March 16, 2016

133: The Tokyo Debrief

1 hour 16 minutes

This week on BSDNow, Allan and I are back from AsiaBSDCon and we have an interview with Brad Davis about the new “Packaging Base” call-for-testing. We’ll be sharing our thoughts and stories on how the week

This episode was brought to you by

Headlines

AsiaBSDCon 2016 - Wrap-up

FreeBSD gets Haswell graphics support in time for 11.0-RELEASE

The moment that many have been waiting for has finally arrived, support for Haswell graphics has been committed to FreeBSD -CURRENT

The brings the DRM/i915 code up to date with Linux kernel 3.8.13

Work has already started on updating to Linux kernel 3.9

It is hoped that subsequent updates will be much easier, and much faster

It does not appear to require setting the i915.preliminary_hw_support loader tunable

***

OpenBSD vmm/vmd Update

For the third year running, bhyvecon was held last week, during the lead up to AsiaBSDCon

Bhyvecon has expanded, and now covers all virtualization on BSDs

There were presentations on bhyve, Xen Dom0 on FreeBSD, Xen DomU for OpenBSD, and OpenBSD’s vmm

OpenBSD vmm started at the Brisbane 2015 hackathon in Australia

Work continued through the summer and fall thanks to funding by the OpenBSD Foundation

The presentation answered some outstanding questions, such as, why not just port bhyve?

Initial focus is OpenBSD on OpenBSD

Loader currently supports FreeBSD and NetBSD as well

After the initial commits, other developers joined in to help with the work

Reyk reworked the vmd and vmctl commands, to provide a better user interface

Future plans:

Nested VMX

i386 support

AMD SVM support

Filesystem passthru

Live migration (with ZFS like command syntax)

Other developers are working on related projects:

qemu interface: Allow qemu to be accelerated by the vmm backend, while providing emulated hardware, for legacy systems

KVM interface: Make vmm look like KVM, so existing tools like openstack “just work”

***

Interview - Brad Davis - [email protected] / @so14k

Packaging Base

News Roundup

Packaging the base system with pkg(8)

The official call for testing for FreeBSD’s pkg(8)’d base is out

Users are requested to checkout the release-pkg branch, and build it as normal (buildworld, buildkernel)

Instead of installworld, run: make packages

This will produce a pkg repo in the /usr/obj directory

The post to the mailing list includes an example pkg repo config file to point to those packages

Run: pkg update -r FreeBSD-base

This will read the metadata from the new repository

Then run: pkg install -g 'FreeBSD-*'

This will find all packages that start with ‘FreeBSD-’ and install them

In the future, there will be meta packages, so you can just install FreeBSD-base and it will pull in other packages are dependencies

Currently, there are a large number of packages (over 700), because each shared library is packaged separately, and almost all optional features are in a separate package

The number of packages is also increased because there are separate -debug, -profiling, etc versions of each package

New features are being added to pkg(8) to mark important system components, like libc, as ‘vital’, so they cannot be deleted accidently

However, in the case of using pkg(8)’d base to create a jail, the administrator should be able to delete the entire base system

Classic conundrum: “UNIX does not stop you doing something stupid, as that would also stop you doing something clever”

Work is still ongoing

At AsiaBSDCon, after the interview was recorded, bapt@ and brd@ had a whiteboarding session and have come up with how they expect to handle the kernel package, to ensure there is a /boot/kernel.old for you to fall back to incase the newly installer kernel does not work correctly.

***

FreeBSD 10.3-RC2 Now Available

The second release candidate for FreeBSD 10.3 is now available for testing

Notable changes include:

Import an upstream fix for ‘zfs send -i’ to avoid data corruption in specific instances

Boot loaders and kernel have been taught to handle ELF sections of type SHT_AMD64_UNWIND. This does not really apply to FreeBSD 10.3, but is required for 11.0, so will make upgrades easier

Various mkdb commands (/etc/services, /etc/login.conf, etc) commands now use fsync() instead of opening the files as O_SYNC, greatly increasing the speed of the database generation

From the earlier BETA3, the VFS improvements that were causing ZFS hangs, and the new ‘tryforward’ routing code, have been reverted

Work is ongoing to fix these issues for FreeBSD 11.0

There are two open issues:

A fix for OpenSSH CVE-2016-3115 has not be included yet

the re-addition of AES-CBC ciphers to the default server proposal list. AES-CBC was removed as part of the update to OpenSSH version 7.1p2, but the plan is to re-add it, specifically for lightweight clients who rely on hardware crypto offload to have acceptable SSH performance

Please go out and test

***

OPNsense 16.1.6 released

A new point-release of OPNsense has dropped, and apart from the usual security updates, some new features have been included

firmware: bootstrap utility can now directly install e.g. the development version

dhcp: all GUI pages have been reworked for a polished look and feel

proxy: added category-based remote file support if compressed file contains multiple files

proxy: added ICAP support (contributed by Fabian Franz)

proxy: hook up the transparent FTP proxy

proxy: add intercept on IPv6 for FTP and HTTP proxy options

logging: syslog facilities, like services, are now fully pluggable

vpn: stripped an invalid PPTP server configuration from the standard configuration

vpn: converted to pluggable syslog, menu and ACL

dyndns: all GUI pages have been reworked for a polished look and feel

dyndns: widget now shows IPv6 entries too

dns forwarder: all GUI pages have been reworked for a polished look and feel

dns resolver: all GUI pages have been reworked for a polished look and feel

dns resolver: rewrote the dhcp lease registration hooks

dns resolver: allow parallel operation on non-standard port when dns forwarder is running as well

firewall: hide outbound nat rule input for "interface address" option and toggle bitmask correctly

interfaces: fix problem when VLAN tags weren't generated properly

interfaces: improve interface capability reconfigure

ipsec: fix service restart behaviour from GUI

captive portal: add missing chain in certificate generation

configd: improve recovery and reload behaviour

load balancer: reordered menu entries for clarity

ntp: reordered menu entries for clarity

traffic shaper: fix mismatch for direction + dual interfaces setup

languages: updated German and French

Call for testing - ASLR patch

A patch that provides a first pass implementation of basic ASLR (Address Space Layout Randomization) for FreeBSD has been posted to the mailing list

“Stack gap, WX, shared page randomization, KASLR and other techniques are explicitly out of scope of this work.”

“ASLR is enabled on per-ABI basis, and currently it is only enabled on native i386 and amd64 (including compat 32bit) ABIs. I expect to test and enable ASLR for armv6 and arm64 as well, later”

“Thanks to Oliver Pinter and Shawn Webb of the HardenedBSD project for pursuing ASLR for FreeBSD. Although this work is not based on theirs, it was inspired by their efforts.”

***

Feedback/Questions

Daniel - OpenZFS

Florian - JBODS

Hunter - SSL on DO

Ben - Backups

Damian - Bug’in Me!

***

...more

View all episodes

By JT Pennington

4.8

9191 ratings