.com/archives/2495) *** Feedback/Questions Adam - GELI on USB (http://slexy.org/view/s204HRCPdR) Noble - Radius on FreeBSD (http://slexy.org/view/s21q2WWisr) Jim - Backporting Wifi Code (http://slexy.org/view/s21L59OGyF) Mohammad - Zombies! (http://slexy.org/view/s20nWwzTGS) Miguel - ScaleEngine BTS (http://slexy.org/view/s201Kpd4GX) ***

This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** Headlines Why did I choose the DragonFlyBSD Operating System by Siju George (http://bsdmag.org/siju_george/) We have a new article this week by Siju George posted over at BSDMag, talking about his reasons for using DragonFlyBSD in production. He ran through periods of using both Free/OpenBSD, but different reasons led him away from each. Specifically problems doing port upgrades on FreeBSD, and the time required to do fsck / raid parity checks on OpenBSD. During his research, he had heard about the HAMMER file-system, but didn't know of anybody running it in production. After some mailing list conversions, and pointers from Matthew Dillon, he took the plunge and switched. Now he has fallen in love with the operating system, some of the key strengths he notes at: Rolling-Release model, which can be upgraded every few weeks or whenever he has the time No time-consuming fsck after a unclean shutdown No RAID parity checks while still having redundancy Able to add volumes to HAMMER on the fly He also mentions looking forward to HAMMER2, and its potential for easy clustering support, along with eventual CARP implementation so he can run two systems on the same IP. *** The Devil & BSD - Larry Cafiero (http://fossforce.com/2015/11/devil-bsd-leaving-linux-behind/) A story that has been making the rounds on social media is by Larry Cafiero, on his reasons for deciding to switch from Linux over to the BSD side of things. While most of the reasons are over the conflicts surrounding behavior by Linux leaders towards those in the community, he does mention that he has converted his main workstation over to PC-BSD. According to Larry, “With a couple of hours of adding backup files and tweaking (augmented by a variety of “oh, look” moments which could easily make me the ADHD Foundation Poster Boy), it looks exactly like my personally modified Korora 22 Xfce which graced the machine earlier. “ He also gave a great compliment to the quality of the docs / applications in PC-BSD: “In addition, you have to like a operating system which gives you a book — in this case, the PC-BSD Handbook — which should be the gold standard of documentation. It's enviable, as in, “man, I wish I had written that.” Also programs like AppCafe provide a plethora of FOSS software, so there's no shortage of programs. Side by side, there's nothing on the Linux side of things that is lacking on the BSD side of things.” Regardless the initial reason for the switch, we are glad to have him and any other switchers join us on the BSD side of FOSS. *** New resource for BSD-schoolin' (http://teachbsd.org/) “The initial repository (https://github.com/teachbsd/course) contains all of the material for the practitioner and masters style courses as well as a PDF for the teaching guide. All of the material is licensed under a BSD doc team license, also visible in the repo and on the github site.” “we expect all other work, including the extension of the practitioner course to 5 days, and the adaptation of the graduate course to undergraduates will be in the github repo” “Our goal now is to recruit a small number of universities to partner with us to teach this material. We will keep you posted on our progress.” We are working on getting an interview lined up to talk more about this project If I somehow find the time, I am try to contribute towards a sysadmin course similar to what I used to teach at an Arts&Tech College here in Canada *** A Few thoughts on OpenBSD 5.8 (http://lippard.blogspot.co.uk/2015/11/a-few-thoughts-on-openbsd-58.html) A user details their thoughts, reactions, and concerns after upgrading to OpenBSD 5.8 Among the changes: sudo was removed and replaced as doas. The user decided to make the switch, but ran into a bug with line continuation ( to escape newline to continue a long line) The removal of TCP Wrappers support from ssh - this caused a number of rules in hosts.allow to no longer be respected. The FreeBSD port of openssh-portable has a patch to readd TCP wrappers because many people find it useful, including myself, when the ssh is in a jail and cannot run a firewall The removal of the pfrules= rc.conf variable. “I used to just put the default pf.conf rules file in place with each release and upgrade, and keep my changes in a pf.conf.local file that was specified in the pfrules variable. The effect was that from the period after the upgrade until I noticed the change, my systems were using the default rules and thus more exposed than they were supposed to be” This is what is often called a “POLA Violation”, Policy of Least Astonishment. When deciding what the system should do after some change or new feature is introduced, it should be the thing that will be the least “surprising” to the user. Having your firewall rules suddenly not apply, is surprising. “A minor annoying change that was made in 5.8 was putting the file /var/unbound/db/root.key into /etc/changelist, so that the file gets checked daily by the security script. The issue with this is that if you are actually using unbound with DNSSEC, this file changes daily, though only in the comments” It is very helpful to see a list of feedback like this after a release, so that the next release can be better I would be interested in seeing similar feedback for the other BSDs *** Interview - Bryan Cantrill - @bcantrill (https://twitter.com/bcantrill) Linux Interface Rants News Roundup FreeBSD AMI building AMI - Colin's Corner (http://www.daemonology.net/blog/2015-11-21-FreeBSD-AMI-builder-AMI.html) Colin Percival (Of TarSnap Fame) has brought us a new article this week on how to create your own custom EC2 AMI builds. This new tool and instructions allows the creation of AMI files, without needing to go through the hassle of doing a fresh FreeBSD release build each time. Essentially it works similar to Colin's previous “de-penguinator” utility, by running a FreeBSD in a memory instance, allowing the disk to be unmounted and prepped for becoming an AMI. The hope is that this new work allows easier creation of a new variety of “customized” FreeBSD instances, for end users to download and deploy at will. *** Peter Hessler on OpenBSD / OpenBGPd (https://ripe71.ripe.net/archives/video/1200/) Last week a new video landed of Peter Hessler giving us a status update on OpenBSD tech, and OpenBGPd specifically Of interest, he notes that LibreSSL is being used in iOS / OSX, and of course PF is used all over, Apple, BSD, Solaris and even a Windows port! OpenNTPD gets a mention as well, still ZERO CVEs for the lifetime of the project On the OpenBGPd side, it is considered production ready, so no reason to hold back deployment Very “feature-complete”, able to handle Edge Router, Route server, Multi-RIB. Slew of optional features like route reflector, looking glass, mrt dumps, mpls / mpls vpn. Bugs fixed, crashers, memory constraints and performance has been improved Filtering Performance, in example provided, importing 561K rules / 60K prefixes, went from 35 minutes down to 30 seconds. *** Onion Omega Updates (https://github.com/freebsd/freebsd-wifi-build/wiki/Onion-Omega) I have a newer kernel config that will be committed soon that hooks up the system LED, and the three LEDs on the expansion dock via /dev/led I also have the I2C interface working to talk to the Relay and Servo expansions I have not determined the exact protocol for the Servo expansions, but the relay expansion is fairly simple to operate Instructions have been added to the wiki I have managed to use the GPIO to toggle external LEDs and to read the value from a switch I have also used the Servo PWM controller to dim an LED and control the speed of a PWM computer case fan My plan is to operate a 32x32 multi colour LED matrix from the device for an interactive christmas display *** FreeBSD Mastery: ZFS Book review (http://www.cyberciti.biz/datacenter/book-review-freebsd-mastery-zfs/) Book can be purchased here (http://smile.amazon.com/FreeBSD-Mastery-ZFS-7/dp/0692452354/) or from the list of vendors including directly from the author here (http://www.zfsbook.com/) *** Beastie Bits Computer History Museum is looking for Bell Labs UNIX (http://www.computerhistory.org/artifactdonation/) ACM Queue Portrait: Robert Watson (https://youtu.be/rA_5Cz99z28) Video Collection about BSD History, put together by FreeBSDNews (https://www.freebsdnews.com/2015/11/12/bsd-videos/) Minix announces its 2016 conference (http://www.minix3.org/conference/2016/) Chris Henschen from fP Technologies' talk about BSD is now online (http://bsdtalk.blogspot.com/2015/10/bsdtalk258-chris-henschen-from-fp.html) Mike Larkin and Theo de Raadt's talks from Hackfest this year in Quebec are online (http://undeadly.org/cgi?action=article&sid=20151123161651&mode=expanded) FreeBSD on a BeagleBoneBlack with a Touchscreen Display (http://kernelnomicon.org/?p=534) Dan Langille will be talking at CINLUG (http://www.cinlug.org/meetings/2015/December) Feedback/Questions John - Rpi2 and BSD (http://slexy.org/view/s2Gm06eC0Y) Roger - Win10 + FreeBSD (http://slexy.org/view/s2Kf2FG84H) Anonymous - Sharing Socket (http://slexy.org/view/s21bOG5UhS) Brad - Scrub Repaired (http://slexy.org/view/s20bKjCNXW) Kelly - Automated Provisioning (http://slexy.org/view/s2qb07BC2G) ***

