This week on BSDNow, Allan and I are back from AsiaBSDCon and we have an interview with Brad Davis about the new “Packaging Base” call-for-testing. We’ll be sharing our thoughts and stories on how the week

This episode was brought to you by

Headlines

AsiaBSDCon 2016 - Wrap-up

FreeBSD gets Haswell graphics support in time for 11.0-RELEASE

• The moment that many have been waiting for has finally arrived, support for Haswell graphics has been committed to FreeBSD -CURRENT
• The brings the DRM/i915 code up to date with Linux kernel 3.8.13
• Work has already started on updating to Linux kernel 3.9
• It is hoped that subsequent updates will be much easier, and much faster
• It does not appear to require setting the i915.preliminary_hw_support loader tunable ***

OpenBSD vmm/vmd Update

• For the third year running, bhyvecon was held last week, during the lead up to AsiaBSDCon
• Bhyvecon has expanded, and now covers all virtualization on BSDs
• There were presentations on bhyve, Xen Dom0 on FreeBSD, Xen DomU for OpenBSD, and OpenBSD’s vmm
• OpenBSD vmm started at the Brisbane 2015 hackathon in Australia
• Work continued through the summer and fall thanks to funding by the OpenBSD Foundation
• The presentation answered some outstanding questions, such as, why not just port bhyve?
• Initial focus is OpenBSD on OpenBSD
• Loader currently supports FreeBSD and NetBSD as well
• After the initial commits, other developers joined in to help with the work
• Reyk reworked the vmd and vmctl commands, to provide a better user interface
• Future plans:
  • Nested VMX
  • i386 support
  • AMD SVM support
  • Filesystem passthru
  • Live migration (with ZFS like command syntax)
• Other developers are working on related projects:
  • qemu interface: Allow qemu to be accelerated by the vmm backend, while providing emulated hardware, for legacy systems
  • KVM interface: Make vmm look like KVM, so existing tools like openstack “just work” ***

Interview - Brad Davis - brd@freebsd.org / @so14k

• Packaging Base

News Roundup

Packaging the base system with pkg(8)

• The official call for testing for FreeBSD’s pkg(8)’d base is out
• Users are requested to checkout the release-pkg branch, and build it as normal (buildworld, buildkernel)
• Instead of installworld, run: make packages
• This will produce a pkg repo in the /usr/obj directory
• The post to the mailing list includes an example pkg repo config file to point to those packages
• Run: pkg update -r FreeBSD-base
• This will read the metadata from the new repository
• Then run: pkg install -g 'FreeBSD-*'
• This will find all packages that start with ‘FreeBSD-’ and install them
• In the future, there will be meta packages, so you can just install FreeBSD-base and it will pull in other packages are dependencies
• Currently, there are a large number of packages (over 700), because each shared library is packaged separately, and almost all optional features are in a separate package
• The number of packages is also increased because there are separate -debug, -profiling, etc versions of each package
• New features are being added to pkg(8) to mark important system components, like libc, as ‘vital’, so they cannot be deleted accidently
• However, in the case of using pkg(8)’d base to create a jail, the administrator should be able to delete the entire base system
• Classic conundrum: “UNIX does not stop you doing something stupid, as that would also stop you doing something clever”
• Work is still ongoing
• At AsiaBSDCon, after the interview was recorded, bapt@ and brd@ had a whiteboarding session and have come up with how they expect to handle the kernel package, to ensure there is a /boot/kernel.old for you to fall back to incase the newly installer kernel does not work correctly. ***

FreeBSD 10.3-RC2 Now Available

• The second release candidate for FreeBSD 10.3 is now available for testing
• Notable changes include:
  • Import an upstream fix for ‘zfs send -i’ to avoid data corruption in specific instances
  • Boot loaders and kernel have been taught to handle ELF sections of type SHT_AMD64_UNWIND. This does not really apply to FreeBSD 10.3, but is required for 11.0, so will make upgrades easier
  • Various mkdb commands (/etc/services, /etc/login.conf, etc) commands now use fsync() instead of opening the files as O_SYNC, greatly increasing the speed of the database generation
• From the earlier BETA3, the VFS improvements that were causing ZFS hangs, and the new ‘tryforward’ routing code, have been reverted
• Work is ongoing to fix these issues for FreeBSD 11.0
• There are two open issues:
  • A fix for OpenSSH CVE-2016-3115 has not be included yet
  • the re-addition of AES-CBC ciphers to the default server proposal list. AES-CBC was removed as part of the update to OpenSSH version 7.1p2, but the plan is to re-add it, specifically for lightweight clients who rely on hardware crypto offload to have acceptable SSH performance
• Please go out and test ***

OPNsense 16.1.6 released

• A new point-release of OPNsense has dropped, and apart from the usual security updates, some new features have been included

• firmware: bootstrap utility can now directly install e.g. the development version
• dhcp: all GUI pages have been reworked for a polished look and feel
• proxy: added category-based remote file support if compressed file contains multiple files
• proxy: added ICAP support (contributed by Fabian Franz)
• proxy: hook up the transparent FTP proxy
• proxy: add intercept on IPv6 for FTP and HTTP proxy options
• logging: syslog facilities, like services, are now fully pluggable
• vpn: stripped an invalid PPTP server configuration from the standard configuration
• vpn: converted to pluggable syslog, menu and ACL
• dyndns: all GUI pages have been reworked for a polished look and feel
• dyndns: widget now shows IPv6 entries too
• dns forwarder: all GUI pages have been reworked for a polished look and feel
• dns resolver: all GUI pages have been reworked for a polished look and feel
• dns resolver: rewrote the dhcp lease registration hooks
• dns resolver: allow parallel operation on non-standard port when dns forwarder is running as well
• firewall: hide outbound nat rule input for "interface address" option and toggle bitmask correctly
• interfaces: fix problem when VLAN tags weren't generated properly
• interfaces: improve interface capability reconfigure
• ipsec: fix service restart behaviour from GUI
• captive portal: add missing chain in certificate generation
• configd: improve recovery and reload behaviour
• load balancer: reordered menu entries for clarity
• ntp: reordered menu entries for clarity
• traffic shaper: fix mismatch for direction + dual interfaces setup
• languages: updated German and French

Call for testing - ASLR patch

• A patch that provides a first pass implementation of basic ASLR (Address Space Layout Randomization) for FreeBSD has been posted to the mailing list
• “Stack gap, WX, shared page randomization, KASLR and other techniques are explicitly out of scope of this work.”
• “ASLR is enabled on per-ABI basis, and currently it is only enabled on native i386 and amd64 (including compat 32bit) ABIs. I expect to test and enable ASLR for armv6 and arm64 as well, later”
• “Thanks to Oliver Pinter and Shawn Webb of the HardenedBSD project for pursuing ASLR for FreeBSD. Although this work is not based on theirs, it was inspired by their efforts.” ***

Feedback/Questions

• Daniel - OpenZFS
• Florian - JBODS
• Hunter - SSL on DO
• Ben - Backups
• Damian - Bug’in Me! ***