Engineering and Powder Kegs | BSD Now 2
Posted on: September 12, 2013

BSD Now is BACK to talk with Glen Barber from the FreeBSD Release team, show you how to build your own binary package repository and discuss the latest BSD news!
– Show Notes: –
Headlines
64bit time in OpenBSD
- Many operating systems face an upcoming challenge, similar to (but more complicated than) Y2K: Y2038. All of the BSDs and most other operating systems track time by counting the seconds since Jan 1st, 1970. In 2038 this value will reach the maximum value of a signed 32 bit integer.
- Simply changing to a 64 bit counter may not be the best solution, because there may still be 32 bit systems in use for embedded applications
- Theo will be giving the keynote at EuroBSDCon on the subject, explaining how OpenBSD has implemented the solution
- No other BSDs have it yet
- ABI incompatibility. Updating to this kernel requires extra work or you won't be able to log in: install a snapshot instead. Upgrading by source is for the insane only.
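The 32-bit limit and the ABI break described above, as an added C example that is not from the show or from OpenBSD's source. The `stamp32`/`stamp64` structs and all function names are hypothetical, and the date conversion is done by hand so the result does not depend on the platform's own `time_t` width.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical ABI records: widening the seconds field changes the struct
 * size, which is why old binaries break against a 64-bit-time kernel. */
struct stamp32 { int32_t sec; int32_t flags; };
struct stamp64 { int64_t sec; int32_t flags; };
struct utc { int year, mon, day, hour, min, sec; };

/* Convert seconds since 1970-01-01 UTC to a calendar date without relying on
 * the platform's time_t (days-to-civil algorithm, proleptic Gregorian). */
struct utc utc_from_epoch(int64_t t)
{
    int64_t days = t / 86400, rem = t % 86400;
    if (rem < 0) { rem += 86400; days -= 1; }   /* floor division for t < 0 */
    int64_t z = days + 719468;                  /* shift epoch to 0000-03-01 */
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;             /* day of 400-year era */
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp = (5 * doy + 2) / 153;           /* month index, March = 0 */
    struct utc u;
    u.day = (int)(doy - (153 * mp + 2) / 5 + 1);
    u.mon = (int)(mp < 10 ? mp + 3 : mp - 9);
    u.year = (int)(yoe + era * 400 + (u.mon <= 2));
    u.hour = (int)(rem / 3600);
    u.min = (int)(rem % 3600 / 60);
    u.sec = (int)(rem % 60);
    return u;
}

/* One tick of an unchecked signed 32-bit counter; done in unsigned arithmetic
 * because signed overflow is undefined behaviour in C. */
int32_t tick32(int32_t t) { return (int32_t)((uint32_t)t + 1u); }

/* Narrow a 64-bit timestamp for a 32-bit field; -1 if it does not fit. */
int narrow_time(int64_t t, int32_t *out)
{
    if (t > INT32_MAX || t < INT32_MIN) return -1;
    *out = (int32_t)t; return 0;
}

int main(void)
{
    struct utc a = utc_from_epoch(INT32_MAX), b = utc_from_epoch(tick32(INT32_MAX));
    printf("last 32-bit second: %04d-%02d-%02d %02d:%02d:%02d\n", a.year, a.mon, a.day, a.hour, a.min, a.sec);
    printf("after wrap:         %04d-%02d-%02d %02d:%02d:%02d\n", b.year, b.mon, b.day, b.hour, b.min, b.sec);
    printf("record size: %zu -> %zu bytes\n", sizeof(struct stamp32), sizeof(struct stamp64));
}
```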
AESNI pipelining gets a speed boost
- AES-NI is a new set of processor instructions available on modern Intel and AMD chips that provides hardware acceleration for AES encryption and decryption. This feature is especially useful for encrypted disks, because it removes most of the performance penalty traditionally associated with encryption.
- The new commit has the instructions pipelined, so there is no latency between the instructions
- Uses SSE2 instructions for calculating XTS tweak factor for further increased performance
- GELI based disk encryption performance increased by 3x on capable CPUs
- Should affect PEFS and other AES backed encryption schemes as well
- Full disk encryption should be more or less transparent now
OpenBSD 5.4 Preorders
- Every 6 months there is a new OpenBSD version
- They include a fun song and nicely-packaged CD set
- The proceeds from the sale of these products are the primary funding of the OpenBSD project
- The official ISOs will be uploaded on November 1st
GCC no longer built by default on FreeBSD -CURRENT
- On platforms where clang is the default compiler, don't build gcc or libstdc++
- GCC is still enabled on PC98, because the PC98 bootloader requires GCC to build
- While the base FreeBSD system has been built by clang for a long time, this change also covers the ports tree
Patch to update Xorg and Mesa on FreeBSD
- Updates xorg drivers
- Expected to be committed in about 2 weeks
- Adds option to use devd instead of HAL for X configuration
- Updates the MESA stack (9.1.6), libGL, DRI, etc
- Enables KMS for AMD/ATI cards
- Call for Testing
- OpenBSD has recently upgraded to Mesa 9.2 for their stable version of Xorg
Interview – Glen Barber – gjb@freebsd.org @g_j_b_
FreeBSD Release Engineering
- Q: Tell us a little about yourself, your role with the project – K
- Q: When did you join the release engineering team (re@) and how did that come about? -A
- Q: What kind of tasks and decisions are in the hands of re@? – K
- Q: Why is it /pub/FreeBSD/releases/amd64/amd64/? -A
- Q: Any stand-out features of 9.2-RELEASE that you’re personally excited about? -K
- Q: Tell us about net.inet.tcp.experimental.initcwnd10 in r242266 -A
- Q: Why was it reverted for 9.2-RC3? Causing problems? -K
- Q: Why was there an RC4 added? – A
- Q: Talk about the new snapshot releases for -CURRENT/-STABLE (we’ll have a future segment on how to upgrade to these branches) – K
- Q: Is there a possibility of freebsd-update someday offering snapshot-based upgrades to the -STABLE or -CURRENT branches? What technical difficulties need to be overcome? – A
- Q: Are there plans to remove bind from the base system? -K
- Q: Would it be possible in the future to have a “WITHOUT_BLOBS” src.conf option to remove any non-open source wifi firmware modules and such? -A
- Q: Tell us about you joining the FreeBSD Foundation and what this will mean for users – K
Tutorial
Making your own binary repository
- Live demo
- Poudriere builds binary packages from a list of ports (or the whole tree)
- Uses the fantastic BSD jail system for everything
- Supports signing the repository with an RSA key
- Easy way to deploy large number of systems or low-powered systems
- Very flexible, works on different versions of the OS, lots of features
Place to B…SD
iXsystems hosts FreeBSD Anniversary party
- Celebrating FreeBSD’s 20th anniversary
- Saturday, November 2nd at the DNA Lounge in San Francisco
- Notable FreeBSD figures will contribute words of wisdom on the past, present, and future of FreeBSD
News Roundup
NetBSD gets basic support for the cubieboard 1 & 2
- Very preliminary support for cubieboard 1 & 2 based on the Allwinner A10 & A20 SoCs
- Many drivers are stubs with autoconf glue
- Contributed by Matt Thomas
Rayservers ditches Linux for BSD
- Used them all, Windows, Mac, OpenBSD, Linux
- Needed PF, ZFS, disk encryption, lots of networking features, better security
- In Linux, "The new cgroups based memory management ran out of memory – on a 256 GB RAM system whilst it was not using more than 40."
- BSD now protects the privacy of their email users
HPN for OpenSSH 6.2
- High Performance Networking is an SSH patchset that improves transfer speeds by removing the fixed window size and taking better advantage of TCP
- Maintained as a patchset separate from OpenSSH
- First integrated into FreeBSD base as of 9.0
- Updated to support 6.2 (available in the ports tree as security/openssh-portable)
- The HPN patch set also includes threaded AES-CTR support to increase performance and take advantage of multiple CPU cores for encryption. In this latest patch, threaded AES-CTR now works in all situations (it failed in some specific situations previously). Expected performance increase is ~50%
- NONE cipher is now separate from the main patch set. The NONE cipher allows tools like scp and sftp to switch off the encryption for file transfers (when specifically told to do so) to keep encryption from bottlenecking performance and wasting CPU time
Call for testing: OpenSSH-6.3
- Mostly a bugfix release
- SFTP now supports resuming partially-downloaded or uploaded transfers
- More logging features
- Six weeks after the initial email, still no release. des@ is not pleased.
pkgsrc gets signing
- pkgsrc is used on NetBSD, DragonflyBSD and other OSes
- Comes from an EdgeBSD developer
- Uses GPG for signing package files
- Currently just a patch on github and in its infancy
- Provides a short howto
FreeBSD vs. Linux: 10 points of superiority
- New FreeBSD user, ex-Linux user writes about his experience
- Mentions consistency, documentation, security, filesystems, updates, jails, community
- Really long post, definitely worth a read
[Feedback/Questions]
- We received TONS of email. We’ll get to a few of the questions, but a lot of them will be answered in future episodes.
- hoopla writes in: “I'm looking to install PCBSD on my laptop and was wondering if there was support for encryption of the root folder in the installer. For my arch linux install I ended up setting up an encrypted lvm by hand and it was hell but if it's built into the installer it'd make the transition to BSD much simpler.”
- Juergen writes in: "hi guys, I want to listen to the new BSD podcast but I couldn't find the RSS feed. Can you publish the feed?"
- Due to the way publishing happens at JupiterBroadcasting, there were no RSS feeds until the first episode was published. The feeds for MP3, OGG, SD and HD Video and Torrent are now in the top right corner of the BSDNow.tv page. The episodes will also be published on iTunes once the show is approved by Apple.
- Sam writes in with two questions: “I want a few simple python web apps. What is the best "FreeBSD way" to deploy this? Nginx + uWSGI? It is surprisingly hard to find a usable nginx.conf that I can throw in a jail and run a python app. Is uWSGI even the right tool?”
- “The PCBSD tools are great, but the tool versions that are in the ports tree are always out of date compared to what ships with PC-BSD. Why is this? Same with FreeNAS, why is the Warden more up to date in FreeNAS than PC-BSD.. then there's yet a 3rd version in ports?”
- Frank writes in with a long question: “My company is a major CA. We run virtualized RHEL 6 virtualized on KVM, about 3000 nodes serving different purposes on about 350 pizza boxes also running RHEL/KVM. We have kind of a sale issue. To have both TLS 1.2 support and ECC ciphers available we have to recompile both OpenSSL and NGINX and a few other system packages. I've built RPM's, but there still are issues on a default install, relating to other not to be disclosed core business software choughJava based cachough. However, compiling it all on each machine does work.
Now I've got this working on FreeBSD kvm virtual machines, which both provide better performance (almost 30% less resource usage than the RHEL nodes) and also work with our configuration management stack (puppet + homegrown). It also would allow us to drop a lot of virtual nodes because less BSD boxes can handle the same amount as the CentOS ones. And of course the lack of security issues, less software by default on a fresh install and such.
My team also likes it, has knowledge, supports a migration, and the metrics support it, however management is not happy and does not want to do such a big "migration". (Not knowing that about 100 VM's are already FreeBSD and working). Also, they don't like that they've got a 10 year contract with Red Hat and have paid for that… But, in the end the cost would go down because of the migration.
Any tips to get support from them?”
+ The first thing that comes to mind is to see what other people have done in the past. There was a presentation at BSDCan 2013 in May of this year on this specific topic: Case study: Switching from Linux to FreeBSD
- All the tutorials are posted in their entirety at bsdnow.tv
- Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
- We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter: @BSDNow (also acceptable)
- Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)