
Created by three guys who love BSD, we cover the latest news and have an extensive series of tutorials, as well as interviews with various people from all areas of the BSD community. It also serves as a platform for support and questions. We love and advocate FreeBSD, OpenBSD, NetBSD, DragonFlyBSD and TrueOS. Our show aims to be helpful and informative for new users that want to learn about them, but still be entertaining for the people who are already pros. The show airs on Wednesdays at 2:00PM (US Eastern time) and the edited version is usually up the following day.
112: Tracing the source
This week Allan is away at a ZFS conference, so it seems

This episode was brought to you by

Headlines

pfSense 2.3 alpha snapshots available (https://blog.pfsense.org/?p=1854)
pfSense 2.3 Features and Changes (https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes)
The entire front end has been re-written
Upgrade of base OS to FreeBSD 10-STABLE
The PPTP server component has been removed
PBIs have been replaced with pkg
PHP upgraded to 5.6
The web interface has been converted to Bootstrap
***
BSDMag October 2015 out (http://bsdmag.org/download/bsd-09-2015/)
A Look at the New PC-BSD 10.2 - Kris Moore
Basis Of The Lumina Desktop Environment 18 - Ken Moore
A Secure Webserver on FreeBSD with Hiawatha - David Carlier
Defeating CryptoLocker Attacks with ZFS - Michael Dexter
Emerging Technology Has Increasingly Been a Force for Both Good and Evil - Rob Somerville
Interviews with: Dru Lavigne, Luca Ferrari, Oleksandr Rybalko
***
OPNsense 15.7.14 Released (https://opnsense.org/opnsense-15-7-14-released/)
Another update to OPNsense has landed! One of the notable takeaways this time is that it isn't a security update
Major rework of the firewall rules sections, including the rules, schedules, virtual IP, NAT and aliases pages
Latest BIND and Squid packages
Improved configuration management, including fixes to importing an old config file
New location for configuration history / backups
***
OpenBSD in Toyota Highlander (http://marc.info/?l=openbsd-misc&m=144327954931983&w=2)
Images (http://imgur.com/a/SMVdp)
While looking through the 'Software Information' screen of a Toyota Highlander, Chad Dougherty of the ACM found a bunch of OpenBSD copyright notices
At least one of which I recognize as OpenCrypto, because of the comment about "transforms"
It is likely that the vehicle is running QNX, which contains various bits of BSD
QNX: Third Party License Terms List version 2.17 (http://support7.qnx.com/download/download/25111/TPLTL.v2.17.Jul23-13.pdf)
Some highlights: Robert N. M. Watson (FreeBSD), TrustedBSD Project (FreeBSD), NetBSD Foundation, NASA Ames Research Center (NetBSD), Damien Miller (OpenBSD), Theo de Raadt (OpenBSD), Sony Computer Science Laboratories Inc., Bob Beck (OpenBSD), Christos Zoulas (NetBSD), Markus Friedl (OpenBSD), Henning Brauer (OpenBSD), Network Associates Technology, Inc. (FreeBSD), and 100s of others
OpenSSH seems to be included
It also seems to contain tcpdump for some reason

Interview - Adam Leventhal - adam.leventhal@delphix.com (mailto:adam.leventhal@delphix.com) / @ahl (https://twitter.com/ahl)
ZFS and DTrace

Beastie-Bits

isboot, an iSCSI boot driver for FreeBSD 9 and 10 (https://lists.freebsd.org/pipermail/freebsd-current/2015-September/057572.html)
tame() is now called pledge() (http://marc.info/?l=openbsd-tech&m=144469071208559&w=2)
Interview with NetBSD developer Leonardo Taccari (http://beastie.pl/deweloperzy-netbsd-7-0-leonardo-taccari/)
FuguIta releases LiveCD based on OpenBSD 5.8 (http://fuguita.org/index.php?FuguIta)
DTrace toolkit gets an update and is imported into NetBSD (http://mail-index.netbsd.org/source-changes/2015/09/30/msg069173.html)
An older article about how to do failover / load-balancing in pfSense (http://www.tecmint.com/how-to-setup-failover-and-load-balancing-in-pfsense/)

Feedback/Questions

Michael writes in (http://slexy.org/view/s217HyOZ9U)
Possniffer writes in (http://slexy.org/view/s2YODjppwX)
Erno writes in (http://slexy.org/view/s21xltQ6jd)
***
111: Xenocratic Oath
Coming up on this week's episode, we have BSD news, tidbits and articles out the wazoo to share. Also, be sure to stick around for our interview with Brandon Mercer as he tells us about OpenBSD being used in the healthcare industry.

This episode was brought to you by

Headlines

NetBSD 7.0 Release Announcement (http://www.netbsd.org/releases/formal-7/NetBSD-7.0.html)
DRM/KMS support brings accelerated graphics to x86 systems using modern Intel and Radeon devices (Linux 3.15)
Multiprocessor ARM support. Support for many new ARM boards, including the Raspberry Pi 2 and BeagleBone Black
Major NPF improvements: BPF with just-in-time (JIT) compilation by default; support for dynamic rules; support for static (stateless) NAT; support for IPv6-to-IPv6 Network Prefix Translation (NPTv6) as per RFC 6296; support for CDB based tables (uses perfect hashing and guarantees lock-free O(1) lookups)
Multiprocessor support in the USB subsystem
GPT support in sysinst via the extended partitioning menu
Lua kernel scripting
GCC 4.8.4, which brings support for C++11
Experimental support for SSD TRIM in wd(4) and FFS
tetris(6): Add colours and a 'down' key, defaulting to 'n'. It moves the block down a line, if it fits.
***
CloudFlare develops interesting new netmap feature (https://blog.cloudflare.com/single-rx-queue-kernel-bypass-with-netmap/)
Normally, when Netmap is enabled on an interface, the kernel is bypassed and all of the packets go to the Netmap consumers
CloudFlare has developed a feature that allows all but one of the RX queues to remain connected to the kernel, with only a single queue passed to Netmap
The change is a simple modification to the nm_open API, allowing the application to open only a specific queue of the NIC, rather than the entire thing
The RSS or other hashing must be modified to not direct traffic to this queue
Then specific flows are directed to the netmap application for matching traffic
For example, under Linux:
ethtool -X eth3 weight 1 1 1 1 0 1 1 1 1 1
ethtool -K eth3 lro off gro off
ethtool -N eth3 flow-type udp4 dst-port 53 action 4
This directs all name server traffic to NIC queue number 4
Currently there is no tool like ethtool to accomplish the same thing under FreeBSD
I wonder if the flows could be identified more specifically using something like ipfw-netmap
***
Building your own OpenBSD based mail server! (http://www.theregister.co.uk/2015/09/12/feature_last_post_build_mail_server/?mt=1442858572214)
part 2 (http://www.theregister.co.uk/2015/09/19/feature_last_post_build_mailserver_part_2/)
part 3 (http://www.theregister.co.uk/2015/09/26/feature_last_post_build_mailserver_part_3/)
The UK Register gives us a great writeup on getting your own mail server set up, specifically on OpenBSD 5.7
In this article they used a mini PC, the Acer Revo One RL85, which is a decently priced little box for a mail server (http://www.theregister.co.uk/2015/07/24/review_acer_revo_one_rl85_/)
While a bit lengthy in 3 parts, it does provide a good walkthrough of getting OpenBSD set up, and Postfix and Dovecot configured and working. In the final installment it also provides details on spam filtering and antivirus scanning.

Getting started with the UEFI bootloader on OpenBSD (http://blog.jasper.la/openbsd-uefi-bootloader-howto/)
If you've been listening over the past few weeks, you've heard about OpenBSD's new UEFI boot-loader. We now have a blog post with detailed instructions on how to get set up with this on your own system.
The initial setup is pretty straightforward, and should only take a few minutes at most. It involves the usual fdisk commands to create a FAT EFI partition, and placing the bootx64.efi file in the correct location.
As a bonus, we even get instructions on how to enable the frame-buffer driver on systems without native Intel video support (ThinkPad X250 in this example)
***
Recipe for building a 10Mpps FreeBSD based router (http://blog.cochard.me/2015/09/receipt-for-building-10mpps-freebsd.html)
Olivier (of FreeNAS and BSD Router Project fame) treats us this week to a neat blog post about building your own high-performance 10Mpps FreeBSD router
As he first mentions, the hardware required will need to be beefy; no $200 mini PC here. In his setup he uses an 8 core Intel Xeon E5-2650, along with a quad port 10 Gigabit Chelsio T540-CR.
He mentions that this doesn't quite work on stock FreeBSD yet; you will need to pull in code from projects/routing (https://svnweb.freebsd.org/base/projects/routing/), which fixes an issue with scaling on cores. In this case he is shrinking the NIC queues down to 4 from 8.
If you don't feel like doing the compiles yourself, he also includes links to experimental BSD Router Project images which he used to do the benchmarks
Bonus! Nice graphic of the benchmarks from enabling IPFW or PF and what that does to the performance.
***
Interview - Brandon Mercer - bmercer@openbsd.org (mailto:bmercer@openbsd.org) / @knowmercymod (https://twitter.com/knowmercymod)
OpenBSD in Healthcare
Sorry about the audio quality degradation. The last 7 or 8 minutes of the interview had to be cut, due to a problem with the software that captures the audio from Skype and adds it to our compositor. My local monitor is analogue and did not experience the issue, so I was unaware of the issue during the recording
***
News Roundup

Nvidia releases new beta FreeBSD driver along with new kernel module (https://devtalk.nvidia.com/default/topic/884727/unix-graphics-announcements-and-news/linux-solaris-and-freebsd-driver-358-09-beta-/)
Includes a new kernel module, nvidia-modeset.ko
While this module does NOT have any user-settable features, it works with the existing nvidia.ko to provide kernel mode setting (KMS), used by the integrated DRM within the kernel.
The beta adds support for 805A and 960A Nvidia cards
Also fixes a memory leak and some regressions
***
MidnightBSD 0.7-RELEASE (http://www.midnightbsd.org/pipermail/midnightbsd-users/Week-of-Mon-20150914/003462.html)
We missed this while away at Euro and elsewhere, but MidnightBSD (a desktop-focused FreeBSD 6.1 fork) has come out with a new 0.7 release
This release primarily focuses on stability, but also includes important security fixes as well. It cherry-picks a variety of FreeBSD base-system updates, and some important ZFS features, such as TRIM and LZ4 compression
Their custom "mports" system has also gotten a slew of updates, with almost 2000 packages now available, including a WiP of Gnome 3. It also brings support for starting / stopping services automatically at pkg install or removal.
They note that this will most likely be the last i386 release, joining the club of other projects that are going 64bit only.
***
"Open Source as a Career Path" (http://media.medfarm.uu.se/play/video/5400)
The FreeBSD Project held a panel discussion (http://www.cb.uu.se/~kristina/WomENcourage/2014/2015-09-25_Friday/2015-09-25%20113238.JPG) on why Open Source makes a good career path at the ACM's womENcourage conference in Uppsala, Sweden, the weekend before EuroBSDCon
The panel was led by Dru Lavigne, and consisted of Deb Goodkin, Benedict Reuschling, Dan Langille, and myself
We attempted to provide a cross section of experiences, including women in the field, the academic side, the community side, and the business side
During the question period, Dan gave a great answer (https://gist.github.com/dlangille/e262bccdea08b89b5360) to the question of "Why do open source projects still use old technologies like mailing lists and IRC?"
The day before, the FreeBSD Foundation also had a booth at the career fair. We were the only open source project that attended. Other exhibitors included: Cisco, Facebook, Intel, Google, and Oracle.
The following day, Dan also gave a workshop (http://www.cb.uu.se/~kristina/WomENcourage/2014/2015-09-25_Friday/2015-09-25%20113238.JPG) on how to contribute to an open source project
***
Beastie-Bits

NetBSD 2015 pkgsrc Freeze (http://mail-index.netbsd.org/pkgsrc-users/2015/09/12/msg022186.html)
Support for 802.11n for Realtek USB in FreeBSD (https://github.com/freebsd/freebsd/commits/master/sys/dev/usb/wlan/if_rsu.c)
Wayland ported to DragonFlyBSD (https://github.com/DragonFlyBSD/DeltaPorts/pull/123)
OpenSMTPD developer debriefs on audit report (http://undeadly.org/cgi?action=article&sid=20151013161745)
FreeBSD fixes issue with pf under Xen with TSO. Errata coming soon (https://svnweb.freebsd.org/base?view=revision&revision=289316)
Xinuos funds the HardenedBSD project (http://slexy.org/view/s2EBjrxQ9M)

Feedback/Questions

Evan (http://slexy.org/view/s21PMmNFIs)
Darin writes in (http://slexy.org/view/s20qH07ox0)
Jochen writes in (http://slexy.org/view/s2d0SFmRlD)
***
110: Firmware Fights
This week on BSD Now, we get to hear all of Allan's post-EuroBSDCon wrap-up and a great interview with Benno Rice from Isilon. We got to discuss some of the pain of doing major forklift upgrades, and why your business should track -CURRENT.

This episode was brought to you by

Headlines

EuroBSDCon Videos
EuroBSDCon has started posting videos of the talks online already.
The videos posted online are archives of the live stream, so some of the videos contain multiple talks
Due to a technical complication, some videos only have 1 channel of audio
EuroBSDCon Talk Schedule (https://2015.eurobsdcon.org/talks-and-schedule/talk-schedule/)
Red Room Videos (https://www.youtube.com/channel/UCBPvcqZrNuKZuP1LQhlCp-A)
Yellow Room Videos (https://www.youtube.com/channel/UCJk8Kls9LT-Txu-Jhv7csfw)
Blue Room Videos (https://www.youtube.com/channel/UC-3DOxIOI5oHXE1H57g3FzQ)
Photos of the conference courtesy of Ollivier Robert (https://assets.keltia.net/photos/EuroBSDCon-2015/)
***
A series of OpenSMTPD patches fix multiple vulnerabilities (http://undeadly.org/cgi?action=article&sid=20151005200020)
Qualys recently published an audit of the OpenSMTPD source code (https://www.qualys.com/2015/10/02/opensmtpd-audit-report.txt)
The fixes for these vulnerabilities were released as 5.7.2
After its release, two additional vulnerabilities (http://www.openwall.com/lists/oss-security/2015/10/04/2) were found. One was in the portable version, in newer code that was added after the audit started
All users are strongly encouraged to upgrade to 5.7.3
OpenBSD users should apply the latest errata or upgrade to the newest snapshot
***
FreeBSD updates in -CURRENT (https://svnweb.freebsd.org/base?view=revision&revision=288917)
Looks like Xen header support has been bumped in FreeBSD from 4.2 -> 4.6. It also enables support for ARM
Update to Clang / LLVM 3.7.0 (https://lists.freebsd.org/pipermail/freebsd-current/2015-October/057691.html) http://llvm.org/releases/3.7.0/docs/ReleaseNotes.html
ZFS gets FRU (field replaceable unit) tracking (https://svnweb.freebsd.org/base?view=revision&revision=287745)
OpenCL makes its way into the ports tree (https://svnweb.freebsd.org/ports?view=revision&revision=397198)
bhyve has grown UEFI support, plus a CSM module
bhyve can now boot Windows (https://lists.freebsd.org/pipermail/freebsd-virtualization/2015-October/003832.html)
Currently there is still only a serial console, so the post includes an unattended install .xml file and instructions on how to repack the ISO. Once Windows is installed, you can RDP into the machine
bhyve can also now run IllumOS (https://lists.freebsd.org/pipermail/freebsd-virtualization/2015-October/003833.html)
***
OpenBSD Initial Support for Broadwell Graphics (http://marc.info/?l=openbsd-cvs&m=144304997800589&w=2)
OpenBSD joins DragonFly now with initial support for Broadwell GPUs landing in their development branch
This brings OpenBSD up to Linux 3.14.52 DRM, and Mark Kettenis mentions that it isn't perfect yet, and may cause some issues with older hardware, although no major regressions yet
***
OpenBSD Slides for TAME (http://www.openbsd.org/papers/tame-fsec2015/) and libTLS APIs (http://www.openbsd.org/papers/libtls-fsec-2015/)
The first set of slides are from a talk Theo de Raadt gave in Croatia; they describe the history and impetus for tame
Theo specifically avoids comparisons to other sandboxing techniques like Capsicum and seccomp, because he is not impartial
tame() itself is only about 1200 lines of code
Sandboxing the file(1) command with systrace: 300 lines of code; with tame: 4 lines
Theo makes the point that "optional security" is irrelevant. If a mitigation feature has a knob to turn it off, some program will break and advise users to turn the feature off. Eventually, no one uses the feature, and it dies
This has led to OpenBSD's policy: "Once working, these features cannot be disabled. Application bugs must be fixed."
The second talk is by Bob Beck, about LibreSSL
When LibreSSL was forked from OpenSSL 1.0.1g, it contained 388,000 lines of C code
30 days in, LibreSSL had deleted 90,000 lines of C
OpenSSL 1.0.2d has 432,000 lines of C (728k total), and OpenSSL Current has 411,000 lines of C (over 1 million total)
LibreSSL today contains 297,000 lines of C (511k total)
None of the high risk CVEs against OpenSSL (there have been 5) have affected LibreSSL. It turns out removing old code and unneeded features is good for security.
The talk focuses on libtls, an alternative to the OpenSSL API, designed to be easier to use and less error prone
In the libtls API, if -1 is returned, it is always an error. In OpenSSL, it might not be an error, and additional code is needed to check errno
In OpenBSD: ftp, nc, ntpd, httpd, spamd, and syslog have been converted to the new API
The OpenBSD Foundation is looking for donations in order to sponsor 2-3 developers to spend 6 months dedicated to LibreSSL
***
Interview - Benno Rice - benno@FreeBSD.org (mailto:benno@FreeBSD.org) / @jeamland (https://twitter.com/jeamland)
Isilon and building products on top of FreeBSD

News Roundup

ReLaunchd (https://github.com/mheily/relaunchd/blob/master/doc/rationale.txt)
This past week we got a heads up about another init/launchd replacement, this time "Relaunchd"
The goals of this project appear to be keeping launchd functionality, while being portable enough to run on FreeBSD / Linux, etc.
It also has aspirations of being "container-aware", with support for jailed services, a la Docker, as well as cluster awareness.
Written in Ruby :(, it also maintains that it wishes to NOT take over PID 1 or replace the initial system boot scripts, but extend / leverage them in new ways.
***
Static Intrusion Detection in NetBSD (https://mail-index.netbsd.org/source-changes/2015/09/24/msg069028.html)
Alistair Crooks has committed a new "sid" utility to NetBSD, which allows intrusion detection by comparing the file-system contents to a database of known good values
The utility can compare the entire root file system of a modest NetBSD machine in about 15 seconds
The following parameters of each file can be checked: atime, block count, ctime, file type, flags, group, inode, link target, mtime, number of links, permissions, size, user, crc32c checksum, sha256 checksum, sha512 checksum
A JSON report is issued at the end, for any detected variances
***
LibreSSL 2.3.0 in PC-BSD
If you're running PC-BSD 10.2-EDGE or October's -CURRENT image, LibreSSL 2.3.0 is now a thing
Thanks to the hard work of Bernard Spil and others, we have merged in the latest LibreSSL, which actually removes SSL support in favor of TLS
Quite a number of bugs have been fixed, as well as patches brought over from OpenBSD to fix numerous ports.
Allan has started a patchset that sets the OpenSSL in base to "private" (http://allanjude.com/bsd/privatessl_2015-10-07.patch)
This hides the library so that applications and ports cannot find it, so only tools in the base system, like fetch, will be able to use it.
This makes OpenSSL no longer part of the base system ABI, meaning the version can be upgraded without breaking the stable ABI promise.
This feature may be important in the future, as OpenSSL versions now have EoL dates that may be sooner than the EoL of the FreeBSD stable branches.
***
PC-BSD and boot-environments without GRUB (http://lists.pcbsd.org/pipermail/testing/2015-October/010173.html)
In this month's -CURRENT image of PC-BSD, we began the process of moving back from the GRUB boot-loader, in favor of FreeBSD's
A couple of patches have been included, which enable boot-environment support via the 4th menus (Thanks Allan) and support for booting ZFS on root via UEFI
"beadm" has also been updated to seamlessly support both boot-loaders
No full-disk encryption support yet (hopefully soon), but GRUB is still available in the installer for those who need it
***
Import of IWM wireless to DragonFly (http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/24a8d46a22f9106b0c1466c41ba73460d7d22262)
Matthew Dillon has recently imported the newer if_iwm driver from FreeBSD -> DragonFly
Across the internet, users with newer Intel chipsets rejoiced!
Coupled with the latest Broadwell DRM improvements, DragonFly sounds very ready for the latest laptop chipsets
Also, looks like progress is being made on i386 removal (http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/cf37dc2040cea9f384bd7d3dcaf24014f441b8a6)
***
Feedback/Questions

Dan writes in about PC-BSD (http://slexy.org/view/s27ZeOiM4t)
Matt writes in about ZFS (http://slexy.org/view/s219J3ebx5)
Anonymous writes in about problems booting (http://slexy.org/view/s21uuMAmZb)
***
109: Impish BSD
This week, we have a great interview with Warner Losh of the FreeBSD project! We will be discussing everything from automatic kernel module loading, IO scheduling and of course NanoBSD.

This episode was brought to you by

Interview - Warner Losh - imp@bsdimp.com (imp@bsdimp.com) / @bsdimp (https://twitter.com/bsdimp)
SSD performance and driver auto-loader
108: ServeUp BSD
This week on the show, Allan is heading to Sweden, but we have a great interview with Andrew Pantyukhin to bring you. We will be discussing everything from contributions to FreeBSD, which technologies worked best in the datacenter, config management and more.

This episode was brought to you by

Headlines

Allan is away this week, traveling to Sweden for the ACM womENcourage conference followed by EuroBSDCon, but we have an excellent interview for you, so sit back and enjoy the show. Allan will be back on October 5th, so we look forward to bringing you a live show, with all the details about EuroBSD and more!

Interview - Andrew Pantyukhin - infofarmer@gmail.com (mailto:infofarmer@gmail.com) / @infofarmer (https://twitter.com/infofarmer)
Building products with FreeBSD
107: In their midst
This week, we are going to be talking with Aaron Poffenberger, who has much to share about his first-hand experience in infiltrating Linux conferences with BSD goodness.

This episode was brought to you by

Headlines

Alexander Motin implements CTL High Availability (https://svnweb.freebsd.org/changeset/base/r287621)
CTL HA allows two "head" nodes to be connected to the same set of disks, safely
An HA storage appliance usually consists of 2 totally separate servers, connected to a shared set of disks in separate JBOD sleds
The problem with this setup is that if both machines try to use the disks at the same time, bad things will happen
With CTL HA, the two nodes can communicate, in this case over a special TCP protocol, to coordinate and make sure they do not step on each other's toes, allowing safe operation
The CTL HA implementation in FreeBSD can operate in the following four modes:
Active/Unavailable -- without interlink between nodes
Active/Standby -- with the second node handling only basic LUN discovery and reservation, synchronizing with the first node through the interlink
Active/Active -- with both nodes processing commands and accessing the backing storage, synchronizing with the first node through the interlink
Active/Proxy -- with the second node working as a proxy, transferring all commands to the first node for execution through the interlink
The custom TCP protocol has no authentication, so it should never be enabled on public interfaces
Doc Update (https://svnweb.freebsd.org/base?view=revision&revision=287707)
***
Panel Self-Refresh support lands in DragonFlyBSD (http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/d13e957b0d66a395b3736c43f18972c282bbd58a)
In what seems like almost weekly improvements being made to the Xorg stack for DragonFly, we now have Panel Self-Refresh landing, thanks to Imre Vadász
Understanding Panel Self-Refresh (http://www.anandtech.com/show/7208/understanding-panel-self-refresh) and More about Panel Self-Refresh (http://www.hardwaresecrets.com/introducing-the-panel-self-refresh-technology/)
In a nutshell, the above articles talk about how, in the case of static images on the screen, power savings can be obtained by refreshing static images from display memory (frame-buffer), disabling the video processing of the CPU/GPU and associated pipeline during the process.
And just for good measure, Imre also committed some further Intel driver cleanup, reducing the diff with Linux 3.17 (http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/6b231eab9db5ef4d4dc3816487d8e3d48941e0e2)
***
Introducing Sluice, a new ZFS snapshot management tool (https://bitbucket.org/stevedrake/sluice)
A new ZFS snapshot management tool written in Python and modeled after Apple's Time Machine
Simple command line interface
No configuration files; settings are stored as ZFS user properties
Includes simple remote replication support
Can operate on remote systems with the zfs://user@host/path@snapname URL schema
Future feature list includes an "import" command to move files from non-ZFS storage to ZFS and create a snapshot, and "export" to do the inverse
Thanks to Dan for tipping us about this new project
***
Why WhatsApp only needs 50 engineers for 900 million users (http://www.wired.com/2015/09/whatsapp-serves-900-million-users-50-engineers/)
Wired has a good write-up on the behind-the-scenes work taking place at WhatsApp
While the article mentions FreeBSD, it spends the bulk of its discussion on Erlang and using its scalable concurrency and deployment of new code to running processes.
FB Messenger uses Haskell to accomplish much the same thing, while Google and Mozilla are currently trying to bring the same level of flexibility to Go and Rust respectively.
video (https://www.youtube.com/watch?v=57Ch2j8U0lk)
Thanks to Ed for submitting this news item
***
Interview - Aaron Poffenberger - email@email (mailto:akp@hypernote.com) / @akpoff (https://twitter.com/akpoff)
BSD in a strange place
+ KM: Go ahead and tell us about yourself and how did you first get involved with BSD?
+ AJ: You've presented recently at Texas Linux Fest, both on FreeBSD and FreeNAS. What specifically prompted you to do that?
+ KM: What would you say are the main selling points when presenting BSD to Linux users and admins?
+ AJ: On the flip side of this topic, in what areas do you think we could improve BSD to present better to Linux users?
+ KM: What would you specifically recommend to other BSD users or fans who may also want to help present or teach about BSD? Any things specifically to avoid?
+ AJ: What is the typical depth of knowledge you encounter when presenting BSD to a mostly Linux crowd? Any surprises when doing so?
+ KM: Since you have done this before, are you mainly writing your own material or borrowing from other talks that have been done on BSD? Do you think there's a place for some collaboration, maybe having a repository of materials that can be used for other BSD presenters at their local Linux conference / LUG?
+ AJ: Since you are primarily an OpenBSD user, have you thought about doing any talks related to it? Is OpenBSD something on the radar of the typical Linux conference-goer?
+ KM: Is there anything else you would like to mention before we wrap up?

News Roundup

GhostBSD 10.1 released (http://ghostbsd.org/10.1_release_eve)
GhostBSD has given us a new release; this time it also includes XFCE as an alternative to the MATE desktop
The installer has been updated to allow using GRUB, BSD loader, or none at all
It also includes the new OctoPKG manager, which provides a Qt driven front-end to pkgng
Thanks to Shawn for submitting this
***
Moving to FreeBSD (https://www.textplain.net/blog/2015/moving-to-freebsd/)
In this blog post, Randy Westlund takes us through his journey of moving from Gentoo over to FreeBSD
Inspired in part by systemd, he first spent some time on Wikipedia reading about BSD before taking the plunge to grab FreeBSD and give it a whirl in a VM.
"My first impression was that installation was super easy. Installing Gentoo is done manually and can be a "fun" weekend adventure if you're not sure what you're doing. I can spin up a new FreeBSD VM in five minutes."
"There's a man page for everything! And they're well-written! Gentoo has the best documentation of any Linux distro I've used, but FreeBSD is on another level. With a copy of the FreeBSD Handbook and the system man pages, I can actually get things done without tabbing over to Google every five minutes."
He goes on to mention everything from the init system, jails, security, community and license; a well-rounded article. Also gives a nice shout-out to PC-BSD as an even easier way to get started on a FreeBSD journey, thanks!
Shout out to Matt for tipping us to this blog post
***
OpenBSD enables GPT by default (https://marc.info/?l=openbsd-cvs&m=144190275908215&w=2)
Looks like OpenBSD has taken the plunge and enabled GPT by default now
Ken Westerback does us the honors, by removing the kernel option for GPT
Users on -CURRENT should give this a whirl, and of course report issues back upstream
Credit to Jona for writing in about this one
***
DISCUSSION: Are reproducible builds worthwhile? (http://www.tedunangst.com/flak/post/reproducible-builds-are-a-waste-of-time)
In this week's article / rant, Ted takes on the notion of reproducible builds being the end-all be-all for security.
What about compiler backdoors?
This does not prevent Shellshock, or other bugs in the code itself
Personally, I'm all in favor; another "trust but verify" mechanism for the distributed binaries, plus it makes it handy to do source builds and not end up with various checksum changes where no code actually changed.
***
Feedback/Questions

David writes in (http://slexy.org/view/s20Q7XjxNH)
Possnfiffer writes in (http://slexy.org/view/s2QtE6XzJK)
Daniel writes in (http://slexy.org/view/s20uloOljw)
***
106: Multipath TCP
This week, we have Nigel Williams here to bring us all sorts of info about Multipath TCP, what it is, how it works and the ongoing effort to bring it into FreeBSD. All that and of course the latest BSD news coming your way, right now!
This episode was brought to you by

Headlines

Backing out changes doesn't always pinpoint the problem (https://blog.crashed.org/dont-backout/)
- Peter Wemm brings us a fascinating look at debugging an issue which occurred on the FreeBSD build cluster recently.
- Bottom line? Backing out something isn't necessarily the fix; rather, it should be a part of the diagnostic process
- In this particular case, a change to some mmap() functionality ended up exposing a bug in the kernel's page fault handler which had existed since (wait for it...) 1997!
- As Peter mentions at the bottom of the article, this bug had been showing up for years, but was sporadic and often written off as a networking hiccup.
***
BSD Router Project benchmarks new routing changes to FreeBSD (https://github.com/ocochard/netbenchs/blob/master/Xeon_E5-2650-8Cores-Chelsio_T540-CR/nXxq10g/results/fbsd11-melifaro.r287531/README.md)
- A project branch of FreeBSD -CURRENT has been created with a number of optimizations to the routing code
- Alexander V. Chernikov (melifaro@)'s routing branch (https://svnweb.freebsd.org/base/projects/routing/?view=log)
- The net result is an almost doubling of peak performance in packets per second
- Performance scales well with the number of NIC queues (2 queues is 88% faster than 1 queue, 3 is 270% faster).
- Unlike the previous code, when the number of queues hits 4, performance is down by only 10%, instead of being cut nearly in half
- Other benchmark results, and the tools to do your own tests (https://github.com/ocochard/netbenchs)
***
When is SSL not SSL? (http://www.tedunangst.com/flak/post/the-peculiar-libretunnel-situation)
- Our buddy Ted has a good write-up on a weird situation related to licensing of stunnel and LibreSSL
- The problem exists due to stunnel being released with a different license that is technically incompatible with the GPL, as well as linking against non-OpenSSL versions.
- The author has also decided to create specific named exceptions when the *SSL lib is part of the base operating system, but does not personally consider LibreSSL as a valid linking target on its own
- Ted points out that the LibreSSL team considers LibreSSL == OpenSSL, so this may be a moot concern
***
Update on systembsd (http://darknedgy.net/files/systembsd.pdf)
- We've mentioned the GSoC project to create a systemd shim in OpenBSD before. Now we have the slides from Ian Sutton talking about this project.
- As a refresher, this project is to take DBUS and create daemons emulating various systemd components, such as hostnamed, localed, timedated, and friends.
- Written from scratch in C, it was mainly created in the hopes of becoming a port, allowing Gnome and related tools to function on OpenBSD.
- This is a good read, especially for current or aspiring porters who want to bring over newer versions of applications which now depend upon systemd.
***
Interview - Nigel Williams - njwilliams@swin.edu.au (njwilliams@swin.edu.au)
Multipath TCP

News Roundup

OpenBSD UEFI boot loader (http://marc.info/?l=openbsd-cvs&m=144115942223734&w=2)
- We've mentioned the ongoing work to bring UEFI booting to OpenBSD, and it looks like this has now landed in the tree
- The "fdisk" utility has also been updated with a new -b flag, which when used with "-i" will create the special EFI system partition on amd64/i386 (http://marc.info/?l=openbsd-cvs&m=144139348416071&w=2)
- Some Twitter benchmarks (https://twitter.com/mherrb/status/641004331035193344)
***
FreeBSD Journal, July/August issue (https://www.freebsdfoundation.org/journal/vol2_no4/)
- The latest issue of the FreeBSD Journal has arrived
- As always, the Journal opens with a letter from the FreeBSD Foundation
- Feature Articles:
  - Groupon's Deal on FreeBSD -- How to drive adoption of FreeBSD at your organization, and lessons learned in retraining Linux sysadmins
  - FreeBSD: The Isilon Experience -- Mistakes not to make when basing a product on FreeBSD. TL;DR: track head
  - Reflections on FreeBSD.org: Packages -- A status update on where we are with binary packages, what issues have been overcome, and which still remain
  - Inside the Foundation -- An overview of some of the things you might not be aware that the FreeBSD Foundation is doing to support the project and attract the next generation of committers
- Includes a book review of "The Practice of System and Network Administration"
- As usual, various other reports are included: The Ports Report, SVN Update, a conference report, a report from the Essen hackathon, and the Event Calendar
***
Building ARMv6 packages on FreeBSD, the easy way (http://blogs.freebsdish.org/brd/2015/08/25/building-arm-packages-with-poudriere-the-simple-way/)
- Previously we have discussed how to build ARMv6 packages on FreeBSD
- We also interviewed Sean Bruno about his work in this area
- Thankfully, over time this process has been simplified, and no longer requires a lot of manual configuration, or fussing with the "image activator"
- Now you can build packages for your Raspberry Pi or similar device just as simply as you would build for x86; it just takes longer to build.
***
New PC-BSD Release Schedule (http://blog.pcbsd.org/2015/09/new-release-schedule-for-pc-bsd/)
- The PC-BSD Team has announced an updated release schedule for beyond 10.2
- This schedule follows the FreeBSD schedules more closely, with major releases only occurring when FreeBSD does the next point update, or major version bump.
- PC-BSD's source tree has been split into master (current) and stable as well
- PRODUCTION / EDGE packages will be built from stable, with PRODUCTION updated monthly now.
- The -CURRENT monthly images will contain the master source builds.
***
Feedback/Questions
- Joris writes in (http://slexy.org/view/s21cguSv7E)
- Anonymous (http://slexy.org/view/s217A5NNGg)
- Darin (http://slexy.org/view/s20HyiqJV0)
***
105: Virginia BSD Assembly
It's already our two-year anniversary! This time on the show, we'll be chatting with Scott Courtney, vice president of infrastructure engineering at Verisign, about this year's vBSDCon. What's it have to offer in an already-crowded BSD conference space? We'll find out.
This episode was brought to you by

Headlines

OpenBSD hypervisor coming soon (https://www.marc.info/?l=openbsd-tech&m=144104398132541&w=2)
- Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output (http://pastebin.com/raw.php?i=F2Qbgdde) on Twitter recently
- From what little he revealed at the time (https://twitter.com/mlarkin2012/status/638265767864070144), it appeared to be a new hypervisor (https://en.wikipedia.org/wiki/Hypervisor) (that is, X86 hardware virtualization) running on OpenBSD -current, tentatively titled "vmm"
- Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is
- Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD Foundation
- One thing to note: this isn't just a port of something like Xen or bhyve; it's all-new code, and Mike explains why he chose to go that route
- He also answered some basic questions about the requirements, when it'll be available, what OSes it can run, what's left to do, how to get involved and so on
***
Why FreeBSD should not adopt launchd (http://blog.darknedgy.net/technology/2015/08/26/0/)
- Last week (http://www.bsdnow.tv/episodes/2015_08_26-beverly_hills_25519) we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD
- One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we've learned)
- In this article, the author talks about why he thinks this is a bad idea
- He doesn't oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself - this is also explained in more detail
- The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities
- Reddit had quite a bit (https://www.reddit.com/r/BSD/comments/3ilhpk) to say (https://www.reddit.com/r/freebsd/comments/3ilj4i) about this one, some in agreement and some not
***
DragonFly graphics improvements (http://lists.dragonflybsd.org/pipermail/commits/2015-August/458108.html)
- The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack
- This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs
- You should also see some power management improvements, longer battery life and various other bug fixes
- If you're running DragonFly, especially on a laptop, you'll want to get this stuff on your machine quick - big improvements all around
***
OpenBSD tames the userland (https://www.marc.info/?l=openbsd-tech&m=144070638327053&w=2)
- Last week we mentioned OpenBSD's tame framework getting support for file whitelists, and said that the userland integration was next - well, now here we are
- Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools
- It's still a work-in-progress version; there's still more to be added (including the file path whitelist stuff)
- Some classic utilities are even being reworked to make taming them easier - the "w" command (https://www.marc.info/?l=openbsd-cvs&m=144103945031253&w=2), for example
- The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse)
- More discussion can be found on HN (https://news.ycombinator.com/item?id=10135901), as one might expect
- If you're a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release
***
Interview - Scott Courtney - vbsdcon@verisign.com (mailto:vbsdcon@verisign.com) / @verisign (https://twitter.com/verisign)
vBSDCon (http://vbsdcon.com/) 2015

News Roundup

OPNsense, beyond the fork (https://opnsense.org/opnsense-beyond-the-fork)
- We first heard about (http://www.bsdnow.tv/episodes/2015_01_14-common_sense_approach) OPNsense back in January, and they've since released nearly 40 versions, spanning over 5,000 commits
- This is their first big status update, covering some of the things that've happened since the project was born
- There's been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more - the report touches on a little of everything
***
LibreSSL nukes SSLv3 (http://undeadly.org/cgi?action=article&sid=20150827112006)
- With their latest release, LibreSSL began to turn off SSLv3 (http://disablessl3.com) support, starting with the "openssl" command
- At the time, SSLv3 wasn't disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example)
- They've now flipped the switch, and the process of complete removal has started
- From the Undeadly summary, "This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!"
- With this change and a few more to follow shortly, LibreSSL won't actually support SSL anymore - time to rename it "LibreTLS"
***
FreeBSD MPTCP updated (http://caia.swin.edu.au/urp/newtcp/mptcp/tools/v05/mptcp-readme-v0.5.txt)
- For anyone unaware, Multipath TCP (https://en.wikipedia.org/wiki/Multipath_TCP) is "an ongoing effort of the Internet Engineering Task Force's (IETF) Multipath TCP working group, that aims at allowing a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy."
- There's been work out of an Australian university to add support for it to the FreeBSD kernel, and the patchset was recently updated
- Included in this latest version is an overview of the protocol, how to get it compiled in, current features and limitations and some info about the routing requirements
- Some big performance gains can be had with MPTCP, but only if both the client and server systems support it - getting it into the FreeBSD kernel would be a good start
***
UEFI and GPT in OpenBSD (https://www.marc.info/?l=openbsd-cvs&m=144092912907778&w=2)
- There hasn't been much fanfare about it yet, but some initial UEFI and GPT-related commits have been creeping into OpenBSD recently
- Some support (https://github.com/yasuoka/openbsd-uefi) for UEFI booting has landed in the kernel, and more bits are being slowly enabled after review
- This comes along with a number (https://www.marc.info/?l=openbsd-cvs&m=143732984925140&w=2) of (https://www.marc.info/?l=openbsd-cvs&m=144088136200753&w=2) other (https://www.marc.info/?l=openbsd-cvs&m=144046793225230&w=2) commits (https://www.marc.info/?l=openbsd-cvs&m=144045760723039&w=2) related to GPT, much of which is being refactored and slowly reintroduced
- Currently, you have to do some disklabel wizardry to bypass the MBR limit and access more than 2TB of space on a single drive, but it should "just work" with GPT (once everything's in)
- The UEFI bootloader support has been committed (https://www.marc.info/?l=openbsd-cvs&m=144115942223734&w=2), so stay tuned for more updates (http://undeadly.org/cgi?action=article&sid=20150902074526&mode=flat) as further (https://twitter.com/kotatsu_mi/status/638909417761562624) progress (https://twitter.com/yojiro/status/638189353601097728) is made
***
Feedback/Questions
- John writes in (http://slexy.org/view/s2sIWfb3Qh)
- Mason writes in (http://slexy.org/view/s2Ybrx00KI)
- Earl writes in (http://slexy.org/view/s20FpmR7ZW)
***
104: Beverly Hills 25519
Coming up this week on the show, we'll be talking with Damien Miller of the OpenSSH team. Their 7.0 release has some major changes, including phasing out older crypto and changing one of the defaults that might surprise you.
This episode was brought to you by

Headlines

EdgeRouter Lite, meet OpenBSD (http://www.tedunangst.com/flak/post/OpenBSD-on-ERL)
- The ERL, much like the Raspberry Pi and a bunch of other cheap boards, is getting more and more popular as more things get ported to run on it
- We've covered installing NetBSD and FreeBSD on them before, but OpenBSD has gotten a lot better support for them as well now (including the onboard storage in 5.8)
- Ted Unangst got a hold of one recently and kindly wrote up some notes about installing and using OpenBSD on it
- He covers doing a network install, getting the (slightly strange) bootloader working with u-boot and some final notes about the hardware
- More discussion can be found on Hacker News (https://news.ycombinator.com/item?id=10079210) and various (https://www.reddit.com/r/openbsd/comments/3hgf2c) other (https://www.marc.info/?t=143974140500001&r=1&w=2) places (https://lobste.rs/s/acz9bu/openbsd_on_edgerouter_lite)
- One thing to note (https://www.marc.info/?l=openbsd-misc&m=143991822827285&w=2) about these devices: because of their MIPS64 processor, they'll have weaker ASLR than X86 CPUs (and no W^X at all)
***
Design and Implementation of the FreeBSD Operating System interview (http://www.infoq.com/articles/freebsd-design-implementation-review)
- For those who don't know, the "Design and Implementation of the FreeBSD Operating System" is a semi-recently-revived technical reference book for FreeBSD development
- InfoQ has a review of the book up for anyone who might be interested, but they also have an interview with the authors
- "The book takes an approach to FreeBSD from inside out, starting with kernel services, then moving to process and memory management, I/O and devices, filesystems, IPC and network protocols, and finally system startup and shutdown. The book provides dense, technical information in a clear way, with lots of pseudo-code, diagrams, and tables to illustrate the main points."
- Aside from detailing a few of the chapters, the interview covers who the book's target audience is, some history of the project, long-term support, some of the newer features and some general OS development topics
***
Path list parameter in OpenBSD tame (https://www.marc.info/?l=openbsd-cvs&m=144027474117290&w=2)
- We've mentioned OpenBSD's relatively new "tame (https://marc.info/?l=openbsd-tech&m=143725996614627&w=2)" subsystem a couple of times before: it's an easy-to-implement "self-containment" framework, allowing programs to have a reduced feature set mode with even fewer privileges
- One of the early concerns from users of other process containment tools was that tame was too broad in the way it separated disk access - you could either read/write files or not, nothing in between
- Now there's the option to create a whitelist of specific files and directories that your binary is allowed to access, giving a much finer-grained set of controls to developers
- The next step is to add tame restraints to the OpenBSD userland utilities, which should probably be done by 5.9
- More discussion can be found on Reddit (https://www.reddit.com/r/openbsd/comments/3i2lk7) and Hacker News (https://news.ycombinator.com/item?id=10104886)
***
FreeBSD & PC-BSD 10.2-RELEASE (https://www.freebsd.org/releases/10.2R/announce.html)
- The FreeBSD team has released the second minor version bump to the 10.x branch, including all the fixes from 10-STABLE since 10.1 came out
- The Linux compatibility layer has been updated to support CentOS 6, rather than the much older Fedora Core base used previously, and the DRM graphics code has been updated to match Linux 3.8.13
- New installations (and newly-upgraded systems) will use the quarterly binary package set, rather than the rolling release model that most people are used to
- A VXLAN driver was added, allowing you to create virtual LANs by encapsulating the ethernet frame in a UDP packet
- The bhyve codebase is much newer, enabling support for AMD CPUs with SVM and AMD-V extensions
- ARM and ARM64 code saw some fixes and improvements, including SMP support on a few specific boards and support for a few new boards
- The bootloader now supports entering your GELI passphrase before loading the kernel in full disk encryption setups
- In addition to assorted userland fixes and driver improvements, various third party tools in the base system were updated: resolvconf, ISC NTPd, netcat, file, unbound, OpenSSL, sendmail
- Check the full release notes (https://www.freebsd.org/releases/10.2R/relnotes.html) for the rest of the details and changes
- PC-BSD also followed with their 10.2-RELEASE (http://blog.pcbsd.org/2015/08/pc-bsd-10-2-release-now-available), sporting a few more additional features
***
Interview - Damien Miller - djm@openbsd.org (mailto:djm@openbsd.org) / @damienmiller (https://twitter.com/damienmiller)
OpenSSH: phasing out broken crypto, default cipher changes

News Roundup

NetBSD at Open Source Conference Shimane (https://mail-index.netbsd.org/netbsd-advocacy/2015/08/22/msg000692.html)
- We weren't the only ones away at conferences last week - the Japanese NetBSD guys are always raiding one event or another
- This time they had NetBSD running on some Sony NWS devices (MIPS-based)
- JavaStations (https://en.wikipedia.org/wiki/JavaStation) were also on display - something we haven't ever seen before (made between 1996-2000)
***
BAFUG videos (https://www.youtube.com/watch?v=-XF20nitI90)
- The Bay Area FreeBSD users group has been uploading some videos of their recent meetings
- Devin Teske hosts the first one, discussing adding GELI support to the bootloader, including some video demonstrations of how it works
- Shortly after beginning, Adrian Chadd takes over the conversation and they discuss various problems (and solutions) related to the bootloader - for example, how can we type encryption passwords with non-US keyboard layouts
- In a second video (https://www.youtube.com/watch?v=49sPYHh473U), Jordan Hubbard and Kip Macy introduce "NeXTBSD aka FreeBSD X"
- In it, they discuss their ideas of merging more Mac OS X features into FreeBSD (launchd to replace the init system, some APIs, etc)
- People should record presentations at their BSD users groups and send them to us
***
L2TP over IPSEC on OpenBSD (http://frankgroeneveld.nl/2015/08/16/configuring-l2tp-over-ipsec-on-openbsd-for-mac-os-x-clients)
- If you've got an OpenBSD box and some Mac OS X clients that need secure communications, surprise: they can work together pretty well
- Using only the base tools in both operating systems, you can build a nice IPSEC setup for tunneling all your traffic
- This guide specifically covers L2TP, using npppd and pre-shared keys
- Server setup, client setup, firewall configuration and routing-related settings are all covered in detail
***
Reliable bare metal with TrueOS (http://www.tubsta.com/2015/08/reliable-bare-metal-server-using-trueosfreebsd)
- Imagine a server version of PC-BSD with some useful utilities preinstalled - that's basically TrueOS
- This article walks you through setting up a FreeBSD -CURRENT server (using TrueOS) to create a pretty solid backup solution
- Most importantly, he also covers how to keep everything redundant and deal with hard drives failing
- The author chose to go with the -CURRENT branch because of the delay between regular releases, and newer features not making their way to users as fast as he'd like
- Another factor is that there are no binary snapshots of FreeBSD -CURRENT that can be easily used for in-place upgrades, but with TrueOS (and some other BSDs) there are
***
Kernel W^X on i386 (https://www.marc.info/?l=openbsd-cvs&m=144047868127049&w=2)
- We mentioned some big W^X kernel changes in OpenBSD a while back (https://www.marc.info/?l=openbsd-tech&m=142120787308107&w=2), but the work was mainly for the x86_64 CPU architecture (which makes sense; that's what most people run now)
- Mike Larkin is back again, and isn't leaving the people with older hardware out, committing similar kernel work into the i386 platform now as well
- Check out our interview with Mike (http://www.bsdnow.tv/episodes/2015_05_13-exclusive_disjunction) for some more background info on memory protections like W^X
***
Feedback/Questions
- Markus writes in (http://slexy.org/view/s2iGoeYMyb)
- Sean writes in (http://slexy.org/view/s21bIFfmUS)
- Theo writes in (http://slexy.org/view/s21Hjm8Tsa)
***
103: Ubuntu Slaughters Kittens
Allan's away at BSDCam this week, but we've still got an exciting episode for you. We sat down with Bryan Cantrill, CTO of Joyent, to talk about a wide variety of topics: dtrace, ZFS, pkgsrc, containers and much more. This is easily our longest interview to date!
This episode was brought to you by

Interview - Bryan Cantrill - bryan@joyent.com (mailto:bryan@joyent.com) / @bcantrill (https://twitter.com/bcantrill)
BSD and Solaris history, illumos, dtrace, Joyent, pkgsrc, various topics (and rants)

Feedback/Questions
- Randy writes in (http://slexy.org/view/s2b6dA7fAr)
- Jared writes in (http://slexy.org/view/s2vABMHiok)
- Steve writes in (http://slexy.org/view/s2194ADVUL)
***
102: May Contain ZFS
This week on the show, we'll be talking with Peter Toth. He's got a jail management system called "iocage" that's been getting pretty popular recently. Have we finally found a replacement for ezjail? We'll see how it stacks up.
This episode was brought to you by

Headlines

FreeBSD on Olimex RT5350F-OLinuXino (https://www.bidouilliste.com/blog/2015/07/22/FreeBSD-on-Olimex-RT5350F-OLinuXino)
- If you haven't heard of the RT5350F-OLinuXino-EVB, you're not alone (actually, we probably couldn't even remember the name if we did know about it)
- It's a small board with a MIPS CPU, two ethernet ports, wireless support and... 32MB of RAM
- This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
- In part two of the series (https://www.bidouilliste.com/blog/2015/07/24/FreeBSD-on-Olimex-RT5350F-OLinuXino-Part-2), he talks about the GPIO and how you can configure it
- Part three is still in the works, so check the site later on for further progress and info
***
The modern OpenBSD home router (https://www.azabani.com/2015/08/06/modern-openbsd-home-router.html)
- In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway (http://www.bsdnow.tv/tutorials/openbsd-router) for his home network
- "It's no secret that most consumer routers ship with software that's flaky at best, and prohibitively insecure at worst"
- Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
- This guide also covers PPP and IPv6, in case you have those requirements
- In a similar but unrelated series (http://jaytongarnett.blogspot.com/2015/07/openbsd-router-bt-home-hub-5-replacement.html), another user does a similar thing - his post also includes details on reusing your consumer router as a wireless bridge
- He also has a separate post (http://jaytongarnett.blogspot.com/2015/08/openbsd-l2tpipsec-vpn-works-with.html) for setting up an IPSEC VPN on the router
***
NetBSD at Open Source Conference 2015 Kansai (https://mail-index.netbsd.org/netbsd-advocacy/2015/08/10/msg000691.html)
- The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
- They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
- Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
- They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
- And what conference would be complete without an LED-powered towel
***
OpenSSH 7.0 released (https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-August/034289.html)
- The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
- SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
- The syntax for permitting root logins has been changed, and is now called "prohibit-password" instead of "without-password" (this makes it so root can log in, but only with keys) - all interactive authentication methods for root are also disabled by default now
- If you're using an older configuration file, the "without-password" option still works, so no change is required
- You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
- Various bug fixes and documentation improvements are also included
- Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
- In the next release, even more deprecation is planned: RSA keys will be refused if they're under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled
***
Interview - Peter Toth - peter.toth198@gmail.com (mailto:peter.toth198@gmail.com) / @pannonp (https://twitter.com/pannonp)
Containment with iocage (https://github.com/iocage/iocage)

News Roundup

More c2k15 reports (http://undeadly.org/cgi?action=article&sid=20150809105132)
- A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
- Alexander Bluhm's up first, and he continued improving OpenBSD's regression test suite (this ensures that no changes accidentally break existing things)
- He also worked on syslogd, completing the TCP input code - the syslogd in 5.8 will have TLS support for secure remote logging
- Renato Westphal sent in a report (http://undeadly.org/cgi?action=article&sid=20150811171006) of his very first hackathon
- He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) - the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
- Philip Guenther also wrote in (http://undeadly.org/cgi?action=article&sid=20150809165912), getting some very technical and low-level stuff done at the hackathon
- His report opens with "First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking." - not exactly beginner stuff
- There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well
***
FreeBSD jails, the hard way (https://clinta.github.io/freebsd-jails-the-hard-way)
- As you learned from our interview this week, there's quite a selection of tools available to manage your jails
- This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
- Unlike with iocage, ZFS isn't actually a requirement for this method
- If you are using it, though, you can make use of snapshots for making template jails
***
OpenSSH hardware tokens (http://www.tancsa.com/mdtblog/?p=73)
- We've talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
- This blog post will show you how to use a hardware token as a second authentication factor, for the "something you know, something you have" security model
- It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
- Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too
***
LibreSSL 2.2.2 released (http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.2-relnotes.txt)
- The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
- At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don't want in a crypto tool...) and much more
- SSLv3 support was removed from the "openssl" command, and only a few other SSLv3 bits remain - once workarounds are found for ports that specifically depend on it, it'll be removed completely
- Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
- It'll be in 5.8 (due out earlier than usual) and it's in the FreeBSD ports tree as well
***
Feedback/Questions
- James writes in (http://slexy.org/view/s216lrsVVd)
- Stuart writes in (http://slexy.org/view/s20uGUHWLr)
***
101: I'll Fix Everything
Coming up this week, we'll be talking with Adrian Chadd about an infamous reddit thread he made. With a title like "what would you like to see in FreeBSD?" and hundreds of responses, well, we've got a lot to cover...
This episode was brought to you by

Headlines

OpenBSD, from distribution to project (http://www.tedunangst.com/flak/post/from-distribution-to-project)
- Ted Unangst has yet another interesting blog post up, this time covering a bit of BSD history and some different phases OpenBSD has been through
- It's the third part of his ongoing (http://www.openbsd.org/papers/pruning.html) series (http://www.tedunangst.com/flak/post/out-with-the-old-in-with-the-less) of posts about OpenBSD removing large bits of code in favor of smaller replacements
- In the earliest days, OpenBSD collected and maintained code from lots of other projects (Apache, lynx, perl..)
- After importing new updates every release cycle, they eventually hit a transitional phase - things were updated, but nothing new was imported
- When the need arose, instead of importing a known tool to do the job, homemade replacements (OpenNTPD, OpenBGPD, etc) were slowly developed
- In more recent times, a lot of the imported code has been completely removed in favor of the homegrown daemons
- More discussion on HN (https://news.ycombinator.com/item?id=9980373) and reddit (https://www.reddit.com/r/openbsd/comments/3f9o19/from_distribution_to_project/)
***
Remote ZFS mirrors, the hard way (https://github.com/hughobrien/zfs-remote-mirror)
- Backups to "the cloud" have become a hot topic in recent years, but most of them require trade-offs between convenience and security
- You have to trust (some of) the providers not to snoop on your data, but even the ones who allow you to locally encrypt files aren't without some compromise
- As the author puts it: "We don't need live synchronisation, cloud scaling, SLAs, NSAs, terms of service, lock-ins, buy-outs, up-sells, shut-downs, DoSs, fail whales, pay-us-or-we'll-deletes, or any of the noise that comes with using someone else's infrastructure."
- This guide walks you through setting up a FreeBSD server with ZFS to do secure offsite backups yourself
- The end result is an automatic system for incremental backups that's backed (pun intended) by ZFS
- If you're serious about keeping your important data safe and sound, you'll want to give this one a read - lots of detailed instructions
***
Various DragonFlyBSD updates (http://lists.dragonflybsd.org/pipermail/commits/2015-July/419064.html)
- The DragonFly guys have been quite busy this week, making an assortment of improvements throughout the tree
- Intel ValleyView graphics support was finally committed to the main repository
- While on the topic of graphics, they've also issued a call for testing (http://lists.dragonflybsd.org/pipermail/users/2015-July/207923.html) for a DRM update (matching Linux 3.16's and including some more Broadwell fixes)
- Their base GCC compiler is also now upgraded to version 5.2 (http://lists.dragonflybsd.org/pipermail/commits/2015-July/419045.html)
- If your hardware supports it, DragonFly will now use an accelerated console by default (http://lists.dragonflybsd.org/pipermail/commits/2015-July/419070.html)
***
QuakeCon runs on OpenBSD (https://youtu.be/mOv62lBdlXU?t=292)
- QuakeCon (https://en.wikipedia.org/wiki/QuakeCon), everyone's favorite event full of rocket launchers, recently gave a mini-tour of their network setup
- For such a crazy network, unsurprisingly, they seem to be big fans of OpenBSD and PF
- In this video interview, one of the sysadmins discusses why he chose OpenBSD, what he likes about it, different packet queueing systems, how their firewalls and servers are laid out and much more
- He also talks about why they went with vanilla PF, writing their ruleset from the ground up rather than relying on a prebuilt solution
- There's also some general networking talk about nginx, reverse proxies, caching, fiber links and all that good stuff
- Follow-up questions can be asked in this reddit thread (https://www.reddit.com/r/BSD/comments/3f43fh/bsd_runs_quakecon/)
- The host doesn't seem to be that familiar with the topics at hand, mentioning "OpenPF" multiple times among other things, so our listeners should get a kick out of it
***
Interview - Adrian Chadd - adrian@freebsd.org (mailto:adrian@freebsd.org) / @erikarn (https://twitter.com/erikarn)
Rethinking ways to improve FreeBSD (https://www.reddit.com/r/freebsd/comments/3d80vt)

News Roundup

CII contributes to OpenBSD (http://undeadly.org/cgi?action=article&sid=20150804161939)
- If you recall back to when we talked to the OpenBSD foundation (http://www.bsdnow.tv/episodes/2015_02_25-from_the_foundation_2), one of the things Ken mentioned was the Core Infrastructure Initiative (https://www.coreinfrastructure.org)
- In a nutshell (https://www.coreinfrastructure.org/faq), it's an organization of security experts that helps facilitate (with money, in most cases) the advancement of the more critical open source components of the internet
- The group is organized by the Linux foundation, and gets its multi-million dollar backing from various big companies in the technology space (and donations from volunteers)
- To ensure that OpenBSD and its related projects (OpenSSH, LibreSSL and PF likely being the main ones here) remain healthy, they've just made a large donation to the foundation - this makes them the first (http://www.openbsdfoundation.org/contributors.html) "platinum" level donor as well
- While the exact amount wasn't disclosed, it was somewhere between $50,000 and $100,000
- The donation comes less than a month after Microsoft's big donation (http://undeadly.org/cgi?action=article&sid=20150708134520), so it's good to see these large organizations helping out important open source projects that we depend on every day
***
Another BSDCan report (http://freebsdfoundation.blogspot.com/2015/07/bsdcan-2015-trip-report-mark-linimon.html)
- The FreeBSD foundation is still getting trip reports from BSDCan, and this one comes from Mark Linimon
- In his report, he mainly covers the devsummit and some discussion with the portmgr team
- One notable change for the upcoming 10.2 release is that the default binary repository is now the quarterly branch - Mark talks a bit about this as well
- He also gives his thoughts on using QEMU for cross-compiling packages (http://www.bsdnow.tv/episodes/2015_03_04-just_add_qemu) and network performance testing
***
Lumina 0.8.6 released (http://blog.pcbsd.org/2015/08/lumina-desktop-0-8-6-released/)
- The PC-BSD team has released another version of Lumina (http://www.lumina-desktop.org/), their BSD-licensed desktop environment
- This is mainly a bugfix and performance improvement release, rather than one with lots of new features
- The on-screen display widget should be much faster now, and the configuration now allows for easier selection of default applications (which browser, which terminal, etc)
- Lots of non-English translation updates and assorted fixes are included as well
- If you haven't given it a try yet, or maybe you're looking for a new window manager, Lumina runs on all the BSDs
***
More c2k15 hackathon reports (http://undeadly.org/cgi?action=article&sid=20150730180506)
- Even more reports from OpenBSD's latest hackathon are starting to pour in
- The first one is from Alexandr Nedvedicky, one of their brand new developers (the guy from Oracle)
- He talks about his experience going to a hackathon for the first time, and lays out some of the plans for integrating their (very large) SMP PF patch into OpenBSD
- Second up is Andrew Fresh (http://undeadly.org/cgi?action=article&sid=20150731191156&mode=flat), who went without any specific plans, but still ended up getting some UTF8 work done
- On the topic of ARMv7, "I did enjoy being there when things weren't working so [Brandon Mercer] could futilely try to explain the problem to me (I wasn't much help with kernel memory layouts).
Fortunately others overheard and provided words of encouragement and some help which was one of my favorite parts of attending this hackathon." Florian Obser sent in a report that includes a little bit of everything (http://undeadly.org/cgi?action=article&sid=20150805151453): setting up the hackathon's network, relayd and httpd work, bidirectional forwarding detection, airplane stories and even lots of food Paul Irofti wrote in as well (http://undeadly.org/cgi?action=article&sid=20150801100002&mode=flat) about his activities, which were mainly focused on the Octeon CPU architecture He wrote a new driver for the onboard flash of a DSR-500 machine, which was built following the Common Flash Interface specification This means that, going forward, OpenBSD will have out-of-the-box support for any flash memory device (often the case for MIPS and ARM-based embedded devices) *** Feedback/Questions Hamza writes in (http://slexy.org/view/s205kqTEIj) Florian writes in (http://slexy.org/view/s2ogIP6cEf) Dominik writes in (http://slexy.org/view/s214xE9ulK) ***
100: Straight from the Src
We've finally reached a hundred episodes, and this week we'll be talking to Sebastian Wiedenroth about pkgsrc. Though originally a NetBSD project, now it runs pretty much everywhere, and he even runs a conference about it!
This episode was brought to you by
Headlines
Remote DoS in the TCP stack (https://blog.team-cymru.org/2015/07/another-day-another-patch/)
A pretty devious bug in the BSD network stack has been making its rounds for a while now, allowing remote attackers to exhaust the resources of a system with nothing more than TCP connections.
While in the LAST_ACK state, which is one of the final stages of a connection's lifetime, the connection can get stuck and hang there indefinitely.
This problem has a slightly confusing history that involves different fixes at different points in time from different people.
Juniper originally discovered the bug and announced a fix (https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10686) for their proprietary networking gear on June 8th.
On June 29th, FreeBSD caught wind of it and fixed the bug in their -current branch (https://svnweb.freebsd.org/base/head/sys/netinet/tcp_output.c?view=patch&r1=284941&r2=284940&pathrev=284941), but did not issue a security notice or MFC the fix back to the -stable branches.
On July 13th, two weeks later, OpenBSD fixed the issue (https://www.marc.info/?l=openbsd-cvs&m=143682919807388&w=2) in their -current branch with a slightly different patch, citing the FreeBSD revision from which the problem was found.
Immediately afterwards, they merged it back to -stable and issued an errata notice (http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/010_tcp_persist.patch.sig) for 5.7 and 5.6.
On July 21st, three weeks after their original fix, FreeBSD committed yet another slightly different fix (https://svnweb.freebsd.org/base/head/sys/netinet/tcp_output.c?view=patch&r1=285777&r2=285776&pathrev=285777) and issued a security notice (https://lists.freebsd.org/pipermail/freebsd-announce/2015-July/001655.html) for the problem (which didn't include the first fix).
After the second fix from FreeBSD, OpenBSD gave them both another look and found their single fix to be sufficient, covering the timer issue in a more general way.
NetBSD confirmed they were vulnerable too, and applied another completely different fix (http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c.diff?r1=1.183&r2=1.184&only_with_tag=MAIN) to -current on July 24th, but haven't released a security notice yet.
DragonFly is also investigating the issue now to see if they're affected as well.
***
c2k15 hackathon reports (http://undeadly.org/cgi?action=article&sid=20150721180312&mode=flat)
Reports from OpenBSD's latest hackathon (http://www.openbsd.org/hackathons.html), held in Calgary this time, are starting to roll in (there were over 40 devs there, so we might see a lot more of these).
The first one, from Ingo Schwarze, talks about some of the mandoc work he did at the event.
He writes, "Did you ever look at a huge page in man, wanted to jump to the definition of a specific term - say, in ksh, to the definition of the "command" built-in command - and had to step through dozens of false positives with the less '/' and 'n' search keys before you finally found the actual definition?"
With mandoc's new internal jump targets, this is a problem of the past now.
Jasper also sent in a report (http://undeadly.org/cgi?action=article&sid=20150723124332&mode=flat), doing his usual work with Puppet (and specifically "Facter," a tool used by Puppet to gather various bits of system information).
Aside from that and various ports-related work, Jasper worked on adding tame support to some userland tools, fixing some Octeon stuff and introduced something that OpenBSD has oddly lacked until now: an "-i" flag for sed (hooray!)
Antoine Jacoutot gave a report (http://undeadly.org/cgi?action=article&sid=20150722205349&mode=flat) on what he did at the hackathon as well, including improvements to the rcctl tool (for configuring startup services).
It now has an "ls" subcommand with status parsing, allowing you to list running services, stopped services or even ones that failed to start or are supposed to be running (he calls this "the poor man's service monitoring tool").
He also reworked some of the rc.d system to allow smoother operation of multiple instances of the same daemon (using tor with different config files as an example).
His list also included updating ports, updating ports documentation, updating the hotplug daemon and laying out some plans for automatic sysmerge for future upgrades.
Foundation director Ken Westerback was also there (http://undeadly.org/cgi?action=article&sid=20150722105658&mode=flat), getting some disk-related and laptop work done.
He cleaned up and committed the 4k sector softraid code that he'd been working on, as well as fixing some trackpad issues.
Stefan Sperling, OpenBSD's token "wireless guy," had a lot to say (http://undeadly.org/cgi?action=article&sid=20150722182236&mode=flat) about the hackathon and what he did there (and even sent in his write-up before he got home).
He taught tcpdump about some new things, including 802.11n metadata beacons (there's a lot more specific detail about this one in the report).
Bringing a bag full of USB wireless devices with him, he set out to get the unsupported ones working, as well as fix some driver bugs in the ones that already did work.
One quote from Stefan's report that a lot of people seem to be talking about: "Partway through the hackathon tedu proposed an old diff of his to make our base ls utility display multi-byte characters. This led to a long discussion about how to expand UTF-8 support in base. The conclusion so far indicates that single-byte locales (such as ISO-8859-1 and KOI-8) will be removed from the base OS after the 5.8 release is cut. This simplifies things because the whole system only has to care about a single character encoding. We'll then have a full release cycle to bring UTF-8 support to more base system utilities such as vi, ksh, and mg. To help with this plan, I started organizing a UTF-8-focused hackathon for some time later this year."
Jeremy Evans wrote in (http://undeadly.org/cgi?action=article&sid=20150725180527&mode=flat) to talk about updating lots of ports, moving the ruby ports up to the latest version and also creating perl and ruby wrappers for the new tame subsystem.
While he's mainly a ports guy, he got to commit fixes to ports, the base system and even the kernel during the hackathon.
Rafael Zalamena, who got commit access at the event, gives his very first report (http://undeadly.org/cgi?action=article&sid=20150725183439&mode=flat) on his networking-related hackathon activities.
With Rafael's diffs and help from a couple other developers, OpenBSD now has support for VPLS (https://en.wikipedia.org/wiki/Virtual_Private_LAN_Service).
Jonathan Gray got a lot done (http://undeadly.org/cgi?action=article&sid=20150728184743&mode=flat) in the area of graphics, working on OpenGL and Mesa, updating libdrm and even working with upstream projects to remove some GNU-specific code.
As he's become somewhat known for, Jonathan was also busy running three things in the background: clang's fuzzer, cppcheck and AFL (looking for any potential crashes to fix).
Martin Pieuchot gave a write-up (http://undeadly.org/cgi?action=article&sid=20150724183210&mode=flat) on his experience: "I always thought that hackathons were the best place to write code, but what's even more important is that they are the best (well actually only) moment where one can discuss and coordinate projects with other developers IRL. And that's what I did."
He laid out some plans for the wireless stack, discussed future plans for PF, made some routing table improvements and did various other bits to the network stack.
Unfortunately, most of Martin's secret plans seem to have been left intentionally vague, and will start to take form in the next release cycle.
We're still eagerly awaiting a report from one of OpenBSD's newest developers (https://twitter.com/phessler/status/623291827878137856), Alexandr Nedvedicky (the Oracle guy who's working on SMP PF and some other PF fixes).
OpenBSD 5.8's "beta" status was recently reverted, with the message "take that as a hint (https://www.marc.info/?l=openbsd-cvs&m=143766883514831&w=2)," so that may mean more big changes are still to come...
***
FreeBSD quarterly status report (https://www.freebsd.org/news/status/report-2015-04-2015-06.html)
FreeBSD has published their quarterly status report for the months of April to June, citing it to be the largest one so far.
It's broken down into a number of sections: team reports, projects, kernel, architectures, userland programs, ports, documentation, Google Summer of Code and miscellaneous others.
Starting off with the cluster admin, some machines were moved to the datacenter at New York Internet, email services are now more resilient to failure, the svn mirrors (now just "svn.freebsd.org") are now using GeoDNS with official SSL certs and general redundancy was increased.
In the release engineering space, ARM and ARM64 work continues to improve on the Cavium ThunderX, more focus is being put into cloud platforms and the 10.2-RELEASE cycle is reaching its final stages.
The core team has been working on phabricator, the fancy review system, and is considering integrating oauth support soon.
Work also continues on bhyve, and more operating systems are slowly gaining support (including the much-rumored Windows Server 2012).
The report also covers recent developments in the Linux emulation layer, and encourages people using 11-CURRENT to help test out the 64bit support.
Multipath TCP was also a hot topic, and there's a brief summary of the current status on that patch (it will be available publicly soon).
ZFSguru, a project we haven't talked about a lot, also gets some attention in the report - version 0.3 is set to be completed in early August.
PCIe hotplug support is also mentioned, though it's still in the development stages (basic hot-swap functions are working though).
The official binary packages are now built more frequently than before with the help of additional hardware, so AMD64 and i386 users will have fresher ports without the need for compiling.
Various other small updates on specific areas of ports (KDE, XFCE, X11...) are also included in the report.
Documentation is a strong focus as always, a number of new documentation committers were added and some of the translations have been improved a lot.
Many other topics were covered, including foundation updates, conference plans, pkgsrc support in pkgng, ZFS support for UEFI boot and much more.
***
The OpenSSH bug that wasn't (http://bsdly.blogspot.com/2015/07/the-openssh-bug-that-wasnt.html)
There's been a lot of discussion (https://www.marc.info/?t=143766048000005&r=1&w=2) about a supposed flaw (https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/) in OpenSSH, allowing attackers to substantially amplify the number of password attempts they can try per session (without leaving any abnormal log traces, even).
There's no actual exploit to speak of; this bug would only help someone get more bruteforce tries in with fewer connections (https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-July/034209.html).
FreeBSD in its default configuration, with PAM (https://en.wikipedia.org/wiki/Pluggable_authentication_module) and ChallengeResponseAuthentication enabled, was the only one vulnerable to the problem - not upstream OpenSSH (https://www.marc.info/?l=openbsd-misc&m=143767296016252&w=2), nor any of the other BSDs, and not even the majority of Linux distros.
If you disable all forms of authentication except public keys, like you're supposed to (https://stribika.github.io/2015/01/04/secure-secure-shell.html), then this is also not a big deal for FreeBSD systems.
Realistically speaking, it's more of a PAM bug (https://www.marc.info/?l=openbsd-misc&m=143782167322500&w=2) than anything else.
OpenSSH added an additional check (https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab) for this type of setup that will be in 7.0, but simply changing your sshd_config is enough to mitigate the issue for now on FreeBSD (or you can run freebsd-update (https://lists.freebsd.org/pipermail/freebsd-security-notifications/2015-July/000248.html)).
***
Interview - Sebastian Wiedenroth - wiedi@netbsd.org (mailto:wiedi@netbsd.org) / @wied0r (https://twitter.com/wied0r)
pkgsrc (https://en.wikipedia.org/wiki/Pkgsrc) and pkgsrcCon (http://pkgsrc.org/pkgsrcCon/)
News Roundup
Now served by OpenBSD (https://tribaal.io/this-now-served-by-openbsd.html)
We've mentioned that you can also install OpenBSD on DO droplets, and this blog post is about someone who actually did it.
The use case for the author was for a webserver, so he decided to try out the httpd in base.
Configuration is ridiculously simple, and the config file in his example provides an HTTPS-only webserver, with plaintext requests automatically redirecting.
TLS 1.2 by default, strong ciphers with LibreSSL and HSTS (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) combined give you a pretty secure web server.
***
FreeBSD laptop playbooks (https://github.com/sean-/freebsd-laptops)
A new project has started up on Github for configuring FreeBSD on various laptops, unsurprisingly named "freebsd-laptops".
It's based on ansible, and uses the playbook format for automatic set up and configuration.
Right now, it's only working on a single Lenovo laptop, but the plan is to add instructions for many more models.
Check the Github page for instructions on how to get started, and maybe get involved if you're running FreeBSD on a laptop.
***
NetBSD on the NVIDIA Jetson TK1 (https://blog.netbsd.org/tnf/entry/netbsd_on_the_nvidia_jetson)
If you've never heard of the Jetson TK1 (https://developer.nvidia.com/jetson-tk1), we can go ahead and spoil the secret here: NetBSD runs on it.
As for the specs, it has a quad-core ARMv7 CPU at 2.3GHz, 2 gigs of RAM, gigabit ethernet, SATA, HDMI and mini-PCIE.
This blog post shows which parts of the board are working with NetBSD -current (which seems to be almost everything).
You can even run X11 on it, pretty sweet.
***
DragonFly power management options (http://lists.dragonflybsd.org/pipermail/users/2015-July/207911.html)
DragonFly developer Sepherosa, who we've had on the show, has been doing some ACPI work over there.
In this email, he presents some of DragonFly's different power management options: ACPI P-states, C-states, mwait C-states and some Intel-specific bits as well.
He also did some testing with each of them and gave his findings about power saving.
If you've been thinking about running DragonFly on a laptop, this would be a good one to read.
***
OpenBSD router under FreeBSD bhyve (https://www.quernus.co.uk/2015/07/27/openbsd-as-freebsd-router/)
If one BSD just isn't enough for you, and you've only got one machine, why not run two at once?
This article talks about taking a FreeBSD server running bhyve and making a virtualized OpenBSD router with it.
If you've been considering switching over your router at home or the office, doing it in a virtual machine is a good way to test the waters before committing to real hardware.
The author also includes a little bit of history on how he got into both operating systems.
There are lots of mixed opinions about virtualizing core network components, so we'll leave it up to you to do your research.
Of course, the next logical step is to put that bhyve host under Xen on NetBSD...
***
Feedback/Questions
Kevin writes in (http://slexy.org/view/s2yPVV5Wyp)
Logan writes in (http://slexy.org/view/s21zcz9rut)
Peter writes in (http://slexy.org/view/s21CRmiPwK)
Randy writes in (http://slexy.org/view/s211zfIXff)
***
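As an added example for the "OpenSSH bug that wasn't" headline in this episode (not text from the page, the bsdly post or the OpenSSH project): the two sshd_config fragments below put the setting combination the page describes as affected on a default FreeBSD install next to the public-key-only configuration it recommends. Only one of the two stanzas belongs in a real sshd_config, because sshd keeps the first value it sees for each keyword; the MaxAuthTries value in the second stanza is an arbitrary choice.

```conf
# sshd_config fragments (added example; not the page's or OpenSSH's own text)

# --- Fragment 1: the combination the page describes as affected on FreeBSD ---
# PAM plus keyboard-interactive ("challenge-response") authentication enabled.
# This is the setup in which, per the reports linked above, a client could fit
# more password guesses into one session than MaxAuthTries is meant to allow.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
MaxAuthTries 6

# --- Fragment 2: the public-key-only setup the page recommends ---
# Keyboard-interactive and password authentication are both off, so public
# keys are the only method left and the amplification no longer applies.
# MaxAuthTries is lowered as well; 3 is an arbitrary value, the default is 6.
UsePAM yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
MaxAuthTries 3
```

After editing, `sshd -T` (run as root) prints the effective configuration, so `sshd -T | grep -i -e challengeresponseauthentication -e passwordauthentication -e maxauthtries` shows what the daemon will actually use before you reload it with `service sshd reload` on FreeBSD. If you would rather not touch the config, the freebsd-update route the page mentions is the other option.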
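As an added example for the "Now served by OpenBSD" item in this episode's news roundup (not the blog author's config and not from the page): a minimal httpd.conf with the layout described there, one server block that answers plaintext requests with a redirect and a second that serves the site over TLS. The hostname and file paths are placeholders, and the hsts keyword is assumed to be available in the httpd version in use.

```conf
# /etc/httpd.conf (added example; hostname and paths are placeholders)

# Plaintext listener: every request gets a permanent redirect to the TLS
# site. $SERVER_NAME and $REQUEST_URI are expanded by httpd per request.
server "www.example.org" {
    listen on * port 80
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}

# TLS listener. httpd is built on LibreSSL and uses TLS 1.2 with its strong
# default cipher list unless told otherwise, so no "tls protocols" or
# "tls ciphers" lines are needed to get what the page describes.
server "www.example.org" {
    listen on * tls port 443
    tls certificate "/etc/ssl/www.example.org.crt"
    tls key "/etc/ssl/private/www.example.org.key"
    # Send Strict-Transport-Security so returning browsers never try port 80
    # again (assumed to exist in this httpd version; max-age per httpd.conf(5)).
    hsts
    # Paths are relative to the /var/www chroot httpd runs in.
    root "/htdocs/www.example.org"
}
```

`httpd -n` parses the file and reports syntax errors without starting the daemon; `rcctl enable httpd` followed by `rcctl start httpd` brings it up. The redirect-only block on port 80 is what makes the server HTTPS-only in practice: nothing is served in the clear, and HSTS stops browsers that have seen the site once from even asking.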
99: BSD Gnow
This week we'll be talking with Ryan Lortie and Baptiste Daroussin about GNOME on BSD. Upstream development is finally treating the BSDs as first-class citizens, so we'll hear about how the recent porting efforts have gone.
This episode was brought to you by
Headlines
OpenBSD presents tame (https://www.marc.info/?l=openbsd-tech&m=143725996614627&w=2)
Theo de Raadt sent out an email detailing OpenBSD's new "tame" subsystem, written by Nicholas Marriott and himself, for restricting what processes can and can't do.
When using tame, programs will switch to a "restricted-service operating mode," limiting them to only the things they actually need to do.
As for the background: "Generally there are two models of operation. The first model requires a major rewrite of application software for effective use (ie. capsicum). The other model in common use lacks granularity, and allows or denies an operation throughout the entire lifetime of a process. As a result, they lack differentiation between program 'initialization' versus 'main servicing loop.' systrace had the same problem. My observation is that programs need a large variety of calls during initialization, but few in their main loops."
Some initial categories of operation include: computation, memory management, read-write operations on file descriptors, opening of files and, of course, networking.
Restrictions can also be stacked further into the lifespan of the process, but removed abilities can never be regained (obviously).
Anything that tries to access resources outside of its in-place limits gets terminated with a SIGKILL or, optionally, a SIGABRT (which can produce useful core dumps for investigation).
Also included are 29 examples of userland programs that get additional protection with very minimal changes to the source - only 2 or 3 lines needing to be changed in the case of binaries like cat, ps, dmesg, etc.
This is an initial work-in-progress version of tame, so there may be more improvements or further (https://www.marc.info/?l=openbsd-tech&m=143740834710502&w=2) control (https://www.marc.info/?l=openbsd-tech&m=143741052411159&w=2) options added before it hits a release (very specific access policies can sometimes backfire (https://forums.grsecurity.net/viewtopic.php?f=7&t=2522), however).
The man page, also included in the mail, provides some specifics about how to integrate tame properly into your code (which, by design, was made very easy to do - making it simple means third party programs are more likely to actually use it).
Kernel bits are in the tree now (https://www.marc.info/?l=openbsd-cvs&m=143727335416513&w=2), with userland changes starting to trickle in too.
Combined with a myriad of memory protections (http://www.bsdnow.tv/episodes/2015_05_13-exclusive_disjunction), tight privilege separation and (above all else (https://en.wikipedia.org/wiki/OpenBSD_security_features)) good coding practices, tame should further harden the OpenBSD security fortress.
Further discussion (https://news.ycombinator.com/item?id=9928221) can (https://www.reddit.com/r/programming/comments/3dsr0t) be (http://undeadly.org/cgi?action=article&sid=20150719000800&mode=flat) found (https://news.ycombinator.com/item?id=9909429) in (https://www.reddit.com/r/linux/comments/3ds66o) the (https://lobste.rs/s/tbbtfs) usual (https://www.reddit.com/r/openbsd/comments/3ds64c) places (https://www.reddit.com/r/BSD/comments/3ds681) you'd expect.
***
Using Docker on FreeBSD (https://wiki.freebsd.org/Docker)
With the experimental Docker port landing in FreeBSD a few weeks ago, some initial docs are starting to show up.
This docker is "the real thing," and isn't using a virtual machine as the backend - as such, it has some limitations.
The FreeBSD wiki has a page detailing how it works in general, as well as more info about those limitations.
When running Linux containers, it will only work as well as the Linux ABI compat layer for your version of FreeBSD (11.0, or -CURRENT when we're recording this, is where all the action is for 64bit support).
For users on 10.X, there's also a FreeBSD container available, which allows you to use Docker as a fancy jail manager (it uses the jail subsystem internally).
Give it a try, let us know how you find it to be compared to other solutions.
***
OpenBSD imports doas, removes sudo (http://www.tedunangst.com/flak/post/doas)
OpenBSD has included the ubiquitous "sudo" utility for many years now, and the current maintainer of sudo (Todd C. Miller) is also a long-time OpenBSD dev.
The version included in the base system was much smaller than the latest current version used elsewhere, but was based on older code.
Some internal discussion led to the decision that sudo should probably be moved to ports now, where it can be updated easily and offer all the extra features that were missing in base (LDAP and whatnot).
Ted Unangst conjured up a rewritten utility to replace it in the base system, dubbed "do as," with the aim of being more simple and compact.
There were concerns that sudo was too big and too complicated, and a quick 'n' dirty check reveals that doas is around 350 lines of code, while sudo is around 10,000 - which would you rather have as a setuid root binary?
After the initial import, a number of developers began reviewing and improving various bits here and there.
You can check out the code (http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/doas/) now if you're interested.
Command usage (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1) and config syntax (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/doas.conf.5) seem pretty straightforward.
More discussion (https://news.ycombinator.com/item?id=9914693) on HN.
***
What would you like to see in FreeBSD (https://www.reddit.com/r/freebsd/comments/3d80vt/what_would_you_like_to_see_in_freebsd/)
Adrian Chadd started a reddit thread about areas in which FreeBSD could be improved, asking the community what they'd like to see.
There are over 200 comments that span a wide range of topics, so we'll just cover a few of the more popular requests - check the very long thread if you're interested in more.
The top comment says things don't "just work," citing failover link aggregation of LACP laggs, PPPoE issues, disorganized jail configuration options, unclear CARP configuration and userland dtrace being unstable.
Another common one was that there are three firewalls in the base system, with ipfilter and pf being kinda dead now - should they be removed, and more focus put into ipfw?
Video drivers also came up frequently, with users hoping for better OpenGL support and support for newer graphics cards from Intel and AMD - similar comments were made about wireless chipsets as well.
Some other replies included more clarity with pkgng output, paying more attention to security issues, updating PF to match the one in OpenBSD, improved laptop support, a graphical installer, LibreSSL in base, more focus on embedded MIPS devices, binary packages with different config options, steam support and lots more.
At least one user suggested better "marketing" for FreeBSD, with more advocacy and (hopefully) more business adoption.
That one really applies to all the BSDs, and regular users (that's you listening to this) can help make it happen for whichever ones you use right now.
Maybe Adrian can singlehandedly do all the work and make all the users happy.
***
Interview - Ryan Lortie & Baptiste Daroussin
Porting the latest GNOME code to FreeBSD
News Roundup
Introducing resflash (http://stable.rcesoftware.com/resflash/)
If you haven't heard of resflash before, it's "a tool for building OpenBSD images for embedded and cloud environments in a programmatic, reproducible way".
One of the major benefits to images like this is the read-only filesystem, so there's no possibility of filesystem corruption if power is lost.
There's an optional read-write partition as well, used for any persistent changes you want to make.
You can check out the source code on Github (https://github.com/bconway/resflash) or read the main site for more info.
***
Jails with iocage (http://pid1.com/posts/post10.html)
There are a growing number of FreeBSD jail management utilities: ezjail, cbsd, warden and a few others.
After looking at all the different choices, the author of this blog post eventually settled on iocage (https://github.com/iocage/iocage) for the job.
The post walks you through the basic configuration and usage of iocage for creating and managing jails.
If you've been unhappy with ezjail or some of the others, iocage might be worth giving a try instead (it also has really good ZFS integration).
***
DragonFly GPU improvements (http://lists.dragonflybsd.org/pipermail/users/2015-July/207892.html)
DragonFlyBSD continues to up their graphics game, this time with Intel's ValleyView series of CPUs.
These GPUs are primarily used in the newer Atom CPUs and offer much better performance than the older ones.
A git branch was created to hold the fixes for now while the last remaining bugs get fixed.
Fully-accelerated Broadwell support and an update to newer DRM code are also available in the git branch, and will be merged to the main tree after some testing.
***
Branchless development (http://www.tedunangst.com/flak/post/branchless-development)
Ted Unangst has a new blog post up, talking about software branches and the effects of having (or not having) them.
He covers integrating and merging code, and the versioning problems that can happen with multiple people contributing at once.
"For an open source project, branching is counter intuitively antisocial. For instance, I usually tell people I'm running OpenBSD, but that's kind of a lie. I'm actually running teduBSD, which is like OpenBSD but has some changes to make it even better. Of course, you can't have teduBSD because I'm selfish. I'm also lazy, and only inclined to make my changes work for me, not everyone else."
The solution, according to him, is bringing all the code the developers are using closer together.
One big benefit is that WIP code gets tested much faster (and bugs get fixed early on).
***
Feedback/Questions
Matthew writes in (http://slexy.org/view/s21yQtBCCK)
Chris writes in (http://slexy.org/view/s21oFA80kY)
Anonymous writes in (http://slexy.org/view/s2JYvTlJlm)
Bill writes in (http://slexy.org/view/s21LXvk53z)
***
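As an added example for the doas item in this episode's headlines (not from the page, the doas source or its man pages): a small doas.conf in the rule syntax the page calls straightforward. The "backup" account and the command path are made up for illustration.

```conf
# /etc/doas.conf (added example; the "backup" user and command path are made up)
#
# Rule form, from doas.conf(5):
#   permit|deny [options] identity [as target] [cmd command]
# An identity beginning with ":" is a group. A request that matches no rule
# is denied; when several rules match, the last one wins, so order matters.

# Members of wheel may run any command as any target user after typing
# their own password (the usual sudo-like setup).
permit :wheel

# The same without a password prompt, keeping the caller's environment.
# Left commented out: convenient, but it lets a compromised wheel account
# escalate silently, which the password prompt above is there to catch.
# permit nopass keepenv :wheel

# A dedicated account may run exactly one program as root with no password,
# which is the least-privilege shape for cron-driven jobs.
permit nopass backup as root cmd /usr/local/bin/backup-run
```

In current doas, `doas -C /etc/doas.conf` parses the file and reports syntax errors without running anything, and `doas -C /etc/doas.conf command` prints whether the calling user would be permitted (with or without a password) or denied for that command, which is a cheap way to review a rule set before relying on it.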
98: Our Code is Your Code
Coming up this time on the show, we'll be talking with the CTO of Xinuos, David Meyer, about their adoption of FreeBSD. We also discuss the BSD license model for businesses and the benefits of contributing changes back.
This episode was brought to you by
Headlines
Enabling FreeBSD on AArch64 (https://community.arm.com/groups/processors/blog/2015/07/07/enabling-freebsd-on-aarch64)
One of the things the FreeBSD foundation has been dumping money into lately is ARM64 support, but we haven't heard too much about it - this article should change that.
Since it's on a mainstream ARM site, the article begins with a bit of FreeBSD history, leading up to the current work on ARM64.
There's also a summary of some of the ARM work done at this year's BSDCan, including details about running it on the Cavium ThunderX platform (which has 48 cores).
As of just a couple months ago, dtrace is even working on this new architecture.
Come 11.0-RELEASE, the plan is for ARM64 to get the same "tier 1" treatment as X86, which would imply binary updates for base and ports - something Raspberry Pi users often complain about not having.
***
OpenBSD's tcpdump detailed (https://www.youtube.com/watch?v=8kR-tW1kyDc#t=8)
Most people are probably familiar with tcpdump (https://en.wikipedia.org/wiki/Tcpdump), a very useful packet sniffing and capturing utility that's included in all the main BSD base systems.
This video guide is specifically about the version in OpenBSD, which has gone through some major changes (it's pretty much a fork with no version number anymore).
Unlike on the other platforms, OpenBSD's tcpdump will always run in a chroot as an unprivileged user - this has saved it from a number of high-profile exploits.
It also has support for the "pf.os" system, allowing you to filter out operating system fingerprints in the packet captures.
There's also PF (and pflog) integration, letting you see which line in your ruleset triggered a specific match.
Being able to run tcpdump directly on your router (http://www.bsdnow.tv/tutorials/openbsd-router) is pretty awesome for troubleshooting.
***
More FreeBSD foundation at BSDCan (http://freebsdfoundation.blogspot.com/2015/07/bsdcan-2015-trip-report-kamil-czekirda.html)
The FreeBSD foundation has another round of trip reports from this year's BSDCan.
First up is Kamil Czekirda, who gives a good summary of some of the devsummit, FreeBSD-related presentations, some tutorials, getting freebsd-update bugs fixed and of course eating cake.
A second post (http://freebsdfoundation.blogspot.com/2015/07/bsdcan-2015-trip-report-christian.html) from Christian Brueffer, who cleverly planned ahead to avoid jetlag, details how he got some things done during the FreeBSD devsummit.
Their third report (http://freebsdfoundation.blogspot.com/2015/07/bsdcan-2015-trip-report-warren-block.html) is from our buddy Warren Block, who (unsurprisingly) worked on a lot of documentation-related things, including getting more people involved with writing them.
In true doc team style, his report is the most well-written of the bunch, including lots of links and a clear separation of topics (doc lounge, contributing to the wiki, presentations...).
Finally, the fourth one (http://freebsdfoundation.blogspot.com/2015/07/bsdcan-2015-trip-report-shonali.html) comes to us from Shonali Balakrishna, who also gives an outline of some of the talks.
"Not only does a BSD conference have way too many very smart people in one room, but also some of the nicest."
***
DragonFly on the Chromebook C720 (https://www.dragonflydigest.com/2015/07/08/16391.html)
If you've got one of the Chromebook laptops and weren't happy with the included OS, DragonFlyBSD might be worth a go.
This article is a "mini-report" on how DragonFly functions on the device as a desktop, and while the 2GB of RAM proved to be a bit limiting, most of the hardware is well-supported.
DragonFly's wiki has a full guide (http://www.dragonflybsd.org/docs/newhandbook/ConfigChromebook/) on getting set up on one of these devices as well.
***
Interview - David Meyer - info@xinuos.com (mailto:info@xinuos.com) / @xinuos (https://twitter.com/xinuos)
Xinuos, BSD license model vs. others, community interaction
News Roundup
Introducing LiteBSD (https://github.com/sergev/LiteBSD)
We definitely don't talk about 4.4BSD a lot on the show.
LiteBSD is "a variant of [the] 4.4BSD operating system adapted for microcontrollers".
If you've got really, really old hardware (or are working in the embedded space) then this might be an interesting hobby project to look into.
***
HardenedBSD announces ASLR completion (http://hardenedbsd.org/article/shawn-webb/2015-07-06/announcing-aslr-completion)
HardenedBSD, now officially a full-on fork of FreeBSD (http://hardenedbsd.org/content/about), has declared their ASLR patchset to be complete.
The latest and last addition to the work was VDSO (Virtual Dynamic Shared Object) randomization, which is now configurable with a sysctl.
This post gives a summary of the six main features they've added since the beginning (http://www.bsdnow.tv/episodes/2014_08_27-reverse_takeover).
Only a few small things are left to do - man page cleanups, possibly shared object load order improvements.
***
Unlock the reaper (https://www.marc.info/?l=openbsd-tech&m=143636371501474&w=2)
In the ongoing quest to make more of OpenBSD SMP-friendly, a new patch was posted that unlocks the reaper in the kernel.
When there's a zombie process (https://en.wikipedia.org/wiki/Zombie_process)
causing a resource leak, it's the reaper's job (https://en.wikipedia.org/wiki/Wait_%28system_call%29) to deallocate their resources (and yes we're still talking about computers, not horror movies) Initial testing has yielded positive (https://www.marc.info/?l=openbsd-tech&m=143642748717836&w=2) results (https://www.marc.info/?l=openbsd-tech&m=143639356810690&w=2) and no regressions (https://www.marc.info/?l=openbsd-tech&m=143638955809675&w=2) They're looking for testers, so you can install a -current snapshot and get it automatically An updated version of the patch is coming soon (https://www.marc.info/?l=openbsd-tech&m=143643025118637&w=2) too A hackathon (http://www.openbsd.org/images/hackathons/c2k15-s.gif) is going on right now, so you can expect more SMP improvements in the near future *** The importance of mentoring (http://adrianchadd.blogspot.com/2015/07/the-importance-of-mentoring-or-how-i.html) Adrian Chadd has a blog post up about mentoring new users, and it tells the story of how he originally got into FreeBSD He tells the story of, at age 11, meeting someone else who knew about making crystal sets that became his role model Eventually we get to his first FreeBSD 1.1 installation (which he temporarily abandoned for Linux, since it didn't have a color "ls" command) and how he started using the OS Nowadays, there's a formal mentoring system in FreeBSD While he talks about FreeBSD in the post, a lot of the concepts apply to all the BSDs (or even just life in general) *** Feedback/Questions Sean writes in (http://slexy.org/view/s29LpvIxDD) Herminio writes in (http://slexy.org/view/s21I1MZsDl) Stuart writes in (http://slexy.org/view/s20kk3ilM6) Richard writes in (http://slexy.org/view/s2pL5xA80B) ***