Coming up this week, we'll be talking with Jun Ebihara about some lesser-known CPU architectures in NetBSD. He'll tell us what makes these old (and often forgotten) machines so interesting. As usual, we've also got answers to your emails and all this week's news on BSD Now - the place to B.. SD.
This episode was brought to you by
Headlines
Out with the old, in with the less
Our friend Ted Unangst has a new article up, talking about "various OpenBSD replacements and reductions""Instead of trying to fix known bugs, we’re trying to fix unknown bugs. It’s not based on the current buggy state of the code, but the anticipated future buggy state of the code. Past bugs are a bigger factor than current bugs."In the post, he goes through some of the bigger (and smaller) examples of OpenBSD rewriting tools to be simpler and more secureIt starts off with a lesser-known SCSI driver that "tried to do too much" being replaced with three separate drivers"Each driver can now be modified in isolation without unintentional side effects on other hardware, or the need to consider if and where further special cases need to be added. Despite the fact that these three drivers duplicate all the common boilerplate code, combined they only amount to about half as much code as the old driver."In contrast to that example, he goes on to cite mandoc as taking a very non "unixy" direction, but at the same time being smaller and simpler than all the tools it replacedThe next case is the new http daemon, and he talks a bit about the recently-added rewrite support being done in a simple and secure way (as opposed to regex and its craziness)He also talks about the rewritten "file" utility: "Almost by definition, its sole input will be untrusted input. Perversely, people will then trust what file tells them and then go about using that input, as if file somehow sanitized it."Finally, sudo in OpenBSD's base system is moving to ports soon, and the article briefly describes a new tool that may or may not replace it, called "doas"There's also a nice wrap-up of all the examples at the end, and the "Pruning and Polishing" talk is good complementary reading material***
More OpenZFS and BSDCan videos
We mentioned last week that some of the videos from the second OpenZFS conference in Europe were being uploaded - here's some moreMatt Ahrens did a Q&A session and talked about ZFS send and receive, as well as giving an overview of OpenZFSGeorge Wilson talked about a performance retrospectiveToshiba, Syneto and HGST also gave some talks about their companies and how they're using ZFSAs for BSDCan, more of their BSD presentations have been uploaded too...Ryan Stone, PCI SR-IOV on FreeBSDGeorge Neville-Neil, Measure Twice, Code OnceKris Moore, Unifying jail and package management for PC-BSD, FreeNAS and FreeBSDWarner Losh, I/O Scheduling in CAMKirk McKusick, An Introduction to the Implementation of ZFSMidori Kato, Extensions to FreeBSD Datacenter TCP for Incremental Deployment SupportBaptiste Daroussin, Packaging FreeBSD's base systemMatt Ahrens, New OpenZFS features supporting remote replicationEd Schouten, CloudABI Cloud computing meets fine-grained capabilitiesThe audio of Ingo Schwarze's talk "mandoc: becoming the main BSD manual toolbox" got messed up, but there's an alternate recording here, and the slides are here***
SMP steroids for PF
An Oracle employee that's been porting OpenBSD's PF to an upcoming Solaris release has sent in an interesting patch for reviewAttached to the mail was what may be the beginnings of making native PF SMP-awareBefore you start partying, the road to SMP (specifically, giant lock removal) is a long and very complicated one, requiring every relevant bit of the stack to be written with it in mind - this is just one piece of the puzzleThe initial response has been quite positive though, with some back and forth between developers and the submitterFor now, let's be patient and see what happens***
DragonFly 4.2.0 released
DragonFlyBSD has released the next big update of their 4.x branch, complete with a decent amount of new features and fixesi915 and Radeon graphics have been updated, and DragonFly can claim the title of first BSD with Broadwell support in a releaseSendmail in the base system has been replaced with their homegrown DragonFly Mail Agent, and there's a wiki page about configuring itThey've also switched the default compiler to GCC 5, though why they've gone in that direction instead of embracing Clang is a mysteryThe announcement page also contains a list of kernel changes, details on the audio and graphics updates, removal of the SCTP protocol, improvements to the temperature sensors, various userland utility fixes and a list of updates to third party toolsWork is continuing on the second generation HAMMER filesystem, and Matt Dillon provides a status update in the release announcementThere was also some hacker news discussion you can check out, as well as upgrade instructions***
OpenSMTPD 5.7.1 released
The OpenSMTPD guys have just released version 5.7.1, a major milestone version that we mentioned recentlyCrypto-related bits have been vastly improved: the RSA engine is now privilege-separated, TLS errors are handled more gracefully, ciphers and curve preferences can now be specified, the PKI interface has been reworked to allow custom CAs, SNI and certificate verification have been simplified and the DH parameters are now 2048 bit by defaultThe long-awaited filter API is now enabled by default, though still considered slightly experimentalDocumentation has been improved quite a bit, with more examples and common use cases (as well as exotic ones)Many more small additions and bugfixes were made, so check the changelog for the full listStarting with 5.7.1, releases are now cryptographically signed to ensure integrityThis release has gone through some major stress testing to ensure stability - Gilles regularly asks their Twitter followers to flood a test server with thousands of emails per second, even offering prizes to whoever can DDoS them the hardestOpenSMTPD runs on all the BSDs of course, and seems to be getting pretty popular latelyLet's all encourage Kris to stop procrastinating on switching from Postfix***