This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! Headlines How to create new binary packages in the Ports system on OpenBSD (http://functionallyparanoid.com/2015/11/06/where-do-binary-packages-come-from/) Creating a port is often a great first step you can take to get involved in your favorite BSD of choice, and (often) doesn't require any actual programming to do so. In this article we have a great walkthrough for users on creating a new ported application, and eventually binary package, on OpenBSD As mentioned in the tutorial, a good starting place is always an existing port, which can you use as a template for your new creation. Tip: Try to pick something similar, I.E. python for a python app, Qt for Qt, etc. This tutorial will first walk you through the process of creating your Makefile and related description about the new port. Once you've created the initial Makefile, there are a bunch of new “make” targets you can begin to run to try building your port, everything from “make fetch” to “make makesum” and “make package”. Using these tests you can verify that your port is correct and results in the installable package/app you wanted. *** Status update on pledge(2) (http://undeadly.org/cgi?action=article&sid=20151116152318) OpenBSD has been working very aggressively to convert much of their base system applications to using pledge(2) “Formerly Tame(2)) Theo has provided a great status update on where that stands as of right now and the numbers look like the following: Out of 600 ELF binaries, 368 of them have been updated to utilize pledge(2) in some manner This is quite a few, and includes everything from openssl, ping, sftp, grep, gzip and much more There are still a number of “pledge-able” commands waiting for conversion, such as login, sysctl, nfsd, ssh and others. He also mentions that there does exist some subset of commands which aren't viable pledge(2) candidates, such as simple things like “true”, or commands like reboot/mount or even perl itself. *** FreeBSD booting on the Onion Omega (https://onion.io/omega/) Tiny $19 MIPS SoC ($25 with dock that provides built in mini-USB Serial interface, power supply, LED lights, GPIO expansion, USB port, etc) A number of pluggable ‘expansions' are available, including: Arduino Dock (connect the Omega device to your existing Arduino components) Blue Tooth Lower Energy 10/100 Ethernet Port Relay expansion (2 relays each, can stack up to 8 expansions to control 16 relays) Servo expansion (control up to 16 PWM servos, like robotic arms or camera mounts) OLED expansion (1" monochrome 128x64 OLED display) Thermal Printer Kit (includes all wiring and other components) The device is the product of a successful Kick Starter campaign (https://www.kickstarter.com/projects/onion/onion-omega-invention-platform-for-the-internet-of/description) from March of this year Specs: Atheros AR9330 rev1 400MHZ MIPS 24K 64MB DDR2 400MHz 16MB Flash 802.11b/g/n 150Mbps Atheros Wifi + 100mbps Atheros Wired Ethernet 18 GPIO Pins USB Controller Using the freebsd-wifi-build (https://github.com/freebsd/freebsd-wifi-build/wiki) tool, I was able to build a new firmware for the device based on a profile for a similar device based on the same Atheros chip. I hope to have time to validate some of the settings and get them posted up into the wiki and get the kernel configuration committed to FreeBSD in the next week or two It is an interesting device compared to the TP-Link WDR3600's we did at BSDCan, as it has twice as much flash, leaving more room for the system image, but only half as much ram, and a slower CPU *** SSH Performance testing (https://wiki.freebsd.org/SSHPerf) There has been a discussion (https://lists.freebsd.org/pipermail/freebsd-current/2015-November/058244.html) about the value of upkeeping the HPN (High Performance Networking) patch to OpenSSH in the base system of FreeBSD As part of this, I did some fresh benchmarks on my pair of new high end servers The remaining part to be done is testing different levels of latency By tweaking the socket buffer sizes, I was able to saturate the full 10 gigabit with netcat, iperf, etc From the tests that have been done so far, it doesn't look like even the NONE cipher can reach that level of performance because of the MAC (Message Authentication Code) It does appear that some of the auto-tuning in HPN is not worked as expected Explicitly setting -oTcpRcvBuf=7168 (KB) is enough to saturate a gigabit with 50ms RTT (round trip time) *** iXsystems iX gives an overview of FreeBSD at SeaGl 2015 (https://www.ixsystems.com/whats-new/seagl-2015/) On the FreeNAS Blog, Michael Dexter explains the ZFS Intent Log and SLOG (http://www.freenas.org/whats-new/2015/11/zfs-zil-and-slog-demystified.html) Interview - George Wilson - wilzun@gmail.com (mailto:wilzun@gmail.com) / @zfsdude (https://twitter.com/zfsdude) OpenZFS and Delphix *** News Roundup Nicholas Marriott has replaced the aging version of less(1) in OpenBSD (http://undeadly.org/cgi?action=article&sid=20151105223808) Sometimes less isn't more, it's just less In this story, we have news that the old version of less(1) in OpenBSD has now been ripped out in favor of the more modern fork from illumos founder Garrett D'Amore. In addition to being a “more” modern version, it also includes far “less” of the portability code, uses terminfo, replacing termcap and is more POSIX compliant. *** FreeBSD gets initial support for advanced SMR drives (https://lists.freebsd.org/pipermail/freebsd-current/2015-November/058522.html) Kenneth D. Merry ken@freebsd.org has developed initial support for Host Managed, and Host Aware Shingled Magnetic Recording drives in FreeBSD, available as a patch against both -current and 10-stable “This includes support for Host Managed, Host Aware and Drive Managed SMRdrives that are either SCSI (ZBC) or ATA (ZAC) attached via a SAScontroller. This does not include support for SMR ATA drives attached viaan ATA controller. Also, I have not yet figured out how to properly detecta Host Managed ATA drive, so this code won't do that.” SMR drives have overlapping tracks, because the read head can be much smaller than the write head The drawback to this approach is that writes to the disk must take place in 256 MB “zones” that must be written from the beginning New features in the patch: A new 'camcontrol zone' command that allows displaying and managing drive zones via SCSI/ATA passthrough. A new zonectl(8) utility that uses the new DIOCZONECMD ioctl to display and manage zones via the da(4) (and later ada(4)) driver. Changes to diskinfo -v to display the zone mode of a drive. A new disk zone API, sys/sys/disk_zone.h. A new bio type, BIO_ZONE, and modifications to GEOM to support it. This new bio will allow filesystems to query zone support in a drive and manage zoned drives. Extensive modifications to the da(4) driver to handle probing SCSI and SATA behind SAS SMR drives. Additional CAM CDB building functions for zone commands. “We (Spectra Logic) are working on ZFS changes that will use this CAM and GEOM infrastructure to make ZFS play well with SMR drives. Those changes aren't yet done.” It is good to see active development in this area, especially from experts in archival storage A second patch (https://lists.freebsd.org/pipermail/freebsd-current/2015-November/058521.html) is also offered, that improves the pass(4) passthrough interface for disks, and introduces a new camdd(8) command, a version of dd that uses the pass(4) interface, kqueue, and separate reader/writer threads for improved performance He also presents a feature wishlist that includes some interesting benchmarking features, including a ‘sink' mode, where reads from the device are just thrown away, rather than having to write then to /dev/null *** Initial implemtnation of 802.11n now in iwm(4) (http://undeadly.org/cgi?action=article&sid=20151112212739) OpenBSD laptop users rejoice! 802.11n has landed! Initially only for the iwm(4) driver, support is planned for other devices in the future Includes support for all the required (non-optional) bits to make 802.11N functional Adds a new 11n mode to ifmedia, and MCS (modulation coding scheme) that sits alongside the ieee80211_rateset structure. No support for MIMO / SGI (Short Guard Interval) or 40 MHz wide-channels, but perhaps we will see those in a future update. They are asking users for testing against a wide variety of any/all APs! *** Freebsd adds support for Bluetooth LE Security Management (https://svnweb.freebsd.org/base?view=revision&revision=290038) FreeBSD + BlueTooth, not something we discuss a lot about, but it is still under active development. The most recently added features come from Takanori Watanabe, and adds new LE Security Management. Specifically, it enables support for BLE Security Manager Protocol(SMP), and enables a userland tool to wait for the underlying HCI connection to be encrypted. *** Building OpnSense on HardenedBSD (http://0xfeedface.org/2015/11/07/hbsd-opnsense.html) Looking for a way to further Harden your router? We have a tutorial from the HardenedBSD developer, Shawn Webb, about how to build OpnSense on HBSD 10-STABLE. You'll need to first be running HBSD 10-STABLE somewhere, in this article he is using bhyve for the builder VM. The build process itself is mostly pretty straight-forward, but there are a number of different repos that all have to be checked out, so pay attention to which goes where. +In this example he does a targeted build for a Netgate RCC-VE-4860, but you can pick your particular build. *** Beastie Bits 1 BTC bounty for chromium bug! (https://github.com/gliaskos/freebsd-chromium/issues/40) DesktopBSD 2.0 M1 released (http://www.desktopbsd.net/forums/threads/desktopbsd-2-0-m1-released.806/) By implementing asynchronous pru_attach for UDP, Sepherosa Ziehau has increased connect rate by around 15K connections per second (http://lists.dragonflybsd.org/pipermail/commits/2015-October/458500.html) Stephen Bourne, known for the Bourne Shell, will be giving a talk at NYCBUG this week (http://lists.nycbug.org/pipermail/talk/2015-October/016384.html) Tor Browser 5.0.3 for OpenBSD released (http://lists.nycbug.org/pipermail/talk/2015-October/016390.html) The Tor BSD Diversity Project (https://torbsd.github.io/) aim to Increase the number of Tor relays running BSDs. We envision this happening by increasing the total number of relays, with the addition of more BSD users running relays; Make the Tor Browser available under BSD operating systems using native packaging mechanisms. Our first target is OpenBSD; Engage the broader BSD community about the Tor anonymity network and the place that BSD Unix should occupy in the privacy community at large. Screenshots from Unix People circa 2002 (https://anders.unix.se/2015/10/28/screenshots-from-developers--unix-people-2002/) Feedback/Questions Dominik - Bhyve Setup (http://slexy.org/view/s21xTyirkO) John - beadm + GELI (http://slexy.org/view/s2YVi7ULlJ) Darrall - ZFS + RAID = Problems (http://slexy.org/view/s20lRTaZSy) Hamza - Which shell? (http://slexy.org/view/s2omNWdTBU) Amenia - FreeBSD routing (http://slexy.org/view/s21Y8bPbnm) ***

