Episode 88

Below the Clouds

Download Subscribe
00:00:00
/
01:34:00
RSS Feed Download (64.5 MB) Link with Timestamp

May 6th, 2015

1 hr 34 mins

Link with Timestamp

Download MP3 (64.5 MB)

Your Hosts
Tags
gateway workpad z50 router opnsense openhrc ipfw browser bundle diversity tor tor-bsd capsicum cloudabi openssh openntpd opensmtpd libressl 5.7 interview bsd guide howto tutorial pcbsd dragonflybsd netbsd openbsd freebsd

About this Episode

This time on the show, we'll be talking with Ed Schouten about CloudABI. It's a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week's BSD news and answers to your emails, on BSD Now - the place to B.. SD.

This episode was brought to you by

iXsystems - Enterprise Servers and Storage for Open SourceDigitalOcean - Simple Cloud Hosting, Built for DevelopersTarsnap - Online Backups for the Truly Paranoid

Headlines

FreeBSD quarterly status report

  • The FreeBSD team has posted a report of the activities that went on between January and March of this year
  • As usual, it's broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc)
  • The ports team continuing battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter
  • The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward
  • FreeBSD's future release support model was also finalized and published in February, which should be a big improvement for both users and the release team
  • Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code
  • Lots of activity is happening in bhyve, some of which we've covered recently, and a number of improvements were made this quarter
  • Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT
  • Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being
  • The project to replace forth in the bootloader with lua is in its final stages, and can be used on x86 already
  • ASLR work is still being done by the HardenedBSD guys, and their next aim is position-independent executable
  • The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more
  • Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64) ***

OpenBSD 5.7 released

  • OpenBSD has formally released another new version, complete with the giant changelog we've come to expect
  • In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs
  • If you're using one of the Soekris boards, there's even a new driver to manipulate the GPIO and LEDs on them - this has some fun possibilities
  • Some new security improvements include: SipHash being sprinkled in some areas to protect hashing functions, big WX improvements in the kernel space, static PIE on all architectures, deterministic "random" functions being replaced with strong randomness, and support for remote logging over TLS
  • The entire source tree has also been audited to use reallocarray, which unintentionally saved OpenBSD's libc from being vulnerable to earlier attacks affecting other BSDs' implementations
  • Being that it's OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL)
  • Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore - very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily
  • BIND and nginx have been taken out, so you'll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon
  • Speaking of httpd, it's gotten a number of new features, and has had time to grow and mature since its initial debut - if you've been considering trying it out, now would be a great time to do so
  • This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc
  • Check the errata page for any post-release fixes, and the upgrade guide for specific instructions on updating from 5.6
  • Groundwork has also been laid for some major SMP scalability improvements - look forward to those in future releases
  • There's a song and artwork to go along with the release as always, and CDs should be arriving within a few days - we'll show some pictures next week
  • Consider picking one up to support the project (and it's the only way to get puffy stickers)
  • For those of you paying close attention, the banner image for this release just might remind you of a certain special episode of BSD Now... ***

Tor-BSD diversity project

  • We've talked about Tor on the show a few times, and specifically about getting more of the network on BSD (Linux has an overwhelming majority right now)
  • A new initiative has started to do just that, called the Tor-BSD diversity project
  • "Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. Diversity means single vulnerabilities are less likely to harm the entire ecosystem. [...] A single kernel vulnerability in GNU/Linux that impacting Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity."
  • In addition to encouraging people to put up more relays, they're also continuing work on porting the Tor Browser Bundle to BSD, so more desktop users can have easy access to online privacy
  • There's an additional progress report for that part specifically, and it looks like most of the work is done now
  • Engaging the broader BSD community about Tor and fixing up the official documentation are also both on their todo list
  • If you've been considering running a node to help out, there's always our handy tutorial on getting set up ***

