July 01, 2015

96: Lost Technology

1 hour 13 minutes

Coming up this week, we'll be talking with Jun Ebihara about some lesser-known CPU architectures in NetBSD. He'll tell us what makes these old (and often forgotten) machines so interesting. As usual, we've also got answers to your emails and all this week's news on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Out with the old, in with the less

Our friend Ted Unangst has a new article up, talking about "various OpenBSD replacements and reductions"

"Instead of trying to fix known bugs, we’re trying to fix unknown bugs. It’s not based on the current buggy state of the code, but the anticipated future buggy state of the code. Past bugs are a bigger factor than current bugs."

In the post, he goes through some of the bigger (and smaller) examples of OpenBSD rewriting tools to be simpler and more secure

It starts off with a lesser-known SCSI driver that "tried to do too much" being replaced with three separate drivers

"Each driver can now be modified in isolation without unintentional side effects on other hardware, or the need to consider if and where further special cases need to be added. Despite the fact that these three drivers duplicate all the common boilerplate code, combined they only amount to about half as much code as the old driver."

In contrast to that example, he goes on to cite mandoc as taking a very non "unixy" direction, but at the same time being smaller and simpler than all the tools it replaced

The next case is the new http daemon, and he talks a bit about the recently-added rewrite support being done in a simple and secure way (as opposed to regex and its craziness)

He also talks about the rewritten "file" utility: "Almost by definition, its sole input will be untrusted input. Perversely, people will then trust what file tells them and then go about using that input, as if file somehow sanitized it."

Finally, sudo in OpenBSD's base system is moving to ports soon, and the article briefly describes a new tool that may or may not replace it, called "doas"

There's also a nice wrap-up of all the examples at the end, and the "Pruning and Polishing" talk is good complementary reading material

***

More OpenZFS and BSDCan videos

We mentioned last week that some of the videos from the second OpenZFS conference in Europe were being uploaded - here's some more

Matt Ahrens did a Q&A session and talked about ZFS send and receive, as well as giving an overview of OpenZFS

George Wilson talked about a performance retrospective

Toshiba, Syneto and HGST also gave some talks about their companies and how they're using ZFS

As for BSDCan, more of their BSD presentations have been uploaded too...

Ryan Stone, PCI SR-IOV on FreeBSD

George Neville-Neil, Measure Twice, Code Once

Kris Moore, Unifying jail and package management for PC-BSD, FreeNAS and FreeBSD

Warner Losh, I/O Scheduling in CAM

Kirk McKusick, An Introduction to the Implementation of ZFS

Midori Kato, Extensions to FreeBSD Datacenter TCP for Incremental Deployment Support

Baptiste Daroussin, Packaging FreeBSD's base system

Matt Ahrens, New OpenZFS features supporting remote replication

Ed Schouten, CloudABI Cloud computing meets fine-grained capabilities

The audio of Ingo Schwarze's talk "mandoc: becoming the main BSD manual toolbox" got messed up, but there's an alternate recording here, and the slides are here

***

SMP steroids for PF

An Oracle employee that's been porting OpenBSD's PF to an upcoming Solaris release has sent in an interesting patch for review

Attached to the mail was what may be the beginnings of making native PF SMP-aware

Before you start partying, the road to SMP (specifically, giant lock removal) is a long and very complicated one, requiring every relevant bit of the stack to be written with it in mind - this is just one piece of the puzzle

The initial response has been quite positive though, with some back and forth between developers and the submitter

For now, let's be patient and see what happens

***

DragonFly 4.2.0 released

DragonFlyBSD has released the next big update of their 4.x branch, complete with a decent amount of new features and fixes

i915 and Radeon graphics have been updated, and DragonFly can claim the title of first BSD with Broadwell support in a release

Sendmail in the base system has been replaced with their homegrown DragonFly Mail Agent, and there's a wiki page about configuring it

They've also switched the default compiler to GCC 5, though why they've gone in that direction instead of embracing Clang is a mystery

The announcement page also contains a list of kernel changes, details on the audio and graphics updates, removal of the SCTP protocol, improvements to the temperature sensors, various userland utility fixes and a list of updates to third party tools

Work is continuing on the second generation HAMMER filesystem, and Matt Dillon provides a status update in the release announcement

There was also some hacker news discussion you can check out, as well as upgrade instructions

***

OpenSMTPD 5.7.1 released

The OpenSMTPD guys have just released version 5.7.1, a major milestone version that we mentioned recently

Crypto-related bits have been vastly improved: the RSA engine is now privilege-separated, TLS errors are handled more gracefully, ciphers and curve preferences can now be specified, the PKI interface has been reworked to allow custom CAs, SNI and certificate verification have been simplified and the DH parameters are now 2048 bit by default

The long-awaited filter API is now enabled by default, though still considered slightly experimental

Documentation has been improved quite a bit, with more examples and common use cases (as well as exotic ones)

Many more small additions and bugfixes were made, so check the changelog for the full list

Starting with 5.7.1, releases are now cryptographically signed to ensure integrity