Controlling the Transmissions This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** Headlines FreeBSD 2015 Vendor Dev Summit (https://wiki.freebsd.org/201511VendorDevSummit) FreeBSD Quarterly Status Report - Third Quarter 2015 (https://www.freebsd.org/news/status/report-2015-07-2015-09.html) We have a fresh quarterly status report from the FreeBSD project. Once again it almost merits an entire show, but we will try to hit all the highlights. Bhyve - Porting of the Intel edk2 UEFI firmware, allowing Windows in headless mode, and Illumos support. Also porting to ARM has begun! Improved Support for Acer C720 ChromeBooks High Availability Clustering in CTL (Cam Target Layer) Root Remounting (Similar to pivot_root in Linux). This work allows using “reboot -r” to do a fast-reboot, with a partial shutdown, kill all processes, and re-mount rootfs and boot. Especially useful for booting from mfs or similar then transitioning to iscsi or some other backing storage OpenCL Support in Mesa, as well as kernel progress on the i915 driver Improved support for UEFI FrameBuffer on a bunch of recent MacBook Pro and other Macs, in addition to improvements to “vt” framebuffer driver for high resolution displays. ZFS support for UEFI Boot (Needs testing, but used in PC-BSD for a couple months now), and importing new features from IllumOS (resumable send, receive prefetch, replication checksumming, 50% less ram required for L2ARC, better prefetch) DTrace SDT probes added to TCP code, to replace the old TCPDEBUG kernel option. Recompiling the kernel is no longer required to debug TCP, just use DTrace Ongoing work to bring us a native port/package of GitLab *** Meteor, the popular javascript web application framework has been forked to run on FreeBSD, OpenBSD and NetBSD - FreeBSD testers requested (https://forums.meteor.com/t/freebsd-testers-please/12919/10) We have a public call for testing for FreeBSD users of Meteor by Tom Freudenberg The included link includes all the details on how to currently get meteor boot-strapped on your box and bring up the server So far the reports are positive, many users reporting that it is running on their 10.2 systems / jails just fine. Just a day ago the original porter mentioned that OpenBSD is ready to go for testing using the prepared dev bundle. *** Mike Larkin work continues on an native OpenBSD hypervisor, which he has announced is now booting (http://undeadly.org/cgi?action=article&sid=20151101223132) Speaking of OpenBSD, we have an update from Mike Larkin about the status of the OpenBSD native hypervisor vmm(4). His twitter post included the output from a successful VM bootup of OpenBSD 5.8-current, all the way to multi-user While the code hasn't been committed (yet) we will keep you informed when it lands so you too can begin playing with it. *** This is how I like open source (http://blog.etoilebsd.net/post/This_is_how_I_like_opensource) A blog post by FreeBSD Core Team member, and one of the lead developers of pkg, Baptiste Daroussin One project he has been working on is string collation Garrett d'Amore (of IllumOS) implemented unicode string collation while working for Nexenta and made it BSD license John Marino (from Dragonfly) imported the work done on Illumos into Dragonfly, while he was doing that he decided, it was probably a good idea to rework how locales are handled He discovered that Edwin Groothuis (from FreeBSD) had long ago started a project to simplify locales handling on FreeBSD He extended the tools written by Edwin and has been able to update Dragonfly to the latest (v27 so far) unicode definitions John Marino has worked with Bapt many times on various projects (including bringing pkg and ports to Dragonfly) Bapt decided it was time that FreeBSD got proper string collation support as well, and worked with John to import the support to FreeBSD Bapt spotted a couple of bugs and worked with John on fixing them: issues with eucJP encoding, issues with Russian encoding (John did most of the work on tracking down and fixing the bugs), Bapt also converted localedef (the tool to generate the locales) into using BSD license only code (original version used the CDDL libavl library which I modified to use tree(3)), fixed issues. I also took the locale generation from Edwin (extended by John) This work resulted in a nice flow of patches going from Dragonfly to FreeBSD and from FreeBSD to Dragonfly. And now Garrett is interested in grabbing back our patches into Illumos! The result of this collaboration is that now 3 OS share the same implementation for collation support! This is very good because when one discovers a bug the 3 of them benefit the fix! The biggest win here is that this was a lot of work, and not an area that many people are interested in working on, so it was especially important to share the work rather than reimplement it separately. *** Interview - Hiren Panchasara - hiren@freebsd.org (mailto:hiren@freebsd.org) / @hirenpanchasara (https://twitter.com/hirenpanchasara) Improving TCP *** iXsystems MissonComplete winners (https://www.ixsystems.com/whats-new/october-missioncomplete-winners/) *** News Roundup LibreSSL 2.3.1 released (http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.1-relnotes.txt) LibreSSl keeps on chugging, the latest release has landed, 2.3.1, which is the second snapshot based upon the OpenBSD 5.9 development branch. Currently they are targeting a stable ABI/API sometime around March 2016 for the 2.3.X series. Included in this update are ASN. 1 cleanups and some compliance fixes for RFC5280 Switched internally to timet, with a check that the host OS supports 64bit timet Various TLS fixes, including the ability to check cert validity times with tlspeercert_not{before|after} Fixed a reported memory leak in OBJ_obj2txt *** Guide for Installing Ghost w/ Nginx on FreeBSD (http://linoxide.com/linux-how-to/install-ghost-nginx-freebsd-10-2/) A nice walkthrough for the week, we've found an article about how to install the Ghost blogging platform on FreeBSD 10.2. For those who don't know, Ghost is a MIT licensed blogging tool, started in 2012 by a former WordPress UI developer and is entirely coded in Node.js While a port for FreeBSD does not yet exist (somebody get on that please), this tutorial can walk you through the process of getting it deployed manually Most of the requirements are simple, www/node, www/npm and sqlite3. With those installed, most of the steps are simply creating the username / home for ghost, and some “npm” setup. The walkthrough even includes a handy rc.d script, making the possibility of a port seem much more likely *** Adrian Chadd on 'Why attention to detail matters when you're a kernel developer (http://adrianchadd.blogspot.com/2015/10/fixing-up-qca9558-performance-on.html) Adrian was correctly trolled in the FreeBSD embedded IRC chatroom and started looking at why the bridging performance in MIPS boards was so bad 120-150 mbit/sec is not really enough anymore Using previous MIPS24k support as a starting point, Adrian managed to get HWPMC (Hardware Performance Monitoring Counters) working on MIPS74k Using the data collected from the performance counters Adrian was able to figure out that packets were being copied in order to meet alignment requirements of the NIC and the FreeBSD networking stack. It turns out this is no longer a requirement for most modern Atheros NICs, so the workaround could be removed Now performance was 180 mbit/sec Next, on the receive side, only the TCP stack requires strict alignment, the ethernet stack does not, so offset the start point by 2 bytes so that TCP ends up aligned, and problem solved. Or not, no performance difference... The problem appeared to be busdma, Ian Lepore had recently made improves in this area on armv6 and helpfully ported these over to MIPS Now 420 mbit/sec. Getting better, but not as fast as Linux After some further investigation, a missing ‘sync' operation was added, and the memory caching was changed from writethrough to writeback Things were so fast now, that the descriptor ring was being run through the ring so quickly as to hit the next descriptor that is still being setup. The first was to mark the first descriptor of a multi-descriptor packet as ‘empty' until the entire chain was setup, so it would not be processed before the latter bits were done being added to the ring. So now MIPS can bridge at 720 mbit/sec, and route 320 mbit/sec Adrian wants to improve the routing speed and get it caught up to the bridging speed, but as always, free time is scarce. *** Switching from OS X to FreeBSD (http://mirrorshades.net/post/132753032310) The story of a user who had used OS X since its beta, but 10.9 and 10.10, became more and more dissatisfied They found they were spending too much time fighting with the system, rather than getting work done They cover the new workstation they bought, and the process of getting FreeBSD going on it, including why they chose FreeBSD rather than PCBSD Also covered it setting up a Lenovo X220 laptop They setup the i3wm and mutt The blog is very detailed and goes so far as to share a github repo of dotfiles and configuration files to ease the transition from OS X. *** BeastieBits The Stack behind Netflix's scaling (http://www.scalescale.com/the-stack-behind-netflix-scaling/) The Amiga port of NetBSD now has xorg support (https://mail-index.netbsd.org/source-changes/2015/11/04/msg069873.html) NetBSD has announced EOL for v5.x to be November 9th (http://blog.netbsd.org/tnf/entry/end_of_life_for_netbsd) RetroArch ports allow playing PlayStation, Sega, Atari, etc., games on FreeBSD (https://lists.freebsd.org/pipermail/freebsd-current/2015-November/058266.html) OpenBSD booting on a 75mhz Cyrex system with 32MB RAM (http://gfycat.com/InnocentSneakyEwe) Matthew Green reports Nouveau Nvidia can support GL with his latest commit (http://mail-index.netbsd.org/source-changes/2015/10/29/msg069729.html) Releases! OPNsense releases 15.7.18 (https://opnsense.org/opnsense-15-7-18-released/) pfSense releases 2.2.5 (https://blog.pfsense.org/?p=1925) Feedback/Questions Eric (http://slexy.org/view/s2ogdURldm) Andrew (http://slexy.org/view/s22bK2LZLm) Joseph (http://slexy.org/view/s2to6ZpBTc) Sean (http://slexy.org/view/s2oLU0KM7Y) Dustin (http://slexy.org/view/s21k6oKvle) *** For those of you curious about Kris' new lighting here are the links to what he is using. Softbox Light Diffuser (http://smile.amazon.com/gp/product/B00OTG6474?psc=1&redirect=true&ref_=oh_aui_detailpage_o01_s00&pldnSite=1) Full Spectrum 5500K CFL Bulb (http://smile.amazon.com/gp/product/B00198U6U6?psc=1&redirect=true&ref_=oh_aui_detailpage_o06_s00) ***

This week, Allan is out of town at another Developer Summit, but we have a great episode coming This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** Headlines WhatsApp founder, on how it got so HUGE (http://www.wired.com/2015/10/whatsapps-co-founder-on-how-the-iconoclastic-app-got-huge/) Wired has interviewed WhatsApp co-founder Brian Acton, about the infrastructure behind WhatsApp WhatsApp manages 900 million users with a team of 50, while Twitter needs around 4,000 employees to manage 300 million users. “FreeBSD has a nicely tuned network stack and extremely good reliability. We find managing FreeBSD installations to be quite straightforward.” “Linux is a beast of complexity. FreeBSD has the advantage of being a single distribution with an extraordinarily good ports collection.” “To us, it has been an advantage as we have had very few problems that have occurred at the OS level. With Linux, you tend to have to wrangle more and you want to avoid that if you can.” “FreeBSD happened because both Jan and I have experience with FreeBSD from Yahoo!.” Additional Coverage (http://uk.businessinsider.com/whatsapp-built-using-erlang-and-freebsd-2015-10) *** User feedback in the SystemD vs BSD init (https://www.textplain.net/blog/2015/problems-with-systemd-and-why-i-like-bsd-init/) We have a very detailed blog post this week from Randy Westlund, about his experiences on Linux and BSD, contrasting the init systems. What he finds is that while, it does make some things easier, such as writing a service file once, and having it run everywhere, the tradeoff comes in the complexity and lack of transparency. Another area of concern was the reproducibility of boots, how in his examples on servers, there can often be times when services start in different orders, to save a few moments of boot-time. His take on the simplicity of BSD's startup scripts is that they are very easy to hack on and monitor, while not introducing the feature creep we have seen in sysd. It will be interesting to see NextBSD / LaunchD and how it compares in the future! *** Learn to embrace open source, or get buried (http://opensource.com/business/15/10/ato-interview-jim-salter) At the recent “All Things Open” conference, opensource.com interviewed Jim Salter He describes how he first got started using FreeBSD to host his personal website He then goes on to talk about starting FreeBSDWiki.net and what its goals were The interview then talks about using Open Source at solve customers' problems at his consulting firm Finally, the talks about his presentation at AllThingsOpen: Move Over, Rsync (http://allthingsopen.org/talks/move-over-rsync/) about switching to ZFS replication *** HP's CTO Urges businesses to avoid permissive licenses (http://lwn.net/Articles/660428/) Martin Fink went on a rant about the negative effects of license proliferation While I agree that having too many new licenses is confusing and adds difficulty, I didn't agree with his closing point “He then ended the session with an extended appeal to move the open-source software industry away from permissive licenses like Apache 2.0 and toward copyleft licenses like the GPL” “The Apache 2.0 license is currently the most widely used "permissive" license. But the thing that developers overlook when adopting it, he said, is that by using Apache they are also making a choice about how much work they will have to put into building any sort of community around the project. If you look at Apache-licensed projects, he noted, "you'll find that they are very top-heavy with 'governance' structures." Technical committees, working groups, and various boards, he said, are needed to make such projects function. But if you look at copyleft projects, he added, you find that those structures simply are not needed.” There are plenty of smaller permissively licensed projects that do not have this sort of structure, infact, most of this structure comes from being an Apache run project, rather than from using the Apache or any other permissive license Luckily, he goes on to state that the “OpenSwitch code is released under the Apache 2.0 license, he said, because the other partner companies viewed that as a requirement.” “HP wanted to get networking companies and hardware suppliers on board. In order to get all of the legal departments at all of the partners to sign on to the project, he said, HP was forced to go with a permissive license” Hopefully the trend towards permissive licenses continues Additionally, in a separate LWN post: RMS Says: “I am not saying that competitors to a GNU package are unjust or bad -- that isn't necessarily so. The pertinent point is that they are competitors. The goal of the GNU Project is for GNU to win the competition. Each GNU package is a part of the GNU system, and should contribute to the success of the GNU Project. Thus, each GNU package should encourage people to run other GNU packages rather than their competitors -- even competitors which are free software.” (http://lwn.net/Articles/659757/) Never thought I'd see RMS espousing vendor lock-in *** Interview - Brian Callahan - bcallah@devio.us (mailto:bcallah@devio.us) / @twitter (https://twitter.com/__briancallahan) The BSDs in Education *** News Roundup Digital Libraries in Africa making use of DragonflyBSD and HAMMER (http://lists.dragonflybsd.org/pipermail/users/2015-October/228403.html) In the international development context, we have an interesting post from Michael Wilson of the PeerCorps Trust Fund. They are using DragonFlyBSD and FreeBSD to support the Tanzanian Digital Library Initiative in very resource-limited settings. They cite among the most important reasons for using BSD as the availability and quality of the documentation, as well as the robustness of the filesystems, both ZFS and HAMMER. Their website is now online over at (http://www.tandli.com/) , check it out to see exactly how BSD is being used in the field *** netflix hits > 65gbps from a single freebsd box (https://twitter.com/ed_maste/status/655120086248763396) A single socket server, with a high end Xeon E5 processor and a dual ported Chelsio T580 (2x 40 Gbps ports) set a netflix record pushing over 65 Gbps of traffic from a single machine The videos were being pushed from SSDs and some new high end NVMe devices The previous record at Netflix was 52 Gbps from a single machine, but only with very experimental settings. The current work is under much more typical settings By the end of that night, traffic surged to over 70 Gbps Only about 10-15% of that traffic was encrypted with the in-kernel TLS engine that Netflix has been working on with John-Mark Gurney It was reported that the machine was only using about 65% cpu, and had plenty of head room If I remember the discussion correctly, there were about 60,000 streams running off the machine *** Lumina Desktop 0.8.7 has been released (http://lumina-desktop.org/lumina-desktop-0-8-7-released/) A very large update has landed for PC-BSD's Lumina desktop A brand new “Start” menu has been added, which enables quick launch of favorite apps, pinning to desktop / favorites and more. Desktop icons have been overhauled, with better font support, and a new Grid system for placement of icons. Support for other BSD's such as DragonFly has been improved, along with TONS of internal changes to functionality and backends. Almost too many things to list here, but the link above will have full details, along with screenshots. *** A LiveUSB for NetBSD has been released by Jibbed (http://www.jibbed.org/) After a three year absence, the Jibbed project has come back with a Live USB image for NetBSD! The image contains NetBSD 7.0, and is fully R/W, allowing you to run the entire system from a single USB drive. Images are available for 8Gb and 4Gb sticks (64bit and 32bit respectively), along with VirtualBox images as well For those wanting X, it includes both X and TWM, although ‘pkgin' is available, so you can quickly add other desktops to the image *** Beastie Bits After recent discussions of revisiting W^X support in Mozilla Firefox, David Coppa has flipped the switch to enable it for OpenBSD users running -current. (http://undeadly.org/cgi?action=article&sid=20151021191401&mode=expanded) Using the vt(4) driver to change console resolution (http://lme.postach.io/post/changing-console-resolution-in-freebsd-10-with-vt-4) The FreeBSD Foundation gives a great final overview of the Grace Hopper Conference (http://freebsdfoundation.blogspot.com/2015/10/conference-recap-grace-hopper.html) A dialog about Compilers in the (BSD) base system (https://medium.com/@jmmv/compilers-in-the-bsd-base-system-1c4515a18c49) One upping their 48-core work from July, The Semihalf team shows off their the 96-core SMP support for FreeBSD on Cavium ThunderX (ARMv8 architecture (https://www.youtube.com/watch?v=1q5aDEt18mw) NYC Bug's November meeting will be featuring a talk by Stephen R. Bourne (http://lists.nycbug.org/pipermail/talk/2015-October/016384.html) New not-just-BSD postcast, hosted by two OpenBSD devs Brandon Mercer and Joshua Stein (http://garbage.fm/) Feedback/Questions Stefan (http://slexy.org/view/s21wjbhCJ4) Zach (http://slexy.org/view/s21TbKS5t0) Jake (http://slexy.org/view/s20AkO1i1R) Corey (http://slexy.org/view/s2nrUMatU5) Robroy (http://slexy.org/view/s2pZsC7arX) Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv)

Coming up on this week's episode, we have an interview This episode was brought to you by iX Systems Mission Complete (https://www.ixsystems.com/missioncomplete/) Submit your story of how you accomplished a mission with FreeBSD, FreeNAS, or iXsystems hardware, and you could win monthly prizes, and have your story featured in the FreeBSD Journal! *** Headlines OpenBSD 5.8 is released on the 20th birthday of the OpenBSD project (http://bsdsec.net/articles/openbsd-5-8-released) 5.8 has landed, and just in time for the 20th birthday of OpenBSD, Oct 18th A long list of changes can be found on the release announcement, but here's a small scattering of them Drivers for new hardware, such as: rtwn = Realtek RTL8188CE wifi hpb = HyperTransport bridge in IBM CPC945 Improved sensor support for upd driver (USB power devices) Jumbo frame support on re driver, using RTL8168C/D/E/F/G and RTL8411 Updated to installer, improve autoinstall, and questions about SSH setup Sudo in base has been replace with “doas”, sudo moved to package tree New file(1) command with sandboxing and priv separation The tame(2) API WiP Improvements to the httpd(8) daemon, such as support for lua pattern matching redirections Bugfixes and the security updates to OpenSMTPD 5.4.4 LibreSSL security fixes, removed SSLv3 support from openssl(1) (Still working on nuking SSLv3 from all ports) And much more, too much to mention here, read the notes for all the gory details! OpenBSD Developer Interviews To go along with the 20th birthday, we have a whole slew of new interviews brought to us by the beastie.pl team. English and Polish are both provided, so be sure not to miss these! Dmitrij D. Czarkoff (http://beastie.pl/deweloperzy-openbsd-dmitrij-d-czarkoff/) Vadim Zhukov (http://beastie.pl/deweloperzy-openbsd-vadim-zhukov/) Marc Espie (http://beastie.pl/deweloperzy-openbsd-marc-espie/) Bryan Steele (http://beastie.pl/deweloperzy-openbsd-bryan-steele/) Ingo Schwarze (http://beastie.pl/deweloperzy-openbsd-ingo-schwarze/) Gilles Chehade (http://beastie.pl/deweloperzy-openbsd-gilles-chehade/) Jean-Sébastien Pédron has submitted a call for testing out the neIntel i915 driver (http://lists.freebsd.org/pipermail/freebsd-x11/2015-October/016758.html) A very eagerly awaited feature, Haswell GPU support has begun the testing process The main developer, Jean-Sébastien Pédron dumbbell@freebsd.org looking for users to test the patch, both those that have older supported cards (Sandybridge, Ivybridge) that are currently working, and users with Haswell devices that have, until now, not been supported Included is a link to the Wiki with instructions on how to enable debugging, and grab the updated branch of FreeBSD with the graphical improvements. Jean-Sébastien is calling for testers to send results both good and bad over to the freebsd-x11 mailing lists For those who want an “out of box solution” the next PC-BSD 11.0-CURRENT November images will include these changes as well How to install FreeBSD on a Raspberry Pi 2 (http://www.cyberciti.biz/faq/how-to-install-freebsd-on-raspberry-pi-2-model-b/) We have a nice walkthrough this week on how to install FreeBSD, both 10 or 11-CURRENT on a RPi 2! The walkthrough shows us how to use OSX to copy the image to SD card, then booting. In this case, we have him using a USB to serial cable to capture output with screen This is a pretty quick way for users sitting on a RPi2 to get up and running with FreeBSD Interview - Jordan Hubbard - jkh@ixsystems.com (mailto:email@email) NextBSD (http://www.nextbsd.org/) | NextBSD Github (https://github.com/NextBSD/NextBSD) Beastie Bits OpenBSD's Source Tree turned 20 on October 18th (https://marc.info/?l=openbsd-misc&m=144515087006177&w=2) GhostBSD working on Graphical ZFS Configuration Utility (https://plus.google.com/+GhostbsdOrg/posts/JoNZzrKrhtB) EuroBSDcon 2014 videos finally online (https://www.youtube.com/channel/UCz6C-szau90f9Vn07A6W2aA/videos) Postdoctoral research position at Memorial University is open (http://www.mun.ca/postdoc/tc-postdoc-2015.pdf) NetBSD Security Advisory: TCP LAST_ACK memory exhaustion, reported by NetFlix and Juniper (http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2015-009.txt.asc) DesktopBSD making a comeback? (http://www.desktopbsd.net/forums/threads/desktopbsd-2-0-roadmap.798/) Feedback/Questions Steve (http://slexy.org/view/s20PllfFXt) Ben (http://slexy.org/view/s21jJm1lFN) Frank (http://slexy.org/view/s20TsrN3uq) Tyler (http://slexy.org/view/s20AydOevW)

An interview with George Neville-Neil about the upcoming FreeBSD Journal electronic magazine.  More information at http://www.freebsdjournal.com/The interview was recorded using google voice, and I apologize for the low bit rate audio.File Info: 22Min, 10MB.Ogg Link: https://archive.org/download/bsdtalk237/bsdtalk237.ogg

NYCBSDCon 2014 was great, and I recorded a series of voices from the attendees.Also, the FreeBSD Journal release was announced at the conference.File Info: 9Min, 4Mb.Ogg Link: https://archive.org/download/bsdtalk238/bsdtalk238.ogg

This week, we have Nigel Williams here to bring us all sorts of info about Multipath TCP, what it is, how it works and the ongoing effort to bring it into FreeBSD. All that and of course the latest BSD news coming your way, right now! This episode was brought to you by Headlines Backing out changes doesn.t always pinpoint the problem (https://blog.crashed.org/dont-backout/) Peter Wemm brings us a fascinating look at debugging an issue which occurred on the FreeBSD build cluster recently. Bottom line? Backing out something isn.t necessarily the fix, rather it should be apart of the diagnostic process In this particular case, a change to some mmap() functionality ended up exposing a bug in the kernel.s page fault handler which existed since (wait for it.) 1997! As Peter mentions at the bottom of the Article, this bug had been showing up for years, but was sporadic and often written off as a networking hiccup. *** BSD Router Project benchmarks new routing changes to FreeBSD (https://github.com/ocochard/netbenchs/blob/master/Xeon_E5-2650-8Cores-Chelsio_T540-CR/nXxq10g/results/fbsd11-melifaro.r287531/README.md) A project branch of FreeBSD -CURRENT has been created with a number of optimizations to the routing code Alexander V. Chernikov (melifaro@).s routing branch (https://svnweb.freebsd.org/base/projects/routing/?view=log) The net result is an almost doubling of peak performance in packets per second Performance scales well with the number of NIC queues (2 queues is 88% faster than 1 queue, 3 is 270% faster). Unlike the previous code, when the number of queues hits 4, performance is down by only 10%, instead of being cut nearly in half Other Benchmark Results, and the tools to do your own tests (https://github.com/ocochard/netbenchs) *** When is SSL not SSL? (http://www.tedunangst.com/flak/post/the-peculiar-libretunnel-situation) Our buddy Ted has a good write-up on a weird situation related to licensing of stunnel and LibreSSL The problem exists due to stunnel being released with a different license, that is technically incompatible with the GPL, as well as linking against non-OpenSSL versions. The author has also decided to create specific named exceptions when the *SSL lib is part of the base operating system, but does not personally consider LibreSSL as a valid linking target on its own Ted points out that the LibreSSL team considers LibreSSL == OpenSSL, so this may be a moot concern *** Update on systembsd (http://darknedgy.net/files/systembsd.pdf) We.ve mentioned the GSoC project to create a SystemD shim in OpenBSD before. Now we have the slides from Ian Sutton talking about this project. As a refresher, this project is to take DBUS and create daemons emulating various systemd components, such as hostnamed, localed, timedated, and friends. Written from scratch in C, it was mainly created in the hopes of becoming a port, allowing Gnome and related tools to function on OpenBSD. This is a good read, especially for current or aspiring porters who want to bring over newer versions of applications which now depend upon SystemD. *** Interview - Nigel Williams - njwilliams@swin.edu.au (njwilliams@swin.edu.au) Multipath TCP News Roundup OpenBSD UEFI boot loader (http://marc.info/?l=openbsd-cvs&m=144115942223734&w=2) We.ve mentioned the ongoing work to bring UEFI booting to OpenBSD and it looks like this has now landed in the tree The .fdisk. utility has also been updated with a new -b flag, when used with .-i. will create the special EFI system partition on amd64/i386 . (http://marc.info/?l=openbsd-cvs&m=144139348416071&w=2) Some twitter benchmarks (https://twitter.com/mherrb/status/641004331035193344) *** FreeBSD Journal, July/August issue (https://www.freebsdfoundation.org/journal/vol2_no4/) The latest issue of the FreeBSD Journal has arrived As always, the Journal opens with a letter from the FreeBSD Foundation Feature Articles: Groupon's Deal on FreeBSD -- How to drive adoption of FreeBSD at your organization, and lessons learned in retraining Linux sysadmins FreeBSD: The Isilon Experience -- Mistakes not to make when basing a product on FreeBSD. TL;DR: track head Reflections on FreeBSD.org: Packages -- A status update on where we are with binary packages, what issues have been overcome, and which still remain Inside the Foundation -- An overview of some of the things you might not be aware that the FreeBSD Foundation is doing to support the project and attract the next generation of committers Includes a book review of .The Practise of System and Network Administration. As usual, various other reports are included: The Ports Report, SVN Update, A conference report, a report from the Essen hackathon, and the Event Calendar *** Building ARMv6 packages on FreeBSD, the easy way (http://blogs.freebsdish.org/brd/2015/08/25/building-arm-packages-with-poudriere-the-simple-way/) Previously we have discussed how to build ARMv6 packages on FreeBSD We also interviewed Sean Bruno about his work in this area Thankfully, over time this process has been simplified, and no longer requires a lot of manual configuration, or fussing with the .image activator. Now, you can just build packages for your Raspberry Pi or similar device, just as simply as you would build for x86, it just takes longer to build. *** New PC-BSD Release Schedule (http://blog.pcbsd.org/2015/09/new-release-schedule-for-pc-bsd/) The PC-BSD Team has announce an updated release schedule for beyond 10.2 This schedule follows more closely the FreeBSD schedules, with major releases only occurring when FreeBSD does the next point update, or major version bump. PC-BSD.s source tree has been split into master(current) and stable as well PRODUCTION / EDGE packages will be built from stable, with PRODUCTION updated monthly now. The -CURRENT monthly images will contain the master source builds. *** Feedback/Questions Joris writes in (http://slexy.org/view/s21cguSv7E) Anonymous (http://slexy.org/view/s217A5NNGg) Darin (http://slexy.org/view/s20HyiqJV0) ***