PC-BSD 10.1.2-RC1 released

  • If you want a sneak peek at the upcoming PC-BSD 10.1.2, the first release candidate is now available to grab
  • This quarterly update includes a number of new features, improvements and even some additional utilities
  • PersonaCrypt is one of them - it's a new tool for easily migrating encrypted home directories between systems
  • A new "stealth mode" option allows for a one-time login, using a blank home directory that gets wiped after use
  • Similarly, a new "Tor mode" allows for easy tunneling of all your traffic through the Tor network
  • IPFW is now the default firewall, offering improved VIMAGE capabilities
  • The life preserver backup tool now allows for bare-metal restores via the install CD
  • ISC's NTP daemon has been replaced with OpenNTPD, and OpenSSL has been replaced with LibreSSL
  • It also includes the latest Lumina desktop, and there's another post dedicated to that
  • Binary packages have also been updated to fresh versions from the ports tree
  • More details, including upgrade instructions, can be found in the linked blog post ***

Interview - Ed Schouten - ed@freebsd.org / @edschouten

CloudABI

News Roundup

Open Household Router Contraption

  • This article introduces OpenHRC, the "Open Household Router Contraption"
  • In short, it's a set of bootstrapping scripts to turn a vanilla OpenBSD install into a feature-rich gateway device
  • It also makes use of Ansible playbooks for configuration, allowing for a more "mass deployment" type of setup
  • Everything is configured via a simple text file, and you end up with a local NTP server, DHCP server, firewall (obviously) and local caching DNS resolver - it even does DNSSEC validation
  • All the code is open source and on Github, so you can read through what's actually being changed and put in place
  • There's also a video guide to the entire process, if you're more of a visual person ***

OPNsense 15.1.10 released

  • Speaking of BSD routers, if you're looking for a "prebuilt and ready to go" option, OPNsense has just released a new version
  • 15.1.10 drops some of the legacy patches they inherited from pfSense, aiming to stay closer to the mainline FreeBSD source code
  • Going along with this theme, they've redone how they do ports, and are now kept totally in sync with the regular ports tree
  • Their binary packages are now signed using the fingerprint-style method, various GUI menus have been rewritten and a number of other bugs were fixed
  • NanoBSD-based images are also available now, so you can try it out on hardware with constrained resources as well
  • Version 15.1.10.1 was released shortly thereafter, including a hotfix for VLANs ***

IBM Workpad Z50 and NetBSD

  • Before the infamous netbook fad came and went, IBM had a handheld PDA device that looked pretty much the same
  • Back in 1999, they released the Workpad Z50 with Windows CE, sporting a 131MHz MIPS CPU, 16MB of RAM and a 640x480 display
  • You can probably tell where this is going... the article is about installing NetBSD it
  • "What prevents me from taking my pristine Workpad z50 to the local electronics recycling facility is NetBSD. With a little effort it is possible to install recent versions of NetBSD on the Workpad z50 and even have XWindows running"
  • The author got pkgsrc up and running on it too, and cleverly used distcc to offload the compiling jobs to something a bit more modern
  • He's also got a couple videos of the bootup process and running Xorg (neither of which we'd call "speedy" by any stretch of the imagination) ***

FreeBSD from the trenches

  • The FreeBSD foundation has a new blog post up in their "from the trenches" series, detailing FreeBSD in some real-world use cases
  • In this installment, Glen Barber talks about how he sets up all his laptops with ZFS and GELI
  • While the installer allows for an automatic ZFS layout, Glen notes that it's not a one-size-fits-all thing, and goes through doing everything manually
  • Each command is explained, and he walks you through the process of doing an encrypted installation on your root zpool ***

Broadwell in DragonFly

  • DragonFlyBSD has officially won the race to get an Intel Broadwell graphics driver
  • Their i915 driver has been brought up to speed with Linux 3.14's, adding not only Broadwell support, but many other bugfixes for other cards too
  • It's planned for commit to the main tree very soon, but you can test it out with a git branch for the time being ***

Feedback/Questions

Mailing List Gold