This release has gone through some major stress testing to ensure stability - Gilles regularly asks their Twitter followers to flood a test server with thousands of emails per second, even offering prizes to whoever can DDoS them the hardest

OpenSMTPD runs on all the BSDs of course, and seems to be getting pretty popular lately

Let's all encourage Kris to stop procrastinating on switching from Postfix

***

Interview - Jun Ebihara (蛯原純) - [email protected] / @ebijun

Lesser-known CPU architectures, embedded NetBSD devices

News Roundup

FreeBSD foundation at BSDCan

The FreeBSD foundation has posted a few BSDCan summaries on their blog

The first, from Steven Douglas, begins with a sentiment a lot of us can probably identify with: "Where I live, there are only a handful of people that even know what BSD is, let alone can talk at a high level about it. That was one of my favorite things, being around like minded people."

He got to meet a lot of the people working on big-name projects, and enjoyed being able to ask them questions so easily

Their second trip report is from Ahmed Kamal, who flew in all the way from Egypt

A bit starstruck, he seems to have enjoyed all the talks, particularly Andrew Tanenbaum's about MINIX and NetBSD

There are also two more wrap-ups from Zbigniew Bodek and Vsevolod Stakhov, so you've got plenty to read

***

OpenBSD from a veteran Linux user perspective

In a new series of blog posts, a self-proclaimed veteran Linux user is giving OpenBSD a try for the first time

"For the first time I installed a BSD box on a machine I control. The experience has been eye-opening, especially since I consider myself an 'old-school' Linux admin, and I've felt out of place with the latest changes on the system administration."

The post is a collection of his thoughts about what's different between Linux and BSD, what surprised him as a beginner - admittedly, a lot of his knowledge carried over, and there were just minor differences in command flags

One of the things that surprised him (in a positive way) was the documentation: "OpenBSD's man pages are so nice that RTFMing somebody on the internet is not condescending but selfless."

He also goes through some of the basics, installing and updating software, following different branches

It concludes with "If you like UNIX, it will open your eyes to the fact that there is more than one way to do things, and that system administration can still be simple while modern."

***

FreeBSD on the desktop, am I crazy

Similar to the previous article, the guy that wrote the SSH two factor authentication post we covered last week has another new article up - this time about FreeBSD on the desktop

He begins with a bit of forewarning for potential Linux switchers: "It certainly wasn't an easy journey, and I'm tempted to say do not try this at home to anybody who isn't going to leverage any of FreeBSD's strong points. Definitely don't try FreeBSD on the desktop if you haven't used it on servers or virtual machines before. It's got less in common with Linux than you might think."

With that out of the way, the list of positives is pretty large: a tidy base system, separation between base and ports, having the option to choose binary packages or ports, ZFS, jails, licensing and of course the lack of systemd

The rest of the post talks about some of the hurdles he had to overcome, namely with graphics and the infamous Adobe Flash

Also worth noting is that he found jails to be not only good for isolating daemons on a server, but pretty useful for desktop applications as well

In the end, he says it was worth all the trouble, and is even planning on converting his laptop to FreeBSD soon too

***

OpenIKED and Cisco CSR 1000v IPSEC

This article covers setting up a site-to-site IPSEC tunnel between a Cisco CSR 1000v router and an OpenBSD gateway running OpenIKED

What kind of networking blog post would be complete without a diagram where the internet is represented by a big cloud

There are lots of details (and example configuration files) for using IKEv2 and OpenBSD's built-in IKE daemon

It also goes to show that the BSDs generally play well with existing network infrastructure, so if you were a business that's afraid to try them… don't be

***

HardenedBSD improves stack randomization

The HardenedBSD guys have improved their FreeBSD ASLR patchset, specifically in the stack randomization area

In their initial implementation, the stack randomization was a random gap - this update makes the base address randomized as well

They're now stacking the new on top of the old as well, with the goal being even more entropy

This change triggered an ABI and API incompatibility, so their major version has been bumped

***

OpenSSH 6.9 released

The OpenSSH team has announced the release of a new version which, following their tick/tock major/minor release cycle, is focused mainly on bug fixes

There are a couple new things though - the "AuthorizedKeysCommand" config option now takes custom arguments

One very notable change is that the default cipher has changed as of this release

The traditional pairing of AES128 in counter mode with MD5 HMAC has been replaced by the ever-trendy ChaCha20-Poly1305 combo

Their next release, 7.0, is set to get rid a number of legacy items: PermitRootLogin will be switched to "no" by default, SSHv1 support will be totally disabled, the 1024bit diffie-hellman-group1-sha1 KEX will be disabled, old ssh-dss and v00 certs will be removed, a number of weak ciphers will be disabled by default (including all CBC ones) and RSA keys will be refused if they're under 1024 bits

Many small bugs fixes and improvements were also made, so check the announcement for everything else

The native version is in OpenBSD -current, and an update to the portable version should be hitting a ports or pkgsrc tree near you soon

***

Feedback/Questions

Brad writes in

Mason writes in

Jochen writes in

Simon writes in

***

...more

View all episodes

By JT Pennington

4.9

8989 ratings