It's our last episode of 2014, and we'll be chatting with Dan Langille about the upcoming BSDCan conference. We'll find out what's planned and what sorts of presentations they're looking for. As usual, answers to viewer-submitted questions and all the week's news, coming up on BSD Now - the place to B.. SD. This episode was brought to you by Headlines More conference presentation videos (http://2014.asiabsdcon.org/timetable.html.en) Some more of the presentation videos from AsiaBSDCon are appearing online Masanobu Saitoh, Developing CPE Routers Based on NetBSD (https://www.youtube.com/watch?v=ApruZrU5fVs) Reyk Floeter (http://www.bsdnow.tv/episodes/2014_09_03-its_hammer_time), VXLAN and Cloud-based Networking with OpenBSD (https://www.youtube.com/watch?v=ufeEP_hzFN0) Jos Jansen, Adapting OS X to the enterprise (https://www.youtube.com/watch?v=gOPfRQgTjNo) Pierre Pronchery (http://www.bsdnow.tv/episodes/2014_04_01-edgy_bsd_users) & Guillaume Lasmayous, Carve your NetBSD (https://www.youtube.com/watch?v=vh-TjLUj6os) Colin Percival (http://www.bsdnow.tv/episodes/2014_01_22-tendresse_for_ten), Everything you need to know about cryptography in 1 hour (https://www.youtube.com/watch?v=jzY3m5Kv7Y8) (not from AsiaBSDCon) The "bsdconferences" YouTube channel has quite a lot of interesting older BSD talks (https://www.youtube.com/user/bsdconferences/videos?sort=da&view=0&flow=grid) too - you may want to go back and watch them if you haven't already *** OpenBSD PIE enhancements (https://www.marc.info/?l=openbsd-cvs&m=141922027318727&w=2) ASLR (https://en.wikipedia.org/wiki/Address_space_layout_randomization) and PIE (https://en.wikipedia.org/wiki/Position-independent_executable) are great security features that OpenBSD has had enabled by default for a long time, in both the base system and ports, but they have one inherent problem They only work with dynamic libraries and binaries, so if you have any static binaries, they don't get the same treatment For example, the default shells (and many other things in /bin and /sbin) are statically linked In the case of the static ones, you can always predict the memory layout, which is very bad and sort of defeats the whole purpose (https://en.wikipedia.org/wiki/Return-oriented_programming) With this and a few related commits (https://www.marc.info/?l=openbsd-cvs&m=141927571832106&w=2), OpenBSD fixes this by introducing static self-relocation More and more CPU architectures are being tested and getting support too; this isn't just for amd64 and i386 - VAX users can rest easy It'll be available in 5.7 in May, or you can use a -current snapshot (http://www.openbsd.org/faq/faq5.html#BldBinary) if you want to get a slice of the action now *** FreeBSD foundation semi-annual newsletter (https://www.freebsdfoundation.org/press/2014dec-newsletter.html) The FreeBSD foundation publishes a huge newsletter twice a year, detailing their funded projects and some community activities As always, it starts with a letter from the president of the foundation - this time it's about encouraging students and new developers to get involved The article also has a fundraising update with a list of sponsored projects, and they note that the donations meter has changed from dollars to number of donors (since they exceeded the goal already) You can read summaries of all the BSD conferences of 2014 and see a list of upcoming ones next year too There are also sections about the FreeBSD Journal (http://www.bsdnow.tv/episodes/2014_01_29-journaled_news_updates)'s progress, a new staff member and a testimonial from NetApp It's a very long report, so dedicate some time to read all the way through it This year was pretty great for BSD: both the FreeBSD and OpenBSD foundations exceeded their goals and the NetBSD foundation came really close too As we go into 2015, consider donating to whichever (https://www.freebsdfoundation.org/donate) BSD (http://www.openbsdfoundation.org/donations.html) you (https://www.netbsd.org/donations/) use (http://www.dragonflybsd.org/donations/), it really can make a difference *** Modernizing OpenSSH fingerprints (https://www.marc.info/?l=openbsd-cvs&m=141920089614758&w=4) When you connect to a server for the first time, you'll get what's called a fingerprint of the host's public key - this is used to verify that you're actually talking to the same server you intended to Up until now, the key fingerprints have been an MD5 hash, displayed as hex This can be problematic (https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-November/033117.html), especially for larger key types like RSA that give lots of wiggle room for collisions, as an attacker could generate a fake host key that gives the same MD5 string as the one you wanted to connect to This new change replaces the default MD5 and hex with a base64-encoded SHA256 fingerprint You can add a "FingerprintHash" line in your ssh_config to force using only the new type There's also a new option (https://www.marc.info/?l=openbsd-cvs&m=141923470520906&w=2) to require users to authenticate with more than one public key, so you can really lock down login access to your servers - also useful if you're not 100% confident in any single key type The new options should be in the upcoming 6.8 release *** Interview - Dan Langille - info@bsdcan.org (mailto:info@bsdcan.org) / @bsdcan (https://twitter.com/bsdcan) Plans for the BSDCan 2015 conference News Roundup Introducing ntimed, a new NTP daemon (https://github.com/bsdphk/Ntimed) As we've mentioned before in our tutorials (http://www.bsdnow.tv/tutorials/ntpd), there are two main daemons for the Network Time Protocol - ISC's NTPd and OpenBSD's OpenNTPD With all the recent security problems with ISC's NTPd, Poul-Henning Kamp (http://www.bsdnow.tv/episodes/2013_10_16-go_directly_to_jail) has been working on a third NTP daemon It's called "ntimed" and you can try out a preview version of it right now - it's in FreeBSD ports (https://www.freshports.org/net/ntimed/) or on Github PHK also has a few blog entries (http://phk.freebsd.dk/time/) about the project, including status updates *** OpenBSD-maintained projects list (http://mdocml.bsd.lv/openbsd_projects.html) There was recently a read on the misc mailing list (https://www.marc.info/?t=141961588200003&r=1&w=2) asking about different projects started by OpenBSD developers The initial list had marks for which software had portable versions to other operating systems (OpenSSH being the most popular example) A developer compiled a new list from all of the replies to that thread into a nice organized webpage Most people are only familiar with things like OpenSSH, OpenSMTPD, OpenNTPD and more recently LibreSSL, but there are quite a lot more This page also serves as a good history lesson for BSD in general: FreeBSD and others have ported some things over, while a couple OpenBSD tools were born from forks of FreeBSD tools (mergemaster, pkg tools, portscout) *** Monitoring network traffic with FreeBSD (https://forums.freebsd.org/threads/howto-monitor-network-traffic-with-netflow-nfdump-nfsen-on-freebsd.49724/) If you've ever been curious about monitoring network traffic on your FreeBSD boxes, this forum post may be exactly the thing for you It'll show you how to combine the Netflow, NfDump and NfSen suite of tools to get some pretty detailed network stats (and of course put them into a fancy webpage) This is especially useful for finding out what was going on at a certain point in time, for example if you had a traffic spike *** Trapping spammers with spamd (http://www.protoc.org/blog/2014/12/22/trapping-spammers-with-the-openbsd-spam-deferral-daemon) This is a blog post about OpenBSD's spamd (https://en.wikipedia.org/wiki/Spamd) - a spam email deferral daemon - and how to use it for your mail It gives some background on the greylisting approach to spam, rather than just a typical host blacklist "Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the sender re-attempts mail delivery at a later time, the sender may be allowed to continue the mail delivery conversation." The post also shows how to combine it with PF and other tools for a pretty fancy mail setup You can find spamd in the OpenBSD base system (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/spamd.8), or use it with FreeBSD (https://www.freshports.org/mail/spamd) or NetBSD (http://pkgsrc.se/mail/spamd) via ports and pkgsrc You might also want to go back and listen to BSDTalk episode 68 (https://archive.org/details/bsdtalk068), where Will talks to Bob Beck about spamd *** Feedback/Questions Sean writes in (http://slexy.org/view/s20rUK9XVJ) Brandon writes in (http://slexy.org/view/s20nfzIuT2) Anders writes in (http://slexy.org/view/s20wCBhFLO) David writes in (http://slexy.org/view/s20xGrBIyl) Kyle writes in (http://slexy.org/view/s2QHRaiZJW) *** Mailing List Gold NTP code comparison (https://www.marc.info/?l=openbsd-tech&m=141903858708123&w=2) - 192870 vs. 2898 (https://www.marc.info/?l=openbsd-tech&m=141905854411370&w=2) NICs have feelings too (https://lists.freebsd.org/pipermail/freebsd-hackers/2014-December/046741.html) Just think about it (https://www.marc.info/?l=openbsd-ports&m=141998130824977&w=2) ***

This time on the show we'll be talking with Jon Anderson about Capsicum and Casper to securely sandbox processes. After that, our tutorial will show you how to encrypt all your DNS lookups, either on a single system or for your whole network. News, emails and all the usual fun, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines BSDCan 2014 talks and reports (https://www.bsdcan.org/2014/schedule/) The majority of the BSDCan talks are finally uploaded, so prepare to be flooded with links Karl Lehenbauer's keynote (https://www.youtube.com/watch?v=13LiyjnTGsQ) (he's on next week's episode) Mariusz Zaborski and Pawel Jakub Dawidek, Capsicum and Casper (https://www.youtube.com/watch?v=0la06FHbdvg) (relevant to today's interview) Luigi Rizzo, In-kernel OpenvSwitch on FreeBSD (https://www.youtube.com/watch?v=Lr5o1VQMtgA) Dwayne Hart, Migrating from Linux to FreeBSD for Backend Data Storage (https://www.youtube.com/watch?v=AVuF9eFeVWs) Warner Losh, NAND Flash and FreeBSD (https://www.youtube.com/watch?v=lj0XAE6C6-k) Simon Gerraty, FreeBSD bmake and Meta Mode (https://www.youtube.com/watch?v=4s0UY0sg6vI) Bob Beck, LibreSSL - The First 30 Days (https://www.youtube.com/watch?v=oM6S7FEUfkU) Henning Brauer, OpenBGPD Turns 10 Years Old (https://www.youtube.com/watch?v=cP8AW111IKg) Arun Thomas, BSD ARM Kernel Internals (https://www.youtube.com/watch?v=ZAM7fqhGRr8) Peter Hessler, Using BGP for Realtime Spam Lists (https://www.youtube.com/watch?v=i8UAVswpagA) Pedro Giffuni, Features and Status of FreeBSD's Ext2 Implementation (https://www.youtube.com/watch?v=HMeTxViulgo) Matt Ahrens, OpenZFS Upcoming Features and Performance Enhancements (https://www.youtube.com/watch?v=EjGqVdCOIhM) Daichi Goto, Shellscripts and Commands (https://www.youtube.com/watch?v=MsRu0xIawaA) Benno Rice, Keeping Current (https://www.youtube.com/watch?v=jZp-ciB6mAg) Sean Bruno, MIPS Router Hacking (https://www.youtube.com/watch?v=LZjoFSfIv3k) John-Mark Gurney, Optimizing GELI Performance (https://www.youtube.com/watch?v=2qicD0tv_tI) Patrick Kelsey, Userspace Networking with libuinet (https://www.youtube.com/watch?v=LhIx8q8_7YY) Massimiliano Stucchi, IPv6 Transitioning Mechanisms (https://www.youtube.com/watch?v=WZoQzUZKaeo) Roger Pau Monné, Taking the Red Pill (https://www.youtube.com/watch?v=q6l9qtjlNXU) Shawn Webb, Introducing ASLR in FreeBSD (https://www.youtube.com/watch?v=jo8ObzR1tKQ) There's also a trip report (http://undeadly.org/cgi?action=article&sid=20140519164127) from Peter Hessler and one from Julio Merino (http://julipedia.meroh.net/2014/05/bsdcan-2014-summary.html) The latter report also talks about how, unfortunately, NetBSD basically had no presence in the event at all (and how that's a recurring trend) *** Defend your network and privacy with a VPN and OpenBSD (http://networkfilter.blogspot.com/2014/05/defend-your-network-and-privacy-vpn.html) After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems - this could also be used with Tor (but it would be very slow) It also includes a few general privacy tips, recommended browser extensions, etc The intro to the article is especially great, so give the whole thing a read He mentions our OpenBSD router guide (http://www.bsdnow.tv/tutorials/openbsd-router) and other tutorials being a big help for this setup, so hello if you're watching! *** You should try FreeBSD (http://blog.pascalj.com/article/you-should-try-freebsd/) In this blog post, the author talks a bit about how some Linux people aren't familiar with the BSDs and how we can take steps to change that He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two Possibly the most useful part is how to address the question "my server already works, why bother switching?" "Stackoverflow's answers assume I have apt-get installed" It includes mention of the great documentation, stability, ports, improved security and much more A takeaway quote for would-be Linux switchers: "I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before" *** OpenBSD and the little Mauritian contributor (http://hacklog.in/openbsd-and-the-little-mauritian-contributor/) This is a story about a guy from Mauritius (https://en.wikipedia.org/wiki/Mauritius) named Logan, one of OpenBSD's newest developers Back in 2010, he started sending in patched for OpenBSD's "mg" editor, among other small things, and eventually added file transfer resume support for SFTP The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back *** Interview - Jon Anderson - jonathan@freebsd.org (mailto:jonathan@freebsd.org) Capsicum and Casperd Tutorial Encrypting DNS lookups (http://www.bsdnow.tv/tutorials/dnscrypt) News Roundup FreeBSD Journal, May 2014 issue (http://i.imgur.com/f0qg6Ss.jpg) The newest issue of the FreeBSD Journal (http://www.bsdnow.tv/episodes/2014_01_29-journaled_news_updates) is out, following the bi-monthly release cycle This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read *** LibreSSL porting update (http://insanecoding.blogspot.com/2014/05/libressl-porting-update.html) Since the last LibreSSL post we covered, a couple unofficial "portable" versions have died off Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly - stop doing that! This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good *** BSDMag May 2014 issue is out (http://bsdmag.org/magazine/1862-meteorjs-on-freebsd-11-may-bsd-issue) The usual monthly release from BSDMag, covering a variety of subjects This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things It's a free PDF, go grab it *** BSDTalk episode 241 (http://bsdtalk.blogspot.com/2014/05/bsdtalk241-bob-beck.html) A new episode of BSDTalk (http://www.bsdnow.tv/episodes/2014_03_05-bsd_now_vs_bsdtalk) is out, this time with Bob Beck He talks about the OpenBSD foundation's recent activities, his own work in the project, some stories about the hardware in Theo's basement and a lot more The interview itself isn't about LibreSSL at all, but they do touch on it a bit too Really interesting stuff, covers a lot of different topics in a short amount of time *** Feedback/Questions We got a number of replies about last week's VPN question, so thanks to everyone who sent in an email about it - the vpnc (https://www.freshports.org/security/vpnc/) package seems to be what we were looking for Tim writes in (http://slexy.org/view/s20MK7bTyc) AJ writes in (http://slexy.org/view/s2OWREQdUA) Peter writes in (http://slexy.org/view/s202obAqbT) Thomas writes in (http://slexy.org/view/s21Kye2jAc) Martin writes in (http://slexy.org/view/s2zqFVqwxN) ***

We have a packed show for you this week! We'll sit down for an interview with Chris Buechler, from the pfSense project, to learn just how easy it can be to deploy a BSD firewall. We'll also be showing you a walkthrough of the pfSense interface so you can get an idea of just how convenient and powerful it is. Answers to your questions and the latest headlines, here on BSD Now - the place to B.. SD. This episode was brought to you by Headlines EuroBSDCon and AsiaBSDCon (http://2014.eurobsdcon.org/calendar/call-for-papers/) This year, EuroBSDCon will be in September in Sofia, Bulgaria They've got a call for papers up now, so everyone can submit the talks they want to present There will also be a tutorial section of the conference AsiaBSDCon (http://2014.asiabsdcon.org/timetable.html.en) will be next month, in March! All the info about the registration, tutorials, hotels, timetable and location have been posted Check the link for all the details on the talks - if you plan on going to Tokyo next month, hang out with Allan and Kris and lots of BSD developers! *** FreeBSD 10 on Ubiquiti EdgeRouter Lite (http://rtfm.net/FreeBSD/ERL/) The Ubiquiti EdgeRouter Lite is a router that costs less than $100 and has a MIPS CPU This article goes through the process of installing and configuring FreeBSD on it to use as a home router Lots of good pictures of the hardware and specific details needed to get you set up It also includes the scripts to create your own images if you don't want to use the ones rolled by someone else For such a cheap price, might be a really fun weekend project to replace your shitty consumer router Of course if you're more of an OpenBSD guy, you can always see our tutorial (http://www.bsdnow.tv/tutorials/openbsd-router) for that too *** Signed pkgsrc package guide (http://blog.saveosx.org/signed-packages/) We got a request on IRC for more pkgsrc stuff on the show, and a listener provided a nice write-up It shows you how to set up signed packages with pkgsrc, which works on quite a few OSes (not just NetBSD) He goes through the process of signing packages with a public key and how to verify the packages when you install them The author also happens to be an EdgeBSD developer *** Big batch of OpenBSD hackathon reports (http://undeadly.org/cgi?action=article&sid=20140212083627) Five trip reports from the OpenBSD hackathon in New Zealand! In the first one, jmatthew details his work on fiber channel controller drivers, some octeon USB work and ARM fixes for AHCI In the second (http://undeadly.org/cgi?action=article&sid=20140213065843), ketennis gets into his work with running interrupt handlers without holding the kernel lock, some SPARC64 improvements and a few other things In the third (http://undeadly.org/cgi?action=article&sid=20140213173808), jsg updated libdrm and mesa and did various work on xenocara In the fourth (http://undeadly.org/cgi?action=article&sid=20140214070023), dlg came with the intention to improve SMP support, but got distracted and did SCSI stuff instead - but he talks a little bit about the struggle OpenBSD has with SMP and some of the work he's done In the fifth (http://undeadly.org/cgi?action=article&sid=20140214130039), claudio talks about some stuff he did for routing tables and misc. other things *** Interview - Chris Buechler - cmb@pfsense.com (mailto:cmb@pfsense.com) / @cbuechler (https://twitter.com/cbuechler) pfSense Tutorial pfSense walkthrough News Roundup FreeBSD challenge continues (http://www.thelinuxcauldron.com/2014/02/13/freebsd-challenge-day-13-30/) Our buddy from the Linux foundation continues his switching to BSD journey In day 13, he covers some tips for new users, mentions trying things out in a VM first In day 14 (http://www.thelinuxcauldron.com/2014/02/14/freebsd-challenge-day-14-30/), he starts setting up XFCE and X11, feels like he's starting over as a new Linux user learning the ropes again - concludes that ports are the way to go In day 15 (http://www.thelinuxcauldron.com/2014/02/14/freebsd-challenge-day-15-30/), he finishes up his XFCE configuration and details different versions of ports with different names, as well as learns how to apply his first patch In day 16 (http://www.thelinuxcauldron.com/2014/02/17/freebsd-challenge-day-16-30/), he dives into the world of FreeBSD jails (http://www.bsdnow.tv/tutorials/jails)! *** BSD books in 2014 (http://blather.michaelwlucas.com/archives/1962) BSD books are some of the highest quality technical writings available, and MWL has written a good number of them In this post, he details some of his plans for 2014 In includes at least one OpenBSD book, at least one FreeBSD book and... Very strong possibility of Absolute FreeBSD 3rd edition (watch our interview with him (http://www.bsdnow.tv/episodes/2013_11_06-year_of_the_bsd_desktop)) Check the link for all the details *** How to build FreeBSD/EC2 images (http://www.daemonology.net/blog/2014-02-16-FreeBSD-EC2-build.html) Our friend Colin Percival (http://www.bsdnow.tv/episodes/2014_01_22-tendresse_for_ten) details how to build EC2 images in a new blog post Most people just use the images he makes on their instances, but some people will want to make their own from scratch (https://svnweb.freebsd.org/base/user/cperciva/EC2-build/) You build a regular disk image and then turn it into an AMI It requires a couple ports be installed on your system, but the whole process is pretty straightforward *** PCBSD weekly digest (http://blog.pcbsd.org/2014/02/pc-bsd-weekly-feature-digest-17/) This time around we discuss how you can become a developer Kris also details the length of supported releases Expect lots of new features in 10.1 *** Feedback/Questions Sean writes in (http://slexy.org/view/s216xJoCVG) Jake writes in (http://slexy.org/view/s2gLrR3VVf) Niclas writes in (http://slexy.org/view/s21gfG3Iho) Steffan writes in (http://slexy.org/view/s2JNyw5BCn) Antonio writes in (http://slexy.org/view/s2kg3zoRfm) Chris writes in (http://slexy.org/view/s2ZwSIfRjm) ***