Interview - Jun Ebihara (蛯原純) -
[email protected] / @ebijun
Lesser-known CPU architectures, embedded NetBSD devices
News Roundup
FreeBSD foundation at BSDCan
The FreeBSD foundation has posted a few BSDCan summaries on their blogThe first, from Steven Douglas, begins with a sentiment a lot of us can probably identify with: "Where I live, there are only a handful of people that even know what BSD is, let alone can talk at a high level about it. That was one of my favorite things, being around like minded people."He got to meet a lot of the people working on big-name projects, and enjoyed being able to ask them questions so easilyTheir second trip report is from Ahmed Kamal, who flew in all the way from EgyptA bit starstruck, he seems to have enjoyed all the talks, particularly Andrew Tanenbaum's about MINIX and NetBSDThere are also two more wrap-ups from Zbigniew Bodek and Vsevolod Stakhov, so you've got plenty to read***
OpenBSD from a veteran Linux user perspective
In a new series of blog posts, a self-proclaimed veteran Linux user is giving OpenBSD a try for the first time"For the first time I installed a BSD box on a machine I control. The experience has been eye-opening, especially since I consider myself an 'old-school' Linux admin, and I've felt out of place with the latest changes on the system administration."The post is a collection of his thoughts about what's different between Linux and BSD, what surprised him as a beginner - admittedly, a lot of his knowledge carried over, and there were just minor differences in command flagsOne of the things that surprised him (in a positive way) was the documentation: "OpenBSD's man pages are so nice that RTFMing somebody on the internet is not condescending but selfless."He also goes through some of the basics, installing and updating software, following different branchesIt concludes with "If you like UNIX, it will open your eyes to the fact that there is more than one way to do things, and that system administration can still be simple while modern."***
FreeBSD on the desktop, am I crazy
Similar to the previous article, the guy that wrote the SSH two factor authentication post we covered last week has another new article up - this time about FreeBSD on the desktopHe begins with a bit of forewarning for potential Linux switchers: "It certainly wasn't an easy journey, and I'm tempted to say do not try this at home to anybody who isn't going to leverage any of FreeBSD's strong points. Definitely don't try FreeBSD on the desktop if you haven't used it on servers or virtual machines before. It's got less in common with Linux than you might think."With that out of the way, the list of positives is pretty large: a tidy base system, separation between base and ports, having the option to choose binary packages or ports, ZFS, jails, licensing and of course the lack of systemdThe rest of the post talks about some of the hurdles he had to overcome, namely with graphics and the infamous Adobe FlashAlso worth noting is that he found jails to be not only good for isolating daemons on a server, but pretty useful for desktop applications as wellIn the end, he says it was worth all the trouble, and is even planning on converting his laptop to FreeBSD soon too***
OpenIKED and Cisco CSR 1000v IPSEC
This article covers setting up a site-to-site IPSEC tunnel between a Cisco CSR 1000v router and an OpenBSD gateway running OpenIKEDWhat kind of networking blog post would be complete without a diagram where the internet is represented by a big cloudThere are lots of details (and example configuration files) for using IKEv2 and OpenBSD's built-in IKE daemonIt also goes to show that the BSDs generally play well with existing network infrastructure, so if you were a business that's afraid to try them… don't be***
HardenedBSD improves stack randomization
The HardenedBSD guys have improved their FreeBSD ASLR patchset, specifically in the stack randomization areaIn their initial implementation, the stack randomization was a random gap - this update makes the base address randomized as wellThey're now stacking the new on top of the old as well, with the goal being even more entropyThis change triggered an ABI and API incompatibility, so their major version has been bumped***
OpenSSH 6.9 released
The OpenSSH team has announced the release of a new version which, following their tick/tock major/minor release cycle, is focused mainly on bug fixesThere are a couple new things though - the "AuthorizedKeysCommand" config option now takes custom argumentsOne very notable change is that the default cipher has changed as of this releaseThe traditional pairing of AES128 in counter mode with MD5 HMAC has been replaced by the ever-trendy ChaCha20-Poly1305 comboTheir next release, 7.0, is set to get rid a number of legacy items: PermitRootLogin will be switched to "no" by default, SSHv1 support will be totally disabled, the 1024bit diffie-hellman-group1-sha1 KEX will be disabled, old ssh-dss and v00 certs will be removed, a number of weak ciphers will be disabled by default (including all CBC ones) and RSA keys will be refused if they're under 1024 bitsMany small bugs fixes and improvements were also made, so check the announcement for everything elseThe native version is in OpenBSD -current, and an update to the portable version should be hitting a ports or pkgsrc tree near you soon***
Feedback/Questions
Brad writes inMason writes inJochen writes inSimon writes in***