This time on the show, we'll be talking with George Neville-Neil about the brand new FreeBSD Journal and what it's all about. After that, we've got a tutorial on how to track the -stable and -current branches of OpenBSD. Answers to all your BSD questions and the latest headlines, only on BSD Now - the place to B.. SD. This episode was brought to you by Headlines FreeBSD quarterly status report (https://lists.freebsd.org/pipermail/freebsd-stable/2014-January/077085.html) Gabor Pali sent out the October-December 2013 status report to get everyone up to date on what's going on The report contains 37 entries and is very very long... various reports from all the different teams under the FreeBSD umbrella, probably too many to even list in the show notes Lots of work going on in the ARM world, EC2/Xen and Google Compute Engine are also improving Secure boot support hopefully coming by mid-year (www.itwire.com/business-it-news/open-source/62855-freebsd-to-support-secure-boot-by-mid-year) There's quite a bit going on in the FreeBSD world, many projects happening at the same time *** n2k14 OpenBSD Hackathon Report (http://undeadly.org/cgi?action=article&sid=20140124142027) Recently, OpenBSD held one of their hackathons (http://www.openbsd.org/hackathons.html) in New Zealand 15 developers gathered there to sit in a room and write code for a few days Philip Guenther brings back a nice report of the event If you've been watching the -current CVS logs, you've seen the flood of commits just from this event alone Fixes with threading, Linux compat, ACPI, and various other things - some will make it into 5.5 and others need more testing Another report from Theo (http://undeadly.org/cgi?action=article&sid=20140127083112) details his work Updates to the random subsystem, some work-in-progress pf fixes, suspend/resume fixes and more signing stuff *** Four new NetBSD releases (https://blog.netbsd.org/tnf/entry/netbsd_6_1_3_netbsd) NetBSD released versions 6.1.3, 6.0.4, 5.2.2 and 5.1.4 These updates include lots of bug fixes and some security updates, not focused on new features You can upgrade depending on what branch you're currently on Confused about the different branches? See this graph. (https://www.netbsd.org/releases/release-map.html#graph1) *** The future of open source ZFS development (http://sites.ieee.org/scv-cs/archives/openzfs-future-open-source-zfs-development) On February 11, 2014, Matt Ahrens will be giving a presentation about ZFS The talk will be about the future of ZFS and the open source development since Oracle closed the code It's in San Jose, California - go if you can! *** Interview - George Neville-Neil - gnn@freebsd.org (mailto:gnn@freebsd.org) / @gvnn3 (https://twitter.com/gvnn3) The FreeBSD Journal (http://freebsdjournal.com/) Tutorial Tracking -STABLE and -CURRENT (OpenBSD) (http://www.bsdnow.tv/tutorials/stable-current-obsd) News Roundup pfSense news and 2.1.1 snapshots (https://doc.pfsense.org/index.php/2.1.1_New_Features_and_Changes) pfSense has some snapshots available for the upcoming 2.1.1 release They include FreeBSD security fixes as well as some other updates There are recordings posted (https://blog.pfsense.org/?p=1198) of some of the previous hangouts Unfortunately they're only for subscribers, so you'll have to wait until next month when we have Chris on the show to talk about pfSense! *** FreeBSD on Google Compute Engine (https://groups.google.com/forum/#!msg/gce-discussion/YWoa3Aa_49U/FYAg9oiRlLUJ) Recently we mentioned some posts about getting OpenBSD to run on GCE, here's the FreeBSD version Nice big fat warning: "The team has put together a best-effort posting that will get most, if not all, of you up and running. That being said, we need to remind you that FreeBSD is being supported on Google Compute Engine by the community. The instructions are being provided as-is and without warranty." Their instructions are a little too Linuxy (assuming wget, etc.) for our taste, someone should probably get it updated! Other than that it's a pretty good set of instructions on how to get up and running *** Dragonfly ACPI update (http://www.shiningsilence.com/dbsdlog/2014/01/22/13225.html) Sascha Wildner committed some new ACPI code (http://lists.dragonflybsd.org/pipermail/commits/2014-January/199071.html) There's also a "heads up" to update your BIOS (http://lists.dragonflybsd.org/pipermail/users/2014-January/090504.html) if you experience problems Check the mailing list post for all the details *** PCBSD weekly digest (http://blog.pcbsd.org/2014/01/pc-bsd-weekly-feature-digest-6/) 10.0-RC4 users need to upgrade all their packages for 10.0-RC5 PBIs needed to be rebuilt.. actually everything did Help test GNOME 3 so we can get it in the official ports tree By the way, I think Kris has an announcement - PCBSD 10.0 is out! *** Feedback/Questions Tony writes in (http://slexy.org/view/s21ZlfOdTt) Jeff writes in (http://slexy.org/view/s2BFZ68Na5) Remy writes in (http://slexy.org/view/s20epArsQI) Nils writes in (http://slexy.org/view/s213CoNvLt) Solomon writes in (http://slexy.org/view/s21XWnThNS) ***

This time on the show, we'll be showing you how to do a fully-encrypted installation of FreeBSD and OpenBSD. We also have an interview with Damien Miller - one of the lead developers of OpenSSH - about some recent crypto changes in the project. If you're into data security, today's the show for you. The latest news and all your burning questions answered, right here on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Secure communications with OpenBSD and OpenVPN (http://johnchapin.boostrot.net/blog/2013/12/07/secure-comms-with-openbsd-and-openvpn-part-1/) Starting off today's theme of encryption... A new blog series about combining OpenBSD and OpenVPN to secure your internet traffic Part 1 covers installing OpenBSD with full disk encryption (which we'll be doing later on in the show) Part 2 covers the initial setup of OpenVPN certificates and keys Parts 3 and 4 are the OpenVPN server and client configuration Part 5 is some updates and closing remarks *** FreeBSD Foundation Newsletter (https://www.freebsdfoundation.org/press/2013Dec-newsletter) The December 2013 semi-annual newsletter was sent out from the foundation In the newsletter you will find the president's letter, articles on the current development projects they sponsor and reports from all the conferences and summits they sponsored The president's letter alone is worth the read, really amazing Really long, with lots of details and stories from the conferences and projects *** Use of NetBSD with Marvell Kirkwood Processors (http://evertiq.com/design/33394) Article that gives a brief history of NetBSD and how to use it on an IP-Plug computer The IP-Plug is a "multi-functional mini-server was developed by Promwad engineers by the order of AK-Systems. It is designed for solving a wide range of tasks in IP networks and can perform the functions of a computer or a server. The IP-Plug is powered from a 220V network and has low power consumption, as well as a small size (which can be compared to the size of a mobile phone charger)." Really cool little NetBSD ARM project with lots of graphs, pictures and details *** Experimenting with zero-copy network IO (http://adrianchadd.blogspot.com/2013/12/experimenting-with-zero-copy-network-io.html) Long blog post from Adrian Chadd about zero-copy network IO on FreeBSD Discusses the different OS' implementations and options He's able to get 35 gbit/sec out of 70,000 active TCP sockets, but isn't stopping there Tons of details, check the full post *** Interview - Damien Miller - djm@openbsd.org (mailto:djm@openbsd.org) / @damienmiller (https://twitter.com/damienmiller) Cryptography in OpenBSD and OpenSSH Tutorial Full disk encryption in FreeBSD & OpenBSD (http://www.bsdnow.tv/tutorials/fde) News Roundup OpenZFS office hours (https://www.youtube.com/watch?v=wWmVW2R_uz8) Our buddy George Wilson (http://www.bsdnow.tv/episodes/2013_12_04-zettabytes_for_days) sat down to take some ZFS questions from the community You can see more info about it here (http://open-zfs.org/wiki/OpenZFS_Office_Hours) *** License summaries in pkgng (http://www.shiningsilence.com/dbsdlog/2013/12/09/12934.html) A discussion between Justin Sherill (http://www.bsdnow.tv/episodes/2013_11_13-the_gateway_drug) and some NYCBUG guys about license frameworks in pkgng Similar to pkgsrc's "ACCEPTABLE_LICENSES" setting, pkgng could let the user decide which software licenses he wants to allow Maybe we could get a "pkg licenses" command to display the license of all installed packages Ok bapt, do it *** The FreeBSD challenge continues (http://thelinuxcauldron.com/2013/12/08/freebsd-challenge/) Checking in with our buddy from the Linux foundation... The switching from Linux to FreeBSD blog series continues for his month-long trial Follow up from last week: "As a matter of fact, I did check out PC-BSD, and wanted the challenge. Call me addicted to pain and suffering, but the pride and accomplishment you feel from diving into FreeBSD is quite rewarding." Since we last mentioned it, he's decided to go from a VM to real hardware, got all of his common software installed, experimented with the Linux emulation, set up virtualbox, learned about slices/partitions/disk management, found BSD alternatives to his regularly-used commands and lots more *** Ports gets a stable branch (https://svnweb.freebsd.org/ports?view=revision&revision=336615) For the first time ever, FreeBSD's ports tree will have a maintained "stable" branch This is similar to how pkgsrc does things, with a rolling release for updated software and stable branch for only security and big fixes All commits to this branch require approval of portmgr, looks like it'll start in 2014Q1 *** Feedback/Questions John writes in (http://slexy.org/view/s2iRV1tOzB) Spencer writes in (http://slexy.org/view/s21gAR5lgf) Campbell writes in (http://slexy.org/view/s203iOnFh1) Sha'ul writes in (http://slexy.org/view/s2yUqj3vKW) Clint writes in (http://slexy.org/view/s2egcTPBXH